diff --git a/.github/workflows/add-good-first-issue-labels.yml b/.github/workflows/add-good-first-issue-labels.yml
index 05d05caf..5ba7a6a8 100644
--- a/.github/workflows/add-good-first-issue-labels.yml
+++ b/.github/workflows/add-good-first-issue-labels.yml
@@ -9,15 +9,20 @@ on:
types:
- created
+permissions: {}
+
jobs:
add-labels:
+ name: Add 'Good First Issue' and 'area/*' labels
if: ${{(!github.event.issue.pull_request && github.event.issue.state != 'closed' && github.actor != 'asyncapi-bot') && (contains(github.event.comment.body, '/good-first-issue') || contains(github.event.comment.body, '/gfi' ))}}
runs-on: ubuntu-latest
+ permissions:
+ issues: write # This is needed to add labels to issues.
steps:
- name: Add label
uses: actions/github-script@v7
with:
- github-token: ${{ secrets.GH_TOKEN }}
+ github-token: ${{ github.token }}
script: |
const areas = ['javascript', 'typescript', 'java' , 'go', 'docs', 'ci-cd', 'design'];
const words = context.payload.comment.body.trim().split(" ");
diff --git a/.github/workflows/automerge-for-humans-add-ready-to-merge-or-do-not-merge-label.yml b/.github/workflows/automerge-for-humans-add-ready-to-merge-or-do-not-merge-label.yml
index 2db55d85..52d42f47 100644
--- a/.github/workflows/automerge-for-humans-add-ready-to-merge-or-do-not-merge-label.yml
+++ b/.github/workflows/automerge-for-humans-add-ready-to-merge-or-do-not-merge-label.yml
@@ -12,8 +12,15 @@ on:
types:
- created
+permissions: {}
+
jobs:
add-ready-to-merge-label:
+ name: Add ready-to-merge label
+ permissions:
+ issues: write # required to add labels and post comments on PR issues
+ pull-requests: write # required to read PR metadata from the issue pull_request URL
+ contents: read # required to compare PR branch commits against base
if: >
github.event.issue.pull_request &&
github.event.issue.state != 'closed' &&
@@ -30,6 +37,9 @@ jobs:
env:
GITHUB_ACTOR: ${{ github.actor }}
with:
+ # Use bot PAT, not the default GITHUB_TOKEN: events created by
+ # GITHUB_TOKEN do not trigger other workflows, so `Automerge For
+ # Humans` would never see the `labeled` event.
github-token: ${{ secrets.GH_TOKEN }}
script: |
const prDetailsUrl = context.payload.issue.pull_request.url;
@@ -69,6 +79,10 @@ jobs:
}
add-do-not-merge-label:
+ name: Add do-not-merge label
+ permissions:
+ issues: write # required to add labels on PR issues
+ pull-requests: write # required to read PR metadata from the issue pull_request URL
if: >
github.event.issue.pull_request &&
github.event.issue.state != 'closed' &&
@@ -82,6 +96,7 @@ jobs:
- name: Add do-not-merge label
uses: actions/github-script@v7
with:
+ # Bot PAT so the `labeled` event can trigger downstream workflows.
github-token: ${{ secrets.GH_TOKEN }}
script: |
github.rest.issues.addLabels({
@@ -91,6 +106,10 @@ jobs:
labels: ['do-not-merge']
})
add-autoupdate-label:
+ name: Add autoupdate label
+ permissions:
+ issues: write # required to add labels on PR issues
+ pull-requests: write # required to read PR metadata from the issue pull_request URL
if: >
github.event.issue.pull_request &&
github.event.issue.state != 'closed' &&
@@ -104,6 +123,7 @@ jobs:
- name: Add autoupdate label
uses: actions/github-script@v7
with:
+ # Bot PAT so the `labeled` event can trigger the autoupdate workflow.
