diff --git a/.github/workflows/bump-repository-activity.yml b/.github/workflows/bump-repository-activity.yml
index 9a93fe8e..57f94959 100644
--- a/.github/workflows/bump-repository-activity.yml
+++ b/.github/workflows/bump-repository-activity.yml
@@ -25,7 +25,7 @@ on: type: number permissions: - contents: write + id-token: write concurrency: group: bump-repository-activity-${{github.ref}}
@@ -35,42 +35,24 @@ defaults: run: shell: bash -env: - PUSH_BACK_TOKEN: ${{secrets.PUSH_BACK_TOKEN || github.token}} - jobs: bump-repository-activity: name: Bump repository activity runs-on: ubuntu-latest timeout-minutes: 5 steps: - - name: Get rate limits - uses: remal-github-actions/get-rate-limits@v1 - id: rate-limits + - name: Get GitHub Token + id: get-token + uses: remal/github-repository-token-issuer@v1 with: - githubToken: ${{env.PUSH_BACK_TOKEN}} - - name: Make rate limits decision - id: decision - run: | - echo "Core rate limit usage: ${{steps.rate-limits.outputs.coreUsage}}" - if [ "${{steps.rate-limits.outputs.coreUsage < 75}}" == "true" ]; then - echo "Enough rate limits" - echo 'enough=true' >> $GITHUB_OUTPUT - else - echo "::warning::Not enough rate limits!" - if [ "${{github.event_name != 'schedule'}}" == "true" ]; then - echo "::warning::Executing anyway, as event is '${{github.event_name}}'" - echo 'enough=true' >> $GITHUB_OUTPUT - else - echo 'enough=false' >> $GITHUB_OUTPUT - fi - fi + scopes: | + contents: write - name: Bump repository activity - if: ${{fromJSON(steps.decision.outputs.enough) == true}} uses: remal-github-actions/bump-repository-activity@v1 with: dryRun: ${{inputs.dryRun || 'false'}} - githubToken: ${{env.PUSH_BACK_TOKEN}} + githubToken: ${{steps.get-token.outputs.token}} + maxInactivityDays: ${{inputs.maxInactivityDays || 14}} bumperFile: 'repository-activity.bumper' commitMessage: '[push-back] Bump repository activity'
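Review bot: `uses: remal/github-repository-token-issuer@v1` in the second hunk is pinned to a mutable tag, and this is the step that trades the job's OIDC token (granted by the `id-token: write` swap in the first hunk) for a `contents: write` token, so whatever the tag points at on a given day receives write access to the repository. Pin it to a full commit SHA with the tag kept as a trailing comment, `uses: remal/github-repository-token-issuer@<commit-sha> # v1`, and apply the same pinning where the identical step is added in check-action-secrets, codeowners-validator and sync-with-template. Dropping `contents: write` from the default token in the first hunk is consistent with that move, since only the issued token needs to write.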
diff --git a/.github/workflows/cancel-pr-actions.yml b/.github/workflows/cancel-pr-actions.yml
index 12f5ae13..6058c20c 100644
--- a/.github/workflows/cancel-pr-actions.yml
+++ b/.github/workflows/cancel-pr-actions.yml
@@ -6,9 +6,9 @@ on: - closed permissions: - pull-requests: 'read' - checks: 'read' - actions: 'write' + pull-requests: read + checks: read + actions: write jobs: cancel-pr-actions:
diff --git a/.github/workflows/check-action-secrets.yml b/.github/workflows/check-action-secrets.yml
index 2a1e0c2b..d6599463 100644
--- a/.github/workflows/check-action-secrets.yml
+++ b/.github/workflows/check-action-secrets.yml
@@ -11,6 +11,9 @@ on: - cron: '1 3 * * *' # sync-with-template: adjust workflow_dispatch: { } +permissions: + id-token: write + concurrency: group: check-action-secrets-${{github.ref}} cancel-in-progress: true
@@ -25,30 +28,23 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 5 steps: - - name: Get rate limits - uses: remal-github-actions/get-rate-limits@v1 - id: rate-limits - with: - githubToken: ${{secrets.LIST_SECRETS || github.token}} - - name: Make rate limits decision - id: decision + - name: Get repository owner type + id: owner-type run: | - echo "Core rate limit usage: ${{steps.rate-limits.outputs.coreUsage}}" - if [ "${{steps.rate-limits.outputs.coreUsage < 75}}" == "true" ]; then - echo "Enough rate limits" - echo 'enough=true' >> $GITHUB_OUTPUT - else - echo "::warning::Not enough rate limits!" - if [ "${{github.event_name != 'schedule'}}" == "true" ]; then - echo "::warning::Executing anyway, as event is '${{github.event_name}}'" - echo 'enough=true' >> $GITHUB_OUTPUT - else - echo 'enough=false' >> $GITHUB_OUTPUT - fi - fi + REPO_JSON=$(curl -s "${{github.api_url}}/repos/${{github.repository}}" -H "Authorization: token ${{github.token}}") + OWNER_TYPE=$(echo $REPO_JSON | jq -r '.owner.type') + OWNER_TYPE=$(echo "$OWNER_TYPE" | tr '[:upper:]' '[:lower:]') + echo "owner-type=$OWNER_TYPE" | tee -a $GITHUB_OUTPUT + + - name: Get GitHub Token + id: get-token + uses: remal/github-repository-token-issuer@v1 + with: + scopes: | + secrets: read + ${{steps.owner-type.outputs.owner-type == 'organization' && 'organization_secrets:read' || ''}} - name: Check action secrets - if: ${{fromJSON(steps.decision.outputs.enough) == true}} uses: remal-github-actions/check-action-secrets@v1 with: - githubToken: ${{secrets.LIST_SECRETS || github.token}} + githubToken: ${{steps.get-token.outputs.token}}
diff --git a/.github/workflows/codeowners-validator.yml b/.github/workflows/codeowners-validator.yml
index 6606d3cd..83d45446 100644
--- a/.github/workflows/codeowners-validator.yml
+++ b/.github/workflows/codeowners-validator.yml
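Review bot: The new `Get repository owner type` step degrades silently: `curl -s` exits 0 on an HTTP error response, `echo $REPO_JSON` is unquoted, and `jq -r '.owner.type'` then yields `null`, so for an organization repository a transient API failure makes the scopes expression fall back to `secrets: read` alone and the check runs with less coverage than intended instead of failing. Use `REPO_JSON=$(curl -sSf "${{github.api_url}}/repos/${{github.repository}}" -H "Authorization: token ${{github.token}}")`, read it with `OWNER_TYPE=$(jq -r '.owner.type' <<<"$REPO_JSON")`, and fail the step when `$OWNER_TYPE` is `null` or empty before it is written to `$GITHUB_OUTPUT`. The same step in codeowners-validator (its second hunk only swaps the token) needs the same treatment. It is not visible here whether the issuer parses `scopes` as YAML; if it does, `organization_secrets:read` (no space after the colon) is a plain scalar rather than a key/value pair, unlike `secrets: read` on the line above it, so confirm both spellings are accepted rather than one being ignored.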
@@ -14,49 +14,14 @@ on: workflow_dispatch: { } permissions: - contents: read + id-token: write concurrency: group: codeowners-validation-${{github.ref}} cancel-in-progress: true -env: - VALIDATION_TOKEN: ${{secrets.CODEOWNERS_VALIDATOR_TOKEN && secrets.CODEOWNERS_VALIDATOR_TOKEN || github.token}} - jobs: - rate-limits: - name: Check rate limits - runs-on: ubuntu-latest - timeout-minutes: 5 - steps: - - name: Get rate limits - uses: remal-github-actions/get-rate-limits@v1 - id: rate-limits - with: - githubToken: ${{env.VALIDATION_TOKEN || github.token}} - - name: Make decision - id: decision - run: | - echo "Core rate limit usage: ${{steps.rate-limits.outputs.coreUsage}}" - if [ "${{steps.rate-limits.outputs.coreUsage < 75}}" == "true" ]; then - echo "Enough rate limits" - echo 'enough=true' >> $GITHUB_OUTPUT - else - echo "::warning::Not enough rate limits!" - if [ "${{github.event_name != 'schedule'}}" == "true" ]; then - echo "::warning::Executing anyway, as event is '${{github.event_name}}'" - echo 'enough=true' >> $GITHUB_OUTPUT - else - echo 'enough=false' >> $GITHUB_OUTPUT - fi - fi - outputs: - enough: ${{steps.decision.outputs.enough}} - codeowners-validation: - needs: - - rate-limits - if: ${{fromJSON(needs.rate-limits.outputs.enough) == true}} runs-on: ubuntu-latest timeout-minutes: 15 steps: 
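Review bot: Replacing `contents: read` with `id-token: write` in `permissions:` sets every unlisted scope of the default token to none, yet the `codeowners-validation` job has to read the CODEOWNERS file from the workspace; the steps between this hunk and the next (new lines 28–32, presumably including a checkout) are not visible here. If that checkout relies on `github.token`, the clone may still succeed on a public repository but will fail on a private one, and the issued token cannot help because it is only minted later in the job. Keep `contents: read` alongside `id-token: write` unless the checkout is confirmed to work without it; the first hunk of bump-repository-activity makes the same swap and deserves the same check.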
@@ -68,20 +33,22 @@ jobs: - name: Get repository owner type id: owner-type run: | - REPO_JSON=$(curl -s "${{github.api_url}}/repos/${{github.repository}}" -H "Authorization: token ${{env.VALIDATION_TOKEN}}") + REPO_JSON=$(curl -s "${{github.api_url}}/repos/${{github.repository}}" -H "Authorization: token ${{github.token}}") OWNER_TYPE=$(echo $REPO_JSON | jq -r '.owner.type') OWNER_TYPE=$(echo "$OWNER_TYPE" | tr '[:upper:]' '[:lower:]') echo "owner-type=$OWNER_TYPE" | tee -a $GITHUB_OUTPUT - - name: Basic CODEOWNERS validation - if: ${{steps.owner-type.outputs.owner-type != 'organization'}} - uses: mszostok/codeowners-validator@v0.7.4 + - name: Get GitHub Token + id: get-token + uses: remal/github-repository-token-issuer@v1 with: - github_access_token: '${{env.VALIDATION_TOKEN}}' - checks: 'syntax,duppatterns,files' + scopes: | + contents: read + ${{steps.owner-type.outputs.owner-type == 'organization' && 'members:read' || ''}} - - name: Full CODEOWNERS validation - if: ${{steps.owner-type.outputs.owner-type == 'organization'}} + - name: CODEOWNERS validation + if: ${{steps.owner-type.outputs.owner-type != 'organization'}} uses: mszostok/codeowners-validator@v0.7.4 with: - github_access_token: '${{env.VALIDATION_TOKEN}}' + github_access_token: '${{steps.get-token.outputs.token}}' + checks: ${{steps.owner-type.outputs.owner-type == 'organization' && '' || 'duppatterns,files,syntax'}}
diff --git a/.github/workflows/rebase-dependabot-pull-requests.yml b/.github/workflows/rebase-dependabot-pull-requests.yml
index 98420027..1c78a153 100644
--- a/.github/workflows/rebase-dependabot-pull-requests.yml
+++ b/.github/workflows/rebase-dependabot-pull-requests.yml
@@ -12,9 +12,9 @@ on: workflow_dispatch: { } permissions: - contents: read - issues: write pull-requests: write + issues: write + contents: read concurrency: group: rebase-dependabot-pull-requests-${{github.ref}}
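Review bot: The merged `CODEOWNERS validation` step keeps `if: ${{steps.owner-type.outputs.owner-type != 'organization'}}`, so organization-owned repositories, which the removed `Full CODEOWNERS validation` step used to cover, now get no validation at all, and the `members:read` scope requested for them in the new `Get GitHub Token` step is never used. The `checks:` expression cannot take its organization branch either: `cond && '' || 'duppatterns,files,syntax'` always yields the second string, because an empty string is falsy in the `&&`/`||` idiom. Drop the `if:` line and invert the expression, `checks: ${{steps.owner-type.outputs.owner-type != 'organization' && 'duppatterns,files,syntax' || ''}}`, which restores the old split provided the action treats an empty `checks` as its default set (the removed organization step passed none). The `Get repository owner type` step above is unchanged apart from the token and still parses the API response with unquoted `echo $REPO_JSON` and no `curl --fail`, so an API error silently classifies the owner as non-organization.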
diff --git a/.github/workflows/sync-with-template.yml b/.github/workflows/sync-with-template.yml
index 9fbd2659..f85a5934 100644
--- a/.github/workflows/sync-with-template.yml
+++ b/.github/workflows/sync-with-template.yml
@@ -22,49 +22,39 @@ on: - 'true' - 'false' +permissions: + id-token: write + concurrency: group: sync-with-template-${{github.ref}} cancel-in-progress: true +env: + TEMPLATE_REPOSITORY: ${{secrets.TEMPLATE_REPOSITORY || vars.TEMPLATE_REPOSITORY || ''}} + defaults: run: shell: bash -env: - PUSH_BACK_TOKEN: ${{secrets.PUSH_BACK_TOKEN}} - jobs: sync-with-template: name: Sync with template repository runs-on: ubuntu-latest timeout-minutes: 30 steps: - - name: Get rate limits - uses: remal-github-actions/get-rate-limits@v1 - id: rate-limits + - name: Get GitHub Token + id: get-token + uses: remal/github-repository-token-issuer@v1 with: - githubToken: ${{env.PUSH_BACK_TOKEN || github.token}} - - name: Make rate limits decision - id: decision - run: | - echo "Core rate limit usage: ${{steps.rate-limits.outputs.coreUsage}}" - if [ "${{steps.rate-limits.outputs.coreUsage < 75}}" == "true" ]; then - echo "Enough rate limits" - echo 'enough=true' >> $GITHUB_OUTPUT - else - echo "::warning::Not enough rate limits!" - if [ "${{github.event_name != 'schedule'}}" == "true" ]; then - echo "::warning::Executing anyway, as event is '${{github.event_name}}'" - echo 'enough=true' >> $GITHUB_OUTPUT - else - echo 'enough=false' >> $GITHUB_OUTPUT - fi - fi + scopes: | + contents: write + workflows: write + pull_requests: write + issues: write - name: Sync with template repository - if: ${{env.PUSH_BACK_TOKEN && fromJSON(steps.decision.outputs.enough) == true}} uses: remal-github-actions/sync-with-template@v3 with: dryRun: ${{inputs.dryRun}} - githubToken: ${{env.PUSH_BACK_TOKEN}} - templateRepository: ${{secrets.TEMPLATE_REPOSITORY || vars.TEMPLATE_REPOSITORY || ''}} + githubToken: ${{steps.get-token.outputs.token}} + templateRepository: ${{env.TEMPLATE_REPOSITORY}}
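Review bot: The new `Get GitHub Token` step mints a token with `contents: write`, `workflows: write`, `pull_requests: write` and `issues: write` on every run, whereas the removed `if: ${{env.PUSH_BACK_TOKEN && …}}` guard meant a repository with no push-back token configured never obtained write access from this workflow; `workflows: write` in particular lets the run rewrite the CI definitions themselves. Since `TEMPLATE_REPOSITORY` now defaults to `''`, gate both the issuer step and the sync step with `if: ${{env.TEMPLATE_REPOSITORY != ''}}` so no write-scoped token exists when there is nothing to sync, and confirm that the issuer's policy, which lives outside this diff, limits `workflows: write` to this workflow. Whether the issuer expects `pull_requests` (underscore, as written) or the `pull-requests` spelling GitHub's own `permissions:` block uses is not visible here, and a silently dropped scope would only surface as a failure inside the sync action. The `on:` block is cut at the top of the hunk, so which events can trigger this run is not fully visible.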