generated from wr-projects/github-template
-
Notifications
You must be signed in to change notification settings - Fork 0
177 lines (153 loc) · 6.26 KB
/
pullrequest.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
# SPDX-FileCopyrightText: 2022 WebReady Projects <https://github.com/wr-projects/>
#
# SPDX-License-Identifier: MIT
---
name: Pipeline - Pull Request
on:
pull_request:
types: [ opened, reopened ]
permissions:
contents: read
pull-requests: write
jobs:
# More info: https://github.com/GitGuardian/ggshield-action
gitguardian:
name: GitGuardian Scanner
runs-on: ubuntu-latest
steps:
# More info: https://github.com/step-security/harden-runner.
- name: Harden Runner
id: harden_runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.gitguardian.com:443
github.com:443
- name: Checkout & Authentication
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
with:
persist-credentials: false
fetch-depth: 0
- name: GitGuardian Scanner
uses: GitGuardian/gg-shield-action@5a76f0fb3013bab9d8fbf749309a7b6408b3ec90
with:
args: -v --all-policies
env:
GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
GITHUB_PUSH_BASE_SHA: ${{ github.event.before }}
GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
# More info: https://github.com/actions/dependency-review-action
dependency-review:
runs-on: ubuntu-latest
steps:
# More info: https://github.com/step-security/harden-runner.
- name: Harden Runner
id: harden_runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
with:
egress-policy: audit
# More info: https://github.com/actions/checkout.
- name: Checkout & Authentication
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
with:
fetch-depth: 0
# More info: https://github.com/actions/dependency-review-action
- name: Dependency Review
uses: actions/dependency-review-action@01bc87099ba56df1e897b6874784491ea6309bc4
with:
config-file: './.github/config/workflows/dependency-review.yml'
# More info: https://github.com/AlbertHernandez/working-label-action
working_label:
runs-on: ubuntu-latest
steps:
# More info: https://github.com/step-security/harden-runner.
- name: Harden Runner
id: harden_runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
with:
egress-policy: audit
# More info: https://github.com/peter-murray/workflow-application-token-action.
- name: Get token
id: get_token
uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
with:
application_id: ${{ secrets.ID_WORKLABELBOT }}
application_private_key: ${{ secrets.ID_WORKLABELBOT }}
# More info: https://github.com/actions/checkout.
- name: Checkout & Authentication
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
with:
token: ${{ steps.get_token.outputs.token }}
persist-credentials: false
fetch-depth: 0
# More info: https://github.com/AlbertHernandez/working-label-action
- name: Working Label
uses: AlbertHernandez/working-label-action@398809d95be33f8f631c0f02e1d0e8cd8fbf8e73
with:
work_in_progress_label: 'type:🚧chore'
ready_to_review_label: 'status:⌛awaiting-review'
env:
GITHUB_TOKEN: ${{ steps.get_token.outputs.token }}
# More info: https://github.com/pineapplelol/emojify-pr-title
emojify-pr-title:
runs-on: ubuntu-latest
needs: [gitguardian]
steps:
# More info: https://github.com/step-security/harden-runner.
- name: Harden Runner
id: harden_runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
with:
egress-policy: audit
# More info: https://github.com/peter-murray/workflow-application-token-action.
- name: Get token
id: get_token
uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
with:
application_id: ${{ secrets.ID_EMOJIFYBOT }}
application_private_key: ${{ secrets.PEM_EMOJIFYBOT }}
# More info: https://github.com/actions/checkout.
- name: Checkout & Authentication
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
with:
token: ${{ steps.get_token.outputs.token }}
persist-credentials: false
fetch-depth: 0
- name: Emojify PR Title
uses: pineapplelol/emojify-pr-title@a380b02ff04e737a60066bcd0a8c45f1f7a1a709
with:
use-fuzzy: false
use-emoji-map: true
emoji-map: 'https://raw.githubusercontent.com/wr-projects/github-template/main/.github/config/workflows/emoji_mapping.json'
require-space: true
# More info: https://github.com/hiwelo/new-dependencies-action
check_new_dependencies:
runs-on: ubuntu-latest
needs: [gitguardian]
steps:
# More info: https://github.com/step-security/harden-runner.
- name: Harden Runner
id: harden_runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
with:
egress-policy: audit
# More info: https://github.com/peter-murray/workflow-application-token-action.
- name: Get token
id: get_token
uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db
with:
application_id: ${{ secrets.ID_CHECKDEPSBOT }}
application_private_key: ${{ secrets.PEM_CHECKDEPSBOT }}
# More info: https://github.com/actions/checkout.
- name: Checkout & Authentication
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
with:
token: ${{ steps.get_token.outputs.token }}
persist-credentials: false
fetch-depth: 0
- name: Check for new dependencies
uses: hiwelo/new-dependencies-action@e4175e14484328f9ab56df91e420e90ad5031c08