diff --git a/.github/workflows/trigger-docs-patrol.yml b/.github/workflows/trigger-docs-patrol.yml
index d8a4edc0..a8ef1646 100644
--- a/.github/workflows/trigger-docs-patrol.yml
+++ b/.github/workflows/trigger-docs-patrol.yml
@@ -11,14 +11,35 @@ permissions:
 issues: write
 pull-requests: write
+ actions: read
 jobs:
 run:
 uses: ./.github/workflows/gh-aw-docs-patrol.lock.yml
 secrets:
 COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- create_pr_from_issue:
+ resolve_created_issue:
 needs: run
+ runs-on: ubuntu-slim
+ outputs:
+ created_issue_url: ${{ steps.resolve.outputs.created_issue_url }}
+ steps:
+ - name: Resolve created issue number
+ id: resolve
+ env:
+ CREATED_ISSUE_NUMBER: ${{ needs.run.outputs.created_issue_number }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ REPOSITORY: ${{ github.repository }}
+ run: |
+ number="$CREATED_ISSUE_NUMBER"
+ url=""
+ if [ -n "$number" ]; then
+ url="$(gh issue view "$number" --repo "$REPOSITORY" --json url --jq '.url')"
+ fi
+ echo "created_issue_url=$url" >> "$GITHUB_OUTPUT"
+
+ create_pr_from_issue:
+ needs: [run, resolve_created_issue]
 if: ${{ needs.run.outputs.created_issue_number != '' }}
 uses: ./.github/workflows/gh-aw-create-pr-from-issue.lock.yml
 with:
diff --git a/.github/workflows/trigger-framework-best-practices.yml b/.github/workflows/trigger-framework-best-practices.yml
index 40792a4f..8bc1736a 100644
--- a/.github/workflows/trigger-framework-best-practices.yml
+++ b/.github/workflows/trigger-framework-best-practices.yml
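Review bot: The new resolve step hands `CREATED_ISSUE_NUMBER` to `gh issue view "$number"` with only an emptiness check, although the value is an output of the agent-driven `gh-aw-docs-patrol.lock.yml` call rather than something this workflow controls. gh accepts an issue URL in place of a number (which, as far as I recall, overrides `--repo`) and parses flags placed after positionals, so a non-numeric value could resolve an issue elsewhere or change the command; constrain it to digits, `if [[ "$number" =~ ^[0-9]+$ ]]; then`, and fail on anything else that is non-empty, `elif [ -n "$number" ]; then echo "::error::unexpected created_issue_number"; exit 1; fi`, keeping the empty case as the silent no-op it is today. The same step is emitted by the heredoc in scripts/dogfood.sh and appears in the other trigger workflows in this commit, so the check belongs in that template.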
@@ -11,14 +11,35 @@ permissions:
 issues: write
 pull-requests: write
+ actions: read
 jobs:
 run:
 uses: ./.github/workflows/gh-aw-framework-best-practices.lock.yml
 secrets:
 COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- create_pr_from_issue:
+ resolve_created_issue:
 needs: run
+ runs-on: ubuntu-slim
+ outputs:
+ created_issue_url: ${{ steps.resolve.outputs.created_issue_url }}
+ steps:
+ - name: Resolve created issue number
+ id: resolve
+ env:
+ CREATED_ISSUE_NUMBER: ${{ needs.run.outputs.created_issue_number }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ REPOSITORY: ${{ github.repository }}
+ run: |
+ number="$CREATED_ISSUE_NUMBER"
+ url=""
+ if [ -n "$number" ]; then
+ url="$(gh issue view "$number" --repo "$REPOSITORY" --json url --jq '.url')"
+ fi
+ echo "created_issue_url=$url" >> "$GITHUB_OUTPUT"
+
+ create_pr_from_issue:
+ needs: [run, resolve_created_issue]
 if: ${{ needs.run.outputs.created_issue_number != '' }}
 uses: ./.github/workflows/gh-aw-create-pr-from-issue.lock.yml
 with:
diff --git a/.github/workflows/trigger-text-auditor.yml b/.github/workflows/trigger-text-auditor.yml
index f3cd874d..1b8412c7 100644
--- a/.github/workflows/trigger-text-auditor.yml
+++ b/.github/workflows/trigger-text-auditor.yml
@@ -11,6 +11,7 @@ permissions:
 issues: write
 pull-requests: write
+ actions: read
 jobs:
 run:
 uses: ./.github/workflows/gh-aw-text-auditor.lock.yml
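Review bot: `resolve_created_issue` is a plain job under the workflow-level `permissions:` block, so its `GITHUB_TOKEN` carries `issues: write`, `pull-requests: write`, the newly added `actions: read` and whatever else is declared above the hunk, while the only thing the step does with it is `gh issue view`. Scoping the job with its own `permissions:` block containing just `issues: read` keeps the write grants for the reusable-workflow jobs that need them and limits what a bad value flowing into this step could do with the token. The `actions: read` grant appears to be meant for the called workflows (the scripts/dogfood.sh comment in this commit mentions artifact reads) and is not needed by this job.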
@@ -23,8 +24,28 @@ jobs:
 secrets:
 COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
- create_pr_from_issue:
+ resolve_created_issue:
 needs: run
+ runs-on: ubuntu-slim
+ outputs:
+ created_issue_url: ${{ steps.resolve.outputs.created_issue_url }}
+ steps:
+ - name: Resolve created issue number
+ id: resolve
+ env:
+ CREATED_ISSUE_NUMBER: ${{ needs.run.outputs.created_issue_number }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ REPOSITORY: ${{ github.repository }}
+ run: |
+ number="$CREATED_ISSUE_NUMBER"
+ url=""
+ if [ -n "$number" ]; then
+ url="$(gh issue view "$number" --repo "$REPOSITORY" --json url --jq '.url')"
+ fi
+ echo "created_issue_url=$url" >> "$GITHUB_OUTPUT"
+
+ create_pr_from_issue:
+ needs: [run, resolve_created_issue]
 if: ${{ needs.run.outputs.created_issue_number != '' }}
 uses: ./.github/workflows/gh-aw-create-pr-from-issue.lock.yml
 with:
diff --git a/scripts/dogfood.sh b/scripts/dogfood.sh
index 6b3bddf2..c3b3d038 100755
--- a/scripts/dogfood.sh
+++ b/scripts/dogfood.sh
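Review bot: `resolve_created_issue` has no `if:` guard, so it starts a runner on every run even when the agent created no issue and the step only writes an empty `created_issue_url`, while `create_pr_from_issue` a few lines below already gates on `needs.run.outputs.created_issue_number != ''`. Putting the same condition on the new job, `if: ${{ needs.run.outputs.created_issue_number != '' }}`, skips it in that case, and because the PR job carries an identical condition the dependency chain behaves as before. It is also worth a comment above the `gh issue view` line that a failure there (for instance a number that is not an issue in this repository) fails this job under the step's default `bash -e` shell and, through `needs`, skips `create_pr_from_issue`, since that fail-closed behaviour is the reason the new job is in `needs` and should not be weakened with `continue-on-error`.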
@@ -110,13 +110,53 @@ for f in gh-agent-workflows/*/example.yml; do
 [[ "$dir" == "$remediation" ]] && add_remediation=true && break
 done
 if [[ "$add_remediation" == "true" ]]; then
- # Ensure permissions allow downstream PR creation job.
- sed -E 's/^([[:space:]]*contents: )read$/\1write/; s/^([[:space:]]*pull-requests: )read$/\1write/' "$target" > "$target.tmp" && mv "$target.tmp" "$target"
+ # Ensure permissions allow downstream PR creation job and artifact reads.
+ awk '
+ BEGIN { in_permissions=0; have_actions=0 }
+ /^permissions:/ { in_permissions=1; print; next }
+ in_permissions {
+ if (/^jobs:/) {
+ if (!have_actions) print " actions: read"
+ in_permissions=0
+ print
+ next
+ }
+ if ($0 ~ /^ contents: /) sub(/read$/, "write")
+ if ($0 ~ /^ pull-requests: /) sub(/read$/, "write")
+ if ($0 ~ /^ actions: /) {
+ if ($0 ~ /none$/) sub(/none$/, "read")
+ have_actions=1
+ }
+ print
+ next
+ }
+ { print }
+ ' "$target" > "$target.tmp" && mv "$target.tmp" "$target"
 cat >> "$target" <<'EOF'
- create_pr_from_issue:
+ resolve_created_issue:
 needs: run
+ runs-on: ubuntu-slim
+ outputs:
+ created_issue_url: ${{ steps.resolve.outputs.created_issue_url }}
+ steps:
+ - name: Resolve created issue number
+ id: resolve
+ env:
+ CREATED_ISSUE_NUMBER: ${{ needs.run.outputs.created_issue_number }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ REPOSITORY: ${{ github.repository }}
+ run: |
+ number="$CREATED_ISSUE_NUMBER"
+ url=""
+ if [ -n "$number" ]; then
+ url="$(gh issue view "$number" --repo "$REPOSITORY" --json url --jq '.url')"
+ fi
+ echo "created_issue_url=$url" >> "$GITHUB_OUTPUT"
+
+ create_pr_from_issue:
+ needs: [run, resolve_created_issue]
 if: ${{ needs.run.outputs.created_issue_number != '' }}
 uses: ./.github/workflows/gh-aw-create-pr-from-issue.lock.yml
 with:
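Review bot: The awk rewrite treats everything after a `/^permissions:/` match as the permissions block until a line matching `/^jobs:/`, so any top-level key between the two (`env:`, `concurrency:`, `defaults:`) is scanned as a permission and the `actions: read` line is printed immediately before `jobs:`, i.e. nested under the wrong key; a shorthand `permissions: read-all` or `write-all` line also matches the entry pattern and then gains a nested `actions: read`, which is invalid YAML. Close the block on the first non-indented, non-comment line rather than on `jobs:` specifically, `if ($0 ~ /^[^[:space:]#]/) {`, enter it only for a bare key, `/^permissions:[[:space:]]*$/ { in_permissions=1; print; next }`, and add `END { if (in_permissions && !have_actions) print "  actions: read" }` so a file whose permissions block is last still receives the grant. The `sub(/read$/, "write")` widening of `contents:` is carried over from the old sed and is what gives the appended PR job its write access, so the comment above the awk should say that the widening is deliberate and that `actions: none` is likewise promoted to `read`. The `for` loop enclosing this hunk begins outside it.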