[codex] Add manifest-derived permissions and Postgres RLS (#1108) #690
| name: On Merge to Main | |
| # Testing hook validation | |
| on: | |
| push: | |
| branches: [main] | |
| workflow_dispatch: | |
| inputs: | |
| skip-docs: | |
| description: 'Skip documentation deployment' | |
| required: false | |
| type: boolean | |
| default: false | |
| concurrency: ${{ github.workflow }}-${{ github.ref }} | |
| env: | |
| FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true' | |
| permissions: | |
| contents: write | |
| packages: write | |
| pull-requests: write | |
| id-token: write | |
| pages: write | |
| actions: write | |
| jobs: | |
| # Cancel any in-progress PR validation checks when PR is merged | |
| cancel-pr-checks: | |
| name: Cancel PR Validation Checks | |
| if: github.event_name == 'push' | |
| runs-on: arc-happyvertical | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 2 | |
| - name: Extract PR number from merge commit | |
| id: get-pr | |
| run: | | |
| # Get PR number from merge commit message | |
| pr_number=$(git log -1 --pretty=%B | \ | |
| grep -oP '#\K\d+' | head -1) | |
| if [ -n "$pr_number" ]; then | |
| echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT" | |
| echo "📝 Detected merged PR: #$pr_number" | |
| else | |
| echo "ℹ️ No PR number found in commit message" | |
| fi | |
| - name: Cancel in-progress PR workflows | |
| if: steps.get-pr.outputs.pr_number | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| pr_number="${{ steps.get-pr.outputs.pr_number }}" | |
| echo "🔍 Looking for running workflows for PR #$pr_number..." | |
| # Find in-progress workflow runs for on-pull-request.yml | |
| jq_filter='.[] | select(.status == "in_progress"' | |
| jq_filter="$jq_filter"' or .status == "queued")' | |
| jq_filter="$jq_filter"' | select(.headBranch' | |
| jq_filter="$jq_filter"' | test("'"$pr_number"'$"))' | |
| jq_filter="$jq_filter"' | .databaseId' | |
| runs=$(gh run list \ | |
| --repo "${{ github.repository }}" \ | |
| --workflow="on-pull-request.yml" \ | |
| --json databaseId,status,headBranch \ | |
| --jq "$jq_filter" \ | |
| --limit 50) | |
| if [ -z "$runs" ]; then | |
| echo "✅ No running PR workflows to cancel" | |
| exit 0 | |
| fi | |
| # Cancel each in-progress run | |
| cancelled=0 | |
| failed=0 | |
| for run_id in $runs; do | |
| echo "🛑 Cancelling workflow run: $run_id" | |
| if gh run cancel "$run_id" \ | |
| --repo "${{ github.repository }}"; then | |
| ((cancelled++)) | |
| else | |
| ((failed++)) | |
| fi | |
| done | |
| echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" | |
| echo "✅ Cancelled $cancelled workflow run(s) for PR #$pr_number" | |
| if [ $failed -gt 0 ]; then | |
| echo "⚠️ Failed to cancel $failed workflow run(s)" | |
| fi | |
| echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" | |
| # Run tests | |
| test: | |
| name: Test | |
| if: always() | |
| uses: ./.github/workflows/test.yml | |
| permissions: | |
| contents: read | |
| packages: read | |
| # Build packages | |
| build: | |
| name: Build | |
| needs: test | |
| if: always() && needs.test.result == 'success' | |
| uses: ./.github/workflows/build.yml | |
| permissions: | |
| contents: read | |
| packages: read | |
| # Publish packages and deploy docs | |
| publish: | |
| name: Publish | |
| needs: build | |
| if: | | |
| always() && | |
| needs.build.result == 'success' | |
| uses: ./.github/workflows/publish.yml | |
| secrets: inherit | |
| permissions: | |
| contents: write | |
| issues: write | |
| pull-requests: write | |
| packages: write | |
| id-token: write | |
| pages: write |
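Review bot: The counters in the cancel loop (`((cancelled++))` and `((failed++))` in the "Cancel in-progress PR workflows" step) return a non-zero status when the variable is 0, so under the `bash -e` that GitHub uses for `run:` by default the step would abort on the very first successful `gh run cancel`; use `cancelled=$((cancelled + 1))` and `failed=$((failed + 1))` instead. The `headBranch | test("<pr_number>$")` filter is also only a suffix match, so PR 234 would match a branch ending in 1234 and, if branch names do not carry the PR number at all, nothing is cancelled — presumably the repository's branch naming guarantees this, but it is worth stating in the comment above the filter. Passing the PR number via `env:` rather than interpolating `${{ steps.get-pr.outputs.pr_number }}` into the script body keeps the step free of expression injection even if the extraction regex is loosened later. Finally, `cancel-pr-checks` has no job-level `permissions:` block and therefore inherits the workflow-level set (`contents`, `packages`, `pages`, `id-token`, `actions`: write); it only cancels runs, so a job-level `permissions: { actions: write }` would match the least-privilege pattern the other jobs already follow.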