github-token: ${{ secrets.GH_TOKEN }}
script: |
github.rest.issues.addLabels({
diff --git a/.github/workflows/automerge-for-humans-merging.yml b/.github/workflows/automerge-for-humans-merging.yml
index 482c83d7..b47a551b 100644
--- a/.github/workflows/automerge-for-humans-merging.yml
+++ b/.github/workflows/automerge-for-humans-merging.yml
@@ -14,16 +14,20 @@ on:
- edited
- ready_for_review
- reopened
- - unlocked
+ - unlocked # zizmor: ignore[dangerous-triggers] needed if we want author to be our bot
+
+permissions: {}
jobs:
automerge-for-humans:
+ name: Automerge PRs labeled with ready-to-merge
+ permissions:
+ contents: read # required for PR commit metadata reads
+ pull-requests: read # required to read pull request details in github-script steps
# it runs only if PR actor is not a bot, at least not a bot that we know
if: |
github.event.pull_request.draft == false &&
- (github.event.pull_request.user.login != 'asyncapi-bot' ||
- github.event.pull_request.user.login != 'dependabot[bot]' ||
- github.event.pull_request.user.login != 'dependabot-preview[bot]')
+ !contains(fromJSON('["asyncapi-bot","dependabot[bot]","dependabot-preview[bot]"]'), github.event.pull_request.user.login)
runs-on: ubuntu-latest
steps:
- name: Get PR authors
@@ -68,9 +72,11 @@ jobs:
- name: Create commit message
id: create-commit-message
uses: actions/github-script@v7
+ env:
+ AUTHORS_JSON: ${{ steps.authors.outputs.result }}
with:
script: |
- const authors = ${{ steps.authors.outputs.result }};
+ const authors = JSON.parse(process.env.AUTHORS_JSON);
if (Object.keys(authors).length === 0) {
core.setFailed('No authors found in the PR');
diff --git a/.github/workflows/automerge-for-humans-remove-ready-to-merge-label-on-edit.yml b/.github/workflows/automerge-for-humans-remove-ready-to-merge-label-on-edit.yml
index d5a290dd..d31ed820 100644
--- a/.github/workflows/automerge-for-humans-remove-ready-to-merge-label-on-edit.yml
+++ b/.github/workflows/automerge-for-humans-remove-ready-to-merge-label-on-edit.yml
@@ -6,19 +6,24 @@
name: Remove ready-to-merge label
on:
- pull_request_target:
+ pull_request:
types:
- synchronize
- edited
+permissions: {}
+
jobs:
remove-ready-label:
+ name: Remove ready-to-merge label
runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write # required to remove labels and post comments on PR issues
steps:
- name: Remove label
uses: actions/github-script@v7
with:
- github-token: ${{ secrets.GH_TOKEN }}
+ github-token: ${{ github.token }}
script: |
const labelToRemove = 'ready-to-merge';
const labels = context.payload.pull_request.labels;
diff --git a/.github/workflows/automerge-orphans.yml b/.github/workflows/automerge-orphans.yml
index 23a0b007..cda0740e 100644
--- a/.github/workflows/automerge-orphans.yml
+++ b/.github/workflows/automerge-orphans.yml
@@ -7,19 +7,26 @@ on:
schedule:
- cron: "0 0 * * *"
+permissions: {}
+
jobs:
identify-orphans:
if: startsWith(github.repository, 'asyncapi/')
name: Find orphans and notify
+ permissions:
+ contents: read # required by checkout and repository metadata reads
+ pull-requests: read # required to list open pull requests
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Get list of orphans
uses: actions/github-script@v7
id: orphans
with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
+ github-token: ${{ github.token }}
script: |
const query = `query($owner:String!, $name:String!) {
repository(owner:$owner, name:$name){
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
index 9faa78b1..e81c0036 100644
--- a/.github/workflows/automerge.yml
+++ b/.github/workflows/automerge.yml
@@ -4,10 +4,12 @@
name: Automerge PRs from bots
on:
- pull_request_target:
+ pull_request_target: # Needed as GH_TOKEN_BOT_EVE needed for approval.
types:
- opened
- - synchronize
+ - synchronize # zizmor: ignore[dangerous-triggers]
+
+permissions: {}
jobs:
autoapprove-for-bot:
diff --git a/.github/workflows/autoupdate.yml b/.github/workflows/autoupdate.yml
index eeb77a47..30ff788f 100644
--- a/.github/workflows/autoupdate.yml
+++ b/.github/workflows/autoupdate.yml
@@ -18,6 +18,8 @@ on:
- 'bot/**'
- 'all-contributors/**'
+permissions: {}
+
jobs:
autoupdate-for-bot:
if: startsWith(github.repository, 'asyncapi/')
@@ -25,7 +27,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Autoupdating
- uses: docker://chinthakagodawita/autoupdate-action:v1
+ uses: chinthakagodawita/autoupdate@0707656cd062a3b0cf8fa9b2cda1d1404d74437e
env:
GITHUB_TOKEN: '${{ secrets.GH_TOKEN_BOT_EVE }}'
PR_FILTER: "labelled"
diff --git a/.github/workflows/bounty-program-commands.yml b/.github/workflows/bounty-program-commands.yml
index c42e3005..3447c2eb 100644
--- a/.github/workflows/bounty-program-commands.yml
+++ b/.github/workflows/bounty-program-commands.yml
@@ -20,10 +20,16 @@ env:
{"name": "bounty", "color": "0e8a16", "description": "Participation in the Bounty Program"}
]
+permissions: {}
+
jobs:
guard-against-unauthorized-use:
+ name: Guard against unauthorized use
+ permissions:
+ issues: write # required to post a comment on the issue/PR
+ pull-requests: write # required to post a comment on the issue/PR if it's a PR
if: >
- github.actor != ('aeworxet' || 'thulieblack') &&
+ !contains(fromJSON('["aeworxet","thulieblack"]'), github.actor) &&
(
startsWith(github.event.comment.body, '/bounty' )
)
@@ -36,7 +42,7 @@ jobs:
env:
ACTOR: ${{ github.actor }}
with:
- github-token: ${{ secrets.GH_TOKEN }}
+ github-token: ${{ github.token }}
script: |
const commentText = `❌ @${process.env.ACTOR} is not authorized to use the Bounty Program's commands.
