Merge template repository changes: remal-github-actions/template-typescript (#2544)

Author: remal

.github/workflows/bump-repository-activity.yml

@@ -25,7 +25,7 @@ on:
         type: number
 
 permissions:
-  contents: write
+  id-token: write
 
 concurrency:
   group: bump-repository-activity-${{github.ref}}
@@ -35,42 +35,24 @@ defaults:
   run:
     shell: bash
 
-env:
-  PUSH_BACK_TOKEN: ${{secrets.PUSH_BACK_TOKEN || github.token}}
-
 jobs:
   bump-repository-activity:
     name: Bump repository activity
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-    - name: Get rate limits
-      uses: remal-github-actions/get-rate-limits@v1
-      id: rate-limits
+    - name: Get GitHub Token
+      id: get-token
+      uses: remal/github-repository-token-issuer@v1
       with:
-        githubToken: ${{env.PUSH_BACK_TOKEN}}
-    - name: Make rate limits decision
-      id: decision
-      run: |
-        echo "Core rate limit usage: ${{steps.rate-limits.outputs.coreUsage}}"
-        if [ "${{steps.rate-limits.outputs.coreUsage < 75}}" == "true" ]; then
-          echo "Enough rate limits"
-          echo 'enough=true' >> $GITHUB_OUTPUT
-        else
-          echo "::warning::Not enough rate limits!"
-          if [ "${{github.event_name != 'schedule'}}" == "true" ]; then
-            echo "::warning::Executing anyway, as event is '${{github.event_name}}'"
-            echo 'enough=true' >> $GITHUB_OUTPUT
-          else
-            echo 'enough=false' >> $GITHUB_OUTPUT
-          fi
-        fi
+        scopes: |
+          contents: write
 
     - name: Bump repository activity
-      if: ${{fromJSON(steps.decision.outputs.enough) == true}}
       uses: remal-github-actions/bump-repository-activity@v1
       with:
         dryRun: ${{inputs.dryRun || 'false'}}
-        githubToken: ${{env.PUSH_BACK_TOKEN}}
+        githubToken: ${{steps.get-token.outputs.token}}
+        maxInactivityDays: ${{inputs.maxInactivityDays || 14}}
         bumperFile: 'repository-activity.bumper'
         commitMessage: '[push-back] Bump repository activity'

.github/workflows/cancel-pr-actions.yml

@@ -6,9 +6,9 @@ on:
     - closed
 
 permissions:
-  pull-requests: 'read'
-  checks: 'read'
-  actions: 'write'
+  pull-requests: read
+  checks: read
+  actions: write
 
 jobs:
   cancel-pr-actions:

.github/workflows/check-action-secrets.yml

@@ -11,6 +11,9 @@ on:
   - cron: '15 17 * * *' # sync-with-template: adjust
   workflow_dispatch: { }
 
+permissions:
+  id-token: write
+
 concurrency:
   group: check-action-secrets-${{github.ref}}
   cancel-in-progress: true
@@ -25,30 +28,23 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-    - name: Get rate limits
-      uses: remal-github-actions/get-rate-limits@v1
-      id: rate-limits
-      with:
-        githubToken: ${{secrets.LIST_SECRETS || github.token}}
-    - name: Make rate limits decision
-      id: decision
+    - name: Get repository owner type
+      id: owner-type
       run: |
-        echo "Core rate limit usage: ${{steps.rate-limits.outputs.coreUsage}}"
-        if [ "${{steps.rate-limits.outputs.coreUsage < 75}}" == "true" ]; then
-          echo "Enough rate limits"
-          echo 'enough=true' >> $GITHUB_OUTPUT
-        else
-          echo "::warning::Not enough rate limits!"
-          if [ "${{github.event_name != 'schedule'}}" == "true" ]; then
-            echo "::warning::Executing anyway, as event is '${{github.event_name}}'"
-            echo 'enough=true' >> $GITHUB_OUTPUT
-          else
-            echo 'enough=false' >> $GITHUB_OUTPUT
-          fi
-        fi
+        REPO_JSON=$(curl -s "${{github.api_url}}/repos/${{github.repository}}" -H "Authorization: token ${{github.token}}")
+        OWNER_TYPE=$(echo $REPO_JSON | jq -r '.owner.type')
+        OWNER_TYPE=$(echo "$OWNER_TYPE" | tr '[:upper:]' '[:lower:]')
+        echo "owner-type=$OWNER_TYPE" | tee -a $GITHUB_OUTPUT
+
+    - name: Get GitHub Token
+      id: get-token
+      uses: remal/github-repository-token-issuer@v1
+      with:
+        scopes: |
+          secrets: read
+          ${{steps.owner-type.outputs.owner-type == 'organization' && 'organization_secrets:read' || ''}}
 
     - name: Check action secrets
-      if: ${{fromJSON(steps.decision.outputs.enough) == true}}
       uses: remal-github-actions/check-action-secrets@v1
       with:
-        githubToken: ${{secrets.LIST_SECRETS || github.token}}
+        githubToken: ${{steps.get-token.outputs.token}}

.github/workflows/codeowners-validator.yml

@@ -14,49 +14,14 @@ on:
   workflow_dispatch: { }
 
 permissions:
-  contents: read
+  id-token: write
 
 concurrency:
   group: codeowners-validation-${{github.ref}}
   cancel-in-progress: true
 
