diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c637ad2fd..ad5bef3e6 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -13,19 +13,23 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: collect: + name: Collect DEVFAMILY and OS combinations runs-on: ubuntu-latest container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read outputs: build-matrix: "${{ steps.matrix.outputs.matrix }}" steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Create build matrix id: matrix @@ -38,8 +42,6 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read needs: collect strategy: matrix: @@ -48,15 +50,19 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Add directory to safe dir overrides run: | git config --global --add safe.directory "$PWD" - name: Build ${{ matrix.device }} + env: + DEVFAMILY: ${{ matrix.device }} + OS: ${{ matrix.os }} run: | - make DEVFAMILY=${{ matrix.device }} OS=${{ matrix.os }} \ - VERSION=${{ github.ref_name }} + make VERSION=${GITHUB_REF_NAME} - name: Upload artifact uses: actions/upload-artifact@v4 diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml index e98c34d7b..25094d377 100644 --- a/.github/workflows/check-files.yml +++ b/.github/workflows/check-files.yml @@ -7,10 +7,17 @@ on: # yamllint disable-line rule:truthy paths: - 'source/**' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash +permissions: + contents: read + jobs: lint: name: Lint @@ -18,12 +25,12 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Update refs and settings run: | @@ -33,6 +40,8 @@ jobs: git switch master - name: Run check_files.py + env: + EVENT_NUMBER: ${{ github.event.number }} run: | # Disable color output export NO_COLOR=true @@ -53,7 +62,7 @@ jobs: # Prepare the artifacts mkdir -p ./results - echo "${{ github.event.number }}" > ./results/id + echo "$EVENT_NUMBER" > ./results/id cp "$GITHUB_STEP_SUMMARY" ./results/summary echo "$(wc -l < _new-warn.log)" > ./results/problem-count diff --git a/.github/workflows/check_toc_txt.yml b/.github/workflows/check_toc_txt.yml index d8c9ecda6..7a6f17442 100644 --- a/.github/workflows/check_toc_txt.yml +++ b/.github/workflows/check_toc_txt.yml @@ -8,10 +8,17 @@ on: # yamllint disable-line rule:truthy - 'source/**' - 'configs/*/*_toc.txt' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash +permissions: + contents: read + jobs: lint: name: Lint @@ -19,12 +26,12 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Update refs and settings run: | @@ -34,6 +41,8 @@ jobs: git switch master - name: Run rstcheck + env: + EVENT_NUMBER: ${{ github.event.number }} run: | # Disable color output export NO_COLOR=true @@ -54,7 +63,7 @@ jobs: # Prepare the artifacts mkdir -p ./results - echo "${{ github.event.number }}" > ./results/id + echo "$EVENT_NUMBER" > ./results/id cp "$GITHUB_STEP_SUMMARY" ./results/summary echo "$(wc -l < _new-warn.log)" > ./results/problem-count diff --git a/.github/workflows/comment.yml b/.github/workflows/comment.yml index c54a4cf03..88bf508c4 100644 --- a/.github/workflows/comment.yml +++ b/.github/workflows/comment.yml @@ -10,13 +10,14 @@ on: # yamllint disable-line rule:truthy types: - completed +permissions: + pull-requests: write # Required to leave a comment on a review + jobs: comment: name: Comment runs-on: ubuntu-latest if: ${{ github.event.workflow_run.event == 'pull_request' }} - permissions: - pull-requests: write steps: - name: Download artifact diff --git a/.github/workflows/commit-check.yml b/.github/workflows/commit-check.yml index c4933e4fb..4105d0d16 100644 --- a/.github/workflows/commit-check.yml +++ b/.github/workflows/commit-check.yml @@ -1,23 +1,26 @@ --- -name: Commit Check -on: # yamllint disable-line rule:truthy - pull_request: - branches: ['master'] +name: "commit-check" + +on: [pull_request] # yamllint disable-line rule:truthy + +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + +permissions: + contents: read jobs: commit-check: name: Commit Check runs-on: ubuntu-latest - permissions: - contents: read - issues: write - pull-requests: write steps: - name: Checkout uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Check commit uses: commit-check/commit-check-action@v2 diff --git a/.github/workflows/component-owners.yml b/.github/workflows/component-owners.yml index 59f35f80a..e93aecdfe 100644 --- a/.github/workflows/component-owners.yml +++ b/.github/workflows/component-owners.yml @@ -1,26 +1,27 @@ --- name: "component-owners" -on: # yamllint disable-line rule:truthy - # It's insecure to use pull_request_target if you intend to check out code - # from that PR. This just reads the config file in the pull request base, and - # is not an issue currently. We will