Skip to content

Commit

Permalink
ci: improve token handling and workflow permissions
Browse files Browse the repository at this point in the history
  • Loading branch information
tboerger committed Oct 31, 2023
1 parent e75216e commit 81d0240
Show file tree
Hide file tree
Showing 8 changed files with 72 additions and 40 deletions.
33 changes: 1 addition & 32 deletions .github/settings.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,38 +22,6 @@ repository:
enable_automated_security_fixes: true
enable_vulnerability_alerts: true

labels:
- name: bug
color: d73a4a
description: Something isn't working
- name: duplicate
color: cfd3d7
description: This issue or pull request already exists
- name: enhancement
color: a2eeef
description: New feature or request
- name: good first issue
color: 7057ff
description: Good for newcomers
- name: help wanted
color: 008672
description: Extra attention is needed
- name: invalid
color: e4e669
description: This doesn't seem right
- name: question
color: d876e3
description: Further information is requested
- name: renovate
color: e99695
description: Automated action from Renovate
- name: wontfix
color: ffffff
description: This will not be worked on
- name: outdated
color: cccccc
description: This is out of scope and outdated

branches:
- name: master
protection:
Expand All @@ -66,6 +34,7 @@ branches:
restrictions:
apps:
- renovate
- promhippie
users: []
teams:
- admins
Expand Down
49 changes: 49 additions & 0 deletions .github/workflows/automerge.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
---
name: automerge

"on":
workflow_dispatch:
pull_request:
branches:
- master

permissions:
contents: write
pull-requests: write

jobs:
dependabot:
runs-on: ubuntu-latest
if: github.actor == 'dependabot[bot]'

steps:
- name: Generate token
id: token
uses: tibdex/github-app-token@v2
with:
app_id: ${{ secrets.TOKEN_EXCHANGE_APP }}
installation_retrieval_mode: id
installation_retrieval_payload: ${{ secrets.TOKEN_EXCHANGE_INSTALL }}
private_key: ${{ secrets.TOKEN_EXCHANGE_KEY }}
permissions: >-
{"contents": "write", "pull_requests": "write", "issues": "write"}
- name: Fetch metadata
id: metadata
uses: dependabot/fetch-metadata@v1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}

- name: Approve request
id: approve
run: gh pr review --approve "${{github.event.pull_request.html_url}}"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Enable automerge
id: automerge
run: gh pr merge --rebase --auto "${{github.event.pull_request.html_url}}"
env:
GH_TOKEN: ${{ steps.token.outputs.token }}

...
4 changes: 3 additions & 1 deletion .github/workflows/binaries.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,9 @@ name: binaries
tags:
- v*

permissions:
contents: write

jobs:
binaries:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -58,7 +61,6 @@ jobs:
if: startsWith(github.ref, 'refs/tags/')
uses: ncipollo/release-action@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
body: ${{ steps.changelog.outputs.generated }}
artifacts: dist/*

Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/changes.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ name: changes
branches:
- master

permissions:
contents: read

jobs:
changelog:
runs-on: ubuntu-latest
Expand Down
12 changes: 6 additions & 6 deletions .github/workflows/docker.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,10 @@ name: docker
tags:
- v*

permissions:
contents: read
packages: write

jobs:
docker:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -70,7 +74,6 @@ jobs:
id: meta
uses: docker/metadata-action@v5
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
images: |
promhippie/prometheus-scw-sd
quay.io/promhippie/prometheus-scw-sd
Expand Down Expand Up @@ -119,7 +122,7 @@ jobs:
if: github.event_name != 'pull_request'
with:
registry: ghcr.io
username: ${{ github.actor }}
username: bothippie
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build image
Expand Down Expand Up @@ -149,7 +152,6 @@ jobs:
id: hubTags
uses: docker/metadata-action@v5
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
images: promhippie/prometheus-scw-sd
tags: |
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
Expand All @@ -172,7 +174,6 @@ jobs:
id: quayTags
uses: docker/metadata-action@v5
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
images: quay.io/promhippie/prometheus-scw-sd
tags: |
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
Expand All @@ -197,7 +198,6 @@ jobs:
if: github.event_name != 'pull_request'
uses: docker/metadata-action@v5
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
images: ghcr.io/promhippie/prometheus-scw-sd
tags: |
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
Expand All @@ -210,7 +210,7 @@ jobs:
if: github.event_name != 'pull_request'
uses: actionhippie/manifest@v1
with:
username: ${{ github.actor }}
username: bothippie
password: ${{ secrets.GITHUB_TOKEN }}
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v6
template: ghcr.io/promhippie/prometheus-scw-sd:VERSION-OS-ARCH
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/docs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ name: docs
branches:
- master

permissions:
contents: write

jobs:
docs:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/general.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ name: general
branches:
- master

permissions:
contents: read

jobs:
testing:
runs-on: ubuntu-latest
Expand Down
5 changes: 4 additions & 1 deletion .github/workflows/kustomize.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ name: kustomize
branches:
- master

permissions:
contents: read

jobs:
generate:
runs-on: ubuntu-latest
Expand All @@ -23,7 +26,7 @@ jobs:
id: kustomize
uses: actionhippie/kustomize@v2
with:
version: 4.4.0
version: 5.2.1
path: deploy/kubernetes/
target: deploy/kubernetes/bundle.yml

Expand Down

0 comments on commit 81d0240

Please sign in to comment.