These commands can only be used by members of the [Bounty Team](https://github.com/orgs/asyncapi/teams/bounty_team).`;
@@ -50,19 +56,22 @@ jobs:
})
add-label-bounty:
+ name: Add bounty label
+ permissions:
+ issues: write # required to read/create labels and add labels on the issue/PR
+ pull-requests: write # required to read/create labels and add labels on the issue/PR
if: >
- github.actor == ('aeworxet' || 'thulieblack') &&
+ contains(fromJSON('["aeworxet","thulieblack"]'), github.actor) &&
(
startsWith(github.event.comment.body, '/bounty' )
)
runs-on: ubuntu-latest
-
steps:
- name: Add label `bounty`
uses: actions/github-script@v7
with:
- github-token: ${{ secrets.GH_TOKEN }}
+ github-token: ${{ github.token }}
script: |
const BOUNTY_PROGRAM_LABELS = JSON.parse(process.env.BOUNTY_PROGRAM_LABELS_JSON);
let LIST_OF_LABELS_FOR_REPO = await github.rest.issues.listLabelsForRepo({
@@ -91,19 +100,21 @@ jobs:
})
remove-label-bounty:
+ name: Remove bounty label
+ permissions:
+ issues: write # required to read/remove labels on the issue/PR
+ pull-requests: write # required to read/remove labels on the issue/PR if it's a PR
if: >
- github.actor == ('aeworxet' || 'thulieblack') &&
+ contains(fromJSON('["aeworxet","thulieblack"]'), github.actor) &&
(
startsWith(github.event.comment.body, '/unbounty' )
)
-
runs-on: ubuntu-latest
-
steps:
- name: Remove label `bounty`
uses: actions/github-script@v7
with:
- github-token: ${{ secrets.GH_TOKEN }}
+ github-token: ${{ github.token }}
script: |
const BOUNTY_PROGRAM_LABELS = JSON.parse(process.env.BOUNTY_PROGRAM_LABELS_JSON);
let LIST_OF_LABELS_FOR_ISSUE = await github.rest.issues.listLabelsOnIssue({
diff --git a/.github/workflows/help-command.yml b/.github/workflows/help-command.yml
index 6228c56f..6fe1a137 100644
--- a/.github/workflows/help-command.yml
+++ b/.github/workflows/help-command.yml
@@ -4,21 +4,26 @@
name: Create help comment
on:
- issue_comment:
- types:
- - created
+ issue_comment:
+ types:
+ - created
+
+permissions: {}
jobs:
create_help_comment_pr:
+ name: Help Comment in PR
if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '/help') && github.actor != 'asyncapi-bot' }}
runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write # To comment on Pull requests
steps:
- name: Add comment to PR
uses: actions/github-script@v7
env:
ACTOR: ${{ github.actor }}
with:
- github-token: ${{ secrets.GH_TOKEN }}
+ github-token: ${{ github.token }}
script: |
//Yes to add comment to PR the same endpoint is use that we use to create a comment in issue
//For more details http://developer.github.com/v3/issues/comments/
@@ -41,15 +46,18 @@ jobs:
})
create_help_comment_issue:
+ name: Help Comment in Issue
if: ${{ !github.event.issue.pull_request && startsWith(github.event.comment.body, '/help') && github.actor != 'asyncapi-bot' }}
runs-on: ubuntu-latest
+ permissions:
+ issues: write # To comment on Issues
steps:
- name: Add comment to Issue
uses: actions/github-script@v7
env:
ACTOR: ${{ github.actor }}
with:
- github-token: ${{ secrets.GH_TOKEN }}
+ github-token: ${{ github.token }}
script: |
github.rest.issues.createComment({
issue_number: context.issue.number,
diff --git a/.github/workflows/if-nodejs-pr-testing.yml b/.github/workflows/if-nodejs-pr-testing.yml
index 2bab0a7a..cef2b770 100644
--- a/.github/workflows/if-nodejs-pr-testing.yml
+++ b/.github/workflows/if-nodejs-pr-testing.yml
@@ -8,6 +8,9 @@ on:
pull_request:
types: [opened, reopened, synchronize, ready_for_review]
+permissions:
+ contents: read
+
jobs:
test-nodejs-pr:
name: Test NodeJS PR - ${{ matrix.os }}
@@ -18,21 +21,21 @@ jobs:
steps:
- if: >
!github.event.pull_request.draft && !(
- (github.actor == 'asyncapi-bot' && (
+ (github.event.pull_request.user.login == 'asyncapi-bot' && (
startsWith(github.event.pull_request.title, 'ci: update of files from global .github repo') ||
startsWith(github.event.pull_request.title, 'chore(release):')
)) ||
- (github.actor == 'asyncapi-bot-eve' && (
+ (github.event.pull_request.user.login == 'asyncapi-bot-eve' && (
startsWith(github.event.pull_request.title, 'ci: update of files from global .github repo') ||
startsWith(github.event.pull_request.title, 'chore(release):')
)) ||
- (github.actor == 'allcontributors[bot]' &&
+ (github.event.pull_request.user.login == 'allcontributors[bot]' &&
startsWith(github.event.pull_request.title, 'docs: add')
)
)
id: should_run
name: Should Run
- run: echo "shouldrun=true" >> $GITHUB_OUTPUT
+ run: echo "shouldrun=true" >> "$GITHUB_OUTPUT"
shell: bash
- if: steps.should_run.outputs.shouldrun == 'true'
