-
Notifications
You must be signed in to change notification settings - Fork 0
114 lines (97 loc) · 4.2 KB
/
Copy pathupdate-github-actions.yaml
File metadata and controls
114 lines (97 loc) · 4.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
name: Update GitHub Actions
on:
schedule:
- cron: "17 5 * * 1"
workflow_dispatch: null
concurrency:
group: update-github-actions
cancel-in-progress: false
permissions:
contents: read # needed to checkout repository contents
jobs:
update:
name: Update Action Pins
runs-on: ubuntu-latest
permissions:
contents: write # needed to push workflow pin updates
steps:
- name: Checkout Repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Install Homebrew tools
run: |
NONINTERACTIVE=1 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
brew install pinact zizmor
- name: Update Pins
env:
GITHUB_TOKEN: ${{ github.token }}
run: |
eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
pinact run --update
pinact run --verify
zizmor --persona=pedantic .
- name: Commit Updates
env:
GITHUB_REF_NAME: ${{ github.ref_name }}
WORKFLOW_SIGNING_KEY: ${{ secrets.WORKFLOW_SIGNING_KEY }}
WORKFLOW_SIGNING_PASSPHRASE: ${{ secrets.WORKFLOW_SIGNING_PASSPHRASE }}
WORKFLOW_UPDATE_TOKEN: ${{ secrets.WORKFLOW_UPDATE_TOKEN }}
run: |
if git diff --quiet -- .github/workflows; then
exit 0
fi
if [ -z "${WORKFLOW_UPDATE_TOKEN}" ]; then
printf '%s\n' 'WORKFLOW_UPDATE_TOKEN is not configured; skipping workflow pin push.'
printf '%s\n' 'Use a fine-grained token with repository Contents and Workflows write access.'
git diff -- .github/workflows
exit 0
fi
git config user.name "4evy"
git config user.email "git@ps1.sh"
if [ -n "${WORKFLOW_SIGNING_KEY}" ]; then
signing_key_file="${RUNNER_TEMP}/workflow-signing-key"
printf '%s\n' "${WORKFLOW_SIGNING_KEY}" >"${signing_key_file}"
chmod 600 "${signing_key_file}"
if grep -q "BEGIN OPENSSH PRIVATE KEY" "${signing_key_file}"; then
git config gpg.format ssh
git config user.signingkey "${signing_key_file}"
git config commit.gpgsign true
else
export GNUPGHOME="${RUNNER_TEMP}/gnupg"
mkdir -p "${GNUPGHOME}"
chmod 700 "${GNUPGHOME}"
gpg --batch --import "${signing_key_file}"
if [ -n "${WORKFLOW_SIGNING_PASSPHRASE}" ]; then
export WORKFLOW_SIGNING_PASSPHRASE_FILE="${RUNNER_TEMP}/gpg-passphrase"
printf '%s' "${WORKFLOW_SIGNING_PASSPHRASE}" >"${WORKFLOW_SIGNING_PASSPHRASE_FILE}"
chmod 600 "${WORKFLOW_SIGNING_PASSPHRASE_FILE}"
fi
# shellcheck disable=SC2016
{
printf '%s\n' '#!/usr/bin/env bash'
printf '%s\n' 'if [ -n "${WORKFLOW_SIGNING_PASSPHRASE_FILE:-}" ]; then'
printf '%s\n' ' exec gpg --batch --yes --pinentry-mode loopback --passphrase-file "${WORKFLOW_SIGNING_PASSPHRASE_FILE}" "$@"'
printf '%s\n' 'fi'
printf '%s\n' 'exec gpg --batch --yes "$@"'
} >"${RUNNER_TEMP}/gpg-sign"
chmod 700 "${RUNNER_TEMP}/gpg-sign"
git config gpg.program "${RUNNER_TEMP}/gpg-sign"
signing_key="$(
gpg --batch --list-secret-keys --with-colons git@ps1.sh |
awk -F: '/^fpr:/ { print $10; exit }'
)"
if [ -z "${signing_key}" ]; then
printf '%s\n' 'WORKFLOW_SIGNING_KEY is configured, but no key for git@ps1.sh was imported.'
exit 1
fi
git config user.signingkey "${signing_key}"
git config commit.gpgsign true
fi
fi
git add .github/workflows
git commit -m "chore: update GitHub Actions pins"
git push \
"https://x-access-token:${WORKFLOW_UPDATE_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" \
"HEAD:${GITHUB_REF_NAME}"