diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml
index 673e8d9..c711d65 100644
--- a/.github/workflows/check-dist.yml
+++ b/.github/workflows/check-dist.yml
@@ -1,4 +1,4 @@
-name: Check dist/
+name: Check dist content
on:
push:
@@ -11,6 +11,9 @@ on:
- '**.md'
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
call-check-dist:
name: Check dist/
diff --git a/.github/workflows/close-inactive-issues.yml b/.github/workflows/close-inactive-issues.yml
index fe6d19f..86d227d 100644
--- a/.github/workflows/close-inactive-issues.yml
+++ b/.github/workflows/close-inactive-issues.yml
@@ -1,4 +1,5 @@
name: Close inactive issues
+
on:
schedule:
- cron: "30 8 * * *"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index cf15b23..c882f16 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,4 +1,4 @@
-name: "Code scanning - action"
+name: Code scanning
on:
push:
@@ -6,15 +6,14 @@ on:
schedule:
- cron: '0 19 * * 0'
+permissions:
+ contents: read
+ security-events: write
+
jobs:
CodeQL-Build:
# CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
runs-on: ubuntu-latest
-
- permissions:
- # required for all workflows
- security-events: write
-
steps:
- name: Checkout repository
uses: actions/checkout@v5
diff --git a/.github/workflows/issue-opened-workflow.yml b/.github/workflows/issue-opened-workflow.yml
index 185eb1d..d8dfbf4 100644
--- a/.github/workflows/issue-opened-workflow.yml
+++ b/.github/workflows/issue-opened-workflow.yml
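Review bot: The new top-level `permissions: contents: read` in check-dist.yml also caps whatever the `call-check-dist` job invokes: if that job calls a reusable workflow (the job name suggests it, but its `uses:` line is outside the hunk), the called workflow can use at most the caller's token scopes. For a read-only dist check that is the right ceiling, but it is worth confirming the called workflow does not need anything beyond `contents: read`, and recording the intent with `# also bounds the reusable workflow called by call-check-dist` above the block. The workflow rename to "Check dist content" leaves the job's `name: Check dist/` as it was; aligning the two would make run listings easier to read.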
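Review bot: close-inactive-issues.yml receives only a blank line while every other workflow touched by this commit gets an explicit top-level `permissions:` block, so this workflow keeps running with the repository's default GITHUB_TOKEN scope unless a job-level block exists further down the file (the rest of the file is outside the hunk). A scheduled workflow that closes issues presumably needs only `issues: write` (plus `pull-requests: write` if it also handles stale pull requests); adding `permissions:` / `  issues: write` after the `on:` block would bring it in line with the others and keep the token least-privilege.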
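Review bot: The comment `# required for all workflows` that explained the `security-events: write` grant is dropped together with the job-level block, and the new top-level block in codeql.yml (`+permissions:` through `+  security-events: write`) carries no explanation. A one-line comment above it such as `# security-events: write lets the CodeQL action upload SARIF results; contents: read covers checkout` keeps the reason visible to the next maintainer. Note also that the block now applies to every job in the file rather than only `CodeQL-Build`; with the single job visible this is equivalent, but a job added later inherits the write scope unless it declares its own `permissions:`. If the repository is private, the default CodeQL workflow template additionally lists `actions: read`; it is not needed for a public repository.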
@@ -1,16 +1,21 @@
name: Assign issue
+
on:
issues:
types: [opened]
+
+permissions:
+ issues: write
+
jobs:
run-action:
runs-on: ubuntu-latest
steps:
- - name: Get current oncall
- id: oncall
- run: |
- echo "CURRENT=$(curl --request GET 'https://api.pagerduty.com/oncalls?include[]=users&schedule_ids[]=P5VG2BX&earliest=true' --header 'Authorization: Token token=${{ secrets.PAGERDUTY_TOKEN }}' --header 'Accept: application/vnd.pagerduty+json;version=2' --header 'Content-Type: application/json' | jq -r '.oncalls[].user.name')" >> $GITHUB_OUTPUT
-
- - name: add_assignees
- run: |
- curl -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN}}" https://api.github.com/repos/${{github.repository}}/issues/${{ github.event.issue.number}}/assignees -d '{"assignees":["${{steps.oncall.outputs.CURRENT}}"]}'
+ - name: Get current oncall
+ id: oncall
+ run: |
+ echo "CURRENT=$(curl --request GET 'https://api.pagerduty.com/oncalls?include[]=users&schedule_ids[]=P5VG2BX&earliest=true' --header 'Authorization: Token token=${{ secrets.PAGERDUTY_TOKEN }}' --header 'Accept: application/vnd.pagerduty+json;version=2' --header 'Content-Type: application/json' | jq -r '.oncalls[].user.name')" >> $GITHUB_OUTPUT
+
+ - name: add_assignees
+ run: |
+ curl -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN}}" https://api.github.com/repos/${{github.repository}}/issues/${{ github.event.issue.number}}/assignees -d '{"assignees":["${{steps.oncall.outputs.CURRENT}}"]}'
diff --git a/.github/workflows/licensed.yml b/.github/workflows/licensed.yml
index 3363979..78cf588 100644
--- a/.github/workflows/licensed.yml
+++ b/.github/workflows/licensed.yml
@@ -1,6 +1,4 @@
-name: Licensed
-permissions:
- contents: read
+name: License check
on:
push:
@@ -11,6 +9,9 @@ on:
- main
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
validate-cached-dependency-records:
runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-opened-workflow.yml b/.github/workflows/pr-opened-workflow.yml
index 3346d9e..e4da21e 100644
--- a/.github/workflows/pr-opened-workflow.yml
+++ b/.github/workflows/pr-opened-workflow.yml
@@ -1,20 +1,25 @@
-name: Add Reviewer PR
+name: Assign pull request reviewer
+
on:
pull_request_target:
types: [opened]
+
+permissions:
+ pull-requests: write
+
jobs:
run-action:
runs-on: ubuntu-latest
steps:
- - name: Get current oncall
- id: oncall
- run: |
- echo "CURRENT=$(curl --request GET 'https://api.pagerduty.com/oncalls?include[]=users&schedule_ids[]=P5VG2BX&earliest=true' --header 'Authorization: Token token=${{ secrets.PAGERDUTY_TOKEN }}' --header 'Accept: application/vnd.pagerduty+json;version=2' --header 'Content-Type: application/json' | jq -r '.oncalls[].user.name')" >> $GITHUB_OUTPUT
-
- - name: Request Review
- run: |
- curl -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN}}" https://api.github.com/repos/${{github.repository}}/pulls/${{ github.event.pull_request.number}}/requested_reviewers -d '{"reviewers":["${{steps.oncall.outputs.CURRENT}}"]}'
-
- - name: Add Assignee
- run: |
- curl -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN}}" https://api.github.com/repos/${{github.repository}}/issues/${{ github.event.pull_request.number}}/assignees -d '{"assignees":["${{steps.oncall.outputs.CURRENT}}"]}'
+ - name: Get current oncall
+ id: oncall
+ run: |
+ echo "CURRENT=$(curl --request GET 'https://api.pagerduty.com/oncalls?include[]=users&schedule_ids[]=P5VG2BX&earliest=true' --header 'Authorization: Token token=${{ secrets.PAGERDUTY_TOKEN }}' --header 'Accept: application/vnd.pagerduty+json;version=2' --header 'Content-Type: application/json' | jq -r '.oncalls[].user.name')" >> $GITHUB_OUTPUT
+
+ - name: Request Review
+ run: |
+ curl -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN}}" https://api.github.com/repos/${{github.repository}}/pulls/${{ github.event.pull_request.number}}/requested_reviewers -d '{"reviewers":["${{steps.oncall.outputs.CURRENT}}"]}'
+
+ - name: Add Assignee
+ run: |
+ curl -X 
POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN}}" https://api.github.com/repos/${{github.repository}}/issues/${{ github.event.pull_request.number}}/assignees -d '{"assignees":["${{steps.oncall.outputs.CURRENT}}"]}'
diff --git a/.github/workflows/publish-immutable-actions.yml b/.github/workflows/publish-immutable-actions.yml
index 26a42b4..f66b952 100644
--- a/.github/workflows/publish-immutable-actions.yml
+++ b/.github/workflows/publish-immutable-actions.yml
@@ -1,17 +1,17 @@
-name: 'Publish Immutable Action Version'
+name: Publish immutable action
on:
release:
types: [released]
+permissions:
+ contents: read
+ id-token: write
+ packages: write
+
jobs:
publish:
runs-on: ubuntu-latest
- permissions:
- contents: read
- id-token: write
- packages: write
-
steps:
- name: Checking out
uses: actions/checkout@v5
diff --git a/.github/workflows/release-new-action-version.yml b/.github/workflows/release-new-action-version.yml
index 0b64c97..1f52abb 100644
--- a/.github/workflows/release-new-action-version.yml
+++ b/.github/workflows/release-new-action-version.yml
@@ -1,4 +1,5 @@
name: Release new action version
+
on:
release:
types: [released]
@@ -10,6 +11,7 @@ on:
env:
TAG_NAME: ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }}
+
permissions:
contents: write
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index 891aa95..3dbbc6f 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -10,6 +10,9 @@ on:
- main
- releases/**
+permissions:
+ contents: read
+
jobs:
# Build and unit test
build:
@@ -57,6 +60,7 @@ jobs:
path: |
test-cache
~/test-cache
+
test-restore:
needs: test-save
strategy:
@@ -104,6 +108,7 @@ jobs:
with:
key: test-proxy-${{ github.run_id }}
path: test-cache
+
test-proxy-restore:
needs: test-proxy-save
runs-on: ubuntu-latest
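Review bot: `pull_request_target` runs this workflow in the base repository with its secrets and with the write token granted by the new `pull-requests: write` block, for pull requests opened from forks as well; the steps in the hunk never check out or execute pull-request content, and that is precisely what keeps the trigger safe, so the constraint deserves a comment next to the trigger: `# pull_request_target: runs with base-repo secrets; never check out or run PR code in this workflow`. The Add Assignee step posts to the issues API (`/issues/{number}/assignees`), so it is worth confirming that `pull-requests: write` alone authorizes that call for a pull request and adding `issues: write` if it comes back 403. The interpolation of the PagerDuty output into `run:` is the same defect raised on issue-opened-workflow.yml and applies to both the Request Review and Add Assignee steps here.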
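Review bot: Moving `id-token: write` and `packages: write` from the `publish` job to the workflow level in publish-immutable-actions.yml widens those scopes to every job in the file; with the single `publish` job visible the result is equivalent, but any job added later can mint OIDC tokens and push packages unless it sets its own narrower `permissions:`. Job-level scoping is the tighter form, so either keep the block on the job as the removed lines had it, or at least add `# workflow-wide: id-token/packages write are needed only by the publish job; re-scope if more jobs are added` above the new block so the widening is a documented choice rather than an accident of consolidation.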