diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c637ad2fd..ad5bef3e6 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,19 +13,23 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: collect: + name: Collect DEVFAMILY and OS combinations runs-on: ubuntu-latest container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read outputs: build-matrix: "${{ steps.matrix.outputs.matrix }}" steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Create build matrix id: matrix
@@ -38,8 +42,6 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read needs: collect strategy: matrix:
@@ -48,15 +50,19 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Add directory to safe dir overrides run: | git config --global --add safe.directory "$PWD" - name: Build ${{ matrix.device }} + env: + DEVFAMILY: ${{ matrix.device }} + OS: ${{ matrix.os }} run: | - make DEVFAMILY=${{ matrix.device }} OS=${{ matrix.os }} \ - VERSION=${{ github.ref_name }} + make VERSION=${GITHUB_REF_NAME} - name: Upload artifact uses: actions/upload-artifact@v4
diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml
index e98c34d7b..25094d377 100644
--- a/.github/workflows/check-files.yml
+++ b/.github/workflows/check-files.yml
@@ -7,10 +7,17 @@ on: # yamllint disable-line rule:truthy paths: - 'source/**' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash +permissions: + contents: read + jobs: lint: name: Lint
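Review bot: `uses: actions/checkout@v4` on the Checkout step is still pinned to a mutable major tag, so the token hardening this commit adds (`persist-credentials: false`, read-only `contents`) does not extend to the supply chain of the action itself. Pinning to the full commit SHA with the tag kept as a trailing comment, `uses: actions/checkout@<full-commit-sha> # v4`, makes the workflow immune to a retagged or compromised release, and Dependabot's `github-actions` ecosystem keeps such pins updated. The same applies to `actions/upload-artifact@v4` in the third hunk of this file and to `commit-check/commit-check-action@v2`, `docker/setup-buildx-action@v3` and `reviewdog/action-yamllint@v1` in the other files of this commit.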
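Review bot: Moving `DEVFAMILY` and `OS` from make command-line arguments into the step's `env:` changes their precedence: GNU make lets a Makefile assignment (`DEVFAMILY = …` or `:=`) override an environment variable, whereas a command-line assignment overrides the Makefile. The Makefile is not in this diff, so unless it reads both variables with `?=` the matrix values may now be silently ignored. Keeping the environment-variable indirection (the right fix for putting `${{ }}` expressions inside a shell script) while restoring command-line precedence is one line: `make DEVFAMILY="$DEVFAMILY" OS="$OS" VERSION="$GITHUB_REF_NAME"`. Quoting `$GITHUB_REF_NAME` also avoids word splitting on an unusual ref name.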
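Review bot: The new concurrency group `${{ github.workflow }}-${{ github.event.number }}` only disambiguates runs for events that carry `number`; the `on:` block is cut off above the hunk, so if this workflow also runs on `push` or another non-PR event, all such runs would collapse into one group and `cancel-in-progress: true` would cancel them against each other. A fallback covers both cases: `group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}`. The same expression is introduced in check_toc_txt.yml, commit-check.yml, component-owners.yml, rstcheck.yml, vale.yml and yamllint.yml in this commit.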
@@ -18,12 +25,12 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Update refs and settings run: |
@@ -33,6 +40,8 @@ jobs: git switch master - name: Run check_files.py + env: + EVENT_NUMBER: ${{ github.event.number }} run: | # Disable color output export NO_COLOR=true
@@ -53,7 +62,7 @@ jobs: # Prepare the artifacts mkdir -p ./results - echo "${{ github.event.number }}" > ./results/id + echo "$EVENT_NUMBER" > ./results/id cp "$GITHUB_STEP_SUMMARY" ./results/summary echo "$(wc -l < _new-warn.log)" > ./results/problem-count
diff --git a/.github/workflows/check_toc_txt.yml b/.github/workflows/check_toc_txt.yml
index d8c9ecda6..7a6f17442 100644
--- a/.github/workflows/check_toc_txt.yml
+++ b/.github/workflows/check_toc_txt.yml
@@ -8,10 +8,17 @@ on: # yamllint disable-line rule:truthy - 'source/**' - 'configs/*/*_toc.txt' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash +permissions: + contents: read + jobs: lint: name: Lint
@@ -19,12 +26,12 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Update refs and settings run: |
@@ -34,6 +41,8 @@ jobs: git switch master - name: Run rstcheck + env: + EVENT_NUMBER: ${{ github.event.number }} run: | # Disable color output export NO_COLOR=true
@@ -54,7 +63,7 @@ jobs: # Prepare the artifacts mkdir -p ./results - echo "${{ github.event.number }}" > ./results/id + echo "$EVENT_NUMBER" > ./results/id cp "$GITHUB_STEP_SUMMARY" ./results/summary echo "$(wc -l < _new-warn.log)" > ./results/problem-count
diff --git a/.github/workflows/comment.yml b/.github/workflows/comment.yml
index c54a4cf03..88bf508c4 100644
--- a/.github/workflows/comment.yml
+++ b/.github/workflows/comment.yml
@@ -10,13 +10,14 @@ on: # yamllint disable-line rule:truthy types: - completed +permissions: + pull-requests: write # Required to leave a comment on a review + jobs: comment: name: Comment runs-on: ubuntu-latest if: ${{ github.event.workflow_run.event == 'pull_request' }} - permissions: - pull-requests: write steps: - name: Download artifact
diff --git a/.github/workflows/commit-check.yml b/.github/workflows/commit-check.yml
index c4933e4fb..9750a3b18 100644
--- a/.github/workflows/commit-check.yml
+++ b/.github/workflows/commit-check.yml
@@ -1,23 +1,25 @@ --- name: Commit Check -on: # yamllint disable-line rule:truthy - pull_request: - branches: ['master'] +on: [pull_request] # yamllint disable-line rule:truthy + +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + +permissions: + contents: read jobs: commit-check: name: Commit Check runs-on: ubuntu-latest - permissions: - contents: read - issues: write - pull-requests: write steps: - name: Checkout uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Check commit uses: commit-check/commit-check-action@v2
diff --git a/.github/workflows/component-owners.yml b/.github/workflows/component-owners.yml
index 59f35f80a..cca01ef87 100644
--- a/.github/workflows/component-owners.yml
+++ b/.github/workflows/component-owners.yml
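Review bot: Lifting `pull-requests: write` from the `comment` job to the workflow level grants that scope to every job this `workflow_run` workflow may gain later, while today it is equivalent because `comment` is the only job; keeping the scope on the job is the tighter default and the new comment fits there just as well. Independently of where the scope lives, the job acts on an artifact produced by the check workflows in this commit (`./results/id` holds the PR number), and those runs execute for pull requests from forks, so the artifact contents can be influenced by the PR; the PR number should be validated as a bare integer and cross-checked against `github.event.workflow_run.pull_requests` before it is used in an API call. The steps that download and use the artifact are outside the hunk, so this may already be handled.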
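Review bot: Replacing `pull_request: branches: ['master']` with `on: [pull_request]` also drops the branch filter, so the check now runs for pull requests targeting any branch; if that widening is intended it deserves a word in the commit message, otherwise `on: pull_request: branches: ['master']` (block form) keeps the previous scope alongside the new concurrency and permissions blocks. Removing `issues: write` and `pull-requests: write` is the right direction, but `commit-check/commit-check-action@v2` can be configured to post PR comments and its `with:` block is outside the hunk — confirm that option is off, or the action will fail against the read-only token. `ref: ${{ github.event.pull_request.head.sha }}` together with `persist-credentials: false` on a `pull_request` trigger is fine.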
@@ -1,20 +1,19 @@ --- name: "component-owners" -on: # yamllint disable-line rule:truthy - # It's insecure to use pull_request_target if you intend to check out code - # from that PR. This just reads the config file in the pull request base, and - # is not an issue currently. We will need to use this to comment on PRs coming - # from forked repositories. - pull_request_target: - branches: [master] +# It's insecure to use pull_request_target if you intend to check out code +# from that PR. This just reads the config file in the pull request base, and +# is not an issue currently. We will need to use this to comment on PRs coming +# from forked repositories. +on: [pull_request_target] # yamllint disable-line rule:truthy + +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true permissions: - # Clamp permissions since pull_request_target workflows granted full - # read/write repository permission by default contents: read - issues: write - pull-requests: write + pull-requests: write # Required to set reviewers jobs: component-owners:
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 1bfd50c2c..87bd3e0ee 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -8,6 +8,13 @@ on: # yamllint disable-line rule:truthy types: - completed +concurrency: + group: pages + cancel-in-progress: true + +permissions: + contents: read + jobs: agregate: name: Agregate build artifacts
@@ -16,12 +23,12 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Add directory to safe dir overrides run: |
@@ -51,8 +58,7 @@ jobs: runs-on: ubuntu-latest needs: agregate permissions: - pages: write - id-token: write + pages: write # Required for deployment to GitHub Pages steps: - name: Update github page deployment
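Review bot: `on: [pull_request_target]` drops the `branches: [master]` filter along with the block form, so this workflow — which runs with a write-capable token of the base repository — now triggers for pull requests against every branch; on a `pull_request_target` trigger a narrow branch filter is cheap defence in depth and is worth keeping unless the widening is deliberate. The comment explaining why `pull_request_target` is risky survives above `on:`, but the removed comment stating that the `permissions:` block is the intentional clamp for this trigger was not carried over; `# pull_request_target gets a write-capable token by default; keep this block minimal` above `contents: read` preserves that context for the next editor. The job body, where it matters that the PR head is never checked out, is outside the hunk.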
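Review bot: `cancel-in-progress: true` under the `pages` group will cancel a GitHub Pages deployment that is mid-flight whenever a newer `workflow_run` arrives; GitHub's own Pages starter workflow uses `cancel-in-progress: false` for this group precisely so that an in-progress deployment completes and only queued runs are superseded. Unless an interrupted deployment is acceptable here, `cancel-in-progress: false` is the safer value for a production deploy.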
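Review bot: Dropping `id-token: write` from the deploy job's `permissions` is likely to break the step that follows: `actions/deploy-pages` requires both `pages: write` and `id-token: write`, because it presents an OIDC token to prove the deployment originates from this workflow run. The `uses:` of the "Update github page deployment" step is outside the hunk, so if it is `actions/deploy-pages`, restore `id-token: write # Required for the OIDC token deploy-pages presents to GitHub Pages`; if the step deploys by some other means, the removal is fine.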
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 061a1d992..eb9100110 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -7,21 +7,28 @@ on: # yamllint disable-line rule:truthy - 'docker/**' - requirements.txt +concurrency: + group: docker + cancel-in-progress: true + env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} +permissions: + contents: read + packages: write # Required to push image to ghcr.io + jobs: build: name: Build runs-on: ubuntu-latest - permissions: - contents: read - packages: write steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3
diff --git a/.github/workflows/rstcheck.yml b/.github/workflows/rstcheck.yml
index 04a45c93d..bbb834dd3 100644
--- a/.github/workflows/rstcheck.yml
+++ b/.github/workflows/rstcheck.yml
@@ -7,10 +7,17 @@ on: # yamllint disable-line rule:truthy paths: - 'source/**' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash +permissions: + contents: read + jobs: lint: name: Lint
@@ -18,12 +25,12 @@ jobs: container: image: ghcr.io/texasinstruments/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Update refs and settings run: |
@@ -33,6 +40,8 @@ jobs: git switch master - name: Run rstcheck + env: + EVENT_NUMBER: ${{ github.event.number }} run: | # Disable color output export NO_COLOR=true
@@ -53,7 +62,7 @@ jobs: # Prepare the artifacts mkdir -p ./results - echo "${{ github.event.number }}" > ./results/id + echo "$EVENT_NUMBER" > ./results/id cp "$GITHUB_STEP_SUMMARY" ./results/summary echo "$(wc -l < _new-warn.log)" > ./results/problem-count
diff --git a/.github/workflows/vale.yml b/.github/workflows/vale.yml
index 1c493f94f..4b8b8bb8e 100644
--- a/.github/workflows/vale.yml
+++ b/.github/workflows/vale.yml
@@ -3,10 +3,17 @@ name: "vale" on: [pull_request] # yamllint disable-line rule:truthy +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + defaults: run: shell: bash +permissions: + contents: read + jobs: vale: name: vale
@@ -14,8 +21,6 @@ jobs: container: image: ghcr.io/staticrocket/processor-sdk-doc:latest options: --entrypoint /bin/bash - permissions: - contents: read steps: - name: Prepare GitHub workdir
@@ -24,6 +29,8 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Get changed files id: changed-files
diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml
index 967316adc..56a8ed1d8 100644
--- a/.github/workflows/yamllint.yml
+++ b/.github/workflows/yamllint.yml
@@ -8,6 +8,13 @@ on: # yamllint disable-line rule:truthy - '**.yaml' - '**.yml' +concurrency: + group: ${{ github.workflow }}-${{ github.event.number }} + cancel-in-progress: true + +permissions: + contents: read + jobs: yamllint: name: yamllint
@@ -15,6 +22,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: yamllint uses: reviewdog/action-yamllint@v1
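Review bot: `reviewdog/action-yamllint@v1` reports through `GITHUB_TOKEN`, and its `github-pr-check` (default) and `github-pr-review` reporters need `checks: write` or `pull-requests: write` respectively; the workflow-level `permissions: contents: read` added in the first hunk of this file sets every other scope to none, so whether this step still works now depends on the `with:` block that lies outside the hunk. Either grant the single scope the chosen reporter needs on the `yamllint` job, `permissions: checks: write # reviewdog github-pr-check reporter`, or use `reporter: local` if only a failing exit status is wanted.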