diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml index 90c0795049..bf7bd89085 100644 --- a/.github/actions/setup/action.yml +++ b/.github/actions/setup/action.yml @@ -11,21 +11,21 @@ runs: - name: Restore Bun toolchain cache id: bun-toolchain-cache - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: /opt/hostedtoolcache/bun key: bun-toolchain-${{ runner.os }}-${{ runner.arch }}-${{ env.BUN_VERSION }} - name: Install Bun id: install-bun - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 continue-on-error: true with: bun-version: ${{ env.BUN_VERSION }} - name: Install Bun (fallback with retries) if: steps.install-bun.outcome == 'failure' - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 with: timeout_minutes: 3 max_attempts: 5 @@ -39,7 +39,7 @@ runs: run: bun --version - name: Install Node.js - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version-file: .nvmrc package-manager-cache: false @@ -49,7 +49,7 @@ runs: run: npm install --global --force corepack && corepack enable - name: Configure dependency cache - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: cache: pnpm diff --git a/.github/dependabot.yml b/.github/dependabot.yml index cb2ebe6d72..0889e6501e 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,6 +9,8 @@ updates: actions-major: patterns: - "*" + cooldown: + default-days: 7 - package-ecosystem: "gomod" directories: - "/" 
@@ -23,6 +25,8 @@ updates: - patch exclude-patterns: - github.com/compose-spec/compose-go/v2 + cooldown: + default-days: 7 - package-ecosystem: "npm" directory: "/" schedule: @@ -32,6 +36,8 @@ updates: npm-major: patterns: - "*" + cooldown: + default-days: 7 - package-ecosystem: "docker" directory: "/apps/cli-go/pkg/config/templates" schedule: @@ -49,3 +55,5 @@ updates: - dependency-name: "axllent/mailpit" - dependency-name: "darthsim/imgproxy" - dependency-name: "timberio/vector" + cooldown: + default-days: 7 diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml index 48fa2ee1ab..cafc5eedca 100644 --- a/.github/workflows/automerge.yml +++ b/.github/workflows/automerge.yml @@ -4,15 +4,14 @@ name: Dependabot auto-merge on: pull_request permissions: - pull-requests: write - contents: write + contents: read jobs: dependabot: runs-on: ubuntu-latest # Checking the actor will prevent your Action run failing on non-Dependabot # PRs but also ensures that it only does work for Dependabot PRs. - if: ${{ github.actor == 'dependabot[bot]' }} + if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name steps: # This first step will fail if there's no metadata and so the approval # will not occur. 
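Review bot: The two comment lines kept directly above the new `if:` still say the job "checks the actor", but the condition now tests `github.event.pull_request.user.login` and compares the head repository with `github.repository`, so the comment no longer describes the code. Suggest replacing them with `# Run only for Dependabot-authored PRs whose head branch lives in this repository` / `# (not a fork); this also keeps the job from failing on non-Dependabot PRs.` The head-repo check is a sensible guard here because the job later mints a write-capable App token, and on a `pull_request` trigger it makes that token unreachable from fork-originated events.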
@@ -27,20 +26,24 @@ jobs: if: ${{ steps.meta.outputs.update-type == null || steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }} uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 with: - app-id: ${{ secrets.APP_ID }} + client-id: ${{ vars.GH_APP_CLIENT_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + permission-pull-requests: write + permission-contents: write # Here the PR gets approved. - name: Approve a PR if: ${{ steps.meta.outputs.update-type == null || steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }} - run: gh pr review --approve "${{ github.event.pull_request.html_url }}" + run: gh pr review --approve "${GITHUB_EVENT_PULL_REQUEST_HTML_URL}" env: GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} + GITHUB_EVENT_PULL_REQUEST_HTML_URL: ${{ github.event.pull_request.html_url }} # Finally, this sets the PR to allow auto-merging for patch and minor # updates if all checks pass - name: Enable auto-merge for Dependabot PRs if: ${{ steps.meta.outputs.update-type == null || steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }} - run: gh pr merge --auto --squash "${{ github.event.pull_request.html_url }}" + run: gh pr merge --auto --squash "${GITHUB_EVENT_PULL_REQUEST_HTML_URL}" env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} + GITHUB_EVENT_PULL_REQUEST_HTML_URL: ${{ github.event.pull_request.html_url }} diff --git a/.github/workflows/cli-go-api-sync.yml b/.github/workflows/cli-go-api-sync.yml index 6e3f7fc03c..7bd7f4bf87 100644 
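Review bot: The merge step's `env:` now uses `steps.app-token.outputs.token` where it previously used `secrets.GITHUB_TOKEN`, which is a behaviour change rather than just a token swap: actions taken with an App token can trigger other workflows, whereas the default token's cannot, and the same App identity now both approves and enables the merge, which branch protection rules that distinguish approver from merger may treat differently. If that is intended, record it on the merge step, e.g. `# App token (not GITHUB_TOKEN) so the resulting merge can trigger downstream workflows`. As a style point, the identical three-clause `if:` expression is repeated on every step in this hunk; computing it once (for example as an output of the `meta` step's job-level condition) would stop the three copies drifting apart.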
--- a/.github/workflows/cli-go-api-sync.yml +++ b/.github/workflows/cli-go-api-sync.yml @@ -5,9 +5,9 @@ on: types: - api-sync workflow_dispatch: # allow manual triggering + permissions: - contents: write - pull-requests: write + contents: read jobs: sync: @@ -15,6 +15,8 @@ jobs: runs-on: blacksmith-2vcpu-ubuntu-2404 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: @@ -39,8 +41,10 @@ jobs: id: app-token uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 with: - app-id: ${{ secrets.APP_ID }} + client-id: ${{ vars.GH_APP_CLIENT_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + permission-pull-requests: write + permission-contents: write - name: Create Pull Request if: steps.check.outputs.has_changes == 'true' @@ -60,15 +64,17 @@ jobs: - name: Approve a PR if: steps.check.outputs.has_changes == 'true' && steps.cpr.outputs.pull-request-operation == 'created' continue-on-error: true - run: gh pr review --approve --repo "${{ github.repository }}" "${{ steps.cpr.outputs.pull-request-number }}" + run: gh pr review --approve --repo "${{ github.repository }}" "${STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER}" env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ steps.app-token.outputs.token }} + STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER: ${{ steps.cpr.outputs.pull-request-number }} - name: Enable Pull Request Automerge if: steps.check.outputs.has_changes == 'true' - run: gh pr merge --auto --squash --repo "${{ github.repository }}" "${{ steps.cpr.outputs.pull-request-number }}" + run: gh pr merge --auto --squash --repo "${{ github.repository }}" "${STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER}" env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER: ${{ steps.cpr.outputs.pull-request-number }} defaults: run: working-directory: apps/cli-go 
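Review bot: The "Enable Pull Request Automerge" step at the end of the last hunk still sets `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, while the first hunk of this file reduces the workflow-level permissions to `contents: read`; unless the `sync` job declares its own `permissions:` block outside these hunks, `gh pr merge --auto` will be refused for lack of `pull-requests: write`. The "Approve a PR" step a few lines above was switched to the App token in this same hunk, and the equivalent merge step in automerge.yml was switched too, so this looks like an oversight: `GH_TOKEN: ${{ steps.app-token.outputs.token }}`. Leaving `--repo "${{ github.repository }}"` inline is fine, since `github.repository` is not user-controlled.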
diff --git a/.github/workflows/cli-go-ci.yml b/.github/workflows/cli-go-ci.yml index 07edcdc37b..58482c2e39 100644 --- a/.github/workflows/cli-go-ci.yml +++ b/.github/workflows/cli-go-ci.yml @@ -22,6 +22,8 @@ jobs: runs-on: blacksmith-8vcpu-ubuntu-2404 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: @@ -59,6 +61,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: @@ -78,6 +82,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version-file: apps/cli-go/go.mod @@ -102,6 +108,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version-file: apps/cli-go/go.mod @@ -117,6 +125,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: diff --git a/.github/workflows/cli-go-codeql.yml b/.github/workflows/cli-go-codeql.yml index c43b57572b..9b5f9168e7 100644 --- a/.github/workflows/cli-go-codeql.yml +++ b/.github/workflows/cli-go-codeql.yml @@ -64,6 +64,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL 
diff --git a/.github/workflows/cli-go-mirror-image.yml b/.github/workflows/cli-go-mirror-image.yml index d3e34f2bf3..541f89cc3d 100644 --- a/.github/workflows/cli-go-mirror-image.yml +++ b/.github/workflows/cli-go-mirror-image.yml @@ -9,6 +9,9 @@ on: image: required: true type: string + secrets: + PROD_AWS_ROLE: + required: true workflow_dispatch: inputs: image: @@ -26,8 +29,9 @@ jobs: runs-on: ubuntu-latest steps: - id: strip + env: + TAG: ${{ github.event.client_payload.image || inputs.image }} run: | - TAG=${{ github.event.client_payload.image || inputs.image }} echo "image=${TAG##*/}" >> $GITHUB_OUTPUT - name: configure aws credentials uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 diff --git a/.github/workflows/cli-go-mirror.yml b/.github/workflows/cli-go-mirror.yml index 30ad074580..03eaf4bfd5 100644 --- a/.github/workflows/cli-go-mirror.yml +++ b/.github/workflows/cli-go-mirror.yml @@ -28,6 +28,8 @@ jobs: curr: ${{ steps.curr.outputs.tags }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: apps/cli-go/go.mod @@ -55,10 +57,11 @@ jobs: matrix: src: ${{ fromJson(needs.setup.outputs.tags) }} # Call workflow explicitly because events from actions cannot trigger more actions - uses: ./.github/workflows/mirror-image.yml + uses: ./.github/workflows/cli-go-mirror-image.yml with: image: ${{ matrix.src }} - secrets: inherit + secrets: + PROD_AWS_ROLE: ${{ secrets.PROD_AWS_ROLE }} defaults: run: working-directory: apps/cli-go diff --git a/.github/workflows/cli-go-pg-prove.yml b/.github/workflows/cli-go-pg-prove.yml index 4d732d3b78..1dff403bfc 100644 --- a/.github/workflows/cli-go-pg-prove.yml +++ b/.github/workflows/cli-go-pg-prove.yml 
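Review bot: Moving the tag into `env.TAG` in the `strip` step removes the expression-injection path through `github.event.client_payload.image`, but the value is still written unvalidated to `$GITHUB_OUTPUT`, and `$GITHUB_OUTPUT` itself is unquoted. A payload containing a newline could append further `key=value` lines to the step output, so reject anything that is not a plausible image reference before echoing: `[[ "$TAG" =~ ^[A-Za-z0-9._/:@-]+$ ]] || { echo "invalid image: $TAG" >&2; exit 1; }` followed by `echo "image=${TAG##*/}" >> "$GITHUB_OUTPUT"`. Who is able to send the dispatch payload is defined outside this hunk, so treat this as defence in depth rather than a confirmed exposure.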
@@ -86,10 +86,11 @@ jobs: - settings - merge_manifest # Call workflow explicitly because events from actions cannot trigger more actions - uses: ./.github/workflows/mirror-image.yml + uses: ./.github/workflows/cli-go-mirror-image.yml with: image: ${{ needs.settings.outputs.image_tag }} - secrets: inherit + secrets: + PROD_AWS_ROLE: ${{ secrets.PROD_AWS_ROLE }} defaults: run: working-directory: apps/cli-go diff --git a/.github/workflows/cli-go-publish-migra.yml b/.github/workflows/cli-go-publish-migra.yml index cacfdbff64..d62bc19ebc 100644 --- a/.github/workflows/cli-go-publish-migra.yml +++ b/.github/workflows/cli-go-publish-migra.yml @@ -86,10 +86,11 @@ jobs: - settings - merge_manifest # Call workflow explicitly because events from actions cannot trigger more actions - uses: ./.github/workflows/mirror-image.yml + uses: ./.github/workflows/cli-go-mirror-image.yml with: image: ${{ needs.settings.outputs.image_tag }} - secrets: inherit + secrets: + PROD_AWS_ROLE: ${{ secrets.PROD_AWS_ROLE }} defaults: run: working-directory: apps/cli-go diff --git a/.github/workflows/cli-go-tag-pkg.yml b/.github/workflows/cli-go-tag-pkg.yml index bf6c625585..b1658e3127 100644 --- a/.github/workflows/cli-go-tag-pkg.yml +++ b/.github/workflows/cli-go-tag-pkg.yml @@ -22,10 +22,11 @@ jobs: with: ref: develop fetch-depth: 0 + persist-credentials: false - name: Create and push pkg tag run: | - VERSION="${{ inputs.version }}" + VERSION="${INPUTS_VERSION}" if ! [[ "$VERSION" =~ ^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$ ]]; then echo "Error: version '$VERSION' does not match semver format (e.g. v1.2.2)" exit 1 @@ -37,6 +38,8 @@ jobs: fi git tag "$TAG" git push origin "$TAG" + env: + INPUTS_VERSION: ${{ inputs.version }} defaults: run: working-directory: apps/cli-go diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index ad7c8a0368..94d46b7686 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
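Review bot: In cli-go-tag-pkg.yml, adding `persist-credentials: false` to the `develop` checkout means the very next step's `git push origin "$TAG"` (in the second hunk of that file) runs with no credential in the git config, so the push will presumably fail unless a `token:` is passed to the checkout outside this hunk and re-used by the push, or a later step configures one. Either keep a scoped credential for this job (a GitHub App token with `permission-contents: write`, passed via the checkout's `token:` and `persist-credentials: true`, as release.yml does in this commit), or push with an explicit credential in the script, e.g. `git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$TAG"` with `GH_TOKEN` supplied through the step's `env:`. The `INPUTS_VERSION` env move in the same step is the right shape and needs no change.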
@@ -7,8 +7,7 @@ on: workflow_dispatch: permissions: - pull-requests: write - contents: write + contents: read jobs: deploy: @@ -17,11 +16,15 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + persist-credentials: false - id: app-token uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 with: - app-id: ${{ secrets.APP_ID }} + client-id: ${{ vars.GH_APP_CLIENT_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + permission-contents: write + permission-pull-requests: write + - run: "gh pr create -B main -H develop --title 'chore: production deploy' --label 'do not merge' --fill" env: GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/release-shared.yml b/.github/workflows/release-shared.yml index 1a6f841e7b..4c9fe3b8f7 100644 --- a/.github/workflows/release-shared.yml +++ b/.github/workflows/release-shared.yml @@ -42,7 +42,15 @@ on: required: false type: string default: supabase - + secrets: + SENTRY_DSN: + required: false + POSTHOG_API_KEY: + required: false + POSTHOG_ENDPOINT: + required: false + GH_APP_PRIVATE_KEY: + required: false jobs: build: runs-on: blacksmith-32vcpu-ubuntu-2404 @@ -54,13 +62,15 @@ jobs: POSTHOG_ENDPOINT: ${{ secrets.POSTHOG_ENDPOINT }} steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup uses: ./.github/actions/setup - name: Setup Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: apps/cli-go/go.mod cache: true 
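Review bot: In deploy.yml, `permission-contents: write` on the minted App token looks broader than the visible step needs: `gh pr create -B main -H develop ...` only requires `pull-requests: write` (plus read access to contents) when both branches already exist. If no step after this hunk pushes with that token, drop the `permission-contents: write` line so the token matches the workflow's new `contents: read` posture. Pairing `fetch-depth: 0` with `persist-credentials: false` is fine here because the PR is created through the API rather than a git push.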
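Review bot: In release-shared.yml the new `secrets:` block declares `GH_APP_PRIVATE_KEY` as `required: false`, yet the tap and bucket jobs later in the same file pass it straight to `actions/create-github-app-token`, which fails when the key is empty. Presumably callers such as smoke-test-pr.yml omit it because their dry runs skip the publishing jobs, but that contract is not written down; add a comment on the declaration, e.g. `# optional only for dry-run callers; the publish jobs fail without it`. The same applies, less critically, to the three telemetry secrets, which silently become empty env values in `build` when omitted.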
@@ -92,7 +102,7 @@ jobs: ls -la dist/ - name: Upload build artifacts - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: cli-build-${{ inputs.shell }}-${{ inputs.version }} path: | @@ -118,13 +128,15 @@ jobs: VERSION: ${{ inputs.version }} steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup uses: ./.github/actions/setup - name: Download build artifacts - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: cli-build-${{ inputs.shell }}-${{ inputs.version }} @@ -144,7 +156,7 @@ jobs: - name: Setup QEMU for cross-platform Docker if: runner.os == 'Linux' - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 # Cache the smoke-test base images across runs. Without this, eight # parallel `docker run` calls in smoke-test-linux.ts race on first-time @@ -154,7 +166,7 @@ jobs: - name: Cache smoke-test docker images if: runner.os == 'Linux' id: smoke-docker-cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: ~/.cache/smoke-docker-images.tar key: smoke-docker-images-debian-bookworm-slim-amazonlinux-2023-alpine-3.21-v1 
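Review bot: The "Cache smoke-test docker images" step is pinned to `actions/cache` v4.3.0 while `.github/actions/setup/action.yml` in this same commit uses v5.0.5 at `27d5ce7f107fe9357f9df03efb73ab90386fccae`; carrying two major versions of the same action doubles the Dependabot churn and the number of pinned SHAs to audit. Unless v5 is known to break the `~/.cache/smoke-docker-images.tar` restore, pin this step to the same SHA: `uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5`. The other changes in this hunk are version-comment updates only.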
@@ -223,13 +235,15 @@ jobs: id-token: write steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: true - name: Setup uses: ./.github/actions/setup - name: Download build artifacts - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: cli-build-${{ inputs.shell }}-${{ inputs.version }} @@ -298,7 +312,7 @@ jobs: done - name: Create draft GitHub Release - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2 + uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1 with: tag_name: v${{ inputs.version }} name: v${{ inputs.version }} @@ -352,13 +366,15 @@ jobs: VERSION: ${{ inputs.version }} steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup uses: ./.github/actions/setup - name: Download build artifacts - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: cli-build-${{ inputs.shell }}-${{ inputs.version }} @@ -366,11 +382,12 @@ jobs: id: app-token uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 with: - app-id: ${{ secrets.APP_ID }} + client-id: ${{ vars.GH_APP_CLIENT_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} owner: ${{ github.repository_owner }} repositories: | homebrew-tap + permission-contents: write - name: Configure git for tap push env: 
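Review bot: The checkout in the `id-token: write` job is the only one in this file set to `persist-credentials: true`, and nothing in the hunk shows what consumes the stored default token, so without a comment the value reads like a typo for `false`. Add a comment above it naming the consumer, e.g. `# credentials kept on purpose: <push step> relies on the default GITHUB_TOKEN` (replace `<push step>` with the actual step), or switch it to `false` if the steps after this hunk only use the release action's `token` input and OIDC. The tap and bucket App tokens scoped with `permission-contents: write` and an explicit `repositories:` list are appropriately narrow.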
@@ -394,13 +411,15 @@ jobs: VERSION: ${{ inputs.version }} steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup uses: ./.github/actions/setup - name: Download build artifacts - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: cli-build-${{ inputs.shell }}-${{ inputs.version }} @@ -408,11 +427,12 @@ jobs: id: app-token uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 with: - app-id: ${{ secrets.APP_ID }} + client-id: ${{ vars.GH_APP_CLIENT_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} owner: ${{ github.repository_owner }} repositories: | scoop-bucket + permission-contents: write - name: Configure git for bucket push env: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0dfa2a75ed..bb209b899b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -53,10 +53,12 @@ jobs: - id: app-token uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 with: - app-id: ${{ secrets.APP_ID }} + client-id: ${{ vars.GH_APP_CLIENT_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + permission-contents: write - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1 with: + persist-credentials: true fetch-depth: 0 token: ${{ steps.app-token.outputs.token }} - name: Fast-forward main @@ -92,6 +94,7 @@ jobs: with: app-id: ${{ secrets.APP_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + permission-contents: write # `persist-credentials: false` is required: otherwise checkout caches the # default GITHUB_TOKEN as an `http.extraheader` in git config, and that # Authorization header overrides the App token semantic-release puts in 
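Review bot: The second `create-github-app-token` step in release.yml keeps `app-id: ${{ secrets.APP_ID }}` while every other instance in this commit, including the step at line 53 of the same file, moved to `client-id: ${{ vars.GH_APP_CLIENT_ID }}`; if `APP_ID` is being retired as part of this change, this step will start failing. Change the context line to `client-id: ${{ vars.GH_APP_CLIENT_ID }}` for consistency. The added `permission-contents: write` is justified by the semantic-release push described in the comment below it, and the explicit `persist-credentials: true` plus App `token:` on the `useblacksmith/checkout` step is the right pairing for that push.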
@@ -200,4 +203,8 @@ jobs: scoop_name: ${{ needs.plan.outputs.scoop_name }} dry_run: ${{ needs.plan.outputs.dry_run == 'true' }} channel: ${{ needs.plan.outputs.channel }} - secrets: inherit + secrets: + SENTRY_DSN: ${{ secrets.SENTRY_DSN }} + POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }} + POSTHOG_ENDPOINT: ${{ secrets.POSTHOG_ENDPOINT }} + GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }} diff --git a/.github/workflows/setup-cli-smoke-test.yml b/.github/workflows/setup-cli-smoke-test.yml index 0fd423f907..11b8139ebb 100644 --- a/.github/workflows/setup-cli-smoke-test.yml +++ b/.github/workflows/setup-cli-smoke-test.yml @@ -48,12 +48,12 @@ jobs: steps: - name: Install Supabase CLI via setup-cli@v1 if: matrix.major-version == 'v1' - uses: supabase/setup-cli@v1 + uses: supabase/setup-cli@ab058987d8d6c725971f6cf9d0b5c98467e30bd1 # v1.7.1 with: version: ${{ inputs.version }} - name: Install Supabase CLI via setup-cli@v2 if: matrix.major-version == 'v2' - uses: supabase/setup-cli@v2 + uses: supabase/setup-cli@3c2f5e2ae34c34e428e8e206e2c4d21fa2d20fbf # v2.1.1 with: version: ${{ inputs.version }} - name: Verify supabase --version matches the expected version @@ -100,12 +100,12 @@ jobs: run: apk add --no-cache bash curl tar - name: Install Supabase CLI via setup-cli@v1 if: matrix.major-version == 'v1' - uses: supabase/setup-cli@v1 + uses: supabase/setup-cli@ab058987d8d6c725971f6cf9d0b5c98467e30bd1 # v1.7.1 with: version: ${{ inputs.version }} - name: Install Supabase CLI via setup-cli@v2 if: matrix.major-version == 'v2' - uses: supabase/setup-cli@v2 + uses: supabase/setup-cli@3c2f5e2ae34c34e428e8e206e2c4d21fa2d20fbf # v2.1.1 with: version: ${{ inputs.version }} - name: Verify supabase --version matches the expected version diff --git a/.github/workflows/smoke-test-pr.yml b/.github/workflows/smoke-test-pr.yml index 4879139593..0dfd0fb19c 100644 --- a/.github/workflows/smoke-test-pr.yml +++ b/.github/workflows/smoke-test-pr.yml 
@@ -58,4 +58,5 @@ jobs: # `!inputs.dry_run` and never execute here, but GitHub validates secret # references at startup, so the called workflow needs the secrets bag # propagated even when the jobs that use them are skipped. - secrets: inherit + secrets: + GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b98860a0e7..850bc66c3a 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -28,12 +28,14 @@ jobs: runs-on: blacksmith-8vcpu-ubuntu-2404 steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup uses: ./.github/actions/setup - name: Setup Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: apps/cli-go/go.mod cache-dependency-path: apps/cli-go/go.sum @@ -41,7 +43,7 @@ jobs: run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest && echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH" - name: Unlock keyring (for cli-go keyring tests) - uses: t1m0thyj/unlock-keyring@cbcf205c879ebd86add70bab3a6abfcce59a5cae + uses: t1m0thyj/unlock-keyring@cbcf205c879ebd86add70bab3a6abfcce59a5cae # v1.2.0 - name: Check code quality run: pnpm run check:all 
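Review bot: The comment kept above the new `secrets:` block in smoke-test-pr.yml still says the called workflow needs "the secrets bag propagated", which described `secrets: inherit`; with a single named secret the wording is misleading. Reword the last comment line to `# references at startup, so GH_APP_PRIVATE_KEY must still be passed explicitly even when the jobs that use it are skipped.` The comment's opening lines lie outside the hunk.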
@@ -52,12 +54,14 @@ jobs: runs-on: blacksmith-8vcpu-ubuntu-2404 steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup uses: ./.github/actions/setup - name: Setup Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: apps/cli-go/go.mod cache-dependency-path: apps/cli-go/go.sum @@ -65,7 +69,7 @@ jobs: run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest && echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH" - name: Unlock keyring (for cli-go keyring tests) - uses: t1m0thyj/unlock-keyring@cbcf205c879ebd86add70bab3a6abfcce59a5cae + uses: t1m0thyj/unlock-keyring@cbcf205c879ebd86add70bab3a6abfcce59a5cae # v1.2.0 - name: Run unit and integration tests run: pnpm run test:core @@ -80,13 +84,13 @@ jobs: shard: [ 1, 2, 3 ] steps: - name: Checkout - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1 + uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1.0.0-beta with: fetch-depth: 0 - name: Set base and head SHAs for affected if: github.event_name == 'pull_request' - uses: nrwl/nx-set-shas@v4 + uses: nrwl/nx-set-shas@3e9ad7370203c1e93d109be57f3b72eb0eb511b1 # v4.4.0 - name: Setup uses: ./.github/actions/setup @@ -114,7 +118,7 @@ jobs: - name: Cache Go CLI binary if: steps.detect.outputs.cli_e2e == 'true' id: cache-go-binary - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: apps/cli-go/supabase-go key: go-cli-${{ runner.os }}-${{ hashFiles('apps/cli-go/**/*.go', 
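Review bot: The e2e job's `useblacksmith/checkout` step is the one checkout in this commit that does not receive `persist-credentials: false`, while every `actions/checkout` in the test jobs above it does. release.yml in this same commit passes `persist-credentials: true` to the same action, which suggests it accepts the `actions/checkout` inputs, so add `persist-credentials: false` under `fetch-depth: 0` here as well unless a later step in this job pushes. Separately, the `# v1.0.0-beta` label on this step and the `# v1` label in release.yml annotate the same SHA `41cdeedae8edb2e684ba22896a5fd2a3cb85db6b`; pick one label so the pin comments stay greppable.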
@@ -123,7 +127,7 @@ jobs: - name: Setup Go if: steps.detect.outputs.cli_e2e == 'true' && steps.cache-go-binary.outputs.cache-hit != 'true' - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: apps/cli-go/go.mod cache-dependency-path: apps/cli-go/go.sum