From 0fd7125b3b8933f2b5bcb6dff020221951e855ed Mon Sep 17 00:00:00 2001 From: Frederic Leger Date: Tue, 14 Jan 2025 17:39:52 +0100 Subject: [PATCH] ci: fix linter warnings --- .github/actions/should-build-image/action.yml | 12 ++++++--- .github/dependabot.template.yml | 19 -------------- .../__shared-get-available-images-matrix.yml | 2 ++ .github/workflows/generate-release-config.yml | 5 +++- .github/workflows/main-ci.yml | 15 +++++++++++ .github/workflows/need-fix-to-issue.yml | 26 +++++++++++++++++++ .github/workflows/pull-request-ci.yml | 2 +- .github/workflows/release.yml | 26 ++++++++++++++++--- 8 files changed, 78 insertions(+), 29 deletions(-) delete mode 100644 .github/dependabot.template.yml create mode 100644 .github/workflows/need-fix-to-issue.yml diff --git a/.github/actions/should-build-image/action.yml b/.github/actions/should-build-image/action.yml index cce0416..58022bb 100644 --- a/.github/actions/should-build-image/action.yml +++ b/.github/actions/should-build-image/action.yml @@ -20,19 +20,23 @@ inputs: runs: using: "composite" steps: - - name: Checkout + - if: ${{ github.event_name == 'push' }} + uses: actions/checkout@v4 + with: + fetch-depth: 2 + - if: ${{ github.event_name != 'push' }} uses: actions/checkout@v4 with: fetch-depth: 0 - id: changed-files - uses: tj-actions/changed-files@v44.5.2 + uses: tj-actions/changed-files@v45.0.5 with: base_sha: ${{ inputs.base-sha }} since_last_remote_commit: ${{ github.event_name == 'push' }} files: | - ./${{ inputs.build-context }}/* - .github/actions/should-build-image/* + ${{ inputs.build-context }}/ + .github/actions/should-build-image/ .github/workflows/__shared-ci.yml .github/workflows/__shared-get-available-images-matrix.yml diff --git a/.github/dependabot.template.yml b/.github/dependabot.template.yml deleted file mode 100644 index 909edb9..0000000 --- a/.github/dependabot.template.yml +++ /dev/null 
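Review bot: `tj-actions/changed-files@v45.0.5` is still referenced by a mutable tag; a third-party action that runs with the job's token should be pinned to its full commit SHA with the version kept in a trailing comment, `uses: tj-actions/changed-files@<full-commit-sha> # v45.0.5`, which is also the form most actions linters expect. The same applies to `release-drafter/release-drafter@v6.0.0` in release.yml. The two `if:`-guarded checkout steps differ only in `fetch-depth` and can be a single step with `fetch-depth: ${{ github.event_name == 'push' && 2 || 0 }}`, which also keeps the `name: Checkout` label the hunk removes. With `fetch-depth: 2` on push, `since_last_remote_commit` presumably needs the commit before the push to be present in the clone; if a push can carry more than one commit that base is not fetched — worth confirming against the changed-files documentation.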
@@ -1,19 +0,0 @@ -version: 2 -updates: - - package-ecosystem: "docker" - directory: "/images/*/Dockerfile" - open-pull-requests-limit: 20 - schedule: - interval: "weekly" - - - package-ecosystem: "github-actions" - directory: "/" - open-pull-requests-limit: 20 - schedule: - interval: "weekly" - - - package-ecosystem: "github-actions" - directory: ".github/actions/**/action.yml" - open-pull-requests-limit: 20 - schedule: - interval: "weekly" diff --git a/.github/workflows/__shared-get-available-images-matrix.yml b/.github/workflows/__shared-get-available-images-matrix.yml index f2d5027..6e7a8f8 100644 --- a/.github/workflows/__shared-get-available-images-matrix.yml +++ b/.github/workflows/__shared-get-available-images-matrix.yml @@ -6,6 +6,8 @@ on: images-matrix: description: 'Available images matrix. Example: ["composer","drupal-10"]' value: ${{ jobs.get-available-images-matrix.outputs.images-matrix }} +permissions: + contents: read jobs: get-available-images-matrix: diff --git a/.github/workflows/generate-release-config.yml b/.github/workflows/generate-release-config.yml index 52f1d50..8cf52d9 100644 --- a/.github/workflows/generate-release-config.yml +++ b/.github/workflows/generate-release-config.yml @@ -4,6 +4,9 @@ on: branches: - main +permissions: + contents: read + jobs: get-available-images-matrix: uses: ./.github/workflows/__shared-get-available-images-matrix.yml @@ -58,7 +61,7 @@ jobs: app_id: ${{ vars.CI_BOT_APP_ID }} private_key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }} - - uses: hoverkraft-tech/ci-github-common/actions/create-and-merge-pull-request@0.4.3 + - uses: hoverkraft-tech/ci-github-common/actions/create-and-merge-pull-request@0.16.0 with: github-token: ${{ steps.generate-token.outputs.token }} branch: chore/release-config diff --git a/.github/workflows/main-ci.yml b/.github/workflows/main-ci.yml index 1f9ac07..d3900d4 100644 --- a/.github/workflows/main-ci.yml +++ b/.github/workflows/main-ci.yml 
@@ -4,6 +4,15 @@ on: push: branches: [main] +permissions: + contents: read + issues: read + packages: write + pull-requests: read + statuses: write + # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659 + id-token: write + jobs: ci: name: Continuous Integration @@ -15,6 +24,12 @@ jobs: uses: ./.github/workflows/__shared-get-available-images-matrix.yml clean: + # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659 + permissions: + id-token: write + contents: read + pull-requests: read + packages: write needs: get-available-images-matrix uses: hoverkraft-tech/ci-github-container/.github/workflows/prune-pull-requests-images-tags.yml@0.19.0 with: diff --git a/.github/workflows/need-fix-to-issue.yml b/.github/workflows/need-fix-to-issue.yml new file mode 100644 index 0000000..9f10a46 --- /dev/null +++ b/.github/workflows/need-fix-to-issue.yml @@ -0,0 +1,26 @@ +name: Need fix to Issue + +on: + push: + branches: + - main + workflow_dispatch: + inputs: + #checkov:skip=CKV_GHA_7: required + manual-commit-ref: + description: "The SHA of the commit to get the diff for" + required: true + manual-base-ref: + description: "By default, the commit entered above is compared to the one directly before it; to go back further, enter an earlier SHA here" + required: false + +permissions: + contents: read + issues: write + +jobs: + main: + uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@0.16.0 + with: + manual-commit-ref: ${{ inputs.manual-commit-ref }} + manual-base-ref: ${{ inputs.manual-base-ref }} diff --git a/.github/workflows/pull-request-ci.yml b/.github/workflows/pull-request-ci.yml index b34316c..a00b729 100644 --- a/.github/workflows/pull-request-ci.yml +++ b/.github/workflows/pull-request-ci.yml 
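Review bot: The workflow-level block grants `packages: write`, `statuses: write` and `id-token: write` to every job in main-ci.yml that does not override it, including `ci` and `get-available-images-matrix`, while the `clean` job in the second hunk declares its own grant anyway. Job-level `permissions` replace the workflow-level block for that job, so the top level can shrink to `permissions: contents: read` and each job that needs write scopes lists them explicitly, as `clean` does. `id-token: write` in particular lets any step in the job mint an OIDC token, so it belongs only on jobs that exchange one. release.yml (`@@ -3,6 +3,14 @@`) has the same shape, with `contents: write` workflow-wide. I cannot tell from the hunk whether `ci` needs `packages: write` itself, and the FIXME would be more useful if it named the scope that the linked discussion's workaround requires.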
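Review bot: On the `push` trigger `inputs.manual-commit-ref` and `inputs.manual-base-ref` are empty, because the `inputs` context is only filled by `workflow_dispatch`, so the called workflow receives an empty `manual-commit-ref` even though the input is declared `required: true`. If `need-fix-to-issue.yml@0.16.0` does not already fall back to the pushed commit, make the fallback explicit, `manual-commit-ref: ${{ inputs.manual-commit-ref || github.sha }}`; if it does, a comment above `with:` such as `# empty on push: the called workflow then uses the pushed commit` saves the next reader the lookup. Both values are free-form strings that, per their descriptions, are used as commit SHAs by a workflow outside this repository; the `checkov:skip=CKV_GHA_7` marker records that choice, but a short justification in that comment (why dispatch inputs are required here) would make the skip reviewable later.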
@@ -62,7 +62,7 @@ jobs: core.setOutput('comment-body','No images have been built.'); } - - uses: hoverkraft-tech/ci-github-common/actions/create-or-update-comment@0.15.0 + - uses: hoverkraft-tech/ci-github-common/actions/create-or-update-comment@0.16.0 with: title: "Images have been built :sparkles: !" body: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 243be21..45e8e07 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,6 +3,14 @@ name: • 🛫 Release on: workflow_dispatch: +permissions: + contents: write + issues: read + packages: write + pull-requests: read + # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659 + id-token: write + jobs: get-available-images-matrix: uses: ./.github/workflows/__shared-get-available-images-matrix.yml @@ -48,7 +56,7 @@ jobs: - id: release if: steps.should-build-image.outputs.should-build-image == 'true' - uses: release-drafter/release-drafter@v5 + uses: release-drafter/release-drafter@v6.0.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: 
@@ -59,19 +67,21 @@ jobs: if: steps.should-build-image.outputs.should-build-image == 'true' && steps.release.outputs.tag_name != '' run: | BUILD_TAG=$(echo "${{ steps.release.outputs.tag_name }}" | sed -E "s/^${{ matrix.image }}-//") - BUILD_IMAGES='{"name":"${{ matrix.image }}","context":"images/${{ matrix.image }}", "dockerfile":"Dockerfile", "tag":"'$BUILD_TAG'", "platforms": ["linux/amd64","linux/arm64","linux/arm/v7"]}' + BUILD_IMAGES='{"name":"${{ matrix.image }}","context":"images/${{ matrix.image }}", "dockerfile":"Dockerfile", "tag":"'$BUILD_TAG'", "platforms": ["linux/amd64","linux/arm64"]}' + echo "BUILD_IMAGES=$BUILD_IMAGES" echo "images<> "$GITHUB_OUTPUT" && echo "$BUILD_IMAGES" >> "$GITHUB_OUTPUT" && echo "EOF" >> "$GITHUB_OUTPUT" # FIXME: Set built images infos in file to be uploaded as artifacts, because github action does not handle job outputs for matrix # https://github.com/orgs/community/discussions/26639 - if: steps.should-build-image.outputs.should-build-image == 'true' - uses: hoverkraft-tech/ci-github-common/actions/set-matrix-output@0.4.3 + uses: hoverkraft-tech/ci-github-common/actions/set-matrix-output@0.16.0 with: value: ${{ steps.set-images-to-build.outputs.images }} artifact-name: images-to-build # FIXME: Download matrix ouputs from artifacts, because github action does not handle job outputs for matrix # https://github.com/orgs/community/discussions/26639 + # jscpd:ignore-start get-images-to-build: needs: prepare-images-to-build runs-on: "ubuntu-latest" 
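Review bot: `${{ steps.release.outputs.tag_name }}` and `${{ matrix.image }}` are expanded straight into the `run: |` script of the `set-images-to-build` step, so their contents become shell source; both come from repository-controlled data here (the release-drafter output and the image matrix), so this is hardening rather than a live injection, but passing them through `env:` and quoting them as shell variables is the form actions linters expect, and it also lets the `sed` prefix strip become a plain parameter expansion. The same hunk drops `linux/arm/v7` from `platforms`, a build-target change that a commit titled "fix linter warnings" does not mention; it deserves its own commit or at least a comment on that line giving the reason. The added `echo "BUILD_IMAGES=$BUILD_IMAGES"` only writes to the job log and is harmless, but if it was a debugging aid it can go. The step's `- id:` line is above the hunk.
```yaml
        env:
          TAG_NAME: ${{ steps.release.outputs.tag_name }}
          IMAGE: ${{ matrix.image }}
        run: |
          # strip the "<image>-" prefix from the release tag (literal match, no regex)
          BUILD_TAG="${TAG_NAME#"${IMAGE}-"}"
          BUILD_IMAGES='{"name":"'"$IMAGE"'","context":"images/'"$IMAGE"'", "dockerfile":"Dockerfile", "tag":"'"$BUILD_TAG"'", "platforms": ["linux/amd64","linux/arm64"]}'
          # … unchanged: heredoc write of $BUILD_IMAGES to $GITHUB_OUTPUT …
```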
@@ -79,16 +89,24 @@ jobs: images: ${{ steps.get-matrix-outputs.outputs.result }} steps: - id: get-matrix-outputs - uses: hoverkraft-tech/ci-github-common/actions/get-matrix-outputs@0.4.3 + uses: hoverkraft-tech/ci-github-common/actions/get-matrix-outputs@0.16.0 with: artifact-name: "images-to-build" build-images: needs: get-images-to-build if: needs.get-images-to-build.outputs.images != '[]' + # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659 + permissions: + id-token: write + contents: read + packages: write + issues: read + pull-requests: read uses: hoverkraft-tech/ci-github-container/.github/workflows/docker-build-images.yml@0.19.0 with: oci-registry: ${{ vars.OCI_REGISTRY }} images: ${{ needs.get-images-to-build.outputs.images }} secrets: oci-registry-password: ${{ secrets.GITHUB_TOKEN }} +# jscpd:ignore-end
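Review bot: The `build-images` job grants `issues: read` and `pull-requests: read` alongside `packages: write` and `id-token: write`; if `docker-build-images.yml@0.19.0` in ci-github-container does not read issues or pull requests, those two scopes can go — I cannot see the called workflow from here, so confirm against it. The key order also differs from the `clean` job in main-ci.yml (`id-token, contents, pull-requests, packages` there); listing scopes in the same order in every job-level block makes the grants easier to diff. The `# jscpd:ignore-end` at the file end pairs with the `# jscpd:ignore-start` placed before `get-images-to-build` in the previous hunk; a short reason next to the start marker, e.g. `# jscpd:ignore-start — matrix-output workaround, see discussion 26639`, would explain why the duplication waiver is acceptable.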