From be4ad774f5553aecc2f2300216223c4003bc8567 Mon Sep 17 00:00:00 2001 From: Jack Wotherspoon Date: Tue, 23 Jul 2024 12:26:16 -0400 Subject: [PATCH] ci: remove pull_request_target trigger (#848) --- .github/labels.yml | 48 +++++------ .github/trusted-contribution.yml | 19 ----- .github/workflows/codeql.yml | 59 ++++++------- .github/workflows/cover.yaml | 22 ----- .github/workflows/govulncheck.yaml | 9 +- .github/workflows/lint.yaml | 22 ----- .github/workflows/tests.yaml | 129 ++++++++++------------------- 7 files changed, 93 insertions(+), 215 deletions(-) delete mode 100644 .github/trusted-contribution.yml diff --git a/.github/labels.yml b/.github/labels.yml index 80f892e6..2e3cb3e1 100644 --- a/.github/labels.yml +++ b/.github/labels.yml 
@@ -16,72 +16,72 @@ color: ededed description: "" -- name: 'type: bug' +- name: "type: bug" color: db4437 - description: Error or flaw in code with unintended results or allowing sub-optimal + description: + Error or flaw in code with unintended results or allowing sub-optimal usage patterns. -- name: 'type: cleanup' +- name: "type: cleanup" color: c5def5 description: An internal cleanup or hygiene concern. -- name: 'type: docs' +- name: "type: docs" color: 0000A0 description: Improvement to the documentation for an API. -- name: 'type: feature request' +- name: "type: feature request" color: c5def5 description: ‘Nice-to-have’ improvement, new feature or different behavior or design. -- name: 'type: process' +- name: "type: process" color: c5def5 description: A process-related concern. May include testing, release, or the like. -- name: 'type: question' +- name: "type: question" color: c5def5 description: Request for information or clarification. -- name: 'priority: p0' +- name: "priority: p0" color: b60205 description: Highest priority. Critical issue. P0 implies highest priority. -- name: 'priority: p1' +- name: "priority: p1" color: ffa03e - description: Important issue which blocks shipping the next release. Will be fixed + description: + Important issue which blocks shipping the next release. Will be fixed prior to next release. -- name: 'priority: p2' +- name: "priority: p2" color: fef2c0 description: Moderately-important priority. Fix may not be included in next release. -- name: 'priority: p3' +- name: "priority: p3" color: ffffc7 description: Desirable enhancement or fix. May not be included in next release. - name: automerge color: 00ff00 description: Merge the pull request once unit tests and other checks pass. 
-- name: 'automerge: exact' +- name: "automerge: exact" color: 8dd517 - description: Summon MOG for automerging, but approvals need to be against the latest + description: + Summon MOG for automerging, but approvals need to be against the latest commit - name: do not merge color: d93f0b - description: Indicates a pull request not ready for merge, due to either quality + description: + Indicates a pull request not ready for merge, due to either quality or timing. -- name: 'autorelease: pending' +- name: "autorelease: pending" color: ededed description: Release please needs to do its work on this. -- name: 'autorelease: tagged' +- name: "autorelease: tagged" color: ededed description: Release please has completed a release for this. -- name: 'tests: run' - color: 3DED97 - description: Label to trigger Github Action tests. - -- name: 'flakybot: flaky' +- name: "flakybot: flaky" color: 86d9d7 description: Tells the Flaky Bot not to close or comment on this issue. -- name: 'flakybot: quiet' +- name: "flakybot: quiet" color: 86d9d7 description: Tells the Flaky Bot to comment less. -- name: 'flakybot: issue' +- name: "flakybot: issue" color: a9f9f7 description: An issue filed by the Flaky Bot. Should not be added manually. diff --git a/.github/trusted-contribution.yml b/.github/trusted-contribution.yml deleted file mode 100644 index 80ed9aa1..00000000 --- a/.github/trusted-contribution.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -annotations: - - type: label - text: "tests: run" - -trustedContributors: ['renovate-bot', 'gcf-merge-on-green[bot]'] diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5f64dbab..c51d1f56 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -16,24 +16,18 @@ name: "CodeQL" on: push: - branches: [ "main" ] + branches: ["main"] pull_request: - branches: [ "main" ] + branches: ["main"] paths-ignore: - - '**/*.md' - - '**/*.txt' - pull_request_target: - types: [labeled] - paths-ignore: - - '**/*.md' - - '**/*.txt' + - "**/*.md" + - "**/*.txt" # Declare default permissions as read only. permissions: read-all jobs: analyze: - if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' }}" name: Analyze runs-on: ubuntu-latest permissions: 
@@ -44,33 +38,30 @@ jobs: strategy: fail-fast: false matrix: - language: [ 'go' ] + language: ["go"] steps: - - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.pull_request.head.sha }} - repository: ${{ github.event.pull_request.head.repo.full_name }} + - name: Checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Go - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 - with: - go-version: "1.22" - if: ${{ matrix.language == 'go' }} + - name: Setup Go + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 + with: + go-version: "1.22" + if: ${{ matrix.language == 'go' }} - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 - with: - languages: ${{ matrix.language }} + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 + with: + languages: ${{ matrix.language }} - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). - # If this step fails, then you should remove it and run the build manually - - name: Autobuild - uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). 
+ # If this step fails, then you should remove it and run the build manually + - name: Autobuild + uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 - with: - category: "/language:${{matrix.language}}" + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/cover.yaml b/.github/workflows/cover.yaml index 368f02f4..f00ad5f0 100644 --- a/.github/workflows/cover.yaml +++ b/.github/workflows/cover.yaml @@ -15,36 +15,14 @@ name: code coverage on: pull_request: - pull_request_target: - types: [labeled] # Declare default permissions as read only. permissions: read-all jobs: build: - if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' }}" runs-on: ubuntu-latest - permissions: - issues: write - pull-requests: write steps: - - name: Remove PR Label - if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}" - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - try { - await github.rest.issues.removeLabel({ - name: 'tests: run', - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.payload.pull_request.number - }); - } catch (e) { - console.log('Failed to remove label. Another job may have already removed it!'); - } - name: Setup Go uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml index cf81bea2..112d158a 100644 --- a/.github/workflows/govulncheck.yaml +++ b/.github/workflows/govulncheck.yaml 
@@ -20,12 +20,10 @@ permissions: read-all on: push: branches: - - 'main' + - "main" pull_request: - pull_request_target: - types: [labeled] schedule: - - cron: '0 2 * * *' + - cron: "0 2 * * *" jobs: govulncheck_job: @@ -39,9 +37,6 @@ jobs: check-latest: true - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.pull_request.head.sha }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - id: govulncheck uses: golang/govulncheck-action@dd0578b371c987f96d1185abb54344b44352bd58 # v1 with: diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 622c8cc4..6883f8a3 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml 
@@ -15,46 +15,24 @@ name: lint on: pull_request: - pull_request_target: - types: [labeled] # Declare default permissions as read only. permissions: read-all jobs: build: - if: "${{ github.event.action != 'labeled' || github.event.label.name == 'tests: run' }}" name: Run lint runs-on: ubuntu-latest permissions: issues: write pull-requests: write steps: - - name: Remove PR Label - if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}" - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - try { - await github.rest.issues.removeLabel({ - name: 'tests: run', - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.payload.pull_request.number - }); - } catch (e) { - console.log('Failed to remove label. Another job may have already removed it!'); - } - name: Setup Go uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: "1.22" - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.pull_request.head.sha }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - name: go mod tidy run: | go mod tidy && git diff --exit-code diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 5552e7a5..bb66dbf6 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml 
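Review bot: The job-level `permissions:` block on `build` (`issues: write`, `pull-requests: write`) outlives the only step that used it, the deleted "Remove PR Label" step, so the lint job now holds write scopes on every `pull_request` run with nothing consuming them. cover.yaml drops the identical block in this same commit; lint.yaml should match so the job inherits the workflow-level `permissions: read-all`, i.e. delete the three lines `permissions:` / `issues: write` / `pull-requests: write` under `build:`. For pull requests from forks GitHub already downgrades `GITHUB_TOKEN` to read-only, so the residual exposure is same-repository PRs, but least privilege should not depend on that.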
@@ -18,18 +18,14 @@ on: push: branches: - main - pull_request_target: - types: [labeled] schedule: - - cron: '0 2 * * *' + - cron: "0 2 * * *" # Declare default permissions as read only. permissions: read-all jobs: integration: - # run job on proper workflow event triggers (skip job for pull_request event from forks and only run pull_request_target for "tests: run" label) - if: "${{ (github.event.action != 'labeled' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name) || github.event.label.name == 'tests: run' }}" name: integration tests runs-on: ${{ matrix.os }} strategy: 
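Review bot: With `pull_request_target` removed, the triggers visible in this hunk are `push` to `main` and the nightly `schedule`, and the deleted job-level `if:` that used to skip fork pull requests has no replacement; unless a `pull_request:` entry sits above old line 18 outside this hunk, neither the `integration` nor the `unit` job runs for pull requests any more, which I assume is deliberate for `integration` but may not be for `unit`. If a `pull_request:` trigger is added back later, the `integration` job will need a guard again, since fork PRs get a read-only `GITHUB_TOKEN` and, as far as I know, no OIDC token, so its `google-github-actions/auth` step would fail rather than be skipped; something like `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` on that job, or a separate workflow for PR-safe unit tests, would cover it. A one-line comment above `on:` recording that integration tests are intentionally not run on pull requests would stop the next maintainer from re-adding the trigger blindly.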
@@ -37,85 +33,65 @@ jobs: os: [macos-latest, windows-latest, ubuntu-latest] fail-fast: false permissions: - contents: 'read' - id-token: 'write' + contents: "read" + id-token: "write" issues: write pull-requests: write steps: - - name: Remove PR label - if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}" - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - try { - await github.rest.issues.removeLabel({ - name: 'tests: run', - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.payload.pull_request.number - }); - } catch (e) { - console.log('Failed to remove label. Another job may have already removed it!'); - } - - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.pull_request.head.sha }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - name: Setup Go uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: "1.22" - - id: 'auth' + - id: auth name: Authenticate to Google Cloud uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 with: - workload_identity_provider: ${{ secrets.PROVIDER_NAME }} - service_account: ${{ secrets.SERVICE_ACCOUNT }} + workload_identity_provider: ${{ vars.PROVIDER_NAME }} + service_account: ${{ vars.SERVICE_ACCOUNT }} access_token_lifetime: 600s - - id: 'secrets' + - id: secrets name: Get secrets uses: google-github-actions/get-secretmanager-secrets@dc4a1392bad0fd60aee00bb2097e30ef07a1caae # v2.1.3 with: secrets: |- - MYSQL_CONNECTION_NAME:${{ secrets.GOOGLE_CLOUD_PROJECT }}/MYSQL_CONNECTION_NAME - MYSQL_IAM_CONNECTION_NAME:${{ secrets.GOOGLE_CLOUD_PROJECT }}/MYSQL_IAM_CONNECTION_NAME - MYSQL_USER:${{ secrets.GOOGLE_CLOUD_PROJECT }}/MYSQL_USER - MYSQL_USER_IAM:${{ secrets.GOOGLE_CLOUD_PROJECT }}/MYSQL_USER_IAM_GO - MYSQL_PASS:${{ 
secrets.GOOGLE_CLOUD_PROJECT }}/MYSQL_PASS - MYSQL_DB:${{ secrets.GOOGLE_CLOUD_PROJECT }}/MYSQL_DB - POSTGRES_CONNECTION_NAME:${{ secrets.GOOGLE_CLOUD_PROJECT }}/POSTGRES_CONNECTION_NAME - POSTGRES_USER:${{ secrets.GOOGLE_CLOUD_PROJECT }}/POSTGRES_USER - POSTGRES_USER_IAM:${{ secrets.GOOGLE_CLOUD_PROJECT }}/POSTGRES_USER_IAM_GO - POSTGRES_PASS:${{ secrets.GOOGLE_CLOUD_PROJECT }}/POSTGRES_PASS - POSTGRES_DB:${{ secrets.GOOGLE_CLOUD_PROJECT }}/POSTGRES_DB - SQLSERVER_CONNECTION_NAME:${{ secrets.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_CONNECTION_NAME - SQLSERVER_USER:${{ secrets.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_USER - SQLSERVER_PASS:${{ secrets.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_PASS - SQLSERVER_DB:${{ secrets.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_DB + MYSQL_CONNECTION_NAME:${{ vars.GOOGLE_CLOUD_PROJECT }}/MYSQL_CONNECTION_NAME + MYSQL_IAM_CONNECTION_NAME:${{ vars.GOOGLE_CLOUD_PROJECT }}/MYSQL_IAM_CONNECTION_NAME + MYSQL_USER:${{ vars.GOOGLE_CLOUD_PROJECT }}/MYSQL_USER + MYSQL_USER_IAM:${{ vars.GOOGLE_CLOUD_PROJECT }}/MYSQL_USER_IAM_GO + MYSQL_PASS:${{ vars.GOOGLE_CLOUD_PROJECT }}/MYSQL_PASS + MYSQL_DB:${{ vars.GOOGLE_CLOUD_PROJECT }}/MYSQL_DB + POSTGRES_CONNECTION_NAME:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_CONNECTION_NAME + POSTGRES_USER:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_USER + POSTGRES_USER_IAM:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_USER_IAM_GO + POSTGRES_PASS:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_PASS + POSTGRES_DB:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_DB + SQLSERVER_CONNECTION_NAME:${{ vars.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_CONNECTION_NAME + SQLSERVER_USER:${{ vars.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_USER + SQLSERVER_PASS:${{ vars.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_PASS + SQLSERVER_DB:${{ vars.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_DB - name: Run tests env: - MYSQL_CONNECTION_NAME: '${{ steps.secrets.outputs.MYSQL_CONNECTION_NAME }}' - MYSQL_IAM_CONNECTION_NAME: '${{ steps.secrets.outputs.MYSQL_IAM_CONNECTION_NAME }}' - MYSQL_USER: '${{ 
steps.secrets.outputs.MYSQL_USER }}' - MYSQL_USER_IAM: '${{ steps.secrets.outputs.MYSQL_USER_IAM }}' - MYSQL_PASS: '${{ steps.secrets.outputs.MYSQL_PASS }}' - MYSQL_DB: '${{ steps.secrets.outputs.MYSQL_DB }}' - POSTGRES_CONNECTION_NAME: '${{ steps.secrets.outputs.POSTGRES_CONNECTION_NAME }}' - POSTGRES_USER: '${{ steps.secrets.outputs.POSTGRES_USER }}' - POSTGRES_USER_IAM: '${{ steps.secrets.outputs.POSTGRES_USER_IAM }}' - POSTGRES_PASS: '${{ steps.secrets.outputs.POSTGRES_PASS }}' - POSTGRES_DB: '${{ steps.secrets.outputs.POSTGRES_DB }}' - SQLSERVER_CONNECTION_NAME: '${{ steps.secrets.outputs.SQLSERVER_CONNECTION_NAME }}' - SQLSERVER_USER: '${{ steps.secrets.outputs.SQLSERVER_USER }}' - SQLSERVER_PASS: '${{ steps.secrets.outputs.SQLSERVER_PASS }}' - SQLSERVER_DB: '${{ steps.secrets.outputs.SQLSERVER_DB }}' + MYSQL_CONNECTION_NAME: "${{ steps.secrets.outputs.MYSQL_CONNECTION_NAME }}" + MYSQL_IAM_CONNECTION_NAME: "${{ steps.secrets.outputs.MYSQL_IAM_CONNECTION_NAME }}" + MYSQL_USER: "${{ steps.secrets.outputs.MYSQL_USER }}" + MYSQL_USER_IAM: "${{ steps.secrets.outputs.MYSQL_USER_IAM }}" + MYSQL_PASS: "${{ steps.secrets.outputs.MYSQL_PASS }}" + MYSQL_DB: "${{ steps.secrets.outputs.MYSQL_DB }}" + POSTGRES_CONNECTION_NAME: "${{ steps.secrets.outputs.POSTGRES_CONNECTION_NAME }}" + POSTGRES_USER: "${{ steps.secrets.outputs.POSTGRES_USER }}" + POSTGRES_USER_IAM: "${{ steps.secrets.outputs.POSTGRES_USER_IAM }}" + POSTGRES_PASS: "${{ steps.secrets.outputs.POSTGRES_PASS }}" + POSTGRES_DB: "${{ steps.secrets.outputs.POSTGRES_DB }}" + SQLSERVER_CONNECTION_NAME: "${{ steps.secrets.outputs.SQLSERVER_CONNECTION_NAME }}" + SQLSERVER_USER: "${{ steps.secrets.outputs.SQLSERVER_USER }}" + SQLSERVER_PASS: "${{ steps.secrets.outputs.SQLSERVER_PASS }}" + SQLSERVER_DB: "${{ steps.secrets.outputs.SQLSERVER_DB }}" # specifying bash shell ensures a failure in a piped process isn't lost by using `set -eo pipefail` shell: bash run: | 
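Review bot: `PROVIDER_NAME`, `SERVICE_ACCOUNT` and `GOOGLE_CLOUD_PROJECT` move from `secrets.*` to `vars.*` in the `auth` and `secrets` steps, so they are no longer masked in job logs and are readable by anyone who can read the repository's variables. That is the right classification for a Workload Identity provider path, a service-account email and a project id, but it means the only control keeping an arbitrary GitHub workflow from minting tokens for this service account is the provider's attribute condition (presumably pinned to the calling repository), which is not visible here. I would record that assumption on the `auth` step: `# PROVIDER_NAME/SERVICE_ACCOUNT are non-secret identifiers; access is gated by the WIF provider's attribute condition on the calling repository, not by hiding them`. The `integration` job starts in the previous hunk and its `run:` script continues past this one.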
@@ -149,8 +125,6 @@ jobs: ./flakybot --repo ${{github.repository}} --commit_hash ${{github.sha}} --build_url https://github.com/${{github.repository}}/actions/runs/${{github.run_id}} unit: - # run job on proper workflow event triggers (skip job for pull_request event from forks and only run pull_request_target for "tests: run" label) - if: "${{ (github.event.action != 'labeled' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name) || github.event.label.name == 'tests: run' }}" name: "unit tests" runs-on: ubuntu-latest strategy: 
@@ -162,46 +136,27 @@ jobs: go-version: "1.20" fail-fast: false permissions: - contents: 'read' - id-token: 'write' + contents: read + id-token: write issues: write pull-requests: write env: GOARCH: ${{ matrix.goarch }} steps: - - name: Remove PR label - if: "${{ github.event.action == 'labeled' && github.event.label.name == 'tests: run' }}" - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - try { - await github.rest.issues.removeLabel({ - name: 'tests: run', - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.payload.pull_request.number - }); - } catch (e) { - console.log('Failed to remove label. Another job may have already removed it!'); - } - name: Setup Go ${{ matrix.go-version }} uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: ${{ matrix.go-version }} - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.pull_request.head.sha }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - - id: 'auth' + - id: auth name: Authenticate to Google Cloud # only needed for Flakybot on periodic (schedule) and continuous (push) events if: ${{ github.event_name == 'schedule' || github.event_name == 'push' }} uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 with: - workload_identity_provider: ${{ secrets.PROVIDER_NAME }} - service_account: ${{ secrets.SERVICE_ACCOUNT }} + workload_identity_provider: ${{ vars.PROVIDER_NAME }} + service_account: ${{ vars.SERVICE_ACCOUNT }} access_token_lifetime: 600s - name: Run tests if: matrix.goarch == ''
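Review bot: The `permissions:` scalars are unquoted here (`contents: read`, `id-token: write`) while the `integration` job rewritten in this same commit quotes them (`contents: "read"`, `id-token: "write"`); both parse identically, but one file should use one form, and since this hunk otherwise quotes only where it matters (`go-version: "1.20"`), the integration job's two lines are the ones to change. The job also keeps `issues: write` and `pull-requests: write` on every event although its `auth` step is gated to `schedule`/`push`; GitHub cannot scope permissions per event, so that is acceptable, but a comment such as `# issues/pull-requests write are only exercised by flakybot on schedule/push runs` above the block would make the intent explicit. The `unit` job's steps continue past the end of this hunk.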