зеркало из https://github.com/github/docs.git
86 строки
3.2 KiB
YAML
86 строки
3.2 KiB
YAML
name: Sync Secret Scanning data
|
|
|
|
# **What it does**: This updates the data used by the secret scanning patterns page.
|
|
# **Why we have it**: To automate updates to the secret scanning pattern data in our public-facing documentation.
|
|
# **Who does it impact**: Docs engineering, content writers.
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
schedule:
|
|
- cron: '20 16 * * *' # Run every day at 16:20 UTC / 8:22 PST
|
|
|
|
permissions:
|
|
contents: write
|
|
pull-requests: write
|
|
|
|
# This allows a subsequently queued workflow run to interrupt previous runs
|
|
concurrency:
|
|
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
update-secret-scanning-file:
|
|
if: github.repository == 'github/docs-internal'
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
|
|
|
- uses: ./.github/actions/node-npm-setup
|
|
|
|
- name: Sync secret scanning data
|
|
id: secret-scanning-sync
|
|
env:
|
|
# need to use a token from a user with access to
|
|
# github/token-scanning-service for this step
|
|
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
|
|
run: |
|
|
npm run sync-secret-scanning
|
|
|
|
- name: Create a pull request
|
|
env:
|
|
# Needed for gh
|
|
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
|
|
run: |
|
|
# If nothing to commit, exit now. It's fine.
|
|
changes=$(git diff --name-only | wc -l)
|
|
untracked=$(git status --untracked-files --short | wc -l)
|
|
if [[ $changes -eq 0 ]] && [[ $untracked -eq 0 ]]; then
|
|
echo "There are no changes to commit. Exiting..."
|
|
exit 0
|
|
fi
|
|
|
|
git config --global user.name "docs-bot"
|
|
git config --global user.email "77750099+docs-bot@users.noreply.github.com"
|
|
|
|
branchname=sync-secret-scanning-${{ steps.secret-scanning-sync.outputs.sha }}
|
|
|
|
remotesha=$(git ls-remote --heads origin $branchname)
|
|
if [ -n "$remotesha" ]; then
|
|
# output is not empty, it means the remote branch exists
|
|
echo "Branch $branchname already exists in 'github/docs-internal'. Exiting..."
|
|
exit 0
|
|
fi
|
|
|
|
git checkout -b $branchname
|
|
git add .
|
|
git commit -m "Add updated secret scanning data"
|
|
git push origin $branchname
|
|
|
|
echo "Creating pull request..."
|
|
gh pr create \
|
|
--title "Sync secret scanning data" \
|
|
--body '👋 humans. This PR updates the secret scanning data with the latest changes from github/token-scanning-service.
|
|
|
|
/cc @github/docs-content-security-products
|
|
|
|
If CI does not pass or other problems arise, contact #docs-engineering on Slack.' \
|
|
--repo github/docs-internal \
|
|
--label secret-scanning-pipeline,'skip FR board',ready-for-doc-review
|
|
|
|
- uses: ./.github/actions/slack-alert
|
|
if: ${{ failure() && github.event_name != 'workflow_dispatch' }}
|
|
with:
|
|
slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }}
|
|
slack_token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}
|