From e83a8d4cbfe0aa2a004dadc5b02dbe9e39a4b49a Mon Sep 17 00:00:00 2001 From: Gilver Date: Sun, 6 Jul 2025 12:36:47 -0500 Subject: [PATCH] feat(ci): add no_upload_srpms label (#5758) (#5784) * feat(ci): add no_upload_srpms label This also fixes manual builds to support subrepos properly. * to make sure it actually works * manually set permissions (cherry picked from commit bc5a6c144c770931d017d2d0aa05dde1cc238efb) Signed-off-by: GildedRoach Co-authored-by: madomado
--- .github/workflows/autobuild.yml | 4 +++- .github/workflows/bootstrap.yml | 3 ++- .github/workflows/build.yml | 9 +++++++-- .github/workflows/json-build.yml | 3 +++ .github/workflows/sync.yml | 4 +++- .github/workflows/update-branch.yml | 2 ++ .github/workflows/update-comps.yml | 2 ++ .github/workflows/update-nightly.yml | 2 ++ .github/workflows/update-weekly.yml | 2 ++ .github/workflows/update.yml | 2 ++ anda/fonts/nerd-fonts/anda.hcl | 3 +++ 11 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml
index 830c3c1636..f78705a9e3 100644
--- a/.github/workflows/autobuild.yml
+++ b/.github/workflows/autobuild.yml
@@ -1,6 +1,8 @@ # for each folder in anda/ # generate a new workflow for each folder in anda/ name: Automatically build packages +permissions: + contents: read on: push: paths:
@@ -97,7 +99,7 @@ jobs: terra${{ matrix.version }}${{ matrix.pkg.labels['subrepo'] && '-$subrepo' || '' }} anda-build/rpm/rpms/* - name: Upload source packages to subatomic - if: github.event_name == 'push' + if: github.event_name == 'push' && matrix.pkg.labels['no_upload_srpms'] != '1' run: | subrepo="${{ matrix.pkg.labels.subrepo }}" subatomic-cli upload --prune \
diff --git a/.github/workflows/bootstrap.yml b/.github/workflows/bootstrap.yml
index 3a976df1f6..76760b9a61 100644
--- a/.github/workflows/bootstrap.yml
+++ b/.github/workflows/bootstrap.yml
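Review bot: The added condition `matrix.pkg.labels['no_upload_srpms'] != '1'` in the second autobuild.yml hunk skips the source upload only when the label compares equal to `'1'`, and nothing in the workflow says so. A package that sets another truthy-looking value would presumably still have its SRPMs uploaded, which is the opposite of what its author asked for. I would add a comment above the `if:` such as `# skipped only when anda.hcl sets labels.no_upload_srpms = 1; any other value uploads`. The same comparison is added in json-build.yml and build.yml. The step's `run:` block continues outside the hunk.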
@@ -1,5 +1,6 @@ name: Bootstrap Andaman and Subatomic - +permissions: + contents: read on: workflow_dispatch:
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 78e2b6cd19..22f68af3cb 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,4 +1,6 @@ name: Manual Builds +permissions: + contents: read on: workflow_dispatch: inputs:
@@ -90,17 +92,20 @@ jobs: - name: Upload packages to subatomic run: | + subrepo="${{ fromJson(steps.art.outputs.labels).subrepo }}" subatomic-cli upload --prune \ --server https://subatomic.fyralabs.com \ --token ${{ secrets.SUBATOMIC_TOKEN }} \ - terra${{ matrix.version }} anda-build/rpm/rpms/* + terra${{ matrix.version }}${{ fromJson(steps.art.outputs.labels)['subrepo'] && '-$subrepo' }} anda-build/rpm/rpms/* - name: Upload source packages to subatomic + if: fromJson(steps.art.outputs.labels)['no_upload_srpms'] != '1' run: | + subrepo="${{ fromJson(steps.art.outputs.labels).subrepo }}" subatomic-cli upload --prune \ --server https://subatomic.fyralabs.com \ --token ${{ secrets.SUBATOMIC_TOKEN }} \ - terra${{ matrix.version }}-source anda-build/rpm/srpm/* + terra${{ matrix.version }}${{ fromJson(steps.art.outputs.labels)['subrepo'] && '-$subrepo' }}-source anda-build/rpm/srpm/* - name: Notify Madoguchi (Success) if: success()
diff --git a/.github/workflows/json-build.yml b/.github/workflows/json-build.yml
index 381fd4885e..22ed215279 100644
--- a/.github/workflows/json-build.yml
+++ b/.github/workflows/json-build.yml
@@ -1,4 +1,6 @@ name: JSON Build +permissions: + contents: read on: workflow_dispatch: inputs:
@@ -67,6 +69,7 @@ jobs: terra${{ matrix.version }}${{ matrix.pkg.labels['subrepo'] && '-$subrepo' || '' }} anda-build/rpm/rpms/* - name: Upload source packages to subatomic + if: matrix.pkg.labels['no_upload_srpms'] != '1' run: | subrepo="${{ matrix.pkg.labels.subrepo }}" subatomic-cli upload --prune \
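Review bot: The two added `subrepo="${{ fromJson(steps.art.outputs.labels).subrepo }}"` lines in the second build.yml hunk paste the label value into the script text before the shell parses it, so a label containing a quote or a command substitution would alter a script that also carries `secrets.SUBATOMIC_TOKEN`. Pass the value through the step environment instead: `env:` with `SUBREPO: ${{ fromJson(steps.art.outputs.labels).subrepo }}`, then `subrepo="$SUBREPO"` in the script. The new repository-name expressions also drop the `|| ''` fallback that autobuild.yml and json-build.yml keep after `&& '-$subrepo'`; restoring it would keep the three workflows consistent. The same inline expansion appears as context in autobuild.yml and json-build.yml, and the `art` step that produces `labels` is outside the hunk.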
diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
index fdd4824ec0..f061efc1d3 100644
--- a/.github/workflows/sync.yml
+++ b/.github/workflows/sync.yml
@@ -1,5 +1,7 @@ name: Automatic backport/sync action - +permissions: + contents: write + pull-requests: write on: pull_request_target: types: ["labeled", "closed"]
diff --git a/.github/workflows/update-branch.yml b/.github/workflows/update-branch.yml
index 8609973783..b8ff917abf 100644
--- a/.github/workflows/update-branch.yml
+++ b/.github/workflows/update-branch.yml
@@ -1,4 +1,6 @@ name: Update per branch +permissions: + contents: write on: schedule: - cron: "*/30 * * * *"
diff --git a/.github/workflows/update-comps.yml b/.github/workflows/update-comps.yml
index e6b842c2db..3a5c3e8a55 100644
--- a/.github/workflows/update-comps.yml
+++ b/.github/workflows/update-comps.yml
@@ -1,4 +1,6 @@ name: Push comps updates +permissions: + contents: read on: push:
diff --git a/.github/workflows/update-nightly.yml b/.github/workflows/update-nightly.yml
index 911604f912..c4e6141765 100644
--- a/.github/workflows/update-nightly.yml
+++ b/.github/workflows/update-nightly.yml
@@ -1,4 +1,6 @@ name: Nightly Update +permissions: + contents: write on: schedule: - cron: "0 0 * * *"
diff --git a/.github/workflows/update-weekly.yml b/.github/workflows/update-weekly.yml
index 38f106b3d2..74b653b5a5 100644
--- a/.github/workflows/update-weekly.yml
+++ b/.github/workflows/update-weekly.yml
@@ -1,4 +1,6 @@ name: Weekly Update +permissions: + contents: write on: schedule: - cron: "0 0 * * 0"
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index 105d818f59..009a1e7d6d 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -1,4 +1,6 @@ name: Update +permissions: + contents: write on: schedule: - cron: "*/10 * * * *"
diff --git a/anda/fonts/nerd-fonts/anda.hcl b/anda/fonts/nerd-fonts/anda.hcl
index db05b8ecef..50ebcbb342 100644
--- a/anda/fonts/nerd-fonts/anda.hcl
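Review bot: In sync.yml, `contents: write` and `pull-requests: write` are granted at workflow level next to a `pull_request_target` trigger, which runs with the base repository's token even when the pull request comes from a fork. That is safe only while no job checks out or executes the pull request's head. The jobs are outside this hunk, so this needs confirming. I would record the constraint above the block, e.g. `# pull_request_target: never check out or run PR head code with this token`, and move the two write scopes onto the job that performs the backport so any other job stays read-only.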
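Review bot: In update-branch.yml, `contents: write` is set for the whole workflow, so every job in each scheduled run receives a push-capable token, including steps that only read the repository or run third-party actions. Prefer a read-only default at the top (`permissions:` with `contents: read`) and a job-level `permissions:` block with `contents: write` on the one job that commits the update. The same applies to update-nightly.yml, update-weekly.yml and update.yml. The jobs are outside these hunks, so which job pushes, and whether it uses this token at all, needs checking.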
+++ b/anda/fonts/nerd-fonts/anda.hcl
@@ -3,4 +3,7 @@ project pkg { rpm { spec = "nerd-fonts.spec" } + labels { + no_upload_srpms = 1 + } }