From b34546300ac1c96a801b5d08dd9a800ecf8a5edd Mon Sep 17 00:00:00 2001 From: vernedeng Date: Wed, 25 Feb 2026 17:22:41 +0800 Subject: [PATCH] [INLONG-12083][CI] Upgrade github actions version and specify permission of actions --- .github/labeler.yml | 71 +++++++++++++++---------- .github/workflows/ci_build.yml | 3 ++ .github/workflows/ci_chart_test.yml | 7 ++- .github/workflows/ci_check_format.yml | 3 ++ .github/workflows/ci_check_license.yml | 5 +- .github/workflows/ci_check_pr_title.yml | 3 ++ .github/workflows/ci_docker.yml | 9 ++-- .github/workflows/ci_greeting.yml | 24 ++++----- .github/workflows/ci_labeler.yml | 18 ++++--- .github/workflows/ci_stale.yml | 2 +- .github/workflows/ci_ut.yml | 3 ++ .github/workflows/ci_ut_flink13.yml | 3 ++ .github/workflows/ci_ut_flink15.yml | 3 ++ .github/workflows/ci_ut_flink18.yml | 3 ++ 14 files changed, 103 insertions(+), 54 deletions(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index e9525d0e2da..411c79d577e 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -16,51 +16,66 @@ # component/agent: - - 'inlong-agent/**/*' + - changed-files: + - any-glob-to-any-file: 'inlong-agent/**/*' component/dataproxy: - - 'inlong-dataproxy/**/*' + - changed-files: + - any-glob-to-any-file: 'inlong-dataproxy/**/*' component/manager: - - 'inlong-manager/**/*' + - changed-files: + - any-glob-to-any-file: 'inlong-manager/**/*' component/sort: - - 'inlong-sort/**/*' - - 'inlong-sort-standalone/**/*' + - changed-files: + - any-glob-to-any-file: + - 'inlong-sort/**/*' + - 'inlong-sort-standalone/**/*' component/tubemq: - - 'inlong-tubemq/**/*' + - changed-files: + - any-glob-to-any-file: 'inlong-tubemq/**/*' component/dashboard: - - 'inlong-dashboard/**/*' + - changed-files: + - any-glob-to-any-file: 'inlong-dashboard/**/*' component/audit: - - 'inlong-audit/**/*' + - changed-files: + - any-glob-to-any-file: 'inlong-audit/**/*' component/sdk: - - 'inlong-sdk/**/*' + - changed-files: + - any-glob-to-any-file: 'inlong-sdk/**/*' service/ci: - - '.github/actions/**/*' - - '.github/workflows/**/*' - - '.github/labeler.yml' - - '.github/PULL_REQUEST_TEMPLATE.md' - - '.github/ISSUE_TEMPLATE/**/*' + - changed-files: + - any-glob-to-any-file: + - '.github/actions/**/*' + - '.github/workflows/**/*' + - '.github/labeler.yml' + - '.github/PULL_REQUEST_TEMPLATE.md' + - '.github/ISSUE_TEMPLATE/**/*' service/docker: - - '**/Dockerfile' - - '**/*-docker.sh' - - 'inlong-agent/agent-docker/**/*' - - 'inlong-audit/audit-docker/**/*' - - 'inlong-dataproxy/dataproxy-docker/**/*' - - 'inlong-manager/manager-docker/**/*' - - 'inlong-tubemq/tubemq-docker/**/*' - - 'docker/docker-compose/**/*' - - 'docker/build-docker-images.sh' - - 'docker/publish-by-arch.sh' + - changed-files: + - any-glob-to-any-file: + - '**/Dockerfile' + - '**/*-docker.sh' + - 'inlong-agent/agent-docker/**/*' + - 'inlong-audit/audit-docker/**/*' + - 'inlong-dataproxy/dataproxy-docker/**/*' + - 'inlong-manager/manager-docker/**/*' + - 'inlong-tubemq/tubemq-docker/**/*' + - 'docker/docker-compose/**/*' + - 'docker/build-docker-images.sh' + - 'docker/publish-by-arch.sh' service/k8s: - - '.github/ct.yml' - - '.github/kind.yml' - - 'docker/kubernetes/**/*' - - 'inlong-tubemq/tubemq-docker/tubemq-k8s/**/*' \ No newline at end of file + - changed-files: + - any-glob-to-any-file: + - '.github/ct.yml' + - '.github/kind.yml' + - 'docker/kubernetes/**/*' + - 'inlong-tubemq/tubemq-docker/tubemq-k8s/**/*' \ No newline at end of file diff --git a/.github/workflows/ci_build.yml b/.github/workflows/ci_build.yml index ae6d3aefc43..3355389cf45 100644 --- a/.github/workflows/ci_build.yml +++ b/.github/workflows/ci_build.yml @@ -52,6 +52,9 @@ on: - 'inlong-tubemq/**' - '!