ARCH-2142 - Reusable TechDocs #269
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This is the workflow the repository uses to increment itself. It does not have a version. | |
name: Increment Version & Kick off template sync | |
on: | |
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
# - GitHub’s standard pull_request workflow trigger prevents write permissions and secrets | |
# access to the target repository from public forks. PRs from a branch in the same repo | |
# and forks of internal/private repos are not limited the same way for this trigger. | |
# - The pull_request_target trigger allows the workflow to relax some restrictions to a | |
# target repository so PRs from forks have write permission to the target repo and have | |
# secrets access (which we need in order to push a new tag in this workflow). | |
# - For this workflow, the elevated permissions should not be a problem because: | |
# - Our im-open repositories do not contain secrets, they are dumb actions | |
# - Require approval for all outside collaborators' is set at the org level so someone | |
# with Write access has a chance to review code before allowing any workflow runs | |
# - This workflow with elevated Write permissions will only run once the code has been | |
# reviewed, approved by a CODEOWNER and merged | |
pull_request_target: | |
types: [closed] | |
jobs: | |
increment-version: | |
if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main' | |
runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners | |
steps: | |
# Generally speaking, when the PR contents are treated as passive data, i.e. not in a | |
# position of influence over the build/testing process, it is safe to checkout the code | |
# on a pull_request_target. But we need to be extra careful not to trigger any script | |
# that may operate on PR controlled contents like in the case of npm install. | |
# Here we are just checking it out to calculate the next version | |
- name: Checkout Repository | |
uses: actions/checkout@v4 | |
with: | |
ref: main | |
fetch-depth: 0 | |
# See https://github.com/im-open/git-version-lite for more details around how to increment | |
# major/minor/patch through commit messages | |
- name: Increment the version | |
id: version | |
uses: im-open/[email protected] | |
with: | |
default-release-type: major | |
- name: Create version tag, create or update major, and minor tags | |
run: | | |
git config user.name github-actions | |
git config user.email [email protected] | |
git tag ${{ steps.version.outputs.NEXT_VERSION }} ${{ github.sha }} | |
git tag -f ${{ steps.version.outputs.NEXT_MAJOR_VERSION }} ${{ github.sha }} | |
git tag -f ${{ steps.version.outputs.NEXT_MINOR_VERSION }} ${{ github.sha }} | |
git push origin ${{ steps.version.outputs.NEXT_VERSION }} | |
git push origin ${{ steps.version.outputs.NEXT_MAJOR_VERSION }} -f | |
git push origin ${{ steps.version.outputs.NEXT_MINOR_VERSION }} -f | |
- name: Tell github-management to sync templates | |
uses: actions/github-script@v7 | |
with: | |
# You have to use something with write access to the repo. GITHUB_TOKEN | |
# doesn't work because it doesn't have access to another repo. | |
github-token: ${{ secrets.PIPELINE_BOT_PAT }} # This is an org level secret | |
script: | | |
github.rest.repos.createDispatchEvent({ | |
owner: 'im-platform', | |
repo: 'github-management', | |
event_type: 'sync_workflows' | |
}); |