name: Set git to use LF #to once and for all finish neverending fight between Unix and Windows
@@ -43,10 +46,12 @@ jobs:
- if: steps.should_run.outputs.shouldrun == 'true'
name: Checkout repository
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- if: steps.should_run.outputs.shouldrun == 'true'
name: Check if Node.js project and has package.json
id: packagejson
- run: test -e ./package.json && echo "exists=true" >> $GITHUB_OUTPUT || echo "exists=false" >> $GITHUB_OUTPUT
+ run: test -e ./package.json && echo "exists=true" >> "$GITHUB_OUTPUT" || echo "exists=false" >> "$GITHUB_OUTPUT"
shell: bash
- if: steps.packagejson.outputs.exists == 'true'
name: Determine what node version to use
diff --git a/.github/workflows/issues-prs-notifications.yml b/.github/workflows/issues-prs-notifications.yml
index ce136286..1e3b616e 100644
--- a/.github/workflows/issues-prs-notifications.yml
+++ b/.github/workflows/issues-prs-notifications.yml
@@ -9,11 +9,13 @@ on:
types: [opened, reopened]
pull_request_target:
- types: [opened, reopened, ready_for_review]
+ types: [opened, reopened, ready_for_review] # zizmor: ignore[dangerous-triggers]
discussion:
types: [created]
+permissions: {}
+
jobs:
issue:
if: github.event_name == 'issues' && github.actor != 'asyncapi-bot' && github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
diff --git a/.github/workflows/lint-pr-title.yml b/.github/workflows/lint-pr-title.yml
index 77aa1c6e..106f3166 100644
--- a/.github/workflows/lint-pr-title.yml
+++ b/.github/workflows/lint-pr-title.yml
@@ -4,32 +4,37 @@
name: Lint PR title
on:
- pull_request_target:
+ pull_request:
types: [opened, reopened, synchronize, edited, ready_for_review]
+permissions: {}
+
jobs:
lint-pr-title:
name: Lint PR title
runs-on: ubuntu-latest
+ permissions:
+ contents: read # To checkout code and read PR information
+ pull-requests: write # To comment on PR if the title is not valid
steps:
# Since this workflow is REQUIRED for a PR to be mergable, we have to have this 'if' statement in step level instead of job level.
- - if: ${{ !contains(fromJson('["asyncapi-bot", "dependabot[bot]", "dependabot-preview[bot]", "allcontributors[bot]"]'), github.actor) }}
+ - if: ${{ !contains(fromJson('["asyncapi-bot", "dependabot[bot]", "dependabot-preview[bot]", "allcontributors[bot]"]'), github.actor) }} # zizmor: ignore[obfuscation]
uses: amannn/action-semantic-pull-request@c3cd5d1ea3580753008872425915e343e351ab54 #version 5.2.0 https://github.com/amannn/action-semantic-pull-request/releases/tag/v5.2.0
id: lint_pr_title
env:
- GITHUB_TOKEN: ${{ secrets.GH_TOKEN}}
+ GITHUB_TOKEN: ${{ github.token }}
with:
subjectPattern: ^(?![A-Z]).+$
subjectPatternError: |
The subject "{subject}" found in the pull request title "{title}" should start with a lowercase character.
# Comments the error message from the above lint_pr_title action
- - if: ${{ always() && steps.lint_pr_title.outputs.error_message != null && !contains(fromJson('["asyncapi-bot", "dependabot[bot]", "dependabot-preview[bot]", "allcontributors[bot]"]'), github.actor)}}
+ - if: ${{ always() && steps.lint_pr_title.outputs.error_message != null && !contains(fromJson('["asyncapi-bot", "dependabot[bot]", "dependabot-preview[bot]", "allcontributors[bot]"]'), github.actor)}} # zizmor: ignore[obfuscation]
name: Comment on PR
uses: marocchino/sticky-pull-request-comment@3d60a5b2dae89d44e0c6ddc69dd7536aec2071cd #use 2.5.0 https://github.com/marocchino/sticky-pull-request-comment/releases/tag/v2.5.0
with:
header: pr-title-lint-error
- GITHUB_TOKEN: ${{ secrets.GH_TOKEN}}
+ GITHUB_TOKEN: ${{ github.token }}
message: |
We require all PRs to follow [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/).
@@ -44,4 +49,4 @@ jobs:
with:
header: pr-title-lint-error
delete: true
- GITHUB_TOKEN: ${{ secrets.GH_TOKEN}}
+ GITHUB_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/microgrant-program-commands.yml b/.github/workflows/microgrant-program-commands.yml
new file mode 100644
index 00000000..9eadd748
--- /dev/null
+++ b/.github/workflows/microgrant-program-commands.yml
@@ -0,0 +1,137 @@
+# This workflow is centrally managed at https://github.com/asyncapi/.github/
+# Don't make changes to this file in this repository, as they will be overwritten with
+# changes made to the same file in the abovementioned repository.
+
+# The purpose of this workflow is to allow Microgrant Team members
+# (https://github.com/orgs/asyncapi/teams/microgrant_team) to issue commands to the
+# organization's global AsyncAPI bot related to the Microgrant Program, while at the
+# same time preventing unauthorized users from misusing them.
