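# SPDX-FileCopyrightText: 2022 WebReady Projects <https://github.com/wr-projects/>
#
# SPDX-License-Identifier: MIT
#
# Pull-request pipeline: secret scanning (GitGuardian), dependency review,
# two bots that touch the PR (working label, emojified title) and a
# new-dependency check. Every third-party action is pinned to a full commit
# SHA rather than a mutable tag.
---
name: Pipeline - Pull Request

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader reads it
# as the trigger key.
on:  # yamllint disable-line rule:truthy
  pull_request:
    types: [opened, reopened]

# Scope of the default GITHUB_TOKEN for every job. The bot jobs below use a
# GitHub App token obtained per job instead of GITHUB_TOKEN.
permissions:
  contents: read
  pull-requests: write

jobs:
  # More info: https://github.com/GitGuardian/ggshield-action
  gitguardian:
    name: GitGuardian Scanner
    runs-on: ubuntu-latest
    steps:
      # More info: https://github.com/step-security/harden-runner.
      # The only job with an enforced egress policy: outbound traffic is
      # limited to the endpoints listed here.
      - name: Harden Runner
        id: harden_runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.gitguardian.com:443
            github.com:443
      # Full clone with no persisted token; presumably so the scanner can
      # compare against the base SHA passed in env below — confirm.
      - name: Checkout & Authentication
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          persist-credentials: false
          fetch-depth: 0
      - name: GitGuardian Scanner
        uses: GitGuardian/gg-shield-action@4b450617504f2a3e1b58cbf0214f7ad3108cdab7
        with:
          args: -v --all-policies
        env:
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.before }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}

  # More info: https://github.com/actions/dependency-review-action
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      # More info: https://github.com/step-security/harden-runner.
      # Audit mode only records egress; nothing is blocked in this job.
      - name: Harden Runner
        id: harden_runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
        with:
          egress-policy: audit
      # More info: https://github.com/actions/checkout.
      # persist-credentials: false keeps the token out of .git/config, as in
      # every other checkout of this workflow.
      - name: Checkout & Authentication
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          persist-credentials: false
          fetch-depth: 0
      # More info: https://github.com/actions/dependency-review-action
      - name: Dependency Review
        uses: actions/dependency-review-action@0659a74c94536054bfa5aeb92241f70d680cc78e
        with:
          config-file: './.github/config/workflows/dependency-review.yml'

  # More info: https://github.com/AlbertHernandez/working-label-action
  working_label:
    runs-on: ubuntu-latest
    steps:
      # More info: https://github.com/step-security/harden-runner.
      # Audit mode only records egress; nothing is blocked in this job.
      - name: Harden Runner
        id: harden_runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
        with:
          egress-policy: audit
      # More info: https://github.com/peter-murray/workflow-application-token-action.
      # Obtain a GitHub App token (separate from GITHUB_TOKEN); the checkout
      # and label steps below use it.
      - name: Get token
        id: get_token
        uses: peter-murray/workflow-application-token-action@8e4e6fbf6fcc8a272781d97597969d21b3812974
        with:
          application_id: ${{ secrets.ID_WORKLABELBOT }}
          # The private key must be the PEM secret, not the app ID secret
          # (which was passed here before). PEM_WORKLABELBOT follows the
          # PEM_* naming of the other bot jobs — confirm the secret exists.
          application_private_key: ${{ secrets.PEM_WORKLABELBOT }}
      # More info: https://github.com/actions/checkout.
      - name: Checkout & Authentication
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          token: ${{ steps.get_token.outputs.token }}
          persist-credentials: false
          fetch-depth: 0
      # More info: https://github.com/AlbertHernandez/working-label-action
      - name: Working Label
        uses: AlbertHernandez/working-label-action@398809d95be33f8f631c0f02e1d0e8cd8fbf8e73
        with:
          work_in_progress_label: 'type:🚧chore'
          ready_to_review_label: 'status:⌛awaiting-review'
        env:
          GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}

  # More info: https://github.com/pineapplelol/emojify-pr-title
  emojify-pr-title:
    runs-on: ubuntu-latest
    # Runs only after the secret scan has passed.
    needs: [gitguardian]
    steps:
      # More info: https://github.com/step-security/harden-runner.
      # Audit mode only records egress; nothing is blocked in this job.
      - name: Harden Runner
        id: harden_runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
        with:
          egress-policy: audit
      # More info: https://github.com/peter-murray/workflow-application-token-action.
      # Obtain a GitHub App token (separate from GITHUB_TOKEN) for the
      # checkout below.
      - name: Get token
        id: get_token
        uses: peter-murray/workflow-application-token-action@8e4e6fbf6fcc8a272781d97597969d21b3812974
        with:
          application_id: ${{ secrets.ID_EMOJIFYBOT }}
          application_private_key: ${{ secrets.PEM_EMOJIFYBOT }}
      # More info: https://github.com/actions/checkout.
      - name: Checkout & Authentication
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          token: ${{ steps.get_token.outputs.token }}
          persist-credentials: false
          fetch-depth: 0
      - name: Emojify PR Title
        uses: pineapplelol/emojify-pr-title@a380b02ff04e737a60066bcd0a8c45f1f7a1a709
        with:
          use-fuzzy: false
          use-emoji-map: true
          # NOTE(review): the map is fetched at run time from the `main`
          # branch of a remote repository rather than a pinned commit, so its
          # contents can change without any change to this workflow.
          emoji-map: 'https://raw.githubusercontent.com/wr-projects/github-template/main/.github/config/workflows/emoji_mapping.json'
          require-space: true

  # More info: https://github.com/hiwelo/new-dependencies-action
  check_new_dependencies:
    runs-on: ubuntu-latest
    # Runs only after the secret scan has passed.
    needs: [gitguardian]
    steps:
      # More info: https://github.com/step-security/harden-runner.
      # Audit mode only records egress; nothing is blocked in this job.
      - name: Harden Runner
        id: harden_runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
        with:
          egress-policy: audit
      # More info: https://github.com/peter-murray/workflow-application-token-action.
      # Obtain a GitHub App token (separate from GITHUB_TOKEN) for the
      # checkout below.
      - name: Get token
        id: get_token
        uses: peter-murray/workflow-application-token-action@8e4e6fbf6fcc8a272781d97597969d21b3812974
        with:
          application_id: ${{ secrets.ID_CHECKDEPSBOT }}
          application_private_key: ${{ secrets.PEM_CHECKDEPSBOT }}
      # More info: https://github.com/actions/checkout.
      - name: Checkout & Authentication
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          token: ${{ steps.get_token.outputs.token }}
          persist-credentials: false
          fetch-depth: 0
      - name: Check for new dependencies
        uses: hiwelo/new-dependencies-action@e4175e14484328f9ab56df91e420e90ad5031c08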