chore(deps): update 1password/load-secrets-action digest to dafbe7c (… #1557
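# QA workflow: lints, tests, type-checks and builds the container image on
# pushes and pull requests, then labels the PR, notifies Slack and manages
# auto-merge. Closed PRs are handled by the `merged` / `abandoned` jobs.
#
# Review notes that apply to the whole file:
# - Third-party actions are pinned to full commit SHAs, but every
#   settlemint/shared-actions reference uses the mutable `@main` ref. A push to
#   that branch changes what runs here, with this workflow's token scopes and
#   loaded secrets. Pin those references to a full commit SHA as well.
# - PR title and body are author-controlled text. Passing them through `with:`
#   is only safe if the receiving action treats them as data (for example via
#   an environment variable) and never interpolates them into a script.
#   NOTE(review): confirm this in shared-actions.
name: QA

on:
  push:
    branches:
      - main
    tags:
      - "v*"
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
      - converted_to_draft
      - closed
  pull_request_review:
    types: [submitted, dismissed]

# One run per PR (or ref) / event / action; only pull_request runs are
# cancelled when superseded.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ github.event_name }}-${{ github.event.action || 'default' }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  qa:
    name: QA
    runs-on: namespace-profile-network-bootstrapper
    timeout-minutes: 10
    # Runs for pushes, non-closed PR events and PR review events.
    if: |
      github.event_name == 'push' ||
      (github.event_name == 'pull_request' && github.event.action != 'closed') ||
      github.event_name == 'pull_request_review'
    # These scopes are granted to every step in the job, including the `run:`
    # steps that execute repository code and the `@main` actions.
    # NOTE(review): splitting build/publish from labelling/notification would
    # let each job carry only the scopes it needs.
    permissions:
      contents: write
      pull-requests: write
      issues: write
      security-events: write
      actions: read
      packages: write
    steps:
      - name: Checkout repository
        uses: namespacelabs/nscloud-checkout-action@8d38dddb292f119b5c9afb0d930ab614dec5d46f # v8
        with:
          # Two commits on push, full history for PR and review events.
          fetch-depth: ${{ github.event_name == 'push' && 2 || 0 }}

      - name: Setup 1Password
        uses: 1password/load-secrets-action/configure@dafbe7cb03502b260e2b2893c753c352eee545bf # v3
        with:
          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

      # `export-env: true` puts every secret below into the environment of all
      # later steps, including `bun check` / `bun test`, which execute code
      # from the branch under test. With `export-env: false` the values are
      # exposed as `steps.secrets.outputs.<NAME>` and can be handed only to
      # the steps that need them.
      # NOTE(review): HARBOR_USER / HARBOR_PASS are not referenced by any step
      # in this file; drop them unless a shared action reads them from the
      # environment.
      - name: Load all secrets
        id: secrets
        uses: 1password/load-secrets-action@dafbe7cb03502b260e2b2893c753c352eee545bf # v3
        with:
          export-env: true
        env:
          SLACK_BOT_TOKEN: op://platform/slack-bot/SLACK_BOT_TOKEN
          SLACK_CHANNEL_ID: op://platform/slack-bot/SLACK_CHANNEL_ID
          PAT_TOKEN: op://platform/github-commit-pat/credential
          HARBOR_USER: op://platform/harbor/username
          HARBOR_PASS: op://platform/harbor/password

      # Label QA as running (non-draft PRs only)
      - name: Label QA as running
        if: |
          github.event_name == 'pull_request' &&
          github.event.pull_request.draft == false
        uses: settlemint/shared-actions/.github/actions/build-status-labeler@main
        with:
          pr_number: ${{ github.event.pull_request.number }}
          workflow_status: "running"

      # Initial Slack notification - creates or updates message
      - name: Send Slack notification for QA starting
        if: |
          github.event_name == 'pull_request' &&
          github.event.pull_request.draft == false
        uses: settlemint/shared-actions/.github/actions/slack-pr-notifier@main
        with:
          pr_number: ${{ github.event.pull_request.number }}
          pr_title: ${{ github.event.pull_request.title }}
          pr_url: ${{ github.event.pull_request.html_url }}
          pr_author: ${{ github.event.pull_request.user.login }}
          pr_author_type: ${{ github.event.pull_request.user.type }}
          pr_author_avatar: ${{ github.event.pull_request.user.avatar_url }}
          slack_bot_token: ${{ env.SLACK_BOT_TOKEN }}
          slack_channel_id: ${{ env.SLACK_CHANNEL_ID }}

      # Setup dependencies for QA. This step has no `if:`, so it runs for every
      # event that reaches the job, draft PRs and review events included.
      - name: Setup dependencies
        uses: settlemint/shared-actions/.github/actions/setup-dependencies@main
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): no step in this file loads or sets NPM_TOKEN, so this
          # presumably expands to an empty string; load it in the secrets step
          # or remove the input.
          npm_token: ${{ env.NPM_TOKEN }}
          disable_node: "true"

      # NOTE(review): this login is skipped for draft PRs, but "Build and push"
      # below still runs with `push: true` on draft PRs; confirm the push is
      # meant to happen there and how it authenticates.
      - name: Login to GitHub Container Registry
        if: |
          github.event_name == 'push' ||
          (github.event_name == 'pull_request' && github.event.pull_request.draft == false)
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # The `run:` steps below are skipped on pull_request_review events, so
      # `steps.qa-tests.outcome` is `skipped` for those runs.
      - name: Run linting
        if: github.event_name == 'pull_request' || github.event_name == 'push'
        run: bun check

      - name: Run tests
        id: qa-tests
        if: github.event_name == 'pull_request' || github.event_name == 'push'
        run: bun test --coverage

      - name: Run type checking
        if: github.event_name == 'pull_request' || github.event_name == 'push'
        run: bun typecheck

      - name: Set version
        id: version
        if: github.event_name == 'pull_request' || github.event_name == 'push'
        run: bun run tools/version.ts

      - name: Run docs
        if: github.event_name == 'pull_request' || github.event_name == 'push'
        run: bun run docs:cli

      # Commit generated version metadata and README updates to main when the
      # version step reports the `latest` tag on a push.
      # NOTE(review): confirm that the GITHUB_TOKEN env below is what actually
      # authenticates the push; git pushes normally use the credentials
      # persisted by the checkout step.
      - name: Auto-commit release assets
        if: github.event_name == 'push' && steps.version.outputs.tag == 'latest'
        uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7
        with:
          commit_message: "chore(release): sync generated assets [skip ci]"
          branch: main
          file_pattern: "package.json README.md"
          commit_user_name: "SettleMint Release Bot"
          commit_user_email: "support@settlemint.com"
        env:
          GITHUB_TOKEN: ${{ env.PAT_TOKEN }}

      - name: Docker meta
        if: github.event_name == 'pull_request' || github.event_name == 'push'
        id: meta
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
        with:
          images: |
            ghcr.io/settlemint/network-bootstrapper
          tags: |
            type=schedule
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=sha
            type=raw,value=${{ steps.version.outputs.version }}

      # Images are pushed for pull_request events as well as pushes; provenance
      # and SBOM attestations are attached to every build.
      - name: Build and push
        if: github.event_name == 'pull_request' || github.event_name == 'push'
        uses: docker/build-push-action@601a80b39c9405e50806ae38af30926f9d957c47 # v6
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64
          provenance: mode=max
          sbom: true

      # Label QA results (PR only)
      - name: Label QA build status
        if: |
          always() &&
          github.event_name == 'pull_request' &&
          steps.qa-tests.conclusion != 'skipped'
        uses: settlemint/shared-actions/.github/actions/build-status-labeler@main
        with:
          pr_number: ${{ github.event.pull_request.number }}
          workflow_status: ${{ steps.qa-tests.outcome == 'success' && 'success' || 'failure' }}

      # Skip redundant notification - handled by consolidated step at the end
      # Label PR based on title/branch (PR only)
      - name: Label PR based on convention
        id: label-pr
        if: |
          github.event_name == 'pull_request' &&
          (github.event.action == 'opened' || github.event.action == 'synchronize')
        uses: settlemint/shared-actions/.github/actions/pr-labeler@main
        with:
          pr_number: ${{ github.event.pull_request.number }}
          pr_title: ${{ github.event.pull_request.title }}
          pr_body: ${{ github.event.pull_request.body || '' }}

      # Skip redundant notification - handled by consolidated step at the end
      # Run secret scanning (PR only).
      # `continue-on-error: true` means a finding does not fail the job; the
      # result only reaches the label step and pr-review-check below.
      # NOTE(review): confirm pr-review-check treats a failed scan as blocking.
      - name: Run secret scanning
        id: secret-scan
        if: github.event_name == 'pull_request'
        uses: settlemint/shared-actions/.github/actions/secret-scanner@main
        continue-on-error: true

      # Label secret scanning results (PR only)
      - name: Label secret scanning status
        if: |
          always() &&
          github.event_name == 'pull_request' &&
          steps.secret-scan.conclusion != 'skipped'
        uses: settlemint/shared-actions/.github/actions/build-status-labeler@main
        with:
          pr_number: ${{ github.event.pull_request.number }}
          workflow_status: ${{ steps.secret-scan.outcome == 'success' && 'success' || 'failure' }}

      # Check PR review status (PR and PR review events only).
      # On pull_request_review events both results passed here are `skipped`.
      # NOTE(review): confirm the action does not read `skipped` as a pass.
      - name: Check PR review status
        id: pr-review-check
        if: |
          always() &&
          (github.event_name == 'pull_request' || github.event_name == 'pull_request_review')
        uses: settlemint/shared-actions/.github/actions/pr-review-check@main
        with:
          pr_number: ${{ github.event.pull_request.number }}
          pr_author: ${{ github.event.pull_request.user.login }}
          event_name: ${{ github.event_name }}
          qa_result: ${{ steps.qa-tests.outcome }}
          secret_scanning_result: ${{ steps.secret-scan.outcome }}

      # Apply final PR status label (PR and PR review events only)
      - name: Label PR final status
        id: label-final-status
        if: |
          always() &&
          (github.event_name == 'pull_request' || github.event_name == 'pull_request_review')
        uses: settlemint/shared-actions/.github/actions/pr-status-labeler@main
        with:
          pr_number: ${{ github.event.pull_request.number }}
          is_draft: ${{ github.event.pull_request.draft }}
          has_approval: ${{ steps.pr-review-check.outputs.has_approval == 'true' }}
          qa_status: ${{ steps.pr-review-check.outputs.qa_status }}

      # Consolidated Slack notification - updates existing message or creates one if needed
      - name: Update Slack notification with final status
        if: |
          always() &&
          steps.label-final-status.conclusion == 'success' &&
          (github.event_name == 'pull_request' || github.event_name == 'pull_request_review') &&
          github.event.pull_request.draft == false
        uses: settlemint/shared-actions/.github/actions/slack-pr-notifier@main
        with:
          pr_number: ${{ github.event.pull_request.number }}
          pr_title: ${{ github.event.pull_request.title }}
          pr_url: ${{ github.event.pull_request.html_url }}
          pr_author: ${{ github.event.pull_request.user.login }}
          pr_author_type: ${{ github.event.pull_request.user.type }}
          pr_author_avatar: ${{ github.event.pull_request.user.avatar_url }}
          slack_bot_token: ${{ env.SLACK_BOT_TOKEN }}
          slack_channel_id: ${{ env.SLACK_CHANNEL_ID }}

      # Manage auto-merge (PR and PR review events only).
      # `always()` lets this run even when earlier steps failed, so the merge
      # decision rests on the has_approval / qa_status inputs alone.
      # NOTE(review): confirm auto-merge refuses anything but a passing
      # qa_status, and pin this action to a commit SHA.
      - name: Manage auto-merge
        if: |
          always() &&
          (github.event_name == 'pull_request' || github.event_name == 'pull_request_review')
        uses: settlemint/shared-actions/.github/actions/auto-merge@main
        with:
          pr_number: ${{ github.event.pull_request.number }}
          pr_author: ${{ github.event.pull_request.user.login }}
          pr_author_type: ${{ github.event.pull_request.user.type }}
          has_approval: ${{ steps.pr-review-check.outputs.has_approval == 'true' }}
          qa_status: ${{ steps.pr-review-check.outputs.qa_status }}
          is_draft: ${{ github.event.pull_request.draft }}
          merge_method: "squash"

  # Handle merged PR notifications
  merged:
    name: Handle Merged PR
    if: |
      github.event_name == 'pull_request' &&
      github.event.action == 'closed' &&
      github.event.pull_request.merged == true
    # NOTE(review): this runner profile is named after a different project
    # than the one the qa job uses; confirm it is intended.
    runs-on: namespace-profile-btp-signer
    permissions:
      contents: read
      pull-requests: write
      issues: write
    # Declared empty at job level; the load-secrets step exports the real
    # values for later steps.
    env:
      SLACK_BOT_TOKEN: ""
      SLACK_CHANNEL_ID: ""
    steps:
      - name: Checkout repository
        uses: namespacelabs/nscloud-checkout-action@8d38dddb292f119b5c9afb0d930ab614dec5d46f # v8
        with:
          # This job only runs on pull_request events, so the former
          # `github.event_name == 'push' && 2 || 0` always evaluated to 0.
          # NOTE(review): a labelling job probably does not need full history.
          fetch-depth: 0

      - name: Setup 1Password
        uses: 1password/load-secrets-action/configure@dafbe7cb03502b260e2b2893c753c352eee545bf # v3
        with:
          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

      - name: Load Slack secrets
        uses: 1password/load-secrets-action@dafbe7cb03502b260e2b2893c753c352eee545bf # v3
        with:
          export-env: true
        env:
          SLACK_BOT_TOKEN: op://platform/slack-bot/SLACK_BOT_TOKEN
          SLACK_CHANNEL_ID: op://platform/slack-bot/SLACK_CHANNEL_ID

      - name: Label PR as merged
        uses: settlemint/shared-actions/.github/actions/pr-status-labeler@main
        with:
          pr_number: ${{ github.event.pull_request.number }}
          is_draft: false
          is_merged: true

      - name: Update Slack notification for merged PR
        uses: settlemint/shared-actions/.github/actions/slack-pr-notifier@main
        with:
          pr_number: ${{ github.event.pull_request.number }}
          pr_title: ${{ github.event.pull_request.title }}
          pr_url: ${{ github.event.pull_request.html_url }}
          pr_author: ${{ github.event.pull_request.user.login }}
          pr_author_type: ${{ github.event.pull_request.user.type }}
          pr_author_avatar: ${{ github.event.pull_request.user.avatar_url }}
          slack_bot_token: ${{ env.SLACK_BOT_TOKEN }}
          slack_channel_id: ${{ env.SLACK_CHANNEL_ID }}
          wait_time: "15000"

  # Handle abandoned (closed but not merged) PR notifications
  abandoned:
    name: Handle Abandoned PR
    if: |
      github.event_name == 'pull_request' &&
      github.event.action == 'closed' &&
      github.event.pull_request.merged == false
    # NOTE(review): this job runs on a GitHub-hosted runner but checks out with
    # the Namespace checkout action; confirm that combination is supported.
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      issues: write
    # Declared empty at job level; the load-secrets step exports the real
    # values for later steps.
    env:
      SLACK_BOT_TOKEN: ""
      SLACK_CHANNEL_ID: ""
    steps:
      - name: Checkout repository
        uses: namespacelabs/nscloud-checkout-action@8d38dddb292f119b5c9afb0d930ab614dec5d46f # v8
        with:
          # This job only runs on pull_request events, so the former
          # `github.event_name == 'push' && 2 || 0` always evaluated to 0.
          fetch-depth: 0

      - name: Setup 1Password
        uses: 1password/load-secrets-action/configure@dafbe7cb03502b260e2b2893c753c352eee545bf # v3
        with:
          service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

      - name: Load Slack secrets
        uses: 1password/load-secrets-action@dafbe7cb03502b260e2b2893c753c352eee545bf # v3
        with:
          export-env: true
        env:
          SLACK_BOT_TOKEN: op://platform/slack-bot/SLACK_BOT_TOKEN
          SLACK_CHANNEL_ID: op://platform/slack-bot/SLACK_CHANNEL_ID

      - name: Label PR as abandoned
        uses: settlemint/shared-actions/.github/actions/pr-status-labeler@main
        with:
          pr_number: ${{ github.event.pull_request.number }}
          is_draft: false
          is_abandoned: true

      - name: Update Slack notification for abandoned PR
        uses: settlemint/shared-actions/.github/actions/slack-pr-notifier@main
        with:
          pr_number: ${{ github.event.pull_request.number }}
          pr_title: ${{ github.event.pull_request.title }}
          pr_url: ${{ github.event.pull_request.html_url }}
          pr_author: ${{ github.event.pull_request.user.login }}
          pr_author_type: ${{ github.event.pull_request.user.type }}
          pr_author_avatar: ${{ github.event.pull_request.user.avatar_url }}
          slack_bot_token: ${{ env.SLACK_BOT_TOKEN }}
          slack_channel_id: ${{ env.SLACK_CHANNEL_ID }}
          is_abandoned: true
          wait_time: "15000"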