+
+name: Microgrant Program commands
+
+on:
+ issue_comment:
+ types:
+ - created
+
+env:
+ MICROGRANT_PROGRAM_LABELS_JSON: |
+ [
+ {"name": "microgrant", "color": "708090", "description": "Participation in the Microgrant Program"}
+ ]
+
+permissions: {}
+
+jobs:
+ guard-against-unauthorized-use:
+ name: Guard against unauthorized use
+ permissions:
+ issues: write # required to post a comment on the issue/PR
+ pull-requests: write # required to post a comment on the issue/PR if it's a PR
+ if: >
+ !contains(fromJSON('["aeworxet","thulieblack"]'), github.actor) &&
+ github.event.comment &&
+ (
+ github.event.comment.body == '/microgrant' || github.event.comment.body == '/unmicrogrant'
+ )
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: ❌ @${{github.actor}} made an unauthorized attempt to use a Microgrant Program's command
+ uses: actions/github-script@v7
+ env:
+ ACTOR: ${{ github.actor }}
+ with:
+ github-token: ${{ github.token }}
+ script: |
+ const commentText = `❌ @${process.env.ACTOR} is not authorized to use the Microgrant Program's commands.
+ These commands can only be used by members of the [Microgrant Team](https://github.com/orgs/asyncapi/teams/microgrant_team).`;
+
+ console.log(`❌ @${process.env.ACTOR} made an unauthorized attempt to use a Microgrant Program's command.`);
+ github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: commentText
+ })
+
+ add-label-microgrant:
+ name: Add microgrant label
+ permissions:
+ issues: write # required to read/create labels and add labels on the issue/PR
+ pull-requests: write # required to read/create labels and add labels on the issue/PR
+ if: >
+ contains(fromJSON('["aeworxet","thulieblack"]'), github.actor) &&
+ (
+ github.event.comment.body == '/microgrant'
+ )
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: Add label `microgrant`
+ uses: actions/github-script@v7
+ with:
+ github-token: ${{ github.token }}
+ script: |
+ const MICROGRANT_PROGRAM_LABELS = JSON.parse(process.env.MICROGRANT_PROGRAM_LABELS_JSON);
+ let LIST_OF_LABELS_FOR_REPO = await github.rest.issues.listLabelsForRepo({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ });
+
+ LIST_OF_LABELS_FOR_REPO = LIST_OF_LABELS_FOR_REPO.data.map(key => key.name);
+
+ if (!LIST_OF_LABELS_FOR_REPO.includes(MICROGRANT_PROGRAM_LABELS[0].name)) {
+ await github.rest.issues.createLabel({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ name: MICROGRANT_PROGRAM_LABELS[0].name,
+ color: MICROGRANT_PROGRAM_LABELS[0].color,
+ description: MICROGRANT_PROGRAM_LABELS[0].description
+ });
+ }
+
+ console.log('Adding label `microgrant`...');
+ github.rest.issues.addLabels({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ labels: [MICROGRANT_PROGRAM_LABELS[0].name]
+ })
+
+ remove-label-microgrant:
+ name: Remove microgrant label
+ permissions:
+ issues: write # required to read/remove labels on the issue/PR
+ pull-requests: write # required to read/remove labels on the issue/PR if it's a PR
+ if: >
+ contains(fromJSON('["aeworxet","thulieblack"]'), github.actor) &&
+ (
+ github.event.comment.body == '/unmicrogrant'
+ )
+ runs-on: ubuntu-latest
+ steps:
+ - name: Remove label `microgrant`
+ uses: actions/github-script@v7
+ with:
+ github-token: ${{ github.token }}
+ script: |
+ const MICROGRANT_PROGRAM_LABELS = JSON.parse(process.env.MICROGRANT_PROGRAM_LABELS_JSON);
+ let LIST_OF_LABELS_FOR_ISSUE = await github.rest.issues.listLabelsOnIssue({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.issue.number,
+ });
+
+ LIST_OF_LABELS_FOR_ISSUE = LIST_OF_LABELS_FOR_ISSUE.data.map(key => key.name);
+
+ if (LIST_OF_LABELS_FOR_ISSUE.includes(MICROGRANT_PROGRAM_LABELS[0].name)) {
+ console.log('Removing label `microgrant`...');
+ github.rest.issues.removeLabel({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ name: [MICROGRANT_PROGRAM_LABELS[0].name]
+ })
+ }
diff --git a/.github/workflows/notify-tsc-members-mention.yml b/.github/workflows/notify-tsc-members-mention.yml
index ffa39bbc..d5a945a0 100644
--- a/.github/workflows/notify-tsc-members-mention.yml
+++ b/.github/workflows/notify-tsc-members-mention.yml
@@ -17,14 +17,16 @@ on:
types:
- opened
- pull_request_target:
+ pull_request_target: # Needed to access secrets. The checkout is done on base branch so script cannot be malicious.
