releaser-pleaser/.github/workflows/releaser-pleaser.yaml
Julian Tölle 2567f0ae8b
ci: run on pr updates from main branch (#30)
With `pull_request`, we run in the context of the pull request branch.

- This means we run with the code from the PR branch, possibly breaking
  the current release PR for this repo with in-progress, unreviewed changes.
- This means that the secret is not available on Pull Requests from
  forks.

Switching to `pull_request_target` means we always run in the scope of
the original repository. The secret is available and the code is checked
out from our main branch.

`pull_request_target` has security considerations, but they do not apply
here as we do not check out or run code from the (external, malicious) PR.
2024-08-25 17:16:43 +02:00

45 lines, 1.3 KiB, YAML

name: releaser-pleaser
on:
  push:
    branches: [main]
  # Using pull_request_target to avoid tainting the actual release PR with code from open feature pull requests
  pull_request_target:
    types:
      - edited
      - labeled
      - unlabeled
permissions: {}
jobs:
  releaser-pleaser:
    # TODO: if: push or pull_request.closed
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: main
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # Build container image from current commit and replace image ref in `action.yml`
      # Without this, any new flags in `action.yml` would break the job in this repository until the new
      # version is released. But a new version can only be released if this job works.
      - uses: ko-build/setup-ko@v0.7
      - run: ko build --bare --local --tags ci github.com/apricote/releaser-pleaser/cmd/rp
      - run: mkdir -p .github/actions/releaser-pleaser
      - run: "sed -i 's|image: .*$|image: ghcr.io/apricote/releaser-pleaser:ci|g' action.yml"
      # Dogfood the action to make sure it works for users.
      - name: releaser-pleaser
        uses: ./
        with:
          token: ${{ secrets.RELEASER_PLEASER_TOKEN }}
          extra-files: |
            action.yml
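The commit message argues that the `pull_request_target` risks do not apply because the job checks out `ref: main` and never runs code from the pull request. The two properties that argument rests on can be checked mechanically. The following is an added example and not part of releaser-pleaser: a small audit that takes a workflow file and, when it is triggered by `pull_request_target`, reports (a) an `actions/checkout` step whose `ref:`/`repository:` resolves to the PR head (`github.event.pull_request.head.*`, `github.head_ref`, `refs/pull/N/head|merge`) and (b) attacker-controlled PR fields (title, body, head ref, comment body) interpolated into a `run:` script, which is script injection in a privileged run. It is a deliberately line-oriented scanner that assumes two-space-indented YAML like the file above (so it needs no PyYAML); `SAFE_WORKFLOW` is modelled on this page's workflow and `RISKY_WORKFLOW` is a constructed counter-example.

```python
"""Audit GitHub Actions workflows that are triggered by pull_request_target.

Added example, not releaser-pleaser code. Line-oriented on purpose: assumes
conventional two-space-indented YAML and does not depend on a YAML parser.
"""
import re

# Keys that mark the start of a new step when they follow "- " in the steps list.
STEP_KEYS = ("name:", "uses:", "run:", "id:", "if:", "with:", "env:", "shell:")

# Checkout targets that resolve to the fork's commit under pull_request_target.
PR_HEAD_REFS = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref|repo\.\w+)"
    r"|github\.head_ref"
    r"|refs/pull/\d+/(head|merge)"
)

# PR metadata an external contributor controls; expanding it inside `run:` is script injection.
UNTRUSTED_FIELDS = re.compile(
    r"\$\{\{[^}]*github\.event\.("
    r"pull_request\.(title|body|head\.(ref|label)|head\.repo\.\w+)"
    r"|comment\.body|issue\.(title|body)|review\.body)[^}]*\}\}"
)


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _key_line(line):
    """Strip a leading list marker so '- uses: x' and 'uses: x' compare alike."""
    s = line.strip()
    return s[2:].lstrip() if s.startswith("- ") else s


def audit_workflow(text):
    """Return a list of findings (empty when the workflow passes both checks)."""
    lines = text.splitlines()
    findings = []
    # Only privileged PR-triggered runs need these checks.
    if not any(re.match(r"\s*pull_request_target\s*:", ln) for ln in lines):
        return findings

    in_checkout = False   # inside an actions/checkout step
    run_indent = None     # indent of the current `run:` key while inside its block scalar

    for no, raw in enumerate(lines, 1):
        if not raw.strip():
            continue
        s, key, ind = raw.strip(), _key_line(raw), _indent(raw)

        # Leaving a `run: |` block once indentation drops back to the key's level.
        if run_indent is not None and ind <= run_indent:
            run_indent = None
        # A new step resets per-step state.
        if s.startswith("- ") and key.startswith(STEP_KEYS):
            in_checkout = False

        if key.startswith("uses:") and "actions/checkout" in key:
            in_checkout = True
        elif in_checkout and key.startswith(("ref:", "repository:")) and PR_HEAD_REFS.search(key):
            findings.append(f"line {no}: checkout of the PR head under pull_request_target: {key}")

        if key.startswith("run:"):
            run_indent = ind
            if UNTRUSTED_FIELDS.search(key):
                findings.append(f"line {no}: untrusted PR field interpolated into run script: {key}")
        elif run_indent is not None and UNTRUSTED_FIELDS.search(raw):
            findings.append(f"line {no}: untrusted PR field interpolated into run script: {s}")
    return findings


# Modelled on the releaser-pleaser workflow above: base branch checked out, no PR data in scripts.
SAFE_WORKFLOW = """\
name: releaser-pleaser
on:
  push:
    branches: [main]
  pull_request_target:
    types:
      - edited
      - labeled
      - unlabeled
permissions: {}
jobs:
  releaser-pleaser:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: main
      - run: ko build --bare --local --tags ci github.com/apricote/releaser-pleaser/cmd/rp
"""

# Constructed counter-example: checks out the fork's commit and echoes the PR title in a script.
RISKY_WORKFLOW = """\
name: pr-check
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Greet
        run: |
          echo "Checking ${{ github.event.pull_request.title }}"
          make test
"""

if __name__ == "__main__":
    for finding in audit_workflow(RISKY_WORKFLOW):
        print(finding)
```

Run against the page's own workflow the audit is clean, which is exactly the claim the commit message makes; the checks are silent for plain `pull_request` triggers because those runs carry neither the repository's secrets nor a writable token for fork PRs.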