Pull request: ADG-12053-imp-gh-workflow-permissions

Squashed commit of the following:

commit 8cb31a510bc3983032337c513df8859bd6e89333
Merge: 3a3ff8e40 3f153ea7c
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Mon Apr 20 10:41:36 2026 +0700

    Merge remote-tracking branch 'origin/master' into ADG-12053-imp-gh-workflow-permissions

commit 3a3ff8e40892a704450ec3bff450b2d8a070af41
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Thu Apr 16 09:09:10 2026 +0700

    gh workflows: fmt

commit 1848eae324130791899c95881f3187bf1bb586a5
Merge: 95f300892 a3b73ef42
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Wed Apr 15 09:30:14 2026 +0700

    Merge remote-tracking branch 'origin/master' into ADG-12053-imp-gh-workflow-permissions

commit 95f3008923925415b7bf04f92e7be01790c10c23
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Wed Apr 15 09:29:43 2026 +0700

    gh workflows: add more docs

commit 7a66a9be296861eebb04594791f281dcacc67482
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Wed Apr 15 09:19:34 2026 +0700

    gh workflows: rm potential duplicates

commit 28ac45baa25920fba370c386c6d21492870415f9
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Tue Apr 14 16:20:35 2026 +0700

    gh workflows: fmt

commit 31cd4dfab221e16b242cbd6beef9f796852ea201
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Tue Apr 14 11:46:48 2026 +0700

    gh workflows: fmt

commit 1cd766f351d98af2d183d1795ecb30891a1c997c
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Tue Apr 14 11:43:03 2026 +0700

    gh workflows: imp permissions
This commit is contained in:
Dimitry Kolyshev 2026-04-20 03:50:35 +00:00
parent 3f153ea7cb
commit 9e153fbd99
3 changed files with 167 additions and 148 deletions


@ -1,20 +1,25 @@
'name': 'build'
# Permissions are disabled for all the jobs by default, and then overridden for
# specific jobs if needed. This is a recommended practice for security reasons,
# and also allows to avoid mistakes with permissions when creating new jobs.
#
# See https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#permissions.
'permissions': {}
'env':
'GO_VERSION': '1.26.2'
'NODE_VERSION': '20'
'on':
'push':
'branches':
- '*'
- '*'
'tags':
- 'v*'
- 'v*'
'pull_request':
'jobs':
'test':
'runs-on': '${{ matrix.os }}'
'permissions':
'contents': 'read'
'env':
'GO111MODULE': 'on'
'GOPROXY': 'https://goproxy.cn'
@ -22,101 +27,109 @@
'fail-fast': false
'matrix':
'os':
- 'ubuntu-latest'
- 'macOS-latest'
- 'windows-latest'
- 'ubuntu-latest'
- 'macOS-latest'
- 'windows-latest'
'steps':
- 'name': 'Checkout'
'uses': 'actions/checkout@v2'
'with':
'fetch-depth': 0
- 'name': 'Set up Go'
'uses': 'actions/setup-go@v3'
'with':
'go-version': '${{ env.GO_VERSION }}'
- 'name': 'Set up Node'
'uses': 'actions/setup-node@v1'
'with':
'node-version': '${{ env.NODE_VERSION }}'
- 'name': 'Set up Go modules cache'
'uses': 'actions/cache@v4'
'with':
'path': '~/go/pkg/mod'
'key': "${{ runner.os }}-go-${{ hashFiles('go.sum') }}"
'restore-keys': '${{ runner.os }}-go-'
- 'name': 'Get npm cache directory'
'id': 'npm-cache'
'run': 'echo "::set-output name=dir::$( npm config get cache )"'
- 'name': 'Set up npm cache'
'uses': 'actions/cache@v4'
'with':
'path': '${{ steps.npm-cache.outputs.dir }}'
'key': "${{ runner.os }}-node-${{ hashFiles('client/package-lock.json') }}"
'restore-keys': '${{ runner.os }}-node-'
- 'name': 'Run tests'
'shell': 'bash'
'run': 'make VERBOSE=1 deps test go-bench go-fuzz'
- 'name': 'Upload coverage'
'uses': 'codecov/codecov-action@v1'
'if': "success() && matrix.os == 'ubuntu-latest'"
'with':
'token': '${{ secrets.CODECOV_TOKEN }}'
'file': './coverage.txt'
- 'name': 'Checkout'
'uses': 'actions/checkout@v2'
'with':
'fetch-depth': 0
# Set to false to avoid GITHUB_TOKEN leaking.
#
# See https://github.com/actions/checkout/issues/485#issuecomment-934422611.
'persist-credentials': false
- 'name': 'Set up Go'
'uses': 'actions/setup-go@v3'
'with':
'go-version': '${{ env.GO_VERSION }}'
- 'name': 'Set up Node'
'uses': 'actions/setup-node@v1'
'with':
'node-version': '${{ env.NODE_VERSION }}'
- 'name': 'Set up Go modules cache'
'uses': 'actions/cache@v4'
'with':
'path': '~/go/pkg/mod'
'key': "${{ runner.os }}-go-${{ hashFiles('go.sum') }}"
'restore-keys': '${{ runner.os }}-go-'
- 'name': 'Get npm cache directory'
'id': 'npm-cache'
'run': 'echo "::set-output name=dir::$( npm config get cache )"'
- 'name': 'Set up npm cache'
'uses': 'actions/cache@v4'
'with':
'path': '${{ steps.npm-cache.outputs.dir }}'
'key': "${{ runner.os }}-node-${{ hashFiles('client/package-lock.json') }}"
'restore-keys': '${{ runner.os }}-node-'
- 'name': 'Run tests'
'shell': 'bash'
'run': 'make VERBOSE=1 deps test go-bench go-fuzz'
- 'name': 'Upload coverage'
'uses': 'codecov/codecov-action@v1'
'if': "success() && matrix.os == 'ubuntu-latest'"
'with':
'token': '${{ secrets.CODECOV_TOKEN }}'
'file': './coverage.txt'
'build-release':
'runs-on': 'ubuntu-latest'
'needs': 'test'
'permissions':
'contents': 'read'
'steps':
- 'name': 'Checkout'
'uses': 'actions/checkout@v2'
'with':
'fetch-depth': 0
- 'name': 'Set up Go'
'uses': 'actions/setup-go@v3'
'with':
'go-version': '${{ env.GO_VERSION }}'
- 'name': 'Set up Node'
'uses': 'actions/setup-node@v1'
'with':
'node-version': '${{ env.NODE_VERSION }}'
- 'name': 'Set up Go modules cache'
'uses': 'actions/cache@v4'
'with':
'path': '~/go/pkg/mod'
'key': "${{ runner.os }}-go-${{ hashFiles('go.sum') }}"
'restore-keys': '${{ runner.os }}-go-'
- 'name': 'Get npm cache directory'
'id': 'npm-cache'
'run': 'echo "::set-output name=dir::$(npm config get cache)"'
- 'name': 'Set up npm cache'
'uses': 'actions/cache@v4'
'with':
'path': '${{ steps.npm-cache.outputs.dir }}'
'key': "${{ runner.os }}-node-${{ hashFiles('client/package-lock.json') }}"
'restore-keys': '${{ runner.os }}-node-'
- 'name': 'Set up Snapcraft'
'run': 'sudo snap install snapcraft --classic'
- 'name': 'Set up QEMU'
'uses': 'docker/setup-qemu-action@v3'
- 'name': 'Set up Docker Buildx'
'uses': 'docker/setup-buildx-action@v3'
'with':
'install': true
- 'name': 'Run snapshot build'
# Set a custom version string, since the checkout@v2 action does not seem
# to know about the master branch, while the version script uses it to
# count the number of commits within the branch.
'run': 'make SIGN=0 VERBOSE=1 VERSION="v0.0.0-github" build-release build-docker'
- 'name': 'Checkout'
'uses': 'actions/checkout@v2'
'with':
'fetch-depth': 0
# Set to false to avoid GITHUB_TOKEN leaking.
#
# See https://github.com/actions/checkout/issues/485#issuecomment-934422611.
'persist-credentials': false
- 'name': 'Set up Go'
'uses': 'actions/setup-go@v3'
'with':
'go-version': '${{ env.GO_VERSION }}'
- 'name': 'Set up Node'
'uses': 'actions/setup-node@v1'
'with':
'node-version': '${{ env.NODE_VERSION }}'
- 'name': 'Set up Go modules cache'
'uses': 'actions/cache@v4'
'with':
'path': '~/go/pkg/mod'
'key': "${{ runner.os }}-go-${{ hashFiles('go.sum') }}"
'restore-keys': '${{ runner.os }}-go-'
- 'name': 'Get npm cache directory'
'id': 'npm-cache'
'run': 'echo "::set-output name=dir::$(npm config get cache)"'
- 'name': 'Set up npm cache'
'uses': 'actions/cache@v4'
'with':
'path': '${{ steps.npm-cache.outputs.dir }}'
'key': "${{ runner.os }}-node-${{ hashFiles('client/package-lock.json') }}"
'restore-keys': '${{ runner.os }}-node-'
- 'name': 'Set up Snapcraft'
'run': 'sudo snap install snapcraft --classic'
- 'name': 'Set up QEMU'
'uses': 'docker/setup-qemu-action@v3'
- 'name': 'Set up Docker Buildx'
'uses': 'docker/setup-buildx-action@v3'
'with':
'install': true
- 'name': 'Run snapshot build'
# Set a custom version string, since the checkout@v2 action does not seem
# to know about the master branch, while the version script uses it to
# count the number of commits within the branch.
'run': 'make SIGN=0 VERBOSE=1 VERSION="v0.0.0-github" build-release build-docker'
'notify':
'needs':
- 'build-release'
- 'build-release'
# Secrets are not passed to workflows that are triggered by a pull request
# from a fork.
#
# Use always() to signal to the runner that this job must run even if the
# previous ones failed.
'if':
'if': |
${{
always() &&
github.repository_owner == 'AdguardTeam' &&
@ -126,14 +139,18 @@
)
}}
'runs-on': 'ubuntu-latest'
'permissions':
# Required by workflow-conclusion-action to check workflow status.
'actions': 'read'
'contents': 'read'
'steps':
- 'name': 'Conclusion'
'uses': 'technote-space/workflow-conclusion-action@v1'
- 'name': 'Send Slack notif'
'uses': '8398a7/action-slack@v3'
'with':
'status': '${{ env.WORKFLOW_CONCLUSION }}'
'fields': 'repo, message, commit, author, workflow'
'env':
'GITHUB_TOKEN': '${{ secrets.GITHUB_TOKEN }}'
'SLACK_WEBHOOK_URL': '${{ secrets.SLACK_WEBHOOK_URL }}'
- 'name': 'Conclusion'
'uses': 'technote-space/workflow-conclusion-action@v1'
- 'name': 'Send Slack notif'
'uses': '8398a7/action-slack@v3'
'with':
'status': '${{ env.WORKFLOW_CONCLUSION }}'
'fields': 'repo, message, commit, author, workflow'
'env':
'GITHUB_TOKEN': '${{ secrets.GITHUB_TOKEN }}'
'SLACK_WEBHOOK_URL': '${{ secrets.SLACK_WEBHOOK_URL }}'
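Review bot: The `notify` job's steps still pass `secrets.GITHUB_TOKEN` and `secrets.SLACK_WEBHOOK_URL` (and the `test` job passes `secrets.CODECOV_TOKEN`) to third-party actions referenced only by mutable tags — `technote-space/workflow-conclusion-action@v1`, `8398a7/action-slack@v3`, `codecov/codecov-action@v1` — so the token scoping this commit introduces can still be undone by whoever controls those tags. Pinning each `uses:` to a full commit SHA with the tag kept in a trailing comment, e.g. `'uses': '8398a7/action-slack@<commit-sha>'  # v3`, would complete the hardening; the same applies to the `notify` job in the lint workflow (second file section) and, less urgently, to the `actions/checkout@v2` steps in both files. It would also help to state in the `notify` job's `'permissions'` block why `contents: read` is needed alongside the documented `actions: read`, e.g. `# Needed by action-slack; presumably to resolve the commit/author fields below — confirm.`, since a reader otherwise cannot tell whether it can be dropped.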


@ -1,48 +1,64 @@
'name': 'lint'
# Permissions are disabled for all the jobs by default, and then overridden for
# specific jobs if needed. This is a recommended practice for security reasons,
# and also allows to avoid mistakes with permissions when creating new jobs.
#
# See https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#permissions.
'permissions': {}
'env':
'GO_VERSION': '1.26.2'
'on':
'push':
'tags':
- 'v*'
- 'v*'
'branches':
- '*'
- '*'
'pull_request':
'jobs':
'go-lint':
'runs-on': 'ubuntu-latest'
'permissions':
'contents': 'read'
'steps':
- 'uses': 'actions/checkout@v2'
- 'name': 'Set up Go'
'uses': 'actions/setup-go@v3'
'with':
'go-version': '${{ env.GO_VERSION }}'
- 'name': 'run-lint'
'run': >
make go-deps go-lint
- 'uses': 'actions/checkout@v2'
'with':
# Set to false to avoid GITHUB_TOKEN leaking.
#
# See https://github.com/actions/checkout/issues/485#issuecomment-934422611.
'persist-credentials': false
- 'name': 'Set up Go'
'uses': 'actions/setup-go@v3'
'with':
'go-version': '${{ env.GO_VERSION }}'
- 'name': 'run-lint'
'run': >
make go-deps go-lint
'eslint':
'runs-on': 'ubuntu-latest'
'permissions':
'contents': 'read'
'steps':
- 'uses': 'actions/checkout@v2'
- 'name': 'Install modules'
'run': 'npm --prefix="./client" ci'
- 'name': 'Run ESLint'
'run': 'npm --prefix="./client" run lint'
- 'uses': 'actions/checkout@v2'
'with':
# Set to false to avoid GITHUB_TOKEN leaking.
#
# See https://github.com/actions/checkout/issues/485#issuecomment-934422611.
'persist-credentials': false
- 'name': 'Install modules'
'run': 'npm --prefix="./client" ci'
- 'name': 'Run ESLint'
'run': 'npm --prefix="./client" run lint'
'notify':
'needs':
- 'go-lint'
- 'eslint'
- 'go-lint'
- 'eslint'
# Secrets are not passed to workflows that are triggered by a pull request
# from a fork.
#
# Use always() to signal to the runner that this job must run even if the
# previous ones failed.
'if':
'if': |
${{
always() &&
github.repository_owner == 'AdguardTeam' &&
@ -52,14 +68,18 @@
)
}}
'runs-on': 'ubuntu-latest'
'permissions':
# Required by workflow-conclusion-action to check workflow status.
'actions': 'read'
'contents': 'read'
'steps':
- 'name': 'Conclusion'
'uses': 'technote-space/workflow-conclusion-action@v1'
- 'name': 'Send Slack notif'
'uses': '8398a7/action-slack@v3'
'with':
'status': '${{ env.WORKFLOW_CONCLUSION }}'
'fields': 'repo, message, commit, author, workflow'
'env':
'GITHUB_TOKEN': '${{ secrets.GITHUB_TOKEN }}'
'SLACK_WEBHOOK_URL': '${{ secrets.SLACK_WEBHOOK_URL }}'
- 'name': 'Conclusion'
'uses': 'technote-space/workflow-conclusion-action@v1'
- 'name': 'Send Slack notif'
'uses': '8398a7/action-slack@v3'
'with':
'status': '${{ env.WORKFLOW_CONCLUSION }}'
'fields': 'repo, message, commit, author, workflow'
'env':
'GITHUB_TOKEN': '${{ secrets.GITHUB_TOKEN }}'
'SLACK_WEBHOOK_URL': '${{ secrets.SLACK_WEBHOOK_URL }}'


@ -1,18 +0,0 @@
'name': 'potential-duplicates'
'on':
'issues':
'types':
- 'opened'
'jobs':
'run':
'runs-on': 'ubuntu-latest'
'steps':
- 'uses': 'wow-actions/potential-duplicates@v1'
'with':
'GITHUB_TOKEN': '${{ secrets.GITHUB_TOKEN }}'
'state': 'all'
'threshold': 0.6
'comment': |
Potential duplicates: {{#issues}}
* [#{{ number }}] {{ title }} ({{ accuracy }}%)
{{/issues}}