Skip to content

🌱 Bump github/codeql-action from 3.27.5 to 3.28.3 #198

🌱 Bump github/codeql-action from 3.27.5 to 3.28.3

🌱 Bump github/codeql-action from 3.27.5 to 3.28.3 #198

name: "[Release] Step 2: Tag next release (Autorun)"
on:
workflow_dispatch:
pull_request:
types: [ closed ]
# TODO: update workflow permissions to least privilege after auditing all the APIs used
# permissions: # limit the permissions of the GITHUB_TOKEN to reading repository contents
# contents: read
jobs:
create_release:
runs-on: ubuntu-latest
if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'release') && contains(github.event.pull_request.user.login, 'google-flank-bot[bot]') && contains(github.event.pull_request.title, 'release notes for')
steps:
- name: Harden Runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
# TODO: change to 'egress-policy: block' after auditing a number of runs and updating the allowed-endpoints option accordingly
- uses: actions/checkout@v4
- uses: tibdex/github-app-token@v2
id: generate-token
with:
app_id: ${{ secrets.FLANK_RELEASE_APP_ID }}
private_key: ${{ secrets.FLANK_RELEASE_PRIVATE_KEY }}
- name: Download flankScripts and add it to PATH.
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
./gradlew :flank-scripts:download
echo "./flank-scripts/bash" >> $GITHUB_PATH
- name: Set next release tag variable
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
TAG=$(flankScripts release next_tag --token="$GH_TOKEN")
echo "NEXT_RELEASE_TAG=$(echo $TAG)" >> $GITHUB_ENV
- name: Push tag
id: tag_version
uses: mathieudutour/github-tag-action@v5
with:
github_token: ${{ steps.generate-token.outputs.token }}
custom_tag: ${{ env.NEXT_RELEASE_TAG }}
tag_prefix: ''