diff --git a/.github/actions/install/action.yaml b/.github/actions/install/action.yaml index eb7e4ede28..6eb9457a10 100644 --- a/.github/actions/install/action.yaml +++ b/.github/actions/install/action.yaml @@ -6,6 +6,9 @@ inputs: description: Whether to install Go and dependencies ts: description: Whether to install Node.js and dependencies + github_token: + description: GitHub token for authentication + required: false runs: using: "composite" @@ -21,20 +24,28 @@ runs: if: ${{ inputs.go == 'true' }} shell: bash working-directory: ./go + env: + GITHUB_TOKEN: ${{ inputs.github_token }} - name: Install tparse run: go install github.com/mfridman/tparse@latest if: ${{ inputs.go == 'true' }} shell: bash working-directory: ./apps/agent + env: + GITHUB_TOKEN: ${{ inputs.github_token }} - name: Install goose run: go install github.com/pressly/goose/v3/cmd/goose@latest shell: bash + env: + GITHUB_TOKEN: ${{ inputs.github_token }} - name: Install Task uses: arduino/setup-task@v2 if: ${{ inputs.go == 'true' }} + env: + GITHUB_TOKEN: ${{ inputs.github_token }} - name: Setup Node if: ${{ inputs.ts == 'true' }} @@ -46,6 +57,8 @@ runs: if: ${{ inputs.ts == 'true' }} with: run_install: false + env: + GITHUB_TOKEN: ${{ inputs.github_token }} - name: Enable corepack if: ${{ inputs.ts == 'true' }} shell: bash @@ -57,6 +70,8 @@ runs: shell: bash run: | echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT + env: + GITHUB_TOKEN: ${{ inputs.github_token }} - uses: actions/cache@v3 if: ${{ inputs.ts == 'true' }} @@ -73,3 +88,6 @@ runs: run: | pnpm install --recursive npm i -g wrangler@latest + env: + GITHUB_TOKEN: ${{ inputs.github_token }} + NPM_TOKEN: ${{ inputs.github_token }} diff --git a/.github/workflows/autofix.ci.yaml b/.github/workflows/autofix.ci.yaml index 14f481ba3c..202110306a 100644 --- a/.github/workflows/autofix.ci.yaml +++ b/.github/workflows/autofix.ci.yaml 
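Review bot: The `env: GITHUB_TOKEN: ${{ inputs.github_token }}` blocks added in the `@@ -21,20 +24,28 @@` hunk give the token to steps that, from the visible lines, never use it: `go install` of a public module (tparse, goose) does not read `GITHUB_TOKEN`, and `arduino/setup-task@v2` takes its token through the `repo-token` input, not the environment. The same holds for the step configured with `run_install: false` and the `pnpm store path` step in the next two hunks. Keeping the secret out of steps that do not need it limits what a tool fetched at `@latest` can read; for setup-task the equivalent is `with:` / `repo-token: ${{ inputs.github_token }}`, and the other `env:` blocks can be dropped. The `runs:` block starts and ends outside these hunks.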
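Review bot: `NPM_TOKEN: ${{ inputs.github_token }}` in the last action.yaml hunk (`@@ -73,3 +88,6 @@`) places the workflow token in the environment of `pnpm install --recursive` and `npm i -g wrangler@latest`, where every dependency lifecycle script (such as `postinstall`) runs and can read it. A GitHub token only works as an npm credential when an `.npmrc` maps a scope to GitHub Packages, and no such file is visible in this diff. Unless private packages need it, drop both variables from this step. If one is needed, keep only that one and say why in a comment such as `# required to fetch private packages from GitHub Packages`.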
@@ -15,12 +15,13 @@ jobs: - uses: actions/setup-node@v4 with: node-version: 22 - + token: ${{ secrets.GITHUB_TOKEN }} - name: Install uses: ./.github/actions/install with: ts: true go: true + github_token: ${{ secrets.GITHUB_TOKEN }} - run: pnpm biome format . --write && pnpm biome check . --write diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index e0cbb23b2d..7e1ffa3474 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -2,6 +2,9 @@ name: Build on: workflow_call: +permissions: + contents: read + jobs: build: name: Build @@ -16,12 +19,11 @@ jobs: uses: ./.github/actions/install with: ts: true + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Build run: pnpm turbo run build --filter=./apps/api - - - name: Create .dev.vars run: | cat < .dev.vars @@ -34,17 +36,12 @@ jobs: run: pnpm dev & sleep 15 working-directory: apps/api - - - - name: Load Schema into MySQL run: pnpm drizzle-kit push working-directory: internal/db env: DRIZZLE_DATABASE_URL: "mysql://unkey:password@localhost:3306/unkey" - - - name: Build run: pnpm build env: diff --git a/.github/workflows/changesets.yaml b/.github/workflows/changesets.yaml index 67c628b386..fdf3203a28 100644 --- a/.github/workflows/changesets.yaml +++ b/.github/workflows/changesets.yaml @@ -8,6 +8,10 @@ on: concurrency: ${{ github.workflow }}-${{ github.ref }} +permissions: + contents: write # allow pushing commit & tags + pull-requests: write # allow opening the version PR + jobs: pr: name: Release Packages @@ -20,6 +24,7 @@ jobs: uses: ./.github/actions/install with: ts: true + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Build packages run: pnpm turbo run build --filter='./packages/*' diff --git a/.github/workflows/check_quotas.yml b/.github/workflows/check_quotas.yml index fa647e2e27..ca6467cc74 100644 --- a/.github/workflows/check_quotas.yml +++ b/.github/workflows/check_quotas.yml 
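Review bot: The `permissions:` / `contents: read` block added at the top of build.yaml is the only explicit read-only scope in this commit, while the same `github_token: ${{ secrets.GITHUB_TOKEN }}` input is added to the autofix, quota-check, test, deploy and release workflows whose hunks show no `permissions:` key. Those hunks begin below the top of each file, so a block may already exist there; if it does not, the token handed to the install action carries the repository's default scope. Adding `permissions:` / `contents: read` to each of those workflows, with extra scopes only where a job needs them, would make the token's reach explicit before it enters dependency installation.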
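Review bot: With `contents: write` and `pull-requests: write` declared at workflow level in changesets.yaml, the `github_token` passed to `./.github/actions/install` in the second hunk is write-scoped. The action's install step exports it as `GITHUB_TOKEN` and `NPM_TOKEN` while `pnpm install --recursive` runs third-party install scripts. The release step presumably needs the write token, but nothing visible shows that installation does. Consider dropping the `github_token: ${{ secrets.GITHUB_TOKEN }}` line from the `Install` step in this workflow so the write-scoped token reaches only the step that publishes. The `pr` job continues outside the hunk.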
@@ -23,6 +23,7 @@ jobs: uses: ./.github/actions/install with: go: true + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Build CLI working-directory: ./go diff --git a/.github/workflows/deploy_trigger.yaml b/.github/workflows/deploy_trigger.yaml index 4a9e8934a6..af32ad5c2d 100644 --- a/.github/workflows/deploy_trigger.yaml +++ b/.github/workflows/deploy_trigger.yaml @@ -11,9 +11,11 @@ jobs: - uses: actions/checkout@v4 - name: Install uses: ./.github/actions/install + with: + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Deploy Trigger.dev env: TRIGGER_ACCESS_TOKEN: ${{ secrets.TRIGGER_ACCESS_TOKEN }} run: pnpx trigger.dev@3.0.0-beta.23 deploy - working-directory: apps/billing \ No newline at end of file + working-directory: apps/billing diff --git a/.github/workflows/job_clickhouse_migration_preview.yaml b/.github/workflows/job_clickhouse_migration_preview.yaml index d8949342c4..6fe9116f15 100644 --- a/.github/workflows/job_clickhouse_migration_preview.yaml +++ b/.github/workflows/job_clickhouse_migration_preview.yaml @@ -6,9 +6,6 @@ on: required: true workflow_dispatch: - - - jobs: deploy: environment: Preview @@ -20,10 +17,12 @@ jobs: uses: ./.github/actions/install with: go: true + github_token: ${{ secrets.GITHUB_TOKEN }} - - name: Install gooes + - name: Install goose run: go install github.com/pressly/goose/v3/cmd/goose@latest - + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Migrate run: goose clickhouse "${{ secrets.CLICKHOUSE_URL }}" up diff --git a/.github/workflows/job_clickhouse_migration_production.yaml b/.github/workflows/job_clickhouse_migration_production.yaml index 344e9e1f68..93049808b4 100644 --- a/.github/workflows/job_clickhouse_migration_production.yaml +++ b/.github/workflows/job_clickhouse_migration_production.yaml @@ -6,8 +6,6 @@ on: required: true workflow_dispatch: - - jobs: deploy: environment: ClickHouse Production Migration 
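Review bot: The `Install goose` step kept in the second hunk of job_clickhouse_migration_preview.yaml repeats the `go install github.com/pressly/goose/v3/cmd/goose@latest` that `./.github/actions/install` already runs with no `if:` guard, as shown earlier in this diff. The added `GITHUB_TOKEN` env is also not something `go install` uses for a public module. Because the following `Migrate` step runs that binary against `secrets.CLICKHOUSE_URL`, an unpinned `@latest` means whatever version is published at run time receives the database credentials. Consider removing the duplicate step and pinning the tool in the composite action, for example `goose@<pinned-version>`. The same applies to the matching hunk in job_clickhouse_migration_production.yaml.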
@@ -19,10 +17,12 @@ jobs: uses: ./.github/actions/install with: go: true + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Install goose run: go install github.com/pressly/goose/v3/cmd/goose@latest - + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Migrate run: goose clickhouse "${{ secrets.CLICKHOUSE_URL }}" up diff --git a/.github/workflows/job_deploy_api_canary.yaml b/.github/workflows/job_deploy_api_canary.yaml index 452f1b9615..873d70661b 100644 --- a/.github/workflows/job_deploy_api_canary.yaml +++ b/.github/workflows/job_deploy_api_canary.yaml @@ -1,12 +1,10 @@ name: Deploy API Canary on: workflow_call: - secrets: - CLOUDFLARE_API_TOKEN: + secrets: + CLOUDFLARE_API_TOKEN: required: true - - jobs: deploy: environment: Canary @@ -18,6 +16,7 @@ jobs: uses: ./.github/actions/install with: ts: true + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Build run: pnpm turbo run build --filter='./apps/api' @@ -26,4 +25,4 @@ jobs: run: wrangler deploy --env=canary --var VERSION:$(git rev-parse --short HEAD) working-directory: apps/api env: - CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} \ No newline at end of file + CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} diff --git a/.github/workflows/job_deploy_api_enterprise.yaml b/.github/workflows/job_deploy_api_enterprise.yaml index 93d1a53e56..5611d64b35 100644 --- a/.github/workflows/job_deploy_api_enterprise.yaml +++ b/.github/workflows/job_deploy_api_enterprise.yaml @@ -1,8 +1,8 @@ name: Deploy API Enterprise on: workflow_call: - secrets: - CLOUDFLARE_API_TOKEN: + secrets: + CLOUDFLARE_API_TOKEN: required: true description: "Cloudflare API Token" @@ -25,6 +25,7 @@ jobs: uses: ./.github/actions/install with: ts: true + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Build run: pnpm turbo run build --filter='./apps/api' diff --git a/.github/workflows/job_deploy_api_production.yaml b/.github/workflows/job_deploy_api_production.yaml index 3494018c1c..66e8b51d3b 100644 
--- a/.github/workflows/job_deploy_api_production.yaml +++ b/.github/workflows/job_deploy_api_production.yaml @@ -5,8 +5,6 @@ on: CLOUDFLARE_API_TOKEN: required: true - - jobs: deploy: environment: Production @@ -18,6 +16,7 @@ jobs: uses: ./.github/actions/install with: ts: true + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Build run: pnpm turbo run build --filter='./apps/api' diff --git a/.github/workflows/job_deploy_api_staging.yaml b/.github/workflows/job_deploy_api_staging.yaml index 0a8984ae77..faac9cc474 100644 --- a/.github/workflows/job_deploy_api_staging.yaml +++ b/.github/workflows/job_deploy_api_staging.yaml @@ -1,8 +1,8 @@ name: Deploy API Staging on: workflow_call: - secrets: - CLOUDFLARE_API_TOKEN: + secrets: + CLOUDFLARE_API_TOKEN: required: true jobs: @@ -16,6 +16,7 @@ jobs: uses: ./.github/actions/install with: ts: true + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Build run: pnpm turbo run build --filter='./apps/api' @@ -24,4 +25,4 @@ jobs: run: wrangler deploy --env=preview --var VERSION:$(git rev-parse --short HEAD) working-directory: apps/api env: - CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} \ No newline at end of file + CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} diff --git a/.github/workflows/job_deploy_logdrain_production.yaml b/.github/workflows/job_deploy_logdrain_production.yaml index d1623de4dc..a3d83fe124 100644 --- a/.github/workflows/job_deploy_logdrain_production.yaml +++ b/.github/workflows/job_deploy_logdrain_production.yaml @@ -5,8 +5,6 @@ on: CLOUDFLARE_API_TOKEN: required: true - - jobs: deploy: environment: Production @@ -18,6 +16,7 @@ jobs: uses: ./.github/actions/install with: ts: true + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Build run: pnpm turbo run build --filter='./apps/logdrain' diff --git a/.github/workflows/job_deploy_workflows.yaml b/.github/workflows/job_deploy_workflows.yaml index 89efb82c80..aff7956623 100644 --- a/.github/workflows/job_deploy_workflows.yaml 
+++ b/.github/workflows/job_deploy_workflows.yaml @@ -1,12 +1,10 @@ -name: Deploy Logdrain Production +name: Deploy Workflows Production on: workflow_call: - secrets: - CLOUDFLARE_API_TOKEN: + secrets: + CLOUDFLARE_API_TOKEN: required: true - - jobs: deploy: environment: Production @@ -18,12 +16,13 @@ jobs: uses: ./.github/actions/install with: ts: true + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Build - run: pnpm turbo run build --filter='./apps/logdrain' + run: pnpm turbo run build --filter='./apps/workflows' - name: Deploy run: wrangler deploy - working-directory: apps/logdrain + working-directory: apps/workflows env: - CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} \ No newline at end of file + CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} diff --git a/.github/workflows/job_test_agent_integration.yaml b/.github/workflows/job_test_agent_integration.yaml index 3800158114..20422be0d1 100644 --- a/.github/workflows/job_test_agent_integration.yaml +++ b/.github/workflows/job_test_agent_integration.yaml @@ -6,7 +6,6 @@ on: required: true type: string - jobs: test_agent_integration: runs-on: ubuntu-latest @@ -17,7 +16,7 @@ jobs: uses: ./.github/actions/install with: go: true - + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Build run: task build diff --git a/.github/workflows/job_test_agent_local.yaml b/.github/workflows/job_test_agent_local.yaml index 4c5276ff9e..64bb705165 100644 --- a/.github/workflows/job_test_agent_local.yaml +++ b/.github/workflows/job_test_agent_local.yaml @@ -2,8 +2,6 @@ name: Test Agent Local on: workflow_call: - - jobs: test_agent_local: runs-on: ubuntu-latest @@ -14,7 +12,7 @@ jobs: uses: ./.github/actions/install with: go: true - + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Build run: task build diff --git a/.github/workflows/job_test_api_canary.yaml b/.github/workflows/job_test_api_canary.yaml index fbbd2178a9..7da7501fb4 100644 --- a/.github/workflows/job_test_api_canary.yaml 
+++ b/.github/workflows/job_test_api_canary.yaml @@ -33,6 +33,7 @@ jobs: uses: ./.github/actions/install with: ts: true + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Build run: pnpm turbo run build --filter=./apps/api diff --git a/.github/workflows/job_test_api_local.yaml b/.github/workflows/job_test_api_local.yaml index b73a8eab46..f882e541ee 100644 --- a/.github/workflows/job_test_api_local.yaml +++ b/.github/workflows/job_test_api_local.yaml @@ -21,6 +21,7 @@ jobs: with: ts: true go: true + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Build run: pnpm turbo run build --filter=./apps/api... diff --git a/.github/workflows/job_test_api_staging.yaml b/.github/workflows/job_test_api_staging.yaml index 31098beeb2..6a97ba9f11 100644 --- a/.github/workflows/job_test_api_staging.yaml +++ b/.github/workflows/job_test_api_staging.yaml @@ -38,6 +38,7 @@ jobs: uses: ./.github/actions/install with: ts: true + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Build run: pnpm turbo run build --filter=./apps/api diff --git a/.github/workflows/job_test_go_api_local.yaml b/.github/workflows/job_test_go_api_local.yaml index 8ad4f8dc4c..65e62934a7 100644 --- a/.github/workflows/job_test_go_api_local.yaml +++ b/.github/workflows/job_test_go_api_local.yaml @@ -18,6 +18,7 @@ jobs: uses: ./.github/actions/install with: go: true + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Test run: go test -shuffle=on -timeout=60m $(go run ./scripts/shard-test ${{ matrix.shard }}) diff --git a/.github/workflows/job_test_unit.yaml b/.github/workflows/job_test_unit.yaml index 9de9d48cc3..ab3fa067fe 100644 --- a/.github/workflows/job_test_unit.yaml +++ b/.github/workflows/job_test_unit.yaml @@ -28,6 +28,7 @@ jobs: uses: ./.github/actions/install with: ts: true + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Build if: ${{ matrix.path != './apps/dashboard' }} run: pnpm turbo run build --filter=${{matrix.path}} 
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 75b61720ce..6e3c8cca58 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -24,6 +24,7 @@ jobs: with: go: true ts: true + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Login to image repository uses: docker/login-action@v3 diff --git a/.github/workflows/test_agent_local.yaml b/.github/workflows/test_agent_local.yaml index 07f24ee21b..3a6a73d28f 100644 --- a/.github/workflows/test_agent_local.yaml +++ b/.github/workflows/test_agent_local.yaml @@ -2,7 +2,6 @@ name: Test Agent Local on: workflow_call: - jobs: test_agent_local: runs-on: ubuntu-latest @@ -13,7 +12,7 @@ jobs: uses: ./.github/actions/install with: go: true - + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Build run: task build