diff --git a/.copier-answers.safe-settings.yml b/.copier-answers.safe-settings.yml index c05f9f3..d375309 100644 --- a/.copier-answers.safe-settings.yml +++ b/.copier-answers.safe-settings.yml @@ -1,3 +1,3 @@ # Changes here will be overwritten by Copier; NEVER EDIT MANUALLY -_commit: v1.1.0 +_commit: v2.0.0 _src_path: https://github.com/dafyddj/copier-safe-settings diff --git a/.github/workflows/libsafe-settings.yml b/.github/workflows/libsafe-settings.yml new file mode 100644 index 0000000..b366610 --- /dev/null +++ b/.github/workflows/libsafe-settings.yml @@ -0,0 +1,72 @@ +name: Apply Safe Settings +on: + workflow_call: + inputs: + admin-repo: + type: string + default: .github + app-id: + required: true + type: string + config-path: + type: string + default: safe-settings + deployment-config-file: + type: string + default: deployment-settings.yml + dry-run: + type: boolean + default: true + skip-dry-run-errors: + type: boolean + default: true + secrets: + private-key: + required: true + +permissions: {} + +jobs: + apply-safe-settings: + permissions: + contents: read + runs-on: ubuntu-24.04 + environment: ${{ github.ref_name == github.event.repository.default_branch && 'production' || 'test' }} + env: + # Version/tag of `github/safe-settings` repository to use: + SAFE_SETTINGS_VERSION: ff7a65655d33006b9820479df0a9e1057a8927e4 # 2.1.17 + + # Path on GHA runner box where safe-settings code downloaded to: + SAFE_SETTINGS_CODE_DIR: .safe-settings-code + steps: + # Self-checkout to access deployment configuration + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + # Checkout of `safe-settings` source repository to run app + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + repository: github/safe-settings + ref: ${{ env.SAFE_SETTINGS_VERSION }} + path: ${{ env.SAFE_SETTINGS_CODE_DIR }} + persist-credentials: false + - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 + with: + cache: npm + cache-dependency-path: ${{ env.SAFE_SETTINGS_CODE_DIR }}/package-lock.json + node-version-file: ${{ env.SAFE_SETTINGS_CODE_DIR }}/.nvmrc + - run: npm install + working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }} + - name: Run Safe-Settings Full-Sync + continue-on-error: ${{ inputs.dry-run && inputs.skip-dry-run-errors }} + run: | + npm run full-sync + working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }} + env: + APP_ID: ${{ inputs.app-id }} + ADMIN_REPO: ${{ inputs.admin-repo }} + CONFIG_PATH: ${{ inputs.config-path }} + DEPLOYMENT_CONFIG_FILE: ${{ github.workspace }}/${{ inputs.config-path }}/${{ inputs.deployment-config-file }} + FULL_SYNC_NOP: ${{ inputs.dry-run }} + LOG_LEVEL: ${{ vars.SAFE_SETTINGS_LOG_LEVEL || 'debug' }} + PRIVATE_KEY: ${{ secrets.private-key }} diff --git a/.github/workflows/safe-settings.yml b/.github/workflows/safe-settings.yml index da653e1..613f478 100644 --- a/.github/workflows/safe-settings.yml +++ b/.github/workflows/safe-settings.yml @@ -14,54 +14,9 @@ jobs: apply-safe-settings: permissions: contents: read - runs-on: ubuntu-24.04 - environment: ${{ github.ref_name == github.event.repository.default_branch && 'production' || 'test' }} - env: - # Version/tag of `github/safe-settings` repository to use: - SAFE_SETTINGS_VERSION: ff7a65655d33006b9820479df0a9e1057a8927e4 # 2.1.17 - - # Path on GHA runner box where safe-settings code downloaded to: - SAFE_SETTINGS_CODE_DIR: .safe-settings-code - steps: - # Self-checkout of 'admin' repo for access to safe-settings deployment configuration - - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - with: - persist-credentials: false - - # Checkout of `safe-settings` source repository to apply all settings - - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - with: - repository: github/safe-settings - ref: ${{ env.SAFE_SETTINGS_VERSION }} - path: ${{ env.SAFE_SETTINGS_CODE_DIR }} - persist-credentials: false - - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 - with: - cache: npm - cache-dependency-path: ${{ env.SAFE_SETTINGS_CODE_DIR }}/package-lock.json - node-version-file: ${{ env.SAFE_SETTINGS_CODE_DIR }}/.nvmrc - - run: npm install - working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }} - - name: Run Safe-Settings Full-Sync - run: | - set +e # Allow commands to fail - npm run full-sync - exit_code=$? - echo "Full-sync exit code: $exit_code" - - if [[ "$FULL_SYNC_NOP" == "true" ]]; then - echo "Dry-run mode — ignoring failure" - exit 0 - fi - - exit $exit_code - working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }} - env: - APP_ID: ${{ vars.SAFE_SETTINGS_APP_ID }} - ADMIN_REPO: ${{ vars.SAFE_SETTINGS_ADMIN_REPO || '.github' }} - CONFIG_PATH: ${{ vars.SAFE_SETTINGS_CONFIG_PATH || 'safe-settings' }} - DEPLOYMENT_CONFIG_FILE: ${{ github.workspace }}/${{ vars.SAFE_SETTINGS_CONFIG_PATH || 'safe-settings' }}/deployment-settings.yml - FULL_SYNC_NOP: ${{ inputs.dry-run }} - GH_ORG: ${{ vars.SAFE_SETTINGS_GH_ORG }} - LOG_LEVEL: ${{ vars.SAFE_SETTINGS_LOG_LEVEL || 'debug' }} - PRIVATE_KEY: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }} + uses: ./.github/workflows/libsafe-settings.yml + with: + app-id: ${{ vars.SAFE_SETTINGS_APP_ID }} + dry-run: ${{ inputs.dry-run }} + secrets: + private-key: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }}