Skip to content

ci(GitHub): Bump step-security/harden-runner from 2.8.0 to 2.8.1 #6

ci(GitHub): Bump step-security/harden-runner from 2.8.0 to 2.8.1

ci(GitHub): Bump step-security/harden-runner from 2.8.0 to 2.8.1 #6

Workflow file for this run

name: PR Deps Baseline
# Add the necessary changes to the dependency update PRs.
on:
pull_request:
types: [ opened, reopened, synchronize ]
permissions:
contents: write
# We appear to need write permission for both pull-requests and
# issues to post a comment to a pull request.
pull-requests: write
issues: write
jobs:
pr-deps:
runs-on: ubuntu-latest
if: github.actor == 'dependabot[bot]'
concurrency:
group: '${{ github.workflow }}-${{ github.ref }}'
cancel-in-progress: true
env:
RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: audit
# Verify that the PR is from Dependabot
- uses: dependabot/fetch-metadata@v2
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Confirm start in the comment
uses: actions/github-script@v7
continue-on-error: true
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const { RUN_URL } = process.env
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `🔄 Baseline update [started](${RUN_URL})...`
})
- uses: actions/checkout@v4
with:
# Needed for correct git commit --amend.
fetch-depth: 3
# Checkout pull request HEAD commit instead of merge commit.
ref: ${{ github.event.pull_request.head.sha }}
- name: Set up JDK
uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 22
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v3
with:
cache-disabled: true
cache-read-only: true
- name: Update baseline
run: ./updateBaseline
- name: Setup GIT
run: |
# Set GIT user email and name to match author of the last commit.
#git config --local user.name "$(git log --pretty=format:'%an' -1)"
#git config --local user.email "$(git log --pretty='%ae' -1)"
git config --local user.name "Baseline Action"
git config --local user.email "[email protected]"
# Create SSH key
#mkdir -p ~/.ssh/
#echo "${{ secrets.BOT_GIT_SSH_KEY }}" > ~/.ssh/id_rsa_bot
#chmod 666 ~/.ssh/id_rsa_bot
# Configure GH commit signing key.
# TODO: Fix it, doesn't work atm. Fails for SSH key saved and used this way.
#git config --local commit.gpgsign true
#git config --local gpg.format ssh
#git config --local user.signingkey ~/.ssh/id_rsa
- name: GIT add
run: |
git add -v .
- name: Commit amend and push
env:
GITHUB_HEAD_REF: ${{ github.head_ref }}
run: |
if [ -n "$(git diff --name-only --cached)" ]; then
# Show what's available.
git log -n 3 --pretty=format:"%h - %an, %ar : %s"
# Amend the baseline changes to the last commit.
git commit --amend --no-edit -vv
# Show what we are about to push.
git log -n 3 --pretty=format:"%h - %an, %ar : %s"
# Push changes back to branch
git push --force -v origin "HEAD:refs/heads/${GITHUB_HEAD_REF}"
else
echo "No changes needed."
fi
# Track result in the comment
- uses: actions/github-script@v7
continue-on-error: true
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const { RUN_URL } = process.env
github.rest.issues.createComment({
issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo,
body: `✅ Baseline [updated](${RUN_URL}).`
})
- uses: actions/github-script@v7
if: failure()
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const { RUN_URL } = process.env
github.rest.issues.createComment({
issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo,
body: `❌ Baseline update [failed](${RUN_URL})!`
})