github/chromebrew
1
1
Fork 0
mirror of https://github.com/chromebrew/chromebrew.git synced 2026-01-09 15:37:56 -05:00
Code Issues Packages Projects Releases Wiki Activity

Adjust workflows to save GH token once. (#12169)

Browse Source 
* Adjust workflows to save GH token once.

Signed-off-by: Satadru Pramanik <satadru@gmail.com>

* fixup

Signed-off-by: Satadru Pramanik <satadru@gmail.com>

* fixup

Signed-off-by: Satadru Pramanik <satadru@gmail.com>

* fixup

Signed-off-by: Satadru Pramanik <satadru@gmail.com>

* fixup

Signed-off-by: Satadru Pramanik <satadru@gmail.com>

---------

Signed-off-by: Satadru Pramanik <satadru@gmail.com>
This commit is contained in:
Satadru Pramanik, DO, MPH, MEng
2025-07-10 15:57:25 -04:00
committed by GitHub
parent ba6432430b
commit 0c110ac89c
12 changed files with 62 additions and 125 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
.github/workflows/Actionlint.yml vendored
View File

@@ -1,7 +1,9 @@
---
name: ActionLint
on: workflow_call
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
REVIEWDOG_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
SHELLCHECK_OPTS: "-e SC2086 -e SC2129 -e SC2155"
jobs:
actionlint:
@@ -10,21 +12,9 @@ jobs:
contents: read
pull-requests: write
steps:
- name: checkout
uses: actions/checkout@v4
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- uses: actions/checkout@v4
- name: Actionlint
uses: reviewdog/action-actionlint@v1
env:
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
REVIEWDOG_GITHUB_API_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
REVIEWDOG_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
with:
fail_level: any
reporter: github-pr-review

11
.github/workflows/Build.yml vendored
View File

@@ -17,6 +17,7 @@ on:
description: "Branch of chromebrew/chromebrew to run on, if different from this branch."
required: false
env:
GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }} # setting GH_TOKEN for the entire workflow
BRANCH: ${{ inputs.branch || github.ref_name }}
permissions:
actions: write
@@ -330,19 +331,11 @@ jobs:
git reset --hard "origin/${{ env.BRANCH }}"
git pull --rebase origin master && git push -f
git log --oneline -10
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: Create Pull Request
if: ${{ github.event.inputs.with_pr == 'true' }}
env:
CHANGED_MANIFEST_FILES: ${{ steps.changed-manifest-files.outputs.all_changed_files }}
CHANGED_PACKAGES: ${{ needs.setup.outputs.changed_packages }}
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
TIMESTAMP: ${{ needs.setup.outputs.timestamp }}
i686_PACKAGES: ${{ needs.setup.outputs.i686_packages }}
x86_64_PACKAGES: ${{ needs.setup.outputs.x86_64_packages }}
@@ -373,7 +366,7 @@ jobs:
- name: Trigger Unit Test Workflow & Add Reviewer Team
if: ${{ github.event.inputs.with_pr == 'true' }}
env:
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
run: |
echo "Flipping pr ${PR_NUMBER} state."
gh pr close "${PR_NUMBER}" && gh pr reopen "${PR_NUMBER}"

29
.github/workflows/Gen-Token.yml vendored Normal file
View File

@@ -0,0 +1,29 @@
---
name: Generate GitHub Actions Token
on:
schedule:
- cron: 30 * * * *
workflow_dispatch: null
permissions:
issues: write
pull-requests: write
jobs:
gen_token:
name: Generate & Save
runs-on: ubuntu-24.04
if: ${{ contains(github.repository_owner, 'chromebrew') }}
steps:
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: Save Token
id: save_workflow_token
uses: gliech/create-github-secret-action@v1
with:
name: CREW_PR_TOKEN
value: ${{ steps.get_workflow_token.outputs.token }}
pa_token: ${{ steps.get_workflow_token.outputs.token }}

13
.github/workflows/Markdown-lint.yml vendored
View File

@@ -1,6 +1,9 @@
---
name: Markdown-lint
on: workflow_call
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
jobs:
markdown-lint:
runs-on: ubuntu-24.04
@@ -9,18 +12,8 @@ jobs:
pull-requests: write
steps:
- uses: actions/checkout@v4
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: Markdown-lint
uses: reviewdog/action-markdownlint@v0
env:
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
REVIEWDOG_GITHUB_API_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
with:
fail_level: any
markdownlint_flags: '-s .mdl_style.rb'

11
.github/workflows/No-Compile-Needed.yml vendored
View File

@@ -7,6 +7,7 @@ on:
description: "Branch of chromebrew/chromebrew to run on, if different from this branch."
required: false
env:
GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }} # setting GH_TOKEN for the entire workflow
BRANCH: ${{ inputs.branch || github.ref_name }}
permissions:
actions: write
@@ -331,18 +332,10 @@ jobs:
git reset --hard "origin/${{ env.BRANCH }}"
git pull --rebase origin master && git push -f
git log --oneline -10
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: Create Pull Request
env:
CHANGED_MANIFEST_FILES: ${{ steps.changed-manifest-files.outputs.all_changed_files }}
CHANGED_PACKAGES: ${{ needs.setup.outputs.changed_packages }}
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
TIMESTAMP: ${{ needs.setup.outputs.timestamp }}
i686_PACKAGES: ${{ needs.setup.outputs.i686_packages }}
x86_64_PACKAGES: ${{ needs.setup.outputs.x86_64_packages }}
@@ -372,7 +365,7 @@ jobs:
echo "PR_NUMBER=${PR_NUMBER}" >> "$GITHUB_ENV"
- name: Trigger Unit Test Workflow & Add Reviewer Team
env:
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
run: |
echo "Flipping pr ${PR_NUMBER} state."
gh pr close "${PR_NUMBER}" && gh pr reopen "${PR_NUMBER}"

