Set `permissions: {}` at the top level of all workflow files to deny all
permissions by default, then grant only the minimum required permissions at
the job level. This also fixes the Docker push failure, which was caused by the
`packages: write` permission being declared at the wrong scope, so the job that
pushes the image ran without it.
Changes per workflow:
- build-testing-image.yml: add contents: read + packages: write to job
- action-security.yml: consolidate contents: read, actions: read,
pull-requests: read into the analyze job
- codeql-new.yml: add actions: read to the analyze job
- dependency-review.yml: add contents: read to the dependency-review job
- issue-stats.yml: top-level only (no checkout, existing job perms sufficient)
- new-release.yml: was read-all; job already has contents: write
- pr-lint.yml: was contents: read + packages: read; job already has full perms
- release.yml: job already has contents: write
- security-suite.yml: move all perms to job level
- stale.yml: top-level only (no checkout, existing job perms sufficient)
- sync-labels.yml: was read-all; add contents: read to job for checkout
- version-maintenance.yml: move all perms to job level
Co-authored-by: ivuorinen <11024+ivuorinen@users.noreply.github.com>
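---
# Weekly maintenance for the action collection: make sure the current
# major-version tag (vYYYY) exists, refresh the internal action references to
# that tag's SHA, and open a PR / issue when something has to change.
name: Version Maintenance

on:
  schedule:
    # Run weekly on Monday at 9 AM UTC
    - cron: '0 9 * * 1'
  workflow_dispatch:
    inputs:
      major-version:
        description: 'Major version to check (e.g., v2025)'
        required: false
        type: string

# Deny every permission by default; the single job grants only what it needs.
permissions: {}

jobs:
  check-and-update:
    name: Check Version References
    runs-on: ubuntu-latest
    # contents: write      -> push the major-version tag and the PR branch
    # pull-requests: write -> open the version-update PR
    # issues: write        -> open the annual-bump issue
    permissions:
      contents: write
      pull-requests: write
      issues: write

    steps:
      - name: Checkout Repository
        uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
        with:
          # Full history so the tag lookup below sees every ref.
          fetch-depth: 0
          # The default token; checkout persists it in the git config so the
          # later `git push` of the tag is authenticated.
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Determine Major Version
        id: version
        shell: sh
        # The workflow_dispatch input is untrusted text. It is handed over via
        # an environment variable instead of being interpolated into the script
        # (which would allow shell injection), and it must look like the
        # default `vYYYY` before it is used as a git tag name, written to
        # GITHUB_OUTPUT, or passed to the issue script below.
        env:
          INPUT_MAJOR_VERSION: ${{ inputs.major-version }}
        run: |
          set -eu

          if [ -n "$INPUT_MAJOR_VERSION" ]; then
            major="$INPUT_MAJOR_VERSION"
          else
            major="v$(date +%Y)"
          fi

          # Allow-list: a leading 'v' followed by one or more digits, nothing
          # else (no whitespace, quotes, newlines or shell metacharacters).
          # The raw value is deliberately not echoed into the log.
          case "$major" in
            ''|v|[!v]*|v*[!0-9]*)
              echo "::error::Invalid major-version input (expected e.g. v2025)"
              exit 1
              ;;
          esac

          printf '%s\n' "major=$major" >> "$GITHUB_OUTPUT"

      - name: Ensure Major Version Tag Exists
        id: ensure-tag
        shell: sh
        env:
          # Already validated to the vYYYY shape by the previous step.
          MAJOR_VERSION: ${{ steps.version.outputs.major }}
        run: |
          set -eu

          git fetch --tags --force

          if git rev-list -n 1 "$MAJOR_VERSION" >/dev/null 2>&1; then
            echo "Tag $MAJOR_VERSION already exists"
            printf '%s\n' "created=false" >> "$GITHUB_OUTPUT"
          else
            echo "Tag $MAJOR_VERSION not found, creating..."
            git config user.name "github-actions[bot]"
            git config user.email "github-actions[bot]@users.noreply.github.com"
            git tag -a "$MAJOR_VERSION" -m "Major version $MAJOR_VERSION"
            git push origin "$MAJOR_VERSION"
            echo "Created and pushed tag $MAJOR_VERSION"
            printf '%s\n' "created=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Run Action Versioning
        id: action-versioning
        uses: ./action-versioning
        with:
          major-version: ${{ steps.version.outputs.major }}
          token: ${{ secrets.GITHUB_TOKEN }}

      # NOTE: per GitHub's docs, a PR opened with GITHUB_TOKEN does not trigger
      # other workflows (e.g. pull_request checks); use a GitHub App or PAT if
      # CI must run on this PR.
      - name: Create Pull Request
        if: steps.action-versioning.outputs.updated == 'true'
        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: 'chore: update action references to ${{ steps.version.outputs.major }}'
          title: 'chore: Update action references to ${{ steps.version.outputs.major }}'
          body: |
            ## Version Maintenance

            This PR updates all internal action references to match the latest ${{ steps.version.outputs.major }} tag.

            **Updated SHA**: `${{ steps.action-versioning.outputs.commit-sha }}`

            ### Changes
            - Updated all `*/action.yml` files to reference the current ${{ steps.version.outputs.major }} SHA

            ### Verification
            ```bash
            make check-version-refs
            ```
          branch: automated/version-update-${{ steps.version.outputs.major }}
          delete-branch: true
          labels: |
            automated
            dependencies

      - name: Check for Annual Bump
        if: steps.action-versioning.outputs.needs-annual-bump == 'true'
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        # The version string is read from process.env rather than spliced into
        # the JavaScript source, so it can never break out of the literal.
        env:
          MAJOR_VERSION: ${{ steps.version.outputs.major }}
        with:
          script: |
            const currentYear = new Date().getFullYear();
            const majorVersion = process.env.MAJOR_VERSION;

            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: `🔄 Annual Version Bump Needed: ${majorVersion} → v${currentYear}`,
              body: `## Annual Version Bump Required

              It's time to bump the major version from ${majorVersion} to v${currentYear}.

              ### Steps

              1. **Create the new major version tag:**
              \`\`\`bash
              git tag -a v${currentYear} -m "Major version v${currentYear}"
              git push origin v${currentYear}
              \`\`\`

              2. **Bump all action references:**
              \`\`\`bash
              make bump-major-version OLD=${majorVersion} NEW=v${currentYear}
              \`\`\`

              3. **Update documentation:**
              \`\`\`bash
              make docs
              \`\`\`

              4. **Commit and push:**
              \`\`\`bash
              git push origin main
              \`\`\`

              ### Verification

              \`\`\`bash
              make check-version-refs
              \`\`\`
              `,
              labels: ['maintenance', 'high-priority']
            });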