**.md' +permissions: + contents: read + jobs: build: name: Build diff --git a/.github/workflows/ci_chart_test.yml b/.github/workflows/ci_chart_test.yml index a8ae336620c..4e4a8b78816 100644 --- a/.github/workflows/ci_chart_test.yml +++ b/.github/workflows/ci_chart_test.yml @@ -40,6 +40,9 @@ env: CT_CONFIG_PATH: '.github/ct.yml' KIND_CONFIG_PATH: '.github/kind.yml' +permissions: + contents: read + jobs: chart-test: name: Lint and test charts @@ -57,12 +60,12 @@ jobs: submodules: true - name: Set up Helm - uses: azure/setup-helm@v1 + uses: azure/setup-helm@v4 with: version: v3.5.0 - name: Set up Python - uses: actions/setup-python@v2 + uses: actions/setup-python@v5 with: python-version: 3.7 diff --git a/.github/workflows/ci_check_format.yml b/.github/workflows/ci_check_format.yml index a0738d875e0..d1766102ebd 100644 --- a/.github/workflows/ci_check_format.yml +++ b/.github/workflows/ci_check_format.yml @@ -19,6 +19,9 @@ name: InLong Code Format Check on: [ push, pull_request ] +permissions: + contents: read + jobs: build: name: Code Format Check diff --git a/.github/workflows/ci_check_license.yml b/.github/workflows/ci_check_license.yml index 56b534a20ab..d97687bbbd6 100644 --- a/.github/workflows/ci_check_license.yml +++ b/.github/workflows/ci_check_license.yml @@ -19,6 +19,9 @@ name: InLong Check License Header on: [ push, pull_request ] +permissions: + contents: read + jobs: check-license: name: Check license header @@ -28,7 +31,7 @@ jobs: uses: actions/checkout@v4 - name: Check license header - uses: apache/skywalking-eyes@v0.3.0 + uses: apache/skywalking-eyes@v0.6.0 with: log: info config: .licenserc.yaml diff --git a/.github/workflows/ci_check_pr_title.yml b/.github/workflows/ci_check_pr_title.yml index eac17191657..77e340f2fd3 100644 --- a/.github/workflows/ci_check_pr_title.yml +++ b/.github/workflows/ci_check_pr_title.yml @@ -25,6 +25,9 @@ on: - edited - synchronize +permissions: + contents: read + jobs: check: name: Check pull request title diff --git a/.github/workflows/ci_docker.yml b/.github/workflows/ci_docker.yml index 3ed84f2e36e..eb184df32fa 100644 --- a/.github/workflows/ci_docker.yml +++ b/.github/workflows/ci_docker.yml @@ -46,6 +46,9 @@ on: - 'inlong-tubemq/tubemq-docker/**' - '!**.md' +permissions: + contents: read + jobs: docker: name: Docker build and push @@ -90,16 +93,16 @@ jobs: distribution: adopt - name: Set up Python - uses: actions/setup-python@v3 + uses: actions/setup-python@v5 with: python-version: 3.7 - name: Set up QEMU dependency - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Cache Maven packages uses: actions/cache@v4 diff --git a/.github/workflows/ci_greeting.yml b/.github/workflows/ci_greeting.yml index 554273e652e..e2219d3f560 100644 --- a/.github/workflows/ci_greeting.yml +++ b/.github/workflows/ci_greeting.yml @@ -18,31 +18,29 @@ name: InLong Greeting on: - pull_request: + pull_request_target: types: - opened issues: types: - opened +permissions: + issues: write + pull-requests: write + jobs: greeting: - name: Greeting + name: Greet First-Time Contributors runs-on: ubuntu-22.04 - permissions: - issues: write - pull-requests: write steps: - - name: Interact with newcomers - uses: actions/first-interaction@v1 - continue-on-error: true + - uses: actions/first-interaction@v3 with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: | - Hello @${{ github.actor }}, thank you for submitting a PR to InLong ๐Ÿ’– We will respond as soon as possible โณ - This seems