11
.github/workflows/Repology.yml vendored
View File

@@ -27,18 +27,11 @@ jobs:
LIBC_VERSION: 2.37
run: |
ruby -Ctools json.rb
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: Create Pull Request
id: cpr
uses: peter-evans/create-pull-request@v7
with:
token: ${{ steps.get_workflow_token.outputs.token }}
token: ${{ secrets.CREW_PR_TOKEN }}
add-paths: "tools/repology.json"
title: "Update Repology JSON"
body: "Automatic PR to update tools/repology.json"
@@ -47,7 +40,7 @@ jobs:
delete-branch: true
- name: Trigger Unit Test Workflow & Add Reviewer Team
env:
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
PR_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
run: |
echo "Flipping pr ${PR_NUMBER} state."

13
.github/workflows/Rubocop.yml vendored
View File

@@ -1,6 +1,9 @@
---
name: Rubocop
on: workflow_call
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
jobs:
rubocop:
runs-on: ubuntu-24.04
@@ -12,18 +15,8 @@ jobs:
- uses: ruby/setup-ruby@v1
with:
ruby-version: '3.4'
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: Rubocop
uses: reviewdog/action-rubocop@v2
env:
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
REVIEWDOG_GITHUB_API_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
with:
fail_level: any
filter_mode: nofilter

13
.github/workflows/ShellCheck.yml vendored
View File

@@ -1,6 +1,9 @@
---
name: ShellCheck
on: workflow_call
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
jobs:
shellcheck:
runs-on: ubuntu-24.04
@@ -9,18 +12,8 @@ jobs:
pull-requests: write
steps:
- uses: actions/checkout@v4
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: ShellCheck
uses: reviewdog/action-shellcheck@v1
env:
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
REVIEWDOG_GITHUB_API_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
with:
exclude: './tools/*'
fail_level: any

20
.github/workflows/Updater.yml vendored
View File

@@ -4,6 +4,8 @@ on:
schedule:
- cron: '0 0 * * *' # Daily
workflow_dispatch:
env:
GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }} # setting GH_TOKEN for the entire workflow
permissions: # Global permissions configuration starts here
actions: write
contents: write
@@ -96,18 +98,9 @@ jobs:
uses: ad-m/github-push-action@master
with:
branch: ${{ steps.set-variables.outputs.UPDATE_BRANCH_NAME }}
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: Cancel if no updates
id: no-update-cancel
if: ${{ ( steps.pip-update-checks.outputs.PIP_UPDATED == 'false' ) && ( steps.gem-update-checks.outputs.GEM_UPDATED == 'false' ) }}
env:
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
run: |
echo "PIP_UPDATED is ${{ steps.pip-update-checks.outputs.PIP_UPDATED }}."
echo "GEM_UPDATED is ${{ steps.gem-update-checks.outputs.GEM_UPDATED }}."
@@ -122,14 +115,5 @@ jobs:
env:
UPDATE_BRANCH_NAME: ${{ needs.update-check.outputs.update_branch_name }}
steps:
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: gh_workflow_dispatch
env:
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
run: gh workflow -R chromebrew/chromebrew run Build.yml -f branch="${UPDATE_BRANCH_NAME}"

26
.github/workflows/YAMLlint.yml vendored
View File

@@ -1,6 +1,9 @@
---
name: YAMLLint
on: workflow_call
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
jobs:
yamllint:
runs-on: ubuntu-24.04
@@ -8,20 +11,9 @@ jobs:
contents: read
pull-requests: write
steps:
- name: checkout
uses: actions/checkout@v4
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: YAMLLint
uses: reviewdog/action-yamllint@v1
env:
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
REVIEWDOG_GITHUB_API_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
with:
fail_level: any
reporter: github-pr-review
- uses: actions/checkout@v4
- name: YAMLLint
uses: reviewdog/action-yamllint@v1
with:
fail_level: any
reporter: github-pr-review

11
.github/workflows/autocheck.yml vendored
View File

@@ -4,6 +4,8 @@ on:
schedule:
- cron: '0 0 * * *'
workflow_dispatch:
env:
GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
permissions:
actions: write
contents: write
@@ -18,16 +20,7 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: true
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: Run required checks if necessary
env:
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
run: |
for pr in $(gh pr list -s open --author app/github-actions --json number | jq '.[].number')
do

11
.github/workflows/repo-merge-conflict.yaml vendored
View File

@@ -1,26 +1,17 @@
---
name: Repo / Label merge conflict
on:
push:
pull_request_target:
types:
- synchronize
jobs:
triage:
name: Triage
runs-on: ubuntu-24.04
if: ${{ contains(github.repository_owner, 'chromebrew') }}
steps:
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
with:
dirtyLabel: merge conflict
repoToken: ${{ steps.get_workflow_token.outputs.token }}
repoToken: ${{ secrets.CREW_PR_TOKEN }}