From 02611c8d6f069d5239e884b50d33ea382fe9f841 Mon Sep 17 00:00:00 2001
From: Hector Alfaro
Date: Tue, 17 Oct 2023 16:32:51 -0400
Subject: [PATCH] Prefix use of composite action with a checkout (#44582)
---
.github/workflows/auto-close-dependencies.yml | 3 ++-
.github/workflows/check-for-spammy-issues.yml | 4 +++-
.github/workflows/close-bad-repo-sync-prs.yml | 2 ++
.github/workflows/close-on-invalid-label.yaml | 3 +++
.../confirm-internal-staff-work-in-docs.yml | 4 +++-
.../workflows/copy-api-issue-to-internal.yml | 4 +++-
.github/workflows/merged-notification.yml | 3 +++
...ve-existing-issues-to-the-correct-repo.yml | 12 ++++++----
.github/workflows/move-help-wanted-issues.yml | 4 +++-
.../move-new-issues-to-correct-docs-repo.yml | 4 +++-
.../move-reopened-issues-to-triage.yaml | 3 +++
.github/workflows/needs-sme-stale-check.yaml | 3 +++
.github/workflows/needs-sme-workflow.yml | 1 +
.github/workflows/no-response.yaml | 3 +++
.../notify-when-maintainers-cannot-edit.yaml | 3 +++
.github/workflows/remove-from-fr-board.yaml | 4 +++-
.../secret-scanning-pattern-table-updates.yml | 9 ++++---
.github/workflows/site-policy-reminder.yml | 4 +++-
.github/workflows/stale.yml | 3 +++
.../transfer-api-issue-to-openapi.yml | 4 +++-
.github/workflows/triage-issue-comments.yml | 3 +++
.github/workflows/triage-issues.yml | 3 +++
.github/workflows/triage-pull-requests.yml | 3 +++
.github/workflows/triage-stale-check.yml | 5 ++++
.../triage-unallowed-contributions.yml | 3 +++
src/workflows/tests/actions-workflows.js | 24 +++++++++++++++++++
26 files changed, 104 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/auto-close-dependencies.yml b/.github/workflows/auto-close-dependencies.yml
index 5e30d319be..fa92c54233 100644
--- a/.github/workflows/auto-close-dependencies.yml
+++ b/.github/workflows/auto-close-dependencies.yml
@@ -66,7 +66,8 @@ jobs: console.error(`Failed to lock the pull request. Error: ${error}`) throw error } - + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} diff --git a/.github/workflows/check-for-spammy-issues.yml b/.github/workflows/check-for-spammy-issues.yml index 7b95210caa..a4e7fcad31 100644 --- a/.github/workflows/check-for-spammy-issues.yml +++ b/.github/workflows/check-for-spammy-issues.yml @@ -9,7 +9,7 @@ on: types: [opened] permissions: - contents: none + contents: read jobs: spammy-title-check: @@ -81,6 +81,8 @@ jobs: console.log(error); } + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} diff --git a/.github/workflows/close-bad-repo-sync-prs.yml b/.github/workflows/close-bad-repo-sync-prs.yml index 57dd4b3494..339d919a3f 100644 --- a/.github/workflows/close-bad-repo-sync-prs.yml +++ b/.github/workflows/close-bad-repo-sync-prs.yml @@ -61,6 +61,8 @@ jobs: body: "Please leave this `repo-sync` branch to the robots!\n\nI'm going to close this pull request now, but feel free to open a new issue or ask any questions in [discussions](https://github.com/github/docs/discussions)!" }) + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} diff --git a/.github/workflows/close-on-invalid-label.yaml b/.github/workflows/close-on-invalid-label.yaml index 869d01eec1..abcc522dc5 100644 --- a/.github/workflows/close-on-invalid-label.yaml +++ b/.github/workflows/close-on-invalid-label.yaml @@ -11,6 +11,7 @@ on: types: [labeled] permissions: + contents: read issues: write pull-requests: write 
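Review bot: The new `Check out repo` step in the auto-close-dependencies hunk (and the identical step added in check-for-spammy-issues, close-bad-repo-sync-prs, close-on-invalid-label and every other workflow in this patch) has no `if:` condition, while the `./.github/actions/slack-alert` step it exists to serve reads like a failure-notification step whose condition sits outside the hunk; if that step runs under `failure()`, a failing earlier step skips the checkout and the alert step then fails because the local action is not on disk, so the checkout needs the same condition, e.g. `if: ${{ always() }}`. Because the checkout is only used to load a local composite action, adding `with:` / `persist-credentials: false` keeps the job token out of the workspace git config for the remaining steps. The accompanying `contents: none` → `contents: read` change is the minimum the checkout needs and is consistent across the patch; a short comment on the step, such as `# required so ./.github/actions/slack-alert is available to the job`, would explain why a notification job checks out the repository at all.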
@@ -32,6 +33,8 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: gh pr close ${{ github.event.pull_request.html_url }} + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} diff --git a/.github/workflows/confirm-internal-staff-work-in-docs.yml b/.github/workflows/confirm-internal-staff-work-in-docs.yml index 07aa051adf..92db48d7ac 100644 --- a/.github/workflows/confirm-internal-staff-work-in-docs.yml +++ b/.github/workflows/confirm-internal-staff-work-in-docs.yml @@ -14,7 +14,7 @@ on: - opened permissions: - contents: none + contents: read jobs: check-team-membership: @@ -80,6 +80,8 @@ jobs: bot-token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }} text: <@${{github.actor}}> opened https://github.com/github/docs/issues/${{ github.event.number || github.event.issue.number }} publicly on the github/docs repo instead of a private repo. They have been notified via a new issue in the private repo to confirm this was intentional. + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} diff --git a/.github/workflows/copy-api-issue-to-internal.yml b/.github/workflows/copy-api-issue-to-internal.yml index e979e50983..b90bb5a1e4 100644 --- a/.github/workflows/copy-api-issue-to-internal.yml +++ b/.github/workflows/copy-api-issue-to-internal.yml @@ -10,7 +10,7 @@ on: - labeled permissions: - contents: none + contents: read jobs: transfer-issue: @@ -71,6 +71,8 @@ jobs: NEW_ISSUE: ${{ env.NEW_ISSUE }} OLD_ISSUE: ${{ github.event.issue.html_url }} + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} 
diff --git a/.github/workflows/merged-notification.yml b/.github/workflows/merged-notification.yml index 92f5dcdeda..c8c206b022 100644 --- a/.github/workflows/merged-notification.yml +++ b/.github/workflows/merged-notification.yml @@ -12,6 +12,7 @@ on: permissions: issues: write pull-requests: write + contents: read jobs: comment: @@ -27,6 +28,8 @@ jobs: body: "Thanks very much for contributing! Your pull request has been merged 🎉 You should see your changes appear on the site in approximately 24 hours. If you're looking for your next contribution, check out our [help wanted issues](https://github.com/github/docs/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22) :zap:" }) + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} diff --git a/.github/workflows/move-existing-issues-to-the-correct-repo.yml b/.github/workflows/move-existing-issues-to-the-correct-repo.yml index 560b37e66b..4461be1450 100644 --- a/.github/workflows/move-existing-issues-to-the-correct-repo.yml +++ b/.github/workflows/move-existing-issues-to-the-correct-repo.yml @@ -8,7 +8,7 @@ on: workflow_dispatch: permissions: - contents: none + contents: read jobs: transfer_issues: @@ -24,7 +24,7 @@ jobs: script: | const owner = 'github' const originalRepo = 'docs-internal' - let correctRepo = process.env.TEAM_ENGINEERING_REPO + let correctRepo = process.env.TEAM_ENGINEERING_REPO const correctRepoObject = await github.rest.repos.get({ owner: owner, @@ -58,15 +58,15 @@ jobs: } } }` - + const variables = { id: issueNodeId, repositoryId: correctRepositoryNodeId } - + const graph = await github.graphql(mutation, variables) console.log('GraphQL mutation result:\n' + JSON.stringify(graph)) - + // Add the same labels to the new issue const newIssueNumber = graph.transferIssue.issue.number await github.rest.issues.addLabels({ 
@@ -78,6 +78,8 @@ jobs: } } + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} diff --git a/.github/workflows/move-help-wanted-issues.yml b/.github/workflows/move-help-wanted-issues.yml index 376c36e387..30f066e060 100644 --- a/.github/workflows/move-help-wanted-issues.yml +++ b/.github/workflows/move-help-wanted-issues.yml @@ -10,7 +10,7 @@ on: - labeled permissions: - contents: none + contents: read jobs: move_issues: @@ -27,6 +27,8 @@ jobs: column: Help wanted repo-token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }} + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} diff --git a/.github/workflows/move-new-issues-to-correct-docs-repo.yml b/.github/workflows/move-new-issues-to-correct-docs-repo.yml index a398365a07..2a1e7eb122 100644 --- a/.github/workflows/move-new-issues-to-correct-docs-repo.yml +++ b/.github/workflows/move-new-issues-to-correct-docs-repo.yml @@ -12,7 +12,7 @@ on: - reopened permissions: - contents: none + contents: read jobs: transfer_issue: @@ -89,6 +89,8 @@ jobs: labels: context.payload.issue.labels.map(label => label.name), }) + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} diff --git a/.github/workflows/move-reopened-issues-to-triage.yaml b/.github/workflows/move-reopened-issues-to-triage.yaml index 020da40c1f..0f78bd66ea 100644 --- a/.github/workflows/move-reopened-issues-to-triage.yaml +++ b/.github/workflows/move-reopened-issues-to-triage.yaml @@ -10,6 +10,7 @@ on: - reopened permissions: + contents: read repository-projects: write jobs: 
@@ -42,6 +43,8 @@ jobs: console.log(e); } + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} diff --git a/.github/workflows/needs-sme-stale-check.yaml b/.github/workflows/needs-sme-stale-check.yaml index 31ce02720c..ae7808f071 100644 --- a/.github/workflows/needs-sme-stale-check.yaml +++ b/.github/workflows/needs-sme-stale-check.yaml @@ -9,6 +9,7 @@ on: - cron: '20 16 * * *' # Run each day at 16:20 UTC / 8:20 PST permissions: + contents: read issues: write pull-requests: write @@ -30,6 +31,8 @@ jobs: stale-pr-label: SME stale days-before-pr-close: -1 # never close + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} diff --git a/.github/workflows/needs-sme-workflow.yml b/.github/workflows/needs-sme-workflow.yml index 5caaf8077a..5e9683f4b3 100644 --- a/.github/workflows/needs-sme-workflow.yml +++ b/.github/workflows/needs-sme-workflow.yml @@ -11,6 +11,7 @@ on: types: [labeled] permissions: + contents: read issues: write pull-requests: write diff --git a/.github/workflows/no-response.yaml b/.github/workflows/no-response.yaml index 06a1729683..03c21060e3 100644 --- a/.github/workflows/no-response.yaml +++ b/.github/workflows/no-response.yaml @@ -15,6 +15,7 @@ on: - cron: '20 * * * *' # Run each hour at 20 minutes past permissions: + contents: read issues: write pull-requests: write 
@@ -47,6 +48,8 @@ jobs: if you have the information we requested, or open a [new issue](https://github.com/github/docs/issues/new/choose) to describing your changes. Then we can begin the review process. + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} diff --git a/.github/workflows/notify-when-maintainers-cannot-edit.yaml b/.github/workflows/notify-when-maintainers-cannot-edit.yaml index bb9760fe61..156a9d623b 100644 --- a/.github/workflows/notify-when-maintainers-cannot-edit.yaml +++ b/.github/workflows/notify-when-maintainers-cannot-edit.yaml @@ -10,6 +10,7 @@ on: - opened permissions: + contents: read pull-requests: write jobs: @@ -63,6 +64,8 @@ jobs: console.log(e); } + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} diff --git a/.github/workflows/remove-from-fr-board.yaml b/.github/workflows/remove-from-fr-board.yaml index 9649f51109..b9fc01f361 100644 --- a/.github/workflows/remove-from-fr-board.yaml +++ b/.github/workflows/remove-from-fr-board.yaml @@ -10,7 +10,7 @@ on: types: remove_from_docs_FR_board permissions: - contents: none + contents: read jobs: remove_from_FR_board: @@ -30,6 +30,8 @@ jobs: GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}} PR_URL: https://github.com/${{ github.event.client_payload.command.repository.full_name }}/pull/${{ github.event.client_payload.command.resource.number }} + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} 
diff --git a/.github/workflows/secret-scanning-pattern-table-updates.yml b/.github/workflows/secret-scanning-pattern-table-updates.yml index e4974e83dd..296e0577b3 100644 --- a/.github/workflows/secret-scanning-pattern-table-updates.yml +++ b/.github/workflows/secret-scanning-pattern-table-updates.yml @@ -9,9 +9,12 @@ on: types: [opened] paths: - data/secret-scanning.yml + permissions: + contents: read pull-requests: write repository-projects: write + jobs: Process-secret-scanning-PR: runs-on: ubuntu-latest 
@@ -30,13 +33,13 @@ jobs: in the _/data/secret-scanning.yml_ file. The data in this file is used to populate the tables in the '[Secret scanning patterns](https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns#supported-secrets)' article at build time. - + - The secret scanning team updates this file fairly regularly, and raises PRs in the `docs-internal` repository to update our docs accordingly. We've agreed to review these PRs **quickly** as the changes are already effective when these PRs reach us. - + - Anyone in the Docs Content team can review and merge this PR. A few guidelines: - You can only merge this PR if it's had a technical review (see who's approved it in the 'Reviewers' section in the top right corner). - To test that the changes appear on Staging, look at the preview of the 'Secret scanning patterns' file. You may need to use the product picker to look at the table for different GitHub products, and test the versioning. - - If you don't feel comfortable reviewing this PR, please post a link to it in the #code-security-docs Slack channel so someone from the Dependencies & Secrets focus team can take a look. + - If you don't feel comfortable reviewing this PR, please post a link to it in the #code-security-docs Slack channel so someone from the Dependencies & Secrets focus team can take a look. - For more information about this automation, and the reasons why we have decided to implement it, see [About automations for Dependencies & Secrets](https://github.com/github/docs-content/blob/main/focus-areas/code-security/about-automations-for-dependencies-and-secrets.md#secret-scanning-prs-adding-new-supported-patterns) in the 'docs-content' repository. diff --git a/.github/workflows/site-policy-reminder.yml b/.github/workflows/site-policy-reminder.yml index 3ef974fc10..2f718b494e 100644 --- a/.github/workflows/site-policy-reminder.yml +++ b/.github/workflows/site-policy-reminder.yml 
@@ -10,7 +10,7 @@ on: permissions: pull-requests: write - contents: none + contents: read jobs: run: @@ -29,6 +29,8 @@ jobs: <@github/site-policy-admins>, when these changes are ready to be synced to the site policy repo for the 24-hour or 30-day [review window](https://github.com/github/site-policy#whats-the-process), run the [site policy sync action](https://github.com/github/docs-internal/actions/workflows/site-policy-sync.yml) from this PR's branch. When these changes are ready to be merged in `docs-internal`, let the Docs team know on Slack in #docs-content and a writer will merge this PR. + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 3c6f38b687..f55b0baa2b 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -9,6 +9,7 @@ on: - cron: '20 16 * * *' # Run every day at 16:20 UTC / 8:20 PST permissions: + contents: read issues: write pull-requests: write @@ -31,6 +32,8 @@ jobs: operations-per-run: 1000 close-issue-reason: not_planned + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} diff --git a/.github/workflows/transfer-api-issue-to-openapi.yml b/.github/workflows/transfer-api-issue-to-openapi.yml index 791b3e465f..5a426a0470 100644 --- a/.github/workflows/transfer-api-issue-to-openapi.yml +++ b/.github/workflows/transfer-api-issue-to-openapi.yml @@ -10,7 +10,7 @@ on: - labeled permissions: - contents: none + contents: read jobs: transfer-issue: 
@@ -57,6 +57,8 @@ jobs: GITHUB_TOKEN: ${{secrets.DOCS_BOT_PAT_WORKFLOW_READORG}} OLD_ISSUE: ${{ github.event.issue.html_url }} + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} diff --git a/.github/workflows/triage-issue-comments.yml b/.github/workflows/triage-issue-comments.yml index bb1252f1ac..44e4eea4f0 100644 --- a/.github/workflows/triage-issue-comments.yml +++ b/.github/workflows/triage-issue-comments.yml @@ -10,6 +10,7 @@ on: - created permissions: + contents: read issues: write jobs: @@ -47,6 +48,8 @@ jobs: add-labels: 'triage' ignore-if-labeled: true + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} diff --git a/.github/workflows/triage-issues.yml b/.github/workflows/triage-issues.yml index 795e8c569b..d182f90773 100644 --- a/.github/workflows/triage-issues.yml +++ b/.github/workflows/triage-issues.yml @@ -11,6 +11,7 @@ on: - opened permissions: + contents: read issues: write jobs: @@ -24,6 +25,8 @@ jobs: with: add-labels: 'triage' + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} diff --git a/.github/workflows/triage-pull-requests.yml b/.github/workflows/triage-pull-requests.yml index 35ba257686..2aeb95a689 100644 --- a/.github/workflows/triage-pull-requests.yml +++ b/.github/workflows/triage-pull-requests.yml @@ -11,6 +11,7 @@ on: - opened permissions: + contents: read issues: write pull-requests: write 
@@ -25,6 +26,8 @@ jobs: with: add-labels: 'triage' + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} diff --git a/.github/workflows/triage-stale-check.yml b/.github/workflows/triage-stale-check.yml index 372aef616f..9d647ed14d 100644 --- a/.github/workflows/triage-stale-check.yml +++ b/.github/workflows/triage-stale-check.yml @@ -9,6 +9,7 @@ on: - cron: '20 16 * * 1-5' # Run every weekday at 16:20 UTC / 8:20 PST permissions: + contents: read issues: write pull-requests: write @@ -31,6 +32,8 @@ jobs: stale-pr-label: 'stale' exempt-pr-labels: 'waiting for review,never-stale,ready to merge' + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} @@ -55,6 +58,8 @@ jobs: stale-pr-label: 'waiting for review' exempt-pr-labels: 'never-stale' + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} diff --git a/.github/workflows/triage-unallowed-contributions.yml b/.github/workflows/triage-unallowed-contributions.yml index edc4ea38eb..4ea659305d 100644 --- a/.github/workflows/triage-unallowed-contributions.yml +++ b/.github/workflows/triage-unallowed-contributions.yml @@ -20,6 +20,7 @@ on: - 'content/actions/deployment/security-hardening-your-deployments/**' permissions: + contents: read pull-requests: write jobs: @@ -101,6 +102,8 @@ jobs: core.setFailed(workflowFailMessage) + - name: Check out repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: ./.github/actions/slack-alert with: slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} 
diff --git a/src/workflows/tests/actions-workflows.js b/src/workflows/tests/actions-workflows.js index 54920d6b82..173bdbf61e 100644 --- a/src/workflows/tests/actions-workflows.js +++ b/src/workflows/tests/actions-workflows.js @@ -6,6 +6,8 @@ import { flatten } from 'flat' import { chain, get } from 'lodash-es' const actionHashRegexp = /^[A-Za-z0-9-/]+@[0-9a-f]{40}$/ +const checkoutRegexp = /^[actions/checkout]+@[0-9a-f]{40}$/ +const permissionsRegexp = /(read|write)/ const __dirname = path.dirname(fileURLToPath(import.meta.url)) const workflowsDir = path.join(__dirname, '../../../.github/workflows') @@ -69,4 +71,26 @@ describe('GitHub Actions workflows', () => { } } }) + + test.each(workflows)( + 'contains contents:read permissions when permissions are used $filename', + ({ data }) => { + if (data.permissions) { + expect(permissionsRegexp.test(data.permissions.contents)).toBe(true) + } + }, + ) + + test.each(workflows)( + 'performs a checkout before calling composite action $filename', + ({ filename, data }) => { + for (const [name, job] of Object.entries(data.jobs)) { + if (!job.steps.find((step) => checkoutRegexp.test(step.uses))) { + throw new Error( + `Job $(unknown) # ${name} missing a checkout before calling the composite action`, + ) + } + } + }, + ) })
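Review bot: `checkoutRegexp` on the `+const checkoutRegexp` line is a character class, not a literal: `[actions/checkout]+` matches any run of those letters, so a pinned step like `actions/cache@<sha>` (constructed example) would satisfy the "performs a checkout" test and the check does not enforce what its name says; it should read `const checkoutRegexp = /^actions\/checkout@[0-9a-f]{40}$/`. `permissionsRegexp` is loose in the same way — the unanchored `/(read|write)/` accepts `write`, or any value containing either word, in a test named `contains contents:read`; `const permissionsRegexp = /^(read|write)$/` pins the accepted values, and `expect(data.permissions.contents).toBe('read')` would be the least-privilege form if that is the intent. Only the top-level `permissions:` block is inspected, so job-level overrides are not covered; a comment saying so, `// job-level permissions blocks are not checked here`, would keep the next reader from assuming otherwise.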
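Review bot: The `performs a checkout before calling composite action` test in the `@@ -69,4 +71,26 @@` hunk checks presence, not order, and requires a checkout in every job whether or not that job uses a local `./` action, so it will fail on unrelated jobs and pass on a checkout that comes after the composite action; `job.steps.find` also throws a TypeError for jobs without `steps` (reusable-workflow jobs that only have `uses:`). `filename` is destructured but never used, and the message's `$(unknown)` looks like a mangled `${filename}` interpolation — hedged, since that may be a corpus artifact. A rewrite that only demands a checkout ahead of the first `./`-prefixed `uses` is sketched below; the enclosing `describe` block starts outside the hunk.
```javascript
const localActionRegexp = /^\.\//

// … unchanged: __dirname, workflowsDir, earlier tests …

  test.each(workflows)(
    'performs a checkout before calling composite action $filename',
    ({ filename, data }) => {
      for (const [name, job] of Object.entries(data.jobs)) {
        // Reusable-workflow jobs have `uses:` and no `steps`.
        const steps = job.steps ?? []
        const firstLocal = steps.findIndex((step) => localActionRegexp.test(step.uses ?? ''))
        if (firstLocal === -1) continue
        const checkoutIdx = steps.findIndex((step) => checkoutRegexp.test(step.uses ?? ''))
        if (checkoutIdx === -1 || checkoutIdx > firstLocal) {
          throw new Error(
            `Job ${name} in ${filename} calls a local action without a prior checkout`,
          )
        }
      }
    },
  )
```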