akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
Files
a437c64fb1d797938783e048aaaed38ba193468d
Charon/.github/workflows/auto-versioning.yml.backup
GitHub Actions 45d54c46e4 chore: remove unused pull-requests permission from auto-versioning workflow 
Remove unused pull-requests: write permission from auto-versioning workflow.
The workflow uses GitHub Release API which only requires contents: write
permission. This follows the principle of least privilege.

Changes:
- Removed unused pull-requests: write permission
- Added documentation for cancel-in-progress: false setting
- Created backup of original workflow file
- QA verification complete with all security checks passing

Security Impact:
- Reduces attack surface by removing unnecessary permission
- Maintains functionality (no breaking changes)
- Follows OWASP and CIS security best practices

Related Issues:
- Fixes GH013 repository rule violation on tag creation
- CVE-2024-45337 in build cache (fix available, not in production)
- CVE-2025-68156 in CrowdSec awaiting upstream fix

QA Report: docs/reports/qa_report.md
2026-01-16 02:34:24 +00:00

96 lines
3.7 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
name: Auto Versioning and Release
on:
push:
branches: [ main ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false
permissions:
contents: write # Required for creating releases via API
jobs:
version:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
with:
fetch-depth: 0
- name: Calculate Semantic Version
id: semver
uses: paulhatch/semantic-version@a8f8f59fd7f0625188492e945240f12d7ad2dca3 # v5.4.0
with:
# The prefix to use to create tags
tag_prefix: "v"
# Regex pattern for major version bump (breaking changes)
# Matches: "feat!:", "fix!:", "BREAKING CHANGE:" in commit messages
major_pattern: "/!:|BREAKING CHANGE:/"
# Regex pattern for minor version bump (new features)
# Matches: "feat:" prefix in commit messages (Conventional Commits)
minor_pattern: "/feat:/"
# Pattern to determine formatting
version_format: "${major}.${minor}.${patch}"
# If no tags are found, this version is used
version_from_branch: "0.0.0"
# This helps it search through history to find the last tag
search_commit_body: true
# Important: This enables the output 'changed' which your other steps rely on
enable_prerelease_mode: false
- name: Show version
run: |
echo "Next version: ${{ steps.semver.outputs.version }}"
echo "Version changed: ${{ steps.semver.outputs.changed }}"
- name: Determine tag name
id: determine_tag
run: |
# Normalize the version: remove any leading 'v' so we don't end up with 'vvX.Y.Z'
RAW="${{ steps.semver.outputs.version }}"
VERSION_NO_V="${RAW#v}"
TAG="v${VERSION_NO_V}"
echo "Determined tag: $TAG"
echo "tag=$TAG" >> $GITHUB_OUTPUT
- name: Check for existing GitHub Release
id: check_release
run: |
TAG=${{ steps.determine_tag.outputs.tag }}
echo "Checking for release for tag: ${TAG}"
STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
-H "Authorization: token ${GITHUB_TOKEN}" \
-H "Accept: application/vnd.github+json" \
"https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}") || true
if [ "${STATUS}" = "200" ]; then
echo "exists=true" >> $GITHUB_OUTPUT
echo " Release already exists for tag: ${TAG}"
else
echo "exists=false" >> $GITHUB_OUTPUT
echo "✅ No existing release found for tag: ${TAG}"
fi
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Create GitHub Release (creates tag via API)
if: ${{ steps.semver.outputs.changed == 'true' && steps.check_release.outputs.exists == 'false' }}
uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
with:
tag_name: ${{ steps.determine_tag.outputs.tag }}
name: Release ${{ steps.determine_tag.outputs.tag }}
generate_release_notes: true
make_latest: true
draft: false
prerelease: false
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Output release information
if: ${{ steps.semver.outputs.changed == 'true' && steps.check_release.outputs.exists == 'false' }}
run: |
echo "✅ Successfully created release: ${{ steps.determine_tag.outputs.tag }}"
echo "📦 Release URL: https://github.com/${{ github.repository }}/releases/tag/${{ steps.determine_tag.outputs.tag }}"
Reference in New Issue View Git Blame Copy Permalink