Maintenance #4
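---
# Scheduled maintenance: audit workflows, check goreleaser config, update action pins.
#
# Runs on the 1st and 15th of each month.
# Can also be triggered manually via workflow_dispatch.
#
# This workflow MUST be audited with zizmor.
# This workflow MUST use pinned action refs.
# This workflow's pinned action refs SHOULD be updated using 'pinact'.
#
# Security notes:
# - Top-level permissions are empty; each job declares only what it needs.
# - All third-party actions are SHA-pinned. Run `pinact run` to reverify.
# - The pinact job creates PRs, so it needs contents:write + pull-requests:write.
#   HOWEVER, that requires a stored PAT to grant workflow access: the transient
#   GITHUB_TOKEN permissions DO NOT allow this. The code is left in, commented
#   out, pending future experimentation with an OIDC flow to see whether an
#   appropriate short-lived token can be auto-minted.
# - NOTE(review): the hosting page displayed GitHub's "hidden or bidirectional
#   Unicode" warning for this file. Scan the raw bytes for zero-width/bidi
#   code points before trusting a copy of it.
#
# Non-GitHub actions (add to repo Settings > Actions > Allowed actions):
# - go-task/setup-task
# - zizmorcore/zizmor-action
# - goreleaser/goreleaser-action (used by the goreleaser-check job below; it
#   must be on the allow list too, or that job cannot start)

name: Maintenance

on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: '0 9 1,15 * *'  # 1st and 15th of each month, 09:00 UTC
  workflow_dispatch:

# Nothing is granted at the top level; every job opts in to what it needs.
permissions: {}

concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: false  # let running maintenance finish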
jobs:
  zizmor-audit:
    name: Audit workflows
    permissions:
      contents: read  # the repo is cloned below
      security-events: write  # required by the CodeQL action that zizmor-action uses to upload results
    # zizmor-action runs in Docker, so it needs ubuntu-latest rather than ubuntu-slim.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Audit workflows with zizmor
        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
        # Passing `with: advanced-security: false` would skip the results upload
        # and let security-events: write be dropped from this job.

  goreleaser-check:
    name: Validate GoReleaser config
    permissions:
      contents: read
    runs-on: ubuntu-slim
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          args: check  # config validation only; nothing is built or released
| # pinact-update: | |
| # name: Update action pins | |
| # runs-on: ubuntu-slim | |
| # | |
| # permissions: | |
| # contents: write # push a branch | |
| # pull-requests: write # create a PR | |
| # | |
| # steps: | |
| # - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| # with: | |
| # # zizmor: persist-credentials is required because we need to push a branch to create a PR | |
| # persist-credentials: true | |
| # | |
| # - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 | |
| # with: | |
| # go-version-file: go.mod | |
| # cache: false | |
| # | |
| # - name: Install pinact | |
| # # nb: --min-age is in v3, which means we need the v3 module in the install path | |
| # # Introduced with v3.6.0. | |
| # # I opted to run `go get github.com/suzuki-shunsuke/pinact/v3/cmd/pinact@v3.9.0` inside the repo, | |
| # # to get the checksums into go.sum, to provide additional protection. | |
| # # This might cause issues with `go mod tidy` style checks. If so, reject the tidy. | |
| # # Having the tooling checksum available to protect us matters more. | |
| # run: go install github.com/suzuki-shunsuke/pinact/v3/cmd/pinact@v3.9.0 | |
| # env: | |
| # GOBIN: /usr/local/bin | |
| # | |
| # - name: Update action pins | |
| # run: pinact run --update --min-age 6 | |
| # | |
| # - name: Check for changes and create PR | |
| # run: | | |
| # git config user.name "github-actions[bot]" | |
| # # Corresponds to: https://api.github.com/users/github-actions%5Bbot%5D | |
| # git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| # | |
| # if git diff --quiet; then | |
| # echo "No pin updates needed." | |
| # exit 0 | |
| # fi | |
| # | |
| # branch="maintenance/pinact-update-$(date +%Y%m%d)" | |
| # git checkout -b "$branch" | |
| # git add -A .github/ | |
| # git commit -m "chore: update GitHub Actions SHA pins | |
| # | |
| # Automated update by pinact via scheduled maintenance workflow. | |
| # Minimum age cooldown: 4 days." | |
| # | |
| # git push -u origin "$branch" | |
| # | |
| # gh pr create \ | |
| # --title "chore: update GitHub Actions SHA pins" \ | |
| # --body "$(cat <<'EOF' | |
| # ## Summary | |
| # | |
| # Automated SHA pin update for GitHub Actions, generated by the | |
| # scheduled maintenance workflow. | |
| # | |
| # - Tool: [pinact](https://github.com/suzuki-shunsuke/pinact) | |
| # - Cooldown: 4-day minimum age before pinning new versions | |
| # - Schedule: 1st and 15th of each month | |
| # | |
| # Please review the diff to verify the updated SHAs are correct. | |
| # EOF | |
| # )" | |
| # env: | |
| # GH_TOKEN: ${{ github.token }} | |
| # EOF |