actions/.github/workflows/new-release.yml
copilot-swe-agent[bot] 40f722ec18 fix: harden workflow permissions - set top-level permissions: {} and scope perms to jobs
Set `permissions: {}` at the top level of all workflow files to deny all
permissions by default, then grant only the minimum required permissions at
the job level. This fixes the Docker push failure caused by missing
`packages: write` permission being scoped incorrectly.

Changes per workflow:
- build-testing-image.yml: add contents: read + packages: write to job
- action-security.yml: consolidate contents: read, actions: read,
  pull-requests: read into the analyze job
- codeql-new.yml: add actions: read to the analyze job
- dependency-review.yml: add contents: read to the dependency-review job
- issue-stats.yml: top-level only (no checkout, existing job perms sufficient)
- new-release.yml: was read-all; job already has contents: write
- pr-lint.yml: was contents: read + packages: read; job already has full perms
- release.yml: job already has contents: write
- security-suite.yml: move all perms to job level
- stale.yml: top-level only (no checkout, existing job perms sufficient)
- sync-labels.yml: was read-all; add contents: read to job for checkout
- version-maintenance.yml: move all perms to job level

Co-authored-by: ivuorinen <11024+ivuorinen@users.noreply.github.com>
2026-03-05 21:22:44 +00:00

---
name: Release Daily State
on:
  workflow_dispatch:
  schedule:
    - cron: '0 21 * * *' # 00:00 at Europe/Helsinki
permissions: {}
jobs:
  new-daily-release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    outputs:
      created: ${{ steps.daily-version.outputs.created }}
      version: ${{ steps.daily-version.outputs.version }}
    steps:
      - uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
        with:
          fetch-depth: 0 # Fetch all history and tags for comparison
      - name: Create daily release
        id: daily-version
        run: |
          set -eu
          VERSION="v$(date '+%Y.%m.%d')"
          printf '%s\n' "version=$VERSION" >> "$GITHUB_OUTPUT"
          # Check if release already exists
          if gh release view "$VERSION" >/dev/null 2>&1; then
            printf '%s\n' "created=false" >> "$GITHUB_OUTPUT"
            printf '%s\n' "Release $VERSION already exists - skipping"
            exit 0
          fi
          # Get the most recent tag
          PREVIOUS_TAG=$(git tag --sort=-version:refname | head -1)
          # Check if there are any changes since the previous tag
          if [ -n "$PREVIOUS_TAG" ]; then
            CHANGES=$(git rev-list "$PREVIOUS_TAG"..HEAD --count)
            if [ "$CHANGES" -eq 0 ]; then
              printf '%s\n' "created=false" >> "$GITHUB_OUTPUT"
              printf '%s\n' "No changes since $PREVIOUS_TAG - skipping release"
              exit 0
            fi
            printf '%s\n' "Found $CHANGES commit(s) since $PREVIOUS_TAG"
          fi
          # Create release with auto-generated changelog (also creates tag)
          gh release create "$VERSION" \
            --title "Release $VERSION" \
            --generate-notes \
            --target main
          printf '%s\n' "created=true" >> "$GITHUB_OUTPUT"
          printf '%s\n' "Created release $VERSION"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
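The commit message describes one rule applied across every workflow: `permissions: {}` at the top level so the `GITHUB_TOKEN` gets nothing by default, and an explicit minimal `permissions` block on each job. The script below is an added example, not code from this repository, that audits workflow files for exactly that rule. It is a line-based reader that relies on the indentation conventions of ordinary workflow files (so it needs no YAML library and is an audit aid rather than a YAML parser); the two sample workflows `WEAK_WORKFLOW` and `HARDENED_WORKFLOW` are constructed for the demonstration, the hardened one mirroring the structure of the file above.

```python
"""Audit GitHub Actions workflow files for a deny-by-default permission model:
top-level ``permissions: {}`` plus an explicit ``permissions`` block per job.

Added example, not part of the repository.  Line-based on purpose: it reads
indentation the way a reviewer does and does not depend on PyYAML.
"""
from typing import Dict, List, Optional


def _strip_comment(value: str) -> str:
    """Drop a trailing '# ...' comment from a scalar value."""
    return value.split("#", 1)[0].strip()


def audit_workflow(text: str) -> List[str]:
    """Return findings for one workflow file; an empty list means it conforms."""
    top_permissions: Optional[str] = None   # None: no top-level block at all
    jobs: Dict[str, Optional[str]] = {}     # job name -> its permissions value
    in_jobs = False
    job_indent: Optional[int] = None
    current_job: Optional[str] = None

    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        stripped = raw.strip()
        key, _, rest = stripped.partition(":")
        value = _strip_comment(rest)

        if indent == 0:
            # A new top-level key; we are no longer inside any job.
            in_jobs = key == "jobs"
            current_job = None
            if key == "permissions":
                top_permissions = value or "mapping"  # '' means a nested mapping follows
            continue

        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent                      # indent of the job names
        if indent == job_indent and not stripped.startswith("- "):
            current_job = key
            jobs[current_job] = None
        elif current_job is not None and indent > job_indent and key == "permissions":
            jobs[current_job] = value or "mapping"

    findings: List[str] = []
    if top_permissions is None:
        findings.append("no top-level 'permissions:' block; the repository default applies")
    elif top_permissions != "{}":
        findings.append(f"top-level permissions is '{top_permissions}', expected '{{}}' (deny by default)")
    for name, perms in jobs.items():
        if perms is None:
            findings.append(f"job '{name}' declares no permissions")
        elif perms == "write-all":
            findings.append(f"job '{name}' grants write-all")
    return findings


# Constructed sample: the 'before' shape (blanket read-all, job inherits it).
WEAK_WORKFLOW = """\
name: Weak
on: push
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

# Constructed sample: the 'after' shape, mirroring the release workflow above.
HARDENED_WORKFLOW = """\
name: Release Daily State
on:
  workflow_dispatch:
  schedule:
    - cron: '0 21 * * *' # 00:00 at Europe/Helsinki
permissions: {}
jobs:
  new-daily-release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {audit_workflow(text) or ['ok']}")
```

Run it over a real checkout with `for f in .github/workflows/*.yml; do ...; done` (or import `audit_workflow` from a pre-commit hook) to catch a workflow that regresses to `read-all`/`write-all` or a job that silently inherits whatever the repository default grants.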