diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d56e23d..56a3a07 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,7 +13,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
-
+ with:
+ persist-credentials: false
 - name: Setup Node.js environment
 uses: actions/setup-node@v4
 with:
diff --git a/.github/workflows/dependabot-reviewer.yml b/.github/workflows/dependabot-reviewer.yml
index 992fe3d..2c71c98 100644
--- a/.github/workflows/dependabot-reviewer.yml
+++ b/.github/workflows/dependabot-reviewer.yml
@@ -1,6 +1,6 @@
 name: Dependabot reviewer
-on: pull_request_target
+on: pull_request
 permissions:
 pull-requests: write
diff --git a/.github/workflows/issue_commands.yml b/.github/workflows/issue_commands.yml
index 7fb60fb..7fb22ae 100644
--- a/.github/workflows/issue_commands.yml
+++ b/.github/workflows/issue_commands.yml
@@ -9,13 +9,14 @@ jobs:
 - name: Checkout Actions
 uses: actions/checkout@v4
 with:
- repository: "grafana/grafana-github-actions"
+ repository: 'grafana/grafana-github-actions'
 path: ./actions
 ref: main
+ persist-credentials: false
 - name: Install Actions
 run: npm install --production --prefix ./actions
 - name: Run Commands
 uses: ./actions/commands
- with:
+ with:
 token: ${{secrets.GH_BOT_ACCESS_TOKEN}}
- configPath: issue_commands
\ No newline at end of file
+ configPath: issue_commands
diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
index 3030bc0..b1f1838 100644
--- a/.github/workflows/publish-npm.yml
+++ b/.github/workflows/publish-npm.yml
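Review bot: `actions/checkout@v4` and `actions/setup-node@v4` in this hunk stay pinned to mutable tags, while the same commit pins `EndBug/version-check` to a full commit SHA in publish-npm.yml; a tag can be moved to point at different code, so the pinning discipline should be consistent across the workflows. Pin both to the commit SHA of the intended release and keep the tag as a trailing comment so readers and Dependabot/Renovate can still track it, e.g. `uses: actions/checkout@<sha> # v4`. The added `persist-credentials: false` is the right default, since none of the visible steps pushes back to the repository; if a step outside this hunk does push, it will now have to be given a token explicitly.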
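Review bot: Switching the trigger to `pull_request` changes what the job may touch, not only where it runs: for PRs from forks the `GITHUB_TOKEN` is read-only regardless of the `pull-requests: write` key below, and for Dependabot-triggered runs the workflow is served Dependabot secrets rather than repository secrets. That is the right trade for a reviewer that only needs to approve or comment on Dependabot's own PRs, but the steps outside this hunk should be checked to rely on `GITHUB_TOKEN` only, and any `gh pr merge` would additionally need `contents: write`. If it is not already there, gate the job with `if: github.actor == 'dependabot[bot]'` so a contributor-opened PR cannot reach the auto-approval path; the job definition is outside this hunk.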
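Review bot: `ref: main` on the `grafana/grafana-github-actions` checkout is a floating branch whose contents are then installed with `npm install` and executed with `secrets.GH_BOT_ACCESS_TOKEN`, so anyone who can push to that branch runs code with the bot token in this repository; the added `persist-credentials: false` does not change that. The commit pins `EndBug/version-check` to a full SHA elsewhere, so apply the same discipline here, `ref: <commit-sha> # main as of <date>`, and bump it deliberately. If that repository ships a lockfile, `npm ci --omit=dev --prefix ./actions` in place of `npm install --production` would also install exactly the locked dependency tree instead of re-resolving version ranges at run time.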
@@ -9,14 +9,19 @@ jobs:
 publish:
 name: Publish to NPM & GitHub Package Registry
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
 with:
 ref: main
+ persist-credentials: false
 # limit releases to version changes - https://github.com/EndBug/version-check
 - name: Check version changes
- uses: EndBug/version-check@v2
+ uses: EndBug/version-check@36ff30f37c7deabe56a30caa043d127be658c425
 id: version_check
 with:
 file-url: https://unpkg.com/@grafana/azure-sdk@latest/package.json
@@ -24,7 +29,10 @@ jobs:
 - name: Version update detected
 if: steps.version_check.outputs.changed == 'true'
- run: 'echo "Version change found! New version: ${{ steps.version_check.outputs.version }} (${{ steps.version_check.outputs.type }})"'
+ env:
+ VERSION: ${{ steps.version_check.outputs.version }}
+ TYPE: ${{ steps.version_check.outputs.type }}
+ run: 'echo "Version change found! New version: ${VERSION} (${TYPE})"'
 - name: Setup .npmrc file for NPM registry
 if: steps.version_check.outputs.changed == 'true'
@@ -41,11 +49,18 @@ jobs:
 if: steps.version_check.outputs.changed == 'true'
 run: yarn build
+ - name: Get vault secrets
+ if: steps.version_check.outputs.changed == 'true'
+ id: vault-secrets
+ uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+ with:
+ repo_secrets: |
+ NPM_TOKEN=npm-publish:token
 - name: Publish package to NPM
 if: steps.version_check.outputs.changed == 'true'
 run: npm publish --access public --scope grafana
 env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+ NODE_AUTH_TOKEN: ${{ env.NPM_TOKEN }}
 - name: Setup .npmrc file for GitHub Packages
 if: steps.version_check.outputs.changed == 'true'
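Review bot: The new SHA pin on `EndBug/version-check` carries no trailing version comment, so a reader cannot tell which release `36ff30f3…` corresponds to and Dependabot/Renovate cannot offer bumps for it; the convention is `uses: EndBug/version-check@36ff30f37c7deabe56a30caa043d127be658c425 # v2.x.y` with the tag it stands for (the hunk replaces `@v2`, so presumably a v2 release — confirm before writing it). `actions/checkout@v4` two steps above is left on a mutable tag in the same hunk and should get the same treatment. The added `permissions` block is a good tightening; `id-token: write` is presumably there for the vault step added further down, and a one-line comment naming the step that needs each non-default scope, such as `# id-token: used by the "Get vault secrets" step`, would keep someone from dropping it later.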
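Review bot: `get-vault-secrets@main` is an unpinned, mutable ref on the one action that hands this job the NPM publish token, in the same commit that SHA-pins `EndBug/version-check` for exactly this reason, and the `# zizmor: ignore[unpinned-uses]` silences the warning without recording why it is acceptable. Pin it to a release commit, `uses: grafana/shared-workflows/actions/get-vault-secrets@<sha> # <release tag>`, or if `@main` is deliberate org policy say so in the comment, e.g. `# zizmor: ignore[unpinned-uses] — org-internal action, tracked in <link>`, so the next reader does not have to guess. `NODE_AUTH_TOKEN: ${{ env.NPM_TOKEN }}` relies on the vault step exporting `NPM_TOKEN` into the job environment under that exact name and masking it in logs; that contract lives in the shared workflow rather than here, so confirm it once and note it on the `repo_secrets` line. Since the job now has `id-token: write`, `npm publish --access public --scope grafana --provenance` would also attach a signed provenance attestation to the published package, provided the runner's npm is 9.5 or newer and the package is public.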