need to use this to comment on PRs coming - # from forked repositories. - pull_request_target: - branches: [master] +# It's insecure to use pull_request_target if you intend to check out code +# from that PR. This just reads the config file in the pull request base, and +# is not an issue currently. We will need to use this to comment on PRs coming +# from forked repositories. +on: [pull_request_target] # yamllint disable-line rule:truthy + +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true permissions: - # Clamp permissions since pull_request_target workflows granted full - # read/write repository permission by default contents: read - issues: write - pull-requests: write jobs: component-owners: name: Assign component owners runs-on: ubuntu-latest + permissions: + pull-requests: write # Required to set reviewers + steps: - name: Assign component owners uses: dyladan/component-owners@main diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 1bfd50c2c..db9421d5d 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -8,6 +8,13 @@ on: # yamllint disable-line rule:truthy types: - completed +concurrency: + group: pages + cancel-in-progress: false + +permissions: + contents: read + jobs: agregate: name: Agregate build artifacts @@ -16,12 +23,12 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Add directory to safe dir overrides run: | @@ -51,8 +58,8 @@ jobs: runs-on: ubuntu-latest needs: agregate permissions: - pages: write - id-token: write + pages: write # Required for deployment to GitHub Pages + id-token: write # Required for deployment to GitHub Pages steps: - name: Update github page deployment diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 061a1d992..46db12a16 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -1,5 +1,6 @@ --- -name: Docker Workflow +name: "docker" + on: # yamllint disable-line rule:truthy push: branches: [master] @@ -7,21 +8,30 @@ on: # yamllint disable-line rule:truthy - 'docker/**' - requirements.txt +concurrency: + group: docker + cancel-in-progress: false + env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} +permissions: + contents: read + jobs: build: name: Build runs-on: ubuntu-latest + permissions: - contents: read - packages: write + packages: write # Required to push image to ghcr.io steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 diff --git a/.github/workflows/rstcheck.yml b/.github/workflows/rstcheck.yml index 04a45c93d..bbb834dd3 100644 --- a/.github/workflows/rstcheck.yml +++ b/.github/workflows/rstcheck.yml @@ -7,10 +7,17 @@ on: # yamllint disable-line rule:truthy paths: - 'source/**' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash +permissions: + contents: read + jobs: lint: name: Lint @@ -18,12 +25,12 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Update refs and settings run: | @@ -33,6 +40,8 @@ jobs: git switch master - name: Run rstcheck + env: + EVENT_NUMBER: ${{ github.event.number }} run: | # Disable color output export NO_COLOR=true @@ -53,7 +62,7 @@ jobs: # Prepare the artifacts mkdir -p ./results - echo "${{ github.event.number }}" > ./results/id + echo "$EVENT_NUMBER" > ./results/id cp "$GITHUB_STEP_SUMMARY" ./results/summary echo "$(wc -l < _new-warn.log)" > ./results/problem-count diff --git a/.github/workflows/vale.yml b/.github/workflows/vale.yml index 1c493f94f..1e3fc04ca 100644 --- a/.github/workflows/vale.yml +++ b/.github/workflows/vale.yml @@ -3,19 +3,24 @@ name: "vale" on: [pull_request] # yamllint disable-line rule:truthy +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash +permissions: + contents: read + jobs: vale: name: vale runs-on: ubuntu-latest container: - image: ghcr.io/staticrocket/processor-sdk-doc:latest + image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Prepare GitHub workdir @@ -24,6 +29,8 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Get changed files id: changed-files @@ -36,7 +43,7 @@ jobs: **.md - name: Run vale checks on modified files - uses: StaticRocket/vale-action@d377866f2e3305ae80ef6ce6516370a7ec4ea55a + uses: vale-cli/vale-action@v2 if: steps.changed-files.outputs.any_changed == 'true' with: fail_on_error: false # to be changed when upstream addresses 84 diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml index 967316adc..56a8ed1d8 100644 --- a/.github/workflows/yamllint.yml +++ b/.github/workflows/yamllint.yml @@ -8,6 +8,13 @@ on: # yamllint disable-line rule:truthy - '**.yaml' - '**.yml' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + +permissions: + contents: read + jobs: yamllint: name: yamllint @@ -15,6 +22,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: yamllint uses: reviewdog/action-yamllint@v1