chore(deps): update gitguardian/ggshield-action action to v1.36.0 #163
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "CID" | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| debug_enabled: | |
| description: "Run the workflow with tmate.io debugging enabled" | |
| required: true | |
| type: boolean | |
| default: false | |
| run_build_images: | |
| description: "Run build-images job" | |
| required: false | |
| type: boolean | |
| default: false | |
| run_execute_workflow: | |
| description: "Run execute-workflow job" | |
| required: false | |
| type: boolean | |
| default: false | |
| pull_request: | |
| types: [opened, labeled, reopened, synchronize] | |
| paths-ignore: | |
| - "testing/**" | |
| - "**.md" | |
| - "*" | |
| - "!flake.nix" | |
| - "!flake.lock" | |
| push: | |
| branches: | |
| - "main" | |
| - "beta" | |
| paths-ignore: | |
| - "testing/**" | |
| - "**.md" | |
| - "*" | |
| - "!flake.nix" | |
| - "!flake.lock" | |
| defaults: | |
| run: | |
| shell: bash | |
| permissions: | |
| actions: write | |
| contents: read | |
| jobs: | |
| scan: | |
| name: gitguardian | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| with: | |
| fetch-depth: 0 # fetch all history so multiple commits can be scanned | |
| - name: GitGuardian scan | |
| uses: GitGuardian/ggshield-action@53910b10ce6646fb7c6e353f55f26ed96d0cff1b # v1.32.0 | |
| env: | |
| GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }} | |
| GITHUB_PUSH_BASE_SHA: ${{ github.event.base }} | |
| GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }} | |
| GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} | |
| GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} | |
| set-variables: | |
| needs: scan | |
| runs-on: ubuntu-latest | |
| outputs: | |
| debug: ${{ steps.set-variables.outputs.debug }} | |
| skip_ci: ${{ steps.set-variables.outputs.skip_ci }} | |
| skip_tests: ${{ steps.set-variables.outputs.skip_tests }} | |
| checkout_ref: ${{ steps.set-variables.outputs.checkout_ref }} | |
| steps: | |
| - name: Set action variables | |
| id: set-variables | |
| run: | | |
| DEBUG="false" | |
| SKIP_CI="false" | |
| SKIP_TESTS="false" | |
| if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then | |
| DEBUG="${{ inputs.debug_enabled }}" | |
| fi | |
| if [[ "${{ github.event_name }}" == "pull_request" ]]; then | |
| if ${{ contains(github.event.pull_request.labels.*.name, 'skip-ci') }}; then | |
| SKIP_CI="true" | |
| fi | |
| if ${{ contains(github.event.pull_request.labels.*.name, 'skip-tests') }}; then | |
| SKIP_TESTS="true" | |
| fi | |
| if ${{ contains(github.event.pull_request.labels.*.name, 'actions-debug') }}; then | |
| DEBUG="true" | |
| fi | |
| CHECKOUT_REF="${{ github.event.pull_request.head.ref }}" | |
| else | |
| CHECKOUT_REF="${{ github.ref }}" | |
| fi | |
| echo "DEBUG=$DEBUG" | |
| echo "SKIP_CI=$SKIP_CI" | |
| echo "SKIP_TESTS=$SKIP_TESTS" | |
| echo "DEBUG=$DEBUG" >> $GITHUB_OUTPUT | |
| echo "SKIP_CI=$SKIP_CI" >> $GITHUB_OUTPUT | |
| echo "SKIP_TESTS=$SKIP_TESTS" >> $GITHUB_OUTPUT | |
| echo "CHECKOUT_REF=$CHECKOUT_REF" >> $GITHUB_OUTPUT | |
| nixci: | |
| needs: set-variables | |
| runs-on: ubuntu-latest | |
| concurrency: | |
| group: nixci-${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| steps: | |
| - name: Install dependencies | |
| shell: bash | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -yq zstd | |
| sudo apt-get clean | |
| - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| - name: Install Nix | |
| uses: DeterminateSystems/nix-installer-action@75ffa7fc743135e1db864b699d78402ccc8ed988 # ratchet:DeterminateSystems/nix-installer-action@main | |
| with: | |
| extra-conf: 'system-features = nixos-test benchmark big-parallel kvm' | |
| # - name: Run the Magic Nix Cache | |
| # uses: DeterminateSystems/magic-nix-cache-action@main | |
| - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15 | |
| with: | |
| name: "${{ vars.CACHIX_CACHE_NAME }}" | |
| authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" | |
| extraPullNames: srid | |
| - name: Setup tmate debug session | |
| uses: mxschmitt/action-tmate@a283f9441d2d96eb62436dc46d7014f5d357ac22 # ratchet:mxschmitt/action-tmate@v3 | |
| if: ${{ inputs.debug_enabled }} | |
| - name: Build | |
| run: | | |
| nix run github:srid/nixci -- build | |
| build-nix-images: | |
| runs-on: ubuntu-latest | |
