-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathtest-workflow.yaml
94 lines (86 loc) · 2.77 KB
/
test-workflow.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
name: test
on: pull_request
env:
# Workflow should not set secrets to environment variables
FOO: bar
GITHUB_TOKEN: ${{github.token}}
API_KEY: ${{secrets.API_KEY}}
jobs:
release:
# action_ref_should_be_full_length_commit_sha
uses: suzuki-shunsuke/go-release-workflow/.github/workflows/[email protected]
# deny_inherit_secrets
secrets: inherit
permissions: {}
foo:
# job_permissions
runs-on: ubuntu-latest
env:
# job_secrets
FOO: bar
GITHUB_TOKEN: ${{github.token}}
API_KEY: ${{secrets.API_KEY}}
steps:
# checkout_persist_credentials_should_be_false
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- run: echo hello
- run: echo hello
read-all:
runs-on: ubuntu-latest
# deny_read_all_permission
permissions: read-all
env:
# If the job has only one job, it's okay to set secrets to job's environment variables
FOO: bar
GITHUB_TOKEN: ${{github.token}}
API_KEY: ${{secrets.API_KEY}}
steps:
- run: echo hello
write-all:
runs-on: ubuntu-latest
# deny_write_all_permission
permissions: write-all
steps:
# action_ref_should_be_full_length_commit_sha
- uses: tibdex/[email protected]
id: token1
with:
app_id: ${{secrets.APP_ID}}
private_key: ${{secrets.PRIVATE_KEY}}
# github_app_should_limit_repositories
# github_app_should_limit_permissions
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
id: token2
with:
app_id: ${{secrets.APP_ID}}
private_key: ${{secrets.PRIVATE_KEY}}
repositories: >-
["${{github.event.repository.name}}"]
permissions: >-
{
"contents": "write"
}
- uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9 # v1.6.1
id: token3
with:
app-id: ${{vars.APP_ID}}
private-key: ${{secrets.PRIVATE_KEY}}
owner: ${{github.repository_owner}}
# github_app_should_limit_repositories
- uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9 # v1.6.1
id: token4
with:
app-id: ${{vars.APP_ID}}
private-key: ${{secrets.PRIVATE_KEY}}
owner: ${{github.repository_owner}}
repositories: "repo1,repo2"
- uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9 # v1.6.1
id: token5
with:
app-id: ${{vars.APP_ID}}
private-key: ${{secrets.PRIVATE_KEY}}
container-job:
runs-on: ubuntu-latest
permissions: {}
container:
image: node:latest # deny_job_container_latest_image