From 87370f26d6eabdb3fcb0518461a43e192de1aacd Mon Sep 17 00:00:00 2001
From: Fran Mulero
Date: Wed, 8 Nov 2023 17:06:12 +0100
Subject: [PATCH] [bitnami/containers] GitHub actions hardening (#52441)
* GitHub actions hardening
Signed-off-by: Fran Mulero
* Allow manual triggering in scheduled jobs
Signed-off-by: Fran Mulero
* Use env var instead of using github expressions
Signed-off-by: Fran Mulero
---------
Signed-off-by: Fran Mulero
---
 .github/dependabot.yml | 10 ++++++
 .github/workflows/assign-asset-label.yml | 7 ++--
 .github/workflows/ci-pipeline.yml | 42 ++++++++++++++++-------
 .github/workflows/clossing-issues.yml | 6 +++-
 .github/workflows/comments.yml | 13 ++++---
 .github/workflows/delete-solved-cards.yml | 12 ++++---
 .github/workflows/markdown-linter.yml | 12 ++++---
 .github/workflows/move-closed-issues.yml | 5 ++-
 .github/workflows/moving-cards.yml | 29 +++++++++-------
 .github/workflows/pr-reviews.yml | 9 +++--
 .github/workflows/srp-report.yml | 11 ++++--
 .github/workflows/stale.yml | 7 ++--
 .github/workflows/sync-teams.yml | 12 +++++--
 .github/workflows/triage.yml | 13 ++++---
 14 files changed, 129 insertions(+), 59 deletions(-)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000000..d5375e5f1285
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
 version: 2
+# Check for updates to GitHub Actions every week
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
\ No newline at end of file
diff --git a/.github/workflows/assign-asset-label.yml b/.github/workflows/assign-asset-label.yml
index fa7a0d6dd813..867d7b9323af 100644
--- a/.github/workflows/assign-asset-label.yml
+++ b/.github/workflows/assign-asset-label.yml
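Review bot: The new `.github/dependabot.yml` is committed without a trailing newline (`\ No newline at end of file` after `interval: "weekly"`); add one so the next edit does not show up as a spurious change on that line. This file is what keeps the commit pins added by the rest of this change current, which is worth a line for whoever tunes it later, e.g. `# Keeps the SHA-pinned actions under .github/workflows/ current; bump PRs arrive weekly.` above `updates:`.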
@@ -1,3 +1,6 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
 name: '[Support] Assign asset label'
 on:
 pull_request_target:
@@ -34,7 +37,7 @@ jobs:
 echo "name=${assets}" >> $GITHUB_OUTPUT
 fi
 - name: Show messages
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
 with:
 script: |
 if ("${{ steps.get-asset.outputs.result }}" != "ok" ) {
@@ -44,6 +47,6 @@ jobs:
 }
 - name: Labeling
 if: ${{ steps.get-asset.outputs.result == 'ok' }}
- uses: fmulero/labeler@1.1.0
+ uses: fmulero/labeler@d3ef0aadb212cd1656bd6d5ce1e772787bf1682b
 with:
 add-labels: "${{ steps.get-asset.outputs.name }}"
diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml
index 4b19332d7115..b1fdf98d0617 100644
--- a/.github/workflows/ci-pipeline.yml
+++ b/.github/workflows/ci-pipeline.yml
@@ -23,7 +23,7 @@ jobs:
 contents: read
 pull-requests: write
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 name: Checkout Repository
 with:
 ref: ${{ github.event.pull_request.head.ref }}
@@ -54,7 +54,7 @@ jobs:
 echo "result=skip" >> $GITHUB_OUTPUT
 fi
 - name: Check license Headers
- uses: apache/skywalking-eyes/header@v0.4.0
+ uses: apache/skywalking-eyes/header@6b2529214f6b1ccee3ec92bb0adfeabf6f66f538
 if: ${{ steps.get-modified-files.outputs.result == 'success' }}
 get-containers:
 runs-on: ubuntu-latest
@@ -110,7 +110,7 @@ jobs:
 matrix:
 container: ${{ fromJSON(needs.get-containers.outputs.containers) }}
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 name: Checkout Repository
 with:
 # Full history is not required anymore
@@ -174,7 +174,7 @@ jobs:
 steps:
 - id: get-status
 name: Check Status
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
 with:
 result-encoding: string
 script: |
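Review bot: The Show messages step still splices `${{ steps.get-asset.outputs.result }}` straight into the JavaScript source of the github-script block, which is exactly the expression-in-script pattern the rest of this commit replaces with environment variables; the workflow runs on `pull_request_target`, and if the `get-asset` step derives `result` or `name` from pull-request content (the hunk only shows `echo "name=${assets}" >> $GITHUB_OUTPUT`), that interpolation is a script-injection sink with write permissions. Hand the value over through `env:` instead: add `env:` / `RESULT: ${{ steps.get-asset.outputs.result }}` to the step and change the comparison to `const {RESULT} = process.env; if (RESULT != "ok") {`. The body of that `if` continues past the end of the hunk.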
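Review bot: `fmulero/labeler` is pinned to `d3ef0aadb212cd1656bd6d5ce1e772787bf1682b` in the Labeling step here but to `f49bf680252fc8ac12cbebb6e0ed8ea19d0712da` in moving-cards.yml and triage.yml, so the same third-party action now runs at two different commits within one change; settle on a single pin for all three files. Every SHA pin in this commit also discards the version that was readable before (`@1.1.0`, `@v3`, `@v6`, `@v0.4.0`), which makes auditing what actually runs harder than it needs to be; record it as a trailing comment on each `uses:` line, `uses: fmulero/labeler@<sha> # <version>`, a form Dependabot keeps in step with the SHA when it bumps it.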
@@ -224,12 +224,20 @@ jobs:
 # Approve the CI's PR automatically, as it has been tested in our internal pipeline already
 # Approved by the 'github-actions' user; a PR can't be approved by its author
 - name: PR Approval
- uses: hmarr/auto-approve-action@v3.0.0
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
 with:
- pull-request-number: ${{ github.event.number }}
+ result-encoding: string
+ retries: 3
+ script: |
+ github.rest.pulls.createReview({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: context.issue.number,
+ event: 'APPROVE',
+ });
 - name: Merge
 id: merge
- uses: actions/github-script@v6
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
 with:
 result-encoding: string
 retries: 3
@@ -246,10 +254,18 @@ jobs:
 # post a comment on the PR and assign a maintainer agent to review it
 - name: Manual review required
 if: ${{ always() && steps.merge.outcome != 'success' }}
- uses: peter-evans/create-or-update-comment@v3.0.0
- with:
- issue-number: ${{ github.event.number }}
- # Necessary to trigger support workflows
- token: ${{ secrets.BITNAMI_BOT_TOKEN }}
- body: |
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
+ env:
+ BODY: |
 There has been an error during the automated release process. Manual revision is now required.
+ Please check the related [action_run#${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for more information.
+ with:
+ retries: 3
+ script: |
+ const {BODY} = process.env
+ github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: `${BODY}`
+ })
diff --git a/.github/workflows/clossing-issues.yml b/.github/workflows/clossing-issues.yml
index 8d2c612fd9e9..ae052df46661 100644
--- a/.github/workflows/clossing-issues.yml
+++ b/.github/workflows/clossing-issues.yml
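Review bot: `github.rest.pulls.createReview({ ... })` in the new PR Approval script is not awaited, so a rejected request surfaces, if at all, as an unhandled promise rejection rather than as a failure of this step, and the step can be reported done while the approval is still in flight when the Merge step that depends on it starts; the `createComment` call in the Manual review required step further down has the same shape. Prefix both with `await`: `await github.rest.pulls.createReview({` and `await github.rest.issues.createComment({`. The Merge step's `script:` body lies outside the hunk.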
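Review bot: The removed step passed `token: ${{ secrets.BITNAMI_BOT_TOKEN }}` under the comment `# Necessary to trigger support workflows`, while the github-script replacement runs with the default `GITHUB_TOKEN`; GitHub does not start other workflows for events created with that token, so the comment posted here will no longer fire the `issue_comment`-triggered support workflow that the old comment was there to drive. If that hand-off is still wanted, give the action the bot token explicitly, `github-token: ${{ secrets.BITNAMI_BOT_TOKEN }}` under `with:` next to `retries: 3`, and keep the removed comment above it so the next reader knows why the default token is not enough. Routing the message through `env.BODY` rather than into the script source is the right shape for the expressions it carries.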
@@ -1,5 +1,9 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
 name: '[Support] Close Solved issues'
 on:
+ workflow_dispatch:
 schedule:
 # Hourly
 - cron: '0 * * * *'
@@ -9,7 +13,7 @@ jobs:
 stale:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/stale@v6.0.1
+ - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84
 with:
 any-of-labels: 'solved'
 stale-issue-label: 'solved'
diff --git a/.github/workflows/comments.yml b/.github/workflows/comments.yml
index b8eaaa1d5caf..b43181d0090f 100644
--- a/.github/workflows/comments.yml
+++ b/.github/workflows/comments.yml
@@ -1,3 +1,6 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
 name: '[Support] Comments based card movements'
 on:
 issue_comment:
@@ -18,13 +21,13 @@ jobs:
 pull-requests: read
 steps:
 - name: Repo checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 - name: Load .env file
- uses: xom9ikk/dotenv@v2
+ uses: xom9ikk/dotenv@de1ff27d319507880e6621e4d47424c677d95f68
 with:
 path: .github/workflows/
 - name: Move into Pending
- uses: peter-evans/create-or-update-project-card@v2
+ uses: peter-evans/create-or-update-project-card@dfa240db6fe287ceb681e45d6728c1af70452c58
 if: |
 (github.actor != 'bitnami-bot' || github.event.issue.user.login != 'bitnami-bot' || github.event.issue.pull_request == null) &&
 contains(fromJson(env.BITNAMI_TEAM), github.actor) &&
@@ -33,7 +36,7 @@ jobs:
 project-name: Support
 column-name: Pending
 - name: Move into In Progress
- uses: peter-evans/create-or-update-project-card@v2
+ uses: peter-evans/create-or-update-project-card@dfa240db6fe287ceb681e45d6728c1af70452c58
 if: |
 (github.actor != 'bitnami-bot' || github.event.issue.user.login != 'bitnami-bot' || github.event.issue.pull_request == null) &&
 (!contains(fromJson(env.BITNAMI_TEAM), github.actor)) &&
@@ -42,7 +45,7 @@ jobs:
 project-name: Support
 column-name: In progress
 - name: Move into Triage
- uses: peter-evans/create-or-update-project-card@v2
+ uses: peter-evans/create-or-update-project-card@dfa240db6fe287ceb681e45d6728c1af70452c58
 if: |
 (github.actor != 'bitnami-bot' || github.event.issue.user.login != 'bitnami-bot' || github.event.issue.pull_request == null) &&
 (!contains(fromJson(env.BITNAMI_TEAM), github.actor)) &&
diff --git a/.github/workflows/delete-solved-cards.yml b/.github/workflows/delete-solved-cards.yml
index 4b9bd59bf866..195adc3e42ba 100644
--- a/.github/workflows/delete-solved-cards.yml
+++ b/.github/workflows/delete-solved-cards.yml
@@ -1,3 +1,6 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
 name: '[Support] Delete Solved cards'
 on:
 workflow_dispatch:
@@ -14,18 +17,19 @@ jobs:
 contents: read
 steps:
 - name: Repo checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
 fetch-depth: 1
 - name: Load .env file
- uses: xom9ikk/dotenv@v2
+ uses: xom9ikk/dotenv@de1ff27d319507880e6621e4d47424c677d95f68
 with:
 path: .github/workflows/
- - uses: actions/github-script@v6
+ - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
 with:
 script: |
+ const {SOLVED_COLUMN_ID} = process.env
 const {data: cards} = await github.rest.projects.listCards({
- column_id: ${{ env.SOLVED_COLUMN_ID }},
+ column_id: `${SOLVED_COLUMN_ID}`,
 archived_state: 'all',
 per_page: 100
 });
diff --git a/.github/workflows/markdown-linter.yml b/.github/workflows/markdown-linter.yml
index a63138114c14..3721df4bb6d6 100644
--- a/.github/workflows/markdown-linter.yml
+++ b/.github/workflows/markdown-linter.yml
@@ -1,3 +1,6 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
 name: '[CI/CD] Markdown linter'
 on:
 pull_request:
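Review bot: `column_id: \`${SOLVED_COLUMN_ID}\`` in the delete-solved-cards script passes the column id as a string where the old `${{ env.SOLVED_COLUMN_ID }}` interpolation produced a bare JavaScript literal, and a missing .env value now becomes the string `undefined` in the request path instead of a syntax error at the old site. Validate and convert it before the call: `if (!SOLVED_COLUMN_ID) throw new Error('SOLVED_COLUMN_ID is not set');` right after the `process.env` destructure, and `column_id: Number(SOLVED_COLUMN_ID),` in the request. The script may continue past the closing `});` shown in the hunk.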
@@ -16,20 +19,21 @@ jobs:
 - name: Install mardownlint
 run: npm install -g markdownlint-cli@0.33.0
 - name: Checkout project
- uses: actions/checkout@v3
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 - name: Execute markdownlint
 env:
 DIFF_URL: "${{github.event.pull_request.diff_url}}"
 TEMP_FILE: "${{runner.temp}}/pr-${{github.event.number}}.diff"
+ TEMP_OUTPUT: "${{runner.temp}}/output"
 run: |
 # This request doesn't consume API calls.
 curl -Lkso $TEMP_FILE $DIFF_URL
 files_changed="$(sed -nr 's/[\-\+]{3} [ab]\/(.*)/\1/p' $TEMP_FILE | sort | uniq)"
 md_files="$(echo "$files_changed" | grep -o ".*\.md$" | sort | uniq || true)"
 # Create an empty file, useful when the PR changes ignored files
- touch ${{runner.temp}}/output
+ touch "${TEMP_OUTPUT}"
 exit_code=0
- markdownlint -o ${{runner.temp}}/output ${md_files[@]} || exit_code=$?
+ markdownlint -o "${TEMP_OUTPUT}" ${md_files[@]} || exit_code=$?
 while read -r line; do
 # line format:
 # file:row[:column] message
@@ -45,7 +49,7 @@ jobs:
 else
 echo "::warning:: Error processing: ${line}"
 fi
- done < ${{runner.temp}}/output
+ done < "${TEMP_OUTPUT}"
 if [[ $exit_code -ne 0 ]]; then
 echo "::error:: Please review linter messages"
 exit "$exit_code"
diff --git a/.github/workflows/move-closed-issues.yml b/.github/workflows/move-closed-issues.yml
index e2113f094aa3..589ff23f92b4 100644
--- a/.github/workflows/move-closed-issues.yml
+++ b/.github/workflows/move-closed-issues.yml
@@ -1,3 +1,6 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
 name: '[Support] Move closed issues'
 on:
 issues:
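Review bot: `curl -Lkso $TEMP_FILE $DIFF_URL` downloads the PR diff with `-k`, i.e. TLS certificate verification switched off, and everything markdownlint then examines comes from that response; there is no reason to accept an unverified peer for a github.com URL, and this line sits directly above the new `TEMP_OUTPUT` handling so it is a natural part of the same clean-up. Drop the flag and quote the two variables the way the `env:` block already does: `curl -Lso "$TEMP_FILE" "$DIFF_URL"`. On the markdownlint line, `${md_files[@]}` is an array expansion applied to a plain string variable, so it only works through unquoted word-splitting of the value; `$md_files` says what is actually happening.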
@@ -17,7 +20,7 @@ jobs:
 steps:
 - name: Send to the Solved column
 id: send-solved
- uses: peter-evans/create-or-update-project-card@v2
+ uses: peter-evans/create-or-update-project-card@dfa240db6fe287ceb681e45d6728c1af70452c58
 # Send to solve only the issues and PRs created by users or the automated PRs with human review required
 if: |
 (github.event.issue != null && github.event.issue.user.login != 'bitnami-bot') ||
diff --git a/.github/workflows/moving-cards.yml b/.github/workflows/moving-cards.yml
index 93d6b353c16d..81746c4fbce6 100644
--- a/.github/workflows/moving-cards.yml
+++ b/.github/workflows/moving-cards.yml
@@ -1,3 +1,6 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
 # This workflow is built to manage the triage support by using GH issues.
 name: '[Support] Cards movements'
 on:
@@ -49,48 +52,48 @@ jobs:
 - get-issue
 steps:
 - name: Repo checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
 fetch-depth: 1
 - name: Load .env file
- uses: xom9ikk/dotenv@v2
+ uses: xom9ikk/dotenv@de1ff27d319507880e6621e4d47424c677d95f68
 with:
 path: .github/workflows/
 # Now handling the needed labeling
 - name: Triage labeling
 # Only if moved into triage
 if: ${{ github.event.project_card.column_id == env.TRIAGE_COLUMN_ID }}
- uses: fmulero/labeler@1.1.0
+ uses: fmulero/labeler@f49bf680252fc8ac12cbebb6e0ed8ea19d0712da
 with:
 add-labels: triage
 remove-labels: on-hold, in-progress, solved
 - name: From Bitnami labeling
 if: ${{ github.event.project_card.column_id == env.BITNAMI_COLUMN_ID }}
- uses: fmulero/labeler@1.1.0
+ uses: fmulero/labeler@f49bf680252fc8ac12cbebb6e0ed8ea19d0712da
 with:
 add-labels: ${{ (needs.get-issue.outputs.author == 'bitnami-bot' && needs.get-issue.outputs.type == 'pull_request') && 'automated, auto-merge' || 'bitnami' }}
 remove-labels: on-hold, in-progress, triage, solved
 - name: Verify labeling
 # Only if moved into bitnami column and the PR is ready for review
- # Consecutive calls were fixed in fmulero/labeler@1.1.0, see https://github.com/fmulero/labeler/pull/2
+ # Consecutive calls were fixed in fmulero/labeler, see https://github.com/fmulero/labeler/pull/2
 if: |
 github.event.project_card.column_id == env.BITNAMI_COLUMN_ID && needs.get-issue.outputs.type == 'pull_request' && needs.get-issue.outputs.draft == 'false'
- uses: fmulero/labeler@1.1.0
+ uses: fmulero/labeler@f49bf680252fc8ac12cbebb6e0ed8ea19d0712da
 with:
 repo-token: ${{ secrets.BITNAMI_BOT_TOKEN }}
 add-labels: verify
 - name: On hold labeling
 # Only if moved into on hold
 if: ${{ github.event.project_card.column_id == env.ON_HOLD_COLUMN_ID }}
- uses: fmulero/labeler@1.1.0
+ uses: fmulero/labeler@f49bf680252fc8ac12cbebb6e0ed8ea19d0712da
 with:
 add-labels: on-hold
 remove-labels: triage, in-progress, solved
 - name: In progress
labeling
 # Only if moved into In progress
 if: ${{ github.event.project_card.column_id == env.IN_PROGRESS_COLUMN_ID }}
- uses: fmulero/labeler@1.1.0
+ uses: fmulero/labeler@f49bf680252fc8ac12cbebb6e0ed8ea19d0712da
 with:
 add-labels: in-progress
 remove-labels: on-hold, triage, solved
@@ -99,7 +102,7 @@ jobs:
 if: |
 github.event.project_card.column_id == env.SOLVED_COLUMN_ID &&
 (needs.get-issue.outputs.author != 'bitnami-bot')
- uses: fmulero/labeler@1.1.0
+ uses: fmulero/labeler@f49bf680252fc8ac12cbebb6e0ed8ea19d0712da
 with:
 add-labels: solved
 # Triage is not on the list to know how many issues/PRs are solved
@@ -114,18 +117,18 @@ jobs:
 # The job shouldn't run for solved cards
 steps:
 - name: Repo checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
 fetch-depth: 1
 - name: Load .env file
- uses: xom9ikk/dotenv@v2
+ uses: xom9ikk/dotenv@de1ff27d319507880e6621e4d47424c677d95f68
 with:
 path: .github/workflows/
 - name: Assign to a person to work on it
 # Assign when there is nobody assigned or the card is new.
 if: |
 github.event.project_card.column_id != env.SOLVED_COLUMN_ID && (needs.get-issue.outputs.assignees == '[]' || github.event.action == 'created')
- uses: pozil/auto-assign-issue@v1.11.0
+ uses: pozil/auto-assign-issue@edee9537367a8fbc625d27f9e10aa8bad47b8723
 with:
 numOfAssignee: 1
 teams: ${{ github.event.project_card.column_id == env.BITNAMI_COLUMN_ID && env.SUPPORT_TEAM_NAME || env.TRIAGE_TEAM_NAME }}
@@ -137,7 +140,7 @@ jobs:
 github.event.action == 'moved' && needs.get-issue.outputs.assignees != '[]' && github.event.project_card.column_id == env.IN_PROGRESS_COLUMN_ID && github.event.changes.column_id.from == env.TRIAGE_COLUMN_ID
- uses: pozil/auto-assign-issue@v1.11.0
+ uses: pozil/auto-assign-issue@edee9537367a8fbc625d27f9e10aa8bad47b8723
 with:
 numOfAssignee: 1
 removePreviousAssignees: true
diff --git a/.github/workflows/pr-reviews.yml b/.github/workflows/pr-reviews.yml
index da70c967394d..68fb2a2c1c35 100644
--- a/.github/workflows/pr-reviews.yml
+++ b/.github/workflows/pr-reviews.yml
@@ -1,3 +1,6 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
 name: '[Support] Review based card movements'
 on:
 pull_request_target:
@@ -24,15 +27,15 @@ jobs:
 (!contains(github.event.pull_request.labels.*.name, 'bitnami')) && (!contains(github.event.pull_request.labels.*.name, 'triage'))
 steps:
 - name: Repo checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 - name: Load .env file
- uses: xom9ikk/dotenv@v2
+ uses: xom9ikk/dotenv@de1ff27d319507880e6621e4d47424c677d95f68
 with:
 path: .github/workflows/
 - name: Move into In Progress
 # Move the card only if the actor is not a Bitnami member
 if: ${{ !contains(fromJson(env.BITNAMI_TEAM), github.actor) }}
- uses: peter-evans/create-or-update-project-card@v2
+ uses: peter-evans/create-or-update-project-card@dfa240db6fe287ceb681e45d6728c1af70452c58
 with:
 project-name: Support
 column-name: In progress
diff --git a/.github/workflows/srp-report.yml b/.github/workflows/srp-report.yml
index 3557b8e51433..67948b72b6ec 100644
--- a/.github/workflows/srp-report.yml
+++ b/.github/workflows/srp-report.yml
@@ -1,3 +1,6 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
 name: '[SRP] Secure Release Pipeline Report'
 on:
 schedule:
@@ -24,7 +27,7 @@ jobs:
 sudo tar xf /tmp/srp-cli.tgz -C /usr/local/bin/
 srp config --srp-endpoint ${BAC_SRP_ENDPOINT}
 srp config auth --client-id=${BAC_SRP_CLIENT_ID} --client-secret=${BAC_SRP_CLIENT_SECRET}
- - uses: actions/checkout@v3
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 name: Checkout Repository
 with:
 # No full history required
@@ -40,11 +43,13 @@ jobs:
 --version "1.0" --all-ephemeral true --build-type release
 echo "uid=${SRP_UID}" >> $GITHUB_OUTPUT
 - name: Archive SRP report
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
 with:
 name: source-provenance
 path: source-provenance.json
 - id: submit-report
 name: Submit SRP report
+ env:
+ SRP_UID: "${{ steps.build-report.outputs.uid }}"
 run: |
- srp metadata submit --verbose --path ./source-provenance.json --uid "uid.mtd.provenance_2_5.fragment(obj_uid=${{ steps.build-report.outputs.uid }},revision='')"
+ srp metadata submit --verbose --path ./source-provenance.json --uid "uid.mtd.provenance_2_5.fragment(obj_uid=${SRP_UID},revision='')"
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 424fef0f74a0..71b6d1850d60 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,3 +1,6 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
 name: '[Support] Close stale issues and PRs'
 on:
 workflow_dispatch:
@@ -14,7 +17,7 @@ jobs:
 pull-requests: write
 steps:
 # This step will add the stale comment and label for the first 15 days without activity. It won't close any task
- - uses: actions/stale@v6.0.1
+ - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 stale-issue-message: 'This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.'
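Review bot: The Submit SRP report step expands `${SRP_UID}` into the `--uid` fragment without checking it, and the upstream `echo "uid=${SRP_UID}" >> $GITHUB_OUTPUT` line writes whatever the shell variable holds, so an empty uid from `build-report` yields `obj_uid=,revision=''` and a malformed submission rather than a clear failure at the point where the cause is visible. Guard it as the first line of the `run:` block: `[ -n "${SRP_UID}" ] || { echo "::error:: build-report produced no uid"; exit 1; }`. The `build-report` step that produces the value starts before the hunk.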
@@ -25,7 +28,7 @@ jobs:
 exempt-pr-labels: 'on-hold'
 operations-per-run: 500
 # This step will add the 'solved' label and the last comment before closing the issue or PR. Note that it won't close any issue or PR, they will be closed by the clossing-issues workflow
- - uses: actions/stale@v6.0.1
+ - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 stale-issue-message: 'Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.'
diff --git a/.github/workflows/sync-teams.yml b/.github/workflows/sync-teams.yml
index c9a2e045b8b8..ea17f741ed8b 100644
--- a/.github/workflows/sync-teams.yml
+++ b/.github/workflows/sync-teams.yml
@@ -1,5 +1,9 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
 name: '[Support] Synchronize team members in the .env file'
 on:
+ workflow_dispatch:
 schedule:
 # Daily
 - cron: '0 5 * * *'
@@ -10,19 +14,21 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Repo checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
 token: ${{ secrets.BITNAMI_BOT_TOKEN }}
 fetch-depth: 1
 - name: Load .env file
- uses: xom9ikk/dotenv@v2
+ uses: xom9ikk/dotenv@de1ff27d319507880e6621e4d47424c677d95f68
 with:
 path: .github/workflows/
 - name: Updating members of the Bitnami team
+ env:
+ TOKEN: ${{ secrets.BITNAMI_BOT_TOKEN }}
 run: |
 TEAM_MEMBERS=$(curl --request GET \
 --url https://api.github.com/orgs/bitnami/teams/developers/members?per_page=100 \
- --header 'authorization: Bearer ${{ secrets.BITNAMI_BOT_TOKEN }}' \
+ --header "authorization: Bearer ${TOKEN}" \
 --header 'content-type: application/json' \
 | jq 'sort_by(.login)|map(.login)|join(",")')
 TEAM_MEMBERS='['${TEAM_MEMBERS//','/'","'}']'
diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
index f96bd2605a4b..df75bc221b2b 100644
--- a/.github/workflows/triage.yml
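Review bot: The `curl` that builds `TEAM_MEMBERS` in sync-teams runs without `--fail`, so an HTTP error (an expired or under-scoped `BITNAMI_BOT_TOKEN`, for instance) hands a JSON error object to `jq` instead of a member list, and `per_page=100` reads only the first page with no pagination. This list becomes the `BITNAMI_TEAM` value that comments.yml and pr-reviews.yml consult through `contains(fromJson(env.BITNAMI_TEAM), github.actor)` to decide whether an actor is a Bitnami member, so a truncated or malformed result misclassifies people rather than just failing loudly. Add `--fail --silent --show-error` to the curl invocation so the step stops on a non-2xx response, and if the team can exceed 100 members, follow the `Link` header or fetch the list with `gh api --paginate`. Whether jq's failure on an error object already aborts the step depends on the job's shell options, which the hunk does not show.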
+++ b/.github/workflows/triage.yml
@@ -1,3 +1,6 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
 # This workflow is built to manage the triage support by using GH issues.
 name: '[Support] Organize triage'
 on:
@@ -24,11 +27,11 @@ jobs:
 contents: read
 steps:
 - name: Repo checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
 fetch-depth: 1
 - name: Load .env file
- uses: xom9ikk/dotenv@v2
+ uses: xom9ikk/dotenv@de1ff27d319507880e6621e4d47424c677d95f68
 with:
 path: .github/workflows/
 - name: Get author
@@ -42,7 +45,7 @@ jobs:
 echo "type=${type}" >> $GITHUB_OUTPUT
 - name: Send to the board
 if: ${{steps.get-issue.outputs.author != 'bitnami-bot' || steps.get-issue.outputs.type != 'pull_request'}}
- uses: peter-evans/create-or-update-project-card@v2
+ uses: peter-evans/create-or-update-project-card@dfa240db6fe287ceb681e45d6728c1af70452c58
 with:
 project-name: Support
 # If the author comes from Bitnami, send it to Bitnami. Otherwise, all to Triage
@@ -59,11 +62,11 @@ jobs:
 # a card for the automated PRs only when it is needed.
 steps:
 - name: From Bitnami labeling
- uses: fmulero/labeler@1.1.0
+ uses: fmulero/labeler@f49bf680252fc8ac12cbebb6e0ed8ea19d0712da
 with:
 add-labels: 'automated, auto-merge'
 - name: Verify labeling
- uses: fmulero/labeler@1.1.0
+ uses: fmulero/labeler@f49bf680252fc8ac12cbebb6e0ed8ea19d0712da
 with:
 # Bitnami bot token is required to trigger CI workflows
 repo-token: ${{ secrets.BITNAMI_BOT_TOKEN }}