ci: harden GitHub actions (#22321)
parent
b650207fa5
commit
2748e54aec
8
.github/workflows/ecosystem-ci-trigger.yml
vendored
8
.github/workflows/ecosystem-ci-trigger.yml
vendored
@ -12,7 +12,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
if: github.repository == 'nuxt/nuxt' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/ecosystem-ci run')
|
if: github.repository == 'nuxt/nuxt' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/ecosystem-ci run')
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/github-script@v6
|
- uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
|
||||||
with:
|
with:
|
||||||
script: |
|
script: |
|
||||||
const user = context.payload.sender.login
|
const user = context.payload.sender.login
|
||||||
@ -48,7 +48,7 @@ jobs:
|
|||||||
})
|
})
|
||||||
throw new Error('not allowed')
|
throw new Error('not allowed')
|
||||||
}
|
}
|
||||||
- uses: actions/github-script@v6
|
- uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
|
||||||
id: get-pr-data
|
id: get-pr-data
|
||||||
with:
|
with:
|
||||||
script: |
|
script: |
|
||||||
@ -64,12 +64,12 @@ jobs:
|
|||||||
repo: pr.head.repo.full_name
|
repo: pr.head.repo.full_name
|
||||||
}
|
}
|
||||||
- id: generate-token
|
- id: generate-token
|
||||||
uses: tibdex/github-app-token@v1
|
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
|
||||||
with:
|
with:
|
||||||
app_id: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_ID }}
|
app_id: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_ID }}
|
||||||
private_key: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_PRIVATE_KEY }}
|
private_key: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_PRIVATE_KEY }}
|
||||||
repository: "${{ github.repository_owner }}/ecosystem-ci"
|
repository: "${{ github.repository_owner }}/ecosystem-ci"
|
||||||
- uses: actions/github-script@v6
|
- uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
|
||||||
id: trigger
|
id: trigger
|
||||||
env:
|
env:
|
||||||
COMMENT: ${{ github.event.comment.body }}
|
COMMENT: ${{ github.event.comment.body }}
|
||||||
|
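Review bot: No `permissions:` block is visible for this workflow, although the same commit adds one to semantic-pull-requests.yml. The job shown here runs three `actions/github-script` steps with the default `GITHUB_TOKEN` and mints an app token from `secrets.ECOSYSTEM_CI_GITHUB_APP_PRIVATE_KEY`, so the default token scope matters. The file's first lines are outside the hunks, so a block may already exist there; if it does not, add a workflow-level `permissions: {}` and grant the job only the scopes its github-script calls need. The trailing `# v6.4.1` and `# v1.8.0` comments are not checked against the pinned SHAs, so whatever tool updates the pins should rewrite the SHA and the comment together.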
8
.github/workflows/semantic-pull-requests.yml
vendored
8
.github/workflows/semantic-pull-requests.yml
vendored
@ -7,14 +7,20 @@ on:
|
|||||||
- edited
|
- edited
|
||||||
- synchronize
|
- synchronize
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
main:
|
main:
|
||||||
|
permissions:
|
||||||
|
pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs
|
||||||
|
statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR
|
||||||
if: github.repository == 'nuxt/nuxt'
|
if: github.repository == 'nuxt/nuxt'
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
name: Semantic pull request
|
name: Semantic pull request
|
||||||
steps:
|
steps:
|
||||||
- name: Validate PR title
|
- name: Validate PR title
|
||||||
uses: amannn/action-semantic-pull-request@v5
|
uses: amannn/action-semantic-pull-request@c3cd5d1ea3580753008872425915e343e351ab54 # v5.2.0
|
||||||
with:
|
with:
|
||||||
scopes: |
|
scopes: |
|
||||||
kit
|
kit
|
||||||
|
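Review bot: The job-level `permissions:` under `main` replaces the workflow-level block rather than adding to it, so the new top-level `contents: read` does not apply to this job, although the two blocks read as if they combine. A comment on the top-level block such as `# default for jobs that declare no permissions of their own` would make that explicit for the next maintainer. The event name under `on:` is above the hunk; if it is `pull_request_target`, a short comment noting that this job never checks out PR code would document why `statuses: write` is safe to grant here.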