From 4a831b3b9300694f3f056c91702911499d00f51a Mon Sep 17 00:00:00 2001 From: Thomas Boerger Date: Tue, 31 Oct 2023 14:55:40 +0100 Subject: [PATCH] ci: improve token handling and workflow permissions
--- .github/workflows/automerge.yml | 49 +++++++++++++++++++++++++++++++++ .github/workflows/binaries.yml | 11 +++++++- .github/workflows/changes.yml | 10 +++++++ .github/workflows/docker.yml | 35 +++++++++++++++++------ .github/workflows/docs.yml | 8 ++++++ .github/workflows/general.yml | 10 +++++-- .github/workflows/kustomize.yml | 12 ++++---- 7 files changed, 117 insertions(+), 18 deletions(-) create mode 100644 .github/workflows/automerge.yml
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml new file mode 100644
index 0000000..9623fa0
--- /dev/null
+++ b/.github/workflows/automerge.yml
@@ -0,0 +1,49 @@
+---
+name: automerge
+
+"on":
+ workflow_dispatch:
+ pull_request:
+ branches:
+ - master
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ dependabot:
+ runs-on: ubuntu-latest
+ if: github.actor == 'dependabot[bot]'
+
+ steps:
+ - name: Generate token
+ id: token
+ uses: tibdex/github-app-token@v2
+ with:
+ app_id: ${{ secrets.TOKEN_EXCHANGE_APP }}
+ installation_retrieval_mode: id
+ installation_retrieval_payload: ${{ secrets.TOKEN_EXCHANGE_INSTALL }}
+ private_key: ${{ secrets.TOKEN_EXCHANGE_KEY }}
+ permissions: >-
+ {"contents": "write", "pull_requests": "write", "issues": "write"}
+
+ - name: Fetch metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v1
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Approve request
+ id: approve
+ run: gh pr review --approve "${{github.event.pull_request.html_url}}"
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Enable automerge
+ id: automerge
+ run: gh pr merge --rebase --auto "${{github.event.pull_request.html_url}}"
+ env:
+ GH_TOKEN: ${{ steps.token.outputs.token }}
+
+...
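Review bot: The outputs of the `Fetch metadata` step are never consulted, so `Approve request` and `Enable automerge` approve and auto-merge every Dependabot PR, major version bumps of the pinned Actions and Go modules included; gate both steps on the update type, e.g. `if: steps.metadata.outputs.update-type != 'version-update:semver-major'`, or drop the metadata step if unconditional merging is really intended. The app token is also minted with `"issues": "write"`, which nothing visible in the job uses — `gh pr merge --auto` is the only consumer of that token, so trim the JSON to the `contents`/`pull_requests` scopes it needs. Note that the `workflow_dispatch` trigger cannot reach this job: a manual run has a human `github.actor`, so the `dependabot[bot]` guard skips it, and `github.event.pull_request.html_url` would be empty anyway.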
diff --git a/.github/workflows/binaries.yml b/.github/workflows/binaries.yml index df5058f..5b47c36 100644 --- a/.github/workflows/binaries.yml +++ b/.github/workflows/binaries.yml @@ -2,10 +2,19 @@ name: binaries "on": + workflow_dispatch: + pull_request: + branches: + - master push: + branches: + - master tags: - v* +permissions: + contents: write + jobs: binaries: runs-on: ubuntu-latest @@ -31,6 +40,7 @@ jobs: - name: Sign release id: gpgsign + if: startsWith(github.ref, 'refs/tags/') uses: actionhippie/gpgsign@v1 with: private_key: ${{ secrets.GNUPG_KEY }} @@ -51,7 +61,6 @@ jobs: if: startsWith(github.ref, 'refs/tags/') uses: ncipollo/release-action@v1 with: - token: ${{ secrets.GITHUB_TOKEN }} body: ${{ steps.changelog.outputs.generated }} artifacts: dist/* diff --git a/.github/workflows/changes.yml b/.github/workflows/changes.yml index 78e6fe9..2f20fc9 100644 --- a/.github/workflows/changes.yml +++ b/.github/workflows/changes.yml @@ -2,10 +2,17 @@ name: changes "on": + workflow_dispatch: + pull_request: + branches: + - master push: branches: - master +permissions: + contents: read + jobs: changelog: runs-on: ubuntu-latest @@ -29,6 +36,7 @@ jobs: - name: Commit changes id: commit + if: github.event_name != 'pull_request' uses: EndBug/add-and-commit@v9 with: author_name: GitHub Actions @@ -60,6 +68,7 @@ jobs: - name: Commit changes id: commit + if: github.event_name != 'pull_request' uses: EndBug/add-and-commit@v9 with: author_name: GitHub Actions @@ -91,6 +100,7 @@ jobs: - name: Commit changes id: commit + if: github.event_name != 'pull_request' uses: EndBug/add-and-commit@v9 with: author_name: GitHub Actions diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index f139235..dab5b49 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml 
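Review bot: `permissions: contents: write` now applies to every trigger, including the newly added `pull_request` runs, while the only step that needs write is the tag-gated `ncipollo/release-action`; a same-repo PR run therefore executes the whole build with a token that can push to the repository. GitHub has no per-event permissions, so the usual shape is to move the release steps into their own job with `if: startsWith(github.ref, 'refs/tags/')` and job-level `permissions: contents: write`, leaving the build job at `contents: read`. Dropping the explicit `token:` input looks fine as long as the action falls back to `github.token`, which its default does. The `binaries` job body continues outside these hunks.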
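Review bot: `permissions: contents: read` in changes.yml conflicts with the three `EndBug/add-and-commit@v9` steps, which push commits on `push` events; if their checkout steps (outside the hunks) rely on the default `GITHUB_TOKEN`, those pushes will now be rejected. Either raise the workflow to `contents: write` or confirm the checkouts use a bot PAT/app token with write access, and record which in a comment above `permissions:` (e.g. `# read is enough: commits are pushed with the bot token from checkout`) so the next reader does not tighten it again by mistake. The `if: github.event_name != 'pull_request'` guards on the commit steps are the right gate for the new PR trigger.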
@@ -2,12 +2,20 @@ name: docker "on": + workflow_dispatch: + pull_request: + branches: + - master push: branches: - master tags: - v* +permissions: + contents: read + packages: write + jobs: docker: runs-on: ubuntu-latest @@ -18,16 +26,20 @@ jobs: - platform: linux/386 goos: linux goarch: 386 + tags: netgo - platform: linux/amd64 goos: linux goarch: amd64 - - platform: linux/arm64 - goos: linux - goarch: arm64 + tags: netgo - platform: linux/arm/6 goos: linux goarch: arm goarm: 6 + tags: netgo + - platform: linux/arm64 + goos: linux + goarch: arm64 + tags: netgo steps: - name: Checkout source @@ -46,6 +58,7 @@ jobs: GOOS: ${{ matrix.goos }} GOARCH: ${{ matrix.goarch }} GOARM: ${{ matrix.goarm }} + TAGS: ${{ matrix.tags }} run: make generate - name: Run build @@ -54,13 +67,13 @@ jobs: GOOS: ${{ matrix.goos }} GOARCH: ${{ matrix.goarch }} GOARM: ${{ matrix.goarm }} + TAGS: ${{ matrix.tags }} run: make build - name: Docker meta id: meta uses: docker/metadata-action@v5 with: - github-token: ${{ secrets.GITHUB_TOKEN }} images: | promhippie/jenkins-exporter quay.io/promhippie/jenkins-exporter @@ -109,7 +122,7 @@ jobs: if: github.event_name != 'pull_request' with: registry: ghcr.io - username: ${{ github.actor }} + username: bothippie password: ${{ secrets.GITHUB_TOKEN }} - name: Build image @@ -128,6 +141,7 @@ jobs: manifest: runs-on: ubuntu-latest needs: docker + if: github.event_name != 'pull_request' steps: - name: Checkout source @@ -138,7 +152,6 @@ jobs: id: hubTags uses: docker/metadata-action@v5 with: - github-token: ${{ secrets.GITHUB_TOKEN }} images: promhippie/jenkins-exporter tags: | type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }} @@ -161,7 +174,6 @@ jobs: id: quayTags uses: docker/metadata-action@v5 with: - github-token: ${{ secrets.GITHUB_TOKEN }} images: quay.io/promhippie/jenkins-exporter tags: | type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }} 
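Review bot: `username: bothippie` paired with `password: ${{ secrets.GITHUB_TOKEN }}` does not publish as the bothippie account — the identity and scopes come from the workflow token (now granted `packages: write`), and the username field is, as far as I can tell, nominal for a GHCR token login. If pushing under bothippie is the goal, that account's PAT in a secret is required; if not, add `# username is nominal: GHCR authenticates on the token` above the line so the value is not mistaken for a wired-up bot account. Since the `docker` job now also runs on `pull_request`, `make generate`/`make build` execute the PR's Makefile in a job holding `packages: write` (read-only for fork PRs, but not for same-repo PRs); the login step's PR guard prevents a push, it does not shrink the token.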
@@ -171,6 +183,7 @@ jobs: - name: Quay manifest id: quay + if: github.event_name != 'pull_request' uses: actionhippie/manifest@v1 with: username: ${{ secrets.QUAY_USERNAME }} @@ -182,9 +195,9 @@ jobs: - name: Ghcr tags id: ghcrTags + if: github.event_name != 'pull_request' uses: docker/metadata-action@v5 with: - github-token: ${{ secrets.GITHUB_TOKEN }} images: ghcr.io/promhippie/jenkins-exporter tags: | type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }} @@ -194,9 +207,10 @@ jobs: - name: Ghcr manifest id: ghcr + if: github.event_name != 'pull_request' uses: actionhippie/manifest@v1 with: - username: ${{ github.actor }} + username: bothippie password: ${{ secrets.GITHUB_TOKEN }} platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v6 template: ghcr.io/promhippie/jenkins-exporter:VERSION-OS-ARCH @@ -206,6 +220,7 @@ jobs: readme: runs-on: ubuntu-latest needs: docker + if: github.event_name != 'pull_request' steps: - name: Checkout source @@ -214,6 +229,7 @@ jobs: - name: Hub readme id: hub + if: github.event_name != 'pull_request' uses: actionhippie/pushrm@v1 with: provider: dockerhub @@ -225,6 +241,7 @@ jobs: - name: Quay readme id: quay + if: github.event_name != 'pull_request' uses: actionhippie/pushrm@v1 with: provider: quay diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 8badfe3..a8f5b61 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -2,10 +2,17 @@ name: docs "on": + workflow_dispatch: + pull_request: + branches: + - master push: branches: - master +permissions: + contents: write + jobs: docs: runs-on: ubuntu-latest @@ -28,6 +35,7 @@ jobs: - name: Deploy pages id: deploy + if: github.event_name != 'pull_request' uses: peaceiris/actions-gh-pages@v3 with: github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/general.yml b/.github/workflows/general.yml index a790052..f2af8e6 100644 --- a/.github/workflows/general.yml +++ b/.github/workflows/general.yml 
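Review bot: The step-level `if: github.event_name != 'pull_request'` guards added to the `quay`, `ghcrTags`, `ghcr`, `hub` and `quay` readme steps are redundant once the `manifest` and `readme` jobs carry the same condition at job level: a skipped job never runs its steps, so the duplicates only add noise and a second place to keep in sync. Drop the step-level copies and keep the job-level `if:` lines.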
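Review bot: In docs.yml `permissions: contents: write` is granted for every trigger, including the new `pull_request` runs, but only the `Deploy pages` step, now gated on `github.event_name != 'pull_request'`, needs it; the documentation build before it (outside the hunk) runs with a push-capable token on same-repo PRs. If the build can be separated, give it a read-only job and keep `contents: write` on the deploy job; otherwise a comment such as `# write: actions-gh-pages pushes the gh-pages branch` above `permissions:` documents why the elevated scope exists.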
@@ -2,13 +2,17 @@ name: general "on": - push: + workflow_dispatch: + pull_request: branches: - master - pull_request: + push: branches: - master +permissions: + contents: read + jobs: testing: runs-on: ubuntu-latest @@ -50,7 +54,7 @@ jobs: - name: Coverage report id: codacy - if: github.ref == 'refs/heads/master' + if: github.event_name != 'pull_request' uses: codacy/codacy-coverage-reporter-action@v1 with: project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} diff --git a/.github/workflows/kustomize.yml b/.github/workflows/kustomize.yml index 5e6ea92..4c59d01 100644 --- a/.github/workflows/kustomize.yml +++ b/.github/workflows/kustomize.yml @@ -2,13 +2,17 @@ name: kustomize "on": - push: + workflow_dispatch: + pull_request: branches: - master - pull_request: + push: branches: - master +permissions: + contents: read + jobs: generate: runs-on: ubuntu-latest @@ -17,14 +21,12 @@ jobs: - name: Checkout source id: source uses: actions/checkout@v4 - with: - token: ${{ secrets.BOT_ACCESS_TOKEN }} - name: Generate manifest id: kustomize uses: actionhippie/kustomize@v2 with: - version: 4.4.0 + version: 5.2.1 path: deploy/kubernetes/ target: deploy/kubernetes/bundle.yml
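Review bot: Removing `token: ${{ secrets.BOT_ACCESS_TOKEN }}` from the kustomize checkout is the right least-privilege move, but `actions/checkout@v4` still persists the default `GITHUB_TOKEN` in `.git/config`; since the job is now `contents: read` and the visible steps only read the tree, add `with: persist-credentials: false` so later steps (and whatever `actionhippie/kustomize@v2` runs) cannot reuse the credential. If a commit/push step for `deploy/kubernetes/bundle.yml` follows outside the hunk, it previously pushed with the PAT and now has neither that nor write permission — confirm before merging. The bump from `4.4.0` to `5.2.1` crosses a kustomize major version, so it is worth checking that the generated bundle is byte-identical before and after.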