Use a PAT when pushing from update-gem-version-artifacts.yaml.
#13
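# Regenerates the RBS collection lockfile and gem version constraints on
# Dependabot pull requests, then commits and pushes the result back to the
# PR branch with a personal access token (PAT) so that the push triggers CI.
name: Update Gem Version Artifacts
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  update-dependencies:
    # Only run on Dependabot PRs
    # NOTE(review): github.actor is the account that triggered the event, which
    # is not always the PR author; consider also requiring
    # github.event.pull_request.user.login == 'dependabot[bot]'.
    if: ${{ github.actor == 'dependabot[bot]' }}
    runs-on: ubuntu-latest
    # The 'permissions' here apply to the GITHUB_TOKEN only. The push below
    # authenticates with the PAT, and no step in this job writes with
    # GITHUB_TOKEN, so read access for the checkout is sufficient.
    permissions:
      contents: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          # 'audit' records outbound connections but does not block them.
          egress-policy: audit
      - name: Checkout Git Repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # We still need to check out using GITHUB_TOKEN so we can make local changes,
          # but the push will use the personal access token.
          ref: ${{ github.head_ref }}
          token: ${{ secrets.GITHUB_TOKEN }}
          # Do not leave GITHUB_TOKEN in the local git config: the following
          # steps run code from the PR branch, and a persisted Authorization
          # header can take precedence over the credentials in the push URL,
          # in which case the push would not be made with the PAT.
          persist-credentials: false
      - name: Set up Ruby
        uses: ruby/setup-ruby@2a18b06812b0e15bb916e1df298d3e740422c47e # v1.203.0
        with:
          ruby-version: "3.4"
          bundler-cache: true
      - name: Update RBS collection
        run: bundle exec rbs collection update
      - name: Update gem version constraints
        run: script/update_gem_constraints
      - name: Commit and push if changed
        # Pass the branch name and the PAT through the environment instead of
        # expanding ${{ }} inside the script. github.head_ref is chosen by
        # whoever created the branch, and an expression expanded into 'run:'
        # is pasted into the shell source before it is parsed.
        # NOTE(review): runs triggered by Dependabot read secrets from the
        # Dependabot secret store; confirm the PAT is defined there.
        env:
          HEAD_REF: ${{ github.head_ref }}
          PUSH_TOKEN: ${{ secrets.PAT_FOR_PUSHING_AND_TRIGGERING_CI }}
        run: |
          if [[ -n "$(git status --porcelain)" ]]; then
            git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
            git config --local user.name "github-actions[bot]"
            git add rbs_collection.lock.yaml Gemfile Gemfile.lock *.gemspec
            git commit -m "Update gem version artifacts."
            # Push with PAT so it triggers "on: pull_request" or "on: push" events
            # Replace "block" with your actual GitHub org/user, if different.
            git push "https://github-actions[bot]:${PUSH_TOKEN}@github.com/block/elasticgraph.git" "HEAD:${HEAD_REF}"
          fi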