build(deps): Bump actions/create-github-app-token from 3.1.1 to 3.2.0 #771
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SPDX-FileCopyrightText: 2022-2025 TII (SSRC) and the Ghaf contributors | |
| # | |
| # SPDX-License-Identifier: Apache-2.0 | |
| name: check | |
| permissions: | |
| contents: read | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request_target: | |
| branches: | |
| - main | |
| jobs: | |
| authorize: | |
| # Important: 'authorize' must run before checkout to ensure 'authorize.yml' | |
| # runs the base version, not the untrusted version from the PR. | |
| uses: ./.github/workflows/authorize.yml | |
| # Skip running in forked repositories, since the workflow run would fail | |
| # due to missing repository secret(s): | |
| if: ${{ github.repository == 'tiiuae/ghaf-fmo-laptop' }} | |
| with: | |
| github-org: tiiuae | |
| secrets: | |
| read-org-members: ${{ secrets.READ_ORG_MEMBERS }} | |
| run-checks: | |
| needs: [authorize] | |
| if: needs.authorize.outputs.result == 'authorized' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| egress-policy: audit | |
| - uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0 | |
| with: | |
| ssh-private-key: | | |
| ${{ secrets.READ_PRIVATE_REPO }} | |
| ${{ secrets.BUILDER_SSH_KEY }} | |
| ${{ secrets.DEVICE_ASSEMBLY_TOOLSET }} | |
| ${{ secrets.ENROLL_MC }} | |
| ${{ secrets.KMS_CLIENT }} | |
| - name: Checkout | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha || github.ref }} | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Rebase | |
| if: ${{ github.base_ref != '' }} | |
| run: | | |
| BASE="origin/${BASE_REF}" | |
| COMMITS="$(git rev-list "$BASE".. --count)" | |
| CONTEXT=5 | |
| echo -e "\n[+] Git log before rebase (with $CONTEXT commits context):" | |
| git log --oneline -n$(( COMMITS + CONTEXT )) | |
| echo -e "\n[+] Rebasing $COMMITS commit(s) on top of '$BASE'" | |
| git config user.email "foo@bar.com"; git config user.name "Foo Bar" | |
| git rebase "$BASE" | |
| echo -e "\n[+] Git log after rebase (with $CONTEXT commits context):" | |
| git log --oneline -n$(( COMMITS + CONTEXT )) | |
| env: | |
| BASE_REF: ${{ github.base_ref }} | |
| - name: Install nix | |
| uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6 | |
| - name: Generate token | |
| id: auth | |
| uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 | |
| with: | |
| app-id: ${{ secrets.APP_ID }} | |
| private-key: ${{ secrets.APP_PRIVATE_KEY }} | |
| owner: tiiuae | |
| - name: Prepare remote builds | |
| run: | | |
| sudo sh -c "echo '${BUILDER_SSH_KNOWN_HOST}' >>/etc/ssh/ssh_known_hosts" | |
| env: | |
| BUILDER_SSH_KNOWN_HOST: ${{ vars.BUILDER_SSH_KNOWN_HOST }} | |
| - name: Run all checks | |
| run: | | |
| # Setup the .netrc file on remote builder: it will be used to access | |
| # the go dependencies in private repositories | |
| tmpdir="$(mktemp --tmpdir=/tmp --dry-run --directory --suffix .gha-check)" | |
| echo "machine github.com login x-access-token password ${APP_TOKEN}" |\ | |
| ssh "${BUILDER_X86}" "mkdir -p $tmpdir; cat > $tmpdir/.netrc" | |
| on_exit () { | |
| echo "Removing $tmpdir on ${BUILDER_X86}" | |
| ssh "${BUILDER_X86}" "rm -fr $tmpdir" | |
| } | |
| trap on_exit EXIT | |
| # Run the checks on remote builder | |
| nix run --inputs-from .# nixpkgs#nix-fast-build -- \ | |
| --remote "${BUILDER_X86}" \ | |
| --flake '.#checks' \ | |
| --always-upload-source \ | |
| --option accept-flake-config true \ | |
| --option extra-sandbox-paths "/tmp/.netrc=$tmpdir/.netrc" \ | |
| --no-download --skip-cached --no-nom | |
| env: | |
| BUILDER_X86: ${{ vars.BUILDER_X86 }} | |
| APP_TOKEN: ${{ steps.auth.outputs.token }} |