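---
# Pull-request pipeline: secret scanning (GitGuardian), dependency review,
# work-in-progress labelling, PR-title decoration and a new-dependency check.
# Every job opens with step-security/harden-runner. Only the GitGuardian job
# enforces egress (`block` + allow-list); the other jobs run harden-runner in
# `audit` mode, which logs egress but does not restrict it.
name: Pipeline - Pull Request
on:
  pull_request:
    # Only PR open/reopen triggers this workflow; later pushes to an open PR
    # (the `synchronize` activity type) do not re-run the scans below.
    types: [opened, reopened]
# Workflow-wide GITHUB_TOKEN scope. Jobs that write labels or titles mint a
# separate GitHub App token (see the "Get token" steps) rather than widening this.
permissions:
  contents: read
  pull-requests: write
jobs:
  # More info: https://github.com/GitGuardian/ggshield-action
  gitguardian:
    name: GitGuardian Scanner
    runs-on: ubuntu-latest
    steps:
      # More info: https://github.com/step-security/harden-runner.
      - name: Harden Runner
        id: harden_runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
        with:
          disable-sudo: true
          # Hard egress allow-list: only the scanner API and github.com are reachable.
          egress-policy: block
          allowed-endpoints: >
            api.gitguardian.com:443
            github.com:443
      - name: Checkout & Authentication
        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f
        with:
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false
          # Full history; the scanner is given commit-range SHAs in `env` below.
          fetch-depth: 0
      - name: GitGuardian Scanner
        uses: GitGuardian/gg-shield-action@3af6bd67c964cffe01a0f8f5c0dd04b8cda99e6b
        with:
          args: -v --all-policies
        env:
          # NOTE(review): both GITHUB_PUSH_* variables read github.event.before,
          # a push-event payload field; this workflow only runs on pull_request.
          # Confirm against the ggshield-action docs which value each expects.
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.before }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
  # More info: https://github.com/actions/dependency-review-action
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      # More info: https://github.com/step-security/harden-runner.
      - name: Harden Runner
        id: harden_runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
        with:
          # Audit only: egress is logged, not blocked, in this job.
          egress-policy: audit
      # More info: https://github.com/actions/checkout.
      - name: Checkout & Authentication
        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f
        with:
          # Consistent with the other checkouts in this file: the review action
          # talks to the API with its own token input and needs no persisted git
          # credentials.
          persist-credentials: false
          fetch-depth: 0
      # More info: https://github.com/actions/dependency-review-action
      - name: Dependency Review
        uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70
        with:
          config-file: "./.github/config/workflows/dependency-review.yml"
  # More info: https://github.com/AlbertHernandez/working-label-action
  working_label:
    runs-on: ubuntu-latest
    steps:
      # More info: https://github.com/step-security/harden-runner.
      - name: Harden Runner
        id: harden_runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
        with:
          egress-policy: audit
      # More info: https://github.com/peter-murray/workflow-application-token-action.
      - name: Get token
        id: get_token
        uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
        with:
          application_id: ${{ secrets.ID_WORKLABELBOT }}
          # NOTE(review): this reuses the application_id secret as the private
          # key, unlike the other jobs which pair ID_* with PEM_*; confirm the
          # intended secret name for this bot's private key.
          application_private_key: ${{ secrets.ID_WORKLABELBOT }}
      # More info: https://github.com/actions/checkout.
      - name: Checkout & Authentication
        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f
        with:
          # App token (not GITHUB_TOKEN) so the label action can write to the PR.
          token: ${{ steps.get_token.outputs.token }}
          persist-credentials: false
          fetch-depth: 0
      # More info: https://github.com/AlbertHernandez/working-label-action
      - name: Working Label
        uses: AlbertHernandez/working-label-action@398809d95be33f8f631c0f02e1d0e8cd8fbf8e73
        with:
          work_in_progress_label: "type:🚧chore"
          ready_to_review_label: "status:⌛awaiting-review"
  # More info: https://github.com/pineapplelol/emojify-pr-title
  emojify-pr-title:
    runs-on: ubuntu-latest
    # Gated on the secret scan passing.
    needs: [gitguardian]
    steps:
      # More info: https://github.com/step-security/harden-runner.
      - name: Harden Runner
        id: harden_runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
        with:
          egress-policy: audit
      # More info: https://github.com/peter-murray/workflow-application-token-action.
      - name: Get token
        id: get_token
        uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
        with:
          application_id: ${{ secrets.ID_EMOJIFYBOT }}
          application_private_key: ${{ secrets.PEM_EMOJIFYBOT }}
      # More info: https://github.com/actions/checkout.
      - name: Checkout & Authentication
        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f
        with:
          token: ${{ steps.get_token.outputs.token }}
          persist-credentials: false
          fetch-depth: 0
      - name: Emojify PR Title
        uses: pineapplelol/emojify-pr-title@a380b02ff04e737a60066bcd0a8c45f1f7a1a709
        with:
          use-emoji-map: true
          # NOTE(review): the map is fetched at run time from a branch URL
          # (`main`), so unlike the SHA-pinned actions above its content can
          # change between runs; pinning it to a commit or reading it from the
          # checked-out repository would make the input reproducible.
          emoji-map: "https://raw.githubusercontent.com/habbaz-dev/github-template/main/.github/config/workflows/emoji-mapping.json"
          require-space: true
  # More info: https://github.com/hiwelo/new-dependencies-action
  check_new_dependencies:
    runs-on: ubuntu-latest
    # Gated on the secret scan passing.
    needs: [gitguardian]
    steps:
      # More info: https://github.com/step-security/harden-runner.
      - name: Harden Runner
        id: harden_runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
        with:
          egress-policy: audit
      # More info: https://github.com/peter-murray/workflow-application-token-action.
      - name: Get token
        id: get_token
        uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3
        with:
          application_id: ${{ secrets.ID_CHECKDEPSBOT }}
          application_private_key: ${{ secrets.PEM_CHECKDEPSBOT }}
      # More info: https://github.com/actions/checkout.
      - name: Checkout & Authentication
        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f
        with:
          token: ${{ steps.get_token.outputs.token }}
          persist-credentials: false
          fetch-depth: 0
      - name: Check for new dependencies
        uses: hiwelo/new-dependencies-action@e4175e14484328f9ab56df91e420e90ad5031c08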