From f5e3651cc4204fd3b5a6ab2428887ed36e5983c6 Mon Sep 17 00:00:00 2001 From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> Date: Tue, 23 Jul 2024 14:44:01 -0400 Subject: [PATCH] update workflows --- .github/labeler.yml | 20 ++++++++-------- .github/workflows/bump-version.yml | 37 +++++++++++++++++++----------- 2 files changed, 34 insertions(+), 23 deletions(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index c88b1a7..369c8c5 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -8,13 +8,13 @@ # Uncomment the following lines to enable the labeler (requires labels with the same name to exist in the repository) # label 'ci' all automation-related steps and files -#'CI': -# - changed-files: -# - any-glob-to-any-file: -# - '.editorconfig' -# - '.flake8' -# - '.pre-commit-config.yaml' -# - '.yamllint.yml' -# - '.github/workflows/*' -# - 'tox.ini' -# - 'Makefile' +'CI': + - changed-files: + - any-glob-to-any-file: + - '.editorconfig' + - '.flake8' + - '.pre-commit-config.yaml' + - '.yamllint.yml' + - '.github/workflows/*' + - 'tox.ini' + - 'Makefile' diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml index 5d0211a..3397dbd 100644 --- a/.github/workflows/bump-version.yml +++ b/.github/workflows/bump-version.yml @@ -40,7 +40,6 @@ jobs: runs-on: ubuntu-latest permissions: actions: read - contents: write steps: - name: Harden Runner uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 
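Review bot: The context comment directly above the uncommented block, "Uncomment the following lines to enable the labeler (requires labels with the same name to exist in the repository)", is now stale since the `'CI'` rule is live; replace it with `# 'CI' rule: requires a label with the same name to exist in the repository`. Note also that `'.github/workflows/*'` with `any-glob-to-any-file` matches only files directly under that directory, so a workflow in a subfolder would not be labelled; if that is intended, fine, otherwise `'.github/workflows/**'` is the broader form.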
@@ -48,30 +47,41 @@ jobs: disable-sudo: true egress-policy: block allowed-endpoints: > + api.github.com:443 files.pythonhosted.org:443 github.com:443 pypi.org:443 - - name: Checkout Repository (no persist-credentials) + - name: Generate App Token + id: token_generator + uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3 + with: + app-id: ${{ secrets.OURANOS_HELPER_BOT_ID }} + private-key: ${{ secrets.OURANOS_HELPER_BOT_KEY }} + - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: - persist-credentials: false - fetch-depth: 0 + token: ${{ steps.token_generator.outputs.token }} - name: Set up Python3 uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: "3.x" - - name: Config Commit Bot - run: | - git config --local user.email "bumpversion[bot]@ouranos.ca" - git config --local user.name "bumpversion[bot]" + - name: Import GPG Key + uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0 + with: + gpg_private_key: ${{ secrets.OURANOS_HELPER_BOT_GPG_PRIVATE_KEY }} + passphrase: ${{ secrets.OURANOS_HELPER_BOT_GPG_PRIVATE_KEY_PASSWORD }} + git_user_signingkey: true + git_commit_gpgsign: true + trust_level: 5 - name: Current Version run: | - CURRENT_VERSION="$(grep -E '__version__' src/xsdba/__init__.py | cut -d ' ' -f3)" + CURRENT_VERSION="$(grep -E '__version__' src/xsdba/__init__.py | cut -d ' ' -f3)" + echo "current_version=${CURRENT_VERSION}" echo "CURRENT_VERSION=${CURRENT_VERSION}" >> $GITHUB_ENV - name: Install CI libraries run: | python -m pip install --require-hashes -r CI/requirements_ci.txt - - name: Conditional Bump Version + - name: Conditional Bump run: | if [[ ${{ env.CURRENT_VERSION }} =~ -dev(\.\d+)? ]]; then echo "Development version (ends in 'dev(\.\d+)?'), bumping 'build' version" 
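Review bot: The Checkout Repository step drops `persist-credentials: false` while switching to the app token, so that token is written into the workspace `.git/config` and stays readable by every later step of the job (pip install, bump-my-version, the GPG import) rather than only by the push. Keeping `persist-credentials: false` next to `token: ${{ steps.token_generator.outputs.token }}` and handing the same token to the push step explicitly keeps the credential scoped to the two steps that need it. The same step also drops `fetch-depth: 0`; if bump-my-version reads tags or history here, the shallow clone will change its result — worth confirming. Separately, `echo "current_version=${CURRENT_VERSION}"` only reaches the job log; if it was meant as a step output it needs a step `id:` and `>> "$GITHUB_OUTPUT"`. The enclosing job begins before this hunk, in the previous one.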
@@ -80,10 +90,11 @@ jobs: echo "Version is stable, bumping 'patch' version" bump-my-version bump patch fi - bump-my-version show-bump + NEW_VERSION="$(grep -E '__version__' src/xsdba/__init__.py | cut -d ' ' -f3)" + echo "new_version=${NEW_VERSION}" + echo "NEW_VERSION=${NEW_VERSION}" >> $GITHUB_ENV - name: Push Changes uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # v0.8.0 with: force: false - github_token: ${{ secrets.BUMP_VERSION_TOKEN }} - branch: ${{ github.ref }} + branch: ${{ github.ref }} \ No newline at end of file
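Review bot: The Push Changes step no longer receives a `github_token`, and this action's default for that input is `${{ github.token }}`, which after the `contents: write` removal in the first bump-version.yml hunk carries only `actions: read`; unless the action happens to reuse the credential persisted by checkout, the push will be rejected. Pass the app token explicitly, `github_token: ${{ steps.token_generator.outputs.token }}`, which also makes the job independent of checkout's persisted credentials. The new `echo "new_version=${NEW_VERSION}"` line, like `current_version` earlier, only goes to the log — if a step output is intended it needs `>> "$GITHUB_OUTPUT"` and a step `id:`. The file also loses its trailing newline on the `branch:` line, which is the only thing that changed there. The enclosing job starts outside this hunk.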