From 7ac7eabd1b782d4132bb183c0be5e5c428c9e321 Mon Sep 17 00:00:00 2001 From: martincostello Date: Sat, 15 Feb 2025 14:41:34 +0000 Subject: [PATCH 1/4] Lint PowerShell scripts - Add a PowerShell linter. - Fix PowerShell lint warnings. - Update actionlint to v1.7.7. --- .github/workflows/actions-lint.yml | 44 ------------------ .github/workflows/lint.yml | 72 ++++++++++++++++++++++++++++++ bench/benchmarks.ps1 | 2 +- build.ps1 | 23 +++++----- eng/bump-version.ps1 | 2 +- eng/update-changelog.ps1 | 30 ++++++------- 6 files changed, 101 insertions(+), 72 deletions(-) delete mode 100644 .github/workflows/actions-lint.yml create mode 100644 .github/workflows/lint.yml diff --git a/.github/workflows/actions-lint.yml b/.github/workflows/actions-lint.yml deleted file mode 100644 index faff71418b5..00000000000 --- a/.github/workflows/actions-lint.yml +++ /dev/null @@ -1,44 +0,0 @@ -name: actions-lint - -on: - push: - branches: - - main - - release/* - paths-ignore: - - '**/*.gitattributes' - - '**/*.gitignore' - - '**/*.md' - pull_request: - branches: - - main - - release/* - - dotnet-vnext - workflow_dispatch: - -permissions: - contents: read - -env: - FORCE_COLOR: 3 - TERM: xterm - -jobs: - lint: - runs-on: ubuntu-latest - - steps: - - - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - filter: 'tree:0' - show-progress: false - - - name: Add actionlint problem matcher - run: echo "::add-matcher::.github/actionlint-matcher.json" - - - name: Lint workflows - uses: docker://rhysd/actionlint@sha256:5acca218639222e4afbc82fc6e9ef56cbe646ade3b07f3f5ec364b638258a244 # v1.7.0 - with: - args: -color diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 00000000000..73bdd1e95ab --- /dev/null +++ b/.github/workflows/lint.yml 
@@ -0,0 +1,72 @@ +name: lint + +on: + push: + branches: + - main + - release/* + paths-ignore: + - '**/*.gitattributes' + - '**/*.gitignore' + - '**/*.md' + pull_request: + branches: + - main + - release/* + - dotnet-vnext + workflow_dispatch: + +permissions: {} + +jobs: + lint: + runs-on: ubuntu-latest + + env: + FORCE_COLOR: 3 + POWERSHELL_YAML_VERSION: '0.4.12' + PSSCRIPTANALYZER_VERSION: '1.23.0' + TERM: xterm + + permissions: + contents: read + + steps: + + - name: Checkout code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + filter: 'tree:0' + show-progress: false + + - name: Add actionlint problem matcher + run: echo "::add-matcher::.github/actionlint-matcher.json" + + - name: Lint workflows + uses: docker://rhysd/actionlint@sha256:887a259a5a534f3c4f36cb02dca341673c6089431057242cdc931e9f133147e9 # v1.7.7 + with: + args: -color + + - name: Lint PowerShell in workflows + uses: martincostello/lint-actions-powershell@5942e3350ee5bd8f8933cec4e1185d13f0ea688f # v1.0.0 + with: + powershell-yaml-version: ${{ env.POWERSHELL_YAML_VERSION }} + psscriptanalyzer-version: ${{ env.PSSCRIPTANALYZER_VERSION }} + treat-warnings-as-errors: true + + - name: Lint PowerShell scripts + shell: pwsh + run: | + $settings = @{ + IncludeDefaultRules = $true + Severity = @("Error", "Warning") + } + $issues = Invoke-ScriptAnalyzer -Path ${env:GITHUB_WORKSPACE} -Recurse -ReportSummary -Settings $settings + foreach ($issue in $issues) { + $severity = $issue.Severity.ToString() + $level = $severity.Contains("Error") ? "error" : $severity.Contains("Warning") ? "warning" : "notice" + Write-Output "::${level} file=$($issue.ScriptName),line=$($issue.Line),title=PSScriptAnalyzer::$($issue.Message)" + } + if ($issues.Count -gt 0) { + exit 1 + } diff --git a/bench/benchmarks.ps1 b/bench/benchmarks.ps1 index 4f7548d037d..2d058b83bd9 100644 --- a/bench/benchmarks.ps1 +++ b/bench/benchmarks.ps1 
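Review bot: The annotation emitted in the "Lint PowerShell scripts" step uses `file=$($issue.ScriptName)`, which is only the leaf file name, so the `::error`/`::warning` will not attach to the right file in the PR view for scripts in subfolders such as `eng/` or `bench/`; the record's `ScriptPath` made relative to the workspace is what the `file=` parameter expects. The `$issue.Message` is also interpolated raw, and a message containing a newline terminates the workflow command early, so it should be escaped as the command syntax requires: `$file = [System.IO.Path]::GetRelativePath(${env:GITHUB_WORKSPACE}, $issue.ScriptPath)`, `$message = $issue.Message -replace '%', '%25' -replace "`r", '%0D' -replace "`n", '%0A'`, `Write-Output "::${level} file=${file},line=$($issue.Line),title=PSScriptAnalyzer::${message}"`. The step appears to rely on the preceding `lint-actions-powershell` action having installed PSScriptAnalyzer (its `psscriptanalyzer-version` input suggests so); a comment saying that, e.g. `# Invoke-ScriptAnalyzer is available because the previous step installs the module`, would save the next reader from checking.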
@@ -8,7 +8,7 @@ Param( $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" -Write-Host "Running benchmarks..." +Write-Output "Running benchmarks..." $additionalArgs = @() diff --git a/build.ps1 b/build.ps1 index ca1cfcdd00f..dea76c539ae 100755 --- a/build.ps1 +++ b/build.ps1 @@ -40,7 +40,7 @@ Param( $ErrorActionPreference = "Stop" $ProgressPreference = "SilentlyContinue" -Write-Host "Preparing to run build script..." +Write-Output "Preparing to run build script..." # Should we show verbose messages? if ($Verbose.IsPresent) @@ -50,12 +50,6 @@ if ($Verbose.IsPresent) $TOOLS_DIR = Join-Path $PSScriptRoot "tools" -# Is this a dry run? -$UseDryRun = ""; -if ($WhatIf.IsPresent) { - $UseDryRun = "-dryrun" -} - # Make sure tools folder exists if ((Test-Path $PSScriptRoot) -and !(Test-Path $TOOLS_DIR)) { New-Item -Path $TOOLS_DIR -Type directory | out-null @@ -70,8 +64,7 @@ if (-Not $SkipToolPackageRestore.IsPresent) Write-Verbose -Message "Restoring tools from NuGet..." - $NuGetOutput = Invoke-Expression "& dotnet tool restore" - Write-Verbose ($NuGetOutput | Out-String) + & dotnet tool restore | Write-Verbose Pop-Location if ($LASTEXITCODE -ne 0) @@ -80,7 +73,15 @@ if (-Not $SkipToolPackageRestore.IsPresent) } } +# Is this a dry run? +$additionalArgs = @(); +if ($WhatIf.IsPresent) { + $additionalArgs += "-dryrun" +} + # Start Cake -Write-Host "Running build script..." -Invoke-Expression "dotnet dotnet-cake `"$Script`" --target=`"$Target`" --configuration=`"$Configuration`" --verbosity=`"$Verbosity`" $UseDryRun" +Write-Output "Running build script..." + +& dotnet cake $Script "--target=$Target" "--configuration=$Configuration" "--verbosity=$Verbosity" $additionalArgs + exit $LASTEXITCODE diff --git a/eng/bump-version.ps1 b/eng/bump-version.ps1 index b6579054601..a2cadebf156 100644 --- a/eng/bump-version.ps1 +++ b/eng/bump-version.ps1 
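Review bot: `Write-Output "Running benchmarks..."` puts the status line on the success stream, so it now becomes part of the script's return value for any caller that captures it (`$result = ./bench/benchmarks.ps1`), which `Write-Host` never did; the same applies to the `Write-Output` replacements in the build.ps1, eng/bump-version.ps1 and eng/update-changelog.ps1 hunks. The callers are not visible here, so this may well be harmless, but if any of them consume the scripts' output these messages will pollute it. `Write-Information "Running benchmarks..." -InformationAction Continue` keeps the text visible on the console without placing it on the success stream and still avoids the analyzer's Write-Host rule.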
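Review bot: In the build.ps1 `@@ -80,7 +73,15 @@` hunk, `$additionalArgs = @();` carries a trailing semicolon that none of the neighbouring statements use, and the `# Is this a dry run?` comment that moved with it no longer explains what the variable is for now that it is a generic argument list; `# Extra arguments for dotnet-cake; empty unless -WhatIf adds -dryrun` over `$additionalArgs = @()` reads better. Passing the array directly to `& dotnet cake ...` is fine as far as I know (an empty array contributes no argument), but that relies on a PowerShell subtlety worth a one-line comment. Replacing the `Invoke-Expression` string with a direct `&` invocation and per-value quoted arguments is the right fix for the earlier interpolation.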
@@ -18,7 +18,7 @@ if ($ReleaseVersion.StartsWith("v")) { $version = [System.Version]::new($ReleaseVersion) $releasedVersion = $version.ToString() -Write-Host "Bumping version from $($pollyVersion.InnerText) to $releasedVersion" +Write-Output "Bumping version from $($pollyVersion.InnerText) to $releasedVersion" $pollyVersion.InnerText = $releasedVersion diff --git a/eng/update-changelog.ps1 b/eng/update-changelog.ps1 index 21c9b92f75f..6862936b3c6 100644 --- a/eng/update-changelog.ps1 +++ b/eng/update-changelog.ps1 @@ -11,7 +11,7 @@ if ($ReleaseVersion.StartsWith("v")) { $ReleaseVersion = $ReleaseVersion.Substring(1) } -Write-Host "Updating CHANGELOG for v$ReleaseVersion" +Write-Output "Updating CHANGELOG for v$ReleaseVersion" $repo = Join-Path $PSScriptRoot ".." $changelog = Join-Path $repo "CHANGELOG.md" @@ -27,20 +27,20 @@ $entry = [System.Collections.Generic.List[string]]@( $releaseNotes = $ReleaseNotesText.Split("`n") | Select-Object -Skip 1 foreach ($line in $releaseNotes) { -if ($line -eq "") { - continue -} -if ($line.StartsWith("##")) { - break -} -if (!$line.StartsWith("* ")) { - continue -} - -# Update the user's login to link to their GitHub profile -$line = $line -Replace "\@(([a-zA-Z0-9\-]+))", ('[@$1](' + $GitHubServerUrl + '/$1)') - -$entry.Add($line) + if ($line -eq "") { + continue + } + if ($line.StartsWith("##")) { + break + } + if (!$line.StartsWith("* ")) { + continue + } + + # Update the user's login to link to their GitHub profile + $line = $line -Replace "\@(([a-zA-Z0-9\-]+))", ('[@$1](' + $GitHubServerUrl + '/$1)') + + $entry.Add($line) } $index = $lines.IndexOf("") From 4d77100788b46db2035d65d156fbdbb7e6d5a74a Mon Sep 17 00:00:00 2001 
From: martincostello Date: Sat, 15 Feb 2025 14:46:02 +0000 Subject: [PATCH 2/4] Fix lint warnings - Fix PowerShell lint warnings in workflows. - Use `${env:}` for consistency. --- .github/workflows/after-release.yml | 6 ++--- .github/workflows/build.yml | 4 ++-- .../workflows/nuget-packages-published.yml | 2 +- .github/workflows/on-push-do-docs.yml | 8 +++---- .github/workflows/updater-approve.yml | 24 +++++++++---------- 5 files changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/workflows/after-release.yml b/.github/workflows/after-release.yml index 2d3fac42f69..85bf980537f 100644 --- a/.github/workflows/after-release.yml +++ b/.github/workflows/after-release.yml @@ -75,7 +75,7 @@ jobs: git rev-parse --verify --quiet "remotes/origin/${branchName}" | Out-Null if ($LASTEXITCODE -eq 0) { - Write-Host "Branch ${branchName} already exists." + Write-Output "Branch ${branchName} already exists." exit 0 } @@ -84,8 +84,8 @@ jobs: git commit -m "Update CHANGELOG`n`nUpdate CHANGELOG and samples for v${env:RELEASE_VERSION}." git push -u origin $branchName - "branch-name=${branchName}" >> $env:GITHUB_OUTPUT - "updated-version=true" >> $env:GITHUB_OUTPUT + "branch-name=${branchName}" >> ${env:GITHUB_OUTPUT} + "updated-version=true" >> ${env:GITHUB_OUTPUT} - name: Create pull request if: steps.push-changes.outputs.updated-version == 'true' diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2fdfc7b297e..494c7a3d45e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -117,8 +117,8 @@ jobs: $manifest = (Get-Content "./.config/dotnet-tools.json" | Out-String | ConvertFrom-Json) $dotnetSignVersion = $manifest.tools.sign.version $dotnetValidateVersion = $manifest.tools.'dotnet-validate'.version - "dotnet-sign-version=${dotnetSignVersion}" >> $env:GITHUB_OUTPUT - "dotnet-validate-version=${dotnetValidateVersion}" >> $env:GITHUB_OUTPUT + "dotnet-sign-version=${dotnetSignVersion}" >> ${env:GITHUB_OUTPUT} + "dotnet-validate-version=${dotnetValidateVersion}" >> ${env:GITHUB_OUTPUT} validate-packages: needs: build diff --git a/.github/workflows/nuget-packages-published.yml b/.github/workflows/nuget-packages-published.yml index 858cbef9faa..42b0fd7d1b4 100644 --- a/.github/workflows/nuget-packages-published.yml +++ b/.github/workflows/nuget-packages-published.yml @@ -75,7 +75,7 @@ jobs: exit 0 } - "published=true" >> $env:GITHUB_OUTPUT + "published=true" >> ${env:GITHUB_OUTPUT} notify-release: runs-on: [ ubuntu-latest ] diff --git a/.github/workflows/on-push-do-docs.yml b/.github/workflows/on-push-do-docs.yml index 9948cc88346..a11f42abdc4 100644 --- a/.github/workflows/on-push-do-docs.yml +++ b/.github/workflows/on-push-do-docs.yml @@ -49,13 +49,13 @@ jobs: $GitStatus = (git status --porcelain) if ([string]::IsNullOrEmpty($GitStatus)) { - Write-Host "No changes to commit." + Write-Output "No changes to commit." exit 0 } $TimeStamp = Get-Date -Format "yyyy-MM-dd-HH-mm" $BranchName = "docs/update-docs-$TimeStamp" - "branchName=$BranchName" >> $env:GITHUB_OUTPUT + "branchName=$BranchName" >> ${env:GITHUB_OUTPUT} $GitEmail = "138034000+polly-updater-bot[bot]@users.noreply.github.com" $GitUser = "polly-updater-bot[bot]" @@ -67,7 +67,7 @@ jobs: git rev-parse --verify --quiet ("remotes/origin/" + $BranchName) | Out-Null if ($LASTEXITCODE -eq 0) { - Write-Host "Branch $BranchName already exists." + Write-Output "Branch $BranchName already exists." exit 0 } 
@@ -75,7 +75,7 @@ jobs: git add . git commit -m "Update the code-snippets in the documentation" git push -u origin $BranchName - "updated-docs=true" >> $env:GITHUB_OUTPUT + "updated-docs=true" >> ${env:GITHUB_OUTPUT} - name: Create pull request if: steps.update-docs.outputs.updated-docs == 'true' diff --git a/.github/workflows/updater-approve.yml b/.github/workflows/updater-approve.yml index f4dcc808884..a7aba465962 100644 --- a/.github/workflows/updater-approve.yml +++ b/.github/workflows/updater-approve.yml @@ -44,7 +44,7 @@ jobs: /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits ` --jq '.[] | { author: .author.login, message: .commit.message }' | ConvertFrom-Json - $expectedUser = $env:UPDATER_LOGIN + $expectedUser = ${env:UPDATER_LOGIN} $onlyDependencyUpdates = $True $onlyChangesFromUser = $True @@ -79,7 +79,7 @@ jobs: # Did we find at least one dependency? $isPatch = $dependencies.Length -gt 0 $onlyTrusted = $dependencies.Length -gt 0 - $trustedPackages = $env:INCLUDE_NUGET_PACKAGES.Split(',') + $trustedPackages = ${env:INCLUDE_NUGET_PACKAGES}.Split(',') foreach ($dependency in $dependencies) { $isPatch = $isPatch -And $dependency.Type -eq "version-update:semver-patch" @@ -95,7 +95,7 @@ jobs: # Microsoft-published NuGet packages that were made by the GitHub # login we expect to make those changes in the other workflow. $isTrusted = (($onlyTrusted -And $isPatch) -And $onlyChangesFromUser) -And $onlyDependencyUpdates - "is-trusted-update=$isTrusted" >> $env:GITHUB_OUTPUT + "is-trusted-update=$isTrusted" >> ${env:GITHUB_OUTPUT} - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 
@@ -111,16 +111,16 @@ jobs: shell: pwsh run: | $approvals = gh api /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews | ConvertFrom-Json - $approvals = $approvals | Where-Object { $_.user.login -eq $env:REVIEWER_LOGIN } + $approvals = $approvals | Where-Object { $_.user.login -eq ${env:REVIEWER_LOGIN} } $approvals = $approvals | Where-Object { $_.state -eq "APPROVED" } if ($approvals.Length -eq 0) { - gh pr checkout "$env:PR_URL" - gh pr review --approve "$env:PR_URL" - gh pr merge --auto --squash "$env:PR_URL" + gh pr checkout "${env:PR_URL}" + gh pr review --approve "${env:PR_URL}" + gh pr merge --auto --squash "${env:PR_URL}" } else { - Write-Host "PR already approved."; + Write-Output "PR already approved."; } - name: Disable auto-merge and dismiss approvals @@ -131,12 +131,12 @@ jobs: shell: pwsh run: | $approvals = gh api /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews | ConvertFrom-Json - $approvals = $approvals | Where-Object { $_.user.login -eq $env:REVIEWER_LOGIN } + $approvals = $approvals | Where-Object { $_.user.login -eq ${env:REVIEWER_LOGIN} } $approvals = $approvals | Where-Object { $_.state -eq "APPROVED" } if ($approvals.Length -gt 0) { - gh pr checkout "$env:PR_URL" - gh pr merge --disable-auto "$env:PR_URL" + gh pr checkout "${env:PR_URL}" + gh pr merge --disable-auto "${env:PR_URL}" foreach ($approval in $approvals) { gh api ` --method PUT ` @@ -146,5 +146,5 @@ jobs: } } else { - Write-Host "PR not already approved."; + Write-Output "PR not already approved."; } From cf53d0bd163ec8579f5cb5b4bb83cb5e4e5e9c8c Mon Sep 17 00:00:00 2001 
From: martincostello Date: Sat, 15 Feb 2025 15:03:34 +0000 Subject: [PATCH 3/4] Avoid script interpolation - Use environment variables in inline scripts instead of using interpolation to avoid script injection. - Tighten-up some of the default GitHub token permissions. --- .github/workflows/build.yml | 19 ++++++++++++------- .github/workflows/dependabot-approve.yml | 8 +++++--- .github/workflows/dependency-review.yml | 6 ++++-- .github/workflows/gh-pages.yml | 6 ++++-- .github/workflows/on-push-do-docs.yml | 11 ++++++----- .github/workflows/stale.yml | 4 +--- .github/workflows/update-dotnet-sdk.yml | 8 +++++--- .github/workflows/updater-approve.yml | 19 ++++++++++++------- 8 files changed, 49 insertions(+), 32 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 494c7a3d45e..4380c8e35e0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -190,19 +190,22 @@ jobs: env: AZURE_CLIENT_ID: ${{ secrets.SIGN_CLI_APPLICATION_ID }} AZURE_CLIENT_SECRET: ${{ secrets.SIGN_CLI_SECRET }} + AZURE_KEY_VAULT_CERTIFICATE: ${{ secrets.SIGN_CLI_CERT_NAME }} + AZURE_KEY_VAULT_URL: ${{ secrets.SIGN_CLI_VAULT_URI }} AZURE_TENANT_ID: ${{ secrets.SIGN_CLI_TENANT_ID }} + VERBOSITY: ${{ runner.debug == '1' && 'Debug' || 'Warning' }} run: | ./sign code azure-key-vault ` **/*.nupkg ` - --base-directory "${{ github.workspace }}/packages" ` - --file-list "${{ github.workspace }}/signing-config/filelist.txt" ` + --base-directory "${env:GITHUB_WORKSPACE}/packages" ` + --file-list "${env:GITHUB_WORKSPACE}/signing-config/filelist.txt" ` --application-name "Polly" ` --publisher-name "App vNext" ` --description "Polly" ` - --description-url "https://github.com/${{ github.repository }}" ` - --azure-key-vault-certificate "${{ secrets.SIGN_CLI_CERT_NAME }}" ` - --azure-key-vault-url "${{ secrets.SIGN_CLI_VAULT_URI }}" ` - --verbosity "${{ runner.debug == '1' && 'Debug' || 'Warning' }}" + --description-url "https://github.com/${env:GITHUB_REPOSITORY}" ` + --azure-key-vault-certificate ${env:AZURE_KEY_VAULT_CERTIFICATE} ` + --azure-key-vault-url ${env:AZURE_KEY_VAULT_URL} ` + --verbosity "${env:VERBOSITY}" if ($LASTEXITCODE -ne 0) { Write-Output "::error::Failed to sign NuGet packages" exit 1 @@ -348,7 +351,9 @@ jobs: dotnet-version: ${{ needs.build.outputs.dotnet-sdk-version }} - name: Push signed NuGet packages to NuGet.org - run: dotnet nuget push "*.nupkg" --api-key ${{ secrets.NUGET_TOKEN }} --skip-duplicate --source https://api.nuget.org/v3/index.json + env: + NUGET_TOKEN: ${{ secrets.NUGET_TOKEN }} + run: dotnet nuget push "*.nupkg" --api-key ${env:NUGET_TOKEN} --skip-duplicate --source https://api.nuget.org/v3/index.json - name: Generate GitHub application token id: generate-application-token diff --git a/.github/workflows/dependabot-approve.yml b/.github/workflows/dependabot-approve.yml index 17ef440b723..b2b0cda1fa1 100644 
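Review bot: The two key-vault arguments are the only ones in the rewritten `sign` command left unquoted (`--azure-key-vault-certificate ${env:AZURE_KEY_VAULT_CERTIFICATE}` and `--azure-key-vault-url ${env:AZURE_KEY_VAULT_URL}`) while every neighbouring value is double-quoted; PowerShell passes a lone variable as a single argument either way, so this is consistency rather than a defect, but quoting them the same way stops a reader wondering whether the difference is deliberate. Moving the certificate name and vault URL from `${{ secrets.* }}` expansion into `env:` is the right call, since the values no longer appear in the rendered script text. The step's header lies before this hunk; the `@@ -348` hunk's `${env:NUGET_TOKEN}` is already corrected by the fourth patch in this series, so I have not re-raised it.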
--- a/.github/workflows/dependabot-approve.yml +++ b/.github/workflows/dependabot-approve.yml @@ -2,14 +2,16 @@ name: dependabot-approve on: pull_request_target -permissions: - contents: read +permissions: {} jobs: review: runs-on: ubuntu-latest if: github.event.repository.fork == false && github.event.pull_request.user.login == 'dependabot[bot]' + permissions: + contents: read + steps: - name: Get dependabot metadata @@ -22,7 +24,7 @@ jobs: with: application_id: ${{ secrets.POLLY_REVIEWER_BOT_APP_ID }} application_private_key: ${{ secrets.POLLY_REVIEWER_BOT_KEY }} - permissions: "contents:write, pull_requests:write, workflows:write" + permissions: 'contents:write, pull_requests:write, workflows:write' - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 72082648c50..eb1e63b69fd 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -7,14 +7,16 @@ on: - release/* - dotnet-vnext -permissions: - contents: read +permissions: {} jobs: dependency-review: runs-on: ubuntu-latest if: github.event.repository.fork == false + permissions: + contents: read + steps: - name: Checkout code diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 01a476c954d..b26699fec0d 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -12,8 +12,7 @@ on: - dotnet-vnext workflow_dispatch: -permissions: - contents: read +permissions: {} jobs: @@ -21,6 +20,9 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 20 + permissions: + contents: read + steps: - name: Checkout code diff --git a/.github/workflows/on-push-do-docs.yml b/.github/workflows/on-push-do-docs.yml index a11f42abdc4..ddbc2eb62f1 100644 --- a/.github/workflows/on-push-do-docs.yml +++ b/.github/workflows/on-push-do-docs.yml 
@@ -62,7 +62,7 @@ jobs: git config user.email $GitEmail | Out-Null git config user.name $GitUser | Out-Null - git remote set-url "${{ github.server_url }}/${{ github.repository }}.git" | Out-Null + git remote set-url "${env:GITHUB_SERVER_URL}/${env:GITHUB_REPOSITORY}.git" | Out-Null git fetch origin | Out-Null git rev-parse --verify --quiet ("remotes/origin/" + $BranchName) | Out-Null @@ -80,17 +80,18 @@ jobs: - name: Create pull request if: steps.update-docs.outputs.updated-docs == 'true' uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + env: + BRANCH_NAME: ${{ steps.update-docs.outputs.branchName }} with: github-token: ${{ steps.generate-application-token.outputs.token }} script: | const { repo, owner } = context.repo; - const workflowUrl = `${{ github.server_url }}/${owner}/${repo}/actions/runs/${process.env.GITHUB_RUN_ID}`; - const branchName = "${{ steps.update-docs.outputs.branchName }}"; - const result = await github.rest.pulls.create({ + const workflowUrl = `${process.env.GITHUB_SERVER_URL}/${owner}/${repo}/actions/runs/${process.env.GITHUB_RUN_ID}`; + await github.rest.pulls.create({ title: 'Update the code-snippets in the documentation', owner, repo, - head: branchName, + head: process.env.BRANCH_NAME, base: 'main', body: [ 'This PR updates the code-snippets in the documentation.', diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 9197262ac47..6a1cbbc7240 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -5,9 +5,7 @@ on: - cron: '30 1 * * *' workflow_dispatch: -permissions: - issues: read - pull-requests: read +permissions: {} jobs: stale: diff --git a/.github/workflows/update-dotnet-sdk.yml b/.github/workflows/update-dotnet-sdk.yml index 7c2d17b605f..49b66f5ae07 100644 --- a/.github/workflows/update-dotnet-sdk.yml +++ b/.github/workflows/update-dotnet-sdk.yml 
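Review bot: `git remote set-url "${env:GITHUB_SERVER_URL}/${env:GITHUB_REPOSITORY}.git" | Out-Null` is missing the remote name: `git remote set-url` takes `<name> <newurl>`, so with a single argument git exits with a usage error, `| Out-Null` discards it, nothing checks `$LASTEXITCODE`, and the following `git fetch origin` uses whatever URL `origin` already had. The pre-rewrite line had the same shape, so this is pre-existing, but it is the line under review; `git remote set-url origin "${env:GITHUB_SERVER_URL}/${env:GITHUB_REPOSITORY}.git" | Out-Null` is presumably what was intended, and a `$LASTEXITCODE` check after it would stop the failure being silent. The enclosing step begins before this hunk.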
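Review bot: The stale.yml hunk replaces the workflow-level `issues: read` / `pull-requests: read` with `permissions: {}` and adds no job-level block in this diff (the diffstat shows a single insertion), so the `stale` job now runs only with whatever it declares itself, which lies outside the hunk. Labelling or closing stale items needs `issues: write` and `pull-requests: write`; since the old top-level grant was read-only, the job presumably already carries its own write permissions, but that is worth confirming before merging because a job without them will start failing with 403 responses rather than at lint time.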
@@ -5,12 +5,13 @@ on: - cron: '0 12 * * WED' workflow_dispatch: -permissions: - contents: read +permissions: {} jobs: update-dotnet-sdk: uses: martincostello/update-dotnet-sdk/.github/workflows/update-dotnet-sdk.yml@758e92b362c4164925583874878423a794cce239 # v3.4.1 + permissions: + contents: read with: labels: "dependencies,.NET" update-nuget-packages: false @@ -32,4 +33,5 @@ jobs: - name: Add security label env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: gh pr edit "${{ needs.update-dotnet-sdk.outputs.pull-request-html-url }}" --add-label security + PR_URL: ${{ needs.update-dotnet-sdk.outputs.pull-request-html-url }} + run: gh pr edit "${PR_URL}" --add-label security diff --git a/.github/workflows/updater-approve.yml b/.github/workflows/updater-approve.yml index a7aba465962..02251f09c17 100644 --- a/.github/workflows/updater-approve.yml +++ b/.github/workflows/updater-approve.yml @@ -7,8 +7,7 @@ on: - release/* - dotnet-vnext -permissions: - contents: read +permissions: {} jobs: review: @@ -19,6 +18,9 @@ jobs: REVIEWER_LOGIN: "polly-reviewer-bot[bot]" UPDATER_LOGIN: "polly-updater-bot[bot]" + permissions: + contents: read + steps: - name: Generate GitHub application token @@ -27,7 +29,7 @@ jobs: with: application_id: ${{ secrets.POLLY_REVIEWER_BOT_APP_ID }} application_private_key: ${{ secrets.POLLY_REVIEWER_BOT_KEY }} - permissions: "contents:write, pull_requests:write" + permissions: 'contents:write, pull_requests:write' - name: Install powershell-yaml shell: pwsh 
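Review bot: Adding `permissions: contents: read` to the `update-dotnet-sdk` job that `uses:` a reusable workflow caps the `GITHUB_TOKEN` the called workflow receives, so if that workflow pushes a branch or opens the pull request with `GITHUB_TOKEN` it will now fail; if it does so with an app token passed through `secrets:` (not visible in this hunk) the change is fine. The `if:`/`secrets:` lines that would settle this lie outside the hunk. In the `@@ -32` hunk, the "Add security label" step's `gh pr edit --add-label` with `secrets.GITHUB_TOKEN` needs `pull-requests: write` at the job level now that the workflow-level default is `{}`; as with stale.yml, the previous read-only top-level grant suggests the job already declares it, but please confirm.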
@@ -38,10 +40,11 @@ jobs: env: INCLUDE_NUGET_PACKAGES: "Microsoft.AspNetCore.,Microsoft.EntityFrameworkCore.,Microsoft.Extensions.,System.Text.Json" GH_TOKEN: ${{ steps.generate-application-token.outputs.token }} + PR_NUMBER: ${{ github.event.pull_request.number }} shell: pwsh run: | $commits = gh api ` - /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits ` + /repos/${env:GITHUB_REPOSITORY}/pulls/${env:PR_NUMBER}/commits ` --jq '.[] | { author: .author.login, message: .commit.message }' | ConvertFrom-Json $expectedUser = ${env:UPDATER_LOGIN} @@ -107,10 +110,11 @@ jobs: if: steps.check-dependencies.outputs.is-trusted-update == 'true' env: GH_TOKEN: ${{ steps.generate-application-token.outputs.token }} + PR_NUMBER: ${{ github.event.pull_request.number }} PR_URL: ${{ github.event.pull_request.html_url }} shell: pwsh run: | - $approvals = gh api /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews | ConvertFrom-Json + $approvals = gh api /repos/${env:GITHUB_REPOSITORY}/pulls/${env:PR_NUMBER}/reviews | ConvertFrom-Json $approvals = $approvals | Where-Object { $_.user.login -eq ${env:REVIEWER_LOGIN} } $approvals = $approvals | Where-Object { $_.state -eq "APPROVED" } @@ -127,10 +131,11 @@ jobs: if: steps.check-dependencies.outputs.is-trusted-update != 'true' env: GH_TOKEN: ${{ steps.generate-application-token.outputs.token }} + PR_NUMBER: ${{ github.event.pull_request.number }} PR_URL: ${{ github.event.pull_request.html_url }} shell: pwsh run: | - $approvals = gh api /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews | ConvertFrom-Json + $approvals = gh api /repos/${env:GITHUB_REPOSITORY}/pulls/${env:PR_NUMBER}/reviews | ConvertFrom-Json $approvals = $approvals | Where-Object { $_.user.login -eq ${env:REVIEWER_LOGIN} } $approvals = $approvals | Where-Object { $_.state -eq "APPROVED" } 
@@ -140,7 +145,7 @@ jobs: foreach ($approval in $approvals) { gh api ` --method PUT ` - /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews/$($approval.id)/dismissals ` + /repos/${env:GITHUB_REPOSITORY}/pulls/${env:PR_NUMBER}/reviews/$($approval.id)/dismissals ` -f message='Cannot approve as other changes have been introduced.' ` -f event='DISMISS' } From 96cdf7ee6eff494b6365b24c5d7dbaa05e78b43d Mon Sep 17 00:00:00 2001 From: martincostello Date: Sat, 15 Feb 2025 15:05:13 +0000 Subject: [PATCH 4/4] Fix lint warning Fix PowerShell syntax in bash command. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4380c8e35e0..b6603eba025 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -353,7 +353,7 @@ jobs: - name: Push signed NuGet packages to NuGet.org env: NUGET_TOKEN: ${{ secrets.NUGET_TOKEN }} - run: dotnet nuget push "*.nupkg" --api-key ${env:NUGET_TOKEN} --skip-duplicate --source https://api.nuget.org/v3/index.json + run: dotnet nuget push "*.nupkg" --api-key "${NUGET_TOKEN}" --skip-duplicate --source https://api.nuget.org/v3/index.json - name: Generate GitHub application token id: generate-application-token
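Review bot: The corrected run line `dotnet nuget push "*.nupkg" --api-key "${NUGET_TOKEN}" ...` uses bash syntax but the step still relies on the job's default shell being bash; the previous patch in this series wrote `${env:NUGET_TOKEN}` into this same line, which shows how easily the two get mixed up in a repository whose other steps are `shell: pwsh`. Declaring `shell: bash` on the step makes the assumption explicit and prevents a repeat. Using `--api-key "${NUGET_TOKEN:?}"` additionally makes a missing or empty secret fail before the push rather than sending an empty key to nuget.org.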