From 342883e922d9285565f9d759b5e4ef3225ccef43 Mon Sep 17 00:00:00 2001 From: yihong Date: Tue, 11 Feb 2025 10:38:14 +0800 Subject: [PATCH] ci: safe ci using zizmor check (#5491) * ci: safe ci using zizmor check Signed-off-by: yihong0618 * fix: lines empty Signed-off-by: yihong0618 * fix: delete useless code Signed-off-by: yihong0618 --------- Signed-off-by: yihong0618 --- .github/workflows/apidoc.yml | 2 + .github/workflows/dependency-check.yml | 2 + .github/workflows/dev-build.yml | 18 ++++- .github/workflows/develop.yml | 32 +++++++++ .github/workflows/docbot.yml | 11 +-- .github/workflows/docs.yml | 4 ++ .github/workflows/nightly-build.yml | 14 +++- .github/workflows/nightly-ci.yml | 18 ++++- .../workflows/release-dev-builder-images.yaml | 67 ++++++++++++++----- .github/workflows/release.yml | 28 ++++++-- .github/workflows/schedule.yml | 10 +-- .github/workflows/semantic-pull-request.yml | 4 +- 12 files changed, 169 insertions(+), 41 deletions(-) diff --git a/.github/workflows/apidoc.yml b/.github/workflows/apidoc.yml index 066a2a4517..6bbca5d9a2 100644 --- a/.github/workflows/apidoc.yml +++ b/.github/workflows/apidoc.yml @@ -17,6 +17,8 @@ jobs: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: arduino/setup-protoc@v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index 4421264c39..9b542b4a9c 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -12,6 +12,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Rust uses: actions-rust-lang/setup-rust-toolchain@v1 diff --git a/.github/workflows/dev-build.yml b/.github/workflows/dev-build.yml index 6f2be60e67..9fe001aff6 100644 --- a/.github/workflows/dev-build.yml +++ b/.github/workflows/dev-build.yml 
@@ -82,9 +82,6 @@ env: # The source code will check out in the following path: '${WORKING_DIR}/dev/greptime'. CHECKOUT_GREPTIMEDB_PATH: dev/greptimedb -permissions: - issues: write - jobs: allocate-runners: name: Allocate runners @@ -107,6 +104,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Create version id: create-version @@ -161,6 +159,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Checkout greptimedb uses: actions/checkout@v4 @@ -168,6 +167,7 @@ jobs: repository: ${{ inputs.repository }} ref: ${{ inputs.commit }} path: ${{ env.CHECKOUT_GREPTIMEDB_PATH }} + persist-credentials: true - uses: ./.github/actions/build-linux-artifacts with: @@ -192,6 +192,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Checkout greptimedb uses: actions/checkout@v4 @@ -199,6 +200,7 @@ jobs: repository: ${{ inputs.repository }} ref: ${{ inputs.commit }} path: ${{ env.CHECKOUT_GREPTIMEDB_PATH }} + persist-credentials: true - uses: ./.github/actions/build-linux-artifacts with: @@ -226,6 +228,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Build and push images to dockerhub uses: ./.github/actions/build-images @@ -257,6 +260,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Release artifacts to CN region uses: ./.github/actions/release-cn-artifacts @@ -291,6 +295,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Stop EC2 runner uses: ./.github/actions/stop-runner @@ -316,6 +321,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Stop EC2 runner uses: ./.github/actions/stop-runner 
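Review bot: Deleting the workflow-level `permissions:` block leaves every job in this file that declares none of its own (allocate-runners, the build and release jobs) on the repository's default GITHUB_TOKEN permissions instead of an explicit minimum, so the effective grant now depends on a repository setting rather than on the file. Keep a restrictive default at the top, `permissions:` followed by `contents: read` (or `permissions: {}`), and let the report job add `issues: write` as this commit already does. The same top-level removal without a replacement default happens in nightly-build.yml (`@@ -70,9 +70,6`), nightly-ci.yml (`@@ -9,9 +9,6`), release.yml (`@@ -93,10 +93,6`), schedule.yml (`@@ -4,18 +4,20`) and docbot.yml (`@@ -1,18 +1,19`).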
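Review bot: The `persist-credentials: true` added to the "Checkout greptimedb" step keeps GITHUB_TOKEN in the `.git/config` of a checkout whose `repository` and `ref` come from workflow inputs, so the token stays available to whatever runs from that tree; the same line is added in the `@@ -199,6 +200,7` hunk. If `./.github/actions/build-linux-artifacts` does not fetch or push with that token (the action body is outside this diff), set it to `false` like every other checkout in this commit. If it does, a comment naming the consumer, e.g. `persist-credentials: true  # build-linux-artifacts needs the token for <reason>`, would keep the exception from being "fixed" away later.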
@@ -334,10 +340,16 @@ jobs: release-images-to-dockerhub ] runs-on: ubuntu-20.04 + permissions: + issues: write + env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_DEVELOP_CHANNEL }} steps: - uses: actions/checkout@v4 + with: + fetch-depth: 0 + persist-credentials: false - uses: ./.github/actions/setup-cyborg - name: Report CI status id: report-ci-status diff --git a/.github/workflows/develop.yml b/.github/workflows/develop.yml index c83b1c7db2..fb454b1857 100644 --- a/.github/workflows/develop.yml +++ b/.github/workflows/develop.yml @@ -26,6 +26,8 @@ jobs: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: crate-ci/typos@master - name: Check the config docs run: | @@ -38,6 +40,8 @@ jobs: name: Check License Header steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: korandoru/hawkeye@v5 check: @@ -49,6 +53,8 @@ jobs: timeout-minutes: 60 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: arduino/setup-protoc@v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} @@ -70,6 +76,8 @@ jobs: timeout-minutes: 60 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions-rust-lang/setup-rust-toolchain@v1 - name: Install taplo run: cargo +stable install taplo-cli --version ^0.9 --locked --force @@ -85,6 +93,8 @@ jobs: timeout-minutes: 60 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: arduino/setup-protoc@v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} @@ -139,6 +149,8 @@ jobs: echo "Disk space after:" df -h - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: arduino/setup-protoc@v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} @@ -192,6 +204,8 @@ jobs: echo "Disk space after:" df -h - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: arduino/setup-protoc@v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} 
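Review bot: The `fetch-depth: 0` added to the report job's checkout pulls full history, which nothing in the zizmor-driven change needs and which the corresponding report job in nightly-build.yml (`@@ -303,10 +307,14`) does without; the commit message does not say why it was introduced. The same addition appears in nightly-ci.yml (`@@ -46,9 +44,14`, `@@ -76,6 +79,9`, `@@ -114,6 +120,9`, `@@ -141,6 +150,9`) and release.yml (`@@ -441,8 +447,15`, `@@ -461,10 +474,17`). If setup-cyborg needs tags or history, say so on the line, e.g. `fetch-depth: 0  # setup-cyborg needs the tag history`; otherwise drop it and keep the default shallow clone, which is noticeably cheaper on the windows-2022 runners.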
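Review bot: The new `with:` block sits on a checkout that is immediately followed by `uses: crate-ci/typos@master`, a floating branch reference that re-resolves on every run; for a commit whose purpose is to pass zizmor, that is the kind of finding its unpinned-uses audit reports, and it is left unchanged here. Pin it to a release tag or, better, a full commit SHA with the tag in a trailing comment, e.g. `uses: crate-ci/typos@<commit-sha>  # <release-tag>`. docs.yml (`@@ -34,6 +34,8`) carries the same reference.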
@@ -238,6 +252,8 @@ jobs: timeout-minutes: 60 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: arduino/setup-protoc@v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} @@ -295,6 +311,8 @@ jobs: echo "Disk space after:" df -h - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup Kind uses: ./.github/actions/setup-kind - if: matrix.mode.minio @@ -437,6 +455,8 @@ jobs: echo "Disk space after:" df -h - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup Kind uses: ./.github/actions/setup-kind - name: Setup Chaos Mesh @@ -562,6 +582,8 @@ jobs: timeout-minutes: 60 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - if: matrix.mode.kafka name: Setup kafka server working-directory: tests-integration/fixtures @@ -589,6 +611,8 @@ jobs: timeout-minutes: 60 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: arduino/setup-protoc@v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} @@ -604,6 +628,8 @@ jobs: timeout-minutes: 60 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: arduino/setup-protoc@v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} @@ -626,6 +652,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Merge Conflict Finder uses: olivernybroe/action-conflict-finder@v4.0 @@ -636,6 +664,8 @@ jobs: needs: [conflict-check, clippy, fmt] steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: arduino/setup-protoc@v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} @@ -684,6 +714,8 @@ jobs: timeout-minutes: 60 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: arduino/setup-protoc@v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/docbot.yml b/.github/workflows/docbot.yml index bd895c53d1..aefa665950 100644 --- a/.github/workflows/docbot.yml +++ b/.github/workflows/docbot.yml 
@@ -1,18 +1,19 @@ name: Follow Up Docs on: - pull_request_target: + pull_request: types: [opened, edited] -permissions: - pull-requests: write - contents: read - jobs: docbot: runs-on: ubuntu-20.04 + permissions: + pull-requests: write + contents: read timeout-minutes: 10 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: ./.github/actions/setup-cyborg - name: Maybe Follow Up Docs Issue working-directory: cyborg diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 2aad61cd1a..61f78a84fd 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -34,6 +34,8 @@ jobs: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: crate-ci/typos@master license-header-check: @@ -41,6 +43,8 @@ jobs: name: Check License Header steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: korandoru/hawkeye@v5 check: diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml index afe01f11ec..3e004272ba 100644 --- a/.github/workflows/nightly-build.yml +++ b/.github/workflows/nightly-build.yml @@ -70,9 +70,6 @@ env: # The DockerHub image will be greptime/greptimedb-nightly. IMAGE_NAME: greptimedb-nightly -permissions: - issues: write - jobs: allocate-runners: name: Allocate runners @@ -95,6 +92,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Create version id: create-version @@ -147,6 +145,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: ./.github/actions/build-linux-artifacts with: @@ -168,6 +167,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: ./.github/actions/build-linux-artifacts with: @@ -193,6 +193,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Build and push images to dockerhub uses: ./.github/actions/build-images 
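Review bot: Switching the trigger from `pull_request_target` to `pull_request` also changes what the job-level `pull-requests: write` can do: for pull requests opened from forks, GITHUB_TOKEN is issued read-only and secrets are withheld regardless of the `permissions:` block, so the "Maybe Follow Up Docs Issue" step (its body is outside the hunk) loses the ability to write on exactly those PRs. If acting only on same-repository PRs is acceptable, record that on the trigger, e.g. `# pull_request (not _target): fork PRs get a read-only token, so docbot only acts on branch PRs`; if fork PRs must be handled, keep this workflow read-only and move the write into a separate `workflow_run` job that never checks out PR code. semantic-pull-request.yml (`@@ -1,7 +1,7`) makes the same switch and has the same consequence.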
@@ -226,6 +227,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Release artifacts to CN region uses: ./.github/actions/release-cn-artifacts @@ -260,6 +262,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Stop EC2 runner uses: ./.github/actions/stop-runner @@ -285,6 +288,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Stop EC2 runner uses: ./.github/actions/stop-runner @@ -303,10 +307,14 @@ jobs: release-images-to-dockerhub ] runs-on: ubuntu-20.04 + permissions: + issues: write env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_DEVELOP_CHANNEL }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: ./.github/actions/setup-cyborg - name: Report CI status id: report-ci-status diff --git a/.github/workflows/nightly-ci.yml b/.github/workflows/nightly-ci.yml index 9f950b111b..90220e948b 100644 --- a/.github/workflows/nightly-ci.yml +++ b/.github/workflows/nightly-ci.yml @@ -9,9 +9,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true -permissions: - issues: write - jobs: sqlness-test: name: Run sqlness test @@ -22,6 +19,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Check install.sh run: ./.github/scripts/check-install-script.sh @@ -46,9 +44,14 @@ jobs: name: Sqlness tests on Windows if: ${{ github.repository == 'GreptimeTeam/greptimedb' }} runs-on: windows-2022-8-cores + permissions: + issues: write timeout-minutes: 60 steps: - uses: actions/checkout@v4 + with: + fetch-depth: 0 + persist-credentials: false - uses: ./.github/actions/setup-cyborg - uses: arduino/setup-protoc@v3 with: 
@@ -76,6 +79,9 @@ jobs: steps: - run: git config --global core.autocrlf false - uses: actions/checkout@v4 + with: + fetch-depth: 0 + persist-credentials: false - uses: ./.github/actions/setup-cyborg - uses: arduino/setup-protoc@v3 with: @@ -114,6 +120,9 @@ jobs: timeout-minutes: 60 steps: - uses: actions/checkout@v4 + with: + fetch-depth: 0 + persist-credentials: false - uses: cachix/install-nix-action@v27 with: nix_path: nixpkgs=channel:nixos-24.11 @@ -141,6 +150,9 @@ jobs: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_DEVELOP_CHANNEL }} steps: - uses: actions/checkout@v4 + with: + fetch-depth: 0 + persist-credentials: false - uses: ./.github/actions/setup-cyborg - name: Report CI status id: report-ci-status diff --git a/.github/workflows/release-dev-builder-images.yaml b/.github/workflows/release-dev-builder-images.yaml index 33e6674d9b..2e60736140 100644 --- a/.github/workflows/release-dev-builder-images.yaml +++ b/.github/workflows/release-dev-builder-images.yaml @@ -37,6 +37,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Configure build image version id: set-version 
@@ -85,48 +86,66 @@ jobs: - name: Push dev-builder-ubuntu image shell: bash if: ${{ inputs.release_dev_builder_ubuntu_image }} + env: + IMAGE_VERSION: ${{ needs.release-dev-builder-images.outputs.version }} + IMAGE_NAMESPACE: ${{ vars.IMAGE_NAMESPACE }} + ECR_IMAGE_REGISTRY: ${{ vars.ECR_IMAGE_REGISTRY }} + ECR_IMAGE_NAMESPACE: ${{ vars.ECR_IMAGE_NAMESPACE }} run: | docker run -v "${DOCKER_CONFIG:-$HOME/.docker}:/root/.docker:ro" \ -e "REGISTRY_AUTH_FILE=/root/.docker/config.json" \ quay.io/skopeo/stable:latest \ - copy -a docker://docker.io/${{ vars.IMAGE_NAMESPACE }}/dev-builder-ubuntu:${{ needs.release-dev-builder-images.outputs.version }} \ - docker://${{ vars.ECR_IMAGE_REGISTRY }}/${{ vars.ECR_IMAGE_NAMESPACE }}/dev-builder-ubuntu:${{ needs.release-dev-builder-images.outputs.version }} + copy -a docker://docker.io/$IMAGE_NAMESPACE/dev-builder-ubuntu:$IMAGE_VERSION \ + docker://$ECR_IMAGE_REGISTRY/$ECR_IMAGE_NAMESPACE/dev-builder-ubuntu:$IMAGE_VERSION docker run -v "${DOCKER_CONFIG:-$HOME/.docker}:/root/.docker:ro" \ -e "REGISTRY_AUTH_FILE=/root/.docker/config.json" \ quay.io/skopeo/stable:latest \ - copy -a docker://docker.io/${{ vars.IMAGE_NAMESPACE }}/dev-builder-ubuntu:latest \ - docker://${{ vars.ECR_IMAGE_REGISTRY }}/${{ vars.ECR_IMAGE_NAMESPACE }}/dev-builder-ubuntu:latest + copy -a docker://docker.io/$IMAGE_NAMESPACE/dev-builder-ubuntu:latest \ + docker://$ECR_IMAGE_REGISTRY/$ECR_IMAGE_NAMESPACE/dev-builder-ubuntu:latest + - name: Push dev-builder-centos image shell: bash if: ${{ inputs.release_dev_builder_centos_image }} + env: + IMAGE_VERSION: ${{ needs.release-dev-builder-images.outputs.version }} + IMAGE_NAMESPACE: ${{ vars.IMAGE_NAMESPACE }} + ECR_IMAGE_REGISTRY: ${{ vars.ECR_IMAGE_REGISTRY }} + ECR_IMAGE_NAMESPACE: ${{ vars.ECR_IMAGE_NAMESPACE }} run: | docker run -v "${DOCKER_CONFIG:-$HOME/.docker}:/root/.docker:ro" \ -e "REGISTRY_AUTH_FILE=/root/.docker/config.json" \ quay.io/skopeo/stable:latest \ - copy -a docker://docker.io/${{ 
vars.IMAGE_NAMESPACE }}/dev-builder-centos:${{ needs.release-dev-builder-images.outputs.version }} \ - docker://${{ vars.ECR_IMAGE_REGISTRY }}/${{ vars.ECR_IMAGE_NAMESPACE }}/dev-builder-centos:${{ needs.release-dev-builder-images.outputs.version }} + copy -a docker://docker.io/$IMAGE_NAMESPACE/dev-builder-centos:$IMAGE_VERSION \ + docker://$ECR_IMAGE_REGISTRY/$ECR_IMAGE_NAMESPACE/dev-builder-centos:$IMAGE_VERSION docker run -v "${DOCKER_CONFIG:-$HOME/.docker}:/root/.docker:ro" \ -e "REGISTRY_AUTH_FILE=/root/.docker/config.json" \ quay.io/skopeo/stable:latest \ - copy -a docker://docker.io/${{ vars.IMAGE_NAMESPACE }}/dev-builder-centos:latest \ - docker://${{ vars.ECR_IMAGE_REGISTRY }}/${{ vars.ECR_IMAGE_NAMESPACE }}/dev-builder-centos:latest + copy -a docker://docker.io/$IMAGE_NAMESPACE/dev-builder-centos:latest \ + docker://$ECR_IMAGE_REGISTRY/$ECR_IMAGE_NAMESPACE/dev-builder-centos:latest + - name: Push dev-builder-android image shell: bash if: ${{ inputs.release_dev_builder_android_image }} + env: + IMAGE_VERSION: ${{ needs.release-dev-builder-images.outputs.version }} + IMAGE_NAMESPACE: ${{ vars.IMAGE_NAMESPACE }} + ECR_IMAGE_REGISTRY: ${{ vars.ECR_IMAGE_REGISTRY }} + ECR_IMAGE_NAMESPACE: ${{ vars.ECR_IMAGE_NAMESPACE }} run: | docker run -v "${DOCKER_CONFIG:-$HOME/.docker}:/root/.docker:ro" \ -e "REGISTRY_AUTH_FILE=/root/.docker/config.json" \ quay.io/skopeo/stable:latest \ - copy -a docker://docker.io/${{ vars.IMAGE_NAMESPACE }}/dev-builder-android:${{ needs.release-dev-builder-images.outputs.version }} \ - docker://${{ vars.ECR_IMAGE_REGISTRY }}/${{ vars.ECR_IMAGE_NAMESPACE }}/dev-builder-android:${{ needs.release-dev-builder-images.outputs.version }} + copy -a docker://docker.io/$IMAGE_NAMESPACE/dev-builder-android:$IMAGE_VERSION \ + docker://$ECR_IMAGE_REGISTRY/$ECR_IMAGE_NAMESPACE/dev-builder-android:$IMAGE_VERSION docker run -v "${DOCKER_CONFIG:-$HOME/.docker}:/root/.docker:ro" \ -e "REGISTRY_AUTH_FILE=/root/.docker/config.json" \ 
quay.io/skopeo/stable:latest \ - copy -a docker://docker.io/${{ vars.IMAGE_NAMESPACE }}/dev-builder-android:latest \ - docker://${{ vars.ECR_IMAGE_REGISTRY }}/${{ vars.ECR_IMAGE_NAMESPACE }}/dev-builder-android:latest + copy -a docker://docker.io/$IMAGE_NAMESPACE/dev-builder-android:latest \ + docker://$ECR_IMAGE_REGISTRY/$ECR_IMAGE_NAMESPACE/dev-builder-android:latest + release-dev-builder-images-cn: # Note: Be careful issue: https://github.com/containers/skopeo/issues/1874 and we decide to use the latest stable skopeo container. name: Release dev builder images to CN region runs-on: ubuntu-20.04 
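Review bot: Moving the `${{ }}` expressions into `env:` removes the template injection, but the shell now expands `$IMAGE_NAMESPACE`, `$IMAGE_VERSION`, `$ECR_IMAGE_REGISTRY` and `$ECR_IMAGE_NAMESPACE` unquoted in every `copy -a` line, so an empty or whitespace-containing variable is split into separate arguments instead of producing one bad reference that skopeo rejects; quote each reference, e.g. `copy -a "docker://docker.io/${IMAGE_NAMESPACE}/dev-builder-ubuntu:${IMAGE_VERSION}" \` and likewise the `"docker://${ECR_IMAGE_REGISTRY}/${ECR_IMAGE_NAMESPACE}/..."` line. The same applies to the `$ACR_IMAGE_REGISTRY` lines in the `@@ -144,29 +163,41` hunk. As a style point, the four-entry `env:` block is repeated verbatim in the three push steps of this job and the three-entry one in the three steps of the CN job; hoisting each block to its job's `env:` (the job headers are outside these hunks) would leave one place to maintain.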
@@ -144,29 +163,41 @@ jobs: - name: Push dev-builder-ubuntu image shell: bash if: ${{ inputs.release_dev_builder_ubuntu_image }} + env: + IMAGE_VERSION: ${{ needs.release-dev-builder-images.outputs.version }} + IMAGE_NAMESPACE: ${{ vars.IMAGE_NAMESPACE }} + ACR_IMAGE_REGISTRY: ${{ vars.ACR_IMAGE_REGISTRY }} run: | docker run -v "${DOCKER_CONFIG:-$HOME/.docker}:/root/.docker:ro" \ -e "REGISTRY_AUTH_FILE=/root/.docker/config.json" \ quay.io/skopeo/stable:latest \ - copy -a docker://docker.io/${{ vars.IMAGE_NAMESPACE }}/dev-builder-ubuntu:${{ needs.release-dev-builder-images.outputs.version }} \ - docker://${{ vars.ACR_IMAGE_REGISTRY }}/${{ vars.IMAGE_NAMESPACE }}/dev-builder-ubuntu:${{ needs.release-dev-builder-images.outputs.version }} + copy -a docker://docker.io/$IMAGE_NAMESPACE/dev-builder-ubuntu:$IMAGE_VERSION \ + docker://$ACR_IMAGE_REGISTRY/$IMAGE_NAMESPACE/dev-builder-ubuntu:$IMAGE_VERSION - name: Push dev-builder-centos image shell: bash if: ${{ inputs.release_dev_builder_centos_image }} + env: + IMAGE_VERSION: ${{ needs.release-dev-builder-images.outputs.version }} + IMAGE_NAMESPACE: ${{ vars.IMAGE_NAMESPACE }} + ACR_IMAGE_REGISTRY: ${{ vars.ACR_IMAGE_REGISTRY }} run: | docker run -v "${DOCKER_CONFIG:-$HOME/.docker}:/root/.docker:ro" \ -e "REGISTRY_AUTH_FILE=/root/.docker/config.json" \ quay.io/skopeo/stable:latest \ - copy -a docker://docker.io/${{ vars.IMAGE_NAMESPACE }}/dev-builder-centos:${{ needs.release-dev-builder-images.outputs.version }} \ - docker://${{ vars.ACR_IMAGE_REGISTRY }}/${{ vars.IMAGE_NAMESPACE }}/dev-builder-centos:${{ needs.release-dev-builder-images.outputs.version }} + copy -a docker://docker.io/$IMAGE_NAMESPACE/dev-builder-centos:$IMAGE_VERSION \ + docker://$ACR_IMAGE_REGISTRY/$IMAGE_NAMESPACE/dev-builder-centos:$IMAGE_VERSION - name: Push dev-builder-android image shell: bash if: ${{ inputs.release_dev_builder_android_image }} + env: + IMAGE_VERSION: ${{ needs.release-dev-builder-images.outputs.version }} + IMAGE_NAMESPACE: ${{ 
vars.IMAGE_NAMESPACE }} + ACR_IMAGE_REGISTRY: ${{ vars.ACR_IMAGE_REGISTRY }} run: | docker run -v "${DOCKER_CONFIG:-$HOME/.docker}:/root/.docker:ro" \ -e "REGISTRY_AUTH_FILE=/root/.docker/config.json" \ quay.io/skopeo/stable:latest \ - copy -a docker://docker.io/${{ vars.IMAGE_NAMESPACE }}/dev-builder-android:${{ needs.release-dev-builder-images.outputs.version }} \ - docker://${{ vars.ACR_IMAGE_REGISTRY }}/${{ vars.IMAGE_NAMESPACE }}/dev-builder-android:${{ needs.release-dev-builder-images.outputs.version }} + copy -a docker://docker.io/$IMAGE_NAMESPACE/dev-builder-android:$IMAGE_VERSION \ + docker://$ACR_IMAGE_REGISTRY/$IMAGE_NAMESPACE/dev-builder-android:$IMAGE_VERSION diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1e66626b34..bee576a142 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -93,10 +93,6 @@ env: # Note: The NEXT_RELEASE_VERSION should be modified manually by every formal release. NEXT_RELEASE_VERSION: v0.12.0 -# Permission reference: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs -permissions: - issues: write # Allows the action to create issues for cyborg. - contents: write # Allows the action to create a release. jobs: allocate-runners: @@ -122,6 +118,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Check Rust toolchain version shell: bash @@ -181,6 +178,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: ./.github/actions/build-linux-artifacts with: @@ -202,6 +200,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: ./.github/actions/build-linux-artifacts with: @@ -237,6 +236,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: ./.github/actions/build-macos-artifacts with: 
@@ -276,6 +276,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: ./.github/actions/build-windows-artifacts with: @@ -306,6 +307,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Build and push images to dockerhub uses: ./.github/actions/build-images @@ -341,6 +343,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Release artifacts to CN region uses: ./.github/actions/release-cn-artifacts @@ -377,6 +380,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Publish GitHub release uses: ./.github/actions/publish-github-release @@ -400,6 +404,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Stop EC2 runner uses: ./.github/actions/stop-runner @@ -425,6 +430,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Stop EC2 runner uses: ./.github/actions/stop-runner @@ -441,8 +447,15 @@ jobs: if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }} needs: [allocate-runners] runs-on: ubuntu-20.04 + # Permission reference: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs + permissions: + issues: write # Allows the action to create issues for cyborg. + contents: write # Allows the action to create a release. steps: - uses: actions/checkout@v4 + with: + fetch-depth: 0 + persist-credentials: false - uses: ./.github/actions/setup-cyborg - name: Bump doc version working-directory: cyborg 
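Review bot: With the workflow-level `contents: write` removed in the `@@ -93,10 +93,6` hunk, the job that runs `./.github/actions/publish-github-release` only receives `persist-credentials: false` in the `@@ -377,6 +380,7` hunk and no `permissions:` of its own anywhere in this diff (its job header is outside the hunk, so an existing block cannot be ruled out); if there is none, creating the release now relies on the repository's default token permissions and fails when that default is read-only. Give this job the explicit grant the two cyborg jobs get, `permissions:` followed by `contents: write  # publish-github-release creates the release`, and check the other release jobs that used to inherit the top-level block the same way.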
@@ -461,10 +474,17 @@ jobs: build-windows-artifacts, ] runs-on: ubuntu-20.04 + # Permission reference: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs + permissions: + issues: write # Allows the action to create issues for cyborg. + contents: write # Allows the action to create a release. env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_DEVELOP_CHANNEL }} steps: - uses: actions/checkout@v4 + with: + fetch-depth: 0 + persist-credentials: false - uses: ./.github/actions/setup-cyborg - name: Report CI status id: report-ci-status diff --git a/.github/workflows/schedule.yml b/.github/workflows/schedule.yml index 608e56ec0a..5943015880 100644 --- a/.github/workflows/schedule.yml +++ b/.github/workflows/schedule.yml @@ -4,18 +4,20 @@ on: - cron: '4 2 * * *' workflow_dispatch: -permissions: - contents: read - issues: write - pull-requests: write jobs: maintenance: name: Periodic Maintenance runs-on: ubuntu-latest + permissions: + contents: read + issues: write + pull-requests: write if: ${{ github.repository == 'GreptimeTeam/greptimedb' }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: ./.github/actions/setup-cyborg - name: Do Maintenance working-directory: cyborg diff --git a/.github/workflows/semantic-pull-request.yml b/.github/workflows/semantic-pull-request.yml index 3dae57ff76..a8fd6d05f4 100644 --- a/.github/workflows/semantic-pull-request.yml +++ b/.github/workflows/semantic-pull-request.yml @@ -1,7 +1,7 @@ name: "Semantic Pull Request" on: - pull_request_target: + pull_request: types: - opened - reopened @@ -13,6 +13,8 @@ jobs: timeout-minutes: 10 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: ./.github/actions/setup-cyborg - name: Check Pull Request working-directory: cyborg
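Review bot: The report job only notifies Slack and runs setup-cyborg, yet it is granted `contents: write` with the comment "Allows the action to create a release", which was copied from the old top-level block rather than derived from what this job does. Unless the "Report CI status" step (outside the hunk) pushes or creates releases, drop that line and keep only `issues: write  # Allows the action to create issues for cyborg.`, matching the job-level grant the report jobs in dev-build.yml and nightly-build.yml receive in this commit. The `@@ -441,8 +447,15` bump-doc-version job may genuinely need `contents: write`; verify that against the step and trim it too if it only opens issues or pull requests.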