diff --git a/.github/settings.yml b/.github/settings.yml
index 9fe7eba..5dd2f16 100644
--- a/.github/settings.yml
+++ b/.github/settings.yml
@@ -22,38 +22,6 @@ repository:
 enable_automated_security_fixes: true
 enable_vulnerability_alerts: true
 
-labels:
- - name: bug
- color: d73a4a
- description: Something isn't working
- - name: duplicate
- color: cfd3d7
- description: This issue or pull request already exists
- - name: enhancement
- color: a2eeef
- description: New feature or request
- - name: good first issue
- color: 7057ff
- description: Good for newcomers
- - name: help wanted
- color: 008672
- description: Extra attention is needed
- - name: invalid
- color: e4e669
- description: This doesn't seem right
- - name: question
- color: d876e3
- description: Further information is requested
- - name: renovate
- color: e99695
- description: Automated action from Renovate
- - name: wontfix
- color: ffffff
- description: This will not be worked on
- - name: outdated
- color: cccccc
- description: This is out of scope and outdated
-
 branches:
 - name: master
 protection:
@@ -66,6 +34,7 @@ branches:
 restrictions:
 apps:
 - renovate
+ - promhippie
 users: []
 teams:
 - admins
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
new file mode 100644
index 0000000..9623fa0
--- /dev/null
+++ b/.github/workflows/automerge.yml
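Review bot: The `- promhippie` entry added under `restrictions.apps` in the second hunk extends the set of identities allowed to push to the protected master branch, but nothing records which GitHub App this is or which workflow depends on it. A short inline comment would help later audits of this file, e.g. `- promhippie  # App whose installation token merges Dependabot PRs in automerge.yml`, assuming this is the app behind TOKEN_EXCHANGE_APP in the new workflow. Since push restrictions are the gate that `gh pr merge --auto` ultimately has to pass, the list should stay limited to the apps the workflows actually need.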
@@ -0,0 +1,49 @@
+---
+name: automerge
+
+"on":
+ workflow_dispatch:
+ pull_request:
+ branches:
+ - master
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ dependabot:
+ runs-on: ubuntu-latest
+ if: github.actor == 'dependabot[bot]'
+
+ steps:
+ - name: Generate token
+ id: token
+ uses: tibdex/github-app-token@v2
+ with:
+ app_id: ${{ secrets.TOKEN_EXCHANGE_APP }}
+ installation_retrieval_mode: id
+ installation_retrieval_payload: ${{ secrets.TOKEN_EXCHANGE_INSTALL }}
+ private_key: ${{ secrets.TOKEN_EXCHANGE_KEY }}
+ permissions: >-
+ {"contents": "write", "pull_requests": "write", "issues": "write"}
+
+ - name: Fetch metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v1
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Approve request
+ id: approve
+ run: gh pr review --approve "${{github.event.pull_request.html_url}}"
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Enable automerge
+ id: automerge
+ run: gh pr merge --rebase --auto "${{github.event.pull_request.html_url}}"
+ env:
+ GH_TOKEN: ${{ steps.token.outputs.token }}
+
+...
diff --git a/.github/workflows/binaries.yml b/.github/workflows/binaries.yml
index 9abad87..5b47c36 100644
--- a/.github/workflows/binaries.yml
+++ b/.github/workflows/binaries.yml
@@ -12,6 +12,9 @@ name: binaries
 tags:
 - v*
 
+permissions:
+ contents: write
+
 jobs:
 binaries:
 runs-on: ubuntu-latest
@@ -58,7 +61,6 @@ jobs:
 if: startsWith(github.ref, 'refs/tags/')
 uses: ncipollo/release-action@v1
 with:
- token: ${{ secrets.GITHUB_TOKEN }}
 body: ${{ steps.changelog.outputs.generated }}
 artifacts: dist/*
 
diff --git a/.github/workflows/changes.yml b/.github/workflows/changes.yml
index 76edf2b..b495da5 100644
--- a/.github/workflows/changes.yml
+++ b/.github/workflows/changes.yml
@@ -10,6 +10,9 @@ name: changes
 branches:
 - master
 
+permissions:
+ contents: read
+
 jobs:
 changelog:
 runs-on: ubuntu-latest
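Review bot: The outputs of the `Fetch metadata` step are never read, so `Approve request` and `Enable automerge` run for every Dependabot PR that reaches this job, including major version bumps; adding `if: steps.metadata.outputs.update-type != 'version-update:semver-major'` to both steps keeps majors on the manual review path while still auto-merging patch and minor updates. The `workflow_dispatch` trigger looks dead: a manual run has a human or non-Dependabot actor, so the job-level `if: github.actor == 'dependabot[bot]'` always skips it, and such a run would carry no `github.event.pull_request` payload for the `gh` commands anyway, so the trigger can be dropped. The PR URL is interpolated directly into the two `run:` lines; it is a GitHub-generated value, but supplying it via `env:` (`PR_URL: ${{ github.event.pull_request.html_url }}` and `"$PR_URL"` in the command) matches how GH_TOKEN is already passed and keeps event data out of the shell line by construction.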
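Review bot: `permissions: contents: write` is declared at workflow level in the first binaries.yml hunk, so it applies to every job in that file, not only to the release step in the second hunk that actually needs it; if the workflow has or gains build or test jobs besides `binaries`, set `contents: read` at the top and `contents: write` under the releasing job instead. The same workflow-wide grant appears in docker.yml (`packages: write`) and docs.yml (`contents: write`) in this commit. Only the `binaries` job header is visible here, so the workflow may well be single-job today, in which case the two forms are equivalent and this is a note for future maintenance.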
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index c8500b9..7eedd51 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -12,6 +12,10 @@ name: docker
 tags:
 - v*
 
+permissions:
+ contents: read
+ packages: write
+
 jobs:
 docker:
 runs-on: ubuntu-latest
@@ -70,7 +74,6 @@ jobs:
 id: meta
 uses: docker/metadata-action@v5
 with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
 images: |
 promhippie/prometheus-scw-sd
 quay.io/promhippie/prometheus-scw-sd
@@ -119,7 +122,7 @@ jobs:
 if: github.event_name != 'pull_request'
 with:
 registry: ghcr.io
- username: ${{ github.actor }}
+ username: bothippie
 password: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Build image
@@ -149,7 +152,6 @@ jobs:
 id: hubTags
 uses: docker/metadata-action@v5
 with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
 images: promhippie/prometheus-scw-sd
 tags: |
 type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
@@ -172,7 +174,6 @@ jobs:
 id: quayTags
 uses: docker/metadata-action@v5
 with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
 images: quay.io/promhippie/prometheus-scw-sd
 tags: |
 type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
@@ -197,7 +198,6 @@ jobs:
 if: github.event_name != 'pull_request'
 uses: docker/metadata-action@v5
 with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
 images: ghcr.io/promhippie/prometheus-scw-sd
 tags: |
 type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
@@ -210,7 +210,7 @@ jobs:
 if: github.event_name != 'pull_request'
 uses: actionhippie/manifest@v1
 with:
- username: ${{ github.actor }}
+ username: bothippie
 password: ${{ secrets.GITHUB_TOKEN }}
 platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v6
 template: ghcr.io/promhippie/prometheus-scw-sd:VERSION-OS-ARCH
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index ce9526a..a8f5b61 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
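Review bot: The two `username: bothippie` lines (the ghcr.io login hunk and the actionhippie/manifest hunk) hard-code an account name while the credential stays `secrets.GITHUB_TOKEN`, so the pushing identity is the workflow token, not that user; as far as I know ghcr.io does not validate the username against a GITHUB_TOKEN, which makes the literal easy to misread as a service account with its own credentials. A comment on the first occurrence, e.g. `username: bothippie  # credential is GITHUB_TOKEN; this name is not a separate account`, plus a sentence in the commit message on why `${{ github.actor }}` was dropped (presumably so Dependabot- or app-triggered runs do not log in as that actor), would record the intent. Both login steps remain gated on `github.event_name != 'pull_request'`, so fork PRs never reach them, which is the right shape for a `packages: write` workflow.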
@@ -10,6 +10,9 @@ name: docs
 branches:
 - master
 
+permissions:
+ contents: write
+
 jobs:
 docs:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/general.yml b/.github/workflows/general.yml
index b850470..f2af8e6 100644
--- a/.github/workflows/general.yml
+++ b/.github/workflows/general.yml
@@ -10,6 +10,9 @@ name: general
 branches:
 - master
 
+permissions:
+ contents: read
+
 jobs:
 testing:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/kustomize.yml b/.github/workflows/kustomize.yml
index 4fdec9c..4c59d01 100644
--- a/.github/workflows/kustomize.yml
+++ b/.github/workflows/kustomize.yml
@@ -10,6 +10,9 @@ name: kustomize
 branches:
 - master
 
+permissions:
+ contents: read
+
 jobs:
 generate:
 runs-on: ubuntu-latest
@@ -23,7 +26,7 @@ jobs:
 id: kustomize
 uses: actionhippie/kustomize@v2
 with:
- version: 4.4.0
+ version: 5.2.1
 path: deploy/kubernetes/
 target: deploy/kubernetes/bundle.yml
 