Merge branch 'main' into removing-explicit-tokens

.github/workflows/cla.yml

@@ -20,4 +20,4 @@ jobs:
           path-to-signatures: 'signatures/version1/cla.json'
           path-to-document: 'https://github.com/Staffbase/gha-workflows/blob/main/CLA.md'
           branch: 'signatures'
-          allowlist: 0x46616c6b,axdotl,flaxel,kaitimmer,*bot*
+          allowlist: 0x46616c6b,axdotl,flaxel,kaitimmer,timdittler,*bot*

.github/workflows/template_autodev.yml

@@ -46,7 +46,11 @@ on:
         type: string
     secrets:
       token:
-        required: true
+        required: false
+      app_id:
+        required: false
+      private_key:
+        required: false
 
 jobs:
   autodev:
@@ -57,15 +61,27 @@ jobs:
     # check to not trigger if dependabot did something or PR was closed or label is not the configured dev label
     if: github.actor != 'dependabot[bot]' && (github.event_name == 'push' || github.event.label.name == inputs.label || github.event.action == 'closed')
 
+    env:
+      USING_APP_CREDENTIALS: ${{ secrets.app_id != '' && secrets.private_key != '' }}
+
     steps:
+      - name: Get App Token
+        if: ${{ env.USING_APP_CREDENTIALS == 'true' }}
+        uses: tibdex/[email protected]
+        id: get_token
+        with:
+          app_id: ${{ secrets.app_id }}
+          private_key: ${{ secrets.private_key }}
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
-          token: ${{ secrets.token }}
+          token: ${{ env.USING_APP_CREDENTIALS == 'true' && steps.get_token.outputs.token || secrets.token }}
           fetch-depth: 0
+          fetch-tags: false
 
       - name: Autodev
-        uses: staffbase/autodev-action@v1.7.0
+        uses: staffbase/autodev-action@v1.8.2
         with:
           base: ${{ inputs.base }}
           branch: ${{ inputs.branch }}
@@ -77,5 +93,5 @@ jobs:
           labels: ${{ inputs.labels }}
           success_comment: ${{ inputs.success_comment }}
           success_label: ${{ inputs.success_label }}
-          token: ${{ secrets.token }}
+          token: ${{ env.USING_APP_CREDENTIALS == 'true' && steps.get_token.outputs.token || secrets.token }}
           user: ${{ inputs.user }}

.github/workflows/template_gitops.yml

@@ -30,6 +30,10 @@ on:
       gitops-prod:
         required: false
         type: string
+      working-directory:
+        required: false
+        type: string
+        default: '.'
     # waiting for: https://github.com/github-community/community/discussions/17554
     secrets:
       docker-username:
@@ -55,7 +59,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: GitOps (build, push and deploy a new Docker image)
         uses: Staffbase/[email protected]
@@ -75,3 +79,4 @@ jobs:
           gitops-dev: ${{ inputs.gitops-dev }}
           gitops-stage: ${{ inputs.gitops-stage }}
           gitops-prod: ${{ inputs.gitops-prod }}
+          working-directory: ${{ inputs.working-directory }}

.github/workflows/template_jira_tagging.yml

@@ -26,9 +26,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          fetch-tags: false
 
       - name: Fetch ticket Ids
         id: fetchTicketIds
@@ -37,7 +38,7 @@ jobs:
           TAG_MATCHER: ${{ inputs.tag-matcher }}
 
       - name: Add release notes to JIRA tickets
-        uses: Staffbase/github-action-jira-release-tagging@v1.1.0
+        uses: Staffbase/github-action-jira-release-tagging@v1.2.0
         env:
           JIRA_BASEURL: ${{ secrets.jira-url }}
           JIRA_TOKEN: ${{ secrets.jira-token }}

.github/workflows/template_launchdarkly_code_references.yml

@@ -0,0 +1,47 @@
+name: Find LaunchDarkly flag code references
+
+on:
+  workflow_call:
+    inputs:
+      project-key:
+        required: false
+        type: string
+        default: 'default'
+    secrets:
+      access-token:
+        required: true
+
+jobs:
+  launchDarklyCodeReferences:
+
+    name: Find LaunchDarkly flag code references
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Create Files
+        run: |
+          mkdir .launchdarkly
+          cat <<EOT >> .launchdarkly/coderefs.yml
+          aliases:
+            - type: camelcase
+            - type: command
+              command: "./.launchdarkly/flag-alias.sh"
+              timeout: 5
+          EOT
+          cat <<EOT >> .launchdarkly/flag-alias.sh
+          #!/bin/sh
+          read flagKey <&0; echo "[\"\$flagKey\",\"\$(echo \$flagKey | awk '{print tolower(\$0)}' | awk -F'-' '{for(i=1;i<=NF;i++){\$i=toupper(substr(\$i,1,1)) substr(\$i,2)}} 1' OFS='' | awk '{print tolower(substr(\$0,0,1))substr(\$0,2)}')\"]"
+          EOT
+          chmod +x .launchdarkly/flag-alias.sh
+      - name: Show Files
+        run: |
+          cat .launchdarkly/coderefs.yml
+          cat .launchdarkly/flag-alias.sh
+      - name: LaunchDarkly Code References
+        uses: launchdarkly/[email protected]
+        with:
+          accessToken: ${{ secrets.access-token }}
+          projKey: ${{ inputs.project-key }}
+          debug: true

