diff --git a/.github/dependabot.yml b/.github/dependabot.yml index ca66970..878ebb6 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -13,3 +13,5 @@ updates: commit-message: prefix: "[CHORE](deps)" include: "scope" + cooldown: + default-days: 7 diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 0fa3d34..a03256f 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -7,21 +7,30 @@ on: branches: [main] workflow_dispatch: +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: lint: name: Lint and Format Check runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.11" - name: Install UV - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0 - name: Install dependencies run: | @@ -38,15 +47,17 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python 3.11 - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.11" - name: Install UV - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0 - name: Install dependencies run: | 
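Review bot: The new `cooldown` block carries no comment saying what the 7-day delay is for, and dependabot.yml is where the next maintainer will look when an update seems late. A one-line comment above it such as `# Wait 7 days after a release before opening a version-update PR, so freshly published (and possibly yanked or compromised) releases are not pulled in immediately` records the supply-chain rationale. Whether the cooldown also delays security-advisory updates is worth confirming against the Dependabot docs and stating in the same comment, since that is the trade-off a reviewer of this file will ask about. The enclosing `updates:` entry starts outside the hunk.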
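Review bot: The workflow-level `permissions:` grant of `contents: read` in ci.yaml differs from publish-stac.yaml and staging.yaml in this same commit, which set `permissions: {}` at the top and grant `contents: read` per job; with the workflow-level grant, the gate job in the @@ -91 hunk (which only runs `are-we-good` and never checks out the repository) still receives a read token it does not need. Changing the top of the file to `permissions: {}` and adding `permissions:` / `contents: read` under `lint:` (and likewise under the jobs in the @@ -38 and @@ -61 hunks, which do check out code) makes the three workflows follow one pattern. The `cancel-in-progress: true` group keys on `github.ref`, so a second push to the same branch cancels the earlier run; that is fine for PR refs, but a comment stating whether it is also intended for runs on `main` would help, since there it can leave the latest commit without a completed run until the new one finishes. The `on:` block starts outside the hunk, so which events feed `github.ref` cannot be confirmed from here.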
@@ -61,15 +72,17 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.11" - name: Install UV - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0 - name: Install package run: | @@ -91,12 +104,6 @@ jobs: runs-on: ubuntu-latest if: always() steps: - - name: Check if all jobs passed - run: | - if [ "${{ needs.lint.result }}" != "success" ] || \ - [ "${{ needs.test.result }}" != "success" ] || \ - [ "${{ needs.test-package-install.result }}" != "success" ]; then - echo "One or more checks failed" - exit 1 - fi - echo "All checks passed!" + - uses: lowlydba/are-we-good@98d5377c7f82a14da7abf548a8cd3de01b163556 # v1.0.1 + with: + jobs: ${{ toJSON(needs) }} diff --git a/.github/workflows/publish-stac.yaml b/.github/workflows/publish-stac.yaml index 091df7d..f33c88f 100644 --- a/.github/workflows/publish-stac.yaml +++ b/.github/workflows/publish-stac.yaml @@ -7,11 +7,7 @@ on: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: -# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages -permissions: - contents: read - pages: write - id-token: write +permissions: {} # Allow only one concurrent deployment concurrency: 
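Review bot: The new gate checks whatever `needs` contains (`jobs: ${{ toJSON(needs) }}`), whereas the removed script named `lint`, `test` and `test-package-install` explicitly; a job later added to the workflow but not to this job's `needs:` list is silently left out of the required check, so a comment on the step such as `# Fails unless every job listed in needs: above succeeded; register new jobs in needs:, not here` keeps that contract visible. The step also has no `name:` unlike every other step in the file; `- name: Check that all required jobs passed` would match the file's style. The job's `needs:` list is outside the hunk, so I cannot confirm it is complete. `lowlydba/are-we-good` is a new third-party action on the required-check path; it is pinned by commit SHA, which is the right way to introduce it.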
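Review bot: The replacement `permissions: {}` line drops the explanatory comment that the removed block carried, so the file no longer says why the workflow-level token is empty. A comment such as `# No default GITHUB_TOKEN permissions; each job grants only what it needs` above `permissions: {}` restores that, and the same applies to the identical change in staging.yaml (its @@ -4 hunk). The `concurrency:` block at the end of this hunk continues outside it.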
@@ -21,21 +17,27 @@ concurrency: jobs: build-and-deploy: name: Build and Deploy STAC Catalog + permissions: + contents: read + pages: write # required to deploy to GitHub Pages + id-token: write # required for OIDC token exchange when deploying to GitHub Pages environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python 3.11 - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.11" - name: Install UV - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0 - name: Install dependencies run: | @@ -46,13 +48,13 @@ jobs: gen-stac --output public_releases - name: Setup Pages - uses: actions/configure-pages@v6 + uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0 - name: Upload artifact - uses: actions/upload-pages-artifact@v4 + uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0 with: path: "public_releases" - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v5 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0 diff --git a/.github/workflows/staging.yaml b/.github/workflows/staging.yaml index 755f3a2..cf04be5 100644 --- a/.github/workflows/staging.yaml +++ b/.github/workflows/staging.yaml 
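Review bot: In the new job-level `permissions:` block, `pages: write` and `id-token: write` each carry a why-comment but `contents: read` does not; `contents: read # required to check out the repository` keeps the three entries consistent, and checkout is the only use of it visible in the hunk. `persist-credentials: false` on the checkout step fits a job whose deployment goes through OIDC (`id-token: write`) rather than a git push, so nothing after checkout should need the token in the git config. The `build-and-deploy` job continues past the hunk.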
@@ -4,25 +4,32 @@ on: pull_request: branches: [main] -permissions: - contents: read - id-token: write +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: build: name: Build STAC Catalog runs-on: ubuntu-latest + permissions: + contents: read + actions: write # required for actions/upload-artifact steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python 3.11 - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.11" - name: Install UV - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0 - name: Install dependencies run: | @@ -33,7 +40,7 @@ jobs: gen-stac --output public_releases - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: stac-catalog path: public_releases 
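Review bot: `cancel-in-progress: true` keyed on `github.ref` cancels the previous run when a PR receives a new push, and the `deploy` job later in this file (the @@ -42 hunk) runs `aws s3 sync --delete` into the PR's staging prefix, so a cancellation mid-sync can leave that prefix partially updated until the new run's deploy completes. If that is acceptable, a comment on the `concurrency:` block saying so saves the next reader the same question; otherwise give the `deploy` job its own group without `cancel-in-progress`. The job-level `actions: write # required for actions/upload-artifact` comment is useful; the sibling `contents: read` line would read better in the same style, e.g. `contents: read # required to check out the repository`. The `on:` block starts outside the hunk.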
@@ -42,25 +49,34 @@ jobs: name: Deploy runs-on: ubuntu-latest needs: build + permissions: + id-token: write # required for OIDC token exchange with AWS + actions: read # required for actions/download-artifact environment: name: staging url: https://staging.overturemaps.org/${{ github.event.repository.name }}/pr/${{ github.event.number }}/catalog.json steps: - name: Configure AWS credentials 🔐 - uses: aws-actions/configure-aws-credentials@v6 + uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 with: role-to-assume: arn:aws:iam::763944545891:role/pages-staging-oidc-overturemaps aws-region: us-west-2 - name: Download artifacts 📥 - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: stac-catalog - name: Copy to S3 run: | - aws s3 sync --delete . s3://overture-managed-staging-usw2/gh-pages/${{ github.event.repository.name }}/pr/${{ github.event.number }}/ + aws s3 sync --delete . s3://overture-managed-staging-usw2/gh-pages/${GITHUB_EVENT_REPOSITORY_NAME}/pr/${GITHUB_EVENT_NUMBER}/ + env: + GITHUB_EVENT_REPOSITORY_NAME: ${{ github.event.repository.name }} + GITHUB_EVENT_NUMBER: ${{ github.event.number }} - name: Bust the Cache - run: aws cloudfront create-invalidation --distribution-id E1KP2IN0H2RGGT --paths "/${{ github.event.repository.name }}/pr/${{ github.event.number }}/*" + run: aws cloudfront create-invalidation --distribution-id E1KP2IN0H2RGGT --paths "/${GITHUB_EVENT_REPOSITORY_NAME}/pr/${GITHUB_EVENT_NUMBER}/*" + env: + GITHUB_EVENT_REPOSITORY_NAME: ${{ github.event.repository.name }} + GITHUB_EVENT_NUMBER: ${{ github.event.number }}