From 764f90833112b2dfb62c98860da22e8fd48bc8cf Mon Sep 17 00:00:00 2001
From: saicheran
Date: Wed, 13 Aug 2025 19:09:15 -0400
Subject: [PATCH 01/10] call reusable workflows

---
 .github/workflows/pr_add_jira_summary.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/pr_add_jira_summary.yml b/.github/workflows/pr_add_jira_summary.yml
index 199d6e71d..adbff0e16 100644
--- a/.github/workflows/pr_add_jira_summary.yml
+++ b/.github/workflows/pr_add_jira_summary.yml
@@ -1,4 +1,7 @@
 name: Add JIRA issue summary
+permissions:
+  contents: read
+  pull-requests: write
 
 on:
   pull_request_target:

From d00429b1f1b571e45657d62b3d42aae8ead8f472 Mon Sep 17 00:00:00 2001
From: saicheran
Date: Wed, 13 Aug 2025 20:47:26 -0400
Subject: [PATCH 02/10] Refactor workflows to reuse components for JIRA issue creation and static analysis

---
 .github/workflows/pr_add_jira_summary.yml | 7 ++++---
 .github/workflows/python_analysis.yml | 9 ++++++++-
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/pr_add_jira_summary.yml b/.github/workflows/pr_add_jira_summary.yml
index adbff0e16..669789c4b 100644
--- a/.github/workflows/pr_add_jira_summary.yml
+++ b/.github/workflows/pr_add_jira_summary.yml
@@ -1,7 +1,5 @@
 name: Add JIRA issue summary
-permissions:
-  contents: read
-  pull-requests: write
+
 
 on:
   pull_request_target:
@@ -10,4 +8,7 @@ on:
 jobs:
   call-workflow-add-jira-issue-summary:
     uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-pr_add_jira_summary.yml@main
+    permissions:
+      contents: read
+      pull-requests: write
     secrets: inherit
diff --git a/.github/workflows/python_analysis.yml b/.github/workflows/python_analysis.yml
index 0d6a6e7a5..c285db962 100644
--- a/.github/workflows/python_analysis.yml
+++ b/.github/workflows/python_analysis.yml
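Review bot: The `uses:` line in this hunk references the reusable workflow by the mutable branch ref `@main`, while the job still forwards every repository secret through `secrets: inherit` and the workflow is triggered by `pull_request_target`; whoever can push to CI-tools' main branch (or compromises that repository) can therefore change what runs with this repo's secrets and write-capable token, and the job-level `permissions` added here do not constrain what the callee does with inherited secrets. Pin the callee to a full commit SHA with the version noted alongside, e.g. `uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-pr_add_jira_summary.yml@<40-char-sha> # v1.x`, so that Dependabot/Renovate can bump it deliberately. The same `@main` pin is used by every reusable-workflow call in this series and is never tightened in later patches.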
@@ -24,21 +24,28 @@ concurrency:
 jobs:
   call-workflow-static-analysis:
     name: Static analysis
+    permissions:
+      contents: read
+      pull-requests: read
     uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-static_analysis.yml@main
     with:
       package-manager: 'conda'
       app-name: 'geoapps'
       python-version: '3.10'
+
   call-workflow-pytest:
     name: Pytest
+    permissions:
+      contents: read
+      pull-requests: read
     uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-pytest.yml@main
     with:
       package-manager: 'conda'
       python-versions: '["3.10"]'
       os: '["ubuntu-latest", "windows-latest"]'
+      lfs: true
       cache-number: 1
       codecov-reference-python-version: '3.10'
       codecov-reference-os: '["windows-latest"]'
-      lfs: true
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

From 566a697f40237779cc00e2c0d47bd0f22e0ffacd Mon Sep 17 00:00:00 2001
From: saicheran
Date: Wed, 13 Aug 2025 21:06:12 -0400
Subject: [PATCH 03/10] Refactor JIRA issue creation workflow permissions and remove obsolete pytest workflows for Unix and Windows

---
 .github/workflows/issue_to_jira.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/issue_to_jira.yml b/.github/workflows/issue_to_jira.yml
index e58f93902..7724de1e9 100644
--- a/.github/workflows/issue_to_jira.yml
+++ b/.github/workflows/issue_to_jira.yml
@@ -7,6 +7,9 @@ on:
 jobs:
   call-workflow-create-jira-issue:
     uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-issue_to_jira.yml@main
+    permissions:
+      contents: read
+      issues: write
     secrets: inherit
     with:
       project-key: 'GEOPY'

From 1734955c56fffea48cd2e2679f49f6430738d44f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Hensgen?=
Date: Wed, 13 Aug 2025 22:51:41 -0400
Subject: [PATCH 04/10] add workflow to run zizmor

---
 .github/workflows/zizmor-security.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 .github/workflows/zizmor-security.yml
diff --git a/.github/workflows/zizmor-security.yml b/.github/workflows/zizmor-security.yml
new file mode 100644
index 000000000..03caa5f7c
--- /dev/null
+++ b/.github/workflows/zizmor-security.yml
@@ -0,0 +1,26 @@
+name: Zizmor analysis
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    branches:
+      - develop
+      - main
+      - release/**
+      - feature/**
+      - hotfix/**
+  push:
+    branches:
+      - main
+      - develop
+      - feature/**
+      - hotfix/**
+      - release/**
+
+jobs:
+  call-workflow-zizmor:
+    name: Zizmor analysis
+    permissions:
+      contents: read
+      actions: read
+    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-zizmor-security.yml@main

From 80cda4907ecbb45c4e08b2b45939ad08bb2368d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Hensgen?=
Date: Wed, 13 Aug 2025 22:58:11 -0400
Subject: [PATCH 05/10] address zizmor warnings

---
 .github/workflows/issue_to_jira.yml | 10 ++++++----
 .github/workflows/pr_add_jira_summary.yml | 11 ++++++++---
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/issue_to_jira.yml b/.github/workflows/issue_to_jira.yml
index 7724de1e9..75917d64e 100644
--- a/.github/workflows/issue_to_jira.yml
+++ b/.github/workflows/issue_to_jira.yml
@@ -1,4 +1,7 @@
 name: Create JIRA issue
+permissions:
+  contents: read
+  issues: write
 
 on:
   issues:
@@ -7,10 +10,9 @@ on:
 jobs:
   call-workflow-create-jira-issue:
     uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-issue_to_jira.yml@main
-    permissions:
-      contents: read
-      issues: write
-    secrets: inherit
+    secrets:
+      JIRA_TOKEN: ${{ secrets.JIRA_TOKEN }}
+      JIRA_URL: ${{ secrets.JIRA_URL }}
     with:
       project-key: 'GEOPY'
       components: '[{"name": "geoapps"}]'
diff --git a/.github/workflows/pr_add_jira_summary.yml b/.github/workflows/pr_add_jira_summary.yml
index 669789c4b..a4cc5ea5c 100644
--- a/.github/workflows/pr_add_jira_summary.yml
+++ b/.github/workflows/pr_add_jira_summary.yml
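Review bot: The `call-workflow-zizmor` job grants only `contents: read` and `actions: read`; if the reusable workflow uploads zizmor's SARIF to code scanning (the usual reason for granting `actions: read`), it also needs `security-events: write`, which is absent here and would make the upload step fail — confirm against the callee and either add `security-events: write` or drop `actions: read` if results are only printed. The `uses:` line references a security scanner at the mutable `@main` ref; pin it to a commit SHA so the scan logic cannot be changed out from under this repository. The `pull_request` and `push` triggers list the same branch patterns, so a push to an open PR branch runs the scan twice; restricting `push` to `main`/`develop` or adding a `concurrency` group would avoid the duplicate run.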
@@ -1,9 +1,11 @@
 name: Add JIRA issue summary
-
 
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize]
+permissions:
+  contents: read
+  pull-requests: write
 
 jobs:
   call-workflow-add-jira-issue-summary:
@@ -11,4 +13,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
-    secrets: inherit
+    secrets:
+      JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
+      JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
+      JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}

From c2c880a0bd6188fafecf90d85b50d544586a19b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Hensgen?=
Date: Wed, 13 Aug 2025 22:59:15 -0400
Subject: [PATCH 06/10] do not repopulate PR title upon changes remove synchronize event trigger

---
 .github/workflows/pr_add_jira_summary.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/pr_add_jira_summary.yml b/.github/workflows/pr_add_jira_summary.yml
index a4cc5ea5c..4147698d4 100644
--- a/.github/workflows/pr_add_jira_summary.yml
+++ b/.github/workflows/pr_add_jira_summary.yml
@@ -2,7 +2,7 @@ name: Add JIRA issue summary
 
 on:
   pull_request:
-    types: [opened, synchronize]
+    types: [opened]
 permissions:
   contents: read
   pull-requests: write

From 921911ee3d0b7c802ee60e3280afd72f31b5b04f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Hensgen?=
Date: Wed, 13 Aug 2025 23:41:50 -0400
Subject: [PATCH 07/10] do not run Jira related workflows on forks

---
 .github/workflows/issue_to_jira.yml | 1 +
 .github/workflows/pr_add_jira_summary.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.github/workflows/issue_to_jira.yml b/.github/workflows/issue_to_jira.yml
index 75917d64e..8a7d4a43a 100644
--- a/.github/workflows/issue_to_jira.yml
+++ b/.github/workflows/issue_to_jira.yml
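Review bot: The workflow-level `permissions:` block added in this hunk grants `pull-requests: write` to every job in the file, while the only job (`call-workflow-add-jira-issue-summary`, whose grant appears in the second hunk) already declares exactly the same permissions at job level, so the top-level block is redundant and silently widens the default for any job added later. Prefer the shape zizmor recommends: an empty top-level `permissions: {}` with the grants kept on the job. Moving from `pull_request_target` to `pull_request` is the right call for secret handling, but PRs from forks now receive a read-only token and no secrets, so this job fails on them rather than skipping unless it is gated on the head repository (a later patch in the series adds such an `if:`).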
@@ -9,6 +9,7 @@ on:
 
 jobs:
   call-workflow-create-jira-issue:
+    if: github.event.pull_request.head.repo.full_name == 'MiraGeoscience/geoapps' # do not run on repository forks
     uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-issue_to_jira.yml@main
     secrets:
       JIRA_TOKEN: ${{ secrets.JIRA_TOKEN }}
diff --git a/.github/workflows/pr_add_jira_summary.yml b/.github/workflows/pr_add_jira_summary.yml
index 4147698d4..5baf9cd63 100644
--- a/.github/workflows/pr_add_jira_summary.yml
+++ b/.github/workflows/pr_add_jira_summary.yml
@@ -9,6 +9,7 @@ permissions:
 
 jobs:
   call-workflow-add-jira-issue-summary:
+    if: github.event.pull_request.head.repo.full_name == 'MiraGeoscience/geoapps' # do not run on repository forks
     uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-pr_add_jira_summary.yml@main
     permissions:
       contents: read

From 9984e9e90596c8c0e72268d5d007173776a3bac3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Hensgen?=
Date: Wed, 13 Aug 2025 23:42:21 -0400
Subject: [PATCH 08/10] fix secrets for Jira workflow

---
 .github/workflows/issue_to_jira.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/issue_to_jira.yml b/.github/workflows/issue_to_jira.yml
index 8a7d4a43a..7e5a8f4df 100644
--- a/.github/workflows/issue_to_jira.yml
+++ b/.github/workflows/issue_to_jira.yml
@@ -12,8 +12,9 @@ jobs:
     if: github.event.pull_request.head.repo.full_name == 'MiraGeoscience/geoapps' # do not run on repository forks
     uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-issue_to_jira.yml@main
     secrets:
-      JIRA_TOKEN: ${{ secrets.JIRA_TOKEN }}
-      JIRA_URL: ${{ secrets.JIRA_URL }}
+      JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
+      JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
+      JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
     with:
       project-key: 'GEOPY'
       components: '[{"name": "geoapps"}]'

From 53227c1be2187538e6431a5174f98816505e1817 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Hensgen?=
Date: Thu, 14 Aug 2025 00:33:19 -0400
Subject: [PATCH 09/10] fix condition for issue_to_jira workflow

---
 .github/workflows/issue_to_jira.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/issue_to_jira.yml b/.github/workflows/issue_to_jira.yml
index 7e5a8f4df..de8b53b47 100644
--- a/.github/workflows/issue_to_jira.yml
+++ b/.github/workflows/issue_to_jira.yml
@@ -9,7 +9,7 @@ on:
 
 jobs:
   call-workflow-create-jira-issue:
-    if: github.event.pull_request.head.repo.full_name == 'MiraGeoscience/geoapps' # do not run on repository forks
+    if: github.repository == 'MiraGeoscience/geoapps' # do not run on repository forks
     uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-issue_to_jira.yml@main
     secrets:
       JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}

From ff9a537f3003ae34dce35dfb3bad60b5d2462c5c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Hensgen?=
Date: Thu, 14 Aug 2025 00:49:48 -0400
Subject: [PATCH 10/10] improve conditions and comments

---
 .github/workflows/issue_to_jira.yml | 2 +-
 .github/workflows/pr_add_jira_summary.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/issue_to_jira.yml b/.github/workflows/issue_to_jira.yml
index de8b53b47..d9d55ee67 100644
--- a/.github/workflows/issue_to_jira.yml
+++ b/.github/workflows/issue_to_jira.yml
@@ -9,7 +9,7 @@ on:
 
 jobs:
   call-workflow-create-jira-issue:
-    if: github.repository == 'MiraGeoscience/geoapps' # do not run on repository forks
+    if: startsWith(github.repository, 'MiraGeoscience/') # run on the Mira repo only
     uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-issue_to_jira.yml@main
     secrets:
       JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
diff --git a/.github/workflows/pr_add_jira_summary.yml b/.github/workflows/pr_add_jira_summary.yml
index 5baf9cd63..7080902ab 100644
--- a/.github/workflows/pr_add_jira_summary.yml
+++ b/.github/workflows/pr_add_jira_summary.yml
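Review bot: The new condition `startsWith(github.repository, 'MiraGeoscience/')` in the PATCH 10 hunk matches any repository under the MiraGeoscience owner, not "the Mira repo only" as the trailing comment claims, so the comment is now inaccurate. The intent is expressed more directly, and without string-prefix matching, as `if: github.repository_owner == 'MiraGeoscience' # only in the MiraGeoscience org; a fork's own copy of this workflow lacks the JIRA secrets`. Stating that rationale in the comment is worth it, because the gate's real effect is to stop a fork's copy of the workflow from running and failing on missing `JIRA_*` secrets, not to protect this repository from fork input.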
@@ -9,7 +9,7 @@ permissions:
 
 jobs:
   call-workflow-add-jira-issue-summary:
-    if: github.event.pull_request.head.repo.full_name == 'MiraGeoscience/geoapps' # do not run on repository forks
+    if: startsWith(github.event.pull_request.head.repo.full_name, 'MiraGeoscience/') # run if PR originates from the Mira repo only
     uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-pr_add_jira_summary.yml@main
     permissions:
       contents: read