Commit graph

56 commits

Author SHA1 Message Date
Arian van Putten
af9a980c7d Lock third-party actions
A caller of this action can lock this action to a specific commit. However, because the action itself does not lock its dependent actions to a specific commit, this opens the end user up to possible supply-chain attacks if the dependent actions rewrite their tags.

This PR changes all third party actions to be explicitly locked.

Dependabot will still work and update these hashes for you.

I also suggest installing https://github.com/ossf/scorecard in this repo. It will report on these kinds of issues.

Note that you should in turn audit all the third-party deps of the actions that your action depends on. In general this is all a bit of a mess and GitHub's security model is very meh.

e.g. see https://github.com/ossf/scorecard/issues/2189
2024-06-18 09:17:15 -07:00
Luc Perkins
0e2a61b1f3 Add environment variable for strict mode input 2024-05-23 12:23:56 -03:00
Luc Perkins
7a7f13f9b5 Make strict mode input not required 2024-05-23 12:03:54 -03:00
Luc Perkins
7ce3b51a1d Update detsys-ts 2024-05-22 15:40:01 -03:00
Graham Christensen
3fa85bcf4c nit: run line 2024-05-09 15:44:43 -04:00
Graham Christensen
d978837d43 Expose all inputs 2024-05-09 15:35:53 -04:00
Graham Christensen
8363f28293 Call the node action directly instead 2024-05-07 23:02:56 -04:00
Luc Perkins
dde5487502 Finish initial rework into TS 2024-04-26 11:55:19 -03:00
Luc Perkins
b1f8684b21 Update Nix shell and add envrc 2024-04-21 19:42:23 -03:00
Luc Perkins
cf6776dfd1 Add initial JS setup 2024-04-21 19:17:03 -03:00
Cole Helbling
a3ccb8f597 Update pedrolamas/handlebars-action to 2.4.0 2024-02-29 07:07:00 -08:00
Cole Helbling
56b3507bfe Update DamianReeves/write-file-action to v1.3 2024-02-28 15:06:00 -08:00
dependabot[bot]
70d01ca550 build(deps): bump pedrolamas/handlebars-action from 2.2.0 to 2.3.0
Bumps [pedrolamas/handlebars-action](https://github.com/pedrolamas/handlebars-action) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/pedrolamas/handlebars-action/releases)
- [Commits](https://github.com/pedrolamas/handlebars-action/compare/v2.2.0...v2.3.0)

---
updated-dependencies:
- dependency-name: pedrolamas/handlebars-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-28 14:55:32 -08:00
dependabot[bot]
0631a12d9a build(deps): bump crazy-max/ghaction-import-gpg from 5 to 6
Bumps [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) from 5 to 6.
- [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases)
- [Commits](https://github.com/crazy-max/ghaction-import-gpg/compare/v5...v6)

---
updated-dependencies:
- dependency-name: crazy-max/ghaction-import-gpg
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-28 14:54:51 -08:00
Morgan Helton
a72d3c5880 update peter-evans/create-pull-request to v6 2024-02-28 14:54:06 -08:00
Pol Dellaiera
e98d4358e3 Bump peter-evans/create-pull-request to v5 2023-10-10 13:22:51 -07:00
Graham Christensen
da2fd6f256 Update action.yml 2023-08-24 00:12:15 -04:00
xgroleau🐢
dec3bc3c9b fix: removed commented commit escaping code 2023-03-29 11:11:22 -07:00
xgroleau🐢
ad81b423ab fix: use multiline string 2023-03-29 11:11:22 -07:00
xgroleau🐢
8a88a06550 fix: pr message fix 2023-03-29 11:11:22 -07:00
xgroleau🐢
9af2d0f36a fix: replace action using deprecated node 12 2023-03-29 11:11:22 -07:00
xgroleau🐢
b55ee105d9 feat: Added nix option
fix: nix options position

Use empty list

fix options
2023-03-29 11:11:22 -07:00
Budiman Jojo
bc75a5b55e expose status of PR 2023-03-27 09:17:55 -07:00
Jörg Thalheim
786e5cf5a2 allow setting the base branch of the pull request 2023-03-27 08:43:21 -07:00
dependabot[bot]
085c3a0b6d build(deps): bump pedrolamas/handlebars-action from 2.1.0 to 2.2.0
Bumps [pedrolamas/handlebars-action](https://github.com/pedrolamas/handlebars-action) from 2.1.0 to 2.2.0.
- [Release notes](https://github.com/pedrolamas/handlebars-action/releases)
- [Commits](https://github.com/pedrolamas/handlebars-action/compare/v2.1.0...v2.2.0)

