ci: grant dependabot status update permissions #8059
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Compliance | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
merge_group: | |
types: [checks_requested] | |
branches: [main] | |
permissions: | |
contents: read # This is required for actions/checkout | |
id-token: write # This is required for requesting the JWT/OIDC | |
statuses: write # Required for dependabot PRs https://github.com/ouzi-dev/commit-status-updater?tab=readme-ov-file#workflow-permissions | |
jobs: | |
duvet: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Clone s2n-tls | |
uses: actions/checkout@v3 | |
- name: Clone s2n-quic | |
uses: actions/checkout@v3 | |
with: | |
repository: aws/s2n-quic | |
path: ./s2n-quic | |
submodules: true | |
- name: Run duvet action | |
uses: ./s2n-quic/.github/actions/duvet | |
with: | |
s2n-quic-dir: ./s2n-quic | |
report-script: compliance/generate_report.sh | |
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole | |
role-session-name: S2ntlsGHAS3Session | |
aws-s3-bucket-name: s2n-tls-ci-artifacts | |
aws-s3-region: us-west-2 | |
cdn: https://d3fqnyekunr9xg.cloudfront.net | |
- name: Extract RFC spec data | |
working-directory: ./compliance | |
run: ./initialize_duvet.sh | |
shell: bash | |
- name: Check if there are uncommitted changes | |
run: | | |
# If this fails you need to run `cd compliance && ./compliance/initialize_duvet.sh` | |
# | |
# Use 'git status --porcelain' instead of 'git diff --exit-code' since git diff | |
# only detects diffs but fails to detect new files. Ignore the s2n-quic dir | |
# `(:!s2n-quic)` since we explicitly clone the repo as part of this job. | |
git_status=$(git status --porcelain -- ':!s2n-quic') | |
if [ -n "$git_status" ]; then | |
echo "Found uncommitted changes:" | |
echo "$git_status" | |
exit 1 | |
else | |
echo "Workspace is clean" | |
fi | |
shell: bash |