fix(#49): github actions permission denied

Brewforge · Jan 13, 2024 · f2e436e · f2e436e
1 parent 3808137
commit f2e436e
Show file tree

Hide file tree

Showing 6 changed files with 119 additions and 39 deletions.
diff --git a/.github/actions/brew-tap/action.yml b/.github/actions/brew-tap/action.yml
@@ -0,0 +1,38 @@
+name: Brew Tap
+
+inputs:
+  HOMEBREW_GITHUB_API_TOKEN:
+    description: 'Homebrew GitHub API Token'
+    required: true
+
+runs:
+  using: 'composite'
+
+  steps:
+    - name: Add Tap
+      env:
+        HOMEBREW_GITHUB_API_TOKEN: ${{ inputs.HOMEBREW_GITHUB_API_TOKEN }}
+      shell: bash -ieo pipefail {0}
+      run: |
+        brew tap brewforge/chinese
+        brew update
+
+    - name: Install Homebrew's dependencies
+      shell: bash -ieo pipefail {0}
+      run: |
+        brew install ripgrep sd gcc parallel coreutils
+        brew unlink coreutils && brew link coreutils
+        brew install-bundler-gems --groups "audit,style"
+
+    - uses: oleksiyrudenko/gha-git-credentials@v2-latest
+      with:
+        global: true
+        name: 'Brewforge-Bot'
+        email: '[email protected]'
+        token: '${{ inputs.HOMEBREW_GITHUB_API_TOKEN }}'
+
+    - name: show git context
+      shell: bash -ieo pipefail {0}
+      run: |
+        cat $HOME/.gitconfig
+        cat $GITHUB_ENV
diff --git a/.github/actions/bump-casks/action.yml b/.github/actions/bump-casks/action.yml
@@ -12,9 +12,14 @@ runs:
     - name: Bump outdated casks
       # continue-on-error: true
       env:
+        HOMEBREW_DEVELOPER: '1'
         HOMEBREW_GITHUB_API_TOKEN: ${{ inputs.HOMEBREW_GITHUB_API_TOKEN }}
-      shell: bash
+      shell: bash -ieo pipefail {0}
+      # https://docs.github.com/en/rest/using-the-rest-api/rate-limits-for-the-rest-api?apiVersion=2022-11-28#primary-rate-limit-for-authenticated-users
+      # Github Actions: 5000 requests per hour
+      # 1 * 60 * 24 = 1440 (because bump-pr will checkout a new branch and push to remote)
+      # 1 concurrent parallel jobs, 1 second delay between jobs.
       run: |
-        parallel -j0 --group --halt now,fail=1 \
-          './.github/actions/bump-casks/script.sh {}' \
+        parallel -j1 --delay 1s --group --halt now,fail=1 \
+          "./.github/actions/bump-casks/script.sh {}" \
           ::: $(ls $(brew --repository brewforge/chinese)/Casks/*.rb | xargs -I {} basename {} .rb)
diff --git a/.github/actions/bump-formulas/action.yml b/.github/actions/bump-formulas/action.yml
@@ -12,9 +12,14 @@ runs:
     - name: Bump outdated formulas
       # continue-on-error: true
       env:
+        HOMEBREW_DEVELOPER: '1'
         HOMEBREW_GITHUB_API_TOKEN: ${{ inputs.HOMEBREW_GITHUB_API_TOKEN }}
-      shell: bash
+      shell: bash -ieo pipefail {0}
+      # https://docs.github.com/en/rest/using-the-rest-api/rate-limits-for-the-rest-api?apiVersion=2022-11-28#primary-rate-limit-for-authenticated-users
+      # Github Actions: 5000 requests per hour
+      # 1 * 60 * 24 = 1440 (because bump-pr will checkout a new branch and push to remote)
+      # 1 concurrent parallel jobs, 1 second delay between jobs.
       run: |
-        parallel -j0 --group --halt now,fail=1 \
-          './.github/actions/bump-formulas/script.sh {}' \
+        parallel -j1 --delay 1s --group --halt now,fail=1 \
+          "./.github/actions/bump-formulas/script.sh {}" \
           ::: $(ls $(brew --repository brewforge/chinese)/Formula/*.rb | xargs -I {} basename {} .rb)
diff --git a/.github/actions/homebrew-env/action.yml b/.github/actions/homebrew-env/action.yml
@@ -1,34 +1,17 @@
 name: Homebrew Action
 