types:
- - opened
-
+ - opened # zizmor: ignore[dangerous-triggers]
discussion:
types:
- created
+permissions:
+ contents: read # To checkout repository
+
jobs:
issue:
if: github.event_name == 'issues' && contains(github.event.issue.body, '@asyncapi/tsc_members')
@@ -33,10 +35,12 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@v4
with:
- node-version: 16
+ node-version: 20
cache: 'npm'
cache-dependency-path: '**/package-lock.json'
#########
@@ -56,22 +60,22 @@ jobs:
SLACK_MESSAGE: ${{steps.issuemarkdown.outputs.text}}
MSG_MINIMAL: true
#########
- # Handling Mailchimp notifications
+ # Handling Kit.com notifications
#########
- name: Install deps
run: npm install
- working-directory: ./.github/workflows/scripts/mailchimp
- - name: Send email with MailChimp
+ working-directory: ./.github/workflows/scripts/kit
+ - name: Send email with Kit.com
uses: actions/github-script@v7
env:
- CALENDAR_ID: ${{ secrets.CALENDAR_ID }}
- CALENDAR_SERVICE_ACCOUNT: ${{ secrets.CALENDAR_SERVICE_ACCOUNT }}
- MAILCHIMP_API_KEY: ${{ secrets.MAILCHIMP_API_KEY }}
+ KIT_API_KEY: ${{ secrets.KIT_API_KEY }}
+ KIT_TSC_TAG_ID: ${{ secrets.KIT_TSC_TAG_ID }}
TITLE: ${{ github.event.issue.title }}
+ HTML_URL: ${{ github.event.issue.html_url }}
with:
script: |
- const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js');
- sendEmail('${{github.event.issue.html_url}}', process.env.TITLE);
+ const sendEmail = require('./.github/workflows/scripts/kit/index.js');
+ return sendEmail(process.env.HTML_URL, process.env.TITLE);
pull_request:
if: github.event_name == 'pull_request_target' && contains(github.event.pull_request.body, '@asyncapi/tsc_members')
@@ -80,10 +84,12 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@v4
with:
- node-version: 16
+ node-version: 20
cache: 'npm'
cache-dependency-path: '**/package-lock.json'
#########
@@ -103,22 +109,22 @@ jobs:
SLACK_MESSAGE: ${{steps.prmarkdown.outputs.text}}
MSG_MINIMAL: true
#########
- # Handling Mailchimp notifications
+ # Handling Kit.com notifications
#########
- name: Install deps
run: npm install
- working-directory: ./.github/workflows/scripts/mailchimp
- - name: Send email with MailChimp
+ working-directory: ./.github/workflows/scripts/kit
+ - name: Send email with Kit.com
uses: actions/github-script@v7
env:
- CALENDAR_ID: ${{ secrets.CALENDAR_ID }}
- CALENDAR_SERVICE_ACCOUNT: ${{ secrets.CALENDAR_SERVICE_ACCOUNT }}
- MAILCHIMP_API_KEY: ${{ secrets.MAILCHIMP_API_KEY }}
+ KIT_API_KEY: ${{ secrets.KIT_API_KEY }}
+ KIT_TSC_TAG_ID: ${{ secrets.KIT_TSC_TAG_ID }}
TITLE: ${{ github.event.pull_request.title }}
+ HTML_URL: ${{ github.event.pull_request.html_url }}
with:
script: |
- const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js');
- sendEmail('${{github.event.pull_request.html_url}}', process.env.TITLE);
+ const sendEmail = require('./.github/workflows/scripts/kit/index.js');
+ return sendEmail(process.env.HTML_URL, process.env.TITLE);
discussion:
if: github.event_name == 'discussion' && contains(github.event.discussion.body, '@asyncapi/tsc_members')
@@ -127,10 +133,12 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@v4
with:
- node-version: 16
+ node-version: 20
cache: 'npm'
cache-dependency-path: '**/package-lock.json'
#########
@@ -142,7 +150,7 @@ jobs:
id: discussionmarkdown
with:
markdown: "[${{github.event.discussion.title}}](${{github.event.discussion.html_url}}) \n ${{github.event.discussion.body}}"
- - name: Send info about pull request
+ - name: Send info about discussion
uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 # Using v2.3.2
env:
SLACK_WEBHOOK: ${{secrets.SLACK_TSC_MEMBERS_NOTIFY}}
@@ -150,22 +158,22 @@ jobs:
SLACK_MESSAGE: ${{steps.discussionmarkdown.outputs.text}}
MSG_MINIMAL: true
#########
- # Handling Mailchimp notifications
+ # Handling Kit.com notifications
#########
- name: Install deps
run: npm install
- working-directory: ./.github/workflows/scripts/mailchimp
- - name: Send email with MailChimp
+ working-directory: ./.github/workflows/scripts/kit
+ - name: Send email with Kit.com
uses: actions/github-script@v7
env:
- CALENDAR_ID: ${{ secrets.CALENDAR_ID }}
- CALENDAR_SERVICE_ACCOUNT: ${{ secrets.CALENDAR_SERVICE_ACCOUNT }}
- MAILCHIMP_API_KEY: ${{ secrets.MAILCHIMP_API_KEY }}
+ KIT_API_KEY: ${{ secrets.KIT_API_KEY }}
+ KIT_TSC_TAG_ID: ${{ secrets.KIT_TSC_TAG_ID }}
TITLE: ${{ github.event.discussion.title }}
+ HTML_URL: ${{ github.event.discussion.html_url }}
with:
script: |
- const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js');
