ARCH-1919 - Transfer to Infra-Purple #6
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This is the workflow the repository uses to increment itself. | |
| name: Increment Version & Kick off template sync | |
| on: | |
| # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
| # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token | |
| # | |
| # GitHub's standard pull_request workflow trigger prevents write permissions and | |
| # secrets access when the PR is from a public fork. PRs from branches and forks of | |
| # internal/private repos are not limited the same way for the pull_request trigger. | |
| # | |
| # The pull_request_target trigger (which this workflow is using) relaxes some of those | |
| # restrictions and allows PRs from public forks to have write permissions through the | |
| # GH_TOKEN which we need in order to push new tags to the repo through this workflow. | |
| # | |
| # For this workflow, the elevated permissions should not be a problem because: | |
| # • This workflow is only triggered when a PR is closed and the reusable workflow it | |
| # calls only executes if it has been merged to the default branch. This means the PR | |
| # has been reviewed and approved by a CODEOWNER and merged by someone with Write | |
| # access before this workflow with its elevated permissions gets executed. Any code | |
| # that doesn't meet our standards should be caught before it gets to this point. | |
| # • The "Require approval for all outside collaborators" setting is set at the org-level. | |
| # Before a workflow can execute for a PR generated by an outside collaborator, a user | |
| # with Write access must manually approve the request to execute the workflow run. | |
| # Prior to doing so they should have had a chance to review any changes in the PR | |
| pull_request_target: | |
| types: [closed] | |
| jobs: | |
| increment-version: | |
| uses: ./.github/workflows/reusable-increment-version-on-merge.yml | |
| with: | |
| default-branch: main | |
| # We only want to increment the version if these reusable workflows change | |
| files-with-code: 'reusable-build-and-review-pr.yml,reusable-increment-version-on-merge.yml' | |
| dirs-with-code: 'actions' |