From 556b4bc47e0a509f39a748ca5ef5a51624fc6902 Mon Sep 17 00:00:00 2001
From: Mathew Payne <2772944+GeekMasher@users.noreply.github.com>
Date: Fri, 5 Jul 2024 09:28:05 +0100
Subject: [PATCH 1/9] feat(ci): Update docs for dep-review

---
 .github/workflows/dependency-review.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index c4cd96f..2340f31 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -1,6 +1,7 @@
 # 'Dependency Review' Reusable Workflow
 #
-# Note: Override the default configuration by providing a './.github/dependency-review.yml' in your repo.
+# Note: If the default configuration isn't present in your repository, we use the centralised
+# configurations.
 
 name: 'Dependency Review'
 
@@ -10,6 +11,7 @@ on:
 
 permissions:
   contents: read
+  # Required for writing a PR Comment
   pull-requests: write
 
 jobs:
@@ -19,6 +21,8 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@v4
 
+      # [optional] This setup isn't required but if your repository have a configuration,
+      # we use that versus the centralised config.
       - name: 'Check for configuration file'
         id: config
         env:
@@ -41,5 +45,7 @@ jobs:
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@v4
         with:
+          # this value can also be hardcoded to a remote repository
+          # Example: advanced-security/reusable-workflows/.github/dependency-review.yml@main
           config-file: ${{ steps.config.outputs.config }}
           comment-summary-in-pr: "always"

From 4bf2ace6a8ca336f86b96629ddbf89a4c402e4e9 Mon Sep 17 00:00:00 2001
From: Adrien Pessu <7055334+adrienpessu@users.noreply.github.com>
Date: Fri, 5 Jul 2024 11:15:46 +0200
Subject: [PATCH 2/9] add permissions

---
 .github/workflows/language-detection-and-assignment.yml | 3 +++
 1 file changed, 3 insertions(+)

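Review bot: The example in the new `config-file` comment points at `@main`, a mutable ref; since that file decides which advisories and licenses fail the review, show a pinned form instead, e.g. `# Example: advanced-security/reusable-workflows/.github/dependency-review.yml@<release-tag-or-commit-sha>`, so consumers don't copy a floating reference. In the `@@ -19,6 +21,8 @@` hunk, `if your repository have a configuration` should read `has`, and `versus the centralised config` reads more clearly as `instead of the centralised config`. The rewritten note in the first hunk drops the only mention of where the repo-local file must live; keeping the `./.github/dependency-review.yml` path from the removed line in the new sentence preserves that information.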
diff --git a/.github/workflows/language-detection-and-assignment.yml b/.github/workflows/language-detection-and-assignment.yml
index 282e992..b3a7a00 100644
--- a/.github/workflows/language-detection-and-assignment.yml
+++ b/.github/workflows/language-detection-and-assignment.yml
@@ -10,6 +10,9 @@ env:
 jobs:
   detect-and-assign:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v4

From a0da84e805d59edcab7f142c3be4a21f17f134ff Mon Sep 17 00:00:00 2001
From: Adrien Pessu <7055334+adrienpessu@users.noreply.github.com>
Date: Fri, 5 Jul 2024 11:18:14 +0200
Subject: [PATCH 3/9] test if we can assign to a team

---
 .github/workflows/language-detection-and-assignment.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/language-detection-and-assignment.yml b/.github/workflows/language-detection-and-assignment.yml
index b3a7a00..512f06c 100644
--- a/.github/workflows/language-detection-and-assignment.yml
+++ b/.github/workflows/language-detection-and-assignment.yml
@@ -10,9 +10,7 @@ env:
 jobs:
   detect-and-assign:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: write
+    permissions: write-all
     steps:
       - name: Checkout code
         uses: actions/checkout@v4

From 0991042e27a2b8db1bceb553e094b4a3e5c31ebf Mon Sep 17 00:00:00 2001
From: Adrien Pessu <7055334+adrienpessu@users.noreply.github.com>
Date: Fri, 5 Jul 2024 11:20:07 +0200
Subject: [PATCH 4/9] add people explicitely

---
 .github/workflows/language-detection-and-assignment.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/language-detection-and-assignment.yml b/.github/workflows/language-detection-and-assignment.yml
index 512f06c..5250b13 100644
--- a/.github/workflows/language-detection-and-assignment.yml
+++ b/.github/workflows/language-detection-and-assignment.yml
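Review bot: `permissions: write-all` in the `@@ -10,9 +10,7 @@` hunk grants the job token every scope on a job triggered by `pull_request`, while `gh pr edit --add-reviewer` needs only `pull-requests: write`, which the `contents: read` / `pull-requests: write` block removed by this hunk already provided; that block should stay. If the motivation (per the subject) is requesting a team review, a wider token is unlikely to help — the job token presumably cannot request team reviewers because that needs organization read access it does not carry, so confirm the actual error in the run log before widening anything. The later `@@ -7,6 +7,7 @@` hunk (patch 6) re-adds the same `write-all` line and the `@@ -4,10 +4,11 @@` hunk (patch 8) removes it again; squashing the series would keep `write-all` out of history altogether.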
@@ -10,7 +10,6 @@ env:
 jobs:
   detect-and-assign:
     runs-on: ubuntu-latest
-    permissions: write-all
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -47,4 +46,4 @@ jobs:
       - name: Assign default
         if: steps.detect-languages.outputs.java != 'true' && steps.detect-languages.outputs.kotlin != 'true' && steps.detect-languages.outputs.javascript != 'true' && steps.detect-languages.outputs.typescript != 'true' && steps.detect-languages.outputs.go != 'true' && steps.detect-languages.outputs.codeql != 'true' && steps.detect-languages.outputs.python != 'true'
         run: |
-          gh pr edit ${{ github.event.number }} --add-reviewer oss-maintainers
+          gh pr edit ${{ github.event.number }} --add-reviewer felickz --add-reviewer Geekmasher --add-reviewer adrienpessu

From b3387179a31db0806844405f68651d3b0fa00ef4 Mon Sep 17 00:00:00 2001
From: Adrien Pessu <7055334+adrienpessu@users.noreply.github.com>
Date: Fri, 5 Jul 2024 11:24:56 +0200
Subject: [PATCH 5/9] test

---
 .../workflows/language-detection-and-assignment.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/language-detection-and-assignment.yml b/.github/workflows/language-detection-and-assignment.yml
index 5250b13..29c667b 100644
--- a/.github/workflows/language-detection-and-assignment.yml
+++ b/.github/workflows/language-detection-and-assignment.yml
@@ -4,9 +4,6 @@ on:
   pull_request:
     branches: [main]
 
-env:
-  GH_TOKEN: ${{ github.token }}
-
 jobs:
   detect-and-assign:
     runs-on: ubuntu-latest
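Review bot: The `if:` guarding the `Assign default` step checks every detected language except `rust`, which the `Assign for Python, Go, CodeQL, Rust` step does check, so a Rust-only PR gets that step's reviewer and then the three reviewers added on the new `run:` line as well; appending `&& steps.detect-languages.outputs.rust != 'true'` to the condition makes this a real fallback. The same condition is carried unchanged into the later `@@ -30,26 +31,18 @@` and `@@ -45,4 +45,4 @@` hunks that rewrite this `run:` line again. The `if:` is a context line here, and the enclosing `steps:` list starts outside the hunk.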
@@ -32,18 +29,26 @@ jobs:
         if: steps.detect-languages.outputs.java == 'true' || steps.detect-languages.outputs.kotlin == 'true' || steps.detect-languages.outputs.javascript == 'true' || steps.detect-languages.outputs.typescript == 'true' || steps.detect-languages.outputs.go == 'true'
         run: |
           gh pr edit ${{ github.event.number }} --add-reviewer adrienpessu
+        env:
+          GH_TOKEN: ${{ github.token }}
 
       - name: Assign for Python, Go, CodeQL, Rust
         if: steps.detect-languages.outputs.python == 'true' || steps.detect-languages.outputs.go == 'true' || steps.detect-languages.outputs.codeql == 'true' || steps.detect-languages.outputs.rust == 'true'
         run: |
           gh pr edit ${{ github.event.number }} --add-reviewer Geekmasher
+        env:
+          GH_TOKEN: ${{ github.token }}
 
       - name: Assign for Python, JavaScript, TypeScript, CodeQL
         if: steps.detect-languages.outputs.python == 'true' || steps.detect-languages.outputs.javascript == 'true' || steps.detect-languages.outputs.typescript == 'true' || steps.detect-languages.outputs.codeql == 'true'
         run: |
           gh pr edit ${{ github.event.number }} --add-reviewer felickz
+        env:
+          GH_TOKEN: ${{ github.token }}
 
       - name: Assign default
         if: steps.detect-languages.outputs.java != 'true' && steps.detect-languages.outputs.kotlin != 'true' && steps.detect-languages.outputs.javascript != 'true' && steps.detect-languages.outputs.typescript != 'true' && steps.detect-languages.outputs.go != 'true' && steps.detect-languages.outputs.codeql != 'true' && steps.detect-languages.outputs.python != 'true'
         run: |
           gh pr edit ${{ github.event.number }} --add-reviewer felickz --add-reviewer Geekmasher --add-reviewer adrienpessu
+        env:
+          GH_TOKEN: ${{ github.token }}

From a4b6540205a58843e6ea10398538faf7a92d49dc Mon Sep 17 00:00:00 2001
From: Adrien Pessu <7055334+adrienpessu@users.noreply.github.com>
Date: Fri, 5 Jul 2024 11:26:03 +0200
Subject: [PATCH 6/9] test again

---
 .github/workflows/language-detection-and-assignment.yml | 1 +
 1 file changed, 1 insertion(+)

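Review bot: The identical two-line `env:` / `GH_TOKEN: ${{ github.token }}` block is added under all four `gh pr edit` steps; a single `env:` on the `detect-and-assign` job scopes the token to exactly the same job with one definition, and the later `@@ -31,25 +31,25 @@` hunk that swaps the token would then have been a one-line change instead of four. The `run:` lines also interpolate `${{ github.event.number }}` straight into the shell; on `pull_request` that value is numeric, so there is no practical injection concern, but reading it through an env variable (`PR_NUMBER: ${{ github.event.number }}` and `gh pr edit "$PR_NUMBER" ...`) is the form that stays safe if the trigger list grows. The `Assign for Java...` step that owns the first `if:` starts outside this hunk.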
diff --git a/.github/workflows/language-detection-and-assignment.yml b/.github/workflows/language-detection-and-assignment.yml
index 29c667b..52432b6 100644
--- a/.github/workflows/language-detection-and-assignment.yml
+++ b/.github/workflows/language-detection-and-assignment.yml
@@ -7,6 +7,7 @@ on:
 jobs:
   detect-and-assign:
     runs-on: ubuntu-latest
+    permissions: write-all
     steps:
       - name: Checkout code
         uses: actions/checkout@v4

From 37b6e0e6ec17c57c454eba6b5c4a13e1b646ae6e Mon Sep 17 00:00:00 2001
From: Adrien Pessu <7055334+adrienpessu@users.noreply.github.com>
Date: Fri, 5 Jul 2024 11:30:36 +0200
Subject: [PATCH 7/9] add PAT

---
 .github/workflows/language-detection-and-assignment.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/language-detection-and-assignment.yml b/.github/workflows/language-detection-and-assignment.yml
index 52432b6..3473ae0 100644
--- a/.github/workflows/language-detection-and-assignment.yml
+++ b/.github/workflows/language-detection-and-assignment.yml
@@ -31,25 +31,25 @@ jobs:
         run: |
           gh pr edit ${{ github.event.number }} --add-reviewer adrienpessu
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ secrets.GH_AP_TOKEN }}
 
       - name: Assign for Python, Go, CodeQL, Rust
         if: steps.detect-languages.outputs.python == 'true' || steps.detect-languages.outputs.go == 'true' || steps.detect-languages.outputs.codeql == 'true' || steps.detect-languages.outputs.rust == 'true'
         run: |
           gh pr edit ${{ github.event.number }} --add-reviewer Geekmasher
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ secrets.GH_AP_TOKEN }}
 
       - name: Assign for Python, JavaScript, TypeScript, CodeQL
         if: steps.detect-languages.outputs.python == 'true' || steps.detect-languages.outputs.javascript == 'true' || steps.detect-languages.outputs.typescript == 'true' || steps.detect-languages.outputs.codeql == 'true'
         run: |
           gh pr edit ${{ github.event.number }} --add-reviewer felickz
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ secrets.GH_AP_TOKEN }}
 
       - name: Assign default
         if: steps.detect-languages.outputs.java != 'true' && steps.detect-languages.outputs.kotlin != 'true' && steps.detect-languages.outputs.javascript != 'true' && steps.detect-languages.outputs.typescript != 'true' && steps.detect-languages.outputs.go != 'true' && steps.detect-languages.outputs.codeql != 'true' && steps.detect-languages.outputs.python != 'true'
         run: |
           gh pr edit ${{ github.event.number }} --add-reviewer felickz --add-reviewer Geekmasher --add-reviewer adrienpessu
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ secrets.GH_AP_TOKEN }}

From ce1b39e2d95d32247505c9e238bd9e6c38c8700d Mon Sep 17 00:00:00 2001
From: Adrien Pessu <7055334+adrienpessu@users.noreply.github.com>
Date: Fri, 5 Jul 2024 11:33:48 +0200
Subject: [PATCH 8/9] clean

---
 .../workflows/language-detection-and-assignment.yml | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

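Review bot: Switching `GH_TOKEN` to `secrets.GH_AP_TOKEN` moves all four `gh pr edit` calls onto a personal access token, and nothing in the workflow records what that token is or needs; add a comment at the first use along the lines of `# GH_AP_TOKEN: fine-grained PAT scoped to this repo, Pull requests: write only; owner and expiry tracked in <location>` so the next maintainer can rotate it. Because the workflow runs on `pull_request`, secrets are not passed to runs from forked repositories, so on fork PRs `GH_TOKEN` expands to empty and each of these steps fails; either state in a comment that this is accepted, or skip them with `if: github.event.pull_request.head.repo.fork == false` (check the field against your payloads). Reviewer requests made with this token are attributed to the PAT owner's account rather than to the Actions identity, which is worth a note for anyone auditing review history. The `Assign for Java...` step whose `run:` opens the hunk starts outside it.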
diff --git a/.github/workflows/language-detection-and-assignment.yml b/.github/workflows/language-detection-and-assignment.yml
index 3473ae0..e9f60fa 100644
--- a/.github/workflows/language-detection-and-assignment.yml
+++ b/.github/workflows/language-detection-and-assignment.yml
@@ -4,10 +4,11 @@ on:
   pull_request:
     branches: [main]
 
+env:
+  GH_TOKEN: ${{ secrets.GH_AP_TOKEN }}
 jobs:
   detect-and-assign:
     runs-on: ubuntu-latest
-    permissions: write-all
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
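Review bot: Moving `GH_TOKEN: ${{ secrets.GH_AP_TOKEN }}` to the workflow-level `env:` exposes the PAT to every step, including `actions/checkout@v4` and the language-detection steps that never call `gh`; the narrowest placement that still avoids repeating it is `env:` on the `detect-and-assign` job, or on the `gh pr edit` steps alone. Dropping `permissions: write-all` is the right direction, but the job now falls back to the repository's default token permissions instead of an explicit grant; with the `gh` calls on the PAT, the job token only needs checkout access, so write out `permissions:` with `  contents: read` under `detect-and-assign`. Style: a blank line between the `GH_TOKEN` line and `jobs:` keeps the spacing consistent with the `on:` block above.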
@@ -30,26 +31,18 @@ jobs:
         if: steps.detect-languages.outputs.java == 'true' || steps.detect-languages.outputs.kotlin == 'true' || steps.detect-languages.outputs.javascript == 'true' || steps.detect-languages.outputs.typescript == 'true' || steps.detect-languages.outputs.go == 'true'
         run: |
           gh pr edit ${{ github.event.number }} --add-reviewer adrienpessu
-        env:
-          GH_TOKEN: ${{ secrets.GH_AP_TOKEN }}
 
       - name: Assign for Python, Go, CodeQL, Rust
         if: steps.detect-languages.outputs.python == 'true' || steps.detect-languages.outputs.go == 'true' || steps.detect-languages.outputs.codeql == 'true' || steps.detect-languages.outputs.rust == 'true'
         run: |
           gh pr edit ${{ github.event.number }} --add-reviewer Geekmasher
-        env:
-          GH_TOKEN: ${{ secrets.GH_AP_TOKEN }}
 
       - name: Assign for Python, JavaScript, TypeScript, CodeQL
         if: steps.detect-languages.outputs.python == 'true' || steps.detect-languages.outputs.javascript == 'true' || steps.detect-languages.outputs.typescript == 'true' || steps.detect-languages.outputs.codeql == 'true'
         run: |
           gh pr edit ${{ github.event.number }} --add-reviewer felickz
-        env:
-          GH_TOKEN: ${{ secrets.GH_AP_TOKEN }}
 
       - name: Assign default
         if: steps.detect-languages.outputs.java != 'true' && steps.detect-languages.outputs.kotlin != 'true' && steps.detect-languages.outputs.javascript != 'true' && steps.detect-languages.outputs.typescript != 'true' && steps.detect-languages.outputs.go != 'true' && steps.detect-languages.outputs.codeql != 'true' && steps.detect-languages.outputs.python != 'true'
         run: |
-          gh pr edit ${{ github.event.number }} --add-reviewer felickz --add-reviewer Geekmasher --add-reviewer adrienpessu
-        env:
-          GH_TOKEN: ${{ secrets.GH_AP_TOKEN }}
+          gh pr edit ${{ github.event.number }} --add-reviewer oss-maintainers

From d1f88a4769543863f6e6e169ea2c8505caaf3d23 Mon Sep 17 00:00:00 2001
From: Adrien Pessu <7055334+adrienpessu@users.noreply.github.com>
Date: Fri, 5 Jul 2024 11:35:04 +0200
Subject: [PATCH 9/9] cleaner

---
 .github/workflows/language-detection-and-assignment.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/language-detection-and-assignment.yml b/.github/workflows/language-detection-and-assignment.yml
index e9f60fa..99e8f44 100644
--- a/.github/workflows/language-detection-and-assignment.yml
+++ b/.github/workflows/language-detection-and-assignment.yml
@@ -45,4 +45,4 @@ jobs:
       - name: Assign default
         if: steps.detect-languages.outputs.java != 'true' && steps.detect-languages.outputs.kotlin != 'true' && steps.detect-languages.outputs.javascript != 'true' && steps.detect-languages.outputs.typescript != 'true' && steps.detect-languages.outputs.go != 'true' && steps.detect-languages.outputs.codeql != 'true' && steps.detect-languages.outputs.python != 'true'
         run: |
-          gh pr edit ${{ github.event.number }} --add-reviewer oss-maintainers
+          gh pr edit ${{ github.event.number }} --add-reviewer felickz --add-reviewer Geekmasher --add-reviewer adrienpessu
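Review bot: The fallback `run:` now hardcodes the same three logins that the three per-language steps already hardcode one at a time, so any reviewer change has to be made in four places; defining the list once (a workflow-level `env` entry or a repository variable read inside the `run:`) and deriving the fallback from it avoids drift between the steps. This hunk also undoes the `oss-maintainers` change the previous patch made to the same line; the two should be squashed so the history records one decision, with a comment on the step saying why individual logins were chosen over the team. The enclosing `steps:` list starts outside the hunk.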