workflow updates to handle unified docs #316
base: main
Conversation
| if: github.repository == 'hashicorp/vagrant-builders' && !cancelled() && !failure() | ||
| name: Calculate next version | ||
| runs-on: ubuntu-latest | ||
| needs: [vagrant-artifacts] | ||
| outputs: | ||
| version: ${{ steps.calculate-version.outputs.version }} | ||
| steps: | ||
| - name: Authentication | ||
| id: vault-auth | ||
| run: vault-auth | ||
| - name: Secrets | ||
| id: secrets | ||
| uses: hashicorp/vault-action@v2 | ||
| with: | ||
| url: ${{ steps.vault-auth.outputs.addr }} | ||
| caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }} | ||
| token: ${{ steps.vault-auth.outputs.token }} | ||
| secrets: | ||
| kv/data/teams/vagrant/hashibot vagrant_token; | ||
| - name: Code Checkout | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
| - name: Vagrant Code Checkout | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
| with: | ||
| repository: hashicorp/vagrant | ||
| path: ./vagrant-source | ||
| token: ${{ steps.secrets.outputs.vagrant_token }} | ||
| fetch-depth: 0 | ||
| - name: Publish Documentation Branches | ||
| run: ./.ci/publish-documentation-branches "${TAG_NAME}" "${VERSION}" ./vagrant-source | ||
| env: | ||
| VERSION: ${{ needs.vagrant-artifacts.outputs.vagrant-version }} | ||
| TAG_NAME: ${{ needs.info.outputs.vagrant-tag }} | ||
| env: | ||
| current_version: ${{ needs.vagrant-artifacts.outputs.vagrant-version }} | ||
| run: | | ||
| major_minor="${current_version%.*}" | ||
| patch="${current_version##*.}" | ||
| ((patch++)) | ||
| new_version="${major_minor}.${patch}" | ||
| printf "version=%s\n" >> "${GITHUB_OUTPUT}" | ||
| new-unified-docs-version: |
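Review bot: the output-export line in the version calculation step, `printf "version=%s\n" >> "${GITHUB_OUTPUT}"`, passes no argument for `%s`, so it writes `version=` with an empty value and `steps.calculate-version.outputs.version` is empty for every downstream consumer; it should read `printf "version=%s\n" "${new_version}" >> "${GITHUB_OUTPUT}"`. Two smaller points in the same block: `((patch++))` returns a non-zero exit status when the pre-increment value is 0, and `run` steps execute under `bash -e` by default, so a current version ending in `.0` (for example a fresh minor release) aborts the step; `patch=$((patch + 1))` avoids that. The arithmetic also assumes the last dot-separated component of `current_version` is purely numeric; a pre-release or build suffix there makes the expansion fail, so either guard for it or document the expected version format.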
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 2 months ago
To fix this problem, you should add an explicit permissions block to the next-version job in .github/workflows/release.yml, minimizing the permissions to the least privilege necessary. Based on the job's actions (simple calculation and exporting an output), there is no indication that it needs any elevated permissions, so the minimal block should be permissions: contents: read. This will ensure that the GITHUB_TOKEN for this job only has read access to repository contents and cannot perform any write actions. No methods, additional imports, or other definitions are needed; only an update to the job definition in the YAML workflow file is required.
| @@ -323,6 +323,8 @@ | ||
| name: Calculate next version | ||
| runs-on: ubuntu-latest | ||
| needs: [vagrant-artifacts] | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| version: ${{ steps.calculate-version.outputs.version }} | ||
| steps: |
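Review bot: `contents: read` is the right least-privilege scope for a job that only computes a version string, with two caveats worth stating in the PR. A job-level `permissions` block replaces rather than merges with any workflow-level block, so any other scope this job later needs must be listed here explicitly. It also only constrains `GITHUB_TOKEN`; the Vault-issued `vagrant_token` passed to the hashicorp/vagrant checkout in this workflow is not narrowed by it, so that credential's scope has to be reviewed on the Vault side.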
This provides updates to the release workflow to handle automatic PR generation for documentation on the unified docs site. After the PR is created, it will update the long lived branch with a new directory for the next version pre-filled with the contents of the previous version. An additional workflow is included for scheduled updates of the long lived documentation branch to keep it up-to-date with `main`. All of the unified docs related workflows support being called directly from the GitHub UI.
taru-garg-hashicorp
left a comment
Looks good!