supabase/.github/workflows/docs-sync-auto-troubleshooting.yml
Etienne Stalmans c9cc6cd835 chore: cleanup gh actions (#46454)
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.

YES

## What kind of change does this PR introduce?

Chore, CI hardening


## Additional context

Hardens all GitHub Actions workflows following the recommendations of
[zizmor](https://docs.zizmor.sh/audits/).

## Summary by CodeRabbit

* **Chores**
  * Disabled persistence of checkout credentials across many CI workflows to reduce credential exposure.
  * Upgraded GitHub App token tooling and tightened generated token permissions for automation.
  * Added cooldown/rate-limiting to dependency update automation to reduce update churn.
  * Adjusted workflow-level permissions, required secret inputs for workflow callers, and refactored some job step logic.


---------

Co-authored-by: Ali Waseem <waseema393@gmail.com>
2026-05-28 17:31:04 +02:00


```yaml
# Sync AI-generated troubleshooting guides from supabase/troubleshooting
name: Sync from supabase/troubleshooting

on:
  repository_dispatch:
    types: [sync_from_upstream]
  workflow_dispatch:

# Workflow-level grant for GITHUB_TOKEN: the sync step pushes a branch with git,
# and gh opens or comments on the PR.
permissions:
  contents: write
  pull-requests: write

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout supabase/supabase
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          # Credentials stay in .git/config on purpose: the sync step below
          # runs `git push origin` against this checkout.
          persist-credentials: true

      - name: Install pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
        with:
          run_install: false

      - name: Use Node.js
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version-file: '.nvmrc'
          cache: 'pnpm'

      - name: Install deps
        run: pnpm install --frozen-lockfile

      # Short-lived App installation token scoped to one repository with read-only contents.
      - name: Create GitHub App token for supabase/troubleshooting
        id: app-token
        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        with:
          client-id: ${{ vars.DOCS_GITHUB_APP_CLIENT_ID }}
          private-key: ${{ secrets.DOCS_GITHUB_APP_PRIVATE_KEY_V2 }}
          repositories: troubleshooting
          permission-contents: read

      - name: Checkout supabase/troubleshooting
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          # Nothing is pushed to the upstream repo, so the token is not kept on disk.
          persist-credentials: false
          token: ${{ steps.app-token.outputs.token }}
          repository: supabase/troubleshooting
          path: troubleshooting-upstream

      # Separate App token, limited to pull-requests: write, used only by gh below.
      - name: Generate PR token
        id: pr-token
        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        with:
          client-id: ${{ vars.GH_AUTOFIX_APP_CLIENT_ID }}
          private-key: ${{ secrets.GH_AUTOFIX_PRIVATE_KEY }}
          permission-pull-requests: write

      - name: Sync supabase/troubleshooting changes back to supabase/supabase
        env:
          GH_TOKEN: ${{ steps.pr-token.outputs.token }}
        run: |
          git config user.name 'github-docs-bot'
          git config user.email 'github-docs-bot@supabase.com'

          BRANCH_NAME="bot/sync-troubleshooting"
          EXISTING_BRANCH=$(git ls-remote --heads origin $BRANCH_NAME)
          if [[ -n "$EXISTING_BRANCH" ]]; then
            git push origin --delete $BRANCH_NAME
          fi
          git checkout -b $BRANCH_NAME

          rsync --archive --verbose --ignore-existing ./troubleshooting-upstream/guides/ ./apps/docs/content/troubleshooting/
          pnpm format

          git add apps/docs/content/troubleshooting/
          if git diff --quiet --cached; then
            echo "No changes to sync"
            exit 0
          fi

          git commit --message "Sync from supabase/troubleshooting"
          git push origin $BRANCH_NAME

          if gh pr list --state open --head $BRANCH_NAME --json number --jq '.[0].number' | grep -q .; then
            gh pr comment "$BRANCH_NAME" --body "Updated troubleshooting sync with latest changes."
          else
            gh pr create --title "[bot] Sync from supabase/troubleshooting" --body "This PR syncs the latest troubleshooting guides from the supabase/troubleshooting repository." --head $BRANCH_NAME
          fi
```
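The three hardening properties this workflow exhibits (every third-party action pinned to a full commit SHA, `persist-credentials` set explicitly on each checkout, and a workflow-level `permissions` block) are the ones the zizmor audits named in the commit message check for. The following checker is an added example, not Supabase's code and not zizmor itself: it is a stdlib-only, line-oriented scan of a workflow file that reproduces those three checks, so it handles the common `uses:` / `with:` layout shown above but is not a full YAML parser. The `WEAK`, `HARDENED` and `PUSHING` workflows are constructed inputs for the example.

```python
"""Minimal audit of a GitHub Actions workflow for three hardening properties:
unpinned `uses:` refs, `actions/checkout` credential persistence, and a missing
workflow-level `permissions:` block. Added example; regex-based, stdlib only."""
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"@[0-9a-f]{40}$")           # full commit SHA after the '@'
STEP_START_RE = re.compile(r"^\s*-\s+\S")          # next list item under steps:
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*(true|false)\b")
TOP_PERMS_RE = re.compile(r"^permissions:")        # column 0 = workflow level


def step_block(lines, start):
    """Lines belonging to the step whose `uses:` is at index `start`
    (everything up to the next `- ` list item)."""
    for j in range(start + 1, len(lines)):
        if STEP_START_RE.match(lines[j]):
            return lines[start + 1:j]
    return lines[start + 1:]


def audit_workflow(text: str) -> list[str]:
    lines = text.splitlines()
    findings = []
    if not any(TOP_PERMS_RE.match(l) for l in lines):
        findings.append("no workflow-level permissions block; GITHUB_TOKEN gets the repository default")
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local or container actions are not tag-pinned
        if not SHA_RE.search(ref):
            findings.append(f"line {i + 1}: {ref} uses a mutable ref, not a commit SHA")
        if ref.startswith("actions/checkout@"):
            persist = None
            for l in step_block(lines, i):
                pm = PERSIST_RE.match(l)
                if pm:
                    persist = pm.group(1)
                    break
            if persist is None:
                findings.append(f"line {i + 1}: checkout without persist-credentials: false "
                                "(the default leaves the token in .git/config)")
            elif persist == "true":
                findings.append(f"line {i + 1}: checkout persists credentials; "
                                "acceptable only if a later step pushes with git")
    return findings


# Constructed sample workflows (not from any real repository).
WEAK = """\
name: weak
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Build
        run: make
"""

HARDENED = """\
name: hardened
on: push
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          persist-credentials: false
      - name: Build
        run: make
"""

# Same as HARDENED but keeps credentials, as the sync workflow above does for its git push.
PUSHING = HARDENED.replace("persist-credentials: false", "persist-credentials: true")

if __name__ == "__main__":
    for name, wf in (("WEAK", WEAK), ("HARDENED", HARDENED), ("PUSHING", PUSHING)):
        print(name, audit_workflow(wf) or ["clean"])
```

Run it against a real workflow with `audit_workflow(open(".github/workflows/x.yml").read())`. The `PUSHING` case is the one to read carefully: a persisted token is a finding worth a comment, not an automatic failure, because a step that runs `git push` against the checkout needs it, exactly as the first checkout above does.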