diff --git a/.github/actions/benchmarks/action.yml b/.github/actions/benchmarks/action.yml
index 803aa85..4dc5dce 100644
--- a/.github/actions/benchmarks/action.yml
+++ b/.github/actions/benchmarks/action.yml
@@ -14,7 +14,7 @@ runs:
 - name: Upload Results
 if: steps.benchmarks.outcome == 'success'
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v7
 with:
 name: Benchmarks-${{ steps.go-version.outputs.version }}
 path: benchmarks.txt
diff --git a/.github/actions/coverage/action.yml b/.github/actions/coverage/action.yml
index 6b25c68..6e548aa 100644
--- a/.github/actions/coverage/action.yml
+++ b/.github/actions/coverage/action.yml
@@ -23,7 +23,7 @@ runs:
 echo "coverage_status=$status" >> $GITHUB_OUTPUT
 - name: Upload coverage results
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v7
 with:
 name: Coverage-result-${{ steps.go-version.outputs.version }}
 path: build/coverage*
@@ -31,11 +31,14 @@ runs:
 - name: Enforce coverage
 shell: bash
 run: |
- if [ "${{ steps.test-coverage.outputs.coverage_status }}" != "0" ]; then
+ if [ "${STEPS_TEST_COVERAGE_OUTPUTS_COVERAGE_STATUS}" != "0" ]; then
 echo "Code isn't fully covered!"
- if [ "${{ inputs.enforce }}" == "true" ]; then
+ if [ "${INPUTS_ENFORCE}" == "true" ]; then
 exit 1
 fi
 else
 echo "Code is fully covered!"
 fi
+ env:
+ STEPS_TEST_COVERAGE_OUTPUTS_COVERAGE_STATUS: ${{ steps.test-coverage.outputs.coverage_status }}
+ INPUTS_ENFORCE: ${{ inputs.enforce }}
diff --git a/.github/actions/unit-tests/action.yml b/.github/actions/unit-tests/action.yml
index b0992ee..e7bc782 100644
--- a/.github/actions/unit-tests/action.yml
+++ b/.github/actions/unit-tests/action.yml
@@ -29,7 +29,7 @@ runs:
 - name: Upload test results
 if: steps.process-test.outcome == 'success'
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v7
 with:
 name: Test-result-${{ steps.go-version.outputs.version }}
 path: junit_report.xml
diff --git a/.github/launchdarkly/self.bump-go-versions.sts.yaml b/.github/launchdarkly/self.bump-go-versions.sts.yaml
new file mode 100644
index 0000000..fa59a4a
--- /dev/null
+++ b/.github/launchdarkly/self.bump-go-versions.sts.yaml
@@ -0,0 +1,11 @@
+issuer: https://token.actions.githubusercontent.com
+subject_pattern: repo:launchdarkly/go-semver:ref:refs/heads/main
+claim_pattern:
+ event_name: workflow_dispatch|schedule
+ ref: refs/heads/main
+ ref_protected: "true"
+ workflow_ref: launchdarkly/go-semver/.github/workflows/check-go-versions.yml@refs/heads/main
+
+permissions:
+ contents: write
+ pull_requests: write
diff --git a/.github/workflows/check-go-versions.yml b/.github/workflows/check-go-versions.yml
index fc2243d..44f5703 100644
--- a/.github/workflows/check-go-versions.yml
+++ b/.github/workflows/check-go-versions.yml
@@ -4,19 +4,20 @@ on:
 - cron: "0 17 * * *"
 workflow_dispatch:
+permissions: {}
+
 jobs:
 check-go-eol:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-slim
 outputs:
 latest: ${{ steps.parse.outputs.latest }}
 penultimate: ${{ steps.parse.outputs.penultimate }}
 timeout-minutes: 2
 steps:
- - uses: actions/checkout@v4
 # Perform a GET request to endoflife.date for the Go language. The response
 # contains all Go releases; we're interested in the 0'th and 1'th (latest and penultimate.)
 - name: Fetch officially supported Go versions
- uses: JamesIves/fetch-api-data-action@396ebea7d13904824f85b892b1616985f847301c # 396ebea7d13904824f85b892b1616985f847301c
+ uses: JamesIves/fetch-api-data-action@8dc51e982d982157bfd575ed64be3c48b3078037 # v2.5.0
 with:
 endpoint: https://endoflife.date/api/go.json
 configuration: '{ "method": "GET" }'
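Review bot: The `claim_pattern` entries in the new policy appear to be regular expressions (the `|` alternation in `event_name: workflow_dispatch|schedule`), yet `workflow_ref: launchdarkly/go-semver/.github/workflows/check-go-versions.yml@refs/heads/main` leaves its `.` characters unescaped and nothing here shows whether the matcher anchors patterns; worth confirming against the octosts matcher and, if it is a regex, writing `check-go-versions\.yml`. The file carries no comment tying it to its consumer; a header such as `# Trust policy for the 'self.bump-go-versions' identity minted by launchdarkly/octosts-action in check-go-versions.yml; grants the PR-creation token its write scopes` would help the next reader judge the `contents: write` / `pull_requests: write` grant. `pull_requests` (underscore) differs from the `pull-requests` spelling used in the workflow `permissions:` blocks elsewhere in this commit; fine if that is the octosts schema, but if it is not, the key is silently ignored and the token gets no PR scope.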
@@ -27,40 +28,53 @@ jobs:
 run: |
 echo "latest=${{ fromJSON(env.fetch-api-data)[0].cycle }}" >> $GITHUB_OUTPUT
 echo "penultimate=${{ fromJSON(env.fetch-api-data)[1].cycle }}" >> $GITHUB_OUTPUT
+
 create-prs:
 permissions:
- contents: write
- pull-requests: write
+ contents: read
+ id-token: write
 needs: check-go-eol
- runs-on: ubuntu-latest
+ runs-on: ubuntu-slim
 env:
- officialLatestVersion: ${{ needs.check-go-eol.outputs.latest }}
- officialPenultimateVersion: ${{ needs.check-go-eol.outputs.penultimate }}
+ OFFICIAL_LATEST_VERSION: ${{ needs.check-go-eol.outputs.latest }}
+ OFFICIAL_PENULTIMATE_VERSION: ${{ needs.check-go-eol.outputs.penultimate }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
+
+ - name: Get current Go versions
 id: go-versions
 run: cat ./.github/variables/go-versions.env > $GITHUB_OUTPUT
 - name: Update go-versions.env and README.md
- if: steps.go-versions.outputs.latest != env.officialLatestVersion
+ if: steps.go-versions.outputs.latest != env.OFFICIAL_LATEST_VERSION
 id: update-go-versions
 run: |
- sed -i -e "s#latest=[^ ]*#latest=${{ env.officialLatestVersion }}#g" \
- -e "s#penultimate=[^ ]*#penultimate=${{ env.officialPenultimateVersion }}#g" \
+ sed -i -e "s#latest=[^ ]*#latest=${OFFICIAL_LATEST_VERSION}#g" \
+ -e "s#penultimate=[^ ]*#penultimate=${OFFICIAL_PENULTIMATE_VERSION}#g" \
 ./.github/variables/go-versions.env
+
+ - name: Create GitHub token
+ uses: launchdarkly/octosts-action@v1
+ if: steps.update-go-versions.outcome == 'success'
+ id: github-token
+ with:
+ scope: ${{ github.repository }}
+ identity: 'self.bump-go-versions'
+
 - name: Create pull request
 if: steps.update-go-versions.outcome == 'success'
- uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6
+ uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
 with:
- token: ${{ secrets.GITHUB_TOKEN }}
+ token: ${{ steps.github-token.outputs.token }}
 add-paths: |
 .github/variables/go-versions.env
- branch: "launchdarklyreleasebot/update-to-go${{ env.officialLatestVersion }}-${{ matrix.branch }}"
+ branch: "launchdarklyreleasebot/update-to-go${{ env.OFFICIAL_LATEST_VERSION }}-${{ matrix.branch }}"
 author: "LaunchDarklyReleaseBot "
 committer: "LaunchDarklyReleaseBot "
 labels: ${{ matrix.branch }}
- title: "fix(deps): bump supported Go versions to ${{ env.officialLatestVersion }} and ${{ env.officialPenultimateVersion }}"
- commit-message: "Bumps from Go ${{ steps.go-versions.outputs.latest }} -> ${{ env.officialLatestVersion }} and ${{ steps.go-versions.outputs.penultimate }} -> ${{ env.officialPenultimateVersion }}."
+ title: "fix(deps): bump supported Go versions to ${{ env.OFFICIAL_LATEST_VERSION }} and ${{ env.OFFICIAL_PENULTIMATE_VERSION }}"
+ commit-message: "Bumps from Go ${{ steps.go-versions.outputs.latest }} -> ${{ env.OFFICIAL_LATEST_VERSION }} and ${{ steps.go-versions.outputs.penultimate }} -> ${{ env.OFFICIAL_PENULTIMATE_VERSION }}."
 body: |
 - [ ] I have triggered CI on this PR (either close & reopen this PR in Github UI, or `git commit -m "run ci" --allow-empty && git push`)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 140c4a5..07f7378 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,6 +9,9 @@ on:
 paths-ignore:
 - '**.md'
+permissions:
+ contents: read
+
 jobs:
 go-versions:
 uses: ./.github/workflows/go-versions.yml
@@ -35,9 +38,11 @@ jobs:
 matrix:
 go-version: ${{ fromJSON(needs.go-versions.outputs.matrix) }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
+ with:
+ persist-credentials: 'false'
 - name: Setup Go ${{ matrix.go-version }}
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ matrix.go-version }}
 - name: Test
diff --git a/.github/workflows/common_ci.yml b/.github/workflows/common_ci.yml
index 61b593c..0592533 100644
--- a/.github/workflows/common_ci.yml
+++ b/.github/workflows/common_ci.yml
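Review bot: `uses: launchdarkly/octosts-action@v1` in the new `Create GitHub token` step is a mutable tag, while the neighbouring third-party actions in this same file (`JamesIves/fetch-api-data-action`, `peter-evans/create-pull-request`) are pinned to full commit SHAs with a version comment; since this is the step that mints the `contents: write` / `pull_requests: write` token handed to `create-pull-request`, it deserves the same treatment, e.g. `uses: launchdarkly/octosts-action@<commit-sha> # v1.x`. The hunk moves `officialLatestVersion` and `officialPenultimateVersion` out of the `run:` scripts into environment variables, but the two context lines at its top still interpolate the third-party API response straight into shell via `echo "latest=${{ fromJSON(env.fetch-api-data)[0].cycle }}" >> $GITHUB_OUTPUT`; the same `env:` indirection applied there would close the one remaining expression-in-script in this workflow. `persist-credentials: false` is written as a bare boolean here but quoted as `'false'` in ci.yml, common_ci.yml and go-versions.yml in this commit; both reach the action as strings, so pick one spelling. `${{ matrix.branch }}` is still used in `branch:` and `labels:` although no `strategy.matrix` is visible in `create-prs`; if none exists it expands to an empty string (pre-existing, inferred from the visible lines). The `parse` step whose `run:` opens this hunk starts outside it.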
@@ -12,9 +12,11 @@ jobs:
 runs-on: ubuntu-latest
 name: 'Unit Tests and Coverage'
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
+ with:
+ persist-credentials: 'false'
 - name: Setup Go ${{ inputs.go-version }}
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version }}
 - uses: ./.github/actions/unit-tests
@@ -28,9 +30,11 @@ jobs:
 name: 'Benchmarks'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
+ with:
+ persist-credentials: 'false'
 - name: Setup Go ${{ inputs.go-version }}
- uses: actions/setup-go@v5
+ uses: actions/setup-go@v6
 with:
 go-version: ${{ inputs.go-version }}
 - uses: ./.github/actions/benchmarks
diff --git a/.github/workflows/go-versions.yml b/.github/workflows/go-versions.yml
index b9d7309..47e39d5 100644
--- a/.github/workflows/go-versions.yml
+++ b/.github/workflows/go-versions.yml
@@ -36,21 +36,27 @@ on:
 jobs:
 go-versions:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-slim
 outputs:
 latest: ${{ steps.set-env.outputs.latest }}
 penultimate: ${{ steps.set-env.outputs.penultimate }}
 all: ${{ steps.set-matrix.outputs.all }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
+ with:
+ persist-credentials: 'false'
 - name: Set Go Versions
 id: set-env
 run: cat ./.github/variables/go-versions.env > $GITHUB_OUTPUT
 - name: Set Go Version Matrices
 id: set-matrix
 run: |
- if [ "${{ steps.set-env.outputs.penultimate }}" == "${{ steps.set-env.outputs.min }}" ]; then
- echo "all=[\"${{ steps.set-env.outputs.latest }}\",\"${{ steps.set-env.outputs.penultimate }}\"]" >> $GITHUB_OUTPUT
+ if [ "${STEPS_SET_ENV_OUTPUTS_PENULTIMATE}" == "${STEPS_SET_ENV_OUTPUTS_MIN}" ]; then
+ echo "all=[\"${STEPS_SET_ENV_OUTPUTS_LATEST}\",\"${STEPS_SET_ENV_OUTPUTS_PENULTIMATE}\"]" >> $GITHUB_OUTPUT
 else
- echo "all=[\"${{ steps.set-env.outputs.latest }}\",\"${{ steps.set-env.outputs.penultimate }}\",\"${{ steps.set-env.outputs.min }}\"]" >> $GITHUB_OUTPUT
+ echo "all=[\"${STEPS_SET_ENV_OUTPUTS_LATEST}\",\"${STEPS_SET_ENV_OUTPUTS_PENULTIMATE}\",\"${STEPS_SET_ENV_OUTPUTS_MIN}\"]" >> $GITHUB_OUTPUT
 fi
+ env:
+ STEPS_SET_ENV_OUTPUTS_PENULTIMATE: ${{ steps.set-env.outputs.penultimate }}
+ STEPS_SET_ENV_OUTPUTS_MIN: ${{ steps.set-env.outputs.min }}
+ STEPS_SET_ENV_OUTPUTS_LATEST: ${{ steps.set-env.outputs.latest }}
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 8f30b3c..7d16ba5 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -6,11 +6,17 @@ on:
 - main
 workflow_dispatch:
+
+permissions:
+ contents: write
+ issues: write
+ pull-requests: write
+
 jobs:
 release-please:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-slim
 permissions:
 contents: write
 pull-requests: write
 steps:
- - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
+ - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 14118d4..77e7e60 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -5,6 +5,12 @@ on:
 # Happen once per day at 1:30 AM
 - cron: '30 1 * * *'
+permissions:
+ actions: write
+ contents: read
+ issues: write
+ pull-requests: write
+
 jobs:
 sdk-close-stale:
 uses: launchdarkly/gh-actions/.github/workflows/sdk-stale.yml@main
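Review bot: The new workflow-level `permissions:` block grants `issues: write` that never reaches `release-please`, because the job-level `permissions:` (`contents: write`, `pull-requests: write`, unchanged context lines) replaces the workflow-level set rather than merging with it. Either add `issues: write` to the job block if the action needs it, or shrink the workflow-level block to the least-privilege default used elsewhere in this commit (`permissions: {}` in check-go-versions.yml, `contents: read` in ci.yml) and keep the job-level grant as the single source of truth. As written, the top-level `contents: write` would also apply to any job added to this file later without its own block. Updating the comment from `# v4` to `# v4.4.0` on an unchanged SHA is fine.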
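Review bot: `actions: write` is the broadest of the four grants added above `sdk-close-stale`, and nothing in the hunk says why a stale-issue sweep needs it; if `sdk-stale.yml` only labels and closes issues and pull requests, `issues: write` and `pull-requests: write` suffice, so either drop it or document it with a comment such as `# actions: write is needed by sdk-stale.yml for <reason>`. These permissions are handed to whatever `launchdarkly/gh-actions/.github/workflows/sdk-stale.yml@main` contains at run time (context line); the commit pins third-party actions to SHAs elsewhere but leaves this reusable workflow on a mutable branch, and a tag or SHA reference would bound what receives the grant. The called workflow's real needs are not visible here, so both points are inferred from the shown lines.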