Skip to content

Allow erlef/setup-beam v1.24.0 #23

Allow erlef/setup-beam v1.24.0

Allow erlef/setup-beam v1.24.0 #23

#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
name: Update Approved Patterns and Composite Action
on:
workflow_dispatch:
push:
branches:
- main
paths:
- "actions.yml"
pull_request:
paths:
- ".github/workflows/update_composite_action.yml"
- "actions.yml"
- gateway/*
permissions: {}
# We want workflows on main to run in order to avoid losing data through race conditions
concurrency: "${{ github.ref }}-${{ github.workflow }}"
jobs:
update:
name: Update Workflow
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: true
# We have to use a PAT to commit the workflow file
token: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN || github.token }} # zizmor: ignore[secrets-outside-env]
- name: Print token details
if: ${{ github.event_name != 'pull_request' }}
env:
GH_TOKEN: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN }} # zizmor: ignore[secrets-outside-env]
run: |
echo "::group::Token details"
echo "Token user and permissions:"
gh api /user --jq '"Login: \(.login)\nName: \(.name)\nEmail: \(.email)"'
echo ""
echo "Token expiration:"
gh api /installation/token --jq '.expires_at' 2>/dev/null || echo "Token expiration not available (likely a PAT, not an installation token)"
echo ""
echo "Token scopes:"
curl -sS -H "Authorization: token ${GH_TOKEN}" -I https://api.github.com/ 2>/dev/null | grep -i 'x-oauth-scopes' || echo "No OAuth scopes header (fine-grained or app token)"
echo "::endgroup::"
- run: pipx install uv
- name: Update Workflow
run: |
uv run python << 'PYEOF'
import sys
sys.path.append("./gateway/")
import gateway as g
g.update_workflow(".github/actions/for-dependabot-triggered-reviews/action.yml", "actions.yml")
g.update_patterns("approved_patterns.yml", "actions.yml")
PYEOF
- name: Commit and push changes
if: ${{ github.event_name != 'pull_request' }}
env:
GH_TOKEN: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN || github.token }} # zizmor: ignore[secrets-outside-env]
run: |
AUTHOR_NAME=$(gh api /user --jq '.login' 2>/dev/null || echo "asfgit")
AUTHOR_EMAIL=$(gh api /user --jq '.email // "\(.login)@users.noreply.github.com"' 2>/dev/null || echo "asfgit@users.noreply.github.com")
git config --local user.name "${AUTHOR_NAME}"
git config --local user.email "${AUTHOR_EMAIL}"
git add -f .github/actions/for-dependabot-triggered-reviews/action.yml approved_patterns.yml
git commit -m "Update approved_patterns.yml and .github/actions/for-dependabot-triggered-reviews/action.yml based on actions.yml" -m "Generated by .github/workflows/update_composite_action.yml" || echo "No changes"
git push origin