mirror of
https://github.com/gradle/actions.git
synced 2025-04-16 07:49:18 +08:00
## Summary

This pull request was created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @bigdaz. Please merge the pull request to incorporate the requested changes. Please tag @bigdaz in your message if you have any questions related to the PR.

## Security Fixes

### Pinned Dependencies

GitHub Action tags and Docker tags are mutable: a tag can be re-pointed at different code after it has been reviewed. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to a full-length commit SHA.

- [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
- [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies)

## Feedback

For bug reports, feature requests, and general feedback, please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
# Rebuilds the compiled `dist` directory from `sources` and commits it back to
# the branch that was pushed. Every third-party action below is pinned to a
# full commit SHA; the trailing `# vX.Y.Z` comment records the release that SHA
# corresponds to and has to be updated together with the SHA.
name: CI-update-dist

on:
  workflow_dispatch:
  push:
    branches:
      - 'main'
      - 'prerelease/**'
      - 'release/**'
    # Pushes that touch only `dist` are ignored, so the commit this workflow
    # creates does not start another run of this workflow.
    paths-ignore:
      - 'dist/**'

# Workflow-wide default is read-only; the single job below widens it.
permissions:
  contents: read

jobs:
  update-dist:
    # Restricted to the upstream Gradle repository: a fork whose `main` branch
    # backs a pull request would otherwise get `dist` rewritten on that branch
    # (and therefore in the pull request).
    if: github.repository == 'gradle/actions'
    # Write access to repository contents is requested because the last step
    # pushes a commit.
    permissions:
      contents: write
    runs-on: ubuntu-latest

    steps:
      # Checkout is given a bot token instead of the default workflow token.
      # NOTE(review): actions/checkout keeps the supplied token in the local
      # git configuration by default, so the npm install and build steps that
      # follow run with that credential present in the workspace - confirm
      # this is intended and that the token is scoped as narrowly as possible.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}

      - name: Set up Node.js
        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
        with:
          node-version: 20
          cache: npm
          cache-dependency-path: sources/package-lock.json

      # `npm clean-install` installs from the lockfile named above.
      - name: Install npm dependencies
        run: |
          npm clean-install
        working-directory: sources

      # The Develocity access key is exposed to this step only, through `env`.
      - name: Build distribution
        run: |
          npm run check
          npm run compile
        working-directory: sources
        env:
          NODE_OPTIONS: '-r @gradle/develocity-agent/preload'
          DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com'
          DEVELOCITY_ACCESS_KEY: '${{ secrets.DV_SOLUTIONS_ACCESS_KEY }}'

      - name: Copy the generated sources/dist directory to the top-level dist
        run: |
          cp -r sources/dist .

      # Imports the bot's private key and switches on commit signing in the
      # global git configuration, so the commit made below is GPG-signed.
      - name: Import GPG key to sign commits
        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
        with:
          gpg_private_key: ${{ secrets.GH_BOT_PGP_PRIVATE_KEY }}
          passphrase: ${{ secrets.GH_BOT_PGP_PASSPHRASE }}
          git_user_signingkey: true
          git_commit_gpgsign: true
          git_config_global: true

      # Commits and pushes `dist`; a no-op when the files are unchanged.
      # Important: the push event will not trigger any other workflows, see
      # https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
      # NOTE(review): the linked section describes pushes authenticated with
      # the default GITHUB_TOKEN; this job checks out with BOT_GITHUB_TOKEN, so
      # confirm the statement above still holds for that token.
      - name: Commit & push changes
        uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0
        with:
          commit_author: bot-githubaction <bot-githubaction@gradle.com>
          commit_user_name: bot-githubaction
          commit_user_email: bot-githubaction@gradle.com
          commit_message: '[bot] Update dist directory'
          file_pattern: dist