From 4f6782a152e06de9a4dea3527f7331be9174c5af Mon Sep 17 00:00:00 2001 From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Mon, 15 Jan 2024 15:23:46 -0500 Subject: [PATCH 1/3] Use organization-managed access tokens --- .github/workflows/actions-versions-updater.yml | 11 +++++++++-- .github/workflows/bump-version.yml | 8 +++++++- .github/workflows/first_pull_request.yml | 6 ++++++ .github/workflows/main.yml | 4 ++++ .github/workflows/publish-pypi.yml | 3 +++ .github/workflows/tag-testpypi.yml | 5 +++++ 6 files changed, 34 insertions(+), 3 deletions(-) diff --git a/.github/workflows/actions-versions-updater.yml b/.github/workflows/actions-versions-updater.yml index bb05b24e..19c081e9 100644 --- a/.github/workflows/actions-versions-updater.yml +++ b/.github/workflows/actions-versions-updater.yml @@ -6,19 +6,26 @@ on: - cron: '0 0 1 * *' workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest + permissions: + actions: write + contents: write + pull-requests: write steps: - uses: actions/checkout@v4.1.1 with: # This requires a personal access token with the privileges to push directly to `main` - token: ${{ secrets.WORKFLOW_TOKEN }} + token: ${{ secrets.ACTIONS_VERSION_UPDATER_TOKEN }} persist-credentials: true - name: Run GitHub Actions Version Updater uses: saadmk11/github-actions-version-updater@v0.8.1 with: - token: ${{ secrets.WORKFLOW_TOKEN }} + token: ${{ secrets.ACTIONS_VERSION_UPDATER_TOKEN }} committer_email: 'bumpversion[bot]@ouranos.ca' committer_username: 'update-github-actions[bot]' pull_request_title: '[bot] Update GitHub Action Versions' diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml index 38fbaad9..5b5f67e2 100644 --- a/.github/workflows/bump-version.yml +++ b/.github/workflows/bump-version.yml 
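Review bot: The job-level `permissions` block added under `build` (`actions: write`, `contents: write`, `pull-requests: write`) only widens the built-in GITHUB_TOKEN, while both steps in this hunk authenticate with `secrets.ACTIONS_VERSION_UPDATER_TOKEN`, so those write grants appear unused and the effective privilege is whatever that token carries. Unless a step outside the hunk relies on GITHUB_TOKEN, dropping the job-level block so the workflow-level `contents: read` applies keeps the job least-privilege; otherwise add a comment naming the step that needs each scope. The retained comment above the checkout token still describes a "personal access token", which no longer matches the commit's switch to organization-managed tokens; consider rewording it to something like `# Organization-managed token used to push the update branch and open the PR; its scopes are managed in the org settings` (wording inferred from the two steps — confirm). Both `actions/checkout@v4.1.1` and `saadmk11/github-actions-version-updater@v0.8.1` receive that token through mutable tag references; pinning each to a full commit SHA with the tag in a trailing comment limits what a moved upstream tag could do with it. The `build` job continues past the end of the hunk.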
@@ -28,9 +28,15 @@ on: - xhydro/__init__.py workflow_dispatch: +permissions: + contents: read + jobs: bump_patch_version: runs-on: ubuntu-latest + permissions: + actions: read + contents: write steps: - uses: actions/checkout@v4 with: @@ -54,5 +60,5 @@ jobs: uses: ad-m/github-push-action@master with: force: false - github_token: ${{ secrets.BUMPVERSION_TOKEN }} + github_token: ${{ secrets.BUMP_VERSION_TOKEN }} branch: ${{ github.ref }} diff --git a/.github/workflows/first_pull_request.yml b/.github/workflows/first_pull_request.yml index adc51fe0..1450d3c3 100644 --- a/.github/workflows/first_pull_request.yml +++ b/.github/workflows/first_pull_request.yml @@ -5,10 +5,16 @@ on: types: - opened +permissions: + contents: read + jobs: welcome: name: Welcome runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - uses: actions/github-script@v6 with: diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index dbf1616a..d9a0ac2c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -12,6 +12,10 @@ on: - xhydro/__init__.py pull_request: +permissions: + contents: read + pull-requests: read + jobs: lint: name: Lint (Python${{ matrix.python-version }}) diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml index 04e42d9d..a991ece7 100644 --- a/.github/workflows/publish-pypi.yml +++ b/.github/workflows/publish-pypi.yml @@ -5,6 +5,9 @@ on: types: - published +permissions: + contents: read + jobs: build-n-publish-pypi: name: Build and publish Python 🐍 distributions 📦 to PyPI diff --git a/.github/workflows/tag-testpypi.yml b/.github/workflows/tag-testpypi.yml index 54eb2cbe..45e68bcb 100644 --- a/.github/workflows/tag-testpypi.yml +++ b/.github/workflows/tag-testpypi.yml 
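Review bot: The job-level grant of `contents: write` (and `actions: read`) to `bump_patch_version` widens GITHUB_TOKEN, but the push in the second hunk of this file (`@@ -54,5 +60,5`) authenticates with `secrets.BUMP_VERSION_TOKEN`, so nothing in the visible lines appears to use the wider GITHUB_TOKEN; the checkout and intermediate steps sit outside the hunk, so confirm before trimming the job back to `contents: read`. `actions: read` in particular has no visible consumer; if a step needs it, a one-line comment such as `# actions: read — needed by <step name>` (placeholder) would document why. The job body continues past the end of the hunk.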
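Review bot: `ad-m/github-push-action@master` is referenced by a mutable branch and now receives `secrets.BUMP_VERSION_TOKEN`, a token with push rights to the repository, so any change landing on that upstream branch runs with that credential. Pin it to a release tag or, better, a full commit SHA with the version in a trailing comment, e.g. `uses: ad-m/github-push-action@<commit-sha>  # <release tag>` (placeholders — look up the current release), matching the explicit version pins already used for the other actions touched by this commit. The surrounding job starts outside the hunk.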
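Review bot: Whether the new job-level `pull-requests: write` takes effect for the welcome comment depends on the trigger event declared above line 5, which is outside the hunk: under `pull_request` GITHUB_TOKEN stays read-only for pull requests opened from forks regardless of this block, whereas `pull_request_target` grants it but runs in the base-repository context. Confirm which event the workflow uses and record the reason next to the grant, e.g. `# pull-requests: write — github-script posts the welcome comment`. The job-level `contents: read` repeats the workflow-level default added in the same hunk and can be dropped so the block lists only the one scope the job actually needs.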
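Review bot: `pull-requests: read` is granted workflow-wide, but the only job visible in the hunk (`lint`) has no apparent need for pull-request API access; its steps and the remaining jobs lie outside the hunk. If no step reads PR metadata through the API, `contents: read` alone is the least-privilege choice; if one does, a comment such as `# pull-requests: read — used by <job/step>` (placeholder) next to the scope would make the grant reviewable.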
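Review bot: Adding a workflow-level `permissions` block replaces the default GITHUB_TOKEN permissions for every job, so `build-n-publish-pypi` (whose body lies outside the hunk) now runs with `contents: read` only; if it publishes through PyPI trusted publishing it also needs `id-token: write` at the job level, which this hunk does not add, and the upload would fail at the OIDC token exchange. If it instead uses a stored PyPI API token secret, the block is sufficient and that is worth stating, e.g. `# publishing uses a PyPI API token secret; no id-token: write needed` (confirm against the job). The same check applies to the tag-testpypi.yml hunk further down if that file also contains a TestPyPI publishing job, since there only the `release` job receives additional permissions.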
@@ -5,11 +5,16 @@ on: tags: - 'v*.*' # Push events to matching v*, i.e. v1.0, v20.15.10 +permissions: + contents: read + jobs: release: name: Create Release from tag runs-on: ubuntu-latest if: startsWith(github.ref, 'refs/tags/v') && endsWith(github.ref, '.0') + permissions: + contents: write steps: - name: Checkout code uses: actions/checkout@v4 From 0f26a5a0ec7e23a64d82f23ea5cd6dbb6a21cf3e Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 15 Jan 2024 20:25:53 +0000 Subject: [PATCH 2/3] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- pyproject.toml | 1 - 1 file changed, 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index ac75f0bf..49c07bd7 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -123,7 +123,6 @@ filename = ".cruft.json" search = "\"version\": \"{current_version}\"" replace = "\"version\": \"{new_version}\"" - [tool.coverage.run] relative_files = true include = ["xhydro/*"] From f90a0a10b53b939991aa08721522cd0d5c192eb0 Mon Sep 17 00:00:00 2001 From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Mon, 15 Jan 2024 17:09:00 -0500 Subject: [PATCH 3/3] commit to re-run RTD --- .github/workflows/actions-versions-updater.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/actions-versions-updater.yml b/.github/workflows/actions-versions-updater.yml index 19c081e9..91a64cf5 100644 --- a/.github/workflows/actions-versions-updater.yml +++ b/.github/workflows/actions-versions-updater.yml @@ -22,6 +22,7 @@ jobs: # This requires a personal access token with the privileges to push directly to `main` token: ${{ secrets.ACTIONS_VERSION_UPDATER_TOKEN }} persist-credentials: true + - name: Run GitHub Actions Version Updater uses: saadmk11/github-actions-version-updater@v0.8.1 with: