mirror of
https://github.com/ivuorinen/dotfiles.git
synced 2026-02-07 18:46:25 +00:00
Ismo Vuorinen
89aeb29c04
Replace read-all/write-all with minimum required permission scopes across all GitHub Actions workflows to follow the principle of least privilege (SonarCloud rule githubactions:S8234).
59 lines
1.5 KiB
YAML
59 lines
1.5 KiB
YAML
---
|
|
# $schema: "https://json.schemastore.org/github-workflow.json"
|
|
name: Update submodules
|
|
|
|
on:
|
|
schedule:
|
|
# At 04:00 on Monday and Thursday.
|
|
- cron: '0 4 * * 1'
|
|
workflow_dispatch:
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
update-submodules:
|
|
runs-on: ubuntu-latest
|
|
|
|
permissions:
|
|
contents: write
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
submodules: true
|
|
fetch-depth: 2
|
|
token: ${{secrets.GITHUB_TOKEN}}
|
|
|
|
- name: Config Git User
|
|
shell: bash
|
|
run: |
|
|
git config --global user.name "${{ github.actor }}"
|
|
git config --global user.email "${{ github.actor }}@users.noreply.github.com"
|
|
|
|
- name: Update submodules
|
|
shell: bash
|
|
run: |
|
|
git submodule sync
|
|
git submodule foreach --quiet "
|
|
tag=\"$(git describe --tags --abbrev=0 origin/HEAD)\"
|
|
if [ \"$(git describe --tags)\" != \"$tag\" ]; then
|
|
git checkout --quiet \"$tag\"
|
|
echo \"$name updated to $tag\"
|
|
fi
|
|
"
|
|
|
|
if git diff --quiet; then
|
|
echo "No updates for submodules."
|
|
else
|
|
git add .
|
|
git commit -m "chore(git): Update submodules (automated)"
|
|
git show --raw
|
|
git push
|
|
fi
|