Merge pull request #141 from usegalaxy-eu/improve-github-action-security

Improve GitHub Actions workflows security
usegalaxy-eu · Nov 18, 2024 · 0958fdb · 0958fdb
2 parents bd3a849 + 11402ce
commit 0958fdb
Show file tree

Hide file tree

Showing 7 changed files with 143 additions and 227 deletions.
diff --git a/.github/actions/galaxy-social/action.yml b/.github/actions/galaxy-social/action.yml
diff --git a/.github/workflows/galaxy_social.yml b/.github/workflows/galaxy_social.yml
@@ -0,0 +1,52 @@
+name: Create Preview
+
+on:
+  pull_request_target:
+    branches: [main]
+    types: [opened, synchronize, reopened, closed]
+    paths:
+      - "posts/**"
+
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: "The number of the pull request to create preview for"
+        required: true
+
+jobs:
+  manage_content:
+    name: Manage Content
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      actions: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install -r requirements.txt
+
+      - name: Run script to create preview or publish contents
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          MASTODON_ACCESS_TOKEN: ${{ secrets.MASTODON_ACCESS_TOKEN }}
+          BLUESKY_PASSWORD: ${{ secrets.BLUESKY_PASSWORD }}
+          MATRIX_ACCESS_TOKEN: ${{ secrets.MATRIX_ACCESS_TOKEN }}
+          SLACK_ACCESS_TOKEN: ${{ secrets.SLACK_ACCESS_TOKEN }}
+          MASTODON_EU_FR_TOKEN: ${{ secrets.MASTODON_EU_FR_TOKEN }}
+          LINKEDIN_ACCESS_TOKEN: ${{ secrets.LINKEDIN_ACCESS_TOKEN }}
+          BRC_MASTODON_ACCESS_TOKEN: ${{ secrets.BRC_MASTODON_ACCESS_TOKEN }}
+          BRC_BLUESKY_PASSWORD: ${{ secrets.BRC_BLUESKY_PASSWORD }}
+          BRC_LINKEDIN_ACCESS_TOKEN: ${{ secrets.BRC_LINKEDIN_ACCESS_TOKEN }}
+        run: python -u github_run.py
diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml
diff --git a/.github/workflows/publish_content.yml b/.github/workflows/publish_content.yml
diff --git a/README.md b/README.md
@@ -74,9 +74,9 @@ For images just drag and drop them here. they will look like this:
 
 4. **Create a Pull Request:** Once your post is ready, [create a pull request](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request?tool=webui#creating-the-pull-request) to the main branch from another branch or [from your fork](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork)
 
-5. **Preview and Review:** After each pull request, the "Create Preview" GitHub action will run. It will generate previews of the content as it would appear on each platform listed under "media" in a comment to the pull request and highlight any errors that need to be fixed before merging.
+5. **Preview and Review:** After each pull request, the GitHub action will run and will generate previews of the content as it would appear on each platform listed under "media" in a comment to the pull request and highlight any errors that need to be fixed before merging.
 
-6. **Publish Your Content:** Upon merging the pull request, the "Publish Content" GitHub action will run. The results will be added to `processed_files.json` in the processed_files branch.
+6. **Publish Your Content:** Upon merging the pull request, the GitHub action will run. The results will be added to `processed_files.json` in the processed_files branch.
 
 By following these steps, you can effectively create and publish posts on Galaxy Social.
 
@@ -106,7 +106,7 @@ The `name` is then used in the `media` tag in the post file (posts/\*.md) to det
 
 5. **Enable the Plugin**: Simply set `enabled: true` to enable the new social media platform. This ensures that it will be implemented when creating posts.
 
-6. **Update publish_content.yml**: Finally, update the `publish_content.yml` file to include an environment variable referencing the token saved in GitHub secrets. Use the following template: (Don't put the prefixed `$` in here)
+6. **Update galaxy_social.yml**: Finally, update the `galaxy_social.yml` file to include an environment variable referencing the token saved in GitHub secrets. Use the following template: (Don't put the prefixed `$` in here)
 
 ```yaml