.github/workflows/validate-codeowners.yml
- This file was added.
name: Validate CODEOWNERS | |||||
on: | |||||
schedule: | |||||
# Runs at 08:00 UTC every day | |||||
- cron: '0 8 * * *' | |||||
jobs: | |||||
build: | |||||
name: Validate CODEOWNERS | |||||
runs-on: ubuntu-20.04 | |||||
steps: | |||||
- uses: mszostok/codeowners-validator@v0.6.0 | |||||
with: | |||||
checks: "files,owners,duppatterns,syntax" | |||||
# GitHub access token is required only if the `owners` check is enabled | |||||
# Token has "repo/public_repo" and "admin:org/read:org" permissions. | |||||
github_access_token: "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" | |||||
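Review bot: The `github_access_token` value on the last line of this workflow is a literal `ghp_` personal access token committed to the repository, and the comment above it says it carries "repo/public_repo" and "admin:org/read:org" permissions, so anyone who can read the file can use those permissions. Treat the token as disclosed: revoke it, issue a replacement, store that as an encrypted secret, and reference it with `${{ secrets.<NAME> }}` instead of a quoted string. Separately, `mszostok/codeowners-validator@v0.6.0` is pinned to a tag; pinning an action that receives a token to a full commit SHA keeps it from changing underneath the workflow.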
jlduran_gmail.com: Is there a reason why a GitHub secret is not used?
asomers: Please explain: what is a "Github secret" and how does one use it?
jlduran_gmail.com: Sure! A thorough explanation here: https://docs.github.com/en/actions/reference/encrypted-secrets

A tl;dr would be: Since this is a github_access_token (i.e. a password), albeit access-restricted, it should be protected nonetheless. For example, it may have read-only access to security/private branches belonging to that account; since the token is exposed to the public, anyone could read the contents of such branches.

By creating a GitHub secret —think of an environment variable for GitHub— you will be able to reference it in any workflow using ${{ secrets.DESCRIPTIVE_NAME }}.

For this particular case, after deleting the published one and creating a new one under the name of OWNERS_VALIDATOR_GITHUB_SECRET (for example), one can replace the last line with:

github_access_token: ${{ secrets.OWNERS_VALIDATOR_GITHUB_SECRET }}
asomers: Well, that does look like the correct thing to do. But I can't do it, because I don't have admin rights to the Github repo. Maybe @imp does, or knows who does?
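A pre-merge check for the problem raised in this review, as an added example that is not part of the review thread or of the project's code: it scans workflow text for GitHub-style tokens written as literals and for credential-looking keys whose value is not a `${{ ... }}` expression. The function names, the key list and the length bounds in the patterns are assumptions, the sample token is constructed, and the secret name is the one suggested in the comment above.

```python
import re

# GitHub token prefixes (ghp_ classic PAT, gho_/ghu_/ghs_/ghr_ app and OAuth
# tokens, github_pat_ fine-grained PAT); length bounds are a loose heuristic.
TOKEN_RE = re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})")
# Keys that normally carry a credential; heuristic list, adjust per repo.
KEY_RE = re.compile(
    r"^\s*(?:-\s*)?([\w-]*(?:token|secret|password)[\w-]*)\s*:\s*(\S.*)$", re.I
)


def redact(value):
    """Keep the prefix and last 4 chars so reports do not re-leak the token."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_workflow(text):
    """Return (line_no, kind, detail) for credentials written in the file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # full-line YAML comment
        m = TOKEN_RE.search(line)
        if m:
            findings.append((no, "literal-token", redact(m.group(1))))
            continue
        k = KEY_RE.match(line)
        if k and "${{" not in k.group(2):
            findings.append((no, "credential-key-without-expression", k.group(1)))
    return findings


# Constructed sample token: correct shape, not a real credential.
FAKE = "ghp_" + "A" * 32 + "wxyz"
BAD = f"""steps:
  - uses: mszostok/codeowners-validator@v0.6.0
    with:
      checks: "files,owners,duppatterns,syntax"
      github_access_token: "{FAKE}"
"""
# Same step with the value moved to an encrypted secret.
GOOD = BAD.replace(f'"{FAKE}"', "${{ secrets.OWNERS_VALIDATOR_GITHUB_SECRET }}")

if __name__ == "__main__":
    for label, doc in (("before", BAD), ("after", GOOD)):
        print(label, scan_workflow(doc))
```

A finding here means the credential is already in history, so the fix is rotation plus the secret reference, not just editing the line.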