- sendEmail('${{github.event.discussion.html_url}}', process.env.TITLE);
+ const sendEmail = require('./.github/workflows/scripts/kit/index.js');
+ return sendEmail(process.env.HTML_URL, process.env.TITLE);
issue_comment:
if: ${{ github.event_name == 'issue_comment' && !github.event.issue.pull_request && contains(github.event.comment.body, '@asyncapi/tsc_members') }}
@@ -174,10 +182,12 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@v4
with:
- node-version: 16
+ node-version: 20
cache: 'npm'
cache-dependency-path: '**/package-lock.json'
#########
@@ -197,22 +207,22 @@ jobs:
SLACK_MESSAGE: ${{steps.issuemarkdown.outputs.text}}
MSG_MINIMAL: true
#########
- # Handling Mailchimp notifications
+ # Handling Kit.com notifications
#########
- name: Install deps
run: npm install
- working-directory: ./.github/workflows/scripts/mailchimp
- - name: Send email with MailChimp
+ working-directory: ./.github/workflows/scripts/kit
+ - name: Send email with Kit.com
uses: actions/github-script@v7
env:
- CALENDAR_ID: ${{ secrets.CALENDAR_ID }}
- CALENDAR_SERVICE_ACCOUNT: ${{ secrets.CALENDAR_SERVICE_ACCOUNT }}
- MAILCHIMP_API_KEY: ${{ secrets.MAILCHIMP_API_KEY }}
+ KIT_API_KEY: ${{ secrets.KIT_API_KEY }}
+ KIT_TSC_TAG_ID: ${{ secrets.KIT_TSC_TAG_ID }}
TITLE: ${{ github.event.issue.title }}
+ HTML_URL: ${{ github.event.comment.html_url }}
with:
script: |
- const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js');
- sendEmail('${{github.event.comment.html_url}}', process.env.TITLE);
+ const sendEmail = require('./.github/workflows/scripts/kit/index.js');
+ return sendEmail(process.env.HTML_URL, process.env.TITLE);
pr_comment:
if: github.event_name == 'issue_comment' && github.event.issue.pull_request && contains(github.event.comment.body, '@asyncapi/tsc_members')
@@ -221,10 +231,12 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@v4
with:
- node-version: 16
+ node-version: 20
cache: 'npm'
cache-dependency-path: '**/package-lock.json'
#########
@@ -244,22 +256,22 @@ jobs:
SLACK_MESSAGE: ${{steps.prmarkdown.outputs.text}}
MSG_MINIMAL: true
#########
- # Handling Mailchimp notifications
+ # Handling Kit.com notifications
#########
- name: Install deps
run: npm install
- working-directory: ./.github/workflows/scripts/mailchimp
- - name: Send email with MailChimp
+ working-directory: ./.github/workflows/scripts/kit
+ - name: Send email with Kit.com
uses: actions/github-script@v7
env:
- CALENDAR_ID: ${{ secrets.CALENDAR_ID }}
- CALENDAR_SERVICE_ACCOUNT: ${{ secrets.CALENDAR_SERVICE_ACCOUNT }}
- MAILCHIMP_API_KEY: ${{ secrets.MAILCHIMP_API_KEY }}
+ KIT_API_KEY: ${{ secrets.KIT_API_KEY }}
+ KIT_TSC_TAG_ID: ${{ secrets.KIT_TSC_TAG_ID }}
TITLE: ${{ github.event.issue.title }}
+ HTML_URL: ${{ github.event.comment.html_url }}
with:
script: |
- const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js');
- sendEmail('${{github.event.comment.html_url}}', process.env.TITLE);
+ const sendEmail = require('./.github/workflows/scripts/kit/index.js');
+ return sendEmail(process.env.HTML_URL, process.env.TITLE);
discussion_comment:
if: github.event_name == 'discussion_comment' && contains(github.event.comment.body, '@asyncapi/tsc_members')
@@ -268,10 +280,12 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@v4
with:
- node-version: 16
+ node-version: 20
cache: 'npm'
cache-dependency-path: '**/package-lock.json'
#########
@@ -291,19 +305,19 @@ jobs:
SLACK_MESSAGE: ${{steps.discussionmarkdown.outputs.text}}
MSG_MINIMAL: true
#########
- # Handling Mailchimp notifications
+ # Handling Kit.com notifications
#########
- name: Install deps
run: npm install
- working-directory: ./.github/workflows/scripts/mailchimp
- - name: Send email with MailChimp
+ working-directory: ./.github/workflows/scripts/kit
+ - name: Send email with Kit.com
uses: actions/github-script@v7
env:
- CALENDAR_ID: ${{ secrets.CALENDAR_ID }}
- CALENDAR_SERVICE_ACCOUNT: ${{ secrets.CALENDAR_SERVICE_ACCOUNT }}
- MAILCHIMP_API_KEY: ${{ secrets.MAILCHIMP_API_KEY }}
+ KIT_API_KEY: ${{ secrets.KIT_API_KEY }}
+ KIT_TSC_TAG_ID: ${{ secrets.KIT_TSC_TAG_ID }}
TITLE: ${{ github.event.discussion.title }}
+ HTML_URL: ${{ github.event.comment.html_url }}
with:
script: |
- const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js');
- sendEmail('${{github.event.comment.html_url}}', process.env.TITLE);
+ const sendEmail = require('./.github/workflows/scripts/kit/index.js');
+ return sendEmail(process.env.HTML_URL, process.env.TITLE);
