Skip to content

Commit

Permalink
ci: improve token handling and workflow permissions
Browse files Browse the repository at this point in the history
  • Loading branch information
tboerger committed Oct 31, 2023
1 parent fb0099b commit 4a831b3
Show file tree
Hide file tree
Showing 7 changed files with 117 additions and 18 deletions.
49 changes: 49 additions & 0 deletions .github/workflows/automerge.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
---
name: automerge

"on":
workflow_dispatch:
pull_request:
branches:
- master

permissions:
contents: write
pull-requests: write

jobs:
dependabot:
runs-on: ubuntu-latest
if: github.actor == 'dependabot[bot]'

steps:
- name: Generate token
id: token
uses: tibdex/github-app-token@v2
with:
app_id: ${{ secrets.TOKEN_EXCHANGE_APP }}
installation_retrieval_mode: id
installation_retrieval_payload: ${{ secrets.TOKEN_EXCHANGE_INSTALL }}
private_key: ${{ secrets.TOKEN_EXCHANGE_KEY }}
permissions: >-
{"contents": "write", "pull_requests": "write", "issues": "write"}
- name: Fetch metadata
id: metadata
uses: dependabot/fetch-metadata@v1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}

- name: Approve request
id: approve
run: gh pr review --approve "${{github.event.pull_request.html_url}}"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Enable automerge
id: automerge
run: gh pr merge --rebase --auto "${{github.event.pull_request.html_url}}"
env:
GH_TOKEN: ${{ steps.token.outputs.token }}

...
11 changes: 10 additions & 1 deletion .github/workflows/binaries.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,19 @@
name: binaries

"on":
workflow_dispatch:
pull_request:
branches:
- master
push:
branches:
- master
tags:
- v*

permissions:
contents: write

jobs:
binaries:
runs-on: ubuntu-latest
Expand All @@ -31,6 +40,7 @@ jobs:

- name: Sign release
id: gpgsign
if: startsWith(github.ref, 'refs/tags/')
uses: actionhippie/gpgsign@v1
with:
private_key: ${{ secrets.GNUPG_KEY }}
Expand All @@ -51,7 +61,6 @@ jobs:
if: startsWith(github.ref, 'refs/tags/')
uses: ncipollo/release-action@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
body: ${{ steps.changelog.outputs.generated }}
artifacts: dist/*

Expand Down
10 changes: 10 additions & 0 deletions .github/workflows/changes.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,17 @@
name: changes

"on":
workflow_dispatch:
pull_request:
branches:
- master
push:
branches:
- master

permissions:
contents: read

jobs:
changelog:
runs-on: ubuntu-latest
Expand All @@ -29,6 +36,7 @@ jobs:

- name: Commit changes
id: commit
if: github.event_name != 'pull_request'
uses: EndBug/add-and-commit@v9
with:
author_name: GitHub Actions
Expand Down Expand Up @@ -60,6 +68,7 @@ jobs:

- name: Commit changes
id: commit
if: github.event_name != 'pull_request'
uses: EndBug/add-and-commit@v9
with:
author_name: GitHub Actions
Expand Down Expand Up @@ -91,6 +100,7 @@ jobs:

- name: Commit changes
id: commit
if: github.event_name != 'pull_request'
uses: EndBug/add-and-commit@v9
with:
author_name: GitHub Actions
Expand Down
35 changes: 26 additions & 9 deletions .github/workflows/docker.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,20 @@
name: docker

"on":
workflow_dispatch:
pull_request:
branches:
- master
push:
branches:
- master
tags:
- v*

permissions:
contents: read
packages: write

jobs:
docker:
runs-on: ubuntu-latest
Expand All @@ -18,16 +26,20 @@ jobs:
- platform: linux/386
goos: linux
goarch: 386
tags: netgo
- platform: linux/amd64
goos: linux
goarch: amd64
- platform: linux/arm64
goos: linux
goarch: arm64
tags: netgo
- platform: linux/arm/6
goos: linux
goarch: arm
goarm: 6
tags: netgo
- platform: linux/arm64
goos: linux
goarch: arm64
tags: netgo

steps:
- name: Checkout source
Expand All @@ -46,6 +58,7 @@ jobs:
GOOS: ${{ matrix.goos }}
GOARCH: ${{ matrix.goarch }}
GOARM: ${{ matrix.goarm }}
TAGS: ${{ matrix.tags }}
run: make generate