-env:
-  VALIDATION_TOKEN: ${{secrets.CODEOWNERS_VALIDATOR_TOKEN && secrets.CODEOWNERS_VALIDATOR_TOKEN || github.token}}
-
 jobs:
-  rate-limits:
-    name: Check rate limits
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-    - name: Get rate limits
-      uses: remal-github-actions/get-rate-limits@v1
-      id: rate-limits
-      with:
-        githubToken: ${{env.VALIDATION_TOKEN || github.token}}
-    - name: Make decision
-      id: decision
-      run: |
-        echo "Core rate limit usage: ${{steps.rate-limits.outputs.coreUsage}}"
-        if [ "${{steps.rate-limits.outputs.coreUsage < 75}}" == "true" ]; then
-          echo "Enough rate limits"
-          echo 'enough=true' >> $GITHUB_OUTPUT
-        else
-          echo "::warning::Not enough rate limits!"
-          if [ "${{github.event_name != 'schedule'}}" == "true" ]; then
-            echo "::warning::Executing anyway, as event is '${{github.event_name}}'"
-            echo 'enough=true' >> $GITHUB_OUTPUT
-          else
-            echo 'enough=false' >> $GITHUB_OUTPUT
-          fi
-        fi
-    outputs:
-      enough: ${{steps.decision.outputs.enough}}
-
   codeowners-validation:
-    needs:
-    - rate-limits
-    if: ${{fromJSON(needs.rate-limits.outputs.enough) == true}}
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
@@ -68,20 +33,22 @@ jobs:
     - name: Get repository owner type
       id: owner-type
       run: |
-        REPO_JSON=$(curl -s "${{github.api_url}}/repos/${{github.repository}}" -H "Authorization: token ${{env.VALIDATION_TOKEN}}")
+        REPO_JSON=$(curl -s "${{github.api_url}}/repos/${{github.repository}}" -H "Authorization: token ${{github.token}}")
         OWNER_TYPE=$(echo $REPO_JSON | jq -r '.owner.type')
         OWNER_TYPE=$(echo "$OWNER_TYPE" | tr '[:upper:]' '[:lower:]')
         echo "owner-type=$OWNER_TYPE" | tee -a $GITHUB_OUTPUT
 
-    - name: Basic CODEOWNERS validation
-      if: ${{steps.owner-type.outputs.owner-type != 'organization'}}
-      uses: mszostok/[email protected]
+    - name: Get GitHub Token
+      id: get-token
+      uses: remal/github-repository-token-issuer@v1
       with:
-        github_access_token: '${{env.VALIDATION_TOKEN}}'
-        checks: 'syntax,duppatterns,files'
+        scopes: |
+          contents: read
+          ${{steps.owner-type.outputs.owner-type == 'organization' && 'members:read' || ''}}
 
-    - name: Full CODEOWNERS validation
-      if: ${{steps.owner-type.outputs.owner-type == 'organization'}}
+    - name: CODEOWNERS validation
+      if: ${{steps.owner-type.outputs.owner-type != 'organization'}}
       uses: mszostok/[email protected]
       with:
-        github_access_token: '${{env.VALIDATION_TOKEN}}'
+        github_access_token: '${{steps.get-token.outputs.token}}'
+        checks: ${{steps.owner-type.outputs.owner-type == 'organization' && '' || 'duppatterns,files,syntax'}}

.github/workflows/rebase-dependabot-pull-requests.yml

@@ -12,9 +12,9 @@ on:
   workflow_dispatch: { }
 
 permissions:
-  contents: read
-  issues: write
   pull-requests: write
+  issues: write
+  contents: read
 
 concurrency:
   group: rebase-dependabot-pull-requests-${{github.ref}}

.github/workflows/sync-with-template.yml

@@ -22,49 +22,39 @@ on:
         - 'true'
         - 'false'
 
+permissions:
+  id-token: write
+
 concurrency:
   group: sync-with-template-${{github.ref}}
   cancel-in-progress: true
 
+env:
+  TEMPLATE_REPOSITORY: ${{secrets.TEMPLATE_REPOSITORY || vars.TEMPLATE_REPOSITORY || ''}}
+
 defaults:
   run:
     shell: bash
 
-env:
-  PUSH_BACK_TOKEN: ${{secrets.PUSH_BACK_TOKEN}}
-
 jobs:
   sync-with-template:
     name: Sync with template repository
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-    - name: Get rate limits
-      uses: remal-github-actions/get-rate-limits@v1
-      id: rate-limits
+    - name: Get GitHub Token
+      id: get-token
+      uses: remal/github-repository-token-issuer@v1
       with:
-        githubToken: ${{env.PUSH_BACK_TOKEN || github.token}}
-    - name: Make rate limits decision
-      id: decision
-      run: |
-        echo "Core rate limit usage: ${{steps.rate-limits.outputs.coreUsage}}"
-        if [ "${{steps.rate-limits.outputs.coreUsage < 75}}" == "true" ]; then
-          echo "Enough rate limits"
-          echo 'enough=true' >> $GITHUB_OUTPUT
-        else
-          echo "::warning::Not enough rate limits!"
-          if [ "${{github.event_name != 'schedule'}}" == "true" ]; then
-            echo "::warning::Executing anyway, as event is '${{github.event_name}}'"
-            echo 'enough=true' >> $GITHUB_OUTPUT
-          else
-            echo 'enough=false' >> $GITHUB_OUTPUT
-          fi
-        fi
+        scopes: |
+          contents: write
+          workflows: write
+          pull_requests: write
+          issues: write
 
     - name: Sync with template repository
-      if: ${{env.PUSH_BACK_TOKEN && fromJSON(steps.decision.outputs.enough) == true}}
       uses: remal-github-actions/sync-with-template@v3
       with:
         dryRun: ${{inputs.dryRun}}
-        githubToken: ${{env.PUSH_BACK_TOKEN}}
-        templateRepository: ${{secrets.TEMPLATE_REPOSITORY || vars.TEMPLATE_REPOSITORY || ''}}
+        githubToken: ${{steps.get-token.outputs.token}}
+        templateRepository: ${{env.TEMPLATE_REPOSITORY}}