Bump step-security/harden-runner from 2.10.1 to 2.10.2 (#558) #1259

Workflow file for this run

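# Auto-format workflow: runs `make fmt` and, if anything changed, commits the
# result and pushes it back to the branch that triggered the run.
on:
  push:
    branches:
      - main  # Splitting out main here ensures we do not redundantly run this workflow on merge from a PR
  pull_request:
    branches:
      # NOTE(review): in GitHub's filter syntax '*' does not match '/', so PRs
      # targeting a base branch such as 'release/x' are not covered; '**' would
      # match those as well. Confirm which is intended.
      - '*'
permissions:
  # Write access is used by the "Commit formatting" step to push the commit.
  contents: write
  # Presumably required for gitsign keyless signing via the Actions OIDC token
  # (see the sigstore endpoints and the OIDC issuer checked below) - confirm.
  id-token: write
jobs:
  fmt:
    # Skip runs triggered by the bot account itself.
    if: ${{ github.actor != 'panther-bot-automation' }}
    runs-on: ubuntu-latest
    steps:
      # Outbound traffic is blocked except for the endpoints listed here, and
      # sudo is disabled for the rest of the job.
      - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f  # v2.10.2
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            fulcio.sigstore.dev:443
            github.com:443
            objects.githubusercontent.com:443
            pypi.org:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - uses: chainguard-dev/actions/setup-gitsign@e82b4e5ae10182af72972addcb3fedf7454621c8
      - name: Setup Python
        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
        with:
          # Quoted so the version is always read as a string, never as a float.
          python-version: '3.11'
      - name: Install pipenv
        run: make install-pipenv
      - name: Install
        run: make install
      - name: Format
        run: make fmt
      - name: Commit formatting
        # Event data (the PR head branch name in particular is chosen by the PR
        # author) is passed through env and expanded by the shell as quoted
        # variables. Interpolating `${{ ... }}` directly into the script text
        # would let a crafted branch name be parsed as shell code in a job that
        # holds contents:write, id-token:write and a bot token.
        env:
          # NOTE(review): nothing in the visible script reads GH_TOKEN directly;
          # confirm it is still needed by this step.
          GH_TOKEN: ${{ secrets.PANTHER_BOT_AUTOMATION_TOKEN }}
          EVENT_NAME: ${{ github.event_name }}
          HEAD_REF: ${{ github.head_ref }}
          REF: ${{ github.ref }}
          REPOSITORY: ${{ github.repository }}
        run: |
          git config --global user.name "panther-bot-automation"
          git config --global user.email "[email protected]"
          if [[ "$EVENT_NAME" == "pull_request" ]]; then
            BRANCH="$HEAD_REF"
            git fetch; git checkout "$HEAD_REF"
          else
            BRANCH="$REF"
          fi
          git add -A .
          REQUIRES_COMMIT=1
          # A failing commit is treated as "nothing to commit".
          git commit -m "Auto-format files" || REQUIRES_COMMIT=0
          if [[ $REQUIRES_COMMIT -eq 0 ]]; then
            echo "No auto-formatting needed"
          else
            echo "Committing auto-formatted files"
            git push origin "HEAD:$BRANCH"
            # Verification runs after the push, so a failure here fails the job
            # but does not stop the commit from landing.
            # NOTE(review): the identity pattern is a regexp, so the trailing
            # '/*' matches zero or more slashes rather than "any path under the
            # repository"; confirm whether a tighter, anchored pattern is wanted.
            gitsign verify "$(git rev-parse HEAD)" --certificate-identity-regexp="https://github.com/${REPOSITORY}/*" --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
          fi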