diff --git a/.github/workflows/please-take-a-look-command.yml b/.github/workflows/please-take-a-look-command.yml
index 84b5a262..30a6938d 100644
--- a/.github/workflows/please-take-a-look-command.yml
+++ b/.github/workflows/please-take-a-look-command.yml
@@ -11,6 +11,8 @@ on:
issue_comment:
types: [created]
+permissions: {}
+
jobs:
ping-for-attention:
if: >
@@ -22,6 +24,7 @@ jobs:
contains(github.event.comment.body, '/ptal') ||
contains(github.event.comment.body, '/PTAL')
)
+ name: Ping code owners for attention
runs-on: ubuntu-latest
steps:
- name: Check for Please Take a Look Command
@@ -31,7 +34,7 @@ jobs:
script: |
const prDetailsUrl = context.payload.issue.pull_request.url;
const { data: pull } = await github.request(prDetailsUrl);
- const reviewers = pull.requested_reviewers.map(reviewer => reviewer.login);
+ const reviewers = (pull.requested_reviewers || []).map(reviewer => reviewer.login);
const { data: reviews } = await github.rest.pulls.listReviews({
owner: context.repo.owner,
diff --git a/.github/workflows/release-announcements.yml b/.github/workflows/release-announcements.yml
index 311b701f..b521d394 100644
--- a/.github/workflows/release-announcements.yml
+++ b/.github/workflows/release-announcements.yml
@@ -8,6 +8,9 @@ on:
types:
- published
+permissions:
+ contents: read # To checkout code and read release information
+
jobs:
slack-announce:
@@ -16,6 +19,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Convert markdown to slack markdown for issue
# This workflow is from our own org repo and safe to reference by 'master'.
uses: asyncapi/.github/.github/actions/slackify-markdown@master # //NOSONAR
@@ -42,11 +47,13 @@ jobs:
steps:
- name: Checkout repo
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Get version of last and previous release
uses: actions/github-script@v7
id: versions
with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
+ github-token: ${{ github.token }}
script: |
const query = `query($owner:String!, $name:String!) {
repository(owner:$owner, name:$name){
@@ -72,12 +79,12 @@ jobs:
env:
PREV_VERSION: ${{steps.versions.outputs.previousver}}
LAST_VERSION: ${{steps.versions.outputs.lastver}}
- run: echo "type=$(npx -q -p semver-diff-cli semver-diff "$PREV_VERSION" "$LAST_VERSION")" >> $GITHUB_OUTPUT
+ run: echo "type=$(npx -q -p semver-diff-cli semver-diff "$PREV_VERSION" "$LAST_VERSION")" >> "$GITHUB_OUTPUT"
- name: Get name of the person that is behind the newly released version
id: author
run: |
AUTHOR_NAME=$(git log -1 --pretty=format:'%an')
- printf 'name=%s\n' "$AUTHOR_NAME" >> $GITHUB_OUTPUT
+ printf 'name=%s\n' "$AUTHOR_NAME" >> "$GITHUB_OUTPUT"
- name: Publish information about the release to Twitter # tweet only if detected version change is not a patch
# tweet goes out even if the type is not major or minor but "You need provide version number to compare."
# it is ok, it just means we did not identify previous version as we are tweeting out information about the release for the first time
diff --git a/.github/workflows/scripts/kit/htmlContent.js b/.github/workflows/scripts/kit/htmlContent.js
new file mode 100644
index 00000000..4acb5134
--- /dev/null
+++ b/.github/workflows/scripts/kit/htmlContent.js
@@ -0,0 +1,510 @@
+/**
+ * This code is centrally managed in https://github.com/asyncapi/.github/
+ * Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in above mentioned repo
+ *
+ * Kit.com version — greeting uses Kit Liquid (subscriber.first_name). Unsubscribe is provided by the Kit email template/footer.
+ */
+
+/**
+ * Escape HTML special characters to prevent XSS
+ */
+function escapeHtml(text) {
+ if (!text) return '';
+ return text
+ .replace(/&/g, '&')
+ .replace(//g, '>')
+ .replace(/"/g, '"')
+ .replace(/'/g, ''');
+}
+
+module.exports = (link, title) => {
+ // Sanitize inputs to prevent XSS
+ const safeLink = escapeHtml(link);
+ const safeTitle = escapeHtml(title);
+
+ return `
+
+
+
+
+
+
+
+ ${safeTitle}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Hey {{ subscriber.first_name | strip | default: "TSC member" }},
+
+There is a new topic at AsyncAPI Initiative that requires Technical Steering Committee attention.
+
+Please have a look if it is just something you need to be aware of, or maybe your vote is needed.
+
+Topic: ${ safeTitle }.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Cheers,
+AsyncAPI Initiative
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ You are receiving this email because you are subscribed to TSC Voting notifications.
+
+