mirror of
https://github.com/supabase/supabase.git
synced 2026-06-29 03:50:30 -04:00
Etienne Stalmans
c9cc6cd835
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file. YES ## What kind of change does this PR introduce? Chore, CI hardening ## Additional context Hardens all GitHub actions to recommendations of [zizmor](https://docs.zizmor.sh/audits/) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Disabled persistence of checkout credentials across many CI workflows to reduce credential exposure. * Upgraded GitHub App token tooling and tightened generated token permissions for automation. * Added cooldown/rate-limiting to dependency update automation to reduce update churn. * Adjusted workflow-level permissions, required secret inputs for workflow callers, and refactored some job step logic. <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46454?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Ali Waseem <waseema393@gmail.com>
92 lines
3.0 KiB
YAML
92 lines
3.0 KiB
YAML
name: Decrease studio lint ratchet baselines
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '0 0 * * SUN'
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: write
|
|
pull-requests: write
|
|
|
|
jobs:
|
|
decrease-baselines:
|
|
runs-on: blacksmith-4vcpu-ubuntu-2404
|
|
|
|
steps:
|
|
- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
|
|
with:
|
|
persist-credentials: false
|
|
sparse-checkout: |
|
|
.github
|
|
apps/studio
|
|
packages
|
|
patches
|
|
|
|
- uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
|
|
name: Install pnpm
|
|
with:
|
|
run_install: false
|
|
|
|
- name: Use Node.js
|
|
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
|
|
with:
|
|
node-version-file: '.nvmrc'
|
|
cache: 'pnpm'
|
|
|
|
- name: Install deps
|
|
run: pnpm install --frozen-lockfile
|
|
|
|
- name: Generate token
|
|
id: app-token
|
|
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
|
|
with:
|
|
client-id: ${{ vars.GH_AUTOFIX_APP_CLIENT_ID }}
|
|
private-key: ${{ secrets.GH_AUTOFIX_PRIVATE_KEY }}
|
|
permission-contents: write
|
|
permission-pull-requests: write
|
|
|
|
- name: Decrease ESLint ratchet baselines and open PR
|
|
env:
|
|
GH_TOKEN: ${{ steps.app-token.outputs.token }}
|
|
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
|
|
run: |
|
|
set -eo pipefail
|
|
DEFAULT_BRANCH=${DEFAULT_BRANCH:-master}
|
|
|
|
BRANCH="bot/decrease-eslint-ratchet-baselines"
|
|
|
|
git fetch origin "$DEFAULT_BRANCH" --depth=1
|
|
if git ls-remote --exit-code --heads origin "$BRANCH" > /dev/null 2>&1; then
|
|
git fetch origin "$BRANCH":"$BRANCH" --depth=1
|
|
git switch "$BRANCH"
|
|
git reset --hard "origin/$DEFAULT_BRANCH"
|
|
else
|
|
git switch --create "$BRANCH" "origin/$DEFAULT_BRANCH"
|
|
fi
|
|
|
|
pnpm --filter studio run lint:ratchet --decrease-baselines
|
|
|
|
if git diff --quiet; then
|
|
echo "No baseline updates detected."
|
|
exit 0
|
|
fi
|
|
|
|
git config user.name 'github-actions[bot]'
|
|
git config user.email 'github-actions[bot]@users.noreply.github.com'
|
|
|
|
git add apps/studio/.github/eslint-rule-baselines.json
|
|
git commit --message "chore: decrease ESLint ratchet baselines"
|
|
git push --force origin "$BRANCH"
|
|
|
|
pr_url=$(gh pr list --state open --head "$BRANCH" --json url --jq '.[0].url // ""' 2>/dev/null || echo "")
|
|
if [ -z "$pr_url" ]; then
|
|
gh pr create \
|
|
--title "[bot] Decrease ESLint ratchet baselines" \
|
|
--body "Automated weekly decrease of ESLint ratchet baselines." \
|
|
--base "$DEFAULT_BRANCH" \
|
|
--head "$BRANCH"
|
|
else
|
|
gh pr comment "$pr_url" --body "Updated ESLint ratchet baselines with the latest weekly decreases."
|
|
fi
|