generated from wr-projects/github-template
-
Notifications
You must be signed in to change notification settings - Fork 0
177 lines (153 loc) · 6.26 KB
/
pullrequest.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
# SPDX-FileCopyrightText: 2022 WebReady Projects <https://github.com/wr-projects/>
#
# SPDX-License-Identifier: MIT
---
name: Pipeline - Pull Request
on:
pull_request:
types: [ opened, reopened ]
permissions:
contents: read
pull-requests: write
jobs:
# More info: https://github.com/GitGuardian/ggshield-action
gitguardian:
name: GitGuardian Scanner
runs-on: ubuntu-latest
steps:
# More info: https://github.com/step-security/harden-runner.
- name: Harden Runner
id: harden_runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.gitguardian.com:443
github.com:443
- name: Checkout & Authentication
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
with:
persist-credentials: false
fetch-depth: 0
- name: GitGuardian Scanner
uses: GitGuardian/gg-shield-action@e8eef84fc3419d2a7e7beb15ab96c95b3ce2da24
with:
args: -v --all-policies
env:
GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
GITHUB_PUSH_BASE_SHA: ${{ github.event.before }}
GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
# More info: https://github.com/actions/dependency-review-action
dependency-review:
runs-on: ubuntu-latest
steps:
# More info: https://github.com/step-security/harden-runner.
- name: Harden Runner
id: harden_runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
with:
egress-policy: audit
# More info: https://github.com/actions/checkout.
- name: Checkout & Authentication
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
with:
fetch-depth: 0
# More info: https://github.com/actions/dependency-review-action
- name: Dependency Review
uses: actions/dependency-review-action@0659a74c94536054bfa5aeb92241f70d680cc78e
with:
config-file: './.github/config/workflows/dependency-review.yml'
# More info: https://github.com/AlbertHernandez/working-label-action
working_label:
runs-on: ubuntu-latest
steps:
# More info: https://github.com/step-security/harden-runner.
- name: Harden Runner
id: harden_runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
with:
egress-policy: audit
# More info: https://github.com/peter-murray/workflow-application-token-action.
- name: Get token
id: get_token
uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
with:
application_id: ${{ secrets.ID_WORKLABELBOT }}
application_private_key: ${{ secrets.ID_WORKLABELBOT }}
# More info: https://github.com/actions/checkout.
- name: Checkout & Authentication
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
with:
token: ${{ steps.get_token.outputs.token }}
persist-credentials: false
fetch-depth: 0
# More info: https://github.com/AlbertHernandez/working-label-action
- name: Working Label
uses: AlbertHernandez/working-label-action@398809d95be33f8f631c0f02e1d0e8cd8fbf8e73
with:
work_in_progress_label: 'type:🚧chore'
ready_to_review_label: 'status:⌛awaiting-review'
env:
GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
# More info: https://github.com/pineapplelol/emojify-pr-title
emojify-pr-title:
runs-on: ubuntu-latest
needs: [gitguardian]
steps:
# More info: https://github.com/step-security/harden-runner.
- name: Harden Runner
id: harden_runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
with:
egress-policy: audit
# More info: https://github.com/peter-murray/workflow-application-token-action.
- name: Get token
id: get_token
uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
with:
application_id: ${{ secrets.ID_EMOJIFYBOT }}
application_private_key: ${{ secrets.PEM_EMOJIFYBOT }}
# More info: https://github.com/actions/checkout.
- name: Checkout & Authentication
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
with:
token: ${{ steps.get_token.outputs.token }}
persist-credentials: false
fetch-depth: 0
- name: Emojify PR Title
uses: pineapplelol/emojify-pr-title@a380b02ff04e737a60066bcd0a8c45f1f7a1a709
with:
use-fuzzy: false
use-emoji-map: true
emoji-map: 'https://raw.githubusercontent.com/wr-projects/github-template/main/.github/config/workflows/emoji_mapping.json'
require-space: true
# More info: https://github.com/hiwelo/new-dependencies-action
check_new_dependencies:
runs-on: ubuntu-latest
needs: [gitguardian]
steps:
# More info: https://github.com/step-security/harden-runner.
- name: Harden Runner
id: harden_runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
with:
egress-policy: audit
# More info: https://github.com/peter-murray/workflow-application-token-action.
- name: Get token
id: get_token
uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
with:
application_id: ${{ secrets.ID_CHECKDEPSBOT }}
application_private_key: ${{ secrets.PEM_CHECKDEPSBOT }}
# More info: https://github.com/actions/checkout.
- name: Checkout & Authentication
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
with:
token: ${{ steps.get_token.outputs.token }}
persist-credentials: false
fetch-depth: 0
- name: Check for new dependencies
uses: hiwelo/new-dependencies-action@e4175e14484328f9ab56df91e420e90ad5031c08