From 0d2b5f605f5e587adb0bafb21b90b99cdb16ab62 Mon Sep 17 00:00:00 2001 From: Ludy87 Date: Sat, 21 Dec 2024 23:40:53 +0100 Subject: [PATCH 1/4] Permission Position moved to top level --- .github/workflows/build.yml | 8 +-- .github/workflows/check_properties.yml | 72 ++--------------------- .github/workflows/update-translations.yml | 70 ++++++++++++++++++++++ 3 files changed, 76 insertions(+), 74 deletions(-) create mode 100644 .github/workflows/update-translations.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cbf05eef..5ade8241 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -7,17 +7,13 @@ on: branches: ["main"] permissions: + actions: read contents: read + security-events: write jobs: build: runs-on: ubuntu-latest - - permissions: - actions: read - contents: read - security-events: write - strategy: fail-fast: false matrix: diff --git a/.github/workflows/check_properties.yml b/.github/workflows/check_properties.yml index dfc0e276..b365fe1b 100644 --- a/.github/workflows/check_properties.yml +++ b/.github/workflows/check_properties.yml @@ -1,21 +1,18 @@ -name: Check Properties Files +name: Check Properties Files on PR on: pull_request_target: types: [opened, synchronize, reopened] paths: - "src/main/resources/messages_*.properties" - push: - branches: ["main"] - paths: - - "src/main/resources/messages_en_GB.properties" + +permissions: + contents: read jobs: check-files: if: github.event_name == 'pull_request_target' runs-on: ubuntu-latest - permissions: - contents: read steps: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 
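Review bot: The `if: github.event_name == 'pull_request_target'` guard left on `check-files` in check_properties.yml can no longer be false, because this patch removes the `push` trigger and `pull_request_target` is the only event left. Either drop the condition or keep it as a deliberate safeguard with a comment such as `# guard: this job must only run for pull_request_target`. The job body continues outside the hunk.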
@@ -164,64 +161,3 @@ jobs: run: | echo "Failing the job because errors were detected." exit 1 - - update-translations-main: - if: github.event_name == 'push' - permissions: - contents: write - pull-requests: write - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - egress-policy: audit - - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Set up Python - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 - with: - python-version: "3.x" - - - name: Run Python script to check files - id: run-check - run: | - echo "Running Python script to check files..." - python .github/scripts/check_language_properties.py \ - --reference-file src/main/resources/messages_en_GB.properties \ - --branch main - - - name: Set up git config - run: | - git config --global user.name "github-actions[bot]" - git config --global user.email "github-actions[bot]@users.noreply.github.com" - - - name: Add translation keys - run: | - git add src/main/resources/messages_*.properties - git diff --staged --quiet || echo "CHANGES_DETECTED=true" >> $GITHUB_ENV - - - name: Create Pull Request - id: cpr - if: env.CHANGES_DETECTED == 'true' - uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5 - with: - token: ${{ secrets.GITHUB_TOKEN }} - commit-message: "Update translation files" - committer: GitHub Action - author: GitHub Action - signoff: true - branch: update_translation_files - title: "Update translation files" - add-paths: | - src/main/resources/messages_*.properties - body: | - Auto-generated by [create-pull-request][1] - - [1]: https://github.com/peter-evans/create-pull-request - labels: Translation - draft: false - delete-branch: true - sign-commits: true 
diff --git a/.github/workflows/update-translations.yml b/.github/workflows/update-translations.yml
new file mode 100644
index 00000000..f7107c6d
--- /dev/null
+++ b/.github/workflows/update-translations.yml
@@ -0,0 +1,70 @@
+name: Update Translations
+
+on:
+ push:
+ branches: ["main"]
+ paths:
+ - "src/main/resources/messages_en_GB.properties"
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ update-translations-main:
+ if: github.event_name == 'push'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+ with:
+ egress-policy: audit
+
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Set up Python
+ uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+ with:
+ python-version: "3.x"
+
+ - name: Run Python script to check files
+ id: run-check
+ run: |
+ echo "Running Python script to check files..."
+ python .github/scripts/check_language_properties.py \
+ --reference-file src/main/resources/messages_en_GB.properties \
+ --branch main
+
+ - name: Set up git config
+ run: |
+ git config --global user.name "github-actions[bot]"
+ git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+ - name: Add translation keys
+ run: |
+ git add src/main/resources/messages_*.properties
+ git diff --staged --quiet || echo "CHANGES_DETECTED=true" >> $GITHUB_ENV
+
+ - name: Create Pull Request
+ id: cpr
+ if: env.CHANGES_DETECTED == 'true'
+ uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ commit-message: "Update translation files"
+ committer: GitHub Action
+ author: GitHub Action
+ signoff: true
+ branch: update_translation_files
+ title: "Update translation files"
+ add-paths: |
+ src/main/resources/messages_*.properties
+ body: |
+ Auto-generated by [create-pull-request][1]
+
+ [1]: https://github.com/peter-evans/create-pull-request
+ labels: Translation
+ draft: false
+ delete-branch: true
+ sign-commits: true
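Review bot: `egress-policy: audit` on the Harden Runner step only records outbound connections, while this workflow's token holds `contents: write` and `pull-requests: write` and the job runs a repository script before opening a pull request. Once an audit run has shown which hosts the job contacts, switching to `egress-policy: block` with an `allowed-endpoints` list would enforce that set instead of just logging it. A smaller point in the `Add translation keys` step: quote the redirect target, `>> "$GITHUB_ENV"`.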
From 822ccbabdfd7d57c99a794f855415083374ec337 Mon Sep 17 00:00:00 2001 From: Ludy87 Date: Sat, 21 Dec 2024 23:47:53 +0100 Subject: [PATCH 2/4] Update build.yml --- .github/workflows/build.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5ade8241..ddaf9108 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -6,14 +6,15 @@ on: pull_request: branches: ["main"] -permissions: - actions: read - contents: read - security-events: write +permissions: read-all jobs: build: runs-on: ubuntu-latest + + permissions: + security-events: write + strategy: fail-fast: false matrix: From e920eb0555a67404677549ef62ebcd06e3c111cb Mon Sep 17 00:00:00 2001 From: Ludy87 Date: Sat, 21 Dec 2024 23:48:02 +0100 Subject: [PATCH 3/4] Update check_properties.yml --- .github/workflows/check_properties.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/check_properties.yml b/.github/workflows/check_properties.yml index b365fe1b..0554c538 100644 --- a/.github/workflows/check_properties.yml +++ b/.github/workflows/check_properties.yml @@ -6,8 +6,7 @@ on: paths: - "src/main/resources/messages_*.properties" -permissions: - contents: read +permissions: read-all jobs: check-files: From 7ccb9db9f9f1f157a1e3e157ee530ab9047b9f5f Mon Sep 17 00:00:00 2001 From: Ludy87 Date: Sat, 21 Dec 2024 23:48:09 +0100 Subject: [PATCH 4/4] Update update-translations.yml --- .github/workflows/update-translations.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/update-translations.yml b/.github/workflows/update-translations.yml index f7107c6d..141d9a72 100644 --- a/.github/workflows/update-translations.yml +++ b/.github/workflows/update-translations.yml 
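Review bot: The job-level `permissions:` block added to `build` in build.yml replaces the workflow-level `read-all` for that job rather than adding to it, so the job now runs with `security-events: write` and every other scope set to none. Before this series the job also had `actions: read` and `contents: read`. Any step that uses the token to read repository contents or workflow-run data loses that access, which matters most on private repositories; the steps themselves are outside the hunk. Listing all three scopes in the job block keeps the previous behaviour: `actions: read`, `contents: read`, `security-events: write`.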
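Review bot: Widening the workflow-level token from `contents: read` to `permissions: read-all` in check_properties.yml gives a `pull_request_target` workflow read access on every scope, and `check-files` has had no job-level block since patch 1, so it inherits all of it. This trigger runs in the base repository's context for pull requests from forks, so the token should stay as narrow as the job needs. Keeping `contents: read` at workflow level, or declaring it on the job, is the least-privilege form; the job's steps are outside the hunk, so confirm nothing else is required. The same `read-all` default is added in build.yml and update-translations.yml, where the job-level blocks override it; `permissions: {}` would be a tighter default for any job added later.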
@@ -6,14 +6,15 @@ on: paths: - "src/main/resources/messages_en_GB.properties" -permissions: - contents: write - pull-requests: write +permissions: read-all jobs: update-translations-main: if: github.event_name == 'push' runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write steps: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2