From 317f7d970ba3ed38c6803f8f83baa0d52ecdb842 Mon Sep 17 00:00:00 2001 From: Ryan Johnson Date: Wed, 4 Jun 2025 15:41:53 -0400 Subject: [PATCH] chore(gh): update workflows - Sets the default permissions for workflows. - Renames and updates the lock workflow to include discussions scope. - Updates `.gitignore`. Signed-off-by: Ryan Johnson --- .github/workflows/docs.yml | 9 +++-- .github/workflows/issues.yml | 9 +++-- .../workflows/{lock-threads.yml => lock.yml} | 12 ++++--- .github/workflows/pull-requests.yml | 3 +- .github/workflows/release.yml | 35 ++++++++++++------- .github/workflows/stale.yml | 25 +++++++------ .github/workflows/tests.yml | 13 +++++-- .gitignore | 4 +++ 8 files changed, 70 insertions(+), 40 deletions(-) rename .github/workflows/{lock-threads.yml => lock.yml} (76%) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 807c1e7..0cb061a 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -1,14 +1,17 @@ +--- name: Publish Documentation + on: workflow_dispatch: -permissions: - contents: write + jobs: publish-docs: runs-on: ubuntu-latest + permissions: + contents: write steps: - name: Checkout Repository - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - name: Setup Python diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml index 16d6bcd..b2fac32 100644 --- a/.github/workflows/issues.yml +++ b/.github/workflows/issues.yml @@ -1,5 +1,5 @@ --- -name: Issue Triage +name: Issue Labels on: issues: 
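Review bot: With the workflow-level `permissions:` block removed in this docs.yml hunk (and again in the first hunk of release.yml), the workflow no longer sets a default for GITHUB_TOKEN; only jobs that carry their own block are scoped. A job added later without a `permissions:` key would fall back to the repository or organization default, which can be read/write. Keeping a restrictive default at the top, `permissions: {}`, and leaving the per-job grants as written gives deny-by-default behaviour and matches the "default permissions" wording of the commit description. The steps of publish-docs continue outside the hunk, so whether `contents: write` is the minimum it needs cannot be confirmed from here.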
@@ -9,11 +9,14 @@ on: jobs: label-issues: runs-on: ubuntu-latest + permissions: + contents: read + issues: write steps: - - name: Apply Issue Triage Labels + - name: Apply Labels uses: github/issue-labeler@c1b0f9f52a63158c4adc09425e858e87b32e9685 # v3.4 with: - repo-token: '${{ secrets.GITHUB_TOKEN }}' + repo-token: ${{ secrets.GITHUB_TOKEN }} configuration-path: .github/labeler-issues.yml enable-versioned-regex: 0 include-title: 1 diff --git a/.github/workflows/lock-threads.yml b/.github/workflows/lock.yml similarity index 76% rename from .github/workflows/lock-threads.yml rename to .github/workflows/lock.yml index 93337dc..9345f8c 100644 --- a/.github/workflows/lock-threads.yml +++ b/.github/workflows/lock.yml @@ -8,10 +8,14 @@ on: jobs: lock: runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write + discussions: write steps: - - uses: dessant/lock-threads@d42e5f49803f3c4e14ffee0378e31481265dda22 # v5.0.0 + - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1 with: - github-token: '${{ secrets.GITHUB_TOKEN }}' + github-token: ${{ secrets.GITHUB_TOKEN }} issue-comment: > I'm going to lock this issue because it has been closed for 30 days. This helps our maintainers find and focus on the active @@ -21,7 +25,7 @@ jobs: If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. - issue-inactive-days: '30' + issue-inactive-days: 30 pr-comment: > I'm going to lock this pull request because it has been closed for 30 days. This helps our maintainers find and focus on the active @@ -31,4 +35,4 @@ jobs: If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. - pr-inactive-days: '30' + pr-inactive-days: 30 
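Review bot: `discussions: write` is granted in the first lock.yml hunk, but the inputs visible across the three hunks configure only issues and pull requests (`issue-inactive-days`, `pr-inactive-days` and their comments). If discussions are meant to be locked, stating it with `discussion-inactive-days: 30` and a matching comment input keeps the behaviour from depending on the action's defaults. If they are not, `process-only: issues, prs` together with dropping `discussions: write` keeps the token at least privilege. The trigger and the lines between the hunks are not shown, so a discussion setting there would make this moot.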
diff --git a/.github/workflows/pull-requests.yml b/.github/workflows/pull-requests.yml index 73c044e..b1fd671 100644 --- a/.github/workflows/pull-requests.yml +++ b/.github/workflows/pull-requests.yml @@ -23,5 +23,6 @@ jobs: - name: Apply Labels uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 with: + repo-token: ${{ secrets.GITHUB_TOKEN }} configuration-path: .github/labeler-pull-requests.yml - repo-token: '${{ secrets.GITHUB_TOKEN }}' + diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4d7e443..92aebc3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,19 +1,19 @@ +--- name: Release on: push: tags: - - "v[0-9]+.[0-9]+.[0-9]+*" - -permissions: - contents: write + - v[0-9]+.[0-9]+.[0-9]+* jobs: create-release: runs-on: ubuntu-latest + permissions: + contents: write steps: - name: Checkout Repository - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - name: Check Version @@ -129,9 +129,12 @@ jobs: publish-docs: needs: create-release runs-on: ubuntu-latest + permissions: + contents: write + pages: write steps: - name: Checkout Repository - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.release.tag_name }} fetch-depth: 0 @@ -150,9 +153,11 @@ jobs: publish-module: needs: [create-release, publish-docs] runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout Repository - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.release.tag_name }} fetch-depth: 0 
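Review bot: The `ref: ${{ github.event.release.tag_name }}` input under the bumped checkout step in publish-docs (and again in publish-module in the next hunk) reads a field that only `release` events carry, while the first release.yml hunk shows this workflow is triggered by `push` on tags. The expression is therefore empty and checkout falls back to its default ref, which happens to be the pushed tag; `ref: ${{ github.ref_name }}` would state the intent explicitly. Separately, publish-docs gets `pages: write` here while the job of the same name in docs.yml gets only `contents: write`. The publish steps are outside the hunk, so it is worth confirming which scopes the deployment actually uses and dropping any that are unused.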
@@ -185,13 +190,18 @@ jobs: Write-Output "SUCCESS: Module dependencies were found." Write-Output "INFO: Required modules are $($requiredModules.ModuleName -join ', ')." Write-Output "INFO: Setting location to the PowerShell modules location on a Ubuntu-based GitHub runner." - Set-Location '/home/runner/.local/share/powershell/Modules/' + Set-Location '/home/runner/.local/share/powershell/Modules/' foreach ($module in $requiredModules) { $requiredModuleName = $module.ModuleName - New-Item $requiredModuleName -ItemType Directory - Write-Output "INFO: Performing workaround for github.com/PowerShell/PowerShell/issues/7722." - Write-Output "INFO: Creating placeholder manifest for $requiredModuleName at $((Get-Location).Path)/$requiredModuleName/$requiredModuleName.psd1" - New-Item "./$requiredModuleName/$requiredModuleName.psd1" -ItemType File + if ($requiredModuleName -eq 'VMware.PowerCLI') { + Write-Output "INFO: Installing version defined in the manifest from the PowerShell Gallery." + Install-Module -Name VMware.PowerCLI -RequiredVersion $module.RequiredVersion -Force + } else { + New-Item $requiredModuleName -ItemType Directory + Write-Output "INFO: Performing workaround for github.com/PowerShell/PowerShell/issues/7722." + Write-Output "INFO: Creating placeholder manifest for $requiredModuleName at $((Get-Location).Path)/$requiredModuleName/$requiredModuleName.psd1" + New-Item "./$requiredModuleName/$requiredModuleName.psd1" -ItemType File + } } } else { Write-Output "INFO: No module dependencies were found." @@ -232,4 +242,3 @@ jobs: } else { Write-Error "FAILED: Module manifest file not found at path '$moduleManifest'." } - \ No newline at end of file diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index f45224b..7e54ea8 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
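Review bot: `Install-Module -Name VMware.PowerCLI -RequiredVersion $module.RequiredVersion -Force` assumes the manifest's `RequiredModules` entry for VMware.PowerCLI carries a `RequiredVersion` key. An entry that uses `ModuleVersion` instead would leave `$module.RequiredVersion` empty, and the install would then presumably fail or resolve to an unpinned version, contrary to the log line above it. A guard before the call, such as `if (-not $module.RequiredVersion) { throw "RequiredVersion missing for VMware.PowerCLI" }`, makes that case explicit. This runs in the publish-module job, whose later steps are outside the hunk; if a gallery API key is available to this step's environment, it is worth scoping that secret to the publish step only, so third-party module installation never runs alongside it.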
@@ -1,46 +1,45 @@ --- -name: Manage Stale Items +name: Stale on: schedule: - cron: 00 00 * * * - + jobs: stale: runs-on: ubuntu-latest permissions: + contents: read issues: write pull-requests: write steps: - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0 with: - repo-token: '${{ secrets.GITHUB_TOKEN }}' + repo-token: ${{ secrets.GITHUB_TOKEN }} days-before-stale: 60 days-before-close: 30 - exempt-issue-labels: 'needs-triage' - exempt-pr-labels: 'needs-review' + exempt-issue-labels: needs-triage + exempt-pr-labels: needs-review + exempt-all-assignees: true remove-stale-when-updated: true delete-branch: false stale-issue-label: stale stale-issue-message: > - 'Marking this issue as stale due to inactivity. This helps us focus + Marking this issue as stale due to inactivity. This helps us focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back - to this one for added context. - - Thank you!' + to this one for added context. stale-pr-label: stale stale-pr-message: > - 'Marking this pull request as stale due to inactivity. This helps us + Marking this pull request as stale due to inactivity. This helps us focus on the active pull requests. If this pull request receives no comments in the next 30 days it will automatically be closed. + If this pull request was automatically closed and you feel this pull request should be reopened, we encourage creating a new pull request - linking back to this one for added context. - - Thank you!' + linking back to this one for added context. diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index bf16460..7485204 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -1,4 +1,5 @@ -name: Tests +--- +name: Test on: push: 
@@ -11,14 +12,20 @@ on: jobs: basic_tests: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run Basic Tests working-directory: ${{ github.workspace }} shell: pwsh run: | Write-Output "INFO: Setting PowerShell Gallery as a trusted repository." Set-PSRepository psgallery -InstallationPolicy trusted + Write-Output "INFO: Installing module 'VMware.vSphere.SsoAdmin' from PSGallery." + Install-Module -Name VMware.vSphere.SsoAdmin -confirm:$false -Force + Write-Output "INFO: Installing module 'VMware.PowerCLI' from PSGallery." + Install-Module -Name VMware.PowerCLI -confirm:$false -Force $moduleManifest = (Get-ChildItem -Path $env:GITHUB_WORKSPACE -Filter *.psd1).Name if ($moduleManifest) { Write-Output "SUCCESS: Manifest '$moduleManifest' found in '$env:GITHUB_WORKSPACE'." @@ -34,7 +41,7 @@ jobs: Write-Output "INFO: Reading module manifest '$moduleManifest'." $moduleManifestData = Import-PowerShellDataFile -Path $moduleManifest $requiredModules = $moduleManifestData.RequiredModules - $requiredModules = $requiredModules | Where-Object { $_.ModuleName -ne 'VMware.vSphere.SsoAdmin' } + $requiredModules = $requiredModules | Where-Object { $_.ModuleName -ne 'VMware.vSphere.SsoAdmin' -and $_.ModuleName -ne 'VMware.PowerCLI'} Write-Output "INFO: Required modules are $($requiredModules.ModuleName -join ', ')." foreach ($module in $requiredModules) { $requiredModuleName = $module.ModuleName diff --git a/.gitignore b/.gitignore index 8841ef2..b45fc7a 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,10 @@ ## Ignore desktop services files. **/.DS_Store +# Pester +## Ignore logs directory. +**/tests/logs/*.log + # MkDocs ## Ignore site directory. **/.site/**
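Review bot: The two added `Install-Module` calls in basic_tests pass no version, so they take whatever version of VMware.vSphere.SsoAdmin and VMware.PowerCLI the gallery resolves at run time. In the same commit, release.yml installs VMware.PowerCLI with `-RequiredVersion $module.RequiredVersion`. Tests can therefore pass against a different dependency version than the one the release installs, and a new gallery release can change CI results with no change in the repository. Moving the installs after the manifest is read and pinning them, e.g. `Install-Module -Name $module.ModuleName -RequiredVersion $module.RequiredVersion -Force`, keeps both workflows on the manifest's versions. The run block continues past the hunk, so the exact placement depends on lines not shown here.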