Bump elgohr/Publish-Docker-Github-Action from 56d83a64624e457e0dde052abc8baa3fec37b396 to 8a77ff7e106a82f06cefb2670b851ff562c53079 #903
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI Security | |
on: | |
pull_request: | |
branches: | |
- dev | |
- master | |
pull_request_target: | |
types: | |
- opened | |
- reopened | |
- labeled | |
- synchronize | |
branches: | |
- dev | |
- master | |
concurrency: | |
group: "ci-security-${{ github.head_ref || github.run_id }}-${{ github.event_name }}" | |
cancel-in-progress: true | |
jobs: | |
security-checkpoint: | |
name: Check CI Clearance | |
if: github.event_name == 'pull_request_target' && (github.event.pull_request.head.repo.id != github.event.pull_request.base.repo.id || github.event.pull_request.user.id == 49699333) && github.event.pull_request.state == 'open' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Generate App Token | |
id: app-token-generation | |
uses: actions/create-github-app-token@v1 | |
with: | |
app-id: ${{ secrets.APP_ID }} | |
private-key: ${{ secrets.APP_PRIVATE_KEY }} | |
- name: "Remove Stale 'CI Cleared' Label" | |
if: github.event.action == 'synchronize' || github.event.action == 'reopened' | |
uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 | |
with: | |
labels: CI Cleared | |
github_token: ${{ steps.app-token-generation.outputs.token }} | |
- name: "Remove 'CI Approval Required' Label" | |
if: (github.event.action == 'synchronize' || github.event.action == 'reopened') || ((github.event.action == 'opened' || github.event.action == 'labeled') && contains(github.event.pull_request.labels.*.name, 'CI Cleared')) | |
uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 | |
with: | |
labels: CI Approval Required | |
github_token: ${{ steps.app-token-generation.outputs.token }} | |
- name: "Add 'CI Approval Required' Label" | |
if: (github.event.action == 'synchronize' || github.event.action == 'reopened') || ((github.event.action == 'opened' || github.event.action == 'labeled') && !contains(github.event.pull_request.labels.*.name, 'CI Cleared')) | |
uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf | |
with: | |
labels: CI Approval Required | |
github_token: ${{ steps.app-token-generation.outputs.token }} | |
- name: Fail if PR has Unlabeled new Commits from User | |
if: (github.event.action == 'synchronize' || github.event.action == 'reopened') || ((github.event.action == 'opened' || github.event.action == 'labeled') && !contains(github.event.pull_request.labels.*.name, 'CI Cleared')) | |
run: exit 1 | |
ci-pipline-workflow-call: | |
name: CI Pipeline | |
needs: security-checkpoint | |
if: (!(cancelled() || failure()) && (needs.security-checkpoint.result == 'success' || (github.event_name != 'pull_request_target' && github.event.pull_request.head.repo.id == github.event.pull_request.base.repo.id && github.event.pull_request.user.id != 49699333))) | |
uses: ./.github/workflows/ci-pipeline.yml | |
secrets: inherit | |
with: | |
pull_request_number: ${{ github.event.pull_request.number }} |