diff --git a/.github/gh-bot.yml b/.github/gh-bot.yml deleted file mode 100644 index 21908a40c..000000000 --- a/.github/gh-bot.yml +++ /dev/null @@ -1,30 +0,0 @@ -version: v1 -debug: true -action: - printConfig: false - release: - retry: 15s - actionName: Release - allowOps: - - cuisongliu -bot: - prefix: / - spe: _ - allowOps: - - sealos-ci-robot - - sealos-release-robot - email: sealos-ci-robot@sealos.io - username: sealos-ci-robot -repo: - org: false - -message: - success: | - 🤖 says: Hooray! The action {{.Body}} has been completed successfully. 🎉 - format_error: | - 🤖 says: ‼️ There is a formatting issue with the action, kindly verify the action's format. - permission_error: | - 🤖 says: ‼️ The action doesn't have permission to trigger. - release_error: | - 🤖 says: ‼️ Release action failed. - Error details: {{.Error}} diff --git a/.github/workflows/docs-preview.yml b/.github/workflows/docs-preview.yml index e66e5d64e..9d635773d 100644 --- a/.github/workflows/docs-preview.yml +++ b/.github/workflows/docs-preview.yml @@ -1,7 +1,7 @@ name: Preview FastGPT docs on: - pull_request_target: + pull_request: paths: - 'docSite/**' workflow_dispatch: @@ -72,6 +72,8 @@ jobs: alias-domains: | #Optional fastgpt-staging.vercel.app docsOutput: + permissions: + pull-requests: write needs: [deploy-preview] runs-on: ubuntu-latest steps: 
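Review bot: In `.github/workflows/docs-preview.yml` the `pull-requests: write` grant added to `docsOutput` only takes effect for branches in this repository. Under the new `pull_request` trigger, a run from a fork gets a read-only `GITHUB_TOKEN` and no repository secrets, so the comment step later in that job would be refused, and `deploy-preview` (its steps are outside the hunk) presumably has no deploy credentials either. That is the safer side of the trade, but it should be explicit rather than a red check on every fork PR: gate both jobs with `if: github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository`. If previews for fork PRs are still wanted, a separate `workflow_run` workflow that only posts the comment keeps the write token away from pull-request code.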
@@ -79,18 +81,13 @@ jobs: with: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Write md - run: | - echo "# 🤖 Generated by deploy action" > report.md - echo "[👀 Visit Preview](${{ needs.deploy-preview.outputs.url }})" >> report.md - cat report.md - - name: Gh Rebot for Sealos - uses: labring/gh-rebot@v0.0.6 - if: ${{ (github.event_name == 'pull_request_target') }} + - uses: actions/github-script@v7 with: - version: v0.0.6 - env: - GH_TOKEN: '${{ secrets.GH_PAT }}' - SEALOS_TYPE: 'pr_comment' - SEALOS_FILENAME: 'report.md' - SEALOS_REPLACE_TAG: 'DEFAULT_REPLACE_DEPLOY' + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: '[👀 Visit Preview](${{ needs.deploy-preview.outputs.url }})' + }) diff --git a/.github/workflows/docs-sync_imgs.yml b/.github/workflows/docs-sync_imgs.yml index 19dc28ab2..7ef8cfb80 100644 --- a/.github/workflows/docs-sync_imgs.yml +++ b/.github/workflows/docs-sync_imgs.yml @@ -1,6 +1,6 @@ name: Sync images on: - pull_request_target: + pull_request: branches: - main paths: @@ -15,13 +15,6 @@ jobs: sync: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v3 - if: ${{ (github.event_name == 'pull_request_target') }} - with: - ref: ${{ github.event.pull_request.head.ref }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Checkout uses: actions/checkout@v3 @@ -32,4 +25,4 @@ jobs: CONFIG_PATH: .github/sync_imgs.yml ORIGINAL_MESSAGE: true SKIP_PR: true - COMMIT_EACH_FILE: false \ No newline at end of file + COMMIT_EACH_FILE: false diff --git a/.github/workflows/fastgpt-build-image-personal.yml b/.github/workflows/fastgpt-build-image-personal.yml index f0edad535..8271782bc 100644 --- a/.github/workflows/fastgpt-build-image-personal.yml +++ b/.github/workflows/fastgpt-build-image-personal.yml 
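Review bot: The `actions/github-script@v7` step added to `docsOutput` in `docs-preview.yml` dropped the `if:` guard that the removed gh-rebot step carried, while `workflow_dispatch` is still a trigger. On a manual run there is no pull request, so `context.issue.number` is undefined and `createComment` fails the job. Add `if: ${{ github.event_name == 'pull_request' }}` to the step; the same unguarded step is added in `fastgpt-preview-image.yml`. The checkout of `github.event.pull_request.head.ref` kept as context just above looks unused now that `report.md` is no longer written, and could go if nothing else in the job (outside the hunk) reads the tree.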
@@ -9,6 +9,11 @@ on: - 'main' jobs: build-fastgpt-images: + permissions: + packages: write + contents: read + attestations: write + id-token: write runs-on: ubuntu-20.04 if: github.repository != 'labring/FastGPT' steps: @@ -32,7 +37,7 @@ jobs: with: registry: ghcr.io username: ${{ github.repository_owner }} - password: ${{ secrets.GH_PAT }} + password: ${{ secret.GITHUB_TOKEN }} - name: Set DOCKER_REPO_TAGGED based on branch or tag run: | echo "DOCKER_REPO_TAGGED=ghcr.io/${{ github.repository_owner }}/fastgpt:latest" >> $GITHUB_ENV diff --git a/.github/workflows/fastgpt-build-image.yml b/.github/workflows/fastgpt-build-image.yml index ccd54859c..70926860e 100644 --- a/.github/workflows/fastgpt-build-image.yml +++ b/.github/workflows/fastgpt-build-image.yml @@ -9,6 +9,11 @@ on: - 'v*' jobs: build-fastgpt-images: + permissions: + packages: write + contents: read + attestations: write + id-token: write runs-on: ubuntu-20.04 steps: # install env @@ -39,7 +44,7 @@ jobs: with: registry: ghcr.io username: ${{ github.repository_owner }} - password: ${{ secrets.GH_PAT }} + password: ${{ secret.GITHUB_TOKEN }} - name: Login to Ali Hub uses: docker/login-action@v2 with: @@ -91,6 +96,11 @@ jobs: -t ${Docker_Hub_Latest} \ . build-fastgpt-images-sub-route: + permissions: + packages: write + contents: read + attestations: write + id-token: write runs-on: ubuntu-20.04 steps: # install env @@ -121,7 +131,7 @@ jobs: with: registry: ghcr.io username: ${{ github.repository_owner }} - password: ${{ secrets.GH_PAT }} + password: ${{ secret.GITHUB_TOKEN }} - name: Login to Ali Hub uses: docker/login-action@v2 with: @@ -174,6 +184,11 @@ jobs: -t ${Docker_Hub_Latest} \ . build-fastgpt-images-sub-route-gchat: + permissions: + packages: write + contents: read + attestations: write + id-token: write runs-on: ubuntu-20.04 steps: # install env 
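Review bot: The `permissions:` block added to `build-fastgpt-images` in `fastgpt-build-image-personal.yml` grants `attestations: write` and `id-token: write`, but no step in the visible hunks creates an attestation or requests an OIDC token. Unless a step outside the hunks needs them, keep only `packages: write` and `contents: read`, so that a compromised build step cannot mint identity tokens for the repository. The same four-line block is added to the three jobs in `fastgpt-build-image.yml` and to `fastgpt-preview-image.yml`, `helm-release.yaml` and `sandbox-build-image.yml`. It matters most in the preview workflow, which builds pull-request code.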
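Review bot: `password: ${{ secret.GITHUB_TOKEN }}` in the ghcr.io login of `fastgpt-build-image-personal.yml` names a context that does not exist; the context is `secrets`, so the expression cannot resolve to the token and the workflow should be rejected or the login fail. Change it to `password: ${{ secrets.GITHUB_TOKEN }}`, which is how `sandbox-build-image.yml` and `helm-release.yaml` in this same commit spell it. The same typo is in all three ghcr.io logins of `fastgpt-build-image.yml` (the hunks starting at new lines 44, 131 and 219).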
@@ -204,7 +219,7 @@ jobs: with: registry: ghcr.io username: ${{ github.repository_owner }} - password: ${{ secrets.GH_PAT }} + password: ${{ secret.GITHUB_TOKEN }} - name: Login to Ali Hub uses: docker/login-action@v2 with: diff --git a/.github/workflows/fastgpt-preview-image.yml b/.github/workflows/fastgpt-preview-image.yml index 1622cce2a..adbefade4 100644 --- a/.github/workflows/fastgpt-preview-image.yml +++ b/.github/workflows/fastgpt-preview-image.yml @@ -1,10 +1,15 @@ name: Preview FastGPT images on: - pull_request_target: + pull_request: workflow_dispatch: jobs: preview-fastgpt-images: + permissions: + packages: write + contents: read + attestations: write + id-token: write runs-on: ubuntu-20.04 steps: - name: Checkout @@ -48,20 +53,13 @@ jobs: --cache-to=type=local,dest=/tmp/.buildx-cache \ -t ${DOCKER_REPO_TAGGED} \ . - # Add write md step after build - - name: Write md - run: | - echo "# 🤖 Generated by deploy action" > report.md - echo "📦 Preview Image: \`${DOCKER_REPO_TAGGED}\`" >> report.md - cat report.md - - - name: Gh Rebot for Sealos - uses: labring/gh-rebot@v0.0.6 - if: ${{ (github.event_name == 'pull_request_target') }} + - uses: actions/github-script@v7 with: - version: v0.0.6 - env: - GH_TOKEN: '${{ secrets.GH_PAT }}' - SEALOS_TYPE: 'pr_comment' - SEALOS_FILENAME: 'report.md' - SEALOS_REPLACE_TAG: 'DEFAULT_REPLACE_DEPLOY' + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Preview Image: ${{ env.DOCKER_REPO_TAGGED }}' + }) diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml index 25f7fb771..bcbb5b7b6 100644 --- a/.github/workflows/helm-release.yaml +++ b/.github/workflows/helm-release.yaml @@ -8,6 +8,11 @@ on: jobs: helm: + permissions: + packages: write + contents: read + attestations: write + id-token: write runs-on: ubuntu-20.04 steps: - name: Checkout 
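Review bot: The `permissions:` block added to `preview-fastgpt-images` in `fastgpt-preview-image.yml` omits `pull-requests: write`, yet the `github-script` step added further down the file calls `github.rest.issues.createComment`. Once a job declares `permissions:`, every scope it does not list is set to none, so the comment call would be refused. Add `pull-requests: write`, as the `docsOutput` job in `docs-preview.yml` does. This assumes the comment step belongs to this job; only one job is visible in the hunks.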
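Review bot: `body: 'Preview Image: ${{ env.DOCKER_REPO_TAGGED }}'` in the new `github-script` step of `fastgpt-preview-image.yml` is expanded into the JavaScript source before the script runs, so the value is treated as code rather than data and a quote or newline in it changes the script. Where `DOCKER_REPO_TAGGED` is set is outside the hunk; if it is exported through `$GITHUB_ENV` it is already in the step's environment and can be read as `body: 'Preview Image: ' + process.env.DOCKER_REPO_TAGGED`. `docs-preview.yml` has the same pattern with `needs.deploy-preview.outputs.url`, which would first need a step-level `env:` entry to carry the value.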
@@ -20,7 +25,7 @@ jobs: run: echo "tag=$(git describe --tags)" >> $GITHUB_OUTPUT - name: Release Helm run: | - echo ${{ secrets.GH_PAT }} | helm registry login ghcr.io -u ${{ github.repository_owner }} --password-stdin + echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ghcr.io -u ${{ github.repository_owner }} --password-stdin export APP_VERSION=${{ steps.vars.outputs.tag }} export HELM_VERSION=${{ steps.vars.outputs.tag }} export HELM_REPO=ghcr.io/${{ github.repository_owner }} diff --git a/.github/workflows/sandbox-build-image.yml b/.github/workflows/sandbox-build-image.yml index 8e58daf46..873582cf3 100644 --- a/.github/workflows/sandbox-build-image.yml +++ b/.github/workflows/sandbox-build-image.yml @@ -8,6 +8,11 @@ on: - 'v*' jobs: build-fastgpt-sandbox-images: + permissions: + packages: write + contents: read + attestations: write + id-token: write runs-on: ubuntu-20.04 steps: # install env @@ -38,7 +43,7 @@ jobs: with: registry: ghcr.io username: ${{ github.repository_owner }} - password: ${{ secrets.GH_PAT }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Ali Hub uses: docker/login-action@v2 with:
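Review bot: `echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ...` in `helm-release.yaml` still pastes the token into the script text unquoted, so the shell parses the secret as part of the command line instead of receiving it as data. Pass it through the step's environment: add `env:` with `REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to the step and pipe `echo "$REGISTRY_TOKEN" | helm registry login ghcr.io -u ${{ github.repository_owner }} --password-stdin`. The `run:` block continues past the end of the hunk, so the remaining `${{ steps.vars.outputs.tag }}` expansions there are worth the same treatment.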