Update workflows to use github app token. (#12160)

* Update workflows to use github app token.

Signed-off-by: Satadru Pramanik <satadru@gmail.com>

* let lint failure fail unit tests

Signed-off-by: Satadru Pramanik <satadru@gmail.com>

* Add shellcheck exclusion.

Signed-off-by: Satadru Pramanik <satadru@gmail.com>

---------

Signed-off-by: Satadru Pramanik <satadru@gmail.com>
This commit is contained in:
Satadru Pramanik, DO, MPH, MEng
2025-07-09 16:23:54 -04:00
committed by GitHub
parent 142a8dbe67
commit e4c4efaf85
11 changed files with 115 additions and 28 deletions


@@ -2,10 +2,7 @@
name: ActionLint
on: workflow_call
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
REVIEWDOG_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
SHELLCHECK_OPTS: "-e SC2129 -e SC2155"
SHELLCHECK_OPTS: "-e SC2086 -e SC2129 -e SC2155"
jobs:
actionlint:
runs-on: ubuntu-24.04
@@ -13,9 +10,21 @@ jobs:
contents: read
pull-requests: write
steps:
- uses: actions/checkout@v4
- name: checkout
uses: actions/checkout@v4
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: Actionlint
uses: reviewdog/action-actionlint@v1
env:
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
REVIEWDOG_GITHUB_API_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
REVIEWDOG_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
with:
fail_level: none
fail_level: any
reporter: github-pr-review
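Review bot: `peter-murray/workflow-application-token-action@v4` is handed `APPLICATION_PRIVATE_KEY` yet is pinned only by a mutable major tag, while the merge-conflict hunk at the end of this commit already pins `eps1lon/actions-label-merge-conflict` to a full commit SHA with a version comment; pin the token action the same way, `uses: peter-murray/workflow-application-token-action@<commit-sha> # v4.x`. The minted installation token also carries every permission granted to the app installation, and the job-level `permissions:` block at the top of this hunk only scopes GITHUB_TOKEN, so the reviewdog step now runs with broader rights than before; the action accepts `permissions:` and `repositories:` inputs that narrow the token to what the step needs (here pull-request write for `github-pr-review`), which is worth setting. Both points apply to every `Get GH Token` step in this commit (the Markdown-lint, Rubocop, ShellCheck and YAMLLint sections and the Build, Repology, daily-cron and merge-conflict hunks), so settle them here and mirror the result.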


@@ -43,22 +43,27 @@ jobs:
needs: handoff
if: contains(needs.handoff.outputs.category, 'Markdown')
uses: ./.github/workflows/Markdown-lint.yml
secrets: inherit
ruby:
needs: handoff
if: contains(needs.handoff.outputs.category, 'Ruby')
uses: ./.github/workflows/Rubocop.yml
secrets: inherit
bash:
needs: handoff
if: contains(needs.handoff.outputs.category, 'Bash')
uses: ./.github/workflows/ShellCheck.yml
secrets: inherit
yaml:
needs: handoff
if: contains(needs.handoff.outputs.category, 'YAML')
uses: ./.github/workflows/YAMLlint.yml
secrets: inherit
action-yaml:
needs: handoff
if: contains(needs.handoff.outputs.category, 'YAML')
uses: ./.github/workflows/Actionlint.yml
secrets: inherit
linter-tests:
runs-on: ubuntu-24.04
needs:
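Review bot: `secrets: inherit` on each reusable-workflow call hands the full repository secret set to the called workflow, while the lint workflows changed in this commit only read `APPLICATION_ID` and `APPLICATION_PRIVATE_KEY`. Since the callees are local `./.github/workflows/...` files the exposure stays within this repo, but passing the two explicitly keeps a compromised linter action from reaching unrelated secrets and documents what each callee uses: `secrets:` / `APPLICATION_ID: ${{ secrets.APPLICATION_ID }}` / `APPLICATION_PRIVATE_KEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}`, with each called workflow declaring both as `required: true` under `on: workflow_call: secrets:`. The `jobs:` mapping continues outside the hunk.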


@@ -1,9 +1,6 @@
---
name: Markdown-lint
on: workflow_call
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
jobs:
markdown-lint:
runs-on: ubuntu-24.04
@@ -12,8 +9,18 @@ jobs:
pull-requests: write
steps:
- uses: actions/checkout@v4
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: Markdown-lint
uses: reviewdog/action-markdownlint@v0
env:
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
REVIEWDOG_GITHUB_API_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
with:
fail_level: any
markdownlint_flags: '-s .mdl_style.rb'


@@ -7,7 +7,6 @@ on:
description: "Branch of chromebrew/chromebrew to run on, if different from this branch."
required: false
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # setting GH_TOKEN for the entire workflow
BRANCH: ${{ inputs.branch || github.ref_name }}
permissions:
actions: write
@@ -332,10 +331,18 @@ jobs:
git reset --hard "origin/${{ env.BRANCH }}"
git pull --rebase origin master && git push -f
git log --oneline -10
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: Create Pull Request
env:
CHANGED_MANIFEST_FILES: ${{ steps.changed-manifest-files.outputs.all_changed_files }}
CHANGED_PACKAGES: ${{ needs.setup.outputs.changed_packages }}
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
TIMESTAMP: ${{ needs.setup.outputs.timestamp }}
i686_PACKAGES: ${{ needs.setup.outputs.i686_packages }}
x86_64_PACKAGES: ${{ needs.setup.outputs.x86_64_packages }}
@@ -365,7 +372,7 @@ jobs:
echo "PR_NUMBER=${PR_NUMBER}" >> "$GITHUB_ENV"
- name: Trigger Unit Test Workflow & Add Reviewer Team
env:
GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
run: |
echo "Flipping pr ${PR_NUMBER} state."
gh pr close "${PR_NUMBER}" && gh pr reopen "${PR_NUMBER}"
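Review bot: Dropping the workflow-level `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` (its own comment says it applied to the entire workflow) leaves any `gh` or API call in the roughly 320 lines between these two hunks without a token; only `Create Pull Request` and `Trigger Unit Test Workflow & Add Reviewer Team` receive the new per-step `GH_TOKEN`, so the rest of the file should be checked for `gh` invocations before merging. The same applies to the two daily-cron hunks below that remove `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and `GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }}` from their workflow `env:`. The reason for switching token source is not stated anywhere in the change; a comment on the new step, along the lines of `# App token instead of GITHUB_TOKEN: presumably so the created PR triggers downstream workflows — confirm`, would record it.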


@@ -27,11 +27,18 @@ jobs:
LIBC_VERSION: 2.37
run: |
ruby -Ctools json.rb
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: Create Pull Request
id: cpr
uses: peter-evans/create-pull-request@v7
with:
token: ${{ secrets.CREW_PR_TOKEN }}
token: ${{ steps.get_workflow_token.outputs.token }}
add-paths: "tools/repology.json"
title: "Update Repology JSON"
body: "Automatic PR to update tools/repology.json"
@@ -40,7 +47,7 @@ jobs:
delete-branch: true
- name: Trigger Unit Test Workflow & Add Reviewer Team
env:
GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
PR_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
run: |
echo "Flipping pr ${PR_NUMBER} state."


@@ -1,9 +1,6 @@
---
name: Rubocop
on: workflow_call
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
jobs:
rubocop:
runs-on: ubuntu-24.04
@@ -15,8 +12,18 @@ jobs:
- uses: ruby/setup-ruby@v1
with:
ruby-version: '3.4'
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: Rubocop
uses: reviewdog/action-rubocop@v2
env:
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
REVIEWDOG_GITHUB_API_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
with:
fail_level: any
filter_mode: nofilter


@@ -1,9 +1,6 @@
---
name: ShellCheck
on: workflow_call
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
jobs:
shellcheck:
runs-on: ubuntu-24.04
@@ -12,8 +9,18 @@ jobs:
pull-requests: write
steps:
- uses: actions/checkout@v4
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: ShellCheck
uses: reviewdog/action-shellcheck@v1
env:
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
REVIEWDOG_GITHUB_API_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
with:
exclude: './tools/*'
fail_level: any


@@ -4,8 +4,6 @@ on:
schedule:
- cron: '0 0 * * *' # Daily
workflow_dispatch:
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # setting GH_TOKEN for the entire workflow
permissions: # Global permissions configuration starts here
actions: write
contents: write
@@ -98,9 +96,18 @@ jobs:
uses: ad-m/github-push-action@master
with:
branch: ${{ steps.set-variables.outputs.UPDATE_BRANCH_NAME }}
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: Cancel if no updates
id: no-update-cancel
if: ${{ ( steps.pip-update-checks.outputs.PIP_UPDATED == 'false' ) && ( steps.gem-update-checks.outputs.GEM_UPDATED == 'false' ) }}
env:
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
run: |
echo "PIP_UPDATED is ${{ steps.pip-update-checks.outputs.PIP_UPDATED }}."
echo "GEM_UPDATED is ${{ steps.gem-update-checks.outputs.GEM_UPDATED }}."
@@ -115,5 +122,14 @@ jobs:
env:
UPDATE_BRANCH_NAME: ${{ needs.update-check.outputs.update_branch_name }}
steps:
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: gh_workflow_dispatch
env:
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
run: gh workflow -R chromebrew/chromebrew run Build.yml -f branch="${UPDATE_BRANCH_NAME}"


@@ -1,9 +1,6 @@
---
name: YAMLLint
on: workflow_call
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
jobs:
yamllint:
runs-on: ubuntu-24.04
@@ -11,9 +8,20 @@ jobs:
contents: read
pull-requests: write
steps:
- uses: actions/checkout@v4
- name: checkout
uses: actions/checkout@v4
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: YAMLLint
uses: reviewdog/action-yamllint@v1
env:
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
REVIEWDOG_GITHUB_API_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
with:
fail_level: any
reporter: github-pr-review


@@ -4,8 +4,6 @@ on:
schedule:
- cron: '0 0 * * *'
workflow_dispatch:
env:
GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
permissions:
actions: write
contents: write
@@ -20,7 +18,16 @@ jobs:
- uses: actions/checkout@v4
with:
persist-credentials: true
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- name: Run required checks if necessary
env:
GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
run: |
for pr in $(gh pr list -s open --author app/github-actions --json number | jq '.[].number')
do
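Review bot: The `--author app/github-actions` filter on `gh pr list` at the end of this hunk was written for PRs opened with GITHUB_TOKEN, but PRs created with the app installation token in the Build and Repology hunks of this same commit will presumably be authored by the app's own bot identity, so unless that app happens to be named github-actions the loop will no longer find them. Verify the author slug shown on a PR opened after this change and update the filter accordingly, e.g. `--author "app/<app-slug>"`. The `for` loop body continues outside the hunk.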


@@ -13,7 +13,14 @@ jobs:
runs-on: ubuntu-24.04
if: ${{ contains(github.repository_owner, 'chromebrew') }}
steps:
- name: Get GH Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v4
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: chromebrew
- uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
with:
dirtyLabel: merge conflict
repoToken: ${{ secrets.CREW_PR_TOKEN }}
repoToken: ${{ steps.get_workflow_token.outputs.token }}