ci: inprove worfklow security

Th3S4mur41 · Sep 18, 2024 · 67257b0 · 67257b0
1 parent dffa130
commit 67257b0
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 68 deletions.
diff --git a/.github/workflows/on_pr.yml → .github/workflows/checks.yml b/.github/workflows/on_pr.yml → .github/workflows/checks.yml
@@ -1,35 +1,28 @@
-# This is workflow runs on push
 #
-name: Pull Request Check
+# Run all checks on PRs and pushes
+#
+name: Checks
 
 # Controls when the action will run.
 on:
- # Trigger workflow for pull requests.
  pull_request:
  types: [opened, synchronize, reopened]
 
+ push:
+ branches: [main, next, beta, alpha]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
 concurrency:
- group: PR_${{ github.head_ref || github.run_id }}
+ group: ${{ github.workflow }}_${{ github.head_ref || github.ref_name || github.run_id }}
  cancel-in-progress: true
 
 jobs:
  lint-pr:
  name: '▶️ actions'
  uses: ./.github/workflows/lint-pr.yml
 
- npm-lint:
- name: '▶️ actions'
- needs: [lint-pr]
- uses: ./.github/workflows/npm-lint.yml
-
- docker:
- name: '▶️ actions'
- needs: [npm-lint]
- uses: ./.github/workflows/docker.yml
- permissions:
- contents: read
- packages: write
-
  codeql:
  name: '▶️ actions'
  needs: [lint-pr]
@@ -41,7 +34,20 @@ jobs:
 
  dependencies:
  name: '▶️ actions'
+ needs: [lint-pr] 
  uses: ./.github/workflows/dependencies.yml
  permissions:
  pull-requests: write
  contents: write
+
+ npm-lint:
+ name: '▶️ actions'
+ uses: ./.github/workflows/npm-lint.yml
+
+ docker:
+ name: '▶️ actions'
+ needs: [npm-lint]
+ uses: ./.github/workflows/docker.yml
+ permissions:
+ contents: read
+ packages: write
diff --git a/.github/workflows/on_push.yml b/.github/workflows/on_push.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,32 @@
+# This workflow triggers the release process after code check is completed
+#
+name: Release
+run-name: ${{ github.event.workflow_run.head_commit.message }} [${{ github.event.workflow_run.id }}]
+
+# Controls when the action will run.
+on:
+ workflow_run:
+ workflows: [Checks]
+ types: [completed]
+ branches: [main, next, beta, alpha]
+
+concurrency:
+ # group: ${{ github.workflow }}_${{ github.head_ref || github.ref || github.run_id }}
+ # Use the name of the triggering workflow run as the concurrency group to avoid conccurency issues
+ group: ${{ github.workflow }}_${{ github.event.workflow_run.head_branch || github.ref_name || github.run_id }}
+ cancel-in-progress: true
+
+jobs:
+ semantic-release:
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ name: '▶️ actions'
+ uses: ./.github/workflows/semantic-release.yml
+ secrets:
+ NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+ GH_TOKEN: ${{ secrets.GH_TOKEN }}
+ permissions:
+ contents: write
+ issues: write
+ pull-requests: write
+ packages: write
+ id-token: write