From 410e489bfcd94325d106ccc8524bac97c5168a4b Mon Sep 17 00:00:00 2001
From: cpanato
Date: Tue, 26 Mar 2024 16:59:18 +0100
Subject: [PATCH] add job to delete old/stale branches created by the automation

---
 .github/chainguard/delete-branches.sts.yaml | 8 +++++
 .github/workflows/delete-old-branches.yaml | 34 +++++++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 .github/chainguard/delete-branches.sts.yaml
 create mode 100644 .github/workflows/delete-old-branches.yaml

diff --git a/.github/chainguard/delete-branches.sts.yaml b/.github/chainguard/delete-branches.sts.yaml
new file mode 100644
index 000000000..c4913715b
--- /dev/null
+++ b/.github/chainguard/delete-branches.sts.yaml
@@ -0,0 +1,8 @@
+issuer: https://token.actions.githubusercontent.com
+subject: repo:wolfi-dev/advisories:ref:refs/heads/main
+claim_pattern:
+  workflow_ref: wolfi-dev/advisories/.github/workflows/delete-old-branches.yaml@refs/heads/main
+
+permissions:
+  contents: write
+  pull_requests: read
diff --git a/.github/workflows/delete-old-branches.yaml b/.github/workflows/delete-old-branches.yaml
new file mode 100644
index 000000000..1cf843aa3
--- /dev/null
+++ b/.github/workflows/delete-old-branches.yaml
@@ -0,0 +1,34 @@
+name: Delete old branches
+
+on:
+  schedule:
+    - cron: "0 0 * * *"
+  workflow_dispatch:
+
+jobs:
+  cleanup_old_branches:
+    runs-on: ubuntu-latest
+
+    if: github.repository == 'wolfi-dev/advisories'
+
+    permissions:
+      id-token: write
+
+    steps:
+      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+      - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0
+        id: octo-sts
+        with:
+          scope: ${{ github.repository }}
+          identity: delete-branches
+
+      - uses: wolfi-dev/actions/install-wolfictl@main
+
+      - name: Delete Branches that matches adv-
+        run: |
+          wolfictl gh gc branch https://github.com/wolfi-dev/advisories --match "adv-"
+        env:
+          GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
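Review bot: The `claim_pattern.workflow_ref` value is, as far as I know octo-sts, matched as a regular expression, so the unescaped dots in `.github` and `.yaml` match any character; it is a small widening next to the already exact `subject` line, and escaping them as `\.github` and `\.yaml` (or a comment saying the looseness is intended) keeps the trust policy as tight as it looks. The `permissions` block also deserves a why-comment per grant, since `contents: write` is a repository-wide write that the policy hands to the scheduled job and the branch protection on `main` is presumably the compensating control, e.g. `# contents: write — needed to delete branch refs` and `# pull_requests: read — confirm what "wolfictl gh gc branch" reads with it`.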
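Review bot: `wolfi-dev/actions/install-wolfictl@main` is pinned to a mutable branch while the two neighbouring actions are pinned to commit SHAs, and the binary it installs is the one that later runs with a token carrying `contents: write` on this repository, so whoever can push to that branch of `wolfi-dev/actions` decides what that token is used for. Pin it the same way as the others, `- uses: wolfi-dev/actions/install-wolfictl@<commit-sha> # <version>`, and let the dependency bot keep it current. Relatedly, `egress-policy: audit` only records outbound traffic; once the hosts the job needs are known from the audit log, `egress-policy: block` with an `allowed-endpoints` list would contain a tampered dependency rather than merely log it.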