Merge pull request #2465 from dandi/update-gh-actions

Improvements to GitHub Actions

Author: mvandenburgh

.github/workflows/backend-ci.yml

@@ -8,8 +8,8 @@ on:
       - master
     paths-ignore:
       - "web/**"
-  schedule:
-    - cron: "0 0 * * *"
+permissions:
+  contents: read
 jobs:
   test:
     runs-on: ubuntu-22.04
@@ -23,10 +23,18 @@ jobs:
         env:
           POSTGRES_DB: django
           POSTGRES_PASSWORD: postgres
+        options: >-
+          --health-cmd "pg_isready --username postgres"
+          --health-start-period 30s
+          --health-start-interval 2s
         ports:
           - 5432:5432
       rabbitmq:
-        image: rabbitmq:management
+        image: rabbitmq:management-alpine
+        options: >-
+          --health-cmd "rabbitmq-diagnostics ping"
+          --health-start-period 30s
+          --health-start-interval 2s
         ports:
           - 5672:5672
       minio:
@@ -35,14 +43,17 @@ jobs:
         env:
           MINIO_ROOT_USER: minioAccessKey
           MINIO_ROOT_PASSWORD: minioSecretKey
+        options: >-
+          --health-cmd "mc ready local"
+          --health-timeout 1s
+          --health-start-period 30s
+          --health-start-interval 2s
         ports:
           - 9000:9000
     steps:
       - uses: actions/checkout@v5
       - name: Set up Python
         uses: actions/setup-python@v5
-        with:
-          python-version-file: .python-version
       - name: Install tox
         run: |
           pip install --upgrade pip

.github/workflows/backend-production-deploy.yml

@@ -4,6 +4,9 @@ on:
   release:
     types: [released]
 
+permissions:
+  contents: write
+
 concurrency:
   # If this workflow is already running, cancel it to avoid a scenario
   # where the older run finishes *after* the newer run and overwrites
@@ -19,7 +22,6 @@ jobs:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 0 # fetch history for all branches and tags
-          token: ${{ secrets.GH_TOKEN }} # use PAT with permissions to push to master
           ref: release
 
       - name: Perform reset
@@ -39,8 +41,6 @@ jobs:
 
       - name: Set up Python
         uses: actions/setup-python@v5
-        with:
-          python-version-file: .python-version
 
       - name: Install Heroku CLI
         run: curl https://cli-assets.heroku.com/install.sh | sh

.github/workflows/backend-staging-deploy.yml

@@ -8,6 +8,9 @@ on:
       - "web/**"
       - "CHANGELOG.md"
 
+permissions:
+  contents: read
+
 concurrency:
   # If this workflow is already running, cancel it to avoid a scenario
   # where the older run finishes *after* the newer run and overwrites
@@ -26,8 +29,6 @@ jobs:
 
       - name: Set up Python
         uses: actions/setup-python@v5
-        with:
-          python-version-file: .python-version
 
       - name: Install Heroku CLI
         run: curl https://cli-assets.heroku.com/install.sh | sh

.github/workflows/cli-integration.yml

@@ -10,6 +10,9 @@ on:
     paths-ignore:
       - "web/**"
 
+permissions:
+  contents: read
+
 jobs:
   build-image:
     runs-on: ubuntu-22.04

.github/workflows/frontend-ci.yml

@@ -4,8 +4,8 @@ on:
   push:
     branches:
       - master
-  schedule:
-    - cron: "0 0 * * *"
+permissions:
+  contents: read
 jobs:
   lint-type-check:
     defaults:
@@ -50,10 +50,18 @@ jobs:
         env:
           POSTGRES_DB: django
           POSTGRES_PASSWORD: postgres
+        options: >-
+          --health-cmd "pg_isready --username postgres"
+          --health-start-period 30s
+          --health-start-interval 2s
         ports:
           - 5432:5432
       rabbitmq:
-        image: rabbitmq:management
+        image: rabbitmq:management-alpine
+        options: >-
+          --health-cmd "rabbitmq-diagnostics ping"
+          --health-start-period 30s
+          --health-start-interval 2s
         ports:
           - 5672:5672
       minio:
@@ -62,6 +70,11 @@ jobs:
         env:
           MINIO_ROOT_USER: minioAccessKey
           MINIO_ROOT_PASSWORD: minioSecretKey
+        options: >-
+          --health-cmd "mc ready local"
+          --health-timeout 1s
+          --health-start-period 30s
+          --health-start-interval 2s
         ports:
           - 9000:9000
     env:
@@ -95,8 +108,6 @@ jobs:
 
     - name: Set up Python
       uses: actions/setup-python@v5
-      with:
-        python-version-file: .python-version
 
     - name: Install web app
       run: yarn install --frozen-lockfile

.github/workflows/release.yml

@@ -5,6 +5,9 @@ on:
     branches:
       - master
 
+permissions:
+  contents: write
+
 jobs:
   release:
     if: "!contains(github.event.head_commit.message, 'ci skip') && !contains(github.event.head_commit.message, 'skip ci')"
@@ -13,7 +16,6 @@ jobs:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 0 # fetch history for all branches and tags
-          token: ${{ secrets.GH_TOKEN }} # use PAT with permissions to push to master
 
       - name: Download latest auto
         run: |
@@ -23,6 +25,6 @@ jobs:
 
       - name: Create Release
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           ~/auto shipit --message="auto shipit - CHANGELOG.md etc"