mirror of
https://github.com/fleetdm/fleet
synced 2026-05-01 18:37:37 +00:00
18256bdf0e
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Upgraded security protections across build and deployment workflows
for enhanced runner environment hardening.
* Strengthened CI/CD infrastructure security measures throughout
automated processes.
* No direct user-facing changes.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
139 lines
5 KiB
YAML
139 lines
5 KiB
YAML
name: Update Testing & QA Maintained Apps
|
|
|
|
on:
|
|
schedule:
|
|
# Run twice daily at 6:00 AM and 6:00 PM UTC
|
|
- cron: '0 6 * * *'
|
|
- cron: '0 18 * * *'
|
|
workflow_dispatch: # Allow manual triggering
|
|
|
|
# This allows a subsequently queued workflow run to interrupt previous runs
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
|
|
cancel-in-progress: true
|
|
|
|
defaults:
|
|
run:
|
|
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
|
|
shell: bash
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
update-apps:
|
|
permissions:
|
|
contents: write # Required to push new branch
|
|
pull-requests: write # Required to open PRs
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 10
|
|
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout Code
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
fetch-depth: 1
|
|
|
|
- name: Install jq
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install -y jq
|
|
|
|
- name: Update Testing & QA Apps
|
|
id: update-apps
|
|
run: |
|
|
.github/scripts/dogfood-update-testing-qa-apps.sh
|
|
if [ $? -eq 0 ]; then
|
|
# Check if there are any changes
|
|
if git diff --quiet it-and-security/teams/testing-and-qa.yml; then
|
|
echo "changed=false" >> $GITHUB_OUTPUT
|
|
echo "No changes detected"
|
|
else
|
|
echo "changed=true" >> $GITHUB_OUTPUT
|
|
echo "Changes detected"
|
|
git diff it-and-security/teams/testing-and-qa.yml
|
|
fi
|
|
else
|
|
echo "changed=false" >> $GITHUB_OUTPUT
|
|
exit 0
|
|
fi
|
|
|
|
- name: Search for Existing PRs
|
|
if: steps.update-apps.outputs.changed == 'true'
|
|
id: search_pr
|
|
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
|
|
with:
|
|
script: |
|
|
const { data: pullRequests } = await github.rest.pulls.list({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
state: 'open',
|
|
per_page: 100
|
|
});
|
|
const matchingPRs = pullRequests.filter(pr =>
|
|
pr.title.includes('Update Testing & QA maintained apps') ||
|
|
pr.title.includes('Update Testing and QA maintained apps')
|
|
);
|
|
return matchingPRs.map(pr => pr.number);
|
|
|
|
- name: Configure Git
|
|
if: steps.update-apps.outputs.changed == 'true'
|
|
run: |
|
|
git config --local user.email "action@github.com"
|
|
git config --local user.name "GitHub Action"
|
|
|
|
- name: Get current date and time
|
|
if: steps.update-apps.outputs.changed == 'true'
|
|
id: date
|
|
run: echo "date=$(date +'%y%m%d%H%M')" >> $GITHUB_OUTPUT
|
|
|
|
- name: Create Pull Request
|
|
if: steps.update-apps.outputs.changed == 'true'
|
|
id: create-pr
|
|
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e #v7.0.8
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
commit-message: |
|
|
Update Testing & QA maintained apps
|
|
|
|
Automatically added new Fleet-maintained apps to the Testing & QA team configuration.
|
|
title: "Update Testing & QA maintained apps"
|
|
body: |
|
|
This PR automatically updates the `fleet_maintained_apps` list in `testing-and-qa.yml` with any new apps from Fleet's maintained apps library.
|
|
|
|
The changes were generated automatically by the [dogfood-update-testing-qa-apps workflow](https://github.com/${{ github.repository }}/actions/workflows/dogfood-update-testing-qa-apps.yml).
|
|
branch: update-testing-qa-apps-${{ steps.date.outputs.date }}
|
|
delete-branch: true
|
|
assignees: allenhouchins
|
|
|
|
- name: Close Existing PRs
|
|
if: steps.update-apps.outputs.changed == 'true' && steps.search_pr.outputs.result != '[]'
|
|
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
|
|
with:
|
|
script: |
|
|
const prNumbers = JSON.parse('${{ steps.search_pr.outputs.result }}');
|
|
const newPrNumber = '${{ steps.create-pr.outputs.pull-request-number }}';
|
|
for (const prNumber of prNumbers) {
|
|
if (prNumber.toString() !== newPrNumber) {
|
|
await github.rest.issues.createComment({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
issue_number: prNumber,
|
|
body: `Closing in favor of #${newPrNumber}.`,
|
|
});
|
|
await github.rest.pulls.update({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
pull_number: prNumber,
|
|
state: 'closed',
|
|
});
|
|
}
|
|
}
|
|
|
|
|
|
|