diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 39c91fb..ccf566b 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -5,12 +5,24 @@ on:
 push:
 branches-ignore:
 - dependabot/**
+ pull_request:
+ types: [labeled]
 permissions:
 contents: read
 jobs:
 build_and_push:
+ # this basically means do not execute it as dependabot unless it is labeled as ready-for-ci
+ # because automated processes and pr from forks are dangerous, therefore those prs won't have access to secrets, labeling them acts like allow-listing them
+ # more details here https://docs.github.com/en/rest/dependabot/secrets?apiVersion=2022-11-28
+ # even when re-running an action manually the actor stays the same as of mid 2022, details here https://github.blog/changelog/2022-07-19-differentiating-triggering-actor-from-executing-actor/
+ #https://github.com/actions/runner/issues/1173#issuecomment-1354501147 when false equals true, you have to come up with something ...
+ if: |
+ (github.actor == 'dependabot[bot]' &&
+ contains(github.event.issue.labels.*.name, 'ready-for-ci') == 'true') ||
+ github.actor != 'dependabot[bot]'
 runs-on: ubuntu-latest
 permissions:
 packages: write
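Review bot: The dependabot branch of the new `if:` reads `github.event.issue.labels`, but a `pull_request` payload carries labels under `github.event.pull_request.labels` (`issue` is populated for issue and issue_comment events), so as far as I can tell `contains(...)` never sees `ready-for-ci` on the new trigger and that branch is effectively dead; `contains()` also returns a boolean, so `== 'true'` compares against a string rather than `true`. The second branch does not look at which label was applied, and `types: [labeled]` fires for every label, so any label added by any non-dependabot user to any PR, including one from a fork, starts `build_and_push` (the job continues below the hunk with `packages: write`); the dependabot branch is only reached when dependabot itself adds a label. Consider gating on the label actually applied, e.g. `github.event_name != 'pull_request' || github.event.label.name == 'ready-for-ci'`, which also removes the `issue` lookup. The `#https://...` comment would read better as `# see https://github.com/actions/runner/issues/1173#issuecomment-1354501147 - ...` with the usual `# ` spacing.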
@@ -48,23 +60,31 @@ jobs:
 tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
 labels: ${{ steps.docker_meta_img.outputs.labels }}
- branch_name:
+ branch_meta:
 runs-on: ubuntu-latest
 outputs:
- branch: ${{ steps.extract_branch.outputs.branch }}
+ branch: ${{ steps.extract_branch_meta.outputs.branch }}
+ sha: ${{ steps.extract_branch_meta.outputs.sha }}
 steps:
- - name: Extract branch name
+ - name: Extract branch meta
 shell: bash
- run: echo "branch=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
- id: extract_branch
+ id: extract_branch_meta
+ run: |
+ if [ "${{ github.event_name }}" == 'pull_request' ]; then
+ echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_OUTPUT
+ echo "sha=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT
+ else
+ echo "branch=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
+ echo "sha=${{ github.sha }}" >> $GITHUB_OUTPUT
+ fi
 deploy:
 needs:
 - build_and_push
- - branch_name
+ - branch_meta
 uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/deploy.yml@main
 with:
- branch: ${{ needs.branch_name.outputs.branch }}
+ branch: ${{ needs.branch_meta.outputs.branch }}
 secrets:
 token: ${{ secrets.GITHUB_TOKEN }}
 DEV_VAULT_BRB: ${{ secrets.DEV_VAULT_BRB }}
@@ -86,7 +106,6 @@ jobs:
 trivy-vulnerability-scanning:
 needs:
 - build_and_push
- - branch_name
 runs-on: ubuntu-latest
 permissions:
 actions: read
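Review bot: `${{ github.event.pull_request.head.ref }}` in the new `run: |` of `extract_branch_meta` is expanded by the runner into the script text before bash executes it, and with the `pull_request` trigger that value is the PR head branch name, which the PR author (including a fork author) chooses; a branch name containing shell metacharacters therefore becomes part of the command rather than data, which is the expression-in-`run` injection GitHub's workflow hardening guide warns about. Pass the expressions through `env:` and reference them as quoted shell variables, and quote `$GITHUB_OUTPUT` while here; the rewritten step is below. The `sha` output is added but nothing in this hunk consumes it (`deploy` still receives only `branch`), so if no job outside this diff reads `needs.branch_meta.outputs.sha` it is dead. The `deploy` job continues past the hunk.

```yaml
      - name: Extract branch meta
        shell: bash
        id: extract_branch_meta
        env:
          EVENT_NAME: ${{ github.event_name }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          if [ "$EVENT_NAME" == 'pull_request' ]; then
            echo "branch=$HEAD_REF" >> "$GITHUB_OUTPUT"
            echo "sha=$HEAD_SHA" >> "$GITHUB_OUTPUT"
          else
            echo "branch=${GITHUB_REF#refs/heads/}" >> "$GITHUB_OUTPUT"
            echo "sha=$GITHUB_SHA" >> "$GITHUB_OUTPUT"
          fi
# … unchanged: build_and_push tail, branch_meta job/outputs header, deploy job …
```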