fix(ci): Manage secrets/permissions #3396
@@ -6,10 +6,29 @@ on: | |
- master | ||
|
||
jobs: | ||
config: | ||
runs-on: "ubuntu-latest" | ||
permissions: | ||
contents: none | ||
outputs: | ||
has-secrets: ${{ steps.check.outputs.has-secrets }} | ||
Comment: the output then arrives here
steps: | ||
- name: "Check for secrets" | ||
id: check | ||
shell: bash | ||
run: | | ||
if [ -n "${{ (secrets.REPO_GPG_PASSPHRASE != '' && secrets.NIGHTLY_KEYCHAIN_PASSPHRASE != '') || '' }}" ]; then | ||
echo "has-secrets=1" >> "$GITHUB_OUTPUT" | ||
Comment on lines +20 to +21: This is the main logic for checking for secrets
fi | ||
|
||
build: | ||
needs: config | ||
if: needs.config.outputs.has-secrets | ||
Comment on lines +25 to +26: and is checked here
name: Build and Sign | ||
|
||
runs-on: macos-12 | ||
permissions: | ||
contents: read | ||
Comment on lines +30 to +31: separately, we declare the permissions. Afaict, this job only needs to be able to checkout.
env: | ||
IS_CI: 1 | ||
IS_NIGHTLY: 1 | ||
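Review bot: the gate on the `build` job, `if: needs.config.outputs.has-secrets`, relies on the output being unset (an empty, falsy string) whenever the secrets are missing, because the `Check for secrets` step only ever writes `has-secrets=1` and has no `else` branch. Adding `else echo "has-secrets=0" >> "$GITHUB_OUTPUT"` and comparing with `== '1'` makes the intent visible without depending on the empty-string default. The `${{ ... }}` expression inside `run:` is safe as written: it expands to the string `true` or to nothing, never to the secret values, so no secret lands in the shell script text. `contents: none` on the `config` job is the right floor for a job that only evaluates an expression.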
|
@@ -114,5 +133,9 @@ jobs: | |
path: archive/${{ steps.version.outputs.NIGHTLY_VERSION }}/Release-build.log | ||
|
||
- name: Send notification | ||
if: env.CI_WEBHOOK_URL != '' && env.CI_WEBHOOK_SECRET != '' | ||
env: | ||
CI_WEBHOOK_URL: ${{ secrets.CI_WEBHOOK_URL }} | ||
CI_WEBHOOK_SECRET: ${{ secrets.CI_WEBHOOK_SECRET }} | ||
run: | | ||
/usr/bin/curl -H "X-CI-WebHook: true" -H "Content-Type: application/json" -d '{"secret": "${{ secrets.CI_WEBHOOK_SECRET }}", "repository": "hammerspoon", "workflow": "Dev Build", "message": "New development build: ${{ steps.version.outputs.NIGHTLY_VERSION }}"}' ${{ secrets.CI_WEBHOOK_URL }} | ||
/usr/bin/curl -H "X-CI-WebHook: true" -H "Content-Type: application/json" -d '{"secret": "$CI_WEBHOOK_SECRET", "repository": "hammerspoon", "workflow": "Dev Build", "message": "New development build: ${{ steps.version.outputs.NIGHTLY_VERSION }}"}' $CI_WEBHOOK_URL | ||
Comment: As in #3394, the lack of this secret pair shouldn't result in the workflow dying / skipping, so we don't put it in the other job...
Comment: Is there a particular reason for pulling the secrets into env here?
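Review bot: the new `run:` line places `$CI_WEBHOOK_SECRET` inside a single-quoted string (`-d '{"secret": "$CI_WEBHOOK_SECRET", ...}'`), and bash does not expand variables inside single quotes, so the webhook will receive the literal text `$CI_WEBHOOK_SECRET` instead of the secret; the old `${{ secrets.CI_WEBHOOK_SECRET }}` form worked only because the runner substituted it before the shell ran. Build the body with `jq -n --arg secret "$CI_WEBHOOK_SECRET" --arg msg "New development build: $NIGHTLY_VERSION" '{secret: $secret, repository: "hammerspoon", workflow: "Dev Build", message: $msg}'`, which also escapes any quotes in the values, and quote the URL as `"$CI_WEBHOOK_URL"`. Pulling the secrets into `env:` (the question raised above) is still the right move: an expression in `run:` is pasted into the script text before the shell parses it, so a value containing a quote or metacharacter changes the command, whereas an environment variable is read by the shell as data; `steps.version.outputs.NIGHTLY_VERSION` is still interpolated into the script and could be routed through `env:` the same way.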
@@ -10,6 +10,8 @@ jobs: | |
build: | ||
name: Build and Test | ||
runs-on: macos-12 | ||
permissions: | ||
contents: read | ||
Comment: afaict, the only permissions this workflow needs are to checkout, so let's be explicit (this reduces scope from the default which is much broader)
env: | ||
IS_CI: 1 | ||
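Review bot: `contents: read` narrows the `GITHUB_TOKEN` as the comment says, and the rule it relies on is worth recording next to the block: once any scope is listed under `permissions`, every scope not listed is set to `none`, so this one line also removes the default write access the token would otherwise carry. Only the token is affected; steps that authenticate with their own secrets keep whatever those grant.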
|
||
@@ -10,6 +10,11 @@ jobs: | |
publish: | ||
name: "Process CI Results" | ||
runs-on: ubuntu-latest | ||
permissions: | ||
actions: read | ||
checks: write | ||
pull-requests: write | ||
|
||
Comment: I missed that this is using
if: always() | ||
|
||
steps: | ||
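Review bot: `if: always()`, visible as context below the new block, runs this job even when the jobs it depends on fail or are cancelled, so `checks: write` and `pull-requests: write` are live on every run of the workflow. A short comment naming which step needs each scope (`actions: read` to read runs and artifacts, `checks: write` to create check runs, `pull-requests: write` to comment on pull requests) would let the next editor drop a scope when its step goes away.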
@@ -10,6 +10,8 @@ jobs: | |
generate-release-notes: | ||
name: Generate Release Notes | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: write | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v2 | ||
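Review bot: `contents: write` is the broadest grant in this PR and the only one without an explanatory comment; if it is there because the job publishes a release (the releases API requires `contents: write`), say so in a comment beside the line so the scope is neither widened further nor kept after the step that needs it is removed. `actions/checkout@v2` in the context lines is pinned by major tag only; a commit SHA pin would make the job's behaviour reproducible alongside the tighter token.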
|
@@ -52,6 +54,9 @@ jobs: | |
create-next-milestone: | ||
name: Create next milestone | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
Comment: actions/checkout needs read
issues: write | ||
Comment: afaict creating a milestone requires issues write (I looked this up but closed the tab -- I'm not particularly happy that the action doesn't state that explicitly).
steps: | ||
- uses: actions/checkout@v2 | ||
with: | ||
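Review bot: the two grants match what the context lines show: `actions/checkout@v2` needs `contents: read`, and milestone creation goes through the Issues API, for which `issues: write` is the required `GITHUB_TOKEN` scope, so the uncertainty in the comment above can be resolved and recorded in a YAML comment beside `issues: write` rather than left to the next reader to look up again.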
Comment: this job doesn't really need any permissions, so we say so.