[StepSecurity] Apply security best practices #7
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Verify Testing Data | |
| on: | |
| pull_request: | |
| types: | |
| - opened | |
| - reopened | |
| - synchronize | |
| paths: | |
| - .github/workflows/main.yml | |
| permissions: | |
| contents: read | |
| jobs: | |
| use-latest-tag: | |
| name: Check Latest xclim-testdata Tag | |
| runs-on: ubuntu-latest | |
| if: | | |
| (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name) | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| github.com:443 | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Find xclim-testdata Tag and CI Testing Branch | |
| run: | | |
| XCLIM_TESTDATA_TAG="$( \ | |
| git -c 'versionsort.suffix=-' \ | |
| ls-remote --exit-code --refs --sort='version:refname' --tags https://github.com/Ouranosinc/xclim-testdata '*.*.*' \ | |
| | tail --lines=1 \ | |
| | cut --delimiter='/' --fields=3)" | |
| echo "XCLIM_TESTDATA_TAG=${XCLIM_TESTDATA_TAG}" >> $GITHUB_ENV | |
| XCLIM_TESTDATA_BRANCH="$(grep -E "XCLIM_TESTDATA_BRANCH" .github/workflows/main.yml | cut -d ' ' -f4)" | |
| echo "XCLIM_TESTDATA_BRANCH=${XCLIM_TESTDATA_BRANCH}" >> $GITHUB_ENV | |
| - name: Report Versions Found | |
| run: | | |
| echo "Latest xclim-testdata tag: ${{ env.XCLIM_TESTDATA_TAG }}" | |
| echo "Tag for xclim-testdata in CI: ${{ env.XCLIM_TESTDATA_BRANCH }}" | |
| - name: Find Comment | |
| uses: peter-evans/find-comment@a54c31d7fa095754bfef525c0c8e5e5674c4b4b1 # v2.4.0 | |
| id: fc | |
| with: | |
| issue-number: ${{ github.event.pull_request.number }} | |
| comment-author: 'github-actions[bot]' | |
| body-includes: It appears that this Pull Request modifies the `main.yml` workflow. | |
| - name: Compare Versions | |
| if: ${{( env.XCLIM_TESTDATA_TAG != env.XCLIM_TESTDATA_BRANCH )}} | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
| with: | |
| script: | | |
| core.setFailed('Configured `xclim-testdata` tag is not `latest`.') | |
| - name: Update Failure Comment | |
| if: ${{ failure() }} | |
| uses: peter-evans/create-or-update-comment@23ff15729ef2fc348714a3bb66d2f655ca9066f2 # v3.1.0 | |
| with: | |
| comment-id: ${{ steps.fc.outputs.comment-id }} | |
| issue-number: ${{ github.event.pull_request.number }} | |
| body: | | |
| > **Warning** | |
| > It appears that this Pull Request modifies the `main.yml` workflow. | |
| On inspection, it seems that the `XCLIM_TESTDATA_BRANCH` environment variable is set to a tag that is not the latest in the `Ouranosinc/xclim-testdata` repository. | |
| This value must match the most recent tag (`${{ env.XCLIM_TESTDATA_TAG }}`) in order to merge this Pull Request. | |
| If this PR depends on changes in a new testing dataset branch, be sure to tag a new version of `Ouranosinc/xclim-testdata` once your changes have been merged to its `main` branch. | |
| edit-mode: replace | |
| - name: Update Success Comment | |
| if: ${{ success() }} | |
| uses: peter-evans/create-or-update-comment@23ff15729ef2fc348714a3bb66d2f655ca9066f2 # v3.1.0 | |
| with: | |
| comment-id: ${{ steps.fc.outputs.comment-id }} | |
| issue-number: ${{ github.event.pull_request.number }} | |
| body: | | |
| > **Note** | |
| > It appears that this Pull Request modifies the `main.yml` workflow. | |
| On inspection, the `XCLIM_TESTDATA_BRANCH` environment variable is set to the most recent tag (`${{ env.XCLIM_TESTDATA_TAG }}`). | |
| No further action is required. | |
| edit-mode: replace |