CI: go.work sync: Force use GitHub-provided token #35
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Sync go.work on PRs | |
| # Uses the RUN_WORKFLOW_FROM_WORKFLOW secret if available. Otherwise it is | |
| # necessary to reopen a PR to run more workflows. | |
| name: Sync go.work | |
| on: | |
| pull_request_target: | |
| types: [ opened, reopened, synchronize ] | |
| paths: | |
| - '**/go.mod' | |
| - '**/go.sum' | |
| - 'go.work' | |
| permissions: | |
| contents: write | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref_name }} | |
| cancel-in-progress: true | |
| jobs: | |
| update-sum: | |
| # We only run this for pull requests from the same repository. This is | |
| # important for security reasons, as we use pull_request_target. | |
| if: github.event.pull_request.head.repo.full_name == github.repository | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Because the GitHub-provided token doesn't trigger further actions runs, | |
| # try to use a secret if available. | |
| - name: Determine checkout token | |
| id: has-token | |
| run: echo "has-token=$HAS_TOKEN" >> "$GITHUB_OUTPUT" | |
| env: | |
| # Temporarily disable use of token; we don't have a correct token set up | |
| # (so we fail to push), so using the GitHub-provided token that doesn't | |
| # trigger subsequent checks is better than failing to push. | |
| HAS_TOKEN: ${{ false && secrets.RUN_WORKFLOW_FROM_WORKFLOW != '' }} | |
| FOO: ${{ false }} | |
| BAR: ${{ false && true }} | |
| - name: Checkout with token | |
| if: steps.has-token.outputs.has-token == 'true' | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: true | |
| ref: ${{ github.head_ref }} | |
| fetch-depth: 3 | |
| token: ${{ secrets.RUN_WORKFLOW_FROM_WORKFLOW }} | |
| - name: Checkout without token | |
| if: steps.has-token.outputs.has-token != 'true' | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: true | |
| ref: ${{ github.head_ref }} | |
| fetch-depth: 3 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version-file: package.json | |
| - run: corepack enable | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version-file: package.json | |
| cache: yarn | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.work | |
| cache-dependency-path: '**/go.sum' | |
| - name: Determine go.mod files | |
| id: go-files | |
| run: >- | |
| printf "go-files=%s go.work\n" | |
| "$(git ls-files '**/go.mod' '**/go.sum' | tr '\r\n' ' ')" | |
| >> "$GITHUB_OUTPUT" | |
| - run: yarn install --frozen-lockfile | |
| - run: yarn lint:go:fix | |
| - name: Check for changes | |
| id: changed | |
| run: | | |
| if [ -n "$(git status --porcelain -- $GO_FILES)" ]; then | |
| echo changed=true >> "$GITHUB_OUTPUT" | |
| else | |
| echo changed= >> "$GITHUB_OUTPUT" | |
| fi | |
| env: | |
| GO_FILES: ${{ steps.go-files.outputs.go-files }} | |
| - name: Commit changes | |
| if: steps.changed.outputs.changed | |
| run: >- | |
| git | |
| -c user.name="$GIT_AUTHOR_NAME" | |
| -c user.email="$GIT_AUTHOR_EMAIL" | |
| commit | |
| --message='Update go modules' | |
| --message="Signed-off-by: $GIT_AUTHOR_NAME <$GIT_AUTHOR_EMAIL>" | |
| -- | |
| $GO_FILES | |
| env: | |
| GIT_AUTHOR_NAME: Rancher Desktop Dependency Manager | |
| GIT_AUTHOR_EMAIL: donotuse@rancherdesktop.io | |
| GO_FILES: ${{ steps.go-files.outputs.go-files }} | |
| - name: Push changes | |
| if: steps.changed.outputs.changed | |
| run: | | |
| git show | |
| git push origin ${{ github.head_ref }} |