-inputs:
-  HOMEBREW_GITHUB_API_TOKEN:
-    description: 'Homebrew GitHub API Token'
-    required: true
-
 runs:
   using: 'composite'
 
   steps:
     - name: Set up Homebrew
-      id: set-up-homebrew
-      uses: Homebrew/actions/setup-homebrew@master
-      with:
-        core: true
-        cask: true
-        test-bot: false
-
-    - name: Add parallel cli
-      shell: bash
+      shell: bash -ieo pipefail {0}
       run: |
-        brew install parallel
-        # makesure brew livecheck works
-        brew livecheck parallel
+        /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
 
-    - name: Add Tap
-      env:
-        HOMEBREW_GITHUB_API_TOKEN: ${{ inputs.HOMEBREW_GITHUB_API_TOKEN }}
-      shell: bash
+    - name: Add Homebrew to PATH
+      shell: bash -ieo pipefail {0}
       run: |
-        brew tap brewforge/chinese
-        brew update
-        brew install ripgrep sd
+        touch $HOME/.bash_profile
+        (echo; echo 'eval "$(/usr/local/bin/brew shellenv)"') >> $HOME/.bash_profile
+        eval "$(/usr/local/bin/brew shellenv)"
diff --git a/.github/actions/linuxbrew-env/action.yml b/.github/actions/linuxbrew-env/action.yml
@@ -0,0 +1,18 @@
+name: Linuxbrew Action
+
+runs:
+  using: 'composite'
+
+  steps:
+    - name: Set up Linuxbrew
+      shell: bash -ieo pipefail {0}
+      run: |
+        sudo apt-get install build-essential procps curl file git
+        /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
+
+    - name: Add Linuxbrew to PATH
+      shell: bash -ieo pipefail {0}
+      run: |
+        touch $HOME/.bashrc
+        (echo; echo 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"') >> $HOME/.bashrc
+        eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
diff --git a/.github/workflows/main.yml → .github/workflows/schedule.yml b/.github/workflows/main.yml → .github/workflows/schedule.yml
@@ -1,17 +1,19 @@
-name: CI
+name: schedule
 
 on:
-  pull_request:
-    branches: [main, bump-*]
-  push:
-    branches: [fix-*]
+  # pull_request:
+  #   branches: [main]
+  # push:
+  #   branches: [fix-*]
   schedule:
     # run every 12 hours
     # - cron: "20 */12 * * *"
     # Every day at 6am
     - cron: "0 6 * * *"
   # allow run manually
-  workflow_dispatch: {}
+  workflow_dispatch:
+
+permissions: write-all
 
 jobs:
   casks:
@@ -24,11 +26,13 @@ jobs:
         os: [macos-latest]
 
     steps:
-      # checkout myself.
       - uses: actions/checkout@v3
 
       - name: Homebrew env
         uses: ./.github/actions/homebrew-env
+
+      - name: Brew Tap
+        uses: ./.github/actions/brew-tap
         with:
           HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
 
@@ -44,18 +48,45 @@ jobs:
 
     strategy:
       matrix:
-        os: [macos-latest, ubuntu-latest]
+        os: [macos-latest]
 
     steps:
-      # checkout myself.
       - uses: actions/checkout@v3
 
       - name: Homebrew env
         uses: ./.github/actions/homebrew-env
+
+      - name: Brew Tap
+        uses: ./.github/actions/brew-tap
         with:
           HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
 
       - name: Bump formulas
         uses: ./.github/actions/bump-formulas
         with:
           HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
+
+  # formulas-linuxbrew:
+  #   name: Bump Formulas in parallel (Linuxbrew)
+  #   if: github.repository == 'brewforge/homebrew-chinese'
+  #   runs-on: ${{ matrix.os }}
+
+  #   strategy:
+  #     matrix:
+  #       os: [ubuntu-latest]
+
+  #   steps:
+  #     - uses: actions/checkout@v3
+
+  #     - name: Linuxbrew env
+  #       uses: ./.github/actions/linuxbrew-env
+
+  #     - name: Brew Tap
+  #       uses: ./.github/actions/brew-tap
+  #       with:
+  #         HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
+
+  #     - name: Bump formulas
+  #       uses: ./.github/actions/bump-formulas
+  #       with:
+  #         HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}