From bc5a6c144c770931d017d2d0aa05dde1cc238efb Mon Sep 17 00:00:00 2001 From: madomado Date: Thu, 3 Jul 2025 19:44:04 +0800 Subject: [PATCH] feat(ci): add no_upload_srpms label (#5758) * feat(ci): add no_upload_srpms label This also fixes manual builds to support subrepos properly. * to make sure it actually works * manually set permissions --- .github/workflows/autobuild.yml | 4 +++- .github/workflows/bootstrap.yml | 3 ++- .github/workflows/build.yml | 9 +++++++-- .github/workflows/json-build.yml | 3 +++ .github/workflows/sync.yml | 4 +++- .github/workflows/update-branch.yml | 2 ++ .github/workflows/update-comps.yml | 2 ++ .github/workflows/update-nightly.yml | 2 ++ .github/workflows/update-weekly.yml | 2 ++ .github/workflows/update.yml | 2 ++ anda/fonts/nerd-fonts/anda.hcl | 3 +++ 11 files changed, 31 insertions(+), 5 deletions(-) diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml index 1b7398c403..08aef1e445 100644 --- a/.github/workflows/autobuild.yml +++ b/.github/workflows/autobuild.yml @@ -1,6 +1,8 @@ # for each folder in anda/ # generate a new workflow for each folder in anda/ name: Automatically build packages +permissions: + contents: read on: push: paths: @@ -96,7 +98,7 @@ jobs: terra${{ matrix.version }}${{ matrix.pkg.labels['subrepo'] && '-$subrepo' || '' }} anda-build/rpm/rpms/* - name: Upload source packages to subatomic - if: github.event_name == 'push' + if: github.event_name == 'push' && matrix.pkg.labels['no_upload_srpms'] != '1' run: | subrepo="${{ matrix.pkg.labels.subrepo }}" subatomic-cli upload --prune \ diff --git a/.github/workflows/bootstrap.yml b/.github/workflows/bootstrap.yml index 30b6c2e863..f5e0bcfeb5 100644 --- a/.github/workflows/bootstrap.yml +++ b/.github/workflows/bootstrap.yml @@ -1,5 +1,6 @@ name: Bootstrap Andaman and Subatomic - +permissions: + contents: read on: workflow_dispatch: diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 85f12ebc76..5982ed7085 100644 
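Review bot: The new guard on "Upload source packages to subatomic" in autobuild.yml, `matrix.pkg.labels['no_upload_srpms'] != '1'`, is fail-open: only a value equal to 1 suppresses the upload, so a package that sets the label to a string such as `yes` would still have its SRPM published (how anda serialises label values is not visible here). The same comparison is added in json-build.yml and build.yml. If the label is meant to keep sources out of the public repo, a comment above each `if:` would record the contract, e.g. `# SRPM upload is skipped only when anda.hcl sets labels.no_upload_srpms = 1; any other value uploads`. The step's `run:` body continues outside the hunk.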
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,4 +1,6 @@ name: Manual Builds +permissions: + contents: read on: workflow_dispatch: inputs: @@ -81,17 +83,20 @@ jobs: - name: Upload packages to subatomic run: | + subrepo="${{ fromJson(steps.art.outputs.labels).subrepo }}" subatomic-cli upload --prune \ --server https://subatomic.fyralabs.com \ --token ${{ secrets.SUBATOMIC_TOKEN }} \ - terra${{ matrix.version }}${{ fromJson(steps.art.outputs.labels)['extra'] && '-extras' }} anda-build/rpm/rpms/* + terra${{ matrix.version }}${{ fromJson(steps.art.outputs.labels)['subrepo'] && '-$subrepo' }} anda-build/rpm/rpms/* - name: Upload source packages to subatomic + if: fromJson(steps.art.outputs.labels)['no_upload_srpms'] != '1' run: | + subrepo="${{ fromJson(steps.art.outputs.labels).subrepo }}" subatomic-cli upload --prune \ --server https://subatomic.fyralabs.com \ --token ${{ secrets.SUBATOMIC_TOKEN }} \ - terra${{ matrix.version }}${{ fromJson(steps.art.outputs.labels)['extra'] && '-extras' }}-source anda-build/rpm/srpm/* + terra${{ matrix.version }}${{ fromJson(steps.art.outputs.labels)['subrepo'] && '-$subrepo' }}-source anda-build/rpm/srpm/* - name: Notify Madoguchi (Success) if: success() diff --git a/.github/workflows/json-build.yml b/.github/workflows/json-build.yml index 6f0c72a50e..033e16519a 100644 --- a/.github/workflows/json-build.yml +++ b/.github/workflows/json-build.yml @@ -1,4 +1,6 @@ name: JSON Build +permissions: + contents: read on: workflow_dispatch: inputs: @@ -67,6 +69,7 @@ jobs: terra${{ matrix.version }}${{ matrix.pkg.labels['subrepo'] && '-$subrepo' || '' }} anda-build/rpm/rpms/* - name: Upload source packages to subatomic + if: matrix.pkg.labels['no_upload_srpms'] != '1' run: | subrepo="${{ matrix.pkg.labels.subrepo }}" subatomic-cli upload --prune \ diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml index fdd4824ec0..f061efc1d3 100644 --- a/.github/workflows/sync.yml +++ b/.github/workflows/sync.yml 
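Review bot: The added `subrepo="${{ fromJson(steps.art.outputs.labels).subrepo }}"` lines in both upload steps of build.yml paste the label value into the script text before bash parses it, so a value containing shell metacharacters would run as script in a step that also holds SUBATOMIC_TOKEN. The labels appear to come from the package's anda.hcl on the dispatched ref, so this is repository-controlled rather than anonymous input, but passing the value through the environment removes that dependency: add `env:` with `SUBREPO: ${{ fromJson(steps.art.outputs.labels).subrepo }}` to each step and use `subrepo="$SUBREPO"`. The context lines of autobuild.yml and json-build.yml show the same pattern with `matrix.pkg.labels.subrepo`. Separately, `&& '-$subrepo'` here lacks the `|| ''` fallback that those two files use.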
@@ -1,5 +1,7 @@ name: Automatic backport/sync action - +permissions: + contents: write + pull-requests: write on: pull_request_target: types: ["labeled", "closed"] diff --git a/.github/workflows/update-branch.yml b/.github/workflows/update-branch.yml index acb04d0dae..4cb045cfc3 100644 --- a/.github/workflows/update-branch.yml +++ b/.github/workflows/update-branch.yml @@ -1,4 +1,6 @@ name: Update per branch +permissions: + contents: write on: schedule: - cron: "*/30 * * * *" diff --git a/.github/workflows/update-comps.yml b/.github/workflows/update-comps.yml index 107a1511d6..463e2b8598 100644 --- a/.github/workflows/update-comps.yml +++ b/.github/workflows/update-comps.yml @@ -1,4 +1,6 @@ name: Push comps updates +permissions: + contents: read on: push: diff --git a/.github/workflows/update-nightly.yml b/.github/workflows/update-nightly.yml index c645b2b71d..8d9211ce69 100644 --- a/.github/workflows/update-nightly.yml +++ b/.github/workflows/update-nightly.yml @@ -1,4 +1,6 @@ name: Nightly Update +permissions: + contents: write on: schedule: - cron: "0 0 * * *" diff --git a/.github/workflows/update-weekly.yml b/.github/workflows/update-weekly.yml index 9d68edece2..a3159354d3 100644 --- a/.github/workflows/update-weekly.yml +++ b/.github/workflows/update-weekly.yml @@ -1,4 +1,6 @@ name: Weekly Update +permissions: + contents: write on: schedule: - cron: "0 0 * * *" diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml index b63ad29afc..7c3364b0ec 100644 --- a/.github/workflows/update.yml +++ b/.github/workflows/update.yml @@ -1,4 +1,6 @@ name: Update +permissions: + contents: write on: schedule: - cron: "*/10 * * * *" diff --git a/anda/fonts/nerd-fonts/anda.hcl b/anda/fonts/nerd-fonts/anda.hcl index db05b8ecef..50ebcbb342 100644 --- a/anda/fonts/nerd-fonts/anda.hcl +++ b/anda/fonts/nerd-fonts/anda.hcl @@ -3,4 +3,7 @@ project pkg { rpm { spec = "nerd-fonts.spec" } + labels { + no_upload_srpms = 1 + } }
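Review bot: In sync.yml the new workflow-level `contents: write` and `pull-requests: write` apply to every job of a `pull_request_target` workflow, which runs with the base repository's token and secrets even when the pull request comes from a fork. The jobs are outside the hunk, so confirm that none of them checks out or executes the pull request's head ref. Consider granting the write scopes only on the job that pushes the backport and leaving `contents: read` at the top level. A comment above the block would record the constraint, e.g. `# pull_request_target: runs with a write token; never check out or run PR head code here`.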