diff --git a/.github/workflows/continuous-delivery.yml b/.github/workflows/continuous-delivery.yml index bd9f8856..d5f47ac7 100644 --- a/.github/workflows/continuous-delivery.yml +++ b/.github/workflows/continuous-delivery.yml @@ -127,6 +127,8 @@ jobs: (github.ref_name == 'staging' || github.ref_name == 'master') && ((github.ref_name == 'master' && github.event.inputs.merge == 'y' && fromJSON(needs.metadata.outputs.has_diff) && success()) || ((github.event.inputs.merge != 'y' || !fromJSON(needs.metadata.outputs.has_diff)) && !cancelled())) + permissions: + checks: write steps: - name: Get environment URL id: get_url @@ -165,7 +167,7 @@ jobs: docker-compose up -d - name: Finalize Sentry release - uses: getsentry/action-release@e769183448303de84c5a06aaaddf9da7be26d6c7 # v1.7.0 + uses: getsentry/action-release@f6dfa3d84a1c740b94aa45255c5e032b744a095d # v1.9.0 env: SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} SENTRY_ORG: ${{ vars.SENTRY_ORG_NAME }} @@ -205,11 +207,10 @@ jobs: done - name: Update Continuous Delivery check run - uses: guidojw/actions/update-check-run@ec8c080252c6b8903a4431211b78c543609f5f89 # v1.4.6 + uses: LouisBrunner/checks-action@6b626ffbad7cc56fd58627f774b9067e6118af23 # v2.0.0 with: - app_id: ${{ vars.GH_APP_ID }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} sha: ${{ needs.merge.outputs.sha }} + token: ${{ github.token }} name: Continuous Delivery conclusion: ${{ steps.get_conclusion.outputs.conclusion }} details_url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index d5c907c1..1ffde851 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml 
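Review bot: A job-level `permissions:` block replaces the default token grant for this job, so every scope not listed here — including `contents: read` — becomes `none` for it. The job definition starts before this hunk and its steps run past it (the later hunks show `docker-compose up -d`, a Sentry release and the check-run update), so confirm none of them use the token for a checkout, a registry pull or an API call other than the check run; if one does, list that scope explicitly, e.g. `checks: write` followed by `contents: read` under `permissions:`. If the check run is the only token consumer, the single `checks: write` line is the right least-privilege grant.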
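Review bot: With the check run now written via `github.token`, `GH_APP_PRIVATE_KEY` and `GH_APP_ID` have no remaining consumer in this diff (the CI hunk also drops the actionlint suppression for `gh_app_private_key`), so the App private key should be revoked and the secret and variable deleted from the repository — a stale signing key left in `secrets` stays readable by any workflow that can run here. Note also that events created with `GITHUB_TOKEN` do not start new workflow runs, so any workflow triggering on `check_run`/`check_suite` for the "Continuous Delivery" check will stop firing; presumably the App token existed for that, so confirm nothing depends on it. Pinning the replacement action by full SHA with the version comment is the right form.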
@@ -31,7 +31,7 @@ jobs: ref: ${{ inputs.sha }} - name: Build test image - uses: guidojw/actions/build-docker-image@ec8c080252c6b8903a4431211b78c543609f5f89 # v1.4.6 + uses: guidojw/actions/build-docker-image@3ad963828827110a6b716a011f242bf01fdf1db4 # v1.4.7 with: file: Dockerfile build-args: | @@ -71,7 +71,7 @@ jobs: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) 1.7.7 - name: Load test image - uses: guidojw/actions/load-docker-image@ec8c080252c6b8903a4431211b78c543609f5f89 # v1.4.6 + uses: guidojw/actions/load-docker-image@3ad963828827110a6b716a011f242bf01fdf1db4 # v1.4.7 with: name: app @@ -80,8 +80,8 @@ jobs: RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }} run: | EXIT_STATUS=0 - ./actionlint -ignore 'property "gh_app_private_key" is not defined' -ignore 'SC2153:' \ - -ignore 'property "sha" is not defined in object type {}' || EXIT_STATUS=$? + ./actionlint -ignore 'SC2153:' -ignore 'property "sha" is not defined in object type {}' || \ + EXIT_STATUS=$? docker run -e POSTGRES_USER=postgres -e POSTGRES_PASSWORD=postgres -e POSTGRES_HOST=localhost -e \ RAILS_MASTER_KEY --network=host app bin/ci.sh lint || EXIT_STATUS=$? exit $EXIT_STATUS @@ -114,7 +114,7 @@ jobs: echo '::add-matcher::.github/problem-matchers/rspec.json' - name: Load test image - uses: guidojw/actions/load-docker-image@ec8c080252c6b8903a4431211b78c543609f5f89 # v1.4.6 + uses: guidojw/actions/load-docker-image@3ad963828827110a6b716a011f242bf01fdf1db4 # v1.4.7 with: name: app 
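Review bot: The two suppressions that survive the rewrite are unexplained, and `-ignore 'SC2153:'` is an unanchored regex that hides shellcheck's possible-misspelling warning in every `run:` block of every workflow, not only the one that produces it. If the warning comes from a known variable, narrow the pattern to that message (e.g. `-ignore 'SC2153:.*<VAR>'`) and add a one-line comment above the command stating why each pattern is needed, such as `# SC2153: <VAR> is intentionally taken from env; "sha": inputs.sha is declared by the calling workflow`. Splitting the shell line with `|| \` before `EXIT_STATUS=$?` works but reads oddly; keeping `|| EXIT_STATUS=$?` on one line and breaking after the last `-ignore` argument would be easier to scan.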
@@ -128,14 +128,14 @@ jobs: - name: Upload coverage report to Codecov if: ${{ !cancelled() }} - uses: codecov/codecov-action@015f24e6818733317a2da2edd6290ab26238649a # v5.0.7 + uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2 with: fail_ci_if_error: true token: ${{ secrets.CODECOV_TOKEN }} - name: Upload coverage report artifact if: ${{ !cancelled() }} - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: coverage path: coverage/ diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml index 11ac7bb1..6f53debc 100644 --- a/.github/workflows/publish-image.yml +++ b/.github/workflows/publish-image.yml @@ -54,7 +54,7 @@ jobs: fetch-depth: 0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 + uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 - name: Login to GitHub Container Registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 @@ -64,7 +64,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push image - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 + uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0 with: push: true context: . @@ -77,7 +77,7 @@ jobs: - name: Create Sentry release if: ${{ !(github.event_name == 'workflow_dispatch' && github.workflow == 'Publish Image') }} - uses: getsentry/action-release@e769183448303de84c5a06aaaddf9da7be26d6c7 # v1.7.0 + uses: getsentry/action-release@f6dfa3d84a1c740b94aa45255c5e032b744a095d # v1.9.0 env: SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} SENTRY_ORG: ${{ vars.SENTRY_ORG_NAME }} 
@@ -91,6 +91,8 @@ jobs: runs-on: ubuntu-latest needs: [metadata, publish] if: github.event_name == 'workflow_dispatch' && github.workflow == 'Publish Image' && always() + permissions: + checks: write steps: - name: Get conclusion id: get_conclusion @@ -106,10 +108,9 @@ jobs: done - name: Update Publish Image check run - uses: guidojw/actions/update-check-run@ec8c080252c6b8903a4431211b78c543609f5f89 # v1.4.6 + uses: LouisBrunner/checks-action@6b626ffbad7cc56fd58627f774b9067e6118af23 # v2.0.0 with: - app_id: ${{ vars.GH_APP_ID }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} + token: ${{ github.token }} name: Publish Image conclusion: ${{ steps.get_conclusion.outputs.conclusion }} details_url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
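Review bot: With only `checks: write` listed, every other token scope for this job becomes `none`; from the visible steps (`Get conclusion` and the check-run update) that looks sufficient, but the job body runs past this hunk, so confirm there is no checkout or other token use in between. The job's `if:` keeps `always()` while the equivalent job in continuous-delivery.yml guards with `!cancelled()`; `always()` also runs the job after a cancellation, so `&& !cancelled()` would be the consistent guard — that line is unchanged context, so only worth picking up if you touch it.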
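Review bot: Unlike the continuous-delivery hunk, this call passes no `sha:`, so the check is attached to whatever the action defaults to (presumably `github.sha`, the dispatched ref's head) rather than necessarily to the commit the image was built from; if those can differ, pass the built commit explicitly through an output of the `publish` job. The replacement action is pinned by full SHA, and the `checks: write` grant added above is the only scope it needs. As in continuous-delivery.yml, `GH_APP_ID` and `GH_APP_PRIVATE_KEY` should be removed from the repository settings and the App key revoked once nothing else references them.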