Skip to content

Allowing Deployment Board Disable #244

Allowing Deployment Board Disable

Allowing Deployment Board Disable #244

# This is the workflow the repository uses to increment itself. It does not have a version.
name: Increment Version & Kick off template sync
on:
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
# - GitHub’s standard pull_request workflow trigger prevents write permissions and secrets
# access to the target repository from public forks. PRs from a branch in the same repo
# and forks of internal/private repos are not limited the same way for this trigger.
# - The pull_request_target trigger allows the workflow to relax some restrictions to a
# target repository so PRs from forks have write permission to the target repo and have
# secrets access (which we need in order to push a new tag in this workflow).
# - For this workflow, the elevated permissions should not be a problem because:
# - Our im-open repositories do not contain secrets, they are dumb actions
# - Require approval for all outside collaborators' is set at the org level so someone
# with Write access has a chance to review code before allowing any workflow runs
# - This workflow with elevated Write permissions will only run once the code has been
# reviewed, approved by a CODEOWNER and merged
pull_request_target:
types: [closed]
jobs:
increment-version:
if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main'
runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners
steps:
# Generally speaking, when the PR contents are treated as passive data, i.e. not in a
# position of influence over the build/testing process, it is safe to checkout the code
# on a pull_request_target. But we need to be extra careful not to trigger any script
# that may operate on PR controlled contents like in the case of npm install.
# Here we are just checking it out to calculate the next version
- name: Checkout Repository
uses: actions/checkout@v3
with:
ref: main
fetch-depth: 0
# See https://github.com/im-open/git-version-lite for more details around how to increment
# major/minor/patch through commit messages
- name: Increment the version
id: version
uses: im-open/[email protected]
with:
default-release-type: major
- name: Create version tag, create or update major, and minor tags
run: |
git config user.name github-actions
git config user.email [email protected]
git tag ${{ steps.version.outputs.NEXT_VERSION }} ${{ github.sha }}
git tag -f ${{ steps.version.outputs.NEXT_MAJOR_VERSION }} ${{ github.sha }}
git tag -f ${{ steps.version.outputs.NEXT_MINOR_VERSION }} ${{ github.sha }}
git push origin ${{ steps.version.outputs.NEXT_VERSION }}
git push origin ${{ steps.version.outputs.NEXT_MAJOR_VERSION }} -f
git push origin ${{ steps.version.outputs.NEXT_MINOR_VERSION }} -f
- name: Tell github-management to sync templates
uses: actions/github-script@v6
with:
# You have to use something with write access to the repo. GITHUB_TOKEN
# doesn't work because it doesn't have access to another repo.
github-token: ${{ secrets.PIPELINE_BOT_PAT }} # This is an org level secret
script: |
github.rest.repos.createDispatchEvent({
owner: 'im-platform',
repo: 'github-management',
event_type: 'sync_workflows'
});