---
updated-dependencies:
- dependency-name: pedrolamas/handlebars-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-06 05:55:07 -08:00
dependabot[bot]
cc83127440 build(deps): bump peter-evans/create-pull-request from 3 to 4
Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 3 to 4.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases)
- [Commits](https://github.com/peter-evans/create-pull-request/compare/v3...v4)

---
updated-dependencies:
- dependency-name: peter-evans/create-pull-request
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-03-06 05:46:37 -08:00
Linus Heckemann
114dde340d Merge pull request #57 from DeterminateSystems/dependabot/github_actions/pedrolamas/handlebars-action-2.1.0
build(deps): bump pedrolamas/handlebars-action from 2.0.0 to 2.1.0
2023-01-27 16:00:40 +01:00
Eric Crosson
876a472251 fix(deps): upgrade DamianReeves/write-file-action to v1.2
https://github.com/DamianReeves/write-file-action/releases/tag/v1.2

This bumps the write-file-action from the Node.js 12 runtime to Node.js
16, avoiding a warning that Node.js 12 actions are deprecated[^1].

[^1]: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/
2023-01-23 07:15:35 -08:00
Eric Crosson
a0c5484d59 feat: accept list of reviewers and assignees
Pass a list of GitHub usernames through to
peter-evans/create-pull-request.

Assignees are specified with the `pr-assignees` property.
Reviewers are specified with the `pr-reviewers` property.

Both properties expect the value to be a list of GitHub usernames,
separated by either commas or newlines.
2023-01-19 07:29:15 -08:00
Arman Bilge
913da8731c Remove stray > 2022-11-28 08:02:01 -08:00
Arman Bilge
867efeb864 Emails should be in < ... > 2022-11-28 08:02:01 -08:00
Arman Bilge
5e50e4bcfb Allow customizing git author/committer name+email 2022-11-28 08:02:01 -08:00
dependabot[bot]
766761fdfc build(deps): bump pedrolamas/handlebars-action from 2.0.0 to 2.1.0
Bumps [pedrolamas/handlebars-action](https://github.com/pedrolamas/handlebars-action) from 2.0.0 to 2.1.0.
- [Release notes](https://github.com/pedrolamas/handlebars-action/releases)
- [Commits](https://github.com/pedrolamas/handlebars-action/compare/v2.0.0...v2.1.0)

---
updated-dependencies:
- dependency-name: pedrolamas/handlebars-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-08 01:17:13 +00:00
Aaron Andersen
0ad9a55048 feat: allow specifying a path to flake.nix within the repository 2022-09-14 07:46:21 -07:00
Nicola Squartini
235f95922e chore: bump crazy-max/ghaction-import-gpg 2022-08-19 11:40:14 -07:00
Nicola Squartini
a8f58509de feat: allow using a subkey for GPG signing 2022-08-19 11:39:18 -07:00
Cole Helbling
4cf0d5d8d6 Prevent template files from being committed 2022-07-29 07:49:05 -07:00
Eduardo Robles Elvira
e23c52bb51 fixing sign-commits boolean variable conditionals 2022-07-15 12:22:17 +01:00
Eduardo Robles Elvira
96af8bfbfc Adding documentation and support for custom pr-body 2022-07-15 11:44:21 +01:00
Eduardo Robles Elvira
1c5f270731 adding support for gpg commit signing 2022-07-15 05:40:47 +02:00
Arman Bilge
2026a4bf1a Expose option to configure branch for PR (#36) 2022-06-22 15:44:48 -04:00
Cole Helbling
c58b7816fa Expose the number of the opened PR 2022-04-22 11:46:11 -07:00
a-kenji
a10510d383 Add: script for update flake lock
Take commands out of the `action.yml` file, and put it in a dedicated
shell script.
2022-04-05 08:50:00 -07:00
maydayv7
e00d99112b fix: Re-introduce inputs.pr-title
This is to allow users to override the PR title, since the commit message and the title are processed differently, which may lead to errors in how they are displayed. For example, the commit message needs quotations to be escaped.
2022-02-01 10:43:22 -08:00
maydayv7
aa902c3538 fix: Support Custom Commit Message 2022-02-01 10:43:22 -08:00
V7
e8bb9f761a feat(cosmetic): Add Support for setting PR Labels 2022-02-01 10:43:22 -08:00
V7
073d38a53e feat(cosmetic): Add Support for Custom PR Title 2022-02-01 10:43:22 -08:00
Jörg Thalheim
0c7c875acc allow setting a different GitHub token. 2022-01-26 08:35:20 -08:00
Cole Helbling
2dc5d432c4 Don't use an external script for multiple inputs
All consumers would then have to bring this script into their repo,
since GitHub doesn't have something like Nix's string context.
2021-12-03 10:24:07 -08:00
Cole Helbling
0f6e7d684e Allow consumers to update specific flake inputs 2021-12-01 10:42:07 -08:00