Bump step-security/harden-runner from 2.10.1 to 2.10.2 (#558) #1259
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
on: | |
push: | |
branches: | |
- main # Splitting out main here ensures we do not redundantly run this workflow on merge from a PR | |
pull_request: | |
branches: | |
- '*' # Match all branches | |
permissions: | |
contents: write | |
id-token: write | |
jobs: | |
fmt: | |
if: ${{ github.actor != 'panther-bot-automation' }} | |
runs-on: ubuntu-latest | |
steps: | |
- uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
files.pythonhosted.org:443 | |
fulcio.sigstore.dev:443 | |
github.com:443 | |
objects.githubusercontent.com:443 | |
pypi.org:443 | |
rekor.sigstore.dev:443 | |
tuf-repo-cdn.sigstore.dev:443 | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
- uses: chainguard-dev/actions/setup-gitsign@e82b4e5ae10182af72972addcb3fedf7454621c8 | |
- name: Setup Python | |
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b | |
with: | |
python-version: 3.11 | |
- name: Install pipenv | |
run: make install-pipenv | |
- name: Install | |
run: make install | |
- name: Format | |
run: make fmt | |
- name: Commit formatting | |
run: | | |
git config --global user.name "panther-bot-automation" | |
git config --global user.email "[email protected]" | |
if [[ "${{ github.event_name }}" == "pull_request" ]]; then | |
BRANCH=${{ github.head_ref }} | |
git fetch; git checkout ${{ github.head_ref }} | |
else | |
BRANCH=${{ github.ref }} | |
fi | |
git add -A . | |
REQUIRES_COMMIT=1 | |
git commit -m "Auto-format files" || REQUIRES_COMMIT=0 | |
if [[ $REQUIRES_COMMIT -eq 0 ]]; then | |
echo "No auto-formatting needed" | |
else | |
echo "Committing auto-formatted files" | |
git push origin HEAD:$BRANCH | |
gitsign verify $(git rev-parse HEAD) --certificate-identity-regexp="https://github.com/${{ github.repository }}/*" --certificate-oidc-issuer="https://token.actions.githubusercontent.com" | |
fi | |
env: | |
GH_TOKEN: ${{ secrets.PANTHER_BOT_AUTOMATION_TOKEN }} |