diff --git a/.github/workflows/audit.yaml b/.github/workflows/audit.yaml
index 8334ab7148..1219cf4c8e 100644
--- a/.github/workflows/audit.yaml
+++ b/.github/workflows/audit.yaml
@@ -4,6 +4,9 @@ on:
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 validate-prod-core-dependencies:
 name: Validate Core production dependencies
diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
new file mode 100644
index 0000000000..b759dd915e
--- /dev/null
+++ b/.github/workflows/deploy-docs.yml
@@ -0,0 +1,84 @@
+name: Deploy Docs to GitHub Pages
+
+on:
+ push:
+ branches:
+ - main
+ # Review gh actions docs if you want to further define triggers, paths, etc
+ # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#on
+
+# Ensure we avoid any race conditions with rapid pushes to main
+concurrency:
+ group: "Deploy to GitHub Pages"
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ name: Build Docusaurus
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
+ fetch-depth: 0
+ - name: Use Node.js
+ uses: actions/setup-node@v6
+ with:
+ node-version-file: ".node-version"
+ - name: restore node_modules
+ uses: actions/cache@v4
+ with:
+ path: |
+ packages/node_modules
+ key: ${{ runner.os }}-${{ hashFiles('packages/yarn.lock') }}
+ - name: Prepare Environment
+ run: |
+ corepack enable
+
+ cd packages
+ yarn config set cacheFolder /home/runner/publish-docs-cache
+ yarn install
+ yarn build:all
+ env:
+ CI: true
+ - name: Run docusaurus
+ run: |
+ cd packages/documentation
+ yarn docs:build
+ env:
+ CI: true
+ - name: Run typedoc
+ run: |
+ cd packages
+ yarn docs:typedoc
+ cp docs documentation/build/typedoc -R
+ env:
+ CI: true
+
+ - name: Upload Build Artifact
+ uses: actions/upload-pages-artifact@v4
+ with:
+ path: packages/documentation/build
+
+ deploy:
+ name: Deploy to GitHub Pages
+ needs: build
+
+ # Grant GITHUB_TOKEN the permissions required to make a Pages deployment
+ permissions:
+ pages: write # to deploy to Pages
+ id-token: write # to verify the deployment originates from an appropriate source
+
+ # Deploy to the github-pages environment
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
\ No newline at end of file
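Review bot: `cancel-in-progress: true` on the file-level concurrency group also covers the `deploy` job, so a second push to main while `actions/deploy-pages@v4` is mid-deployment cancels that run rather than letting it finish; the comment above the group only talks about racing builds, and GitHub's own Pages starter workflow uses `cancel-in-progress: false` for exactly this reason (queued runs still serialize on the group). Consider `cancel-in-progress: false`, or scope the cancelling group to the `build` job only. Separately, every action here is pinned by major tag (`actions/checkout@v6`, `actions/cache@v4`, `actions/deploy-pages@v4`); since this PR is tightening token scopes, pinning to full commit SHAs would close the remaining supply-chain gap, though that is a repo-wide convention rather than specific to this file.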
diff --git a/.github/workflows/node.yaml b/.github/workflows/node.yaml
index 44032079af..4734c78bcf 100644
--- a/.github/workflows/node.yaml
+++ b/.github/workflows/node.yaml
@@ -9,6 +9,9 @@ on:
 pull_request:
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 lint-core:
 name: Typecheck and Lint Core
@@ -103,6 +106,11 @@ jobs:
 name: Build Core and publish docker image
 runs-on: ubuntu-latest
 timeout-minutes: 30
+
+ permissions:
+ contents: read
+ packages: write
+
 steps:
 - uses: actions/checkout@v6
 with:
@@ -283,6 +291,10 @@ jobs:
 matrix:
 gateway-name: [playout-gateway, mos-gateway, "live-status-gateway"]
 
+ permissions:
+ contents: read
+ packages: write
+
 steps:
 - uses: actions/checkout@v6
 with:
@@ -613,12 +625,12 @@ jobs:
 env:
 CI: true
 
- publish-docs:
- name: Publish Docs
+ build-docs:
+ name: Build Docs
 runs-on: ubuntu-latest
- continue-on-error: true
 timeout-minutes: 15
 
+ # This is just to ensure the docs build, another job performs the build & publish
 steps:
 - uses: actions/checkout@v6
 with:
@@ -656,13 +668,6 @@ jobs:
 cp docs documentation/build/typedoc -R
 env:
 CI: true
- - name: Publish
- if: github.ref == 'refs/heads/main' # always publish for just the main branch
- uses: peaceiris/actions-gh-pages@v4
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- publish_dir: ./packages/documentation/build
- force_orphan: true
 
 check-for-multiple-library-versions:
 name: Check for multiple library versions
diff --git a/.github/workflows/prune-container-images.yml b/.github/workflows/prune-container-images.yml
index 9fccdf4090..a1fc9496fe 100644
--- a/.github/workflows/prune-container-images.yml
+++ b/.github/workflows/prune-container-images.yml
@@ -5,6 +5,10 @@ on:
 schedule:
 - cron: "12 14 * * *"
 
+permissions:
+ contents: read
+ packages: write
+
 jobs:
 prune-container-images:
 if: ${{ github.repository_owner == 'Sofie-Automation' }}
diff --git a/.github/workflows/prune-tags.yml b/.github/workflows/prune-tags.yml
index 9bf477b288..117c2c7700 100644
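Review bot: The job-level `packages: write` added to the "Build Core and publish docker image" job (hunk @@ -103) and to the gateway matrix job (hunk @@ -283) applies on every trigger, and this workflow's `on:` block includes `pull_request`; for a pull request from a branch in the same repository the GITHUB_TOKEN would then carry package-write scope into a job that checks out and builds PR-authored code (fork PRs already receive a read-only token). If those jobs are not already gated with something like `if: github.event_name != 'pull_request'` on the job or on the registry login/push steps, that is worth confirming — the job bodies continue outside these hunks so I cannot see it here. An alternative that needs no conditional is to keep `packages: read` on the build jobs and grant `packages: write` only in a separate publish job that `needs:` the build.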
--- a/.github/workflows/prune-tags.yml
+++ b/.github/workflows/prune-tags.yml
@@ -14,6 +14,9 @@ on:
 schedule:
 - cron: "0 0 * * 0"
 
+permissions:
+ contents: write
+
 jobs:
 prune-tags:
 if: ${{ github.repository_owner == 'Sofie-Automation' }}
diff --git a/.github/workflows/sonar.yaml b/.github/workflows/sonar.yaml
index a7b8cb1d8c..c85535898f 100644
--- a/.github/workflows/sonar.yaml
+++ b/.github/workflows/sonar.yaml
@@ -9,6 +9,9 @@ on:
 types: [opened, synchronize, reopened]
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 name: SonarCloud analysis
 jobs:
 sonarqube:
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 3f5379e7d2..d12492f71c 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -4,6 +4,10 @@ on:
 schedule:
 - cron: "0 10 * * 1"
 
+permissions:
+ contents: read
+ packages: read
+
 jobs:
 trivy:
 if: ${{ github.repository_owner == 'Sofie-Automation' }}