diff --git a/.github/workflows/__need-fix-to-issue.yml b/.github/workflows/__need-fix-to-issue.yml index 62133b4a..13257d4b 100644 --- a/.github/workflows/__need-fix-to-issue.yml +++ b/.github/workflows/__need-fix-to-issue.yml @@ -21,7 +21,7 @@ permissions: {} jobs: main: - uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 + uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@a55670b58d3e064526201acde6c720ede638420c # 0.31.0 permissions: contents: read issues: write diff --git a/.github/workflows/__semantic-pull-request.yml b/.github/workflows/__semantic-pull-request.yml index be904c77..60d99ed6 100644 --- a/.github/workflows/__semantic-pull-request.yml +++ b/.github/workflows/__semantic-pull-request.yml @@ -12,7 +12,7 @@ permissions: {} jobs: main: - uses: hoverkraft-tech/ci-github-common/.github/workflows/semantic-pull-request.yml@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 + uses: hoverkraft-tech/ci-github-common/.github/workflows/semantic-pull-request.yml@a55670b58d3e064526201acde6c720ede638420c # 0.31.0 permissions: contents: write pull-requests: write diff --git a/.github/workflows/__shared-ci.yml b/.github/workflows/__shared-ci.yml index 331a082b..e31f263e 100644 --- a/.github/workflows/__shared-ci.yml +++ b/.github/workflows/__shared-ci.yml @@ -16,7 +16,7 @@ permissions: jobs: linter: - uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 + uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@a55670b58d3e064526201acde6c720ede638420c # 0.31.0 test-action-docker-build-image: needs: linter diff --git a/.github/workflows/__stale.yml b/.github/workflows/__stale.yml index fac0f87d..056785f2 100644 --- a/.github/workflows/__stale.yml +++ b/.github/workflows/__stale.yml @@ -9,7 +9,7 @@ permissions: {} jobs: main: - uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 + uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@a55670b58d3e064526201acde6c720ede638420c # 0.31.0 permissions: issues: write pull-requests: write diff --git a/.github/workflows/docker-build-images.yml b/.github/workflows/docker-build-images.yml index 7a81d350..1f569cc2 100644 --- a/.github/workflows/docker-build-images.yml +++ b/.github/workflows/docker-build-images.yml @@ -143,12 +143,7 @@ on: # yamllint disable-line rule:truthy ``` value: ${{ jobs.publish-manifests.outputs.built-images }} -permissions: - contents: read - issues: read - packages: write - pull-requests: read - id-token: write +permissions: {} jobs: prepare-variables: @@ -239,12 +234,16 @@ jobs: - id: define-images-by-platform uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + IMAGES: ${{ steps.validate-inputs.outputs.images }} + RUNS_ON_INPUT: ${{ inputs.runs-on }} + REPOSITORY_PRIVATE: ${{ github.event.repository.private }} with: script: | - const imagesInput = `${{ steps.validate-inputs.outputs.images }}`; + const imagesInput = process.env.IMAGES; const images = JSON.parse(imagesInput.replace(/\n/g, '\\n')); - const runsOnInput = `${{ inputs.runs-on }}`; + const runsOnInput = process.env.RUNS_ON_INPUT; const isDefaultRunsOn = runsOnInput === '["ubuntu-latest"]'; const runsOn = JSON.parse(runsOnInput); @@ -254,7 +253,7 @@ jobs: { runner: "windows-latest", platformPattern: /^windows\// } ]; - const isRepositoryPrivate = `${{ github.event.repository.private }}` === 'true'; + const isRepositoryPrivate = process.env.REPOSITORY_PRIVATE === 'true'; if (!isRepositoryPrivate) { standardHostedRunnerByPlatform.unshift( { runner: "ubuntu-24.04-arm", platformPattern: /^linux\/arm/ }, // FIXME: should use latest when available, @@ -317,6 +316,8 @@ jobs: } } + core.debug(`Images by platform: ${JSON.stringify(imagesByPlatform, null, 2)}`); + core.setOutput('images', JSON.stringify(imagesByPlatform)); - id: define-artifact-name @@ -344,10 +345,9 @@ jobs: pull-requests: read issues: read packages: write - # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659 - id-token: write + id-token: write # Needed for getting local workflow actions steps: - - uses: hoverkraft-tech/ci-github-common/actions/checkout@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 + - uses: hoverkraft-tech/ci-github-common/actions/checkout@a55670b58d3e064526201acde6c720ede638420c # 0.31.0 with: lfs: ${{ inputs.lfs }} @@ -355,20 +355,10 @@ jobs: shell: bash run: git lfs pull - # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659 - - id: oidc - uses: ChristopherHX/oidc@73eee1ff03fdfce10eda179f617131532209edbd # v3 - - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + - id: local-workflow-actions + uses: hoverkraft-tech/ci-github-common/actions/local-workflow-actions@e6733528d06b6e1668674c35ef3612ac416cedda # 0.31.1 with: - persist-credentials: false - path: ./self-workflow - repository: ${{ steps.oidc.outputs.job_workflow_repo_name_and_owner }} - ref: ${{ steps.oidc.outputs.job_workflow_repo_ref }} - sparse-checkout: | - actions - - run: | - echo "self-workflow" >> .gitignore - echo "self-workflow" >> .dockerignore + actions-path: actions - uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2.2.0 if: inputs.build-secret-github-app-id @@ -432,36 +422,31 @@ jobs: # FIXME: Set built images infos in file to be uploaded as artifacts, because github action does not handle job outputs for matrix # https://github.com/orgs/community/discussions/26639 - - uses: hoverkraft-tech/ci-github-common/actions/set-matrix-output@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 + - uses: hoverkraft-tech/ci-github-common/actions/set-matrix-output@a55670b58d3e064526201acde6c720ede638420c # 0.31.0 with: artifact-name: ${{ needs.prepare-variables.outputs.artifact-name }} value: ${{ steps.build.outputs.built-image }} - # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659 - - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - if: always() && steps.oidc.outputs.job_workflow_repo_name_and_owner + - uses: hoverkraft-tech/ci-github-common/actions/local-workflow-actions@e6733528d06b6e1668674c35ef3612ac416cedda # 0.31.1 + if: always() && steps.local-workflow-actions.outputs.repository with: - persist-credentials: false - path: ./self-workflow - repository: ${{ steps.oidc.outputs.job_workflow_repo_name_and_owner }} - ref: ${{ steps.oidc.outputs.job_workflow_repo_ref }} - sparse-checkout: | - actions + actions-path: actions + repository: ${{ steps.local-workflow-actions.outputs.repository }} + ref: ${{ steps.local-workflow-actions.outputs.ref }} publish-manifests: name: Publish images manifests permissions: contents: read packages: write - # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659 - id-token: write + id-token: write # Needed for getting local workflow actions needs: [prepare-variables, build-images] runs-on: ${{ fromJson(inputs.runs-on) }} outputs: built-images: ${{ steps.create-images-manifests.outputs.built-images }} steps: - id: get-matrix-outputs - uses: hoverkraft-tech/ci-github-common/actions/get-matrix-outputs@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 + uses: hoverkraft-tech/ci-github-common/actions/get-matrix-outputs@a55670b58d3e064526201acde6c720ede638420c # 0.31.0 with: artifact-name: ${{ needs.prepare-variables.outputs.artifact-name }} @@ -496,21 +481,10 @@ jobs: core.setOutput('built-images', JSON.stringify(images)); - # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659 - - id: oidc - uses: ChristopherHX/oidc@73eee1ff03fdfce10eda179f617131532209edbd # v3 - - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + - id: local-workflow-actions + uses: hoverkraft-tech/ci-github-common/actions/local-workflow-actions@e6733528d06b6e1668674c35ef3612ac416cedda # 0.31.1 with: - persist-credentials: false - path: ./self-workflow - repository: ${{ steps.oidc.outputs.job_workflow_repo_name_and_owner }} - ref: ${{ steps.oidc.outputs.job_workflow_repo_ref }} - sparse-checkout: | - actions - - name: ignore self-worfklow changes - run: | - echo "self-workflow" >> .gitignore - echo "self-workflow" >> .dockerignore + actions-path: actions - id: create-images-manifests uses: ./self-workflow/actions/docker/create-images-manifests @@ -536,8 +510,16 @@ jobs: // Get images to sign const imagesToSign = Object.values(builtImages).map(image => image.images).flat(); core.setOutput('images-to-sign', JSON.stringify(imagesToSign)); + - uses: ./self-workflow/actions/docker/sign-images if: steps.get-images-to-sign.outputs.images-to-sign with: images: ${{ steps.get-images-to-sign.outputs.images-to-sign }} github-token: ${{ secrets.GITHUB_TOKEN }} + + - uses: hoverkraft-tech/ci-github-common/actions/local-workflow-actions@e6733528d06b6e1668674c35ef3612ac416cedda # 0.31.1 + if: always() && steps.local-workflow-actions.outputs.repository + with: + actions-path: actions + repository: ${{ steps.local-workflow-actions.outputs.repository }} + ref: ${{ steps.local-workflow-actions.outputs.ref }} diff --git a/.github/workflows/prune-pull-requests-images-tags.yml b/.github/workflows/prune-pull-requests-images-tags.yml index 3109b018..fdd579ad 100644 --- a/.github/workflows/prune-pull-requests-images-tags.yml +++ b/.github/workflows/prune-pull-requests-images-tags.yml @@ -38,12 +38,7 @@ on: # yamllint disable-line rule:truthy type: string required: false -permissions: - contents: read - pull-requests: read - packages: write - # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659 - id-token: write +permissions: {} jobs: prepare-variables: @@ -98,23 +93,22 @@ jobs: contents: read pull-requests: read packages: write - # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659 - id-token: write + id-token: write # Needed for getting local workflow actions steps: - # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659 - - id: oidc - uses: ChristopherHX/oidc@73eee1ff03fdfce10eda179f617131532209edbd # v3 - - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + - id: local-workflow-actions + uses: hoverkraft-tech/ci-github-common/actions/local-workflow-actions@e6733528d06b6e1668674c35ef3612ac416cedda # 0.31.1 with: - persist-credentials: false - path: ./self-workflow - repository: ${{ steps.oidc.outputs.job_workflow_repo_name_and_owner }} - ref: ${{ steps.oidc.outputs.job_workflow_repo_ref }} - sparse-checkout: | - actions + actions-path: actions - id: build uses: ./self-workflow/actions/docker/prune-pull-requests-image-tags with: image: ${{ matrix.image }} pull-request-tag-filter: ${{ inputs.pull-request-tag-filter }} + + - uses: hoverkraft-tech/ci-github-common/actions/local-workflow-actions@e6733528d06b6e1668674c35ef3612ac416cedda # 0.31.1 + if: always() && steps.local-workflow-actions.outputs.repository + with: + actions-path: actions + repository: ${{ steps.local-workflow-actions.outputs.repository }} + ref: ${{ steps.local-workflow-actions.outputs.ref }} diff --git a/actions/docker/build-image/action.yml b/actions/docker/build-image/action.yml index 594ce8dc..ced7d68e 100644 --- a/actions/docker/build-image/action.yml +++ b/actions/docker/build-image/action.yml @@ -142,7 +142,7 @@ runs: rm -fr ./self-actions - id: slugify-platform - uses: hoverkraft-tech/ci-github-common/actions/slugify@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 + uses: hoverkraft-tech/ci-github-common/actions/slugify@a55670b58d3e064526201acde6c720ede638420c # 0.31.0 with: value: ${{ inputs.platform }} @@ -233,7 +233,7 @@ runs: } - if: steps.get-docker-config.outputs.docker-exists != 'true' - uses: docker/setup-docker-action@efe9e3891a4f7307e689f2100b33a155b900a608 # v4.5.0 + uses: docker/setup-docker-action@e61617a16c407a86262fb923c35a616ddbe070b3 # v4.6.0 - if: steps.get-docker-config.outputs.platform-exists != 'true' uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 diff --git a/actions/docker/get-image-metadata/action.yml b/actions/docker/get-image-metadata/action.yml index bcd23a5a..7e1b245e 100644 --- a/actions/docker/get-image-metadata/action.yml +++ b/actions/docker/get-image-metadata/action.yml @@ -64,7 +64,7 @@ runs: - id: get-issue-number if: inputs.tag == '' && (github.event_name == 'pull_request' || github.event_name == 'pull_request_review' || github.event_name == 'issue_comment') - uses: hoverkraft-tech/ci-github-common/actions/get-issue-number@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 + uses: hoverkraft-tech/ci-github-common/actions/get-issue-number@a55670b58d3e064526201acde6c720ede638420c # 0.31.0 - id: define-metadata-inputs uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -113,7 +113,7 @@ runs: core.setFailed(`No tags found for the current event: ${context.eventName}`); - id: docker-metadata - uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: images: ${{ steps.image-name.outputs.image-name-with-registry }} tags: ${{ steps.define-metadata-inputs.outputs.tags }} diff --git a/actions/docker/prune-pull-requests-image-tags/action.yml b/actions/docker/prune-pull-requests-image-tags/action.yml index f631a9fe..3b17735a 100644 --- a/actions/docker/prune-pull-requests-image-tags/action.yml +++ b/actions/docker/prune-pull-requests-image-tags/action.yml @@ -42,7 +42,7 @@ runs: image: ${{ inputs.image }} - id: is-organization-or-user - uses: hoverkraft-tech/ci-github-common/actions/repository-owner-is-organization@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 + uses: hoverkraft-tech/ci-github-common/actions/repository-owner-is-organization@a55670b58d3e064526201acde6c720ede638420c # 0.31.0 - id: get-tags-to-delete uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 diff --git a/actions/helm/generate-docs/action.yml b/actions/helm/generate-docs/action.yml index 483eb739..3391edb3 100644 --- a/actions/helm/generate-docs/action.yml +++ b/actions/helm/generate-docs/action.yml @@ -129,7 +129,7 @@ runs: } core.setOutput("markdownlint-config-path", markdownlintConfigPath); - - uses: hoverkraft-tech/ci-github-common/actions/checkout@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 + - uses: hoverkraft-tech/ci-github-common/actions/checkout@a55670b58d3e064526201acde6c720ede638420c # 0.31.0 - uses: losisin/helm-docs-github-action@a57fae5676e4c55a228ea654a1bcaec8dd3cf5b5 # v1.6.2 with: @@ -237,7 +237,7 @@ runs: app-id: ${{ inputs.github-app-id }} private-key: ${{ inputs.github-app-key }} - - uses: hoverkraft-tech/ci-github-common/actions/create-and-merge-pull-request@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 + - uses: hoverkraft-tech/ci-github-common/actions/create-and-merge-pull-request@a55670b58d3e064526201acde6c720ede638420c # 0.31.0 with: github-token: ${{ steps.generate-token.outputs.token || inputs.github-token }} branch: docs/update-helm-chart-docs-${{ steps.prepare-variables.outputs.working-directory-name }} diff --git a/actions/helm/release-chart/action.yml b/actions/helm/release-chart/action.yml index 4b1fd157..e7abdceb 100644 --- a/actions/helm/release-chart/action.yml +++ b/actions/helm/release-chart/action.yml @@ -76,7 +76,7 @@ outputs: runs: using: "composite" steps: - - uses: hoverkraft-tech/ci-github-common/actions/checkout@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 + - uses: hoverkraft-tech/ci-github-common/actions/checkout@a55670b58d3e064526201acde6c720ede638420c # 0.31.0 - id: chart-values-updates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 diff --git a/actions/helm/test-chart/action.yml b/actions/helm/test-chart/action.yml index 72cd1305..f81d41f5 100644 --- a/actions/helm/test-chart/action.yml +++ b/actions/helm/test-chart/action.yml @@ -72,7 +72,7 @@ runs: echo "::error ::At least one of 'enable-lint' or 'enable-install' input must be true" exit 1 - - uses: hoverkraft-tech/ci-github-common/actions/checkout@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 + - uses: hoverkraft-tech/ci-github-common/actions/checkout@a55670b58d3e064526201acde6c720ede638420c # 0.31.0 with: fetch-depth: 0