From 25b5a058d77b30c1aab5c20c55d4a6fa5fee8f0f Mon Sep 17 00:00:00 2001 From: jackwotherspoon Date: Mon, 22 Jul 2024 14:17:14 +0000 Subject: [PATCH 1/4] ci: remove pull_request_target trigger --- .github/labels.yml | 50 ++++++------ .github/workflows/codeql.yml | 55 ++++++------- .github/workflows/coverage.yml | 23 ------ .github/workflows/lint.yml | 28 +------ .github/workflows/scorecard.yml | 8 +- .github/workflows/tests.yml | 135 +++++++++++--------------------- 6 files changed, 98 insertions(+), 201 deletions(-) diff --git a/.github/labels.yml b/.github/labels.yml index b02c0a53..53679914 100644 --- a/.github/labels.yml +++ b/.github/labels.yml 
@@ -16,72 +16,72 @@ color: ededed description: "" -- name: 'type: bug' +- name: "type: bug" color: db4437 - description: Error or flaw in code with unintended results or allowing sub-optimal + description: + Error or flaw in code with unintended results or allowing sub-optimal usage patterns. -- name: 'type: cleanup' +- name: "type: cleanup" color: c5def5 description: An internal cleanup or hygiene concern. -- name: 'type: docs' +- name: "type: docs" color: 0000A0 description: Improvement to the documentation for an API. -- name: 'type: feature request' +- name: "type: feature request" color: c5def5 description: ‘Nice-to-have’ improvement, new feature or different behavior or design. -- name: 'type: process' +- name: "type: process" color: c5def5 description: A process-related concern. May include testing, release, or the like. -- name: 'type: question' +- name: "type: question" color: c5def5 description: Request for information or clarification. -- name: 'priority: p0' +- name: "priority: p0" color: b60205 description: Highest priority. Critical issue. P0 implies highest priority. -- name: 'priority: p1' +- name: "priority: p1" color: ffa03e - description: Important issue which blocks shipping the next release. Will be fixed + description: + Important issue which blocks shipping the next release. Will be fixed prior to next release. -- name: 'priority: p2' +- name: "priority: p2" color: fef2c0 description: Moderately-important priority. Fix may not be included in next release. -- name: 'priority: p3' +- name: "priority: p3" color: ffffc7 description: Desirable enhancement or fix. May not be included in next release. - name: automerge color: 00ff00 description: Merge the pull request once unit tests and other checks pass. 
-- name: 'automerge: exact' +- name: "automerge: exact" color: 8dd517 - description: Summon MOG for automerging, but approvals need to be against the latest + description: + Summon MOG for automerging, but approvals need to be against the latest commit - name: do not merge color: d93f0b - description: Indicates a pull request not ready for merge, due to either quality + description: + Indicates a pull request not ready for merge, due to either quality or timing. -- name: 'autorelease: pending' +- name: "autorelease: pending" color: ededed description: Release please needs to do its work on this. -- name: 'autorelease: triggered' +- name: "autorelease: triggered" color: ededed description: Release please has triggered a release for this. -- name: 'autorelease: tagged' +- name: "autorelease: tagged" color: ededed description: Release please has completed a release for this. -- name: 'tests: run' - color: 3DED97 - description: Label to trigger Github Action tests. - -- name: 'flakybot: flaky' +- name: "flakybot: flaky" color: 86d9d7 description: Tells the Flaky Bot not to close or comment on this issue. -- name: 'flakybot: quiet' +- name: "flakybot: quiet" color: 86d9d7 description: Tells the Flaky Bot to comment less. -- name: 'flakybot: issue' +- name: "flakybot: issue" color: a9f9f7 description: An issue filed by the Flaky Bot. Should not be added manually. diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a0263826..296fcd9f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -16,24 +16,18 @@ name: "CodeQL" on: push: - branches: [ "main" ] + branches: ["main"] pull_request: - branches: [ "main" ] + branches: ["main"] paths-ignore: - - '**/*.md' - - '**/*.txt' - pull_request_target: - types: [labeled] - paths-ignore: - - '**/*.md' - - '**/*.txt' + - "**/*.md" + - "**/*.txt" # Declare default permissions as read only. permissions: read-all jobs: analyze: - if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' }}" name: Analyze runs-on: ubuntu-latest permissions: 
@@ -44,27 +38,24 @@ jobs: strategy: fail-fast: false matrix: - language: [ 'python' ] + language: ["python"] steps: - - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.pull_request.head.sha }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 - with: - languages: ${{ matrix.language }} - - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). - # If this step fails, then you should remove it and run the build manually - - name: Autobuild - uses: github/codeql-action/autobuild@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 - with: - category: "/language:${{matrix.language}}" + - name: Checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 + with: + languages: ${{ matrix.language }} + + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). + # If this step fails, then you should remove it and run the build manually + - name: Autobuild + uses: github/codeql-action/autobuild@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 31bacdea..67c849b1 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml 
@@ -15,37 +15,14 @@ name: Code Coverage on: pull_request: - pull_request_target: - types: [labeled] # Declare default permissions as read only. permissions: read-all jobs: coverage: - if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' }}" runs-on: ubuntu-latest - permissions: - issues: write - pull-requests: write steps: - - name: Remove PR Label - if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}" - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - try { - await github.rest.issues.removeLabel({ - name: 'tests: run', - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.payload.pull_request.number - }); - } catch (e) { - console.log('Failed to remove label. Another job may have already removed it!'); - } - - name: Setup Python uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index faef3510..e839f6b6 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
@@ -15,51 +15,25 @@ name: Lint on: pull_request: - pull_request_target: - types: [labeled] # Declare default permissions as read only. permissions: read-all jobs: lint: - if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' }}" name: Run lint runs-on: ubuntu-latest - permissions: - issues: write - pull-requests: write steps: - - name: Remove PR Label - if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}" - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - try { - await github.rest.issues.removeLabel({ - name: 'tests: run', - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.payload.pull_request.number - }); - } catch (e) { - console.log('Failed to remove label. Another job may have already removed it!'); - } - - name: Setup Python uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: "3.12" - + - name: Install nox run: pip install nox - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.pull_request.head.sha }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - name: Run nox lint session run: nox --sessions lint diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 45b7fd84..d78f59b7 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -18,9 +18,9 @@ on: branch_protection_rule: schedule: # weekly on Sunday - - cron: '0 20 * * 0' + - cron: "0 20 * * 0" push: - branches: [ "main" ] + branches: ["main"] # Declare default permissions as read only. permissions: read-all 
@@ -44,7 +44,7 @@ jobs: with: results_file: results.sarif results_format: sarif - + - name: Filter SARIF to skip false positives # filter out DangerousWorkflow alerts as they do not account for safe use of labels to trigger actions env: @@ -53,7 +53,7 @@ jobs: SCORECARD_SKIPPED_RULE_IDS_JSON=$(echo $SCORECARD_SKIPPED_RULE_IDS | jq -cR 'split(",")') # Trim the SARIF file to remove false positive detections cat results.sarif | jq '.runs[].results |= map(select(.ruleId as $id | '$SCORECARD_SKIPPED_RULE_IDS_JSON' | all($id != .)))' > resultsFiltered.sarif - + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 2f414016..eaabd3a0 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -18,18 +18,14 @@ on: push: branches: - main - pull_request_target: - types: [labeled] schedule: - - cron: '0 2 * * *' + - cron: "0 2 * * *" # Declare default permissions as read only. permissions: read-all jobs: integration: - # run job on proper workflow event triggers (skip job for pull_request event from forks and only run pull_request_target for "tests: run" label) - if: "${{ (github.event.action != 'labeled' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name) || github.event.label.name == 'tests: run' }}" name: integration tests runs-on: ${{ matrix.os }} strategy: 
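Review bot: The `Filter SARIF to skip false positives` step and its `SCORECARD_SKIPPED_RULE_IDS` env are now stale: the rationale in the context comment (`safe use of labels to trigger actions`) no longer holds once `pull_request_target` is removed from the other workflows in this series, and continuing to strip DangerousWorkflow results out of `results.sarif` would hide a future reintroduction of a `pull_request_target` workflow that checks out the PR head. This hunk and `@@ -53,7 +53,7 @@` only touch whitespace, so the filter and its jq pipeline survive untouched; I would delete the filter step and have the upload step (which presumably reads `resultsFiltered.sarif`) consume `results.sarif` directly, or at minimum rewrite the comment to say that DangerousWorkflow alerts are no longer suppressed. The step's `env:` and `run:` bodies continue between and past these two hunks.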
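Review bot: Dropping the `if:` on `integration` removes its fork guard along with the label check, not just the label check; if `on:` above this hunk still lists `pull_request`, the job will now start for fork-originated PRs and fail at the `Authenticate to Google Cloud` step, because such runs are not granted `id-token: write`. If `pull_request` is no longer a trigger this is moot, but either way a comment on the job recording the intended triggers would prevent the guard from being re-added or forgotten, e.g. `# runs on push to main and on schedule only; PR runs cannot reach the WIF-backed steps`. The `on:` block and the job's `permissions` block both extend outside this hunk.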
@@ -43,28 +39,8 @@ jobs: issues: write pull-requests: write steps: - - name: Remove PR label - if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}" - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - try { - await github.rest.issues.removeLabel({ - name: 'tests: run', - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.payload.pull_request.number - }); - } catch (e) { - console.log('Failed to remove label. Another job may have already removed it!'); - } - - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.pull_request.head.sha }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - name: Setup Python ${{ matrix.python-version }} uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 
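Review bot: The `issues: write` and `pull-requests: write` grants in the context lines just above `steps:` no longer have a consumer, because the only step that used the token for writes — the `Remove PR label` github-script step deleted here — is gone; the same pair is still present in the `unit` job at `@@ -160,28 +136,8 @@`. Unless the FlakyBot steps later in the job use `GITHUB_TOKEN` to file issues (they appear to invoke the `flakybot` binary directly, though its body runs past the hunk), both jobs should drop those two lines so the job token stays read-only, consistent with the workflow-level `permissions: read-all`. The `permissions` block begins above this hunk.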
@@ -74,56 +50,56 @@ jobs: - name: Install nox run: pip install nox - - id: 'auth' - name: 'Authenticate to Google Cloud' + - id: "auth" + name: "Authenticate to Google Cloud" uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 with: - workload_identity_provider: ${{ secrets.PROVIDER_NAME }} - service_account: ${{ secrets.SERVICE_ACCOUNT }} + workload_identity_provider: ${{ vars.PROVIDER_NAME }} + service_account: ${{ vars.SERVICE_ACCOUNT }} access_token_lifetime: 600s - - id: 'secrets' + - id: "secrets" name: Get secrets uses: google-github-actions/get-secretmanager-secrets@dc4a1392bad0fd60aee00bb2097e30ef07a1caae # v2.1.3 with: secrets: |- - MYSQL_CONNECTION_NAME:${{ secrets.GOOGLE_CLOUD_PROJECT }}/MYSQL_CONNECTION_NAME - MYSQL_IAM_CONNECTION_NAME:${{ secrets.GOOGLE_CLOUD_PROJECT }}/MYSQL_IAM_CONNECTION_NAME - MYSQL_USER:${{ secrets.GOOGLE_CLOUD_PROJECT }}/MYSQL_USER - MYSQL_IAM_USER:${{ secrets.GOOGLE_CLOUD_PROJECT }}/MYSQL_USER_IAM_PYTHON - MYSQL_PASS:${{ secrets.GOOGLE_CLOUD_PROJECT }}/MYSQL_PASS - MYSQL_DB:${{ secrets.GOOGLE_CLOUD_PROJECT }}/MYSQL_DB - POSTGRES_CONNECTION_NAME:${{ secrets.GOOGLE_CLOUD_PROJECT }}/POSTGRES_CONNECTION_NAME - POSTGRES_IAM_CONNECTION_NAME:${{ secrets.GOOGLE_CLOUD_PROJECT }}/POSTGRES_IAM_CONNECTION_NAME - POSTGRES_USER:${{ secrets.GOOGLE_CLOUD_PROJECT }}/POSTGRES_USER - POSTGRES_IAM_USER:${{ secrets.GOOGLE_CLOUD_PROJECT }}/POSTGRES_USER_IAM_PYTHON - POSTGRES_PASS:${{ secrets.GOOGLE_CLOUD_PROJECT }}/POSTGRES_PASS - POSTGRES_DB:${{ secrets.GOOGLE_CLOUD_PROJECT }}/POSTGRES_DB - SQLSERVER_CONNECTION_NAME:${{ secrets.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_CONNECTION_NAME - SQLSERVER_USER:${{ secrets.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_USER - SQLSERVER_PASS:${{ secrets.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_PASS - SQLSERVER_DB:${{ secrets.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_DB + MYSQL_CONNECTION_NAME:${{ vars.GOOGLE_CLOUD_PROJECT }}/MYSQL_CONNECTION_NAME + MYSQL_IAM_CONNECTION_NAME:${{ vars.GOOGLE_CLOUD_PROJECT 
}}/MYSQL_IAM_CONNECTION_NAME + MYSQL_USER:${{ vars.GOOGLE_CLOUD_PROJECT }}/MYSQL_USER + MYSQL_IAM_USER:${{ vars.GOOGLE_CLOUD_PROJECT }}/MYSQL_USER_IAM_PYTHON + MYSQL_PASS:${{ vars.GOOGLE_CLOUD_PROJECT }}/MYSQL_PASS + MYSQL_DB:${{ vars.GOOGLE_CLOUD_PROJECT }}/MYSQL_DB + POSTGRES_CONNECTION_NAME:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_CONNECTION_NAME + POSTGRES_IAM_CONNECTION_NAME:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_IAM_CONNECTION_NAME + POSTGRES_USER:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_USER + POSTGRES_IAM_USER:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_USER_IAM_PYTHON + POSTGRES_PASS:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_PASS + POSTGRES_DB:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_DB + SQLSERVER_CONNECTION_NAME:${{ vars.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_CONNECTION_NAME + SQLSERVER_USER:${{ vars.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_USER + SQLSERVER_PASS:${{ vars.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_PASS + SQLSERVER_DB:${{ vars.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_DB - name: Run tests env: - MYSQL_CONNECTION_NAME: '${{ steps.secrets.outputs.MYSQL_CONNECTION_NAME }}' - MYSQL_IAM_CONNECTION_NAME: '${{ steps.secrets.outputs.MYSQL_IAM_CONNECTION_NAME }}' - MYSQL_USER: '${{ steps.secrets.outputs.MYSQL_USER }}' - MYSQL_IAM_USER: '${{ steps.secrets.outputs.MYSQL_IAM_USER }}' - MYSQL_PASS: '${{ steps.secrets.outputs.MYSQL_PASS }}' - MYSQL_DB: '${{ steps.secrets.outputs.MYSQL_DB }}' - POSTGRES_CONNECTION_NAME: '${{ steps.secrets.outputs.POSTGRES_CONNECTION_NAME }}' - POSTGRES_IAM_CONNECTION_NAME: '${{ steps.secrets.outputs.POSTGRES_IAM_CONNECTION_NAME }}' - POSTGRES_USER: '${{ steps.secrets.outputs.POSTGRES_USER }}' - POSTGRES_IAM_USER: '${{ steps.secrets.outputs.POSTGRES_IAM_USER }}' - POSTGRES_PASS: '${{ steps.secrets.outputs.POSTGRES_PASS }}' - POSTGRES_DB: '${{ steps.secrets.outputs.POSTGRES_DB }}' - SQLSERVER_CONNECTION_NAME: '${{ steps.secrets.outputs.SQLSERVER_CONNECTION_NAME }}' - SQLSERVER_USER: '${{ steps.secrets.outputs.SQLSERVER_USER }}' - SQLSERVER_PASS: 
'${{ steps.secrets.outputs.SQLSERVER_PASS }}' - SQLSERVER_DB: '${{ steps.secrets.outputs.SQLSERVER_DB }}' + MYSQL_CONNECTION_NAME: "${{ steps.secrets.outputs.MYSQL_CONNECTION_NAME }}" + MYSQL_IAM_CONNECTION_NAME: "${{ steps.secrets.outputs.MYSQL_IAM_CONNECTION_NAME }}" + MYSQL_USER: "${{ steps.secrets.outputs.MYSQL_USER }}" + MYSQL_IAM_USER: "${{ steps.secrets.outputs.MYSQL_IAM_USER }}" + MYSQL_PASS: "${{ steps.secrets.outputs.MYSQL_PASS }}" + MYSQL_DB: "${{ steps.secrets.outputs.MYSQL_DB }}" + POSTGRES_CONNECTION_NAME: "${{ steps.secrets.outputs.POSTGRES_CONNECTION_NAME }}" + POSTGRES_IAM_CONNECTION_NAME: "${{ steps.secrets.outputs.POSTGRES_IAM_CONNECTION_NAME }}" + POSTGRES_USER: "${{ steps.secrets.outputs.POSTGRES_USER }}" + POSTGRES_IAM_USER: "${{ steps.secrets.outputs.POSTGRES_IAM_USER }}" + POSTGRES_PASS: "${{ steps.secrets.outputs.POSTGRES_PASS }}" + POSTGRES_DB: "${{ steps.secrets.outputs.POSTGRES_DB }}" + SQLSERVER_CONNECTION_NAME: "${{ steps.secrets.outputs.SQLSERVER_CONNECTION_NAME }}" + SQLSERVER_USER: "${{ steps.secrets.outputs.SQLSERVER_USER }}" + SQLSERVER_PASS: "${{ steps.secrets.outputs.SQLSERVER_PASS }}" + SQLSERVER_DB: "${{ steps.secrets.outputs.SQLSERVER_DB }}" run: nox -s system-${{ matrix.python-version }} - + - name: FlakyBot (Linux) # only run flakybot on periodic (schedule) and continuous (push) events if: ${{ (github.event_name == 'schedule' || github.event_name == 'push') && runner.os == 'Linux' && always() }} 
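Review bot: Moving `PROVIDER_NAME`, `SERVICE_ACCOUNT` and `GOOGLE_CLOUD_PROJECT` from `secrets` to `vars` means these values are no longer masked in run logs and are readable by anyone with read access to the repository, so the workload identity provider's attribute condition is now the only thing restricting token issuance to this repository (and ideally to whichever events remain in `on:` above). That is the correct model for WIF, since a provider resource name is an identifier rather than a credential, but the condition should be confirmed on the provider side before merging rather than relying on the name being obscure; a one-line comment above the `auth` step, such as `# non-secret identifiers; access is governed by the WIF provider's attribute condition`, would record that decision. The `access_token_lifetime: 600s` context line already bounds the minted token, which is good to keep. The job's `permissions` block, including the `id-token: write` this step depends on, lies above this hunk.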
@@ -144,9 +120,9 @@ jobs: curl https://github.com/googleapis/repo-automation-bots/releases/download/flakybot-1.1.0/flakybot-darwin-amd64 -o flakybot -s -L chmod +x ./flakybot ./flakybot --repo ${{github.repository}} --commit_hash ${{github.sha}} --build_url https://github.com/${{github.repository}}/actions/runs/${{github.run_id}} - + unit: - # run job on proper workflow event triggers (skip job for pull_request event from forks and only run pull_request_target for "tests: run" label) + # run job on proper workflow event triggers (skip job for pull_request event from forks and only run pull_request_target for "tests: run" label) if: "${{ (github.event.action != 'labeled' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name) || github.event.label.name == 'tests: run' }}" name: unit tests runs-on: ubuntu-latest @@ -160,28 +136,8 @@ jobs: issues: write pull-requests: write steps: - - name: Remove PR label - if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}" - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - try { - await github.rest.issues.removeLabel({ - name: 'tests: run', - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.payload.pull_request.number - }); - } catch (e) { - console.log('Failed to remove label. Another job may have already removed it!'); - } - - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.pull_request.head.sha }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - name: Setup Python ${{ matrix.python-version }} uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 
@@ -191,14 +147,14 @@ jobs:
       - name: Install nox
         run: pip install nox
 
-      - id: 'auth'
-        name: 'Authenticate to Google Cloud'
+      - id: "auth"
+        name: "Authenticate to Google Cloud"
         # only needed for Flakybot on periodic (schedule) and continuous (push) events
         if: ${{ github.event_name == 'schedule' || github.event_name == 'push' }}
         uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
         with:
-          workload_identity_provider: ${{ secrets.PROVIDER_NAME }}
-          service_account: ${{ secrets.SERVICE_ACCOUNT }}
+          workload_identity_provider: ${{ vars.PROVIDER_NAME }}
+          service_account: ${{ vars.SERVICE_ACCOUNT }}
           access_token_lifetime: 600s
 
       - name: Run tests
@@ -211,4 +167,3 @@ jobs:
           curl https://github.com/googleapis/repo-automation-bots/releases/download/flakybot-1.1.0/flakybot -o flakybot -s -L
           chmod +x ./flakybot
           ./flakybot --repo ${{github.repository}} --commit_hash ${{github.sha}} --build_url https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}
-

From 65c01ad6412584c0bbb83e766ddd10283a696d26 Mon Sep 17 00:00:00 2001
From: jackwotherspoon
Date: Mon, 22 Jul 2024 14:32:47 +0000
Subject: [PATCH 2/4] chore: update workflow

---
 .github/workflows/tests.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index eaabd3a0..51cc3cb7 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -51,7 +51,7 @@ jobs:
         run: pip install nox
 
       - id: "auth"
-        name: "Authenticate to Google Cloud"
+        name: Authenticate to Google Cloud
         uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
         with:
           workload_identity_provider: ${{ vars.PROVIDER_NAME }}

From 94dcffa2dd51f8085d43ccaa04e3233ec6cefee8 Mon Sep 17 00:00:00 2001
From: jackwotherspoon
Date: Mon, 22 Jul 2024 15:08:31 +0000
Subject: [PATCH 3/4] chore: update workflow

---
 .github/workflows/tests.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 51cc3cb7..4ddff46b 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -50,7 +50,7 @@ jobs:
       - name: Install nox
         run: pip install nox
 
-      - id: "auth"
+      - id: auth
         name: Authenticate to Google Cloud
         uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
         with:
@@ -58,7 +58,7 @@ jobs:
           service_account: ${{ vars.SERVICE_ACCOUNT }}
           access_token_lifetime: 600s
 
-      - id: "secrets"
+      - id: secrets
         name: Get secrets
         uses: google-github-actions/get-secretmanager-secrets@dc4a1392bad0fd60aee00bb2097e30ef07a1caae # v2.1.3
         with:

From ab04082df8a03a19ee234184a4f39b4eb8bf76d2 Mon Sep 17 00:00:00 2001
From: jackwotherspoon
Date: Mon, 22 Jul 2024 17:44:34 +0000
Subject: [PATCH 4/4] chore: remove trusted contribution

---
 .github/trusted-contribution.yml | 19 -------------------
 .github/workflows/tests.yml | 6 ++----
 2 files changed, 2 insertions(+), 23 deletions(-)
 delete mode 100644 .github/trusted-contribution.yml

diff --git a/.github/trusted-contribution.yml b/.github/trusted-contribution.yml
deleted file mode 100644
index 80ed9aa1..00000000
--- a/.github/trusted-contribution.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-annotations:
-  - type: label
-    text: "tests: run"
-
-trustedContributors: ['renovate-bot', 'gcf-merge-on-green[bot]']
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 4ddff46b..3c51989b 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -122,8 +122,6 @@ jobs:
           ./flakybot --repo ${{github.repository}} --commit_hash ${{github.sha}} --build_url https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}
 
   unit:
-    # run job on proper workflow event triggers (skip job for pull_request event from forks and only run pull_request_target for "tests: run" label)
-    if: "${{ (github.event.action != 'labeled' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name) || github.event.label.name == 'tests: run' }}"
     name: unit tests
     runs-on: ubuntu-latest
     strategy:
@@ -147,8 +145,8 @@ jobs:
       - name: Install nox
         run: pip install nox
 
-      - id: "auth"
-        name: "Authenticate to Google Cloud"
+      - id: auth
+        name: Authenticate to Google Cloud
         # only needed for Flakybot on periodic (schedule) and continuous (push) events
         if: ${{ github.event_name == 'schedule' || github.event_name == 'push' }}
         uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3