- name: Run build
Expand All @@ -54,13 +67,13 @@ jobs:
GOOS: ${{ matrix.goos }}
GOARCH: ${{ matrix.goarch }}
GOARM: ${{ matrix.goarm }}
TAGS: ${{ matrix.tags }}
run: make build

- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
images: |
promhippie/jenkins-exporter
quay.io/promhippie/jenkins-exporter
Expand Down Expand Up @@ -109,7 +122,7 @@ jobs:
if: github.event_name != 'pull_request'
with:
registry: ghcr.io
username: ${{ github.actor }}
username: bothippie
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build image
Expand All @@ -128,6 +141,7 @@ jobs:
manifest:
runs-on: ubuntu-latest
needs: docker
if: github.event_name != 'pull_request'

steps:
- name: Checkout source
Expand All @@ -138,7 +152,6 @@ jobs:
id: hubTags
uses: docker/metadata-action@v5
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
images: promhippie/jenkins-exporter
tags: |
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
Expand All @@ -161,7 +174,6 @@ jobs:
id: quayTags
uses: docker/metadata-action@v5
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
images: quay.io/promhippie/jenkins-exporter
tags: |
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
Expand All @@ -171,6 +183,7 @@ jobs:
- name: Quay manifest
id: quay
if: github.event_name != 'pull_request'
uses: actionhippie/manifest@v1
with:
username: ${{ secrets.QUAY_USERNAME }}
Expand All @@ -182,9 +195,9 @@ jobs:

- name: Ghcr tags
id: ghcrTags
if: github.event_name != 'pull_request'
uses: docker/metadata-action@v5
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
images: ghcr.io/promhippie/jenkins-exporter
tags: |
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
Expand All @@ -194,9 +207,10 @@ jobs:
- name: Ghcr manifest
id: ghcr
if: github.event_name != 'pull_request'
uses: actionhippie/manifest@v1
with:
username: ${{ github.actor }}
username: bothippie
password: ${{ secrets.GITHUB_TOKEN }}
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v6
template: ghcr.io/promhippie/jenkins-exporter:VERSION-OS-ARCH
Expand All @@ -206,6 +220,7 @@ jobs:
readme:
runs-on: ubuntu-latest
needs: docker
if: github.event_name != 'pull_request'

steps:
- name: Checkout source
Expand All @@ -214,6 +229,7 @@ jobs:

- name: Hub readme
id: hub
if: github.event_name != 'pull_request'
uses: actionhippie/pushrm@v1
with:
provider: dockerhub
Expand All @@ -225,6 +241,7 @@ jobs:

- name: Quay readme
id: quay
if: github.event_name != 'pull_request'
uses: actionhippie/pushrm@v1
with:
provider: quay
Expand Down
8 changes: 8 additions & 0 deletions .github/workflows/docs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,17 @@
name: docs

"on":
workflow_dispatch:
pull_request:
branches:
- master
push:
branches:
- master

permissions:
contents: write

jobs:
docs:
runs-on: ubuntu-latest
Expand All @@ -28,6 +35,7 @@ jobs:

- name: Deploy pages
id: deploy
if: github.event_name != 'pull_request'
uses: peaceiris/actions-gh-pages@v3
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
Expand Down
10 changes: 7 additions & 3 deletions .github/workflows/general.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,17 @@
name: general

"on":
push:
workflow_dispatch:
pull_request:
branches:
- master
pull_request:
push:
branches:
- master

permissions:
contents: read

jobs:
testing:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -50,7 +54,7 @@ jobs:

- name: Coverage report
id: codacy
if: github.ref == 'refs/heads/master'
if: github.event_name != 'pull_request'
uses: codacy/codacy-coverage-reporter-action@v1
with:
project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
Expand Down
12 changes: 7 additions & 5 deletions .github/workflows/kustomize.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,17 @@
name: kustomize

"on":
push:
workflow_dispatch:
pull_request:
branches:
- master
pull_request:
push:
branches:
- master

permissions:
contents: read

jobs:
generate:
runs-on: ubuntu-latest
Expand All @@ -17,14 +21,12 @@ jobs:
- name: Checkout source
id: source
uses: actions/checkout@v4
with:
token: ${{ secrets.BOT_ACCESS_TOKEN }}

- name: Generate manifest
id: kustomize
uses: actionhippie/kustomize@v2
with:
version: 4.4.0
version: 5.2.1
path: deploy/kubernetes/
target: deploy/kubernetes/bundle.yml

Expand Down

0 comments on commit 4a831b3

Please sign in to comment.