From 8a102caddeadadce4b96aed6686012f76cac352e Mon Sep 17 00:00:00 2001
From: Danielle Adams
Date: Thu, 31 Aug 2023 15:51:08 -0600
Subject: [PATCH] ARCH-1916 - Refactor the build and increment workflows based on latest reusable workflow implementations
---
 .github/workflows/auto-update-readme.yml | 24 ------
 .github/workflows/build-and-review-pr.yml | 62 +++++++++++++++
 .../workflows/increment-version-on-merge.yml | 79 +++++++++++++------
 3 files changed, 119 insertions(+), 46 deletions(-)
 delete mode 100644 .github/workflows/auto-update-readme.yml
 create mode 100644 .github/workflows/build-and-review-pr.yml
diff --git a/.github/workflows/auto-update-readme.yml b/.github/workflows/auto-update-readme.yml
deleted file mode 100644
index 47b7eec..0000000
--- a/.github/workflows/auto-update-readme.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: Review PR
-on:
- # This workflow uses the pull_request trigger which prevents write permissions on the
- # GH_TOKEN and secrets access from public forks. This should remain as a pull_request
- # trigger to protect org-level secrets which are utilized when the workflow automatically
- # updates the readme with the latest version changes in branches. The reduced permissions
- # for public forks is adequate but does mean re-compiles and readme changes will have to
- # be made manually when the PR comes from a fork.
- pull_request:
- # Don't include any specific paths here so we always get a build that produces a status
- # check that our Branch Protection Rules can use. Having a status check also allows us
- # to require that branches be up to date before they are merged.
-
-jobs:
- ci:
- uses: im-open/.github/.github/workflows/reusable-javascript-build.yml@v1
- with:
- action-name: ${{ github.repository }}
- default-branch: main
- readme-location: './README.md'
- files-with-code: 'action.yml' # TODO: Update if there are additional files or scripts that contain source code for the action
- folders-with-code: 'src' # TODO: Update if there are additional directories that contain source code for the action
- secrets:
- PIPELINE_BOT_PAT: ${{ secrets.PIPELINE_BOT_PAT }}
diff --git a/.github/workflows/build-and-review-pr.yml b/.github/workflows/build-and-review-pr.yml
new file mode 100644
index 0000000..54328df
--- /dev/null
+++ b/.github/workflows/build-and-review-pr.yml
@@ -0,0 +1,62 @@
+name: Build and Review PR
+run-name: Build and Review PR #${{ github.event.pull_request.number }}
+
+on:
+ # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+ #
+ # This workflow uses the pull_request trigger which prevents write permissions on the
+ # GH_TOKEN and secrets access from public forks. This should remain as a pull_request
+ # trigger to minimize the access public forks have in the repository. The reduced
+ # permissions is adequate but does mean re-compiles and readme changes will have to be
+ # made manually by the PR author. These auto-updates could be done by this workflow
+ # for branches but in order to re-trigger a PR build (which is needed for status checks),
+ # we would make the commits with a different user and their PAT. To minimize exposure
+ # and complication we will request those changes be manually made by the PR author.
+ pull_request:
+ types: [opened, synchronize, reopened]
+ # paths:
+ # Do not include specific paths here. We always want this build to run and produce a
+ # status check which are branch protection rules can use. If this is skipped because of
+ # path filtering, a status check will not be created and we won't be able to merge the PR
+ # without disabling that requirement. If we have a status check that is always produced,
+ # we can also use that to require all branches be up to date before they are merged.
+
+jobs:
+ build-and-review-pr:
+ # This reusable workflow will check to see if an action's source code has changed based on
+ # whether the PR includes files that match the files-with-code arg or are in one of the
+ # dirs-with-code directories. If there are source code changes, this reusable workflow
+ # will then run the action's build (if one was provided) and update the README.md with the
+ # the latest version of the action. If those two steps result in any changes that need to
+ # be committed, the workflow will fail because the PR needs some updates. Instructions for
+ # updating the PR will be available in the build log, the workflow summary and as a PR
+ # comment if the PR came from a branch (not a fork).
+ # This workflow assumes:
+ # - The main README.md is at the root of the repo
+ # - The README contains a contribution guidelines and usage examples section
+ uses: im-open/.github/.github/workflows/reusable-build-and-review-pr.yml@v1
+ with:
+ action-name: ${{ github.repository }}
+ default-branch: main
+ readme-name: 'README.md'
+
+ # The id of the contribution guidelines section of the README.md
+ readme-contribution-id: '#contributing'
+
+ # The id of the usage examples section of the README.md
+ readme-examples-id: '#usage-examples'
+
+ # The files that contain source code for the action. Only files that affect the action's execution
+ # should be included like action.yml or package.json. Do not include files like README.md or .gitignore.
+ # Files do not need to be explicitly provided here if they fall under one of the dirs in dirs-with-code.
+ # ** This value must match the same files-with-code argument specified in increment-version-on-merge.yml.
+ files-with-code: 'action.yml' # TODO: Update if there are additional files or scripts.
+
+ # The directories that contain source code for the action. Only dirs with files that affect the action's
+ # execution should be included like src or dist. Do not include dirs like .github or node_modules.
+ # ** This value must match the same dirs-with-code argument specified in increment-version-on-merge.yml.
+ dirs-with-code: '' # TODO: Update if there are additional directories with code for the action.
+
+ # The npm script to run to build the action. This is typically 'npm run build' if the
+ # action needs to be compiled. For composite-run-steps actions this is typically empty.
+ build-command: '' # TODO: Update if this action has a build step.
diff --git a/.github/workflows/increment-version-on-merge.yml b/.github/workflows/increment-version-on-merge.yml
index 25418ba..9ab314c 100644
--- a/.github/workflows/increment-version-on-merge.yml
+++ b/.github/workflows/increment-version-on-merge.yml
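Review bot: `run-name: Build and Review PR #${{ github.event.pull_request.number }}` is a plain scalar, and in YAML a ` #` inside a plain scalar begins a comment, so the PR number is very likely dropped and the run is named just `Build and Review PR`; quote the value, `run-name: 'Build and Review PR #${{ github.event.pull_request.number }}'`. The same line is added in the increment-version-on-merge.yml hunk below. Separately, the comments on `files-with-code` and `dirs-with-code` say these values must match increment-version-on-merge.yml, but this file sets `'action.yml'` and `''` while that hunk sets `'action.yml,package.json,package-lock.json'` and `'src,dist'` (and `build-command` differs as well), so one of the two is stale. The `# TODO` markers left on all three inputs suggest the template defaults in this file were never filled in.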
@@ -1,27 +1,62 @@
-name: Increment Version on Merge
+name: Build and Review PR
+run-name: Build and Review PR #${{ github.event.pull_request.number }}
+
 on:
- # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
- # - GitHub’s standard pull_request workflow trigger prevents write permissions and secrets
- # access to the target repository from public forks. PRs from a branch in the same repo
- # and forks of internal/private repos are not limited the same way for this trigger.
- # - The pull_request_target trigger allows the workflow to relax some restrictions to a
- # target repository so PRs from forks have write permission to the target repo and have
- # secrets access (which we need in order to push a new tag in this workflow).
- # - For this workflow, the elevated permissions should not be a problem because:
- # - Require approval for all outside collaborators' is set at the org level so someone
- # with Write access has a chance to review code before allowing any workflow runs
- # - This workflow with elevated Write permissions will only run once the code has been
- # reviewed, approved by a CODEOWNER and merged
- pull_request_target:
- types: [closed]
- paths-ignore:
- - 'README.md'
- - 'LICENSE'
- - '.github/CODEOWNERS'
- - '.github/workflows/**'
+ # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+ #
+ # This workflow uses the pull_request trigger which prevents write permissions on the
+ # GH_TOKEN and secrets access from public forks. This should remain as a pull_request
+ # trigger to minimize the access public forks have in the repository. The reduced
+ # permissions is adequate but does mean re-compiles and readme changes will have to be
+ # made manually by the PR author. These auto-updates could be done by this workflow
+ # for branches but in order to re-trigger a PR build (which is needed for status checks),
+ # we would make the commits with a different user and their PAT. To minimize exposure
+ # and complication we will request those changes be manually made by the PR author.
+ pull_request:
+ types: [opened, synchronize, reopened]
+ # paths:
+ # Do not include specific paths here. We always want this build to run and produce a
+ # status check which are branch protection rules can use. If this is skipped because of
+ # path filtering, a status check will not be created and we won't be able to merge the PR
+ # without disabling that requirement. If we have a status check that is always produced,
+ # we can also use that to require all branches be up to date before they are merged.
 jobs:
- increment-version:
- uses: im-open/.github/.github/workflows/reusable-version-on-merge.yml@v1
+ build-and-review-pr:
+ # This reusable workflow will check to see if an action's source code has changed based on
+ # whether the PR includes files that match the files-with-code arg or are in one of the
+ # dirs-with-code directories. If there are source code changes, this reusable workflow
+ # will then run the action's build (if one was provided) and update the README.md with the
+ # the latest version of the action. If those two steps result in any changes that need to
+ # be committed, the workflow will fail because the PR needs some updates. Instructions for
+ # updating the PR will be available in the build log, the workflow summary and as a PR
+ # comment if the PR came from a branch (not a fork).
+ # This workflow assumes:
+ # - The main README.md is at the root of the repo
+ # - The README contains a contribution guidelines and usage examples section
+ uses: im-open/.github/.github/workflows/reusable-build-and-review-pr.yml@v1
 with:
+ action-name: ${{ github.repository }}
 default-branch: main
+ readme-name: 'README.md'
+
+ # The id of the contribution guidelines section of the README.md
+ readme-contribution-id: '#contributing'
+
+ # The id of the usage examples section of the README.md
+ readme-examples-id: '#usage-examples'
+
+ # The files that contain source code for the action. Only files that affect the action's execution
+ # should be included like action.yml or package.json. Do not include files like README.md or .gitignore.
+ # Files do not need to be explicitly provided here if they fall under one of the dirs in dirs-with-code.
+ # ** This value must match the same files-with-code argument specified in increment-version-on-merge.yml.
+ files-with-code: 'action.yml,package.json,package-lock.json' # TODO: Update if there are additional files or scripts.
+
+ # The directories that contain source code for the action. Only dirs with files that affect the action's
+ # execution should be included like src or dist. Do not include dirs like .github or node_modules.
+ # ** This value must match the same dirs-with-code argument specified in increment-version-on-merge.yml.
+ dirs-with-code: 'src,dist' # TODO: Update if there are additional directories with code for the action.
+
+ # The npm script to run to build the action. This is typically 'npm run build' if the
+ # action needs to be compiled. For composite-run-steps actions this is typically empty.
+ build-command: 'npm run build' # TODO: Update if a different command is used to build/recompile/format the action
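Review bot: After this hunk, increment-version-on-merge.yml no longer increments anything: its new content is a second copy of build-and-review-pr.yml (`name: Build and Review PR`, a `pull_request` trigger, and a `build-and-review-pr` job calling `reusable-build-and-review-pr.yml@v1`), and the added comments on `files-with-code` and `dirs-with-code` even tell the reader to match "increment-version-on-merge.yml", i.e. this file itself. The removed lines were the only caller of `reusable-version-on-merge.yml@v1`, so with this commit nothing tags a new version on merge, and every PR will produce two identically named status checks. This file should keep an on-merge trigger and call the version-on-merge reusable workflow; if that trigger is again `pull_request_target` with `types: [closed]`, the removed justification comment and the `paths-ignore` entry for `'.github/workflows/**'` belong with it, since the removed comment documents that this trigger runs with write permission and secrets access for fork PRs. The inputs that differ from build-and-review-pr.yml here (`'action.yml,package.json,package-lock.json'`, `'src,dist'`, `'npm run build'`) look like the intended real values and should live in whichever file ends up carrying the PR build.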