Skip to content

ci: grant dependabot status update permissions #8059

ci: grant dependabot status update permissions

ci: grant dependabot status update permissions #8059

Workflow file for this run

---
name: Compliance
on:
push:
branches: [main]
pull_request:
branches: [main]
merge_group:
types: [checks_requested]
branches: [main]
permissions:
contents: read # This is required for actions/checkout
id-token: write # This is required for requesting the JWT/OIDC
statuses: write # Required for dependabot PRs https://github.com/ouzi-dev/commit-status-updater?tab=readme-ov-file#workflow-permissions
jobs:
duvet:
runs-on: ubuntu-latest
steps:
- name: Clone s2n-tls
uses: actions/checkout@v3
- name: Clone s2n-quic
uses: actions/checkout@v3
with:
repository: aws/s2n-quic
path: ./s2n-quic
submodules: true
- name: Run duvet action
uses: ./s2n-quic/.github/actions/duvet
with:
s2n-quic-dir: ./s2n-quic
report-script: compliance/generate_report.sh
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2ntlsGHAS3Session
aws-s3-bucket-name: s2n-tls-ci-artifacts
aws-s3-region: us-west-2
cdn: https://d3fqnyekunr9xg.cloudfront.net
- name: Extract RFC spec data
working-directory: ./compliance
run: ./initialize_duvet.sh
shell: bash
- name: Check if there are uncommitted changes
run: |
# If this fails you need to run `cd compliance && ./compliance/initialize_duvet.sh`
#
# Use 'git status --porcelain' instead of 'git diff --exit-code' since git diff
# only detects diffs but fails to detect new files. Ignore the s2n-quic dir
# `(:!s2n-quic)` since we explicitly clone the repo as part of this job.
git_status=$(git status --porcelain -- ':!s2n-quic')
if [ -n "$git_status" ]; then
echo "Found uncommitted changes:"
echo "$git_status"
exit 1
else
echo "Workspace is clean"
fi
shell: bash