diff --git a/.github/actions/python-environment/action.yml b/.github/actions/python-environment/action.yml index 88c311138..2e0ba3559 100644 --- a/.github/actions/python-environment/action.yml +++ b/.github/actions/python-environment/action.yml @@ -45,10 +45,11 @@ runs: - name: Set up Poetry (${{ inputs.poetry-version }}) shell: bash run: | - POETRY_VERSION="${{ inputs.poetry-version }}" "$PYTHON_BINARY" "${{ github.action_path }}/ext/get_poetry.py" + POETRY_VERSION="${INPUTS_POETRY_VERSION}" "$PYTHON_BINARY" "${{ github.action_path }}/ext/get_poetry.py" echo "$HOME/.local/bin" >> $GITHUB_PATH env: PYTHON_BINARY: "python${{ inputs.python-version }}" + INPUTS_POETRY_VERSION: ${{ inputs.poetry-version }} - name: Setup cache variables id: setup-cache-variables @@ -77,16 +78,20 @@ runs: working-directory: ${{ inputs.working-directory }} shell: bash run: | - EXTRAS=$(echo "${{ inputs.extras }}" | tr -d ' ') + EXTRAS=$(echo "${INPUTS_EXTRAS}" | tr -d ' ') if [[ -n "$EXTRAS" ]]; then poetry install --extras "$EXTRAS" else poetry install fi + env: + INPUTS_EXTRAS: ${{ inputs.extras }} - name: Validate Poetry environment working-directory: ${{ inputs.working-directory }} shell: bash run: | poetry run python --version - poetry run python --version | grep "${{ inputs.python-version }}" + poetry run python --version | grep "${INPUTS_PYTHON_VERSION}" + env: + INPUTS_PYTHON_VERSION: ${{ inputs.python-version }} diff --git a/.github/actions/security-issues/action.yml b/.github/actions/security-issues/action.yml index 64e67b470..a8fcc7601 100644 --- a/.github/actions/security-issues/action.yml +++ b/.github/actions/security-issues/action.yml 
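Review bot: The check `poetry run python --version | grep "${INPUTS_PYTHON_VERSION}"` in the Validate Poetry environment hunk passes an unanchored regular expression, so a dot matches any character and `3.1` also accepts `3.10` or `3.11`; moving the value into an env var keeps that weakness. Unless inputs.python-version may already carry a patch level, `grep -F -- "Python ${INPUTS_PYTHON_VERSION}."` compares the literal major.minor followed by the patch separator and rejects the longer versions. The same pattern is in the Validate Python Version hunk of .github/workflows/test-python-environment.yml (`grep "$PYTHON_VERSION"`). The `run:` block of this step is fully visible, but the action's input declarations are outside the hunk.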
@@ -44,12 +44,16 @@ runs: - name: Create Security Issue Report shell: bash run: | - ${{ inputs.command }} | tee input + ${INPUTS_COMMAND} | tee input + env: + INPUTS_COMMAND: ${{ inputs.command }} - name: Convert Report To Common Input Format shell: bash run: | - tbx security cve convert ${{inputs.format}} < input | tee cves.jsonl + tbx security cve convert ${INPUTS_FORMAT} < input | tee cves.jsonl + env: + INPUTS_FORMAT: ${{inputs.format}} - name: Filter Issues env: @@ -62,9 +66,10 @@ runs: - name: Create Issues env: GH_TOKEN: ${{ inputs.github-token }} + INPUTS_PROJECT: ${{ inputs.project }} shell: bash run: | - tbx security cve create --project "${{ inputs.project }}" < issues.jsonl | tee created.jsonl + tbx security cve create --project "${INPUTS_PROJECT}" < issues.jsonl | tee created.jsonl - name: Define Output Parameter id: get-created-issues diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml index f60b739d9..4b6befafa 100644 --- a/.github/workflows/build-and-publish.yml +++ b/.github/workflows/build-and-publish.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Build & Publish on: @@ -18,6 +18,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 72a414a4f..2703e43b1 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: CD on: diff --git a/.github/workflows/check-release-tag.yml b/.github/workflows/check-release-tag.yml index 78e4161e8..a2e251a8e 100644 
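Review bot: `${INPUTS_COMMAND} | tee input` changes how the command is interpreted: the inlined `${{ inputs.command }}` was parsed by bash as a command line, while an unquoted parameter expansion is only word-split and glob-expanded, so a value containing a pipe, redirection or quoted argument is now handed to the first word as literal arguments instead of being run as a pipeline. If callers only pass a single program with plain arguments this is fine, but the `command` input's description should say so; that declaration is outside the hunk. In the next step `${INPUTS_FORMAT}` is unquoted as well, and `"${INPUTS_FORMAT}"` keeps an empty or space-containing value from being dropped or split. Minor style point: `INPUTS_FORMAT: ${{inputs.format}}` lacks the inner spaces every other expression in these files uses.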
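Review bot: `uses: actions/checkout@v6` in the build-and-publish.yml checkout hunk selects the action by a mutable tag, so the new `persist-credentials: false` still leaves the step trusting whatever commit the `v6` tag points to at run time. Pinning to the full commit SHA with the tag kept as a trailing comment, `uses: actions/checkout@<commit-sha> # v6`, makes that dependency immutable. This applies to every checkout hunk in this diff, including the templates under exasol/toolbox/templates/github/workflows/.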
--- a/.github/workflows/check-release-tag.yml +++ b/.github/workflows/check-release-tag.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Check Release Tag on: @@ -16,6 +16,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -27,4 +29,5 @@ jobs: - name: Check Release Tag id: check-release-tag # make sure the pushed/created tag matched the project version - run: "[[ `poetry version --short` == ${{ github.ref_name }} ]]" + run: |- + [[ "$(poetry version --short)" == "$GITHUB_REF_NAME" ]] diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 3ce5eddb5..89a4bf141 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Checks on: @@ -15,6 +15,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -41,6 +43,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -66,6 +70,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment 
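Review bot: The rewritten Check Release Tag step uses `run: |-` here, while the corresponding template hunk in exasol/toolbox/templates/github/workflows/check-release-tag.yml writes the same step as `run: |`; the file header says it is generated by the toolbox, so if the generator copies the template verbatim one of the two was edited by hand (harmless for a single command, but it will reappear as a diff on the next regeneration). Quoting both sides of `[[ "$(poetry version --short)" == "$GITHUB_REF_NAME" ]]` is the right fix, since the unquoted right-hand side previously acted as a glob pattern. The step's `if:`/trigger context is outside the hunk.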
@@ -102,6 +108,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -128,6 +136,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -158,6 +168,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -179,6 +191,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -200,6 +214,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a9541cdaf..e44f4b0b5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: CI on: diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml index e36ce8b60..157e32fb5 100644 --- a/.github/workflows/dependency-update.yml +++ b/.github/workflows/dependency-update.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Dependency Update on: 
@@ -21,15 +21,17 @@ jobs: id: check-out-repository uses: actions/checkout@v6 with: + persist-credentials: true fetch-depth: 0 - name: Fail if not running on the default branch id: check-branch if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch) - uses: actions/github-script@v8 - with: - script: | - core.setFailed('Not running on the default branch. github.ref is ${{ github.ref }}') + env: + CURRENT_BRANCH: ${{ github.ref }} + run: | + echo "Not running on the default branch. Current ref is: $CURRENT_BRANCH" + exit 1 - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/.github/workflows/fast-tests.yml b/.github/workflows/fast-tests.yml index 24f775b29..b692b8e38 100644 --- a/.github/workflows/fast-tests.yml +++ b/.github/workflows/fast-tests.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Fast-Tests on: @@ -21,6 +21,7 @@ jobs: id: check-out-repository uses: actions/checkout@v6 with: + persist-credentials: false fetch-depth: 0 - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index c8ab77894..dceb9c487 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Publish Documentation on: @@ -18,6 +18,7 @@ jobs: uses: actions/checkout@v6 with: fetch-depth: 0 + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/.github/workflows/matrix-all.yml b/.github/workflows/matrix-all.yml index dfd410fb6..cc8e849b0 100644 --- a/.github/workflows/matrix-all.yml +++ b/.github/workflows/matrix-all.yml 
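Review bot: The `Fail if not running on the default branch` guard still runs after the checkout that now explicitly sets `persist-credentials: true`, so on a non-default-branch run the token is already written into the checkout's git config before the job aborts. The guard reads only `github.ref` and needs no repository contents, so placing it before the checkout keeps the persisted credential off the runner unless the job is going to proceed. A comment on the `persist-credentials: true` line stating why this workflow is the exception, e.g. `# intentionally true: <reason this job needs push access>`, would also stop it from being "corrected" to false later — presumably a later step pushes the update, but that step is outside the hunk. The same applies to the template hunk in exasol/toolbox/templates/github/workflows/dependency-update.yml.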
@@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Build Matrix (All Versions) on: @@ -18,6 +18,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/.github/workflows/matrix-exasol.yml b/.github/workflows/matrix-exasol.yml index c57464a79..bab0ffb02 100644 --- a/.github/workflows/matrix-exasol.yml +++ b/.github/workflows/matrix-exasol.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Build Matrix (Exasol) on: @@ -18,6 +18,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/.github/workflows/matrix-python.yml b/.github/workflows/matrix-python.yml index c991d5a68..c671c36f3 100644 --- a/.github/workflows/matrix-python.yml +++ b/.github/workflows/matrix-python.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Build Matrix (Python) on: @@ -18,6 +18,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/.github/workflows/merge-gate.yml b/.github/workflows/merge-gate.yml index 7b53ab8b2..c7e00c394 100644 --- a/.github/workflows/merge-gate.yml +++ b/.github/workflows/merge-gate.yml 
@@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Merge-Gate on: @@ -24,7 +24,8 @@ jobs: - run-fast-checks - run-fast-tests uses: ./.github/workflows/report.yml - secrets: inherit + secrets: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} permissions: contents: read @@ -66,6 +67,7 @@ jobs: # If you need additional jobs to be part of the merge gate, add them below needs: - run-fast-checks + - run-fast-tests - run-slow-checks - merge-gate-extension # To prevent accidentally merges, this step is required. For more details diff --git a/.github/workflows/periodic-validation.yml b/.github/workflows/periodic-validation.yml index dc1276af8..574b66c0e 100644 --- a/.github/workflows/periodic-validation.yml +++ b/.github/workflows/periodic-validation.yml 
@@ -1,28 +1,51 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Periodic-Validation on: schedule: # At 00:00 on Saturday. (https://crontab.guru) - cron: "0 0 * * 6" + workflow_dispatch: jobs: + restrict-to-default-branch: + name: Restrict to Default Branch + runs-on: "ubuntu-24.04" + permissions: + contents: read + + steps: + - name: Fail if not running on the default branch + id: check-branch + if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch) + env: + CURRENT_BRANCH: ${{ github.ref }} + run: | + echo "Not running on the default branch. Current ref is: $CURRENT_BRANCH" + exit 1 + run-fast-checks: name: Fast Checks uses: ./.github/workflows/checks.yml + needs: + - restrict-to-default-branch permissions: contents: read run-fast-tests: name: Fast Tests uses: ./.github/workflows/fast-tests.yml + needs: + - restrict-to-default-branch permissions: contents: read run-slow-checks: name: Slow Checks uses: ./.github/workflows/slow-checks.yml + needs: + - restrict-to-default-branch secrets: inherit permissions: contents: read @@ -34,6 +57,7 @@ jobs: - run-fast-tests - run-slow-checks uses: ./.github/workflows/report.yml - secrets: inherit + secrets: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} permissions: contents: read diff --git a/.github/workflows/pr-merge.yml b/.github/workflows/pr-merge.yml index 8dd06a584..9507e2523 100644 --- a/.github/workflows/pr-merge.yml +++ b/.github/workflows/pr-merge.yml @@ -1,5 +1,5 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: PR-Merge on: diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml index 7ff2917b3..8e2bc1d91 100644 --- a/.github/workflows/report.yml +++ b/.github/workflows/report.yml 
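Review bot: `run-slow-checks` in this hunk still uses `secrets: inherit` while the report job in the same file is narrowed to `SONAR_TOKEN` only, and the new `workflow_dispatch` trigger makes this workflow startable by hand. It is worth checking whether slow-checks.yml can declare the secrets it needs in the same explicit way; if not, a comment such as `# inherit: slow-checks needs <secret names>` makes the broader grant visibly deliberate. The `restrict-to-default-branch` job gates the three direct consumers through `needs`, and the report job is gated transitively through them. The same structure is in the template hunk in exasol/toolbox/templates/github/workflows/periodic-validation.yml.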
@@ -1,9 +1,12 @@ # Generated and maintained by the exasol-toolbox. -# Last generated with exasol-toolbox version 8.1.0. +# Last generated with exasol-toolbox version 8.1.1. name: Status Report on: workflow_call: + secrets: + SONAR_TOKEN: + required: true jobs: @@ -11,14 +14,13 @@ jobs: runs-on: "ubuntu-24.04" permissions: contents: read - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 with: fetch-depth: 0 + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/.github/workflows/test-python-environment.yml b/.github/workflows/test-python-environment.yml index 2280904d2..f05267e9a 100644 --- a/.github/workflows/test-python-environment.yml +++ b/.github/workflows/test-python-environment.yml @@ -15,16 +15,18 @@ jobs: - uses: actions/checkout@v6 with: fetch-depth: 0 + persist-credentials: false - id: diff + env: + BASE_REF: ${{ github.base_ref || 'main' }} run: | # Always run if the current branch is main - if [ "${{ github.ref_name }}" == "main" ]; then + if [ "${GITHUB_REF_NAME}" == "main" ]; then echo "Branch is main, forcing run." echo "should_run=true" >> $GITHUB_OUTPUT # Otherwise, check if any relevant files were changed in this PR else - BASE_REF=${{ github.base_ref || 'main' }} if git diff --quiet "origin/$BASE_REF...HEAD" -- .github/actions/python-environment; then echo "No changes in .github/actions/python-environment, skipping." echo "should_run=false" >> $GITHUB_OUTPUT @@ -66,6 +68,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment 
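Review bot: Removing the job-level `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` env in the report.yml jobs hunk is the right direction, but any later step in this job that runs `gh` or another tool reading `GITHUB_TOKEN` from the environment would now find it unset; the remaining steps are outside the hunk, so please confirm, and if one needs the token scope it to that step's `env:`. The same removal is made in the template hunk in exasol/toolbox/templates/github/workflows/report.yml.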
@@ -80,8 +84,10 @@ jobs: - name: Validate Python Version id: validate-python-version + env: + PYTHON_VERSION: ${{ matrix.python-version }} run: | poetry run which python poetry run python --version poetry env list - poetry run python --version | grep "${{ matrix.python-version }}" + poetry run python --version | grep "$PYTHON_VERSION" diff --git a/.workflow-patcher.yml b/.workflow-patcher.yml index 20418f095..bdf6d52fe 100644 --- a/.workflow-patcher.yml +++ b/.workflow-patcher.yml @@ -10,4 +10,5 @@ workflows: id: check-out-repository uses: actions/checkout@v6 with: + persist-credentials: false fetch-depth: 0 diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md index fb4737052..3c4319881 100644 --- a/doc/changes/unreleased.md +++ b/doc/changes/unreleased.md @@ -1,3 +1,12 @@ # Unreleased ## Summary + +## Feature + +* #854: Added `workflow_dispatch` for `periodic-validation.yml` + +## Refactoring + +* #852: Modified `merge-gate` to ensure `run-fast-tests` succeeds +* #811: Modified workflow templates to not persist-credentials, not provide attacker-controllable inlines, and not pass more secrets to `report.yml` diff --git a/doc/user_guide/features/github_workflows/index.rst b/doc/user_guide/features/github_workflows/index.rst index 225df16f8..0e699d9a8 100644 --- a/doc/user_guide/features/github_workflows/index.rst +++ b/doc/user_guide/features/github_workflows/index.rst @@ -308,7 +308,7 @@ coverage to Sonar for an overall report. .. literalinclude:: ../../../../exasol/toolbox/templates/github/workflows/periodic-validation.yml :language: yaml :start-at: schedule: - :end-at: - cron: "0 0 * * 6" + :end-at: workflow_dispatch: .. mermaid:: diff --git a/exasol/toolbox/templates/github/workflows/build-and-publish.yml b/exasol/toolbox/templates/github/workflows/build-and-publish.yml index 60ded6a57..6c42834b4 100644 --- a/exasol/toolbox/templates/github/workflows/build-and-publish.yml +++ b/exasol/toolbox/templates/github/workflows/build-and-publish.yml 
@@ -17,6 +17,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/exasol/toolbox/templates/github/workflows/check-release-tag.yml b/exasol/toolbox/templates/github/workflows/check-release-tag.yml index 26bfd7833..ff48d6a69 100644 --- a/exasol/toolbox/templates/github/workflows/check-release-tag.yml +++ b/exasol/toolbox/templates/github/workflows/check-release-tag.yml @@ -15,6 +15,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -26,4 +28,5 @@ jobs: - name: Check Release Tag id: check-release-tag # make sure the pushed/created tag matched the project version - run: "[[ `poetry version --short` == ${{ github.ref_name }} ]]" + run: | + [[ "$(poetry version --short)" == "$GITHUB_REF_NAME" ]] diff --git a/exasol/toolbox/templates/github/workflows/checks.yml b/exasol/toolbox/templates/github/workflows/checks.yml index ea70f6c5c..9d88c6c87 100644 --- a/exasol/toolbox/templates/github/workflows/checks.yml +++ b/exasol/toolbox/templates/github/workflows/checks.yml @@ -14,6 +14,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -40,6 +42,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -65,6 +69,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment 
@@ -101,6 +107,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -127,6 +135,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -157,6 +167,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -178,6 +190,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -199,6 +213,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml index fc35e61ea..f24573f54 100644 --- a/exasol/toolbox/templates/github/workflows/dependency-update.yml +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml 
@@ -20,15 +20,17 @@ jobs: id: check-out-repository uses: actions/checkout@v6 with: + persist-credentials: true fetch-depth: 0 - name: Fail if not running on the default branch id: check-branch if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch) - uses: actions/github-script@v8 - with: - script: | - core.setFailed('Not running on the default branch. github.ref is ${{ github.ref }}') + env: + CURRENT_BRANCH: ${{ github.ref }} + run: | + echo "Not running on the default branch. Current ref is: $CURRENT_BRANCH" + exit 1 - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/exasol/toolbox/templates/github/workflows/fast-tests.yml b/exasol/toolbox/templates/github/workflows/fast-tests.yml index 39cee71da..c6f03c94f 100644 --- a/exasol/toolbox/templates/github/workflows/fast-tests.yml +++ b/exasol/toolbox/templates/github/workflows/fast-tests.yml @@ -19,6 +19,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/exasol/toolbox/templates/github/workflows/gh-pages.yml b/exasol/toolbox/templates/github/workflows/gh-pages.yml index 6f5d5a150..e7ef3210a 100644 --- a/exasol/toolbox/templates/github/workflows/gh-pages.yml +++ b/exasol/toolbox/templates/github/workflows/gh-pages.yml @@ -17,6 +17,7 @@ jobs: uses: actions/checkout@v6 with: fetch-depth: 0 + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/exasol/toolbox/templates/github/workflows/matrix-all.yml b/exasol/toolbox/templates/github/workflows/matrix-all.yml index f5695bde7..c24c2f2db 100644 --- a/exasol/toolbox/templates/github/workflows/matrix-all.yml +++ b/exasol/toolbox/templates/github/workflows/matrix-all.yml 
@@ -17,6 +17,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/exasol/toolbox/templates/github/workflows/matrix-exasol.yml b/exasol/toolbox/templates/github/workflows/matrix-exasol.yml index 0e3b93f98..18b3b851b 100644 --- a/exasol/toolbox/templates/github/workflows/matrix-exasol.yml +++ b/exasol/toolbox/templates/github/workflows/matrix-exasol.yml @@ -17,6 +17,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/exasol/toolbox/templates/github/workflows/matrix-python.yml b/exasol/toolbox/templates/github/workflows/matrix-python.yml index 9d330d137..062426ff1 100644 --- a/exasol/toolbox/templates/github/workflows/matrix-python.yml +++ b/exasol/toolbox/templates/github/workflows/matrix-python.yml @@ -17,6 +17,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/exasol/toolbox/templates/github/workflows/merge-gate.yml b/exasol/toolbox/templates/github/workflows/merge-gate.yml index c738dad1f..7e4b28173 100644 --- a/exasol/toolbox/templates/github/workflows/merge-gate.yml +++ b/exasol/toolbox/templates/github/workflows/merge-gate.yml @@ -23,7 +23,8 @@ jobs: - run-fast-checks - run-fast-tests uses: ./.github/workflows/report.yml - secrets: inherit + secrets: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} permissions: contents: read @@ -67,6 +68,7 @@ jobs: # If you need additional jobs to be part of the merge gate, add them below needs: - run-fast-checks + - run-fast-tests - run-slow-checks (% if workflow_extension.merge_gate %) - merge-gate-extension 
diff --git a/exasol/toolbox/templates/github/workflows/periodic-validation.yml b/exasol/toolbox/templates/github/workflows/periodic-validation.yml index ff0734e86..16a18697c 100644 --- a/exasol/toolbox/templates/github/workflows/periodic-validation.yml +++ b/exasol/toolbox/templates/github/workflows/periodic-validation.yml @@ -5,23 +5,46 @@ on: schedule: # At 00:00 on Saturday. (https://crontab.guru) - cron: "0 0 * * 6" + workflow_dispatch: jobs: + restrict-to-default-branch: + name: Restrict to Default Branch + runs-on: "(( os_version ))" + permissions: + contents: read + + steps: + - name: Fail if not running on the default branch + id: check-branch + if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch) + env: + CURRENT_BRANCH: ${{ github.ref }} + run: | + echo "Not running on the default branch. Current ref is: $CURRENT_BRANCH" + exit 1 + run-fast-checks: name: Fast Checks uses: ./.github/workflows/checks.yml + needs: + - restrict-to-default-branch permissions: contents: read run-fast-tests: name: Fast Tests uses: ./.github/workflows/fast-tests.yml + needs: + - restrict-to-default-branch permissions: contents: read run-slow-checks: name: Slow Checks uses: ./.github/workflows/slow-checks.yml + needs: + - restrict-to-default-branch secrets: inherit permissions: contents: read @@ -33,6 +56,7 @@ jobs: - run-fast-tests - run-slow-checks uses: ./.github/workflows/report.yml - secrets: inherit + secrets: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} permissions: contents: read diff --git a/exasol/toolbox/templates/github/workflows/report.yml b/exasol/toolbox/templates/github/workflows/report.yml index da14a6f0e..3a2081bab 100644 --- a/exasol/toolbox/templates/github/workflows/report.yml +++ b/exasol/toolbox/templates/github/workflows/report.yml @@ -3,6 +3,9 @@ name: Status Report on: workflow_call: + secrets: + SONAR_TOKEN: + required: true jobs: 
@@ -10,14 +13,13 @@ jobs: runs-on: "(( os_version ))" permissions: contents: read - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 with: fetch-depth: 0 + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment diff --git a/exasol/toolbox/templates/github/workflows/slow-checks.yml b/exasol/toolbox/templates/github/workflows/slow-checks.yml index b961e19ae..618e1790a 100644 --- a/exasol/toolbox/templates/github/workflows/slow-checks.yml +++ b/exasol/toolbox/templates/github/workflows/slow-checks.yml @@ -28,6 +28,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment