From 657b2852e90086d03d717b316f34d842f83e8e42 Mon Sep 17 00:00:00 2001 From: Kai Schwarz Date: Thu, 9 Nov 2023 12:54:41 +0100 Subject: [PATCH] ci(gh actions): reviewed permissions, secret names and use of OS var --- .github/workflows/auto-merge-dependabot-pr.yml | 4 ++-- .github/workflows/release.yml | 15 ++++++++++----- .github/workflows/test.yml | 11 +++++++++-- 3 files changed, 21 insertions(+), 9 deletions(-) diff --git a/.github/workflows/auto-merge-dependabot-pr.yml b/.github/workflows/auto-merge-dependabot-pr.yml index e7938377..4d59f161 100644 --- a/.github/workflows/auto-merge-dependabot-pr.yml +++ b/.github/workflows/auto-merge-dependabot-pr.yml @@ -16,7 +16,7 @@ jobs: dependabot: name: Auto-merge Dependabot PR - runs-on: ubuntu-latest + runs-on: ${{ vars.RTLDEV_MW_CI_OS }} needs: tests if: ${{ github.actor == 'dependabot[bot]' }} steps: @@ -31,4 +31,4 @@ jobs: run: gh pr merge --auto --merge "$PR_URL" env: PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + GITHUB_TOKEN: ${{secrets.RTLDEV_MW_CI_TOKEN}} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 383059f3..62544930 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,8 +1,6 @@ name: Release on: - # will run for every branch, except tags. See RSRMID-206. push: - # Sequence of patterns matched against refs/heads branches: - master @@ -10,10 +8,17 @@ jobs: build: name: Build uses: ./.github/workflows/test.yml + permissions: + contents: read + packages: write release: name: Release @ ubuntu-latest - runs-on: ubuntu-latest + runs-on: ${{ vars.RTLDEV_MW_CI_OS }} + permissions: + contents: write + issues: write + deployments: write needs: build steps: - name: Checkout 
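Review bot: Switching the merge step's `GITHUB_TOKEN` from `secrets.GITHUB_TOKEN` to `secrets.RTLDEV_MW_CI_TOKEN` means `gh pr merge` now runs with a personal/bot token whose scopes are set outside this file, so a job-level `permissions:` block would no longer bound this step, and none is added to the `dependabot` job here even though the commit title says permissions were reviewed. Since nothing visible in the job needs the workflow-default token any more, pin it down explicitly on the job, e.g. `permissions:` / `  contents: read` (or `permissions: {}` if no checkout is performed), and keep the PAT a fine-grained token scoped to this repository with only the contents/pull-requests access that `gh pr merge` needs. The workflow's trigger and any top-level `permissions:` live in lines 1–15, outside the hunk, so whether the default token is already restricted there cannot be confirmed from the patch.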
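Review bot: The `build` job passes `contents: read` / `packages: write` to the reusable `./.github/workflows/test.yml`, but the `test_matrix` job in that workflow (see the test.yml hunk later in this patch) requests `contents: write` and `deployments: write`; a called workflow can only downgrade the token permissions it receives, so I expect this run to be refused at startup with GitHub's "workflow is requesting … but is only allowed …" error whenever release.yml invokes it. Either grant the superset at the caller (`permissions:` / `  contents: write` / `  deployments: write` alongside `packages: write` on `build`) or, better for least privilege, drop the write scopes from `test_matrix` if the test steps only read the repository. `deployments: write` on the `release` job also looks broader than a release step needs, and with the Release step authenticating via a separate PAT it may not even apply; the rest of the job is outside this hunk, so confirm something actually creates deployments before keeping it.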
@@ -44,7 +49,7 @@ jobs: run: npm ci - name: Release env: - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} + GITHUB_TOKEN: ${{ secrets.RTLDEV_MW_CI_TOKEN }} MAVEN_OPTS: ${{ vars.MAVEN_OPTS }} OSSRH_JIRA_USERNAME: ${{ secrets.OSSRH_JIRA_USERNAME }} OSSRH_JIRA_PASSWORD: ${{ secrets.OSSRH_JIRA_PASSWORD }} @@ -52,7 +57,7 @@ jobs: ENCRYPTED_C9F9AEDF26B7_IV: ${{ secrets.ENCRYPTED_C9F9AEDF26B7_IV }} GPG_KEY_NAME: ${{ secrets.GPG_KEY_NAME }} GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - RTLDEV_MW_NOTIFICATION_URI: ${{ secrets.RTLDEV_MW_NOTIFICATION_URI }} + RTLDEV_MW_NOTIFICATION_URI: ${{ secrets.RTLDEV_MW_CI_NOTIFICATION_URI }} run: | openssl aes-256-cbc -K $ENCRYPTED_C9F9AEDF26B7_KEY -iv $ENCRYPTED_C9F9AEDF26B7_IV -in codesigning.asc.enc -out codesigning.asc -d gpg --import --batch codesigning.asc diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8c7d3f35..53642bb1 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -8,7 +8,10 @@ jobs: # as the build names above change each time Node versions change lint: name: 🧪 Linting - runs-on: ubuntu-latest + runs-on: ${{ vars.RTLDEV_MW_CI_OS }} + permissions: + contents: read + packages: read steps: - name: Checkout uses: actions/checkout@v4 @@ -26,7 +29,11 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} test_matrix: - runs-on: ubuntu-latest + runs-on: ${{ vars.RTLDEV_MW_CI_OS }} + permissions: + contents: write + packages: write + deployments: write strategy: matrix:
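Review bot: The `Release` step's `GITHUB_TOKEN` is now the `RTLDEV_MW_CI_TOKEN` PAT rather than the installation token, so the `permissions:` block added to this job a few lines above (outside this hunk) constrains nothing this step does — a classic PAT with `repo` scope can push to any repository the owning account can reach. If the release tooling only needs to create tags/releases and comment on issues, `${{ secrets.GITHUB_TOKEN }}` with the job's `contents: write` / `issues: write` would keep the blast radius of a compromised step to this repository; if the PAT is genuinely required (for example because pushes made with the installation token do not trigger downstream workflows), record that reason on the line, e.g. `# PAT, not GITHUB_TOKEN: release pushes must trigger follow-up workflows`, and make it a fine-grained token scoped to this repo. The `env:` block and the step continue in the next hunk.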
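Review bot: The decrypted signing key `codesigning.asc` is written into the workspace and then imported, but nothing in the hunk removes it afterwards, so the plaintext private key stays on disk for the rest of the job and in any artifact or cache step that captures the workspace. Add `rm -f codesigning.asc` directly after the `gpg --import --batch codesigning.asc` line, or avoid touching disk at all with `openssl aes-256-cbc -K "$ENCRYPTED_C9F9AEDF26B7_KEY" -iv "$ENCRYPTED_C9F9AEDF26B7_IV" -in codesigning.asc.enc -d | gpg --import --batch`. Passing `-K`/`-iv` on the command line also exposes the key and IV to anything that can read the runner's process list, which matters more if `vars.RTLDEV_MW_CI_OS` ever points at a shared self-hosted runner. The `run: |` script continues past the end of this hunk, so a later cleanup line may exist that I cannot see.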
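Review bot: `runs-on: ${{ vars.RTLDEV_MW_CI_OS }}` on the `lint` job makes the runner choice depend on a repository/organization variable this file cannot validate: if the variable is unset the expression expands to an empty string and the job never gets a runner, and if it is later pointed at a self-hosted label, `test.yml` would execute checked-out code on that machine under whatever triggers it has (its `on:` block is outside the hunk; if that includes `pull_request` from forks, untrusted code would run on the self-hosted runner). Either keep a fallback, `runs-on: ${{ vars.RTLDEV_MW_CI_OS || 'ubuntu-latest' }}`, or add a comment above the line naming the expected value, e.g. `# RTLDEV_MW_CI_OS is an org variable; must be a GitHub-hosted label (e.g. ubuntu-latest), never a self-hosted label for PR-triggered jobs`. The `contents: read` / `packages: read` added to `lint` is the right shape for a read-only job.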