diff --git a/.github/actions/comment/action.yml b/.github/actions/comment/action.yml
new file mode 100644
index 000000000..5d4660188
--- /dev/null
+++ b/.github/actions/comment/action.yml
@@ -0,0 +1,31 @@
+---
+name: "comment"
+description: "Comment on a given pull request or issue"
+inputs:
+ token:
+ description: "A token with pull request or issue write permission"
+ required: true
+
+runs:
+ using: "composite"
+ steps:
+ - name: Update pr with info from other runners
+ uses: actions/github-script@v7
+ with:
+ github-token: ${{ inputs.token }}
+ script: |
+ var fs = require('fs');
+ var issue_number = Number(fs.readFileSync('./results/id'));
+ var problem_count = Number(fs.readFileSync(
+ './results/problem-count'
+ ));
+ var summary = String(fs.readFileSync('./results/summary'));
+
+ if (problem_count > 0) {
+ github.rest.issues.createComment({
+ owner: context.repo.owner,
+ issue_number: issue_number,
+ repo: context.repo.repo,
+ body: summary
+ });
+ }
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c637ad2fd..ad5bef3e6 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,19 +13,23 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: collect: + name: Collect DEVFAMILY and OS combinations runs-on: ubuntu-latest container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read outputs: build-matrix: "${{ steps.matrix.outputs.matrix }}" steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Create build matrix id: matrix
@@ -38,8 +42,6 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read needs: collect strategy: matrix: 
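Review bot: `github.rest.issues.createComment({` inside the `script` block is not awaited, so a rejected request (for example a 403 when the supplied token cannot write to the pull request) surfaces as an unhandled promise rejection rather than a clear step failure; change it to `await github.rest.issues.createComment({`. The action also assumes `./results/id`, `./results/problem-count` and `./results/summary` already exist — `readFileSync` throws otherwise — which matters because the callers in this diff run it under `if: always()`, so a check step that died before preparing `results/` produces a second, misleading failure here; a guard such as `if (!fs.existsSync('./results/id')) { core.warning('results/ not prepared, nothing to comment'); return; }` before the reads would make that contract explicit. Since nothing else documents it, `description` should also name the three files under `./results/` that the caller must write before invoking the action. `const` rather than `var` is the usual style for github-script snippets.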
@@ -48,15 +50,19 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Add directory to safe dir overrides run: | git config --global --add safe.directory "$PWD" - name: Build ${{ matrix.device }} + env: + DEVFAMILY: ${{ matrix.device }} + OS: ${{ matrix.os }} run: | - make DEVFAMILY=${{ matrix.device }} OS=${{ matrix.os }} \ - VERSION=${{ github.ref_name }} + make VERSION=${GITHUB_REF_NAME} - name: Upload artifact uses: actions/upload-artifact@v4
diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml
index e98c34d7b..654a2eedd 100644
--- a/.github/workflows/check-files.yml
+++ b/.github/workflows/check-files.yml
@@ -7,10 +7,17 @@ on: # yamllint disable-line rule:truthy paths: - 'source/**' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash +permissions: + contents: read + jobs: lint: name: Lint
@@ -18,12 +25,15 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash + permissions: - contents: read + pull-requests: write # Required to comment on pull requests steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Update refs and settings run: |
@@ -33,6 +43,9 @@ jobs: git switch master - name: Run check_files.py + id: check + env: + EVENT_NUMBER: ${{ github.event.number }} run: | # Disable color output export NO_COLOR=true 
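Review bot: Moving `DEVFAMILY` and `OS` from make command-line arguments into the step's `env:` changes their precedence: a variable given on the make command line overrides any assignment in the Makefile, whereas an environment variable is overridden by a plain `=`/`:=` assignment and only survives a `?=` one. Unless the Makefile uses `?=` for both (it is outside this diff), the build will now silently ignore the matrix values. Keeping the values in `env:` — which is what removes the expression-injection risk — while still passing them on the command line through the shell preserves the old behaviour: `make DEVFAMILY="$DEVFAMILY" OS="$OS" VERSION="$GITHUB_REF_NAME"`.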
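Review bot: `pull-requests: write` on the `lint` job only takes effect for pull requests opened from branches in this repository; on a `pull_request` run from a fork the `GITHUB_TOKEN` is read-only regardless of this block, so the `Comment` step later in the file will fail with a 403 and, because it runs under `if: always()`, the job fails even when the check itself passed. The deleted `comment.yml` used `workflow_run` precisely to obtain a write token for fork PRs, and this commit removes that path without a replacement (the trigger type is outside the hunk; this is inferred from `github.event.number` and the old `workflow_run` wiring). If fork PRs matter here, either keep a `workflow_run`-based commenter or make the comment step tolerate a read-only token, e.g. `if: always() && github.event.pull_request.head.repo.full_name == github.repository`. The identical blocks in `check_toc_txt.yml` and `rstcheck.yml` have the same issue.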
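Review bot: `id: check` is added to the `Run check_files.py` step but nothing visible references `steps.check`, and the parallel edits to `check_toc_txt.yml` and `rstcheck.yml` do not add an `id` to their check step; either drop it or use it (for instance to key the comment step on this step's outcome) so the three workflows stay in step. The step's `run:` body continues outside the hunk.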
@@ -53,17 +66,15 @@ jobs: # Prepare the artifacts mkdir -p ./results - echo "${{ github.event.number }}" > ./results/id + echo "$EVENT_NUMBER" > ./results/id cp "$GITHUB_STEP_SUMMARY" ./results/summary echo "$(wc -l < _new-warn.log)" > ./results/problem-count # Exit with error if there are new warnings [ "$WARNING_COUNT" -eq "0" ] - - name: Save results - uses: actions/upload-artifact@v4 + - name: Comment + uses: ./.github/actions/comment if: always() with: - name: results - path: results/ - retention-days: 1 + token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/check_toc_txt.yml b/.github/workflows/check_toc_txt.yml
index d8c9ecda6..2923130ed 100644
--- a/.github/workflows/check_toc_txt.yml
+++ b/.github/workflows/check_toc_txt.yml
@@ -8,10 +8,17 @@ on: # yamllint disable-line rule:truthy - 'source/**' - 'configs/*/*_toc.txt' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash +permissions: + contents: read + jobs: lint: name: Lint
@@ -19,12 +26,15 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash + permissions: - contents: read + pull-requests: write # Required to comment on pull requests steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Update refs and settings run: |
@@ -34,6 +44,8 @@ jobs: git switch master - name: Run rstcheck + env: + EVENT_NUMBER: ${{ github.event.number }} run: | # Disable color output export NO_COLOR=true 
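Review bot: `uses: ./.github/actions/comment` is, as far as I know, read from the job's workspace at the moment the step executes, and an earlier step of this job runs `git switch master`; unless the check script switches back to the PR head afterwards (that part is outside the hunk), the step will load `master`'s copy of the action, which does not exist until this change is merged, and so will fail on the very pull request that introduces it. A short comment on the step, such as `# local action: loaded from the checked-out tree, which must be on the PR head at this point`, would record that ordering dependency for the next editor. `check_toc_txt.yml` and `rstcheck.yml` have the same sequence.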
@@ -54,17 +66,15 @@ jobs: # Prepare the artifacts mkdir -p ./results - echo "${{ github.event.number }}" > ./results/id + echo "$EVENT_NUMBER" > ./results/id cp "$GITHUB_STEP_SUMMARY" ./results/summary echo "$(wc -l < _new-warn.log)" > ./results/problem-count # Exit with error if there are new warnings [ "$WARNING_COUNT" -eq "0" ] - - name: Save results - uses: actions/upload-artifact@v4 + - name: Comment + uses: ./.github/actions/comment if: always() with: - name: results - path: results/ - retention-days: 1 + token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/comment.yml b/.github/workflows/comment.yml
deleted file mode 100644
index c54a4cf03..000000000
--- a/.github/workflows/comment.yml
+++ /dev/null
@@ -1,49 +0,0 @@ ---- -name: "comment" - -on: # yamllint disable-line rule:truthy - workflow_run: - workflows: - - rstcheck - - check_toc_txt - - check-files - types: - - completed - -jobs: - comment: - name: Comment - runs-on: ubuntu-latest - if: ${{ github.event.workflow_run.event == 'pull_request' }} - permissions: - pull-requests: write - - steps: - - name: Download artifact - uses: actions/download-artifact@v4 - with: - name: results - run-id: ${{ github.event.workflow_run.id }} - github-token: ${{ secrets.GITHUB_TOKEN }} - path: results - - - name: Update pr with info from other runners - uses: actions/github-script@v7 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - var fs = require('fs'); - var issue_number = Number(fs.readFileSync('./results/id')); - var problem_count = Number(fs.readFileSync( - './results/problem-count' - )); - var summary = String(fs.readFileSync('./results/summary')); - - if (problem_count > 0) { - github.rest.issues.createComment({ - owner: context.repo.owner, - issue_number: issue_number, - repo: context.repo.repo, - body: summary - }); - }
diff --git a/.github/workflows/commit-check.yml b/.github/workflows/commit-check.yml
index c4933e4fb..9750a3b18 100644
--- a/.github/workflows/commit-check.yml 
+++ b/.github/workflows/commit-check.yml
@@ -1,23 +1,25 @@ --- name: Commit Check -on: # yamllint disable-line rule:truthy - pull_request: - branches: ['master'] +on: [pull_request] # yamllint disable-line rule:truthy + +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + +permissions: + contents: read jobs: commit-check: name: Commit Check runs-on: ubuntu-latest - permissions: - contents: read - issues: write - pull-requests: write steps: - name: Checkout uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Check commit uses: commit-check/commit-check-action@v2
diff --git a/.github/workflows/component-owners.yml b/.github/workflows/component-owners.yml
index 59f35f80a..e93aecdfe 100644
--- a/.github/workflows/component-owners.yml
+++ b/.github/workflows/component-owners.yml 
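Review bot: Replacing `pull_request: branches: ['master']` with `on: [pull_request]` widens the trigger to pull requests against every base branch, a behaviour change unrelated to the permission clean-up that should either be called out or reverted by keeping the `branches` filter. Dropping `issues: write` and `pull-requests: write` from the job is right for a read-only check, but if `commit-check/commit-check-action@v2` is configured to post its findings as a PR comment (its `with:` block, if any, is outside the hunk) that call will now fail with the read-only token, so confirm the action's options before merging.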
@@ -1,26 +1,27 @@ --- name: "component-owners" -on: # yamllint disable-line rule:truthy - # It's insecure to use pull_request_target if you intend to check out code - # from that PR. This just reads the config file in the pull request base, and - # is not an issue currently. We will need to use this to comment on PRs coming - # from forked repositories. - pull_request_target: - branches: [master] +# It's insecure to use pull_request_target if you intend to check out code +# from that PR. This just reads the config file in the pull request base, and +# is not an issue currently. We will need to use this to comment on PRs coming +# from forked repositories. +on: [pull_request_target] # yamllint disable-line rule:truthy + +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true permissions: - # Clamp permissions since pull_request_target workflows granted full - # read/write repository permission by default contents: read - issues: write - pull-requests: write jobs: component-owners: name: Assign component owners runs-on: ubuntu-latest + permissions: + pull-requests: write # Required to set reviewers + steps: - name: Assign component owners uses: dyladan/component-owners@main
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 1bfd50c2c..a4468f363 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -8,6 +8,13 @@ on: # yamllint disable-line rule:truthy types: - completed +concurrency: + group: pages + cancel-in-progress: true + +permissions: + contents: read + jobs: agregate: name: Agregate build artifacts
@@ -16,12 +23,12 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Add directory to safe dir overrides run: | 
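Review bot: The job now grants `pull-requests: write` to `dyladan/component-owners@main` under `pull_request_target`, and `@main` is a mutable reference: anyone who can push to that branch can run code of their choosing with a write-capable token on every pull request to this repository. Pin the action to a full commit SHA, `uses: dyladan/component-owners@<commit-sha>  # vX.Y`, and let Dependabot or Renovate bump it. Removing the `branches: [master]` filter also means this privileged workflow now runs for PRs against any base branch; confirm that is intended. The comment block kept above `on:` still says commenting on fork PRs is future work, which may be stale now that this commit moves commenting into the `pull_request` workflows.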
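Review bot: `cancel-in-progress: true` on the `pages` concurrency group will abort a deployment that is already publishing when a second build completes; GitHub's Pages starter workflows use `cancel-in-progress: false` for this group so an in-flight deployment finishes and only queued runs are superseded. Suggest `cancel-in-progress: false  # queue, never cancel, an in-flight Pages deployment`.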
@@ -51,8 +58,8 @@ jobs: runs-on: ubuntu-latest needs: agregate permissions: - pages: write - id-token: write + pages: write # Required for deployment to GitHub Pages + id-token: write # Required for deployment to GitHub Pages steps: - name: Update github page deployment
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 061a1d992..bc6922319 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -7,21 +7,30 @@ on: # yamllint disable-line rule:truthy - 'docker/**' - requirements.txt +concurrency: + group: docker + cancel-in-progress: true + env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} +permissions: + contents: read + jobs: build: name: Build runs-on: ubuntu-latest + permissions: - contents: read - packages: write + packages: write # Required to push image to ghcr.io steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3
diff --git a/.github/workflows/rstcheck.yml b/.github/workflows/rstcheck.yml
index 04a45c93d..e6794c92e 100644
--- a/.github/workflows/rstcheck.yml
+++ b/.github/workflows/rstcheck.yml
@@ -7,10 +7,17 @@ on: # yamllint disable-line rule:truthy paths: - 'source/**' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash +permissions: + contents: read + jobs: lint: name: Lint
@@ -18,12 +25,15 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash + permissions: - contents: read + pull-requests: write # Required to comment on pull requests steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Update refs and settings run: |
@@ -33,6 +43,8 @@ jobs: git switch master - name: Run rstcheck + env: + EVENT_NUMBER: ${{ github.event.number }} run: | # Disable color output export NO_COLOR=true 
@@ -53,17 +65,15 @@ jobs: # Prepare the artifacts mkdir -p ./results - echo "${{ github.event.number }}" > ./results/id + echo "$EVENT_NUMBER" > ./results/id cp "$GITHUB_STEP_SUMMARY" ./results/summary echo "$(wc -l < _new-warn.log)" > ./results/problem-count # Exit with error if there are new warnings [ "$WARNING_COUNT" -eq "0" ] - - name: Save results - uses: actions/upload-artifact@v4 + - name: Comment + uses: ./.github/actions/comment if: always() with: - name: results - path: results/ - retention-days: 1 + token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/vale.yml b/.github/workflows/vale.yml
index 1c493f94f..4b8b8bb8e 100644
--- a/.github/workflows/vale.yml
+++ b/.github/workflows/vale.yml
@@ -3,10 +3,17 @@ name: "vale" on: [pull_request] # yamllint disable-line rule:truthy +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash +permissions: + contents: read + jobs: vale: name: vale
@@ -14,8 +21,6 @@ jobs: container: image: ghcr.io/staticrocket/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Prepare GitHub workdir
@@ -24,6 +29,8 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Get changed files id: changed-files
diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml
index 967316adc..56a8ed1d8 100644
--- a/.github/workflows/yamllint.yml
+++ b/.github/workflows/yamllint.yml
@@ -8,6 +8,13 @@ on: # yamllint disable-line rule:truthy - '**.yaml' - '**.yml' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + +permissions: + contents: read + jobs: yamllint: name: yamllint
@@ -15,6 +22,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: yamllint uses: reviewdog/action-yamllint@v1
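Review bot: The `vale` job's container is `ghcr.io/staticrocket/processor-sdk-doc:latest`, while every other workflow in this diff uses `ghcr.io/texasinstruments/processor-sdk-doc:latest`; a floating `:latest` image from a different owner (apparently a personal namespace) is an unreviewed code path that runs on every pull request, and this hunk is otherwise tightening the job. Switch it to the project image, or pin the intended one by digest (`image: ghcr.io/<owner>/processor-sdk-doc@sha256:<digest>`) with a comment saying why a different image is needed.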
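Review bot: With `permissions: contents: read` now set at workflow level and no job-level `permissions:` on `yamllint`, `reviewdog/action-yamllint@v1` loses whatever write scopes the repository default may have given it; reviewdog reporters that post findings to the pull request need `pull-requests: write` (and `checks: write` for the check-run reporter), so depending on the `reporter` configured outside the hunk the step may no longer be able to publish its results. Add a job-level block mirroring the other workflows, e.g. `permissions:` / `  pull-requests: write  # Required for reviewdog to annotate the PR`, or switch to a reporter that only writes to the job log.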