Improve build_cts_json.yaml workflow security #100
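---
# Builds `cts.json` on every push to `main` and on every pull request; for
# pushes to `main` only, a second, privileged job commits the regenerated file
# back to the repository.
name: Build 'cts.json'

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
  pull_request:

# Workflow-level token permissions are empty; each job requests only what it needs.
permissions: {}

jobs:
  # Unprivileged job: builds `cts.json` and publishes it as an artifact.
  build-cts:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Actions are pinned to a major-version tag. Pinning to a full commit SHA
      # (`owner/repo@<full-commit-sha>  # vX.Y.Z`) would additionally protect
      # against a tag being moved to different code.
      - uses: actions/checkout@v4
        with:
          # This job only reads the repository and never pushes, so do not leave
          # the job token in `.git/config` where `./build.sh` or a later step
          # could read it. Assumes `./build.sh` does not need to authenticate to
          # GitHub itself — confirm.
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 'lts/*'
      - name: Run build
        run: ./build.sh
      # To be safe, verify that either there are no changes or only `cts.json` has changed
      - name: Verify no unexpected changes
        run: |
          # Check for changes to any file other than `cts.json`,
          # see https://stackoverflow.com/a/29374503
          # Note that this does not detect new untracked files
          if ! git diff --exit-code --quiet -- . ':!cts.json'; then
            echo "Unexpected changes:"
            git diff -- . ':!cts.json'
            exit 1
          fi
      - name: Upload cts.json artifact
        uses: actions/upload-artifact@v4
        with:
          name: cts-json
          path: cts.json
          # Fail loudly rather than letting the privileged job run without input.
          if-no-files-found: error

  # Privileged job which pushes cts.json changes to the repository
  push-cts-changes:
    # Only run for push events on `main` branch
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    # Consumes the `cts-json` artifact produced by `build-cts` in this same run.
    needs: build-cts
    runs-on: ubuntu-latest
    permissions:
      # Allow the job to push the changed file to the repository
      contents: write
    steps:
      # Credentials are deliberately left persisted here (the checkout default):
      # the commit-and-push step below relies on that token to push.
      - uses: actions/checkout@v4
      # Download artifact from previous job
      - name: Download cts.json artifact
        uses: actions/download-artifact@v4
        with:
          name: cts-json
      # Commit and push changes; has no effect if the file did not change
      # Important: The push event will not trigger any other workflows, see
      # https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
      - name: Commit & push changes
        uses: stefanzweifel/git-auto-commit-action@v5
        with:
          commit_message: 'Update `cts.json`'
          # Restrict the commit to the generated file so nothing else the job
          # touched can be pushed to `main`.
          file_pattern: 'cts.json'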