public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2e2e89a81663dfdab284e945bc508c33a6eadddb
grafana/.github/workflows/pr-patch-check-event.yml
Kevin Yu 8c4f33102e CI: update permissions on workflows which get external secrets (#104792) (#105791) 
update permissions

(cherry picked from commit e36d774d0c)

Co-authored-by: Kevin Minehart <5140827+kminehart@users.noreply.github.com>
2025-05-21 13:56:06 -07:00

64 lines
2.1 KiB
YAML
Raw Blame History

# Owned by grafana-delivery-squad
# Intended to be dropped into the base repo Ex: grafana/grafana
name: Dispatch check for patch conflicts
run-name: dispatch-check-patch-conflicts-${{ github.base_ref }}-${{ github.head_ref }}
on:
pull_request_target:
types:
- opened
- reopened
- synchronize
branches:
- "main"
- "v*.*.*"
- "release-*"
permissions: {}
# Since this is run on a pull request, we want to apply the patches intended for the
# target branch onto the source branch, to verify compatibility before merging.
jobs:
dispatch-job:
permissions:
id-token: write
contents: read
actions: write
env:
HEAD_REF: ${{ github.head_ref }}
BASE_REF: ${{ github.base_ref }}
REPO: ${{ github.repository }}
SENDER: ${{ github.event.sender.login }}
SHA: ${{ github.sha }}
PR_COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
runs-on: ubuntu-latest
steps:
- name: "Generate token"
id: generate_token
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
with:
# App needs Actions: Read/Write for the grafana/security-patch-actions repo
app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
- name: "Dispatch job"
uses: actions/github-script@v7
with:
github-token: ${{ steps.generate_token.outputs.token }}
script: |
const {HEAD_REF, BASE_REF, REPO, SENDER, SHA, PR_COMMIT_SHA} = process.env;
await github.rest.actions.createWorkflowDispatch({
owner: 'grafana',
repo: 'security-patch-actions',
workflow_id: 'test-patches-event.yml',
ref: 'main',
inputs: {
src_repo: REPO,
src_ref: HEAD_REF,
src_merge_sha: SHA,
src_pr_commit_sha: PR_COMMIT_SHA,
patch_repo: REPO + '-security-patches',
patch_ref: BASE_REF,
triggering_github_handle: SENDER
}
})
Reference in New Issue View Git Blame Copy Permalink