This is an automated email from the ASF dual-hosted git repository.

vy pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/logging-parent.git


The following commit(s) were added to refs/heads/main by this push:
     new cbe78ac  Use `pull_request_target` in `dependabot` CI to allow access 
to secrets
cbe78ac is described below

commit cbe78ac711857dbf8460a1e47028170d0d345d62
Author: Volkan Yazıcı <[email protected]>
AuthorDate: Tue Sep 26 09:39:29 2023 +0200

    Use `pull_request_target` in `dependabot` CI to allow access to secrets
---
 .github/workflows/build-reusable.yaml              | 109 ---------------------
 .github/workflows/build.yaml                       |  24 ++---
 .github/workflows/deploy-release-reusable.yaml     |  12 +--
 ...eusable.yaml => merge-dependabot-reusable.yaml} |  48 +--------
 .github/workflows/merge-dependabot.yaml            |  44 +++++++++
 5 files changed, 62 insertions(+), 175 deletions(-)

diff --git a/.github/workflows/build-reusable.yaml 
b/.github/workflows/build-reusable.yaml
index 112f2b2..d2592f2 100644
--- a/.github/workflows/build-reusable.yaml
+++ b/.github/workflows/build-reusable.yaml
@@ -24,10 +24,6 @@ on:
         description: The Java compiler version
         default: 17
         type: string
-    secrets:
-      GPG_SECRET_KEY:
-        description: GPG secret key for signing commits
-        required: true
 
 jobs:
 
@@ -73,108 +69,3 @@ jobs:
             --show-version --batch-mode --errors --no-transfer-progress \
             -DskipTests=true \
             clean verify artifact:compare
-
-  merge-dependabot:
-
-    runs-on: ubuntu-latest
-    needs: build
-    if: github.event_name == 'pull_request' && github.actor == 
'dependabot[bot]'
-
-    steps:
-
-      - name: Fetch metadata
-        id: dependabot-metadata
-        uses: 
dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526   # 1.6.0
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Find dependency attributes
-        shell: bash
-        run: |
-          DEPENDENCY_NAME=$(echo "$DEPENDENCY_NAMES" | tr "," '\n' | head -n 1)
-          cat >> $GITHUB_ENV << EOF
-          DEPENDENCY_NAME=$DEPENDENCY_NAME
-          DEPENDENCY_VERSION=$DEPENDENCY_VERSION
-          EOF
-        env:
-          DEPENDENCY_NAMES: ${{ 
steps.dependabot-metadata.outputs.dependency-names }}
-          DEPENDENCY_VERSION: ${{ 
steps.dependabot-metadata.outputs.new-version }}
-
-      - name: Download patch
-        shell: bash
-        run: wget "$PATCH_URL" -O /tmp/patch
-        env:
-          PATCH_URL: ${{ github.event.pull_request.patch_url }}
-
-      - name: Checkout repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744   # 
3.6.0
-        with:
-          ref: ${{ steps.dependabot-metadata.outputs.target-branch }}
-
-      - name: Apply patch
-        shell: bash
-        run: git apply /tmp/patch
-
-      - name: Set up Java & GPG
-        uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2   # 
3.12.0
-        with:
-          distribution: temurin
-          java-version: ${{ inputs.java-version }}
-          java-package: jdk
-          architecture: x64
-          cache: maven
-          server-id: apache.releases.https
-          server-username: NEXUS_USERNAME
-          server-password: NEXUS_PASSWORD
-          gpg-private-key: ${{ secrets.GPG_SECRET_KEY }}
-
-      - name: Find the release version major
-        shell: bash
-        run: |
-          RELEASE_VERSION_MAJOR=$(./mvnw \
-            --non-recursive --quiet --batch-mode \
-            -DforceStdout=true \
-            -Dexpression=parsedVersion.majorVersion \
-            build-helper:parse-version help:evaluate \
-            | tail -n 1)
-          echo "RELEASE_VERSION_MAJOR=$RELEASE_VERSION_MAJOR" >> $GITHUB_ENV
-
-      - name: Create changelog entry
-        shell: bash
-        run: |
-          
RELEASE_CHANGELOG_FILEPATH="src/changelog/.${RELEASE_VERSION_MAJOR}.x.x"
-          SAFE_DEPENDENCY_NAME=$(echo "$DEPENDENCY_NAME" | tr "[:upper:]" 
"[:lower:]" | sed -r 's/[^a-z0-9]/_/g' | sed -r 's/_+/_/g')
-          
CHANGELOG_ENTRY_FILEPATH="$RELEASE_CHANGELOG_FILEPATH/update_${SAFE_DEPENDENCY_NAME}.xml"
-          mkdir -p $(dirname "$CHANGELOG_ENTRY_FILEPATH")
-          cat > "$CHANGELOG_ENTRY_FILEPATH" << EOF
-          <?xml version="1.0" encoding="UTF-8"?>
-          <entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
-                 xmlns="http://logging.apache.org/log4j/changelog";
-                 xsi:schemaLocation="http://logging.apache.org/log4j/changelog 
https://logging.apache.org/log4j/changelog-0.1.1.xsd";
-                 type="changed">
-          <author id="github:dependabot"/>
-            <description format="asciidoc">Update \`$DEPENDENCY_NAME\` to 
version \`$DEPENDENCY_VERSION\`</description>
-          </entry>
-          EOF
-
-      - name: Generate sources
-        shell: bash
-        run: |
-          ./mvnw \
-            --show-version --batch-mode --errors --no-transfer-progress \
-            process-sources
-
-      - name: Add & commit changes
-        shell: bash
-        run: |
-          git add .
-          git config user.name "ASF Logging Services RM"
-          git config user.email [email protected]
-          git commit -S -a -m "Update \`$DEPENDENCY_NAME\` to version 
\`$DEPENDENCY_VERSION\`"
-          git push origin
-
-      - name: Close the PR
-        run: gh pr close "$PR_URL"
-        env:
-          PR_URL: ${{ github.event.pull_request.html_url }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index cc15d4b..38f55fb 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -19,8 +19,7 @@ name: build
 
 on:
   push:
-    # Avoid workflow run for _merged_ `dependabot` PRs.
-    # They were (hopefully!) already tested in PR-triggered workflow.
+    # Ignore `dependabot` branches, those are handled by 
`merge-dependabot.yaml`
     branches-ignore:
       - "dependabot/**"
     paths-ignore:
@@ -28,6 +27,9 @@ on:
       - "**.md"
       - "**.txt"
   pull_request:
+    # Ignore `dependabot` branches, those are handled by 
`merge-dependabot.yaml`
+    branches-ignore:
+      - "dependabot/**"
     paths-ignore:
       - "**.adoc"
       - "**.md"
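Review bot: The `branches-ignore: - "dependabot/**"` added under `pull_request` filters on the pull request's base branch, not its head branch, so a dependabot PR opened against `main` is not excluded and this workflow keeps running for it; the `branches: - "dependabot/**"` under `pull_request_target` in the new merge-dependabot.yaml has the mirror-image problem and will not fire for such PRs at all. Head-branch gating has to be expressed on the jobs instead, e.g. `if: ${{ !startsWith(github.head_ref, 'dependabot/') }}` on `build` here, with the positive form on the jobs in merge-dependabot.yaml, next to the actor check the reusable workflow already makes. The `on:` block continues outside the hunk.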
@@ -39,26 +41,24 @@ jobs:
 
   build:
     uses: apache/logging-parent/.github/workflows/build-reusable.yaml@main
-    # Write permissions to allow merge of `dependabot` PRs
-    permissions:
-      contents: write
-      pull-requests: write
-    # Secrets for signing commits
-    secrets: inherit
 
   deploy-snapshot:
     needs: build
-    if: github.repository == 'apache/logging-parent' && github.ref == 
'refs/heads/main'
+    if: github.repository == 'apache/logging-parent' && github.ref_name == 
'main'
     uses: 
apache/logging-parent/.github/workflows/deploy-snapshot-reusable.yaml@main
     # Secrets for deployments
-    secrets: inherit
+    secrets:
+      NEXUS_USER: ${{ secrets.NEXUS_USER }}
+      NEXUS_PW: ${{ secrets.NEXUS_PW }}
 
   deploy-release:
     needs: build
-    if: github.repository == 'apache/logging-parent' && startsWith(github.ref, 
'refs/heads/release/')
+    if: github.repository == 'apache/logging-parent' && 
startsWith(github.ref_name, 'release/')
     uses: 
apache/logging-parent/.github/workflows/deploy-release-reusable.yaml@main
     # Secrets for deployments
-    secrets: inherit
+    secrets:
+      NEXUS_USER: ${{ secrets.NEXUS_USER }}
+      NEXUS_PW: ${{ secrets.NEXUS_PW }}
     # Write permissions to allow the Maven `revision` property update, 
changelog release, etc.
     permissions:
       contents: write
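Review bot: Dropping the `permissions` block from the `build` job leaves no permissions declared for the reusable build at all, so it runs with the repository's default `GITHUB_TOKEN` permissions, and as far as the hunks show this file sets nothing at the workflow level either. The new merge-dependabot.yaml pins `permissions: read-all` at the top; doing the same here, or `permissions:` / `  contents: read` on `build`, makes the read-only intent explicit and leaves `deploy-release` below as the only job holding `contents: write`. Replacing `secrets: inherit` with the two named `NEXUS_*` secrets is the right narrowing; `permissions` has not yet received the same treatment.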
diff --git a/.github/workflows/deploy-release-reusable.yaml 
b/.github/workflows/deploy-release-reusable.yaml
index b1c2c68..3346f94 100644
--- a/.github/workflows/deploy-release-reusable.yaml
+++ b/.github/workflows/deploy-release-reusable.yaml
@@ -82,14 +82,14 @@ jobs:
       - name: Export version
         shell: bash
         run: |
-          [[ "$GIT_REF" =~ ^refs/heads/release/.+$ ]] || {
-            echo "was expecting a \`refs/heads/release/\`-prefixed Git 
reference, found: \`$GIT_REF\`"
+          [[ "$GIT_BRANCH_NAME" =~ ^release/.+$ ]] || {
+            echo "was expecting a \`release/\`-prefixed Git branch name, 
found: \`$GIT_BRANCH_NAME\`"
             exit 1
           }
-          export PROJECT_VERSION=$(echo "$GIT_REF" | sed 
's/^refs\/heads\/release\///')
+          export PROJECT_VERSION=$(echo "$GIT_BRANCH_NAME" | sed 
's/^release\///')
           echo "PROJECT_VERSION=$PROJECT_VERSION" >> $GITHUB_ENV
         env:
-          GIT_REF: ${{ github.ref }}
+          GIT_BRANCH_NAME: ${{ github.ref_name }}
 
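Review bot: `github.ref_name` is also the bare name of a tag, so a tag named `release/…` now satisfies the `[[ "$GIT_BRANCH_NAME" =~ ^release/.+$ ]]` guard where the old `refs/heads/` prefix excluded it; harmless if every caller only runs on branch pushes, which the hunk cannot show, but worth a comment such as `# callers are expected to trigger on branch pushes only; ref_name does not distinguish tags`. On the extraction line, `export PROJECT_VERSION=$(echo "$GIT_BRANCH_NAME" | sed 's/^release\///')` can be `PROJECT_VERSION="${GIT_BRANCH_NAME#release/}"`: the guard already proves the prefix, parameter expansion needs no subprocess or escaped slashes, and `export` does nothing useful since later steps only see the value through `$GITHUB_ENV`. The enclosing job starts outside the hunk.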
       - name: Set the Maven `revision` property
         shell: bash
@@ -113,8 +113,6 @@ jobs:
             git commit -S pom.xml -m "Set version to \`$PROJECT_VERSION\`"
             git push origin
           fi
-        env:
-          GIT_REF_NAME: ${{ github.ref_name }}
 
       - name: Release changelog
         shell: bash
@@ -129,8 +127,6 @@ jobs:
             git commit -S src/changelog -m "Release changelog for version 
\`$PROJECT_VERSION\`"
             git push origin
           fi
-        env:
-          GIT_REF_NAME: ${{ github.ref_name }}
 
       - name: Commit generated sources
         shell: bash
diff --git a/.github/workflows/build-reusable.yaml 
b/.github/workflows/merge-dependabot-reusable.yaml
similarity index 75%
copy from .github/workflows/build-reusable.yaml
copy to .github/workflows/merge-dependabot-reusable.yaml
index 112f2b2..27712ae 100644
--- a/.github/workflows/build-reusable.yaml
+++ b/.github/workflows/merge-dependabot-reusable.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 #
 
-name: build-reusable
+name: merge-dependabot-reusable
 
 on:
   workflow_call:
@@ -31,53 +31,9 @@ on:
 
 jobs:
 
-  build:
-
-    runs-on: ${{ matrix.os }}
-
-    strategy:
-      matrix:
-        os: [ macos-latest, ubuntu-latest, windows-latest ]
-
-    steps:
-
-      - name: Checkout repository
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac   # 
4.0.0
-
-      - name: Set up Java
-        uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2   # 
3.7.0
-        with:
-          distribution: temurin
-          java-version: ${{ inputs.java-version }}
-          java-package: jdk
-          architecture: x64
-          cache: maven
-
-      # We could have used `verify`, but `clean install` is required while 
generating the build reproducibility report, which is performed in the next 
step.
-      # For details, see: 
https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility
-      - name: Build
-        shell: bash
-        run: |
-          ./mvnw \
-            --show-version --batch-mode --errors --no-transfer-progress \
-            -DtrimStackTrace=false \
-            -DinstallAtEnd=true \
-            clean install
-
-      # `clean verify artifact:compare` is required to generate the build 
reproducibility report.
-      # For details, see: 
https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility
-      - name: Verify build reproducibility
-        shell: bash
-        run: |
-          ./mvnw \
-            --show-version --batch-mode --errors --no-transfer-progress \
-            -DskipTests=true \
-            clean verify artifact:compare
-
   merge-dependabot:
 
     runs-on: ubuntu-latest
-    needs: build
     if: github.event_name == 'pull_request' && github.actor == 
'dependabot[bot]'
 
     steps:
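Review bot: The job condition `if: github.event_name == 'pull_request' && github.actor == 'dependabot[bot]'` can never be true once this workflow is called from the new merge-dependabot.yaml, whose only trigger is `pull_request_target`; a called reusable workflow sees the caller's event name, so the merge job is silently skipped. Change it to `if: github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]'`. With `needs: build` removed, the job's gating on a green build now rests entirely on the caller's `needs:`; a comment such as `# Callers must gate this job on a successful build job` would record that contract. The job's steps continue outside the hunk.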
@@ -174,7 +130,7 @@ jobs:
           git push origin
 
       - name: Close the PR
-        run: gh pr close "$PR_URL"
+        run: gh pr close "$PR_URL" -c "Changes are applied by CI"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/merge-dependabot.yaml 
b/.github/workflows/merge-dependabot.yaml
new file mode 100644
index 0000000..70011e9
--- /dev/null
+++ b/.github/workflows/merge-dependabot.yaml
@@ -0,0 +1,44 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: build
+
+on:
+  pull_request_target:
+    branches:
+      - "dependabot/**"
+    paths-ignore:
+      - "**.adoc"
+      - "**.md"
+      - "**.txt"
+
+permissions: read-all
+
+jobs:
+
+  build:
+    uses: apache/logging-parent/.github/workflows/build-reusable.yaml@main
+
+  merge-dependabot:
+    needs: build
+    if: github.repository == 'apache/logging-parent'
+    uses: 
apache/logging-parent/.github/workflows/merge-dependabot-reusable.yaml@main
+    permissions:
+      contents: write                                     # to push changelog 
commits
+      pull-requests: write                                # to close the PR
+    secrets:
+      GPG_SECRET_KEY: ${{ secrets.GPG_SECRET_KEY }}       # to sign commits
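Review bot: `name: build` is copied verbatim from build.yaml, so two distinct workflows now share one display name in the Actions UI and in any required-check configuration; `name: merge-dependabot` matches the file. Because the trigger is `pull_request_target`, the reusable `build` job's plain `actions/checkout` (no `ref:` in build-reusable.yaml, as the copied lines in the previous file section show) appears to check out the base branch rather than dependabot's head commit, so the gate that `merge-dependabot` `needs:` may be building `main` rather than the update — worth confirming before the merge job applies the PR's patch with `contents: write`. A comment above `pull_request_target:` such as `# Runs with repository secrets; only dependabot PRs reach the merge job, see the actor check in merge-dependabot-reusable.yaml` would record why this event was chosen over `pull_request`.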