to be your first PR ๐ŸŒ  Please be sure to follow our [Contribution Guidelines](https://inlong.apache.org/community/how-to-contribute). - If you have any questions in the meantime, you can also ask us on the [InLong Discussions](https://github.com/apache/inlong/discussions) ๐Ÿ” issue-message: | Hello @${{ github.actor }}, thank you for opening your first issue in InLong ๐Ÿงก We will respond as soon as possible โณ If this is a bug report, please provide screenshots or error logs for us to reproduce your issue, so we can do our best to fix it. If you have any questions in the meantime, you can also ask us on the [InLong Discussions](https://github.com/apache/inlong/discussions) ๐Ÿ” + pr-message: | + Hello @${{ github.actor }}, thank you for submitting a PR to InLong ๐Ÿ’– We will respond as soon as possible โณ + This seems to be your first PR ๐ŸŒ  Please be sure to follow our [Contribution Guidelines](https://inlong.apache.org/community/how-to-contribute). + If you have any questions in the meantime, you can also ask us on the [InLong Discussions](https://github.com/apache/inlong/discussions) ๐Ÿ” diff --git a/.github/workflows/ci_labeler.yml b/.github/workflows/ci_labeler.yml index 76075d8bb1d..53ccee294be 100644 --- a/.github/workflows/ci_labeler.yml +++ b/.github/workflows/ci_labeler.yml @@ -17,19 +17,25 @@ name: InLong Pull Request Labeler -on: pull_request +on: + pull_request_target: + types: + - opened + - synchronize + - reopened + +permissions: + contents: read + pull-requests: write jobs: label: name: Label runs-on: ubuntu-22.04 - permissions: - contents: read - pull-requests: write steps: - name: Label the PR - uses: actions/labeler@v4 + uses: actions/labeler@v5 with: repo-token: ${{ secrets.GITHUB_TOKEN }} configuration-path: .github/labeler.yml - sync-labels: true + sync-labels: true \ No newline at end of file diff --git a/.github/workflows/ci_stale.yml b/.github/workflows/ci_stale.yml index 916e04c27dc..291dc5d3d61 100644 --- a/.github/workflows/ci_stale.yml +++ b/.github/workflows/ci_stale.yml @@ -30,7 +30,7 @@ jobs: pull-requests: write steps: - name: Mark issues and PRs - uses: actions/stale@v5 + uses: actions/stale@v9 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: 'This issue is stale because it has been open for 60 days with no activity.' diff --git a/.github/workflows/ci_ut.yml b/.github/workflows/ci_ut.yml index fcc4cdb6655..0ddf04663db 100644 --- a/.github/workflows/ci_ut.yml +++ b/.github/workflows/ci_ut.yml @@ -52,6 +52,9 @@ on: - 'inlong-tubemq/**' - '!**.md' +permissions: + contents: read + jobs: unit-test: name: Unit Test diff --git a/.github/workflows/ci_ut_flink13.yml b/.github/workflows/ci_ut_flink13.yml index 9084e34a3aa..d1976642e65 100644 --- a/.github/workflows/ci_ut_flink13.yml +++ b/.github/workflows/ci_ut_flink13.yml @@ -31,6 +31,9 @@ on: - 'inlong-sort/**' - '!**.md' +permissions: + contents: read + jobs: unit-test: name: Unit Test diff --git a/.github/workflows/ci_ut_flink15.yml b/.github/workflows/ci_ut_flink15.yml index 53b88957e0b..eb7b32dab04 100644 --- a/.github/workflows/ci_ut_flink15.yml +++ b/.github/workflows/ci_ut_flink15.yml @@ -31,6 +31,9 @@ on: - 'inlong-sort/**' - '!**.md' +permissions: + contents: read + jobs: unit-test: name: Unit Test diff --git a/.github/workflows/ci_ut_flink18.yml b/.github/workflows/ci_ut_flink18.yml index d86ea53bfcb..9d45c02adf0 100644 --- a/.github/workflows/ci_ut_flink18.yml +++ b/.github/workflows/ci_ut_flink18.yml @@ -31,6 +31,9 @@ on: - 'inlong-sort/**' - '!**.md' +permissions: + contents: read + jobs: unit-test: name: Unit Test