diff --git a/.github/workflows/__greetings.yml b/.github/workflows/__greetings.yml
index c5e2031..05319fa 100644
--- a/.github/workflows/__greetings.yml
+++ b/.github/workflows/__greetings.yml
@@ -13,4 +13,4 @@ permissions:
 
 jobs:
   greetings:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/greetings.yml@b7dd413209df265bef8d7eb0efb117eaabc684c4 # 0.27.0
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/greetings.yml@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
diff --git a/.github/workflows/__main-ci.yml b/.github/workflows/__main-ci.yml
index c118192..a8ca57d 100644
--- a/.github/workflows/__main-ci.yml
+++ b/.github/workflows/__main-ci.yml
@@ -10,17 +10,7 @@ on:
   schedule:
     - cron: "25 8 * * 1"
 
-permissions:
-  actions: write
-  contents: write
-  issues: read
-  packages: write
-  pages: write
-  pull-requests: write
-  security-events: write
-  statuses: write
-  # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
-  id-token: write
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -29,14 +19,39 @@ concurrency:
 jobs:
   ci:
     uses: ./.github/workflows/__shared-ci.yml
+    # jscpd:ignore-start
+    permissions:
+      actions: read
+      contents: read
+      packages: write
+      pull-requests: read
+      id-token: write
+      issues: read
+      security-events: write
+      statuses: write
+    # jscpd:ignore-end
     secrets: inherit
 
   release:
     needs: ci
     if: github.event_name != 'schedule'
-    uses: hoverkraft-tech/ci-github-publish/.github/workflows/release-actions.yml@b5b9f9278423f286fa2e14ca86f932475493828a # 0.12.1
+    uses: hoverkraft-tech/ci-github-publish/.github/workflows/release-actions.yml@0717eb404857b7e4a15dc0db5fbece52921e85fb # 0.13.1
+    permissions:
+      contents: read
     with:
       update-all: ${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) || github.event_name == 'workflow_dispatch' }}
       github-app-id: ${{ vars.CI_BOT_APP_ID }}
     secrets:
       github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
+
+  sync-docs:
+    needs: release
+    if: github.event_name != 'schedule' && github.ref_name == github.event.repository.default_branch && needs.release.outputs.artifact-id
+    uses: hoverkraft-tech/public-docs/.github/workflows/sync-docs-dispatcher.yml@c40c17f7d6a8090950b3ef4bfc70502707a6bb9f # 0.3.0
+    permissions:
+      contents: read
+    with:
+      artifact-id: ${{ needs.release.outputs.artifact-id }}
+      github-app-id: ${{ vars.CI_BOT_APP_ID }}
+    secrets:
+      github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
diff --git a/.github/workflows/__need-fix-to-issue.yml b/.github/workflows/__need-fix-to-issue.yml
index dab43ad..afe0050 100644
--- a/.github/workflows/__need-fix-to-issue.yml
+++ b/.github/workflows/__need-fix-to-issue.yml
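Review bot: The `id-token: write` grant added at the job level under `ci` here, under `ci` in __pull-request-ci.yml and under `test-workflow-continuous-integration` in __shared-ci.yml drops the comment the removed workflow-level block carried, so the reason an OIDC token is still requested is no longer recorded next to the grant; keep it on the line above each one: `# FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659`. The `release` job now runs with `contents: read` where the old workflow-level block granted `contents: write`, `pull-requests: write` and `pages: write`; if release-actions.yml does its writes with the GitHub App key it is handed this is the right reduction, but any step in it that still relies on GITHUB_TOKEN will now be refused, so it is worth exercising a tag push before relying on this. On a tag push `github.ref_name` is the tag name, so the new `sync-docs` condition skips exactly the tag-triggered run that `update-all` targets; confirm that is intended.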
@@ -24,7 +24,7 @@ concurrency:
 
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@b7dd413209df265bef8d7eb0efb117eaabc684c4 # 0.27.0
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
     with:
       manual-commit-ref: ${{ inputs.manual-commit-ref }}
       manual-base-ref: ${{ inputs.manual-base-ref }}
diff --git a/.github/workflows/__pull-request-ci.yml b/.github/workflows/__pull-request-ci.yml
index bf39100..dc88b4d 100644
--- a/.github/workflows/__pull-request-ci.yml
+++ b/.github/workflows/__pull-request-ci.yml
@@ -5,16 +5,7 @@ on:
   pull_request:
     branches: [main]
 
-permissions:
-  actions: read
-  contents: read
-  issues: read
-  packages: write
-  pull-requests: read
-  security-events: write
-  statuses: write
-  # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
-  id-token: write
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -23,4 +14,13 @@ concurrency:
 jobs:
   ci:
     uses: ./.github/workflows/__shared-ci.yml
+    permissions:
+      actions: read
+      contents: read
+      packages: write
+      pull-requests: read
+      id-token: write
+      issues: read
+      security-events: write
+      statuses: write
     secrets: inherit
diff --git a/.github/workflows/__shared-ci.yml b/.github/workflows/__shared-ci.yml
index d57a189..fda3b71 100644
--- a/.github/workflows/__shared-ci.yml
+++ b/.github/workflows/__shared-ci.yml
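Review bot: The permission block added under `ci` in the second __pull-request-ci.yml hunk is the same eight entries as the one added under `ci` in __main-ci.yml, but here it is not wrapped in `# jscpd:ignore-start` / `# jscpd:ignore-end`, so the copy-paste linter may flag one copy and not the other. Mark both callers the same way, or leave both unmarked if the duplication is accepted, so the two grant lists stay visibly in sync.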
@@ -3,43 +3,54 @@ name: Internal - Common Continuous Integration tasks
 on:
   workflow_call:
 
-permissions:
-  actions: read
-  contents: read
-  issues: read
-  packages: write
-  pull-requests: read
-  security-events: write
-  statuses: write
-  # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
-  id-token: write
+permissions: {}
 
 jobs:
   linter:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@b7dd413209df265bef8d7eb0efb117eaabc684c4 # 0.27.0
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
+    permissions:
+      contents: read
+      statuses: write
+      actions: read
+      security-events: write
 
   test-action-dependencies-cache:
     name: Test action "dependencies-cache"
     needs: linter
     uses: ./.github/workflows/__test-action-dependencies-cache.yml
+    permissions:
+      contents: read
 
   test-action-get-package-manager:
     name: Test action "get-package-manager"
     needs: linter
     uses: ./.github/workflows/__test-action-get-package-manager.yml
+    permissions:
+      contents: read
 
   test-action-has-installed-dependencies:
     name: Test action "has-installed-dependencies"
     needs: linter
     uses: ./.github/workflows/__test-action-has-installed-dependencies.yml
+    permissions:
+      contents: read
 
   test-action-setup-node:
     name: Test action "setup-node"
     needs: linter
     uses: ./.github/workflows/__test-action-setup-node.yml
+    permissions:
+      contents: read
 
   test-workflow-continuous-integration:
     name: Test workflow "continuous-integration"
     needs: linter
     uses: ./.github/workflows/__test-workflow-continuous-integration.yml
+    permissions:
+      contents: read
+      packages: write
+      pull-requests: read
+      id-token: write
+      issues: read
+      security-events: write
     secrets: inherit
diff --git a/.github/workflows/__stale.yml b/.github/workflows/__stale.yml
index 341d908..71dab5a 100644
--- a/.github/workflows/__stale.yml
+++ b/.github/workflows/__stale.yml
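Review bot: The new permission block under `linter` lists `contents`, `statuses`, `actions`, `security-events` in an order unlike every other block in this change (the callers in __main-ci.yml and __pull-request-ci.yml and the `test-workflow-continuous-integration` job below all follow the `actions`/`contents`/`packages`/`pull-requests`/`id-token`/`issues`/`security-events`/`statuses` layout), which makes it harder to compare what a caller grants against what this callee requests. Reordering those four lines to match the callers' layout is a cosmetic one-time change. From the visible hunks the caller grants to `ci` are a superset of every request here, so the downscoping itself is consistent.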
@@ -10,4 +10,4 @@ permissions:
 
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@b7dd413209df265bef8d7eb0efb117eaabc684c4 # 0.27.0
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
diff --git a/.github/workflows/__test-action-dependencies-cache.yml b/.github/workflows/__test-action-dependencies-cache.yml
index 9760f25..46eb628 100644
--- a/.github/workflows/__test-action-dependencies-cache.yml
+++ b/.github/workflows/__test-action-dependencies-cache.yml
@@ -3,13 +3,14 @@ name: Internal - Tests for "dependencies-cache" action
 on:
   workflow_call:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   test:
     name: Test "dependencies-cache" (${{ matrix.working-directory }})
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         include:
diff --git a/.github/workflows/__test-action-get-package-manager.yml b/.github/workflows/__test-action-get-package-manager.yml
index 17458fc..ca0ba3c 100644
--- a/.github/workflows/__test-action-get-package-manager.yml
+++ b/.github/workflows/__test-action-get-package-manager.yml
@@ -3,13 +3,14 @@ name: Internal - Tests for "get-package-manager" action
 on:
   workflow_call:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   test:
     name: Test "get-package-manager" (${{ matrix.working-directory }})
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         include:
diff --git a/.github/workflows/__test-action-has-installed-dependencies.yml b/.github/workflows/__test-action-has-installed-dependencies.yml
index 6d00a77..cbd51ed 100644
--- a/.github/workflows/__test-action-has-installed-dependencies.yml
+++ b/.github/workflows/__test-action-has-installed-dependencies.yml
@@ -3,13 +3,14 @@ name: Internal - Tests for "has-installed-dependencies" action
 on:
   workflow_call:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   test:
     name: Test "has-installed-dependencies" (${{ matrix.working-directory }})
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         include:
diff --git a/.github/workflows/__test-action-setup-node.yml b/.github/workflows/__test-action-setup-node.yml
index 2bf6b40..2b46bad 100644
--- a/.github/workflows/__test-action-setup-node.yml
+++ b/.github/workflows/__test-action-setup-node.yml
@@ -3,13 +3,14 @@ name: Internal - Tests for "setup-node" action
 on:
   workflow_call:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   test:
     name: Test "setup-node" (${{ matrix.working-directory }})
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         include:
diff --git a/.github/workflows/__test-workflow-continuous-integration.yml b/.github/workflows/__test-workflow-continuous-integration.yml
index bc7e1b8..f037697 100644
--- a/.github/workflows/__test-workflow-continuous-integration.yml
+++ b/.github/workflows/__test-workflow-continuous-integration.yml
@@ -3,16 +3,17 @@ name: Internal - Test Continuous integration workflow
 on:
   workflow_call:
 
-permissions:
-  contents: read
-  security-events: write
-  # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
-  id-token: write
+permissions: {}
 
 jobs:
   act-without-container:
     name: Act - Run the continuous integration workflow (without container)
     uses: ./.github/workflows/continuous-integration.yml
+    permissions:
+      contents: read
+      security-events: write
+      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
+      id-token: write
     with:
       working-directory: tests/npm
       build: |
@@ -60,6 +61,11 @@ jobs:
     name: Act - Run the continuous integration workflow (with container)
     uses: ./.github/workflows/continuous-integration.yml
     needs: arrange-with-container
+    permissions:
+      contents: read
+      security-events: write
+      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
+      id-token: write
     with:
       container: ${{ fromJSON(needs.arrange-with-container.outputs.built-images).ci-npm.images[0] }}
       working-directory: /usr/src/app/
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index d3be71e..3f824f9 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -97,11 +97,7 @@ on:
           ```
         required: false
 
-permissions:
-  contents: read
-  security-events: write
-  # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
-  id-token: write
+permissions: {}
 
 jobs:
   code-ql:
@@ -111,7 +107,7 @@ jobs:
       security-events: write
     runs-on: ${{ inputs.runs-on && fromJson(inputs.runs-on) || 'ubuntu-latest' }}
     steps:
-      - uses: hoverkraft-tech/ci-github-common/actions/checkout@b7dd413209df265bef8d7eb0efb117eaabc684c4 # 0.27.0
+      - uses: hoverkraft-tech/ci-github-common/actions/checkout@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
       - uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
         with:
           languages: ${{ inputs.code-ql }}
@@ -124,7 +120,7 @@ jobs:
       contents: read
     runs-on: ${{ inputs.runs-on && fromJson(inputs.runs-on) || 'ubuntu-latest' }}
     steps:
-      - uses: hoverkraft-tech/ci-github-common/actions/checkout@b7dd413209df265bef8d7eb0efb117eaabc684c4 # 0.27.0
+      - uses: hoverkraft-tech/ci-github-common/actions/checkout@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
       - uses: actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a # v4.8.1
 
   setup:
@@ -134,9 +130,9 @@ jobs:
       image: ${{ inputs.container != '' && inputs.container || null }}
       # Root user is required to use GitHub Actions features inside the container
       options: --user root:root
-    # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
     permissions:
       contents: read
+      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
       id-token: write
     outputs:
       build-env: ${{ steps.build-variables.outputs.env }}
@@ -144,7 +140,7 @@ jobs:
       build-artifact: ${{ steps.build-variables.outputs.artifact }}
     steps:
       - if: inputs.container == ''
-        uses: hoverkraft-tech/ci-github-common/actions/checkout@b7dd413209df265bef8d7eb0efb117eaabc684c4 # 0.27.0
+        uses: hoverkraft-tech/ci-github-common/actions/checkout@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
 
       - id: build-variables
         if: inputs.build != ''
@@ -258,12 +254,12 @@ jobs:
       options: --user root:root
     needs: setup
     # jscpd:ignore-start
-    # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
     permissions:
       contents: read
+      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
       id-token: write
     steps:
-      - uses: hoverkraft-tech/ci-github-common/actions/checkout@b7dd413209df265bef8d7eb0efb117eaabc684c4 # 0.27.0
+      - uses: hoverkraft-tech/ci-github-common/actions/checkout@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
         if: inputs.container == ''
 
       # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
@@ -310,11 +306,11 @@ jobs:
       options: --user root:root
     needs: setup
     permissions:
-      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
       contents: read
+      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
       id-token: write
     steps:
-      - uses: hoverkraft-tech/ci-github-common/actions/checkout@b7dd413209df265bef8d7eb0efb117eaabc684c4 # 0.27.0
+      - uses: hoverkraft-tech/ci-github-common/actions/checkout@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
         if: needs.setup.outputs.build-commands && inputs.container == ''
 
       # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
@@ -416,12 +412,12 @@ jobs:
     needs:
       - setup
       - build
-    # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
     permissions:
       contents: read
+      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
       id-token: write
     steps:
-      - uses: hoverkraft-tech/ci-github-common/actions/checkout@b7dd413209df265bef8d7eb0efb117eaabc684c4 # 0.27.0
+      - uses: hoverkraft-tech/ci-github-common/actions/checkout@5f11437c716059f30c635f90055060e4ef8b31a0 # 0.28.0
         if: inputs.container == ''
 
       - if: needs.setup.outputs.build-artifact && inputs.container == ''