| needs: [set-variables] | |
| if: ${{ needs.set-variables.outputs.skip_ci != 'true' && ( contains(github.event.pull_request.labels.*.name, 'build-images') || contains(github.event.pull_request.labels.*.name, 'execute-workflow') || (github.event_name == 'workflow_dispatch' && inputs.run_build_images) || (github.event_name == 'workflow_dispatch' && inputs.run_execute_workflow) ) }} | |
| concurrency: | |
| group: bni-${{ matrix.image }}-${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| packages: write | |
| # environment: | |
| # name: development | |
| # url: "https://ghcr.io/cameronraysmith/nixpod" | |
| strategy: | |
| matrix: | |
| image: [nixpod, codenix, ghanix, jupnix] | |
| steps: | |
| - name: Maximize build space | |
| # uses: easimon/maximize-build-space@fc881a613ad2a34aca9c9624518214ebc21dfc0c # ratchet:easimon/maximize-build-space@v10 | |
| uses: cameronraysmith/maximize-build-space@fdf0c06b18d92be98aa64cb68ae4ea4c9bc4794d # ratchet:cameronraysmith/maximize-build-space@print-usage | |
| with: | |
| build-mount-path: /nix | |
| build-mount-path-ownership: "root:root" | |
| root-reserve-mb: 34816 | |
| swap-size-mb: 1024 | |
| remove-dotnet: "true" | |
| remove-android: "true" | |
| remove-codeql: "true" | |
| remove-docker-images: "true" | |
| - name: Install dependencies | |
| shell: bash | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -yq zstd | |
| sudo apt-get clean | |
| - name: Setup build environment | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # ratchet:actions/checkout@v4 | |
| with: | |
| ref: ${{ needs.set-variables.outputs.checkout_ref }} | |
| - name: Build ${{ matrix.image }} image | |
| uses: ./.github/actions/build-nix-image | |
| with: | |
| triggerEventName: ${{ github.event_name }} | |
| imageName: "${{ matrix.image }}" | |
| imageFQN: "ghcr.io/cameronraysmith/${{ matrix.image }}" | |
| nixCommand: "nix run .#${{ matrix.image }}Manifest --impure --accept-flake-config --print-build-logs --show-trace" | |
| releaseVersion: "" | |
| cachixCacheName: ${{ vars.CACHIX_CACHE_NAME }} | |
| cachixAuthToken: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| artifactRegistryPassword: ${{ secrets.ARTIFACT_REGISTRY_PASSWORD }} | |
| # gcpProjectId: ${{ secrets.GCP_PROJECT_ID }} | |
| # encodedGARCredentials: ${{ secrets.ENCODED_GAR_SA_CREDS }} | |
| debnix: | |
| runs-on: ubuntu-latest | |
| needs: set-variables | |
| if: ${{ needs.set-variables.outputs.skip_ci != 'true' && ( contains(github.event.pull_request.labels.*.name, 'build-images') || contains(github.event.pull_request.labels.*.name, 'execute-workflow') || (github.event_name == 'workflow_dispatch' && inputs.run_build_images) || (github.event_name == 'workflow_dispatch' && inputs.run_execute_workflow) ) }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| concurrency: | |
| group: debnix-${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| steps: | |
| - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| - name: Tag Build and Push Testing Container | |
| uses: ./.github/actions/tag-build-push-container | |
| with: | |
| registry: ghcr.io | |
| image-name: ${{ github.repository_owner }}/${{ github.job }} | |
| containerfile-path: "containers/Containerfile.${{ github.job }}" | |
| push-condition: ${{ github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'build-images') }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| debjupnix: | |
| runs-on: ubuntu-latest | |
| needs: set-variables | |
| if: ${{ needs.set-variables.outputs.skip_ci != 'true' && ( contains(github.event.pull_request.labels.*.name, 'build-images') || contains(github.event.pull_request.labels.*.name, 'execute-workflow') || (github.event_name == 'workflow_dispatch' && inputs.run_build_images) || (github.event_name == 'workflow_dispatch' && inputs.run_execute_workflow) ) }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| concurrency: | |
| group: debjupnix-${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| steps: | |
| - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| - name: Tag Build and Push Testing Container | |
| uses: ./.github/actions/tag-build-push-container | |
| with: | |
| registry: ghcr.io | |
| image-name: ${{ github.repository_owner }}/${{ github.job }} | |
| containerfile-path: "containers/Containerfile.debnix" | |
| push-condition: ${{ github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'build-images') }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| build-args: | | |
| USER=jovyan | |
| UID=1000 | |
| GID=100 | |
| debnixpod: | |
| runs-on: ubuntu-latest | |
| needs: [scan, debnix] | |
| permissions: | |
| contents: read | |
| packages: write | |
| concurrency: | |
| group: debnixpod-${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| steps: | |
| - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| - name: Tag Build and Push Testing Container | |
| uses: ./.github/actions/tag-build-push-container | |
| with: | |
| registry: ghcr.io | |
| image-name: ${{ github.repository_owner }}/${{ github.job }} | |
| containerfile-path: "containers/Containerfile.${{ github.job }}" | |
| push-condition: ${{ github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'build-images') }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| # build-deb-images: | |
| # needs: [set-variables, scan] | |
| # runs-on: ubuntu-latest | |
| # permissions: | |
| # contents: read | |
| # packages: write | |
| # concurrency: | |
| # group: ${{ matrix.job }}-${{ github.workflow }}-${{ github.ref }} | |
| # strategy: | |
| # matrix: | |
| # job: [debnix, debjupnix, debnixpod] | |
| # steps: | |
| # - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| # - name: Tag Build and Push Testing Container | |
| # uses: ./.github/actions/tag-build-push-container | |
| # with: | |
| # registry: ghcr.io | |
| # image-name: ${{ github.repository_owner }}/${{ matrix.job }} | |
| # containerfile-path: "containers/Containerfile.${{ matrix.job }}" | |
| # push-condition: ${{ github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'build-images') }} | |
| # github-token: ${{ secrets.GITHUB_TOKEN }} | |
| # build-args: ${{ matrix.job == 'debjupnix' && 'USER=jovyan\nUID=1000\nGID=100' || '' }} | |
| release: | |
| runs-on: ubuntu-latest | |
| needs: [nixci] | |
| if: ${{ github.repository_owner == 'cameronraysmith' && github.event_name == 'push' }} | |
| permissions: | |
| contents: write | |
| outputs: | |
| version: ${{ steps.semantic-release.outputs.new_release_version }} | |
| git-tag: ${{ steps.semantic-release.outputs.new_release_git_tag }} | |
| released: ${{ steps.semantic-release.outputs.new_release_published }} | |
| git-head: ${{ steps.semantic-release.outputs.new_release_git_head }} | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | |
| with: | |
| fetch-depth: '0' | |
| - name: Get semantic-release version | |
| shell: sh | |
| id: semantic-release-version | |
| run: echo version=$(npm view @cihelper/semanticrelease-preset-generic dependencies.semantic-release) >> $GITHUB_OUTPUT | |
| - name: Run semantic-release | |
| id: semantic-release | |
| uses: cycjimmy/semantic-release-action@cb425203a562475bca039ba4dbf90c7f9ac790f4 # v4 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| semantic_version: ${{ steps.semantic-release-version.outputs.version }} | |
| extra_plugins: "@cihelper/semanticrelease-preset-generic@1" | |
| extends: "@cihelper/semanticrelease-preset-generic" | |
| # publish: | |
| # needs: [release] | |
| # runs-on: "ubuntu-latest" | |
| # if: ${{ needs.release.outputs.released == 'true' }} | |
| # concurrency: | |
| # group: publish-${{ github.workflow }}-${{ github.ref }}-${{ github.sha }} | |
| # cancel-in-progress: true | |
| # permissions: | |
| # id-token: "write" | |
| # contents: "read" | |
| # steps: | |
| # - uses: "actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29" # v4 | |
| # with: | |
| # ref: ${{ needs.release.outputs.git-tag }} | |
| # - uses: "DeterminateSystems/nix-installer-action@75ffa7fc743135e1db864b699d78402ccc8ed988" # ratchet:DeterminateSystems/nix-installer-action@main | |
| # - uses: "DeterminateSystems/flakehub-push@114496f7d11f17ceb7d1466a8aaeaef496b1041f" # ratchet:DeterminateSystems/flakehub-push@main | |
| # with: | |
| # visibility: "public" | |
| # tag: ${{ needs.release.outputs.version }} | |
| publish-nix-images: | |
| runs-on: ubuntu-latest | |
| needs: [release] | |
| if: ${{ needs.release.outputs.released == 'true' }} | |
| concurrency: | |
| group: pni-${{ matrix.image }}-${{ github.workflow }}-${{ github.ref }}-${{ github.sha }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| packages: write | |
| # environment: | |
| # name: development | |
| # url: "https://ghcr.io/cameronraysmith/nixpod" | |
| strategy: | |
| matrix: | |
