From 234f79dd44a2ef0d395f2d2676c222122244b96f Mon Sep 17 00:00:00 2001 From: murn0 Date: Mon, 7 Aug 2023 17:51:20 +0900 Subject: [PATCH 1/6] =?UTF-8?q?update-checksums=E3=82=A2=E3=82=AF=E3=82=B7?= =?UTF-8?q?=E3=83=A7=E3=83=B3=E3=81=AE=E3=83=88=E3=83=BC=E3=82=AF=E3=83=B3?= =?UTF-8?q?=E8=AA=AD=E3=81=BF=E8=BE=BC=E3=81=BF=E3=82=921Password=E7=B5=8C?= =?UTF-8?q?=E7=94=B1=E3=81=AB=E5=A4=89=E6=9B=B4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/pull_request.yaml | 8 +- .../workflows/wc-update-aqua-checksums.yaml | 140 ++++++++++++++++-- 2 files changed, 135 insertions(+), 13 deletions(-) diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml index b31049b..f389a43 100644 --- a/.github/workflows/pull_request.yaml +++ b/.github/workflows/pull_request.yaml @@ -55,9 +55,13 @@ jobs: uses: ./.github/workflows/wc-update-aqua-checksums.yaml permissions: contents: read + with: + aqua_version: v2.9.0 + prune: true + app_id: "op://Github/uhto3hzapjcxicwm664wvh4zu4/AppID" + app_secret: "op://Github/uhto3hzapjcxicwm664wvh4zu4/private_key" secrets: - gh_app_id: ${{secrets.gh_app_id}} - gh_app_private_key: ${{secrets.gh_app_private_key}} + op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} status-check: needs: diff --git a/.github/workflows/wc-update-aqua-checksums.yaml b/.github/workflows/wc-update-aqua-checksums.yaml index 6f0dd4a..935b43c 100644 --- a/.github/workflows/wc-update-aqua-checksums.yaml +++ b/.github/workflows/wc-update-aqua-checksums.yaml 
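Review bot: `aqua_version: v2.9.0` pins an older aqua than the inline call this commit replaces, which passed `v2.10.1` (visible as a removed line in wc-update-aqua-checksums.yaml below), so unless the downgrade is deliberate this should read `aqua_version: v2.10.1`. The two `op://…` values are 1Password item references rather than credentials, so carrying them as plain `with:` inputs is fine, but the same two strings are now repeated verbatim in every caller in this series; a `default:` on those inputs in the reusable workflow would keep a single source of truth. Also note that `secrets.OP_SERVICE_ACCOUNT_TOKEN` is empty on `pull_request` runs from forks, so either this job needs a fork guard or the called workflow must tolerate an empty token.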
@@ -1,21 +1,139 @@ --- name: update-aqua-checksums + on: workflow_call: - secrets: - gh_app_id: + inputs: + aqua_policy_config: + required: false + type: string + aqua_version: + required: true + type: string + policy_allow: + required: false + type: string + working_directory: + required: false + default: "" + type: string + prune: + required: false + default: false + type: boolean + ref: + required: false + type: string + runs-on: + required: false + type: string + default: '"ubuntu-latest"' + description: | + JSON string for runs-on. + e.g. + runs-on: '"macos-latest"' + runs-on: '["foo"]' + app_id: required: true - gh_app_private_key: + type: string + description: The Secret Reference URL for the AppID stored in 1Password + app_secret: required: true + type: string + description: The Secret Reference URL for the AppSecret stored in 1Password + secrets: + op_service_account_token: + required: true + +env: + AQUA_POLICY_CONFIG: ${{inputs.aqua_policy_config}} + AQUA_LOG_COLOR: always + +permissions: {} + jobs: update-aqua-checksums: # Update aqua-checksums.json and push a commit - uses: aquaproj/update-checksum-workflow/.github/workflows/update-checksum.yaml@01a3dfca0b401e2fa1ff11f2b840d227806deca1 # v0.1.7 + runs-on: ${{fromJSON(inputs.runs-on)}} permissions: - contents: read - with: - aqua_version: v2.10.1 - prune: true - secrets: - gh_app_id: ${{secrets.gh_app_id}} - gh_app_private_key: ${{secrets.gh_app_private_key}} \ No newline at end of file + contents: read # To checkout private repository + steps: + - name: Get ref + id: ref + run: | + set -eu + ref="" + case "$GITHUB_EVENT_NAME" in + "pull_request" ) ref="${{github.event.pull_request.head.sha}}";; + esac + if [ -n "${{inputs.ref}}" ]; then + ref="${{inputs.ref}}" + fi + echo "ref=$ref" >> "$GITHUB_OUTPUT" + + - uses: 1password/load-secrets-action@d1a4e73495bde3551cf63f6c048588b8f734e21d # v1.3.1 + id: op-load-secret + with: + export-env: false + env: + OP_SERVICE_ACCOUNT_TOKEN: ${{ 
secrets.OP_SERVICE_ACCOUNT_TOKEN }} + APP_ID: ${{ inputs.app_id }} + APP_SECRET: ${{ inputs.app_secret }} + + - name: Generate token + id: generate_token + uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0 + with: + app_id: ${{steps.op-load-secret.outputs.APP_ID}} + private_key: ${{steps.op-load-secret.outputs.APP_SECRET}} + + - name: Get skip_push + id: skip_push + run: | + set -eu + skip_push="" + case "$GITHUB_EVENT_NAME" in + "pull_request" ) skip_push="${{github.event.pull_request.head.repo.fork}}";; + esac + if [ -z "$skip_push" ]; then + skip_push=false + fi + if [ "$TOKEN_TYPE" = "empty" ]; then + skip_push=false + fi + echo "skip_push=$skip_push" >> "$GITHUB_OUTPUT" + env: + TOKEN_TYPE: ${{steps.generate_token.outputs.token_type}} + + - name: Checkout + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + with: + ref: ${{steps.ref.outputs.ref}} + + - uses: aquaproj/aqua-installer@36dc5833b04eb63f06e3bb818aa6b7a6e6db99a9 # v2.1.2 + if: steps.generate_token.outputs.token_type == 'empty' + # Install ghcp + with: + aqua_version: ${{inputs.aqua_version}} + env: + AQUA_GITHUB_TOKEN: ${{github.token}} + - uses: aquaproj/aqua-installer@36dc5833b04eb63f06e3bb818aa6b7a6e6db99a9 # v2.1.2 + if: ${{steps.generate_token.outputs.token_type != 'empty'}} + # Install ghcp + with: + aqua_version: ${{inputs.aqua_version}} + policy_allow: ${{inputs.policy_allow}} + env: + AQUA_GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} + + - uses: aquaproj/update-checksum-action@2fb7f676d407d4fb8c2c466c19d09d3ddec4f82f # v0.2.2 + with: + skip_push: ${{steps.skip_push.outputs.skip_push}} + prune: ${{inputs.prune}} + working_directory: ${{inputs.working_directory}} + env: + # To trigger GitHub Actions Workflow by pushing a commit, GitHub App token is required. + # github.token doesn't trigger GitHub Actions Workflow. 
+ # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow + # > When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run. + GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} \ No newline at end of file From 0cbef470f544732ceeb516d167861943318e2b3d Mon Sep 17 00:00:00 2001 From: murn0 Date: Mon, 7 Aug 2023 17:59:46 +0900 Subject: [PATCH 2/6] add step name --- .github/workflows/wc-update-aqua-checksums.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/wc-update-aqua-checksums.yaml b/.github/workflows/wc-update-aqua-checksums.yaml index 935b43c..c8b726f 100644 --- a/.github/workflows/wc-update-aqua-checksums.yaml +++ b/.github/workflows/wc-update-aqua-checksums.yaml @@ -71,7 +71,8 @@ jobs: fi echo "ref=$ref" >> "$GITHUB_OUTPUT" - - uses: 1password/load-secrets-action@d1a4e73495bde3551cf63f6c048588b8f734e21d # v1.3.1 + - name: Load secrets + uses: 1password/load-secrets-action@d1a4e73495bde3551cf63f6c048588b8f734e21d # v1.3.1 id: op-load-secret with: export-env: false From e4fddbcc956784d62db71434526e529a55269846 Mon Sep 17 00:00:00 2001 From: murn0 Date: Mon, 7 Aug 2023 18:00:46 +0900 Subject: [PATCH 3/6] =?UTF-8?q?enable-auto-merge=E3=82=A2=E3=82=AF?= =?UTF-8?q?=E3=82=B7=E3=83=A7=E3=83=B3=E3=81=AE=E3=83=88=E3=83=BC=E3=82=AF?= =?UTF-8?q?=E3=83=B3=E3=81=AE=E8=AA=AD=E3=81=BF=E8=BE=BC=E3=81=BF=E3=82=92?= =?UTF-8?q?1Password=E7=B5=8C=E7=94=B1=E3=81=AB=E5=A4=89=E6=9B=B4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/pull_request.yaml | 6 +++-- .github/workflows/wc-enable-auto-merge.yaml | 28 +++++++++++++++++---- 2 files changed, 27 insertions(+), 7 deletions(-) 
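Review bot: Every branch keyed on `steps.generate_token.outputs.token_type` in this hunk (the override in Get skip_push and both aqua-installer `if:` conditions) looks dead: tibdex/github-app-token, as far as its documented outputs go, exposes only `token`, so `token_type` is always the empty string, the `== 'empty'` installer step never runs and the fork `skip_push` override never fires. If those checks were carried over from the upstream aquaproj workflow, either drop them or produce the `token_type` output from a step you control. Fork pull requests never reach that logic anyway, because secrets are unavailable to them and Load secrets runs unconditionally; guarding Load secrets and Generate token with `if: github.event.pull_request.head.repo.fork != true` would let the fork path degrade to `skip_push=true` instead of failing outright. In Get ref, `${{inputs.ref}}` is spliced straight into the shell script; pass it via `env: INPUT_REF: ${{inputs.ref}}` and test `"$INPUT_REF"` so a caller-supplied value cannot become shell syntax.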
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml index f389a43..a0f43b1 100644 --- a/.github/workflows/pull_request.yaml +++ b/.github/workflows/pull_request.yaml @@ -82,6 +82,8 @@ jobs: ! failure() && ! cancelled() && github.event.pull_request.user.login == 'renovate[bot]' && contains(github.event.pull_request.body, ' **Automerge**: Enabled.') uses: ./.github/workflows/wc-enable-auto-merge.yaml permissions: {} + with: + app_id: "op://Github/uhto3hzapjcxicwm664wvh4zu4/AppID" + app_secret: "op://Github/uhto3hzapjcxicwm664wvh4zu4/private_key" secrets: - gh_app_id: ${{secrets.gh_app_id}} - gh_app_private_key: ${{secrets.gh_app_private_key}} \ No newline at end of file + op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/wc-enable-auto-merge.yaml b/.github/workflows/wc-enable-auto-merge.yaml index 32352dc..59e3f1c 100644 --- a/.github/workflows/wc-enable-auto-merge.yaml +++ b/.github/workflows/wc-enable-auto-merge.yaml @@ -2,10 +2,17 @@ name: enable-auto-merge on: workflow_call: - secrets: - gh_app_id: + inputs: + app_id: + required: true + type: string + description: The Secret Reference URL for the AppID stored in 1Password + app_secret: required: true - gh_app_private_key: + type: string + description: The Secret Reference URL for the AppSecret stored in 1Password + secrets: + op_service_account_token: required: true jobs: enable-auto-merge: 
@@ -13,12 +20,23 @@ jobs: runs-on: ubuntu-latest permissions: {} steps: + - name: Load secrets + uses: 1password/load-secrets-action@d1a4e73495bde3551cf63f6c048588b8f734e21d # v1.3.1 + id: op-load-secret + with: + export-env: false + env: + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + APP_ID: ${{ inputs.app_id }} + APP_SECRET: ${{ inputs.app_secret }} + - name: Generate token id: generate_token uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0 with: - app_id: ${{secrets.gh_app_id}} - private_key: ${{secrets.gh_app_private_key}} + app_id: ${{steps.op-load-secret.outputs.APP_ID}} + private_key: ${{steps.op-load-secret.outputs.APP_SECRET}} + - run: gh -R "$GITHUB_REPOSITORY" pr merge --squash --auto --delete-branch "$PR_NUMBER" env: GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} # Use GitHub App to trigger GitHub Actions Workflow by merge commit. From c52844a48bcaf1ba12defefc26249f972fa9ef17 Mon Sep 17 00:00:00 2001 From: murn0 Date: Wed, 9 Aug 2023 14:37:41 +0900 Subject: [PATCH 4/6] =?UTF-8?q?auto-add-label=E3=82=A2=E3=82=AF=E3=82=B7?= =?UTF-8?q?=E3=83=A7=E3=83=B3=E3=81=AE=E3=83=88=E3=83=BC=E3=82=AF=E3=83=B3?= =?UTF-8?q?=E3=81=AE=E8=AA=AD=E3=81=BF=E8=BE=BC=E3=81=BF=E3=82=921Password?= =?UTF-8?q?=E7=B5=8C=E7=94=B1=E3=81=AB=E5=A4=89=E6=9B=B4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/pull_request.yaml | 5 ++++ .github/workflows/wc-auto-add-label.yaml | 33 ++++++++++++++++++++++-- 2 files changed, 36 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml index a0f43b1..c4e3b53 100644 --- a/.github/workflows/pull_request.yaml +++ b/.github/workflows/pull_request.yaml 
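Review bot: The Load secrets step reads `secrets.OP_SERVICE_ACCOUNT_TOKEN`, but the `workflow_call` block earlier in this file declares the secret as `op_service_account_token`; GitHub documents secret names as case-insensitive, so this probably resolves, but it is fragile and wc-auto-add-label.yaml in the same series reads the lowercase name, so use the declared spelling everywhere: `OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.op_service_account_token }}`. The token minted here can squash-merge and delete branches, so a one-line comment above Generate token naming the App and why `github.token` is not used would help the next reader; the trailing comment already on the `gh pr merge` line says why and could simply move up. The job-level `permissions: {}` is right, since nothing in the job uses `github.token` anymore.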
@@ -7,6 +7,11 @@ jobs: permissions: pull-requests: write uses: ./.github/workflows/wc-auto-add-label.yaml + with: + app_id: "op://Github/uhto3hzapjcxicwm664wvh4zu4/AppID" + app_secret: "op://Github/uhto3hzapjcxicwm664wvh4zu4/private_key" + secrets: + op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} path-filter: outputs: diff --git a/.github/workflows/wc-auto-add-label.yaml b/.github/workflows/wc-auto-add-label.yaml index a99831d..565eb91 100644 --- a/.github/workflows/wc-auto-add-label.yaml +++ b/.github/workflows/wc-auto-add-label.yaml @@ -1,5 +1,18 @@ name: Pull request auto add label workflow -on: workflow_call +on: + workflow_call: + inputs: + app_id: + required: true + type: string + description: The Secret Reference URL for the AppID stored in 1Password + app_secret: + required: true + type: string + description: The Secret Reference URL for the AppSecret stored in 1Password + secrets: + op_service_account_token: + required: true permissions: {} jobs: @@ -14,6 +27,22 @@ jobs: contains(github.head_ref, 'test') || contains(github.head_ref, 'doc') steps: + - name: Load secrets + uses: 1password/load-secrets-action@d1a4e73495bde3551cf63f6c048588b8f734e21d # v1.3.1 + id: op-load-secret + with: + export-env: false + env: + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.op_service_account_token }} + APP_ID: ${{ inputs.app_id }} + APP_SECRET: ${{ inputs.app_secret }} + + - name: Generate token + id: generate_token + uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0 + with: + app_id: ${{steps.op-load-secret.outputs.APP_ID}} + private_key: ${{steps.op-load-secret.outputs.APP_SECRET}} - run: | if [[ "$HEAD_REF" == *"feat"* ]]; then echo "HEADブランチに 'feat' が含まれています。" 
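Review bot: The `permissions: pull-requests: write` grant on this caller now appears to be unused: after this series the called wc-auto-add-label.yaml runs `gh pr edit` with the GitHub App token rather than `github.token`, so the job's own GITHUB_TOKEN can be reduced to `permissions: {}` like the other callers in this file. If something in the called workflow still relies on `github.token`, record that in a comment beside the grant so the wider scope is not removed by accident.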
@@ -29,6 +58,6 @@ jobs: gh -R "$GITHUB_REPOSITORY" pr edit "$PR_NUMBER" --add-label "documentation" fi env: - GITHUB_TOKEN: ${{github.token}} + GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} PR_NUMBER: ${{github.event.pull_request.number}} HEAD_REF: ${{github.head_ref}} \ No newline at end of file From 2b8b1ef409ff74457f7bd553e2e4f73076407d59 Mon Sep 17 00:00:00 2001 From: murn0 Date: Wed, 9 Aug 2023 14:39:11 +0900 Subject: [PATCH 5/6] fix: add permissions field --- .github/workflows/wc-enable-auto-merge.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/wc-enable-auto-merge.yaml b/.github/workflows/wc-enable-auto-merge.yaml index 59e3f1c..06913d9 100644 --- a/.github/workflows/wc-enable-auto-merge.yaml +++ b/.github/workflows/wc-enable-auto-merge.yaml @@ -14,6 +14,8 @@ on: secrets: op_service_account_token: required: true + +permissions: {} jobs: enable-auto-merge: # Enable automerge to merge pull requests from Renovate automatically. From c9476125d678de052ee08a256f68495ea95fe349 Mon Sep 17 00:00:00 2001 From: murn0 Date: Wed, 9 Aug 2023 14:39:38 +0900 Subject: [PATCH 6/6] =?UTF-8?q?release=E3=82=A2=E3=82=AF=E3=82=B7=E3=83=A7?= =?UTF-8?q?=E3=83=B3=E3=81=AE=E3=83=88=E3=83=BC=E3=82=AF=E3=83=B3=E3=81=AE?= =?UTF-8?q?=E8=AA=AD=E3=81=BF=E8=BE=BC=E3=81=BF=E3=82=921Password=E7=B5=8C?= =?UTF-8?q?=E7=94=B1=E3=81=AB=E5=A4=89=E6=9B=B4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/release-pr.yaml | 5 +++-- .github/workflows/release.yaml | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release-pr.yaml b/.github/workflows/release-pr.yaml index 17090f0..566cac6 100644 --- a/.github/workflows/release-pr.yaml +++ b/.github/workflows/release-pr.yaml 
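Review bot: Replacing `github.token` with the App token for `gh pr edit --add-label` is not explained anywhere in the file, and it widens what this step can do from `pull-requests: write` to whatever the App installation is granted, while also pulling the 1Password service-account token into a job that only adds labels. If the motive is that labels applied with `github.token` do not fire `labeled` workflows (the reason given in wc-update-aqua-checksums.yaml for its push), state it above the env line: `# App token: label events created with github.token do not trigger other workflows`. If there is no such downstream trigger, keeping `github.token` with `pull-requests: write` is the least-privilege option.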
@@ -46,6 +46,7 @@ jobs: major_title: '## ⚠️ Breaking Changes' minor_title: '## Features' labels: 'release' + app_id_url: "op://Github/uhto3hzapjcxicwm664wvh4zu4/AppID" + app_secret_url: "op://Github/uhto3hzapjcxicwm664wvh4zu4/private_key" secrets: - gh_app_id: ${{secrets.GH_APP_ID}} - gh_app_private_key: ${{secrets.GH_APP_PRIVATE_KEY}} \ No newline at end of file + op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index ca1e9bd..99fcd55 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -16,6 +16,7 @@ jobs: github.event.pull_request.merged == true && startsWith(github.event.pull_request.head.ref, 'release/v') with: draft: true + app_id_url: "op://Github/uhto3hzapjcxicwm664wvh4zu4/AppID" + app_secret_url: "op://Github/uhto3hzapjcxicwm664wvh4zu4/private_key" secrets: - gh_app_id: ${{secrets.GH_APP_ID}} - gh_app_private_key: ${{secrets.GH_APP_PRIVATE_KEY}} \ No newline at end of file + op_service_account_token: ${{secrets.OP_SERVICE_ACCOUNT_TOKEN}} \ No newline at end of file
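Review bot: These callers name the inputs `app_id_url` / `app_secret_url`, while the reusable workflows added in this series (wc-update-aqua-checksums, wc-enable-auto-merge, wc-auto-add-label) call the same 1Password references `app_id` / `app_secret`; the release workflows being called are not in the diff, so I cannot tell which side is wrong, but one spelling should be used across the repo, and `_url` is the more honest name since the value is an `op://` reference rather than the credential itself. The `${{secrets.OP_SERVICE_ACCOUNT_TOKEN}}` in release.yaml also drops the inner spaces used in every other caller; cosmetic, but worth aligning.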