diff --git a/.github/workflows/on-pull-request.yaml b/.github/workflows/on-pull-request.yaml
index 1791212..816ca80 100644
--- a/.github/workflows/on-pull-request.yaml
+++ b/.github/workflows/on-pull-request.yaml
@@ -16,7 +16,7 @@ jobs:
 runs-on: ubuntu-latest
 container: qctrl/ci-images:python-3.11-ci
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - name: Download CI tool
 shell: bash
 run: |
@@ -32,7 +32,7 @@ jobs:
 runs-on: ubuntu-latest
 container: qctrl/ci-images:python-3.11-ci
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - name: Download CI tool
 shell: bash
 run: |
@@ -54,7 +54,7 @@ jobs:
 matrix:
 python: ["3.10", "3.11", "3.12", "3.13"]
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - name: Download CI tool
 shell: bash
 run: |
@@ -72,7 +72,7 @@ jobs:
 if: github.event.pull_request.head.repo.fork == true
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - name: Build Sphinx Image
 run: |
 docker build -f ./docs/Dockerfile
diff --git a/.github/workflows/on-push.yaml b/.github/workflows/on-push.yaml
index 64f37b3..1b49114 100644
--- a/.github/workflows/on-push.yaml
+++ b/.github/workflows/on-push.yaml
@@ -10,33 +10,37 @@ on:
 jobs:
 housekeeping:
 runs-on: ubuntu-latest
- container: qctrl/ci-images:python-3.11-ci
 steps:
- - uses: actions/checkout@v4
- - name: Download CI tool
- shell: bash
- run: |
- curl -sSL http://ci.q-ctrl.com | bash -
- - name: Vault Login
- run: |
- ./ci vault login -r ${{ secrets.VAULT_ROLE_ID }} -s ${{ secrets.VAULT_SECRET_ID }}
- - name: Inject environment variables
- run: |
- /scripts/ci env prepareGitHub
- - name: Perform housekeeping checks
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- git config --global --add safe.directory $GITHUB_WORKSPACE
- git config --global user.email "robot@q-ctrl.com"
- git config --global user.name "Q-CTRL Robot"
- /scripts/housekeeping.sh
+ - uses: actions/checkout@v6
+ - name: Generate GitHub App token
+ id: app-token
+ uses: actions/create-github-app-token@v3
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ repositories: reusable-workflows
+ - name: Checkout reusable workflows
+ uses: actions/checkout@v6
+ with:
+ repository: qctrl/reusable-workflows
+ token: ${{ steps.app-token.outputs.token }}
+ path: .github/reusable-workflows
+ persist-credentials: false
+ ref: actions/poetry/housekeeping/v2
+ - name: Run housekeeping
+ uses: ./.github/reusable-workflows/.github/actions/poetry/housekeeping
+ with:
+ vault-role-id: ${{ secrets.VAULT_ROLE_ID }}
+ vault-secret-id: ${{ secrets.VAULT_SECRET_ID }}
+ - name: Cleanup reusable workflows checkout
+ if: always()
+ run: rm -rf .github/reusable-workflows

 linting:
 runs-on: ubuntu-latest
 container: qctrl/ci-images:python-3.11-ci
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - name: Download CI tool
 shell: bash
 run: |
@@ -59,7 +63,7 @@ jobs:
 matrix:
 python: ["3.10", "3.11", "3.12", "3.13"]
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - name: Download CI tool
 shell: bash
 run: |
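Review bot: In the new housekeeping job, the two steps that receive secrets resolve through movable refs. `actions/create-github-app-token@v3` is handed `APP_PRIVATE_KEY`, and the local action checked out at `ref: actions/poetry/housekeeping/v2` is handed the Vault role and secret ids. Anyone able to move either ref changes the code that sees those values. Pinning both to a full commit SHA removes that dependency, e.g. `uses: actions/create-github-app-token@<full-commit-sha> # v3` and `ref: <full-commit-sha> # actions/poetry/housekeeping/v2`. The same applies to the token and checkout steps added in both on-release.yaml hunks.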
@@ -79,7 +83,7 @@ jobs:
 runs-on: ubuntu-latest
 container: qctrl/ci-images:python-3.11-ci
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - name: Download CI tool
 shell: bash
 run: |
diff --git a/.github/workflows/on-release.yaml b/.github/workflows/on-release.yaml
index 26a1832..ac2e7f1 100644
--- a/.github/workflows/on-release.yaml
+++ b/.github/workflows/on-release.yaml
@@ -9,9 +9,32 @@ jobs:
 runs-on: ubuntu-latest
 container: qctrl/ci-images:python-3.11-ci
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 with:
 fetch-depth: 0
+ - name: Generate GitHub App token
+ id: app-token
+ uses: actions/create-github-app-token@v3
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ repositories: reusable-workflows
+ - name: Checkout reusable workflows
+ uses: actions/checkout@v6
+ with:
+ repository: qctrl/reusable-workflows
+ token: ${{ steps.app-token.outputs.token }}
+ path: .github/reusable-workflows
+ persist-credentials: false
+ ref: actions/poetry/housekeeping/v2
+ - name: Run housekeeping
+ uses: ./.github/reusable-workflows/.github/actions/poetry/housekeeping
+ with:
+ vault-role-id: ${{ secrets.VAULT_ROLE_ID }}
+ vault-secret-id: ${{ secrets.VAULT_SECRET_ID }}
+ - name: Cleanup reusable workflows checkout
+ if: always()
+ run: rm -rf .github/reusable-workflows
 - name: Download CI tool
 shell: bash
 run: |
@@ -22,14 +45,6 @@ jobs:
 - name: Inject environment variables
 run: |
 ./ci env prepareGitHub
- - name: Update version in code
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- git config --global --add safe.directory $GITHUB_WORKSPACE
- git config --global user.email "robot@q-ctrl.com"
- git config --global user.name "Q-CTRL Robot"
- /scripts/housekeeping.sh
 - name: Publish publicly
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
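Review bot: In the first on-release.yaml hunk, the private clone sits inside the repository worktree at `.github/reusable-workflows` for the whole 'Run housekeeping' step and is only removed afterwards. The removed 'Update version in code' step set a git identity before calling `/scripts/housekeeping.sh`, which suggests housekeeping creates a commit. The action's body is not visible here, but if it stages files broadly, the nested clone could be recorded in that commit as a gitlink. A step such as `run: echo '.github/reusable-workflows/' >> .git/info/exclude` placed before 'Run housekeeping' would keep the directory out of any `git add`. The housekeeping job in on-push.yaml has the same layout.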
@@ -43,10 +58,28 @@ jobs:
 runs-on: ubuntu-latest
 container: qctrl/ci-images:python-3.11-ci
 steps:
+ - name: Generate GitHub App token
+ id: app-token
+ uses: actions/create-github-app-token@v3
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ repositories: reusable-workflows
+ - name: Checkout reusable workflows
+ uses: actions/checkout@v6
+ with:
+ repository: qctrl/reusable-workflows
+ token: ${{ steps.app-token.outputs.token }}
+ path: .github/reusable-workflows
+ persist-credentials: false
+ ref: actions/docs/update-docs/v1
 - name: Update docs repo
- uses: qctrl/reusable-workflows/.github/actions/docs/update-docs@master
+ uses: ./.github/reusable-workflows/.github/actions/docs/update-docs
 with:
 source_branch: master
 target_branch: master
 vault-role-id: ${{ secrets.VAULT_ROLE_ID }}
 vault-secret-id: ${{ secrets.VAULT_SECRET_ID }}
+ - name: Cleanup reusable workflows checkout
+ if: always()
+ run: rm -rf .github/reusable-workflows
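Review bot: The token minted by 'Generate GitHub App token' is consumed only by the checkout that follows, yet it is requested with every permission the App installation holds on `reusable-workflows`. Adding `permission-contents: read` under that step's `with:` narrows the token to what a clone needs, so a leak of `steps.app-token.outputs.token` exposes less. The identical token step in on-push.yaml and in the first on-release.yaml hunk would take the same line.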