diff --git a/.github/workflows/close-stale-prs.yml b/.github/workflows/close-stale-prs.yml
index c9a810a7b..9b89ee133 100644
--- a/.github/workflows/close-stale-prs.yml
+++ b/.github/workflows/close-stale-prs.yml
@@ -10,12 +10,14 @@ on: schedule: - cron: "0 18 * * *" # Run the workflow every day at 6PM UTC (10AM PST). +permissions: {} + jobs: stale: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + timeout-minutes: 5 permissions: pull-requests: write - steps: - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0 with:
diff --git a/.github/workflows/issues.yml b/.github/workflows/devops-boards.yaml
similarity index 76%
rename from .github/workflows/issues.yml
rename to .github/workflows/devops-boards.yaml
index 434c628a8..9e321a350 100644
--- a/.github/workflows/issues.yml
+++ b/.github/workflows/devops-boards.yaml
@@ -11,14 +11,15 @@ concurrency: group: issue-${{ github.event.issue.number }} cancel-in-progress: false -# Extra permissions needed to login with Entra ID service principal via federated identity -permissions: - id-token: write - issues: write +permissions: {} jobs: ado: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + timeout-minutes: 5 + permissions: + id-token: write + issues: write environment: name: issues steps:
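Review bot: The `ado` job's new `permissions:` block grants `id-token: write` without the explanation that the removed workflow-level block carried, so the reason for a token-minting scope is no longer documented where it is granted. Keep the rationale next to the grant, e.g. `permissions:` / `# id-token: write is needed to log in to the Entra ID service principal via federated identity` / `id-token: write`. The `ado` job's steps continue outside the hunk.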
@@ -36,19 +37,19 @@ jobs: run: | # The resource ID for Azure DevOps is always 499b84ac-1321-427f-aa17-267ca6975798 # https://learn.microsoft.com/azure/devops/integrate/get-started/authentication/service-principal-managed-identity - ADO_TOKEN=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv) - echo "::add-mask::$ADO_TOKEN" - echo "ADO_TOKEN=$ADO_TOKEN" >> $GITHUB_ENV + ADO_TOKEN=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query accessToken --output tsv) + echo "::add-mask::${ADO_TOKEN}" + echo "ADO_TOKEN=${ADO_TOKEN}" >> "${GITHUB_ENV}" - name: Sync issue to Azure DevOps uses: danhellem/github-actions-issue-to-work-item@8d0ead9b49a65aa66dac6949b1ff149d7ef8b4de # v2.5 env: ado_token: ${{ env.ADO_TOKEN }} - github_token: ${{ secrets.GH_RAD_CI_BOT_PAT }} + github_token: ${{ github.token }} ado_organization: azure-octo ado_project: Incubations - ado_area_path: "Incubations\\Radius" - ado_iteration_path: "Incubations\\Radius" + ado_area_path: Incubations\\Radius + ado_iteration_path: Incubations\\Radius ado_new_state: New ado_active_state: Active ado_close_state: Closed
diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml
index fbed607ca..70fa9d037 100644
--- a/.github/workflows/pr-checks.yaml
+++ b/.github/workflows/pr-checks.yaml
@@ -6,10 +6,16 @@ on: pull_request: types: [opened, reopened, synchronize, labeled, unlabeled] +permissions: {} + jobs: check-do-not-merge-tag: name: Check for do-not-merge tag - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + timeout-minutes: 5 + permissions: + issues: read + pull-requests: read steps: - name: Check for do-not-merge label uses: mheap/github-action-required-labels@8afbe8ae6ab7647d0c9f0cfa7c2f939650d22509 # v5.5.1
diff --git a/.github/workflows/redirect.yml b/.github/workflows/redirect.yml
index d0691e89f..c2c66bcb6 100644
--- a/.github/workflows/redirect.yml
+++ b/.github/workflows/redirect.yml
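Review bot: Dropping the double quotes from `ado_area_path` and `ado_iteration_path` changes the value the action receives: in the quoted form YAML decoded `\\` to a single backslash (`Incubations\Radius`), whereas a plain scalar has no escape processing and keeps both characters, so the step now passes `Incubations\\Radius`. Unless the action normalizes the path itself, the area and iteration paths will no longer match the ADO project. Use a single-quoted scalar with one backslash, `ado_area_path: 'Incubations\Radius'` and `ado_iteration_path: 'Incubations\Radius'`, or restore the double-quoted form. The `ado` job's steps begin outside the hunk.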
@@ -19,15 +19,21 @@ on: - "redirect/**" - ".github/workflows/redirect.yml" +permissions: {} + jobs: deploy-website: name: Deploy Redirect Website - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + timeout-minutes: 5 + permissions: + contents: read steps: - name: Checkout repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: submodules: false + persist-credentials: false - name: Deploy staging site uses: Azure/static-web-apps-deploy@4d27395796ac319302594769cfe812bd207490b1 # v1
@@ -42,7 +48,10 @@ jobs: close_pr_site: name: Close PR Staging Site if: github.event_name == 'pull_request' && github.event.action == 'closed' - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + timeout-minutes: 5 + permissions: + contents: read steps: - name: Close Pull Request id: closepullrequest
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 35ede98d4..6ce028b61 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -11,6 +11,8 @@ on: default: "" type: string +permissions: {} + env: GITHUB_TOKEN: ${{ secrets.GH_RAD_CI_BOT_PAT }} GITHUB_EMAIL: radiuscoreteam@service.microsoft.com
@@ -18,13 +20,17 @@ env: jobs: release-docs: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + timeout-minutes: 5 + permissions: + contents: read steps: - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: token: ${{ secrets.GH_RAD_CI_BOT_PAT }} ref: edge path: docs + persist-credentials: false - name: Configure git run: |
@@ -40,7 +46,7 @@ jobs: run: | # CHANNEL is the major and minor version of the VERSION_NUMBER (e.g. 0.1) CHANNEL="$(echo ${{ inputs.version }} | cut -d '.' -f 1,2)" - echo "channel=$CHANNEL" >> $GITHUB_OUTPUT + echo "channel=$CHANNEL" >> "${GITHUB_OUTPUT}" - name: Release docs run: |
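Review bot: In the `release-docs` hunk, `persist-credentials: false` is added to a checkout that also passes `token: ${{ secrets.GH_RAD_CI_BOT_PAT }}`, so the PAT now authenticates only the clone and is no longer kept in the checkout's git config; if the `Configure git` or `Release docs` steps below (outside this hunk) push with a plain `git push`, they will fail to authenticate, since git does not read the workflow-level `GITHUB_TOKEN` env variable on its own. Confirm that a later step supplies its own credential (an authenticated remote URL, a credential helper, or `gh`); if none does, either keep the persisted credential here or add one where the push happens. Once confirmed, a one-line comment beside the new option, `# PAT is used for the clone only; the release step authenticates its own push`, would record the intent.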
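Review bot: In the last `release.yaml` hunk, the line directly above the changed `echo` still expands `${{ inputs.version }}` verbatim inside the shell script, so the dispatch input is parsed by bash before `cut` sees it; this is the same class of unquoted expansion the commit fixes elsewhere. Pass it through the step environment instead: add `env:` / `VERSION: ${{ inputs.version }}` to the step and write `CHANNEL="$(echo "${VERSION}" | cut -d '.' -f 1,2)"`. The step's `run:` block starts outside the hunk.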
diff --git a/.github/workflows/spellcheck.yaml b/.github/workflows/spellcheck.yaml
index a5dc61a59..435ab6139 100644
--- a/.github/workflows/spellcheck.yaml
+++ b/.github/workflows/spellcheck.yaml
@@ -14,6 +14,8 @@ on: - v*.* - edge +permissions: {} + env: ACTION_LINK: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
@@ -23,10 +25,16 @@ concurrency: jobs: spellcheck: name: Spellcheck - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + timeout-minutes: 5 + permissions: + contents: read + pull-requests: write steps: - name: Checkout docs - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - name: Spellcheck uses: rojopolis/spellcheck-github-actions@6f2326b663e2dbab920da0fc4144b9f3202434ba # 0.54.0
@@ -36,15 +44,19 @@ jobs: - name: Post GitHub workkflow output on failure if: failure() run: | - echo "## :x: Spellcheck Failed" >> $GITHUB_STEP_SUMMARY - echo "There are spelling errors in your PR. Visit [the workflow output](${{ env.ACTION_LINK }}) to see what words are failing." >> $GITHUB_STEP_SUMMARY - echo "### Adding new words" >> $GITHUB_STEP_SUMMARY - echo "If you are adding a new custom word refer to the [docs guide](https://docs.radapp.io/contributing/docs/#spelling)" >> $GITHUB_STEP_SUMMARY + { + echo "## :x: Spellcheck Failed" + echo "There are spelling errors in your PR. Visit [the workflow output](${{ env.ACTION_LINK }}) to see what words are failing." + echo "### Adding new words" + echo "If you are adding a new custom word refer to the [docs guide](https://docs.radapp.io/contributing/docs/#spelling)" + } >> "${GITHUB_STEP_SUMMARY}" - name: Post GitHub workflow output on success run: | - echo "## :white_check_mark: Spellcheck Passed" >> $GITHUB_STEP_SUMMARY - echo "There are no spelling errors in your PR." >> $GITHUB_STEP_SUMMARY + { + echo "## :white_check_mark: Spellcheck Passed" + echo "There are no spelling errors in your PR." + } >> "${GITHUB_STEP_SUMMARY}" - name: Post GitHub comment on failure if: failure()
diff --git a/.github/workflows/upmerge.yaml b/.github/workflows/upmerge.yaml
index 21779d36a..34df6d90f 100644
--- a/.github/workflows/upmerge.yaml
+++ b/.github/workflows/upmerge.yaml
@@ -29,13 +29,19 @@ name: Upmerge docs to edge on: workflow_dispatch: +permissions: {} + jobs: upmerge: name: Upmerge docs to edge - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + timeout-minutes: 5 + permissions: + contents: write + pull-requests: write steps: # Checkout the edge branch - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: ref: edge # https://github.com/actions/checkout/issues/125#issuecomment-570254411
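Review bot: The step name on the context line at the top of the spellcheck hunk still reads `Post GitHub workkflow output on failure`; since the commit rewrites this step's body anyway, rename it to `Post GitHub workflow output on failure` so it matches the success step below it. The steps list continues outside the hunk.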
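Review bot: The `upmerge` checkout is the only checkout in this change that does not receive `persist-credentials: false`; its `with:` block continues past the end of the hunk, so the option may be set further down, but if it is not, the default token stays in the workspace git config next to the PAT that a later step writes into the remote URL, leaving it unclear which identity authenticates the push. Add `persist-credentials: false` under `ref: edge` so only the PAT path remains, or add a comment stating that the persisted default token is relied on and that the job-level `contents: write` exists for it.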
@@ -48,35 +54,35 @@ jobs: run: | git config --global user.email "radiuscoreteam@service.microsoft.com" git config --global user.name "Radius CI Bot" - git remote set-url origin https://$GH_TOKEN@github.com/${{ github.repository }} + git remote set-url origin "https://${GH_TOKEN}@github.com/${{ github.repository }}" # Create a new branch from edge. This branch will be used to PR back into edge. - name: Create new branch run: | - export DATE=$(date +%Y-%m-%d) - export RAND=$(openssl rand -hex 2) - export BRANCH_NAME=upmerge/$DATE-$RAND - echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV - git checkout -b $BRANCH_NAME + DATE=$(date +%Y-%m-%d) + RAND=$(openssl rand -hex 2) + BRANCH_NAME="upmerge/${DATE}-${RAND}" + echo "BRANCH_NAME=${BRANCH_NAME}" >> "${GITHUB_ENV}" + git checkout -b "${BRANCH_NAME}" # Merge changes from the github.ref branch, i.e., the branch from which the workflow is triggered. That # branch is assumed to be the current release branch, but could be any branch. # If there are no changes, stop the workflow. - name: Upmerge docs run: | - export SOURCE_BRANCH=$(basename ${{ github.ref }}) + SOURCE_BRANCH=$(basename ${{ github.ref }}) echo "Upmerging docs from $SOURCE_BRANCH to edge" - git fetch origin $SOURCE_BRANCH - git merge --no-commit origin/$SOURCE_BRANCH + git fetch origin "${SOURCE_BRANCH}" + git merge --no-commit "origin/${SOURCE_BRANCH}" git checkout edge -- docs/config.toml docs/layouts/partials/hooks/body-end.html git commit --signoff --message "Upmerge to edge" if git diff --quiet edge; then - echo "No changes to merge from $SOURCE_BRANCH to edge" - echo "NO_CHANGES=true" >> $GITHUB_ENV + echo "No changes to merge from ${SOURCE_BRANCH} to edge" + echo "NO_CHANGES=true" >> "${GITHUB_ENV}" else - echo "Pushing $BRANCH_NAME for PR to edge" - git push --set-upstream origin $BRANCH_NAME + echo "Pushing ${BRANCH_NAME} for PR to edge" + git push --set-upstream origin "${BRANCH_NAME}" fi # Create a PR from the new branch to edge 
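Review bot: `SOURCE_BRANCH=$(basename ${{ github.ref }})` still expands a workflow expression unquoted inside the script, so the ref name is word-split and glob-expanded by bash before `basename` runs, even though every other expansion in this step was quoted by the commit. The runner already exports the same value as `GITHUB_REF`, so `SOURCE_BRANCH=$(basename "${GITHUB_REF}")` keeps the expression out of the script text entirely. For consistency with the lines below it, `echo "Upmerging docs from $SOURCE_BRANCH to edge"` could use `"${SOURCE_BRANCH}"` as well. Separately, the quoted `git remote set-url origin "https://${GH_TOKEN}@github.com/..."` line still stores the PAT in the workspace's `.git/config` for the rest of the job; that behaviour is unchanged, but a one-line comment naming it would help the next reader. The `Configure git` step's `run:` block starts outside the hunk.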
@@ -84,4 +90,5 @@ jobs: if: env.NO_CHANGES != 'true' env: GH_TOKEN: ${{ secrets.GH_RAD_CI_BOT_PAT }} - run: gh pr create --title "Upmerge to edge" --body "Upmerge to edge (kicked off by @${{ github.triggering_actor }})" --base edge --head $BRANCH_NAME + run: | + gh pr create --title "Upmerge to edge" --body "Upmerge to edge (kicked off by @${{ github.triggering_actor }})" --base edge --head "${BRANCH_NAME}"
diff --git a/.github/workflows/validate-bicep.yaml b/.github/workflows/validate-bicep.yaml
index fbdf4c8a0..71b2dac44 100644
--- a/.github/workflows/validate-bicep.yaml
+++ b/.github/workflows/validate-bicep.yaml
@@ -28,13 +28,20 @@ on: - edge - v* +permissions: {} + jobs: build: name: Validate Bicep Code - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + timeout-minutes: 5 + permissions: + contents: read steps: - name: Check out repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - name: Setup and verify bicep CLI run: |
diff --git a/.github/workflows/website.yaml b/.github/workflows/website.yaml
index a03e9bddc..2a12675d9 100644
--- a/.github/workflows/website.yaml
+++ b/.github/workflows/website.yaml
@@ -14,15 +14,16 @@ on: - edge - v*.* -permissions: - id-token: write # Required for requesting the JWT - contents: read # Required for actions/checkout +permissions: {} jobs: build: name: Build Hugo Website if: github.event.action != 'closed' - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + timeout-minutes: 5 + permissions: + contents: read # Required for actions/checkout environment: # If a PR into edge, use 'edge'. If a PR into anywhere else, use 'latest'. If a push, use the branch name. name: ${{ github.event_name == 'pull_request' && (github.base_ref == 'edge' && 'edge' || 'latest') || github.ref_name }}
@@ -34,19 +35,21 @@ jobs: HUGO_ENV: production steps: - name: Checkout docs repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: submodules: true + persist-credentials: false - name: Parse release version and set environment variables run: python ./.github/scripts/get_docs_version.py - name: Checkout radius repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: repository: radius-project/radius ref: ${{ env.RELEASE_BRANCH }} path: ./radius + persist-credentials: false - name: Setup Node uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
@@ -80,7 +83,7 @@ jobs: - name: Build Hugo Site run: | cd docs - if [ $GITHUB_EVENT_NAME == 'pull_request' ]; then + if [ "${GITHUB_EVENT_NAME}" == 'pull_request' ]; then STAGING_URL="https://${{ vars.ENV_STATICWEBAPP_BASE }}-${{github.event.number }}.westus2.3.azurestaticapps.net/" fi hugo ${STAGING_URL+-b "$STAGING_URL"}
@@ -96,16 +99,21 @@ jobs: name: Deploy Hugo Website to App Service if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' needs: [build] - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + timeout-minutes: 5 + permissions: + id-token: write # Required for requesting the JWT + contents: read # Required for actions/checkout environment: # If push to edge, use 'edge'. If push to anywhere else, use 'latest'. name: ${{ github.ref_name == 'edge' && 'edge' || 'latest' }} url: ${{ github.ref_name == 'edge' && 'https://edge.docs.radapp.io' || 'https://docs.radapp.io' }} steps: - name: Checkout docs repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: submodules: false + persist-credentials: false - name: Download Hugo artifacts uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
@@ -130,7 +138,10 @@ jobs: deploy-website: name: Deploy Hugo Website needs: [build] - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + timeout-minutes: 5 + permissions: + contents: read # Required for actions/checkout environment: # If a PR or push into edge, use 'edge'. If a PR or push into anywhere else, use 'latest'. name: ${{ github.event_name == 'pull_request' && (github.base_ref == 'edge' && 'edge' || 'latest') || (github.ref_name == 'edge' && 'edge' || 'latest') }}
@@ -158,7 +169,10 @@ jobs: close_pr_site: name: Close PR Staging Site if: github.event_name == 'pull_request' && github.event.action == 'closed' - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + timeout-minutes: 5 + permissions: + contents: read # Required for actions/checkout environment: # If a PR into edge, use 'edge'. If a PR into anywhere else, use 'latest'. name: ${{ github.base_ref == 'edge' && 'edge' || 'latest' }}
@@ -177,19 +191,19 @@ jobs: name: Index site for Algolia if: github.event_name == 'push' needs: ["build", "deploy"] - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 + timeout-minutes: 5 + permissions: + contents: read # Required for actions/checkout environment: # If push to edge, use 'edge'. If push to anywhere else, use 'latest'. name: ${{ github.ref_name == 'edge' && 'edge' || 'latest' }} - env: - ALGOLIA_APP_ID: ${{ secrets.ALGOLIA_API_APPID }} - ALGOLIA_API_KEY: ${{ secrets.ALGOLIA_API_KEY }} - ALGOLIA_INDEX_NAME: ${{ secrets.ENV_ALGOLIA_INDEXNAME }} steps: - name: Checkout docs repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: submodules: false + persist-credentials: false - name: Download Hugo artifacts uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
@@ -204,3 +218,7 @@ jobs: - name: Index site run: python ./.github/scripts/algolia.py ./site + env: + ALGOLIA_APP_ID: ${{ secrets.ALGOLIA_API_APPID }} + ALGOLIA_API_KEY: ${{ secrets.ALGOLIA_API_KEY }} + ALGOLIA_INDEX_NAME: ${{ secrets.ENV_ALGOLIA_INDEXNAME }}