Skip to content

Updating PAT with latest regexs for validation (#552) #1246

Updating PAT with latest regexs for validation (#552)

Updating PAT with latest regexs for validation (#552) #1246

Workflow file for this run

on:
push:
branches:
- main # Splitting out main here ensures we do not redundantly run this workflow on merge from a PR
pull_request:
branches:
- '*' # Match all branches
permissions:
contents: write
id-token: write
jobs:
fmt:
if: ${{ github.actor != 'panther-bot-automation' }}
runs-on: ubuntu-latest
steps:
- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
files.pythonhosted.org:443
fulcio.sigstore.dev:443
github.com:443
objects.githubusercontent.com:443
pypi.org:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
- uses: chainguard-dev/actions/setup-gitsign@e82b4e5ae10182af72972addcb3fedf7454621c8
- name: Setup Python
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
with:
python-version: 3.11
- name: Install pipenv
run: make install-pipenv
- name: Install
run: make install
- name: Format
run: make fmt
- name: Commit formatting
run: |
git config --global user.name "panther-bot-automation"
git config --global user.email "[email protected]"
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
BRANCH=${{ github.head_ref }}
git fetch; git checkout ${{ github.head_ref }}
else
BRANCH=${{ github.ref }}
fi
git add -A .
REQUIRES_COMMIT=1
git commit -m "Auto-format files" || REQUIRES_COMMIT=0
if [[ $REQUIRES_COMMIT -eq 0 ]]; then
echo "No auto-formatting needed"
else
echo "Committing auto-formatted files"
git push origin HEAD:$BRANCH
gitsign verify $(git rev-parse HEAD) --certificate-identity-regexp="https://github.com/${{ github.repository }}/*" --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
fi
env:
GH_TOKEN: ${{ secrets.PANTHER_BOT_AUTOMATION_TOKEN }}