
Improve GitHub Actions Security #1722

Merged
merged 12 commits into from
Dec 13, 2024
4 changes: 4 additions & 0 deletions .github/CODEOWNERS
@@ -0,0 +1,4 @@
# These owners will be the default owners for everything in
# the repo. They will be requested for review when someone
# opens a pull request.
* @SkalskiP @LinasKo @onuralpszr
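Review bot: the `*` rule makes all three handles default owners of every path, but CODEOWNERS on its own only requests reviews; nothing is blocked unless the protected-branch rule "Require review from Code Owners" is enabled on `develop` (and any release branch), so that setting should land together with this file. Also confirm each listed handle has write access to the repository, since owners without write permission are silently ignored.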
6 changes: 4 additions & 2 deletions .github/dependabot.yml
Expand Up @@ -4,13 +4,15 @@ updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
interval: "weekly"
commit-message:
prefix: ⬆️
target-branch: "develop"
# Python
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "daily"
interval: "weekly"
commit-message:
prefix: ⬆️
target-branch: "develop"
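Review bot: moving both ecosystems from `daily` to `weekly` only slows version updates; Dependabot security updates are driven by alerts rather than by this schedule, so the change does not delay vulnerability fixes as long as security updates are enabled in the repository settings. One caveat worth checking: because `target-branch: "develop"` is set, Dependabot raises security-update PRs against the default branch without applying this configuration block, so settings here (such as the `⬆️` commit prefix) do not carry over to those PRs.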
37 changes: 23 additions & 14 deletions .github/workflows/clear-cache.yml
@@ -1,33 +1,42 @@

name: Clear cache

on:
schedule:
- cron: '0 0 1 * *'
workflow_dispatch:
schedule:
- cron: "0 0 1 * *" # Run at midnight on the first day of every month
workflow_dispatch:

# Restrict permissions by default
permissions:
actions: write
actions: write # Required for cache management

jobs:
clear-cache:
name: Clear cache
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Clear cache
uses: actions/github-script@v7
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
console.log("About to clear")
console.log("Starting cache cleanup...")
const caches = await github.rest.actions.getActionsCacheList({
owner: context.repo.owner,
repo: context.repo.repo,
})

let deletedCount = 0
for (const cache of caches.data.actions_caches) {
console.log(cache)
github.rest.actions.deleteActionsCacheById({
owner: context.repo.owner,
repo: context.repo.repo,
cache_id: cache.id,
})
console.log(`Deleting cache: ${cache.key} (${cache.size_in_bytes} bytes)`)
try {
await github.rest.actions.deleteActionsCacheById({
owner: context.repo.owner,
repo: context.repo.repo,
cache_id: cache.id,
})
deletedCount++
} catch (error) {
console.error(`Failed to delete cache ${cache.key}: ${error.message}`)
}
}
console.log("Clear completed")
console.log(`Cache cleanup completed. Deleted ${deletedCount} caches.`)
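Review bot: `getActionsCacheList` is a paginated endpoint that returns 30 entries per call by default, so the loop deletes only the first page and then reports "Cache cleanup completed" while older caches remain; replace the call with `const caches = await github.paginate(github.rest.actions.getActionsCacheList, { owner: context.repo.owner, repo: context.repo.repo })` and iterate `caches` directly, since `paginate` flattens the `actions_caches` array across pages. The rest of the hunk is a clear improvement: the delete call is now awaited inside a try/catch, so failures surface instead of being lost in an unawaited promise, and `actions/github-script` is pinned to a full commit SHA with the version kept in a trailing comment, which is the pattern Dependabot can keep updated.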
22 changes: 22 additions & 0 deletions .github/workflows/combine-dependabot-prs.yml
@@ -0,0 +1,22 @@
name: Combine Dependabot PRs

on:
schedule:
- cron: "0 1 * * 3" # Wednesday at 01:00
workflow_dispatch: # allows you to manually trigger the workflow

permissions:
contents: write
pull-requests: write
checks: read

jobs:
combine-prs:
name: Combine
runs-on: ubuntu-latest
steps:
- name: combine-prs
id: combine-prs
uses: github/combine-prs@2909f404763c3177a456e052bdb7f2e85d3a7cb3 # v5.2.0
with:
labels: combined-pr
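Review bot: pushes and pull requests made with the default `GITHUB_TOKEN` do not trigger other workflows, so the combined PR this job opens will arrive with no CI results unless the action is given a PAT or GitHub App token via its `github_token` input; that matters here because the combined branch contains every Dependabot bump merged together and is exactly the change that needs the test suite to run before anyone merges it. Since the job runs on a schedule with `contents: write` and `pull-requests: write`, an `if: github.repository == ...` guard on the job would also keep it from running in forks that enable Actions.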
64 changes: 0 additions & 64 deletions .github/workflows/notebook-bot.yml

This file was deleted.

21 changes: 10 additions & 11 deletions .github/workflows/poetry-test.yml
Expand Up @@ -2,16 +2,18 @@ name: 🔧 Poetry Check and Installation Test Workflow
on:
push:
paths:
- 'poetry.lock'
- 'pyproject.toml'
- "poetry.lock"
- "pyproject.toml"
pull_request:
paths:
- 'poetry.lock'
- 'pyproject.toml'
- "poetry.lock"
- "pyproject.toml"
workflow_dispatch:

jobs:
poetry-tests:
name: Poetry install and check
timeout-minutes: 10
strategy:
fail-fast: false
matrix:
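Review bot: this hunk is otherwise a quote-style change plus a welcome `timeout-minutes: 10`, but the visible header (from `on:` through `jobs:`) carries no `permissions:` block, so the job still runs with the repository's default token permissions; for a checkout-and-test job a workflow-level `permissions: contents: read` is enough and closes that gap in a PR whose purpose is hardening Actions.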
Expand All @@ -20,15 +22,15 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: 📥 Checkout the repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: 🐍 Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: ${{ matrix.python-version }}

- name: 📦 Install the base dependencies
run: python -m pip install --upgrade poetry
- name: 📜 Setup Poetry
uses: abatilo/actions-poetry@e78f54a89cb052fff327414dd9ff010b5d2b4dbd # v3.0.1

- name: 🔍 Check the correctness of the project config
run: poetry check
Expand All @@ -38,6 +40,3 @@ jobs:

- name: 🧪 Run the Import test
run: poetry run python -c "import supervision; from supervision import assets; from supervision import metrics; print(supervision.__version__)"

- name: 🧪 Run the pytests
run: poetry run python -m pytest ./test
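Review bot: replacing `pip install --upgrade poetry` with the SHA-pinned `abatilo/actions-poetry` pins the action code but not the Poetry release it installs, which still resolves to the latest version at run time; if reproducible CI is the goal, set the action's `poetry-version` input as well so a new Poetry release cannot silently change lock-file resolution. The `actions/checkout` and `actions/setup-python` pins with `# v4.2.2` / `# v5.3.0` trailing comments are the right pattern, and Dependabot will update both the SHA and the comment.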
53 changes: 0 additions & 53 deletions .github/workflows/publish-dev-docs.yml

This file was deleted.

60 changes: 60 additions & 0 deletions .github/workflows/publish-docs.yml
@@ -0,0 +1,60 @@
name: Build and Publish Docs

on:
push:
branches:
- develop
workflow_dispatch:
release:
types: [published]

# Ensure only one concurrent deployment
concurrency:
group: ${{ github.workflow }}-${{ github.event_name == 'push' && github.ref}}
cancel-in-progress: true

# Restrict permissions by default
permissions:
contents: write # Required for committing to gh-pages
pages: write # Required for deploying to Pages
pull-requests: write # Required for PR comments

jobs:
deploy:
name: Publish Docs
runs-on: ubuntu-latest
timeout-minutes: 10
strategy:
matrix:
python-version: ["3.10"]
steps:
- name: 📥 Checkout the repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: 🐍 Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: ${{ matrix.python-version }}

- name: 📜 Setup Poetry
uses: abatilo/actions-poetry@e78f54a89cb052fff327414dd9ff010b5d2b4dbd # v3.0.1

- name: 📦 Install dependencies
run: |
poetry install --with=docs

- name: ⚙️ Configure git for github-actions
run: |
git config --global user.name "github-actions[bot]"
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"

- name: 🚀 Deploy Development Docs
if: (github.event_name == 'push' && github.ref == 'refs/heads/develop') || github.event_name == 'workflow_dispatch')
run: |
MKDOCS_GIT_COMMITTERS_APIKEY=${{ secrets.GITHUB_TOKEN }} poetry run mike deploy --push develop

- name: 🚀 Deploy Release Docs
if: github.event_name == 'release' && github.event.action == 'published'
run: |
latest_tag=$(git describe --tags `git rev-list --tags --max-count=1`)
MKDOCS_GIT_COMMITTERS_APIKEY=${{ secrets.GITHUB_TOKEN }} poetry run mike deploy --push --update-aliases $latest_tag latest
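Review bot: the `if:` on the "Deploy Development Docs" step has an unbalanced closing parenthesis (`... || github.event_name == 'workflow_dispatch')`), which is an invalid expression and will fail the workflow at parse time; it should read `if: (github.event_name == 'push' && github.ref == 'refs/heads/develop') || github.event_name == 'workflow_dispatch'`. Three further points in this hunk: the release step derives `latest_tag` from `git rev-list --tags`, but `actions/checkout` defaults to `fetch-depth: 1` without tags, so that lookup returns nothing and `git describe` fails; on a `release` event `github.event.release.tag_name` already holds the tag and avoids the shell lookup entirely. The `permissions` block grants `pull-requests: write` "for PR comments" although no step here touches a pull request, so it can be dropped. And the concurrency group evaluates to `<workflow>-false` for both `workflow_dispatch` and `release`, so with `cancel-in-progress: true` a manual deploy and a release deploy would cancel each other; using `github.ref` in the group directly avoids that.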
55 changes: 0 additions & 55 deletions .github/workflows/publish-release-docs.yml

This file was deleted.
