diff --git a/.github/actions/setup-bot/action.yml b/.github/actions/setup-bot/action.yml new file mode 100644 index 000000000..0be2f43bf --- /dev/null +++ b/.github/actions/setup-bot/action.yml @@ -0,0 +1,33 @@ +name: 'Setup GitHub App Bot' +description: 'Generates a GitHub App Token and configures Git for a bot' +inputs: + app-id: + description: 'GitHub App ID' + required: True + private-key: + description: 'GitHub App Private Key' + required: True +outputs: + token: + description: 'Generated GitHub App Token' + value: ${{ steps.generate-token.outputs.token }} + committer: + description: 'Committer string for Git' + value: "${{ steps.generate-token.outputs.app-slug }}[bot] <${{ steps.generate-token.outputs.app-slug }}[bot]@users.noreply.github.com>" + app-slug: + description: 'GitHub App slug' + value: ${{ steps.generate-token.outputs.app-slug }} +runs: + using: 'composite' + steps: + - name: Generate a GitHub App Token + id: generate-token + uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 + with: + app-id: ${{ inputs.app-id }} + private-key: ${{ inputs.private-key }} + - name: Configure Git + run: | + git config --global user.name "${{ steps.generate-token.outputs.app-slug }}[bot]" + git config --global user.email "${{ steps.generate-token.outputs.app-slug }}[bot]@users.noreply.github.com" + shell: bash diff --git a/.github/workflows/check_properties.yml b/.github/workflows/check_properties.yml index 6825f59f9..c8640ff37 100644 --- a/.github/workflows/check_properties.yml +++ b/.github/workflows/check_properties.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest permissions: issues: write # Allow posting comments on issues/PRs - pull-requests: write + pull-requests: write # Allow writing to pull requests steps: - name: Harden Runner uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 
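Review bot: The `committer` output and the `git config --global user.email` line build the address as `<slug>[bot]@users.noreply.github.com`, dropping the numeric user id that the replaced steps in pre_commit.yml (`gh api "/users/..." --jq .id`) and licenses-update.yml (`1113334+stirlingbot[bot]@...`) prepended; GitHub's current noreply format is `<id>+<login>@users.noreply.github.com`, so commits may stop being linked to the bot account — verify attribution on a test PR, or add the id lookup to the composite and include it in the address. The hunks at `@@ -71,15 +69,15 @@` in licenses-update.yml and `@@ -20,58 +20,49 @@` in pre_commit.yml inherit the same address through `steps.setup-bot.outputs.committer`. Separately, `required: True` on both inputs is a YAML 1.1 capitalised boolean; write `required: true` so non-GitHub YAML tooling reads it the same way.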
@@ -25,10 +25,12 @@ jobs: - name: Checkout main branch first uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + - name: Setup GitHub App Bot + id: setup-bot + uses: ./.github/actions/setup-bot with: - python-version: "3.12" + app-id: ${{ secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} - name: Get PR data id: get-pr-data @@ -219,7 +221,7 @@ jobs: const comment = comments.data.find(c => c.body.includes("## 🚀 Translation Verification Summary")); // Only update or create comments by the action user - const expectedActor = "github-actions[bot]"; + const expectedActor = "${{ steps.setup-bot.outputs.app-slug }}[bot]"; if (comment && comment.user.login === expectedActor) { // Update existing comment diff --git a/.github/workflows/licenses-update.yml b/.github/workflows/licenses-update.yml index a810dbeb0..e040e5436 100644 --- a/.github/workflows/licenses-update.yml +++ b/.github/workflows/licenses-update.yml 
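Review bot: The `Set up Python` step pinned to `"3.12"` is removed from this job and replaced by `Setup GitHub App Bot` rather than moved, so any later step in check_properties.yml that runs the Python checker now uses whatever `python` the runner image ships — if such a step exists (not visible in this hunk), keep an `actions/setup-python` step with `python-version: "3.12"`. Note also that the job's `permissions:` block (`issues: write`, `pull-requests: write`) scopes only `GITHUB_TOKEN`; the app token from `steps.setup-bot` carries whatever the app installation grants, which is likely broader than this job needs. `actions/create-github-app-token` v2 accepts `permission-<name>` inputs (for example `permission-pull-requests: write`) to downscope the token per call; consider passing them through the composite action so each workflow requests only what it uses.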
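Review bot: Changing `expectedActor` to `"${{ steps.setup-bot.outputs.app-slug }}[bot]"` means summary comments previously posted as `github-actions[bot]` no longer match, so the first run on each open PR will add a second summary comment instead of updating the old one; either also accept the old login during a transition or clean up the legacy comments. The expression is also spliced straight into the script source; the app slug is controlled by the app owner so the injection risk is low, but the conventional form is an `env:` entry on the step, `APP_SLUG: ${{ steps.setup-bot.outputs.app-slug }}`, read as `const expectedActor = process.env.APP_SLUG + "[bot]";`. The enclosing github-script block starts and ends outside this hunk.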
@@ -16,52 +16,50 @@ jobs: permissions: contents: write pull-requests: write + repository-projects: write # Required for enabling automerge steps: - name: Harden Runner uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit - - name: Generate GitHub App Token - id: generate-token - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 + - name: Check out code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + + - name: Setup GitHub App Bot + id: setup-bot + uses: ./.github/actions/setup-bot with: app-id: ${{ secrets.GH_APP_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} - - name: Check out code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Set up JDK 17 uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 with: java-version: "17" distribution: "adopt" - - uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0 + - name: Setup Gradle + uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0 - - name: check the licenses for compatibility + - name: Check licenses for compatibility run: ./gradlew clean checkLicense - - name: FAILED - check the licenses for compatibility + - name: Upload artifact on failure if: failure() uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: dependencies-without-allowed-license.json - path: | - build/reports/dependency-license/dependencies-without-allowed-license.json + path: build/reports/dependency-license/dependencies-without-allowed-license.json retention-days: 3 - - name: Move and Rename License File + - name: Move and rename license file run: | mv build/reports/dependency-license/index.json src/main/resources/static/3rdPartyLicenses.json - - name: Set up git config - run: | - git config --global user.name "stirlingbot[bot]" - git config 
--global user.email "1113334+stirlingbot[bot]@users.noreply.github.com" - - - name: Run git add + - name: Commit changes run: | git add src/main/resources/static/3rdPartyLicenses.json git diff --staged --quiet || echo "CHANGES_DETECTED=true" >> $GITHUB_ENV @@ -71,15 +69,15 @@ jobs: if: env.CHANGES_DETECTED == 'true' uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: - token: ${{ steps.generate-token.outputs.token }} + token: ${{ steps.setup-bot.outputs.token }} commit-message: "Update 3rd Party Licenses" - committer: "stirlingbot[bot] <1113334+stirlingbot[bot]@users.noreply.github.com>" - author: "stirlingbot[bot] <1113334+stirlingbot[bot]@users.noreply.github.com>" + committer: ${{ steps.setup-bot.outputs.committer }} + author: ${{ steps.setup-bot.outputs.committer }} signoff: true branch: update-3rd-party-licenses title: "Update 3rd Party Licenses" body: | - Auto-generated by StirlingBot + Auto-generated by ${{ steps.setup-bot.outputs.app-slug }}[bot] labels: licenses,github-actions draft: false delete-branch: true @@ -89,4 +87,4 @@ jobs: if: steps.cpr.outputs.pull-request-operation == 'created' run: gh pr merge --squash --auto "${{ steps.cpr.outputs.pull-request-number }}" env: - GH_TOKEN: ${{ steps.generate-token.outputs.token }} + GH_TOKEN: ${{ steps.setup-bot.outputs.token }} diff --git a/.github/workflows/pre_commit.yml b/.github/workflows/pre_commit.yml index ce10a6c3e..5cca4e76e 100644 --- a/.github/workflows/pre_commit.yml +++ b/.github/workflows/pre_commit.yml 
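Review bot: `repository-projects: write # Required for enabling automerge` grants the permission to `GITHUB_TOKEN` only, but the auto-merge step (`gh pr merge --squash --auto` in the `@@ -89,4 +87,4 @@` hunk) authenticates with the app token via `GH_TOKEN: ${{ steps.setup-bot.outputs.token }}`, so this line widens the default token without affecting the step its comment describes. If the app token needs that permission it has to be granted on the app installation (or requested through create-github-app-token's `permission-*` inputs); otherwise drop the line or correct the comment so the least-privilege intent of the `permissions:` block stays accurate. The job definition continues outside this hunk.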
@@ -20,58 +20,49 @@ jobs: with: egress-policy: audit - - name: Generate GitHub App Token - id: generate-token - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 - with: - app-id: ${{ secrets.GH_APP_ID }} - private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} - - - name: Get GitHub App User ID - id: get-user-id - run: echo "user-id=$(gh api "/users/${{ steps.generate-token.outputs.app-slug }}[bot]" --jq .id)" >> $GITHUB_OUTPUT - env: - GH_TOKEN: ${{ steps.generate-token.outputs.token }} - - - id: committer - run: | - echo "string=${{ steps.generate-token.outputs.app-slug }}[bot] <${{ steps.get-user-id.outputs.user-id }}+${{ steps.generate-token.outputs.app-slug }}[bot]@users.noreply.github.com>" >> "$GITHUB_OUTPUT" - - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + + - name: Setup GitHub App Bot + id: setup-bot + uses: ./.github/actions/setup-bot + with: + app-id: ${{ secrets.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + - name: Set up Python uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: 3.12 cache: 'pip' # caching pip dependencies + - name: Run Pre-Commit Hooks run: | pip install --require-hashes -r ./.github/scripts/requirements_pre_commit.txt + - run: pre-commit run --all-files -c .pre-commit-config.yaml continue-on-error: true - - name: Set up git config - run: | - git config --global user.name ${{ steps.generate-token.outputs.app-slug }}[bot] - git config --global user.email "${{ steps.get-user-id.outputs.user-id }}+${{ steps.generate-token.outputs.app-slug }}[bot]@users.noreply.github.com" + - name: git add run: | git add . 
git diff --staged --quiet || echo "CHANGES_DETECTED=true" >> $GITHUB_ENV + - name: Create Pull Request if: env.CHANGES_DETECTED == 'true' uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: - token: ${{ steps.generate-token.outputs.token }} + token: ${{ steps.setup-bot.outputs.token }} commit-message: ":file_folder: pre-commit" - committer: ${{ steps.committer.outputs.string }} - author: ${{ steps.committer.outputs.string }} + committer: ${{ steps.setup-bot.outputs.committer }} + author: ${{ steps.setup-bot.outputs.committer }} signoff: true branch: pre-commit - title: "🤖 format everything with pre-commit by <${{ steps.generate-token.outputs.app-slug }}>" + title: "🤖 format everything with pre-commit by ${{ steps.setup-bot.outputs.app-slug }}" body: | - Auto-generated by [create-pull-request][1] with **${{ steps.generate-token.outputs.app-slug }}** + Auto-generated by [create-pull-request][1] with **${{ steps.setup-bot.outputs.app-slug }}** [1]: https://github.com/peter-evans/create-pull-request draft: false diff --git a/.github/workflows/sync_files.yml b/.github/workflows/sync_files.yml index fe790c65b..72aff82f1 100644 --- a/.github/workflows/sync_files.yml +++ b/.github/workflows/sync_files.yml 
@@ -16,44 +16,7 @@ permissions: contents: read jobs: - read_bot_entries: - runs-on: ubuntu-latest - outputs: - userName: ${{ steps.get-user-id.outputs.user_name }} - userEmail: ${{ steps.get-user-id.outputs.user_email }} - committer: ${{ steps.committer.outputs.committer }} - steps: - - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 - with: - egress-policy: audit - - - name: Generate GitHub App Token - id: generate-token - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 - with: - app-id: ${{ secrets.GH_APP_ID }} - private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} - - - name: Get GitHub App User ID - id: get-user-id - run: | - USER_NAME="${{ steps.generate-token.outputs.app-slug }}[bot]" - USER_ID=$(gh api "/users/$USER_NAME" --jq .id) - USER_EMAIL="$USER_ID+$USER_NAME@users.noreply.github.com" - echo "user_name=$USER_NAME" >> "$GITHUB_OUTPUT" - echo "user_email=$USER_EMAIL" >> "$GITHUB_OUTPUT" - echo "user-id=$USER_ID" >> "$GITHUB_OUTPUT" - env: - GH_TOKEN: ${{ steps.generate-token.outputs.token }} - - - id: committer - run: | - COMMITTER="${{ steps.get-user-id.outputs.user_name }} <${{ steps.get-user-id.outputs.user_email }}>" - echo "committer=$COMMITTER" >> "$GITHUB_OUTPUT" - sync-files: - needs: ["read_bot_entries"] runs-on: ubuntu-latest steps: - name: Harden Runner 
@@ -61,34 +24,29 @@ jobs: with: egress-policy: audit - - name: Generate GitHub App Token - id: generate-token - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Setup GitHub App Bot + id: setup-bot + uses: ./.github/actions/setup-bot with: app-id: ${{ vars.GH_APP_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Set up Python uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.12" - cache: 'pip' # caching pip dependencies + cache: "pip" # caching pip dependencies - name: Sync translation property files run: | python .github/scripts/check_language_properties.py --reference-file "src/main/resources/messages_en_GB.properties" --branch main - - name: Set up git config - run: | - git config --global user.name ${{ needs.read_bot_entries.outputs.userName }} - git config --global user.email ${{ needs.read_bot_entries.outputs.userEmail }} - - - name: Run git add + - name: Commit translation files run: | git add src/main/resources/messages_*.properties - git diff --staged --quiet || git commit -m ":memo: Sync translation files" || echo "no changes" + git diff --staged --quiet || git commit -m ":memo: Sync translation files" || echo "No changes detected" - name: Install dependencies run: pip install --require-hashes -r ./.github/scripts/requirements_sync_readme.txt 
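Review bot: In `Commit translation files`, the `|| echo "No changes detected"` after `git commit` can only fire when the commit itself fails (the no-change case already exits via `git diff --staged --quiet`), so a real failure — for example the bot identity from `setup-bot` not being applied — is reported as "no changes" and the job goes on to open a PR; `git diff --staged --quiet && echo "No changes detected" || git commit -m ":memo: Sync translation files"` reports the case correctly and lets a commit error fail the step. The same pattern is added for README.md in the `@@ -100,15 +58,16 @@` hunk. Also, this workflow passes `app-id: ${{ vars.GH_APP_ID }}` to the new `setup-bot` step while check_properties.yml, licenses-update.yml and pre_commit.yml pass `secrets.GH_APP_ID`; the app id is not sensitive, so `vars` is the better home, but the value must exist in both places or one set of workflows will call the action with an empty id.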
@@ -100,15 +58,16 @@ jobs: - name: Run git add run: | git add README.md - git diff --staged --quiet || git commit -m ":memo: Sync README.md" || echo "no changes" + git diff --staged --quiet || git commit -m ":memo: Sync README.md" || echo "No changes detected" - name: Create Pull Request + if: always() uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: - token: ${{ steps.generate-token.outputs.token }} + token: ${{ steps.setup-bot.outputs.token }} commit-message: Update files - committer: ${{ needs.read_bot_entries.outputs.committer }} - author: ${{ needs.read_bot_entries.outputs.committer }} + committer: ${{ steps.setup-bot.outputs.committer }} + author: ${{ steps.setup-bot.outputs.committer }} signoff: true branch: sync_readme title: ":globe_with_meridians: Sync Translations + Update README Progress Table"
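Review bot: `if: always()` on `Create Pull Request` makes the step run even when the job was cancelled or an earlier step such as `Setup GitHub App Bot` failed, in which case `steps.setup-bot.outputs.token` is empty and the action runs with no usable credential. If the intent is to open the PR whenever the sync steps completed, `if: ${{ !cancelled() && steps.setup-bot.outcome == 'success' }}` keeps the behaviour on ordinary failures while skipping the cases where the PR cannot be created meaningfully.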