Skip to content

Bump Microsoft.EntityFrameworkCore.Sqlite and Microsoft.Bcl.AsyncInterfaces #12

Bump Microsoft.EntityFrameworkCore.Sqlite and Microsoft.Bcl.AsyncInterfaces

Bump Microsoft.EntityFrameworkCore.Sqlite and Microsoft.Bcl.AsyncInterfaces #12

Workflow file for this run

name: 'CI Security'
on:
pull_request_target:
types: [ opened, reopened, labeled, synchronize ]
branches:
- dev
- master
concurrency:
group: "ci-security-${{ github.head_ref || github.run_id }}-${{ github.event_name }}"
cancel-in-progress: true
jobs:
security-checkpoint:
name: Check CI Clearance
runs-on: ubuntu-latest
permissions:
pull-requests: write
if: (github.event.pull_request.head.repo.id != github.event.pull_request.base.repo.id || github.event.pull_request.user.id == 49699333) && github.event.pull_request.state == 'open'
steps:
- name: Comment on new Fork PR
if: github.event.action == 'opened' && !contains(github.event.pull_request.labels.*.name, 'CI Cleared') && github.event.pull_request.user.id != 49699333
uses: thollander/actions-comment-pull-request@1d3973dc4b8e1399c0620d3f2b1aa5e795465308
with:
message: Thank you for contributing to ${{ github.event.pull_request.base.repo.name }}! The workflow '${{ github.workflow }}' requires repository secrets and will not run without approval. Maintainers can add the `CI Cleared` label to allow it to run. Note that any changes to ci-security.yml will not be reflected in the run.
- name: Comment on dependabot PR
if: github.event.action == 'opened' && !contains(github.event.pull_request.labels.*.name, 'CI Cleared') && github.event.pull_request.user.id == 49699333
uses: thollander/actions-comment-pull-request@1d3973dc4b8e1399c0620d3f2b1aa5e795465308
with:
message: Set the milestone to the next minor version, check for supply chain attacks, and then add the `CI Cleared` label to allow CI to run.
- name: "Remove Stale 'CI Cleared' Label"
if: github.event.action == 'synchronize' || github.event.action == 'reopened'
uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0
with:
labels: CI Cleared
- name: "Remove 'CI Approval Required' Label"
if: (github.event.action == 'synchronize' || github.event.action == 'reopened') || ((github.event.action == 'opened' || github.event.action == 'labeled') && contains(github.event.pull_request.labels.*.name, 'CI Cleared'))
uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0
with:
labels: CI Approval Required
- name: "Add 'CI Approval Required' Label"
if: (github.event.action == 'synchronize' || github.event.action == 'reopened') || ((github.event.action == 'opened' || github.event.action == 'labeled') && !contains(github.event.pull_request.labels.*.name, 'CI Cleared'))
uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8
with:
labels: CI Approval Required
github_token: ${{ github.token }}
- name: Fail if PR has Unlabeled new Commits from User
if: (github.event.action == 'synchronize' || github.event.action == 'reopened') || ((github.event.action == 'opened' || github.event.action == 'labeled') && !contains(github.event.pull_request.labels.*.name, 'CI Cleared'))
run: exit 1
ci-dispatch:
name: Start CI Pipeline
runs-on: ubuntu-latest
needs: security-checkpoint
permissions:
actions: write
contents: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: "refs/pull/${{ github.event.pull_request.number }}/merge"
- name: Generate Temporary Branch to Reference Merge
run: git push -f origin ${{ github.event.pull_request.number }}-merge
- name: Send Workflow Dispatch
uses: lasith-kg/dispatch-workflow@5623bf13f09bbbbdb549ec692b070307f39b66ac #v2.0.0 + setup_node@v4
with:
dispatch-method: workflow_dispatch
owner: ${{ github.repository_owner }}
repo: ${{ github.event.pull_request.base.repo.name }}
ref: ${{ github.event.pull_request.number }}-merge
workflow: ci-pipeline.yml
token: ${{ github.token }}
workflow-inputs: |
{
"pull_request_number": "${{ github.event.pull_request.number }}"
}
- name: Delete Temporary Branch
if: always()
run: git push -d origin ${{ github.event.pull_request.number }}-merge