fix: fine tunes workflows and actions permissions #259

Merged (1 commit) on Apr 10, 2024
40 changes: 30 additions & 10 deletions .github/workflows/release-actions.md
Expand Up @@ -17,6 +17,9 @@ Reusable workflow that performs actions and workflows release.
<!-- end description -->
<!-- start contents -->
<!-- end contents -->

# Usage

<!-- start usage -->

```yaml
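Review bot: `# Usage` at the top of this hunk is an H1 while the sections that follow in the same file (`## Permissions`, `## Secrets`, `## Inputs`) are H2; if the README generator emits this heading, fix the template so the usage block nests under the document title like its siblings.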
Expand All @@ -28,9 +31,9 @@ on:
tags: ["*"]

permissions:
actions: write
contents: write
pull-requests: write
# FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
id-token: write

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
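Review bot: the usage snippet keeps `contents: write` while the generated Permissions section of this same file lists `contents: read`, and the `pull-requests: write` removed here is exactly what the create-and-merge step needs when the caller relies on the default token; decide which is authoritative and make the snippet agree. The FIXME line would also serve callers better if it said what the grant is for, e.g. `# id-token: write lets the job request an OIDC token and read its job_workflow_ref claim`, since "having workflow ref" does not explain why a workflow that edits README files needs to mint OIDC tokens.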
Expand All @@ -44,7 +47,7 @@ jobs:
update-all: false

# GitHub App ID to generate GitHub token in place of private-access-token.
# See https://github.com/actions/create-github-app-token
# See https://github.com/actions/create-github-app-token.
github-app-id: ""

secrets:
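Review bot: `github-app-id` is described as generating a token "in place of private-access-token", but no input or secret by that name exists in this workflow; the secret it replaces is `github-token`, as the `github-app-key` description a few lines down already says. Suggest `# GitHub App ID to generate GitHub token in place of github-token.` so the two descriptions match.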
Expand All @@ -53,26 +56,43 @@ jobs:
github-token: ""

# GitHub App private key to generate GitHub token in place of github-token.
# See https://github.com/actions/create-github-app-token
# See https://github.com/actions/create-github-app-token.
github-app-key: ""
```

<!-- end usage -->

## Permissions

<!-- start permissions -->

This workflow requires the following permissions:

- `contents: read`: To read the contents of the repository
- `id-token: write`: <!-- FIXME --> This is a workaround for having workflow ref. See <https://github.com/orgs/community/discussions/38659>.

<!-- end permissions -->

## Secrets

<!-- start secrets -->

| **Secret** | **Description** | **Default** | **Required** |
| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | ------------ |
| **<code>github-token</code>** | GitHub token for creating and merging pull request (permissions contents: write and pull-requests: write, workflows: write). See [../../actions/create-and-merge-pull-request](../../actions/create-and-merge-pull-request) | <code>GITHUB_TOKEN</code> | **false** |
| **<code>github-app-key</code>** | GitHub App private key to generate GitHub token in place of github-token. See [https://github.com/actions/create-github-app-token](https://github.com/actions/create-github-app-token) | <code></code> | **false** |
| **<code>github-app-key</code>** | GitHub App private key to generate GitHub token in place of github-token. See <https://github.com/actions/create-github-app-token>. | <code></code> | **false** |

<!-- end secrets -->

## Inputs

<!-- start inputs -->

| **Input** | **Description** | **Default** | **Required** |
| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | ------------ |
| **<code>runs-on</code>** | Json array of runner(s) to use. See [https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job](https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job) | <code>["ubuntu-latest"]</code> | **false** |
| **<code>update-all</code>** | Update all actions and workflows, regardless of changes. | <code>false</code> | **false** |
| **<code>github-app-id</code>** | GitHub App ID to generate GitHub token in place of private-access-token. See [https://github.com/actions/create-github-app-token](https://github.com/actions/create-github-app-token) | <code></code> | **false** |
| **Input** | **Description** | **Default** | **Required** |
| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | ------------ |
| **<code>runs-on</code>** | Json array of runner(s) to use. See <https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job>. | <code>["ubuntu-latest"]</code> | **false** |
| **<code>update-all</code>** | Update all actions and workflows, regardless of changes. | <code>false</code> | **false** |
| **<code>github-app-id</code>** | GitHub App ID to generate GitHub token in place of private-access-token. See <https://github.com/actions/create-github-app-token>. | <code></code> | **false** |

<!-- end inputs -->
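Review bot: the Permissions list and the Secrets table in this hunk now contradict each other. The list says the workflow needs only `contents: read` and `id-token: write`, yet `github-token` defaults to `GITHUB_TOKEN` and is documented as needing `contents: write` and `pull-requests: write`; a caller who grants exactly what the list says gets a token that cannot push the branch, open the pull request or merge it. Either state that `github-token` (with those scopes) or `github-app-key` is effectively required when the caller follows the list, or keep the write scopes in the list. Separately, `workflows: write` in the `github-token` row is not a key of the Actions `permissions` block; pushing changes under `.github/workflows/` needs a PAT with the `workflow` scope or a GitHub App with the Workflows permission, because `GITHUB_TOKEN` is refused for those paths regardless of what the caller grants. Say that instead.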

28 changes: 7 additions & 21 deletions .github/workflows/release-actions.yml
Expand Up @@ -10,7 +10,7 @@ on:
workflow_call:
inputs:
runs-on:
description: "Json array of runner(s) to use. See https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job"
description: "Json array of runner(s) to use. See https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job."
type: string
default: '["ubuntu-latest"]'
required: false
Expand All @@ -20,19 +20,19 @@ on:
default: false
type: boolean
github-app-id:
description: "GitHub App ID to generate GitHub token in place of private-access-token. See https://github.com/actions/create-github-app-token"
description: "GitHub App ID to generate GitHub token in place of private-access-token. See https://github.com/actions/create-github-app-token."
required: false
type: string
secrets:
github-token:
description: "GitHub token for creating and merging pull request (permissions contents: write and pull-requests: write, workflows: write). See [actions/create-and-merge-pull-request](../../actions/create-and-merge-pull-request)"
github-app-key:
description: "GitHub App private key to generate GitHub token in place of github-token. See https://github.com/actions/create-github-app-token"
description: "GitHub App private key to generate GitHub token in place of github-token. See https://github.com/actions/create-github-app-token."

permissions:
actions: write
contents: write
pull-requests: write
contents: read
# FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
id-token: write

jobs:
prepare-release:
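Review bot: hoisting `id-token: write` to the workflow level grants every job in this reusable workflow the ability to mint OIDC tokens, including `prepare-release` and the final pull-request job, which never run the `oidc` step; the per-job blocks this PR removes further down were the tighter shape. Suggest keeping only `contents: read` here and leaving `id-token: write` on the two readme-generating jobs. The `github-token` secret description in this hunk also lists `workflows: write`, which is not a key of the `permissions` block; "a PAT with the `workflow` scope or a GitHub App token" is what a caller actually has to provide.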
Expand Down Expand Up @@ -127,13 +127,9 @@ jobs:
fail-fast: false
matrix:
action: ${{ fromJson(needs.prepare-release.outputs.changed-actions) }}
# FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v4

# FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
# jscpd:ignore-start
- id: oidc
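Review bot: the FIXME comment kept on the `oidc` step now describes a permission that is no longer declared anywhere in this job, so a reader has to go back to the workflow-level block to find it. Either restore the job-level `permissions:` block (the least-privilege placement, since this step is the only consumer of `id-token: write` and the matrix job otherwise needs only `contents: read` for checkout) or update the comment to say the grant comes from the workflow level.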
Expand Down Expand Up @@ -189,10 +185,6 @@ jobs:
fail-fast: false
matrix:
workflow: ${{ fromJson(needs.prepare-release.outputs.changed-workflows) }}
# FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v4

Expand Down Expand Up @@ -234,12 +226,6 @@ jobs:
needs: [prepare-release, generate-actions-readme, generate-workflows-readme]
if: always() && (needs.prepare-release.outputs.changed-actions != '[]' || needs.prepare-release.outputs.changed-workflows != '[]')
runs-on: ${{ fromJson(inputs.runs-on) }}

permissions:
pull-requests: write
contents: write
actions: write

steps:
- uses: actions/checkout@v4
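Review bot: dropping `contents: write` and `pull-requests: write` from this job means that a caller who relies on the default `github-token` (`GITHUB_TOKEN`) now runs `create-and-merge-pull-request` with the workflow-level `contents: read`, which cannot push the branch, open the PR or merge it; only a caller supplying `github-app-key` keeps working, because an installation token is not bounded by the job's `permissions`. If the GitHub App path is meant to be mandatory, fail early with a clear message when `github-app-key` is absent and document it in the README; otherwise keep `contents: write` and `pull-requests: write` on this job. Removing `actions: write` looks safe given the visible steps, but confirm nothing in the elided part of this job calls the Actions API.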

35 changes: 19 additions & 16 deletions actions/create-and-merge-pull-request/README.md
@@ -1,17 +1,14 @@
<!-- start branding -->

<img src=".github/ghadocs/branding.svg" width="15%" align="center" alt="branding<icon:git-pull-request color:gray-dark>" />

<!-- end branding -->
<!-- start title -->

# <img src=".github/ghadocs/branding.svg" width="60px" align="center" alt="branding<icon:git-pull-request color:gray-dark>" /> GitHub Action: Create and merge Pull Request

<!-- end title -->
<!-- start badges -->
<!-- start branding -->

<a href="https%3A%2F%2Fgithub.com%2Fhoverkraft-tech%2Fci-github-common%2Freleases%2Flatest"><img src="https://img.shields.io/github/v/release/hoverkraft-tech/ci-github-common?display_name=tag&sort=semver&logo=github&style=flat-square" alt="Release%20by%20tag" /></a><a href="https%3A%2F%2Fgithub.com%2Fhoverkraft-tech%2Fci-github-common%2Freleases%2Flatest"><img src="https://img.shields.io/github/release-date/hoverkraft-tech/ci-github-common?display_name=tag&sort=semver&logo=github&style=flat-square" alt="Release%20by%20date" /></a><img src="https://img.shields.io/github/last-commit/hoverkraft-tech/ci-github-common?logo=github&style=flat-square" alt="Commit" /><a href="https%3A%2F%2Fgithub.com%2Fhoverkraft-tech%2Fci-github-common%2Fissues"><img src="https://img.shields.io/github/issues/hoverkraft-tech/ci-github-common?logo=github&style=flat-square" alt="Open%20Issues" /></a><img src="https://img.shields.io/github/downloads/hoverkraft-tech/ci-github-common/total?logo=github&style=flat-square" alt="Downloads" />
<img src=".github/ghadocs/branding.svg" width="15%" align="center" alt="branding<icon:git-pull-request color:gray-dark>" />

<!-- end branding -->
<!-- start badges -->
<!-- end badges -->
<!-- start description -->
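Review bot: the badge block is emptied rather than repaired. The removed line's anchors used percent-encoded hrefs (`href="https%3A%2F%2Fgithub.com%2F..."`), which a browser resolves as a relative path, so those links were already broken; if the badges are wanted, re-emit them with plain `https://github.com/...` hrefs, otherwise drop the now-empty `<!-- start badges -->`/`<!-- end badges -->` pair as well.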

Expand All @@ -24,14 +21,17 @@ Allow GitHub Actions to create and approve pull requests](https://docs.github.co

<!-- start contents -->
<!-- end contents -->

## Usage

<!-- start usage -->

```yaml
- uses: hoverkraft-tech/[email protected]
with:
# Description: GitHub token for creating and merging pull request (permissions
# contents: write and pull-requests: write). See
# [https://github.com/peter-evans/create-pull-request#action-inputs](https://github.com/peter-evans/create-pull-request#action-inputs)
# contents: write and pull-requests: write).
# See https://github.com/peter-evans/create-pull-request#action-inputs.
#
# Default: ${{ github.token }}
github-token: ""
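Review bot: the `uses:` line in this generated snippet pins the action by version tag (it renders as `[email protected]` on this page, an artifact of the page's e-mail obfuscation, not the file's content). For an action that is handed a token able to push branches and merge pull requests, consider recommending a full commit SHA pin in the usage example, e.g. `uses: hoverkraft-tech/ci-github-common/actions/create-and-merge-pull-request@<sha>`, so callers are not exposed to a moved or force-pushed tag.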
Expand All @@ -54,15 +54,18 @@ Allow GitHub Actions to create and approve pull requests](https://docs.github.co
```

<!-- end usage -->

## Inputs

<!-- start inputs -->

| **Input** | **Description** | **Default** | **Required** |
| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | ------------ |
| <code>github-token</code> | GitHub token for creating and merging pull request (permissions contents: write and pull-requests: write). See [https://github.com/peter-evans/create-pull-request#action-inputs](https://github.com/peter-evans/create-pull-request#action-inputs) | <code>${{ github.token }}</code> | **false** |
| <code>branch</code> | The pull request branch name | | **true** |
| <code>title</code> | The pull request title | | **true** |
| <code>body</code> | The pull request body | | **true** |
| <code>commit-message</code> | The commit message for the pull request | | **true** |
| **Input** | **Description** | **Default** | **Required** |
| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | ------------ |
| <code>github-token</code> | GitHub token for creating and merging pull request (permissions contents: write and pull-requests: write). See <https://github.com/peter-evans/create-pull-request#action-inputs>. | <code>${{ github.token }}</code> | **false** |
| <code>branch</code> | The pull request branch name | | **true** |
| <code>title</code> | The pull request title | | **true** |
| <code>body</code> | The pull request body | | **true** |
| <code>commit-message</code> | The commit message for the pull request | | **true** |

<!-- end inputs -->
<!-- start outputs -->
7 changes: 4 additions & 3 deletions actions/create-and-merge-pull-request/action.yml
Expand Up @@ -7,7 +7,7 @@ branding:

inputs:
github-token:
description: "GitHub token for creating and merging pull request (permissions contents: write and pull-requests: write). See [https://github.com/peter-evans/create-pull-request#action-inputs](https://github.com/peter-evans/create-pull-request#action-inputs)"
description: "GitHub token for creating and merging pull request (permissions contents: write and pull-requests: write). See https://github.com/peter-evans/create-pull-request#action-inputs."
default: ${{ github.token }}
required: false
branch:
Expand Down Expand Up @@ -56,6 +56,7 @@ runs:
if: steps.create-pull-request.outputs.pull-request-number && steps.create-pull-request.outputs.pull-request-operation != 'closed'
uses: actions/github-script@v7
with:
github-token: ${{ inputs.github-token }}
script: |
let attemps = 0;
const maxAttemps = 10;
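Review bot: passing `inputs.github-token` to `actions/github-script` is the right fix: until now the mergeability poll ran as the default `GITHUB_TOKEN` while the merge step further down used the supplied token, so the two steps could act as different identities and see different states. While touching the script, `attemps`/`maxAttemps` should read `attempts`/`maxAttempts`; the same typo recurs in the shell step below.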
Expand All @@ -82,6 +83,8 @@ runs:
- name: Merge pull request
if: steps.wait-for-pull-request-mergeable-by-admin.outputs.is-mergeable
shell: bash
env:
GH_TOKEN: ${{ inputs.github-token }}
run: |
set +e
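Review bot: moving `env:` above `run:` does not change execution, but `set +e` at the top of this script means any non-zero exit outside the guarded `gh` retry is silently ignored until the final error line; consider limiting the errexit override to the retry loop (`set +e` immediately before it, `set -e` after) so an unauthenticated `gh` or a bad argument fails visibly at the point it happens.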

Expand Down Expand Up @@ -112,5 +115,3 @@ runs:

echo "::error::Failed to merge pull request after $MAX_ATTEMPS attemps: $MERGE_OUTPUTS"
exit 1
env:
GH_TOKEN: ${{ inputs.github-token }}