.github/workflows/template_release_drafter.yml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Update Release
-        uses: release-drafter/release-drafter@v5
+        uses: release-drafter/release-drafter@v5.25.0
         with:
           name: ${{ inputs.name }}
           publish: ${{ inputs.publish }}

.github/workflows/template_release_version.yml

@@ -0,0 +1,57 @@
+name: Release Version Detector
+
+on:
+  workflow_call:
+    outputs:
+      new_version:
+        value: ${{ jobs.new_version.outputs.new_version }}
+      new_tag:
+        value: ${{ jobs.new_version.outputs.new_tag }}
+
+jobs:
+  new_version:
+
+    name: Get new release version
+    runs-on: ubuntu-22.04
+
+    outputs:
+      new_version: ${{ steps.set_version.outputs.next_version }}
+      new_tag: ${{ steps.set_version.outputs.next_tag }}
+
+    steps:
+      - name: Detect new release version
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        id: set_version
+        run: |
+          DATE=$(date +"%Y%m%d")
+          YEAR=$(date +"%Y")
+          WEEK=$(date +"%-W")
+
+          if [[ $(gh release view -R ${{ github.repository }} 2>&1) =~ "release not found" ]]; then
+            COUNTER=1
+          else
+            # fetch last tag from github
+            OLD_VERSION=`gh api repos/${{ github.repository }}/releases/latest | jq .tag_name -r`
+            PARTS=(${OLD_VERSION//./ })
+            COUNTER=${PARTS[2]}
+            WEEK_FROM_LAST_TAG=${PARTS[1]}
+
+            # if we have a new week we start to count from 0
+            if [ ${WEEK_FROM_LAST_TAG} != ${WEEK} ]; then
+              COUNTER=0
+            fi
+
+            # check if valid tag
+            pattern="v[0-9]+.[0-9]+.[0-9]+$"
+            if ! [[ $OLD_VERSION =~ $pattern ]]; then
+              COUNTER=0
+            fi
+
+            # increase Version
+            COUNTER=$((COUNTER+1))
+          fi
+
+          echo "next_version=${YEAR}.${WEEK}.${COUNTER}" >> $GITHUB_OUTPUT
+          echo "next_tag=v${YEAR}.${WEEK}.${COUNTER}" >> $GITHUB_OUTPUT
+        shell: bash

.github/workflows/template_secret_scan.yml

@@ -11,12 +11,13 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          fetch-tags: false
 
       - name: TruffleHog OSS
-        uses: trufflesecurity/trufflehog@v3.39.0
+        uses: trufflesecurity/trufflehog@v3.61.0
         with:
           path: ./
           base: ${{ github.event.repository.default_branch }}

.github/workflows/template_stale.yml

@@ -36,7 +36,7 @@ jobs:
 
     steps:
       - name: Stale old PRs
-        uses: actions/stale@v8
+        uses: actions/stale@v8.0.0
         with:
           close-pr-message: ${{ inputs.close-pr-message }}
           days-before-pr-stale: ${{ inputs.days-before-pr-stale }}

.github/workflows/template_techdocs.yml

@@ -44,7 +44,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Build and Publish Site
         uses: Staffbase/[email protected]

.github/workflows/template_testio_trigger_test.yml

@@ -0,0 +1,33 @@
+name: TestIO - Trigger Test
+
+on:
+  workflow_call:
+    inputs:
+      testio-slug:
+        required: false
+        type: string
+        default: 'staffbase'
+      testio-product-id:
+        required: true
+        type: string
+    secrets:
+      github-token:
+        required: true
+      testio-token:
+        required: true
+
+jobs:
+  testio-trigger-test:
+
+    name: TestIO - Trigger Test
+    runs-on: ubuntu-22.04
+    if: startsWith(github.event.comment.body, '@bot-testio exploratory-test')     # this is the prefix all subsequent comments must start with
+
+    steps:
+      - name: Trigger Test on TestIO
+        uses: Staffbase/[email protected]
+        with:
+          testio-slug: ${{ inputs.testio-slug }}
+          testio-product-id: ${{ inputs.testio-product-id }}
+          github-token: ${{ secrets.github-token }}
+          testio-token: ${{ secrets.testio-token }}

.github/workflows/template_yaml.yml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Lint and Annotate
         uses: staffbase/[email protected]

.github/workflows/versions.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout the source code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Find and Replace old versions
         run: |
           sed -i -E 's/(v[0-9]+.[0-9]+.[0-9]+)/${{ github.ref_name }}/g' README.md