From 7c77635b25be8846e59b508d1a8e5af857570347 Mon Sep 17 00:00:00 2001
From: Cody Soyland
Date: Mon, 14 Oct 2024 13:50:43 -0400
Subject: [PATCH 1/2] Add workflow to synchronize go mod changes with submodules
Signed-off-by: Cody Soyland
---
 .github/workflows/synchronize-go-mod.yml | 48 ++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 .github/workflows/synchronize-go-mod.yml
diff --git a/.github/workflows/synchronize-go-mod.yml b/.github/workflows/synchronize-go-mod.yml
new file mode 100644
index 0000000..d685ebd
--- /dev/null
+++ b/.github/workflows/synchronize-go-mod.yml
@@ -0,0 +1,48 @@
+name: Synchronize go.mod in submodules
+
+on:
+ pull_request:
+ branches:
+ - main
+ types:
+ - opened
+ - synchronize
+
+permissions:
+ contents: write
+
+jobs:
+ synchronize-go-mod:
+ if: github.actor == 'dependabot[bot]'
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+
+ - name: Install Go
+ uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ with:
+ go-version-file: go.mod
+
+ - name: Synchronize go.mod in submodules
+ run: |
+ go mod tidy
+ cd examples/oci-image-verification; go mod tidy
+
+ - name: Commit and push changes
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ if [ -n "$(git status --porcelain)" ]; then
+ echo "Changes detected:"
+ git diff
+ git config --global user.name "github-actions[bot]"
+ git config --global user.email "github-actions[bot]@users.noreply.github.com"
+ git commit -a -s -m "Synchronize go.mod in submodules"
+ git push origin HEAD:${{ github.event.pull_request.head.ref }}
+ else
+ echo "No changes to commit"
+ fi
From 067557f2dd42b80398b0a91c0beb354fee5cf0b8 Mon Sep 17 00:00:00 2001
From: Cody Soyland
Date: Tue, 29 Oct 2024 12:37:59 -0400
Subject: [PATCH 2/2] Use octo-sts instead of PAT
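Review bot: `git push origin HEAD:${{ github.event.pull_request.head.ref }}` in the "Commit and push changes" step expands an event value directly into the shell script; the `github.actor == 'dependabot[bot]'` job condition limits this to Dependabot-created branches, but the GitHub-recommended form is to hand the value to the script through the environment so that no expression is ever expanded into the script body: add `env:` / `HEAD_REF: ${{ github.event.pull_request.head.ref }}` to the step and push with `git push origin "HEAD:$HEAD_REF"`. In the "Synchronize go.mod in submodules" step, `cd examples/oci-image-verification; go mod tidy` would read more safely as `cd examples/oci-image-verification && go mod tidy`, so that a failed `cd` can never fall through to tidying the root module; the default `bash -e` for `run:` steps appears to abort on the failed `cd` already, but the intent is clearer when the dependency is explicit.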
Signed-off-by: Cody Soyland
---
 .github/chainguard/sync.sts.yaml | 7 +++++++
 .github/workflows/synchronize-go-mod.yml | 12 ++++++++----
 2 files changed, 15 insertions(+), 4 deletions(-)
 create mode 100644 .github/chainguard/sync.sts.yaml
diff --git a/.github/chainguard/sync.sts.yaml b/.github/chainguard/sync.sts.yaml
new file mode 100644
index 0000000..11ae628
--- /dev/null
+++ b/.github/chainguard/sync.sts.yaml
@@ -0,0 +1,7 @@
+issuer: https://token.actions.githubusercontent.com
+subject: repo:sigstore/sigstore-go:pull_request
+claim_pattern:
+ actor: "dependabot\[bot\]"
+
+permissions:
+ contents: write
diff --git a/.github/workflows/synchronize-go-mod.yml b/.github/workflows/synchronize-go-mod.yml
index d685ebd..0cca769 100644
--- a/.github/workflows/synchronize-go-mod.yml
+++ b/.github/workflows/synchronize-go-mod.yml
@@ -17,24 +17,28 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
+ - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0
+ id: octo-sts
+ with:
+ scope: sigstore/sigstore-go
+ identity: sync
+
 - name: Checkout repository
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 ref: ${{ github.event.pull_request.head.ref }}
+ token: ${{ steps.octo-sts.outputs.token }}
 
 - name: Install Go
 uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version-file: go.mod
 
- - name: Synchronize go.mod in submodules
+ - name: Synchronize go.mod in submodule
 run: |
- go mod tidy
 cd examples/oci-image-verification; go mod tidy
 
 - name: Commit and push changes
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 if [ -n "$(git status --porcelain)" ]; then
 echo "Changes detected:"
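Review bot: `actor: "dependabot\[bot\]"` puts `\[` and `\]` inside a double-quoted YAML scalar, and `\[` is not one of the escape sequences YAML defines for that style; strict parsers such as go-yaml and PyYAML reject a double-quoted scalar containing an unknown escape ("found unknown escape character"), so the trust policy may fail to load before any claim is compared. Single quotes keep the backslashes literal and hand the regex engine exactly `dependabot\[bot\]`: `actor: 'dependabot\[bot\]'`. Whether octo-sts anchors `claim_pattern` regexes to the whole claim value is not visible from this file; if it does not, writing the pattern as `'^dependabot\[bot\]$'` would keep the policy from matching any actor login that merely contains that string.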
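Review bot: The new `octo-sts/action` step obtains a GitHub OIDC token, which requires the `id-token: write` permission, but the workflow-level `permissions:` block above this hunk (added in the first patch) grants only `contents: write`, and an explicit `permissions:` block sets every unlisted scope to `none`; as written the step is expected to fail before it can mint the token that the checkout step now consumes via `token: ${{ steps.octo-sts.outputs.token }}`. Since the push is now authenticated with the octo-sts token rather than the job's `GITHUB_TOKEN`, the workflow token no longer needs write access, so the block should become `permissions:` / `contents: read` / `id-token: write`. That keeps the `pull_request`-triggered job at the least privilege its own token needs, with write access coming only from the STS policy.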