actions/code-coverage-summary
1
0
Fork 0
mirror of https://github.com/irongut/CodeCoverageSummary.git synced 2026-05-20 17:00:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

merge PR #50 Implement StepSecurity Secure Workflows

Browse Source 
PR: Implement StepSecurity Secure Workflows
This commit is contained in:
irongut
2022-07-24 21:59:44 +01:00
committed by GitHub
parent 7cdc061845 7ede3df512
commit 5783d61eba
6 changed files with 85 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/assign-to-project.yml
+15 -4
View File
@@ -8,34 +8,45 @@ on:
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
permissions:
contents: read
jobs: jobs:
assign-to-project: assign-to-project:
permissions:
repository-projects: write # for srggrs/assign-one-project-github-action to assign issues and PRs to repo project
runs-on: ubuntu-latest runs-on: ubuntu-latest
name: Assign to Project name: Assign to Project
steps: steps:
- name: Harden Runner
uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Assign Issues to Bugs - name: Assign Issues to Bugs
uses: srggrs/assign-one-project-github-action@1.3.1 uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435
if: contains(github.event.issue.labels.*.name, 'bug') if: contains(github.event.issue.labels.*.name, 'bug')
with: with:
project: 'https://github.com/irongut/CodeCoverageSummary/projects/1' project: 'https://github.com/irongut/CodeCoverageSummary/projects/1'
column_name: 'Needs triage' column_name: 'Needs triage'
- name: Assign Issues to Enhancements - name: Assign Issues to Enhancements
uses: srggrs/assign-one-project-github-action@1.3.1 uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435
if: contains(github.event.issue.labels.*.name, 'enhancement') if: contains(github.event.issue.labels.*.name, 'enhancement')
with: with:
project: 'https://github.com/irongut/CodeCoverageSummary/projects/2' project: 'https://github.com/irongut/CodeCoverageSummary/projects/2'
column_name: 'To do' column_name: 'To do'
- name: Assign PRs to Bugs - name: Assign PRs to Bugs
uses: srggrs/assign-one-project-github-action@1.3.1 uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435
if: contains(github.event.pull_request.labels.*.name, 'bug') if: contains(github.event.pull_request.labels.*.name, 'bug')
with: with:
project: 'https://github.com/irongut/CodeCoverageSummary/projects/1' project: 'https://github.com/irongut/CodeCoverageSummary/projects/1'
column_name: 'In Progress' column_name: 'In Progress'
- name: Assign PRs to Enhancements - name: Assign PRs to Enhancements
uses: srggrs/assign-one-project-github-action@1.3.1 uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435
if: contains(github.event.pull_request.labels.*.name, 'enhancement') if: contains(github.event.pull_request.labels.*.name, 'enhancement')
with: with:
project: 'https://github.com/irongut/CodeCoverageSummary/projects/2' project: 'https://github.com/irongut/CodeCoverageSummary/projects/2'
.github/workflows/auto-assign-pr.yml
+12 -1
View File
@@ -7,11 +7,22 @@ on:
pull_request: pull_request:
types: [opened] types: [opened]
permissions:
contents: read
jobs: jobs:
assignAuthor: assignAuthor:
permissions:
issues: write # for samspills/assign-pr-to-author
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Harden Runner
uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Auto Assign PR - name: Auto Assign PR
uses: samspills/assign-pr-to-author@v1.0.1 uses: samspills/assign-pr-to-author@223a87a821f7e7447cfb5221bc53ceeb633341c2
with: with:
repo-token: '${{ secrets.GITHUB_TOKEN }}' repo-token: '${{ secrets.GITHUB_TOKEN }}'
.github/workflows/ci-build.yml
+11 -2
View File
@@ -6,16 +6,25 @@ on:
pull_request: pull_request:
branches: [ master ] branches: [ master ]
permissions:
contents: read
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
name: CI Build name: CI Build
steps: steps:
- name: Harden Runner
uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Checkout - name: Checkout
uses: actions/checkout@v2 uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
- name: Setup .Net - name: Setup .Net
uses: actions/setup-dotnet@v1 uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87
with: with:
dotnet-version: 6.0.x dotnet-version: 6.0.x
.github/workflows/mark-stale.yml
+13 -2
View File
@@ -4,14 +4,25 @@ on:
schedule: schedule:
- cron: "30 1 * * *" - cron: "30 1 * * *"
permissions:
contents: read
jobs: jobs:
stale: stale:
permissions:
issues: write # for actions/stale to close stale issues
pull-requests: write # for actions/stale to close stale PRs
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Harden Runner
uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Mark Stale - name: Mark Stale
uses: actions/stale@v3 uses: actions/stale@98ed4cb500039dbcccf4bd9bedada4d0187f2757
with: with:
repo-token: ${{ secrets.GITHUB_TOKEN }} repo-token: ${{ secrets.GITHUB_TOKEN }}
exempt-all-milestones: true exempt-all-milestones: true
.github/workflows/pr-labeler.yml
+13 -1
View File
@@ -7,10 +7,22 @@ name: PR Labeler
on: on:
pull_request_target: pull_request_target:
permissions:
contents: read
jobs: jobs:
label: label:
permissions:
contents: read # for actions/labeler to determine modified files
pull-requests: write # for actions/labeler to add labels to PRs
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/labeler@v3
- name: Harden Runner
uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- uses: actions/labeler@472c5d3aaacde439785e94966eb2e545627f4935
with: with:
repo-token: "${{ secrets.GITHUB_TOKEN }}" repo-token: "${{ secrets.GITHUB_TOKEN }}"
.github/workflows/release-build.yml
+21 -6
View File
@@ -8,18 +8,27 @@ env:
REGISTRY: ghcr.io REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }} IMAGE_NAME: ${{ github.repository }}
permissions:
contents: read
jobs: jobs:
build: build:
name: Test Build name: Test Build
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Harden Runner
uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Checkout - name: Checkout
uses: actions/checkout@v2 uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Setup .Net - name: Setup .Net
uses: actions/setup-dotnet@v1 uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87
with: with:
dotnet-version: 6.0.x dotnet-version: 6.0.x
@@ -40,11 +49,17 @@ jobs:
contents: read contents: read
packages: write packages: write
steps: steps:
- name: Harden Runner
uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Checkout - name: Checkout
uses: actions/checkout@v2 uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
- name: Login to GitHub Container Registry - name: Login to GitHub Container Registry
uses: docker/login-action@v1 uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7
with: with:
registry: ${{ env.REGISTRY }} registry: ${{ env.REGISTRY }}
username: ${{ github.repository_owner }} username: ${{ github.repository_owner }}
@@ -52,12 +67,12 @@ jobs:
- name: Extract Docker metadata - name: Extract Docker metadata
id: meta id: meta
uses: docker/metadata-action@v3 uses: docker/metadata-action@b2391d37b4157fa4aa2e118d643f417910ff3242
with: with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build + Push Docker image - name: Build + Push Docker image
uses: docker/build-push-action@v2 uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
with: with:
context: . context: .
push: true push: true