diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 212fcc8..89138e5 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,2 +1,2 @@ * @Staffbase/workflow-enthusiasts -.github/workflows/template_testio_trigger_test.yml @Staffbase/bomberman +.github/workflows/template_testio_trigger_test.yml @Staffbase/pokemon diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml index 5400630..8c6b127 100644 --- a/.github/workflows/cla.yml +++ b/.github/workflows/cla.yml @@ -12,7 +12,7 @@ jobs: steps: - name: "CLA Assistant" if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request' - uses: cla-assistant/github-action@v2.4.0 + uses: cla-assistant/github-action@v2.6.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PERSONAL_ACCESS_TOKEN: ${{ secrets.OSS_CONTRIBUTOR_LICENSE_AGREEMENT }} diff --git a/.github/workflows/template_autodev.yml b/.github/workflows/template_autodev.yml index 7d2663d..8e05335 100644 --- a/.github/workflows/template_autodev.yml +++ b/.github/workflows/template_autodev.yml @@ -67,7 +67,7 @@ jobs: steps: - name: Get App Token if: ${{ env.USING_APP_CREDENTIALS == 'true' }} - uses: actions/create-github-app-token@v1.10.0 + uses: actions/create-github-app-token@v1.11.0 id: get_token with: app-id: ${{ secrets.app_id }} diff --git a/.github/workflows/template_automerge_dependabot.yml b/.github/workflows/template_automerge_dependabot.yml index 3d5dae2..f3634ee 100644 --- a/.github/workflows/template_automerge_dependabot.yml +++ b/.github/workflows/template_automerge_dependabot.yml 
@@ -12,6 +12,16 @@ on: default: "squash" required: false type: string + update-types: + description: "Types of version update to allow (possible values are: minor, major, patch)" + default: "patch,minor" + required: false + type: string + include-pre-release: + description: "Include pre-release updates" + default: false + required: false + type: boolean secrets: app_id: required: true @@ -28,7 +38,7 @@ jobs: steps: - name: Get App Token - uses: actions/create-github-app-token@v1.10.0 + uses: actions/create-github-app-token@v1.11.0 id: get_token with: app-id: ${{ secrets.app_id }} @@ -36,15 +46,30 @@ jobs: - name: Load dependabot metadata id: metadata - uses: dependabot/fetch-metadata@v2.1.0 + uses: dependabot/fetch-metadata@v2.2.0 with: github-token: ${{ steps.get_token.outputs.token }} - name: Enable auto-merge for Dependabot PRs if: >- - (steps.metadata.outputs.update-type == 'version-update:semver-patch' || - steps.metadata.outputs.update-type == 'version-update:semver-minor') && - !startsWith(steps.metadata.outputs.previous-version, '0.') + ( + inputs.include-pre-release || + !startsWith(steps.metadata.outputs.previous-version, '0.') + ) && + ( + ( + contains(inputs.update-types, 'major') && + steps.metadata.outputs.update-type == 'version-update:semver-major' + ) || + ( + contains(inputs.update-types, 'minor') && + steps.metadata.outputs.update-type == 'version-update:semver-minor' + ) || + ( + contains(inputs.update-types, 'patch') && + steps.metadata.outputs.update-type == 'version-update:semver-patch' + ) + ) run: | gh pr review --approve "$PR_URL" diff --git a/.github/workflows/template_gitops.yml b/.github/workflows/template_gitops.yml index 4679a37..9260c7d 100644 --- a/.github/workflows/template_gitops.yml +++ b/.github/workflows/template_gitops.yml @@ -6,7 +6,7 @@ on: docker-registry: required: false type: string - default: "staffbase.jfrog.io" + default: "registry.staffbase.com" docker-build-args: required: false type: string 
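Review bot: The `description` on the new `include-pre-release` input does not describe what the flag gates: the `if:` rewritten later in this file and the README text added in the same commit use it to permit auto-merge when `previous-version` starts with `0.`, i.e. an unstable 0.x release, not a semver pre-release such as `1.0.0-beta`. Suggest `description: "Allow auto-merge when the current version is 0.x (semver permits breaking changes in 0.x minor releases)"`. The `update-types` description should also state that the value is a comma-separated list, since it is consumed with `contains()`, e.g. `description: "Comma-separated list of update types to auto-merge: patch, minor, major"`.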
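Review bot: The rewritten `if:` makes major-version bumps eligible for unattended approval once a caller lists `major`, and nothing else in the condition narrows that by ecosystem or dependency kind; for `github_actions` dependencies a major bump means new upstream code runs in the caller's workflows without a human having looked at it. If that breadth is intended, consider gating the `major` branch on `steps.metadata.outputs.package-ecosystem` or `dependency-type`, which `dependabot/fetch-metadata` also exposes, or at least call the risk out in the README next to `update-types`. The three `contains(inputs.update-types, ...)` checks are substring tests, so a malformed value such as `majority` still enables a branch; documenting the input as an exact comma-separated list is the practical mitigation. Whether the job is restricted to `github.actor == 'dependabot[bot]'` is decided outside this hunk, and the `run:` block continues past it.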
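Review bot: The README hunk in this same commit still documents the old registry for `template_gitops.yml` (`# optional: host of the docker registry, default: "staffbase.jfrog.io"`), so that comment now contradicts the new `default: "registry.staffbase.com"`; update it to `# optional: host of the docker registry, default: "registry.staffbase.com"`. Callers that rely on the default will start pushing to and deploying from a different registry on upgrade, which deserves a line in the release notes.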
@@ -29,6 +29,9 @@ on: required: false type: string default: sb-images/${{ github.event.repository.name }} + docker-custom-tag: + required: false + type: string gitops-dev: required: false type: string @@ -49,11 +52,11 @@ on: gitops-user: required: false type: string - default: "Staffbot" + default: "staffbase-actions" gitops-email: required: false type: string - default: "staffbot@staffbase.com" + default: "staffbase-actions[bot]@users.noreply.github.com" working-directory: required: false type: string @@ -93,7 +96,7 @@ jobs: - name: Get App Token if: ${{ env.USING_APP_CREDENTIALS == 'true' }} - uses: actions/create-github-app-token@v1.10.0 + uses: actions/create-github-app-token@v1.11.0 id: get_token with: app-id: ${{ secrets.app-id }} @@ -101,7 +104,7 @@ jobs: owner: ${{inputs.gitops-organization }} - name: GitOps (build, push and deploy a new Docker image) - uses: Staffbase/gitops-github-action@v5.5 + uses: Staffbase/gitops-github-action@v6.2 with: docker-registry: ${{ inputs.docker-registry }} docker-username: ${{ secrets.docker-username }} @@ -116,6 +119,7 @@ jobs: docker-disable-retagging: ${{ inputs.docker-disable-retagging }} docker-file: ${{ inputs.docker-file }} docker-image: ${{ inputs.docker-image }} + docker-custom-tag: ${{ inputs.docker-custom-tag }} gitops-organization: ${{ inputs.gitops-organization }} gitops-repository: ${{ inputs.gitops-repository }} gitops-user: ${{ inputs.gitops-user }} diff --git a/.github/workflows/template_jira_tagging.yml b/.github/workflows/template_jira_tagging.yml index c3f6b80..ba8c2d0 100644 --- a/.github/workflows/template_jira_tagging.yml +++ b/.github/workflows/template_jira_tagging.yml 
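Review bot: The new `gitops-email` default `staffbase-actions[bot]@users.noreply.github.com` lacks the numeric id prefix GitHub uses to link commits to a bot account, which normally has the form `<user-id>+staffbase-actions[bot]@users.noreply.github.com`; without it the commits may show an unlinked author rather than the app. Worth checking one commit produced with the new defaults in the GitOps repository before relying on attribution. If the id is added, the README comment added in this commit for `gitops-email` should carry the same value.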
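Review bot: `docker-custom-tag` is forwarded as `${{ inputs.docker-custom-tag }}` with no default, so callers that omit it pass an empty string to `Staffbase/gitops-github-action@v6.2`; whether the action treats an empty string as "not set" and falls back to the generated tag is not visible here and should be confirmed, since the README describes the custom tag as taking precedence. The input is also declared (in the earlier hunk of this file) without a `description:` or stated format; a description naming the allowed Docker tag characters and warning against mutable tags such as `latest` for a production image would help callers.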
@@ -33,12 +33,12 @@ jobs: - name: Fetch ticket Ids id: fetchTicketIds - uses: Staffbase/github-action-issue-id-collection@v1.1.0 + uses: Staffbase/github-action-issue-id-collection@v1.2.0 env: TAG_MATCHER: ${{ inputs.tag-matcher }} - name: Add release notes to JIRA tickets - uses: Staffbase/github-action-jira-release-tagging@v1.3.1 + uses: Staffbase/github-action-jira-release-tagging@v1.4.0 env: JIRA_BASEURL: ${{ secrets.jira-url }} JIRA_TOKEN: ${{ secrets.jira-token }} diff --git a/.github/workflows/template_release_drafter.yml b/.github/workflows/template_release_drafter.yml index de50f3a..2162c7d 100644 --- a/.github/workflows/template_release_drafter.yml +++ b/.github/workflows/template_release_drafter.yml @@ -36,7 +36,7 @@ jobs: steps: - name: Get App Token if: ${{ env.USING_APP_CREDENTIALS == 'true' }} - uses: actions/create-github-app-token@v1.10.0 + uses: actions/create-github-app-token@v1.11.0 id: get_token with: app-id: ${{ secrets.app_id }} diff --git a/.github/workflows/template_secret_scan.yml b/.github/workflows/template_secret_scan.yml index ea50bbf..d9e9da1 100644 --- a/.github/workflows/template_secret_scan.yml +++ b/.github/workflows/template_secret_scan.yml @@ -17,7 +17,7 @@ jobs: fetch-tags: false - name: TruffleHog OSS - uses: trufflesecurity/trufflehog@v3.78.0 + uses: trufflesecurity/trufflehog@v3.82.2 with: path: ./ base: ${{ github.event.repository.default_branch }} diff --git a/.github/workflows/versions.yml b/.github/workflows/versions.yml index f3dd2de..fd1f359 100644 --- a/.github/workflows/versions.yml +++ b/.github/workflows/versions.yml 
@@ -15,14 +15,14 @@ jobs: sed -i -E 's/(v[0-9]+.[0-9]+.[0-9]+)/${{ github.ref_name }}/g' README.md - name: Get App Token - uses: actions/create-github-app-token@v1.10.1 + uses: actions/create-github-app-token@v1.11.0 id: get_token with: app-id: ${{ vars.STAFFBASE_ACTIONS_APP_ID }} private-key: ${{ secrets.STAFFBASE_ACTIONS_PRIVATE_KEY }} - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@v7 with: token: ${{ steps.get_token.outputs.token }} title: ":memo: Update Readme Versions" diff --git a/README.md b/README.md index 68f5b8e..ba8dcb3 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ on: jobs: : - uses: Staffbase/gha-workflows/.github/workflows/template_*.yml@v5.5.0 + uses: Staffbase/gha-workflows/.github/workflows/template_*.yml@v6.1.0 with: ... ``` @@ -43,12 +43,16 @@ on: jobs: dependabot: - uses: Staffbase/gha-workflows/.github/workflows/template_automerge_dependabot.yml@v5.5.0 + uses: Staffbase/gha-workflows/.github/workflows/template_automerge_dependabot.yml@v6.1.0 with: # optional: ⚠️ only enable the force merge if you want to do the merge just now force: true # optional: choose strategy when merging (default: squash) strategy: rebase, merge + # optional: choose which types of update you want to allow (default: minor,patch) + update-types: major,minor,patch + # optional: choose if you want to allow versions with semver 0.X.X (default: false) + include-pre-release: true secrets: # identifier of the GitHub App for authentication app_id: ${{ }} @@ -74,7 +78,7 @@ on: jobs: autodev: - uses: Staffbase/gha-workflows/.github/workflows/template_autodev.yml@v5.5.0 + uses: Staffbase/gha-workflows/.github/workflows/template_autodev.yml@v6.1.0 with: # optional: base branch from which the history originates, default: main base: master 
@@ -99,7 +103,7 @@ jobs: token: ${{ }} # optional: identifier of the GitHub App for authentication app_id: ${{ }} - # optional: private key of the GitHub App + # optional: private key of the GitHub App private_key: ${{ }} ``` @@ -116,7 +120,7 @@ on: [ push ] jobs: gitops: - uses: Staffbase/gha-workflows/.github/workflows/template_gitops.yml@v5.5.0 + uses: Staffbase/gha-workflows/.github/workflows/template_gitops.yml@v6.1.0 with: # optional: host of the docker registry, default: "staffbase.jfrog.io" docker-registry: "" @@ -133,13 +137,15 @@ jobs: docker-file: # optional: name of the docker image, default: private/ docker-image: + # optional: custom tag for the productive docker image which is preferred over the tag generated by the workflow + docker-custom-tag: # optional: organization of the gitops repository, default: github.repository_owner gitops-organization: # optional: repository where to update the files, default: mops gitops-repository: "" - # optional: user which does the commit, default: "Staffbot" + # optional: user which does the commit, default: "staffbase-actions" gitops-user: "" - # optional: email of the user which does the commit, default: "staffbot@staffbase.com" + # optional: email of the user which does the commit, default: "staffbase-actions[bot]@users.noreply.github.com" gitops-email: "" # optional: files which should be updated for dev gitops-dev: |- @@ -189,7 +195,7 @@ on: jobs: jira_annotate: - uses: Staffbase/gha-workflows/.github/workflows/template_jira_tagging.yml@v5.5.0 + uses: Staffbase/gha-workflows/.github/workflows/template_jira_tagging.yml@v6.1.0 with: # optional: name of the service to add as label, default: name of the repository name: 'component name' 
@@ -222,7 +228,7 @@ on: jobs: ld_code_references: - uses: Staffbase/gha-workflows/.github/workflows/template_launchdarkly_code_references.yml@v5.5.0 + uses: Staffbase/gha-workflows/.github/workflows/template_launchdarkly_code_references.yml@v6.1.0 with: # optional: key of the LD project, default: default project-key: 'my-project' @@ -247,7 +253,7 @@ on: jobs: block: - uses: Staffbase/gha-workflows/.github/workflows/template_merge_block.yml@v5.5.0 + uses: Staffbase/gha-workflows/.github/workflows/template_merge_block.yml@v6.1.0 with: # optional: name of the label if the PR should not be merged, default: do not merge label: merge block @@ -275,8 +281,8 @@ on: jobs: update_release_draft: - uses: Staffbase/gha-workflows/.github/workflows/template_release_drafter.yml@v5.5.0 - with: + uses: Staffbase/gha-workflows/.github/workflows/template_release_drafter.yml@v6.1.0 + with: # optional: name of the release name: Version X.Y.Z # optional: should the release be published, default: false @@ -290,7 +296,7 @@ jobs: token: ${{ }} # optional: identifier of the GitHub App for authentication app_id: ${{ }} - # optional: private key of the GitHub App + # optional: private key of the GitHub App private_key: ${{ }} ``` @@ -314,7 +320,7 @@ on: jobs: new_version: - uses: Staffbase/gha-workflows/.github/workflows/template_release_version.yml@v5.5.0 + uses: Staffbase/gha-workflows/.github/workflows/template_release_version.yml@v6.1.0 with: # optional: format of the version, default: weekly format: 'quarterly' @@ -332,9 +338,9 @@ on: ``` - + ### Secret Scanning - +
This workflow should be called by a PR and will scan it's commits for leaked credentials. The workflow will fail if any results are found. @@ -345,7 +351,7 @@ on: [pull_request] jobs: trufflehog: - uses: Staffbase/gha-workflows/.github/workflows/template_secret_scan.yml@v5.5.0 + uses: Staffbase/gha-workflows/.github/workflows/template_secret_scan.yml@v6.1.0 ```
@@ -364,7 +370,7 @@ on: jobs: stale: - uses: Staffbase/gha-workflows/.github/workflows/template_stale.yml@v5.5.0 + uses: Staffbase/gha-workflows/.github/workflows/template_stale.yml@v6.1.0 with: # optional: comment on the stale pull request while closed, default: This stale PR was closed because there was no activity. close-pr-message: your message @@ -401,7 +407,7 @@ on: jobs: techdocs: - uses: Staffbase/gha-workflows/.github/workflows/template_techdocs.yml@v5.5.0 + uses: Staffbase/gha-workflows/.github/workflows/template_techdocs.yml@v6.1.0 with: # optional: kind of the Backstage entity, default: Component # ref: https://backstage.io/docs/features/software-catalog/descriptor-format#contents @@ -433,7 +439,7 @@ on: jobs: trigger-testio-test: - uses: Staffbase/gha-workflows/.github/workflows/template_testio_trigger_test.yml@v5.5.0 + uses: Staffbase/gha-workflows/.github/workflows/template_testio_trigger_test.yml@v6.1.0 with: # optional: the slug you received from TestIO, defaults to 'staffbase' testio-slug: your TestIO slug @@ -442,7 +448,7 @@ jobs: secrets: # GitHub token to be used for commenting in a PR github-token: ${{ secrets.GITHUB_TOKEN }} - # TestIO token of a user for which the triggered test is created + # TestIO token of a user for which the triggered test is created testio-token: ${{ secrets.TESTIO_TOKEN }} ``` @@ -465,7 +471,7 @@ on: jobs: yamllint: - uses: Staffbase/gha-workflows/.github/workflows/template_yaml.yml@v5.5.0 + uses: Staffbase/gha-workflows/.github/workflows/template_yaml.yml@v6.1.0 with: # optional: name of the running action, default: yamllint / yamllint action-name: your name @@ -494,7 +500,7 @@ Please read [CONTRIBUTING.md](CONTRIBUTING.md) for details on our code of conduc ## License 📄 This project is licensed under the Apache-2.0 License - see the [LICENSE.md](LICENSE) file for details. - +