Sync Secret Scanning data #683
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Sync Secret Scanning data | |
| # **What it does**: This updates the data used by the secret scanning patterns page. | |
| # **Why we have it**: To automate updates to the secret scanning pattern data in our public-facing documentation. | |
| # **Who does it impact**: Docs engineering, content writers. | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: '20 16 * * 1-5' # Run Mon-Fri at 16:20 UTC / 8:20 PST | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| # This allows a subsequently queued workflow run to interrupt previous runs | |
| concurrency: | |
| group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' | |
| cancel-in-progress: true | |
| jobs: | |
| update-secret-scanning-file: | |
| if: github.repository == 'github/docs-internal' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| - uses: ./.github/actions/node-npm-setup | |
| - name: Sync secret scanning data | |
| id: secret-scanning-sync | |
| env: | |
| # need to use a token from a user with access to | |
| # github/token-scanning-service for this step | |
| GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }} | |
| run: | | |
| npm run sync-secret-scanning | |
| - name: Create pull request | |
| id: create-pull-request | |
| uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # pin @v8.0.0 | |
| env: | |
| # Disable pre-commit hooks; they don't play nicely here | |
| HUSKY: '0' | |
| with: | |
| # need to use a token with repo and workflow scopes for this step | |
| token: ${{ secrets.DOCS_BOT_PAT_BASE }} | |
| commit-message: 'Add updated secret scanning data' | |
| title: Sync secret scanning data | |
| body: | | |
| 👋 humans. This PR updates the secret scanning data with the latest changes from github/token-scanning-service. | |
| If CI passes, this PR will be auto-merged. :green_heart: | |
| If CI does not pass or other problems arise, contact #docs-engineering on Slack. | |
| This automated PR was created by [this workflow](https://github.com/github/docs-internal/blob/main/.github/workflows/sync-secret-scanning.yml). | |
| branch: sync-secret-scanning-data | |
| labels: | | |
| secret-scanning-pipeline | |
| skip FR board | |
| workflow-generated | |
| - name: Enable GitHub auto-merge | |
| if: ${{ steps.create-pull-request.outputs.pull-request-number }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }} | |
| AUTOMERGE_PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }} | |
| run: npm run enable-automerge | |
| - if: ${{ steps.create-pull-request.outputs.pull-request-number }} | |
| name: Approve | |
| uses: juliangruber/approve-pull-request-action@dcc4effb325c0b503408619918d56e40653dcc91 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| number: ${{ steps.create-pull-request.outputs.pull-request-number }} | |
| - uses: ./.github/actions/slack-alert | |
| if: ${{ failure() && github.event_name != 'workflow_dispatch' }} | |
| with: | |
| slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} | |
| slack_token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }} | |
| - uses: ./.github/actions/create-workflow-failure-issue | |
| if: ${{ failure() && github.event_name != 'workflow_dispatch' }} | |
| with: | |
| token: ${{ secrets.DOCS_BOT_PAT_BASE }} |