| image: [nixpod, codenix, ghanix, jupnix] | |
| steps: | |
| - name: Maximize build space | |
| # uses: easimon/maximize-build-space@fc881a613ad2a34aca9c9624518214ebc21dfc0c # ratchet:easimon/maximize-build-space@v10 | |
| uses: cameronraysmith/maximize-build-space@fdf0c06b18d92be98aa64cb68ae4ea4c9bc4794d # ratchet:cameronraysmith/maximize-build-space@print-usage | |
| with: | |
| build-mount-path: /nix | |
| build-mount-path-ownership: "root:root" | |
| root-reserve-mb: 34816 | |
| swap-size-mb: 1024 | |
| remove-dotnet: "true" | |
| remove-android: "true" | |
| remove-codeql: "true" | |
| remove-docker-images: "true" | |
| - name: Setup build environment | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # ratchet:actions/checkout@v4 | |
| with: | |
| ref: ${{ needs.release.outputs.git-tag }} | |
| - name: Install dependencies | |
| shell: bash | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -yq zstd | |
| sudo apt-get clean | |
| - name: Build ${{ matrix.image }} image | |
| uses: ./.github/actions/build-nix-image | |
| with: | |
| triggerEventName: ${{ github.event_name }} | |
| imageName: "${{ matrix.image }}" | |
| imageFQN: "ghcr.io/cameronraysmith/${{ matrix.image }}" | |
| nixCommand: "nix run .#${{ matrix.image }}Manifest --impure --accept-flake-config --print-build-logs --show-trace" | |
| releaseVersion: ${{ needs.release.outputs.version }} | |
| cachixCacheName: ${{ vars.CACHIX_CACHE_NAME }} | |
| cachixAuthToken: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| artifactRegistryPassword: ${{ secrets.ARTIFACT_REGISTRY_PASSWORD }} | |
| # gcpProjectId: ${{ secrets.GCP_PROJECT_ID }} | |
| # encodedGARCredentials: ${{ secrets.ENCODED_GAR_SA_CREDS }} | |
| publish-debnix: | |
| runs-on: ubuntu-latest | |
| needs: [release] | |
| if: ${{ needs.release.outputs.released == 'true' }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| concurrency: | |
| group: publish-debnix-${{ github.workflow }}-${{ github.ref }}-${{ github.sha }} | |
| cancel-in-progress: true | |
| steps: | |
| - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| with: | |
| ref: ${{ needs.release.outputs.git-tag }} | |
| - name: Tag Build and Push Testing Container | |
| uses: ./.github/actions/tag-build-push-container | |
| with: | |
| registry: ghcr.io | |
| image-name: ${{ github.repository_owner }}/debnix | |
| containerfile-path: "containers/Containerfile.debnix" | |
| push-condition: ${{ github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'build-images') }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| publish-debjupnix: | |
| runs-on: ubuntu-latest | |
| needs: [release] | |
| if: ${{ needs.release.outputs.released == 'true' }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| concurrency: | |
| group: publish-debjupnix-${{ github.workflow }}-${{ github.ref }}-${{ github.sha }} | |
| cancel-in-progress: true | |
| steps: | |
| - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| with: | |
| ref: ${{ needs.release.outputs.git-tag }} | |
| - name: Tag Build and Push Testing Container | |
| uses: ./.github/actions/tag-build-push-container | |
| with: | |
| registry: ghcr.io | |
| image-name: ${{ github.repository_owner }}/debjupnix | |
| containerfile-path: "containers/Containerfile.debnix" | |
| push-condition: ${{ github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'build-images') }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| build-args: | | |
| USER=jovyan | |
| UID=1000 | |
| GID=100 | |
| publish-debnixpod: | |
| runs-on: ubuntu-latest | |
| needs: [release,publish-debnix] | |
| if: ${{ needs.release.outputs.released == 'true' }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| concurrency: | |
| group: publish-debnixpod-${{ github.workflow }}-${{ github.ref }}-${{ github.sha }} | |
| cancel-in-progress: true | |
| steps: | |
| - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 | |
| with: | |
| ref: ${{ needs.release.outputs.git-tag }} | |
| - name: Tag Build and Push Testing Container | |
| uses: ./.github/actions/tag-build-push-container | |
| with: | |
| registry: ghcr.io | |
| image-name: ${{ github.repository_owner }}/debnixpod | |
| containerfile-path: "containers/Containerfile.debnixpod" | |
| push-condition: ${{ github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'build-images') }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} |