Skip to content

fix(ci): add secrets inherit and permissions for release workflow OIDC #82

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
philcarbone merged 6 commits into from
Feb 7, 2026
Merged

fix(ci): add secrets inherit and permissions for release workflow OIDC #82

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
675bc83
fix(ci): add secrets inherit and permissions for release workflow OIDC
philcarbone Feb 7, 2026
8b1d498
fix(release): remove secrets: inherit to address Sonar security flag
philcarbone Feb 7, 2026
23b7acc
feat(ci): add automated cache cleanup workflows
philcarbone Feb 7, 2026
0257fb3
refactor(ci): remove PR cache cleanup, keep only scheduled
philcarbone Feb 7, 2026
f7ce373
fix(ci): exclude node_modules from SonarCloud analysis
philcarbone Feb 7, 2026
6813ff0
fix(ci): skip SonarCloud analysis on PR branches
philcarbone Feb 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
53 changes: 53 additions & 0 deletions .github/workflows/cache-cleanup-scheduled.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
name: Cache Cleanup (Scheduled)

on:
schedule:
- cron: '0 0 * * 0' # Sunday midnight UTC
workflow_dispatch: # Manual trigger

permissions:
actions: write # Required to delete caches

jobs:
cleanup:
name: Cleanup Old Caches
runs-on: ubuntu-latest
steps:
- name: Cleanup Old Caches
env:
GH_TOKEN: ${{ github.token }}
REPO: ${{ github.repository }}
run: |
echo "Fetching cache list for $REPO..."

# Get all caches sorted by last accessed (oldest first)
gh api "repos/$REPO/actions/caches" \
--jq '.actions_caches | sort_by(.last_accessed_at) | .[] | "\(.id) \(.key) \(.size_in_bytes)"' \
> /tmp/caches.txt

TOTAL=$(wc -l < /tmp/caches.txt | tr -d ' ')
echo "Found $TOTAL caches"

# Keep newest 3 caches, delete rest
KEEP=3
DELETE=$((TOTAL - KEEP))

if [ "$DELETE" -gt 0 ]; then
echo "Deleting $DELETE old caches (keeping newest $KEEP)"

head -n "$DELETE" /tmp/caches.txt | while read -r id key size; do
size_mb=$((size / 1024 / 1024))
echo "Deleting cache $id (${size_mb}MB): $key"
gh api --method DELETE "repos/$REPO/actions/caches/$id" || true
done

echo "✅ Deleted $DELETE old caches"
else
echo "Only $TOTAL caches exist, nothing to delete (keeping $KEEP)"
fi

# Show remaining caches
echo ""
echo "=== Remaining caches ==="
gh api "repos/$REPO/actions/caches" \
--jq '.actions_caches[] | "\(.key): \(.size_in_bytes / 1024 / 1024 | floor)MB"'
9 changes: 8 additions & 1 deletion .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,11 @@ env:
DOTNET_NOLOGO: true
DOTNET_CLI_TELEMETRY_OPTOUT: true

# Top-level permissions for the workflow
permissions:
contents: write # For committing version changes and pushing tags
id-token: write # For OIDC trusted publishing (inherited by reusable workflows)

jobs:
version:
name: Calculate Version
Expand Down Expand Up @@ -202,4 +207,6 @@ jobs:
uses: ./.github/workflows/nuget-publish.yml
with:
tag: v${{ needs.version.outputs.semver }}
# No secrets needed - workflow uses OIDC trusted publishing
# Note: No secrets needed - nuget-publish.yml uses OIDC trusted publishing
# which relies on id-token permission (declared in the called workflow),
# not repository secrets
4 changes: 3 additions & 1 deletion .github/workflows/reusable-quality.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -139,14 +139,16 @@ jobs:
fi

- name: SonarCloud Analysis
# Only run on main/develop pushes - PR analysis not supported by current SonarCloud plan
if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop')
env:
GITHUB_TOKEN: ${{ github.token }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: |
dotnet-sonarscanner begin /k:"whizbang-lib_whizbang" /o:"whizbang-lib" \
/d:sonar.token="${SONAR_TOKEN}" \
/d:sonar.host.url="https://sonarcloud.io" \
/d:sonar.exclusions="**/samples/**,**/benchmarks/**,**/*Generated.cs,**/.whizbang-generated/**" \
/d:sonar.exclusions="**/samples/**,**/benchmarks/**,**/node_modules/**,**/*Generated.cs,**/.whizbang-generated/**" \
/d:sonar.cpd.exclusions="**/tests/**,**/tools/**,**/samples/**,**/benchmarks/**,src/Whizbang.Generators/**,src/Whizbang.Generators.Shared/**,src/Whizbang.Data.EFCore.Postgres.Generators/**,src/Whizbang.Transports.HotChocolate.Generators/**,src/Whizbang.Transports.FastEndpoints.Generators/**" \
/d:sonar.coverage.exclusions="**/samples/**,**/benchmarks/**,**/tests/**,**/tools/**,src/Whizbang.Generators/**,src/Whizbang.Generators.Shared/**,src/Whizbang.Data.Schema/**,src/Whizbang.Data.EFCore.Postgres.Generators/**,src/Whizbang.Transports.HotChocolate.Generators/**,src/Whizbang.Transports.FastEndpoints.Generators/**,src/Whizbang.Hosting.Azure.ServiceBus/**,src/Whizbang.Hosting.RabbitMQ/**,src/Whizbang.Data.Dapper.Postgres/**,src/Whizbang.Transports.RabbitMQ/**,src/Whizbang.Data.EFCore.Postgres/**,src/Whizbang.Transports.AzureServiceBus/**,src/Whizbang.Data.Dapper.Sqlite/**,src/Whizbang.Data.Dapper.Custom/**,src/Whizbang.Data.EFCore.Custom/**,src/Whizbang.Data.Postgres/**,src/Whizbang.Testing/**,src/Whizbang.Observability/**,src/Whizbang.SignalR/**" \
/d:sonar.coverageReportPaths="coverage/sonarqube/SonarQube.xml" \
Expand Down
Loading