workflow updates to handle unified docs#316
Conversation
| if: github.repository == 'hashicorp/vagrant-builders' && !cancelled() && !failure() | ||
| name: Calculate next version | ||
| runs-on: ubuntu-latest | ||
| needs: [vagrant-artifacts] | ||
| outputs: | ||
| version: ${{ steps.calculate-version.outputs.version }} | ||
| steps: | ||
| - name: Authentication | ||
| id: vault-auth | ||
| run: vault-auth | ||
| - name: Secrets | ||
| id: secrets | ||
| uses: hashicorp/vault-action@v2 | ||
| with: | ||
| url: ${{ steps.vault-auth.outputs.addr }} | ||
| caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }} | ||
| token: ${{ steps.vault-auth.outputs.token }} | ||
| secrets: | ||
| kv/data/teams/vagrant/hashibot vagrant_token; | ||
| - name: Code Checkout | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
| - name: Vagrant Code Checkout | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
| with: | ||
| repository: hashicorp/vagrant | ||
| path: ./vagrant-source | ||
| token: ${{ steps.secrets.outputs.vagrant_token }} | ||
| fetch-depth: 0 | ||
| - name: Publish Documentation Branches | ||
| run: ./.ci/publish-documentation-branches "${TAG_NAME}" "${VERSION}" ./vagrant-source | ||
| env: | ||
| VERSION: ${{ needs.vagrant-artifacts.outputs.vagrant-version }} | ||
| TAG_NAME: ${{ needs.info.outputs.vagrant-tag }} | ||
| env: | ||
| current_version: ${{ needs.vagrant-artifacts.outputs.vagrant-version }} | ||
| run: | | ||
| major_minor="${current_version%.*}" | ||
| patch="${current_version##*.}" | ||
| ((patch++)) | ||
| new_version="${major_minor}.${patch}" | ||
| printf "version=%s\n" >> "${GITHUB_OUTPUT}" | ||
| new-unified-docs-version: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 8 months ago
To fix this problem, you should add an explicit permissions block to the next-version job in .github/workflows/release.yml, minimizing the permissions to the least privilege necessary. Based on the job's actions (simple calculation and exporting an output), there is no indication that it needs any elevated permissions, so the minimal block should be permissions: contents: read. This will ensure that the GITHUB_TOKEN for this job only has read access to repository contents and cannot perform any write actions. No methods, additional imports, or other definitions are needed; only an update to the job definition in the YAML workflow file is required.
| @@ -323,6 +323,8 @@ | ||
| name: Calculate next version | ||
| runs-on: ubuntu-latest | ||
| needs: [vagrant-artifacts] | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| version: ${{ steps.calculate-version.outputs.version }} | ||
| steps: |
6e17b58 to
e205776
Compare
This provides updates to the release workflow to handle automatic PR generation for documentation on the unified docs site. After the PR is created, it will update the long lived branch with a new directory for the next version pre-filled with the contents of the previous version. An additional workflow is included for scheduled updates of the long lived documentation branch to keep it up-to-date with `main`. All of the unified docs related workflows support being called directly from the GitHub UI.
e205776 to
c9381fe
Compare
This provides updates to the release workflow to handle automatic
PR generation for documentation on the unified docs site. After
the PR is created, it will update the long lived branch with a
new directory for the next version pre-filled with the contents
of the previous version. An additional workflow is included for
scheduled updates of the long lived documentation branch to
keep it up-to-date with
main.All of the unified docs related workflows support being called
directly from the GitHub UI.