Try experimental workflows

.github/workflows/zz_generated.check_values_schema.yaml

@@ -1,6 +1,6 @@
 # DO NOT EDIT. Generated with:
 #
-#    devctl@6.15.1
+#    devctl@6.17.2-dev
 #
 name: 'Values and schema'
 on:

.github/workflows/zz_generated.create_release.yaml

@@ -1,6 +1,6 @@
 # DO NOT EDIT. Generated with:
 #
-#    devctl@6.15.1
+#    devctl@6.17.2-dev
 #
 name: Create Release
 on:
@@ -93,7 +93,7 @@ jobs:
         uses: giantswarm/[email protected]
         with:
           binary: "architect"
-          version: "6.11.0"
+          version: "6.13.0"
       - name: Install semver
         uses: giantswarm/[email protected]
         with:
@@ -102,6 +102,12 @@ jobs:
           download_url: "https://github.com/fsaintjacques/${binary}-tool/archive/${version}.tar.gz"
           tarball_binary_path: "*/src/${binary}"
           smoke_test: "${binary} --version"
+      - name: Generate a token
+        id: generate_token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.HERALD_APP_ID }}
+          private-key: ${{ secrets.HERALD_APP_KEY }}
       - name: Checkout code
         uses: actions/checkout@v4
       - name: Update project.go
@@ -122,22 +128,22 @@ jobs:
           fi
       - name: Set up git identity
         run: |
-          git config --local user.email "[email protected]"
-          git config --local user.name "taylorbot"
+          git config --local user.email "149080493+heraldbot[bot]@users.noreply.github.com"
+          git config --local user.name "HeraldBot[bot]"
       - name: Commit changes
         run: |
           file="${{ needs.gather_facts.outputs.project_go_path }}"
           git add $file
           git commit -m "Bump version to ${{ steps.update_project_go.outputs.new_version }}"
       - name: Push changes
         env:
-          REMOTE_REPO: "https://${{ github.actor }}:${{ secrets.TAYLORBOT_GITHUB_ACTION }}@github.com/${{ github.repository }}.git"
+          REMOTE_REPO: "https://${{ github.actor }}:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git"
           branch: "${{ github.ref }}-version-bump"
         run: |
           git push "${REMOTE_REPO}" HEAD:${{ env.branch }}
       - name: Create PR
         env:
-          GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}"
+          GITHUB_TOKEN: "${{ steps.generate_token.outputs.token }}"
           base: "${{ github.ref }}"
           branch: "${{ github.ref }}-version-bump"
           version: "${{ needs.gather_facts.outputs.version }}"
@@ -153,9 +159,17 @@ jobs:
     outputs:
       upload_url: ${{ steps.create_gh_release.outputs.upload_url }}
     steps:
+      - name: Generate a token
+        id: generate_token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.HERALD_APP_ID }}
+          private-key: ${{ secrets.HERALD_APP_KEY }}
       - name: Checkout code
         uses: actions/checkout@v4
         with:
+          token: ${{ steps.generate_token.outputs.token }}
+          persist-credentials: false
           ref: ${{ github.sha }}
       - name: Ensure correct version in project.go
         if: ${{ needs.gather_facts.outputs.project_go_path != '' && needs.gather_facts.outputs.ref_version != 'true' }}
@@ -171,26 +185,25 @@ jobs:
           path: ./CHANGELOG.md
       - name: Set up git identity
         run: |
-          git config --local user.email "[email protected]"
-          git config --local user.name "taylorbot"
+          git config --local user.email "149080493+heraldbot[bot]@users.noreply.github.com"
+          git config --local user.name "HeraldBot[bot]"
       - name: Create tag
         run: |
           version="${{ needs.gather_facts.outputs.version }}"
           git tag "v$version" ${{ github.sha }}
       - name: Push tag
         env:
-          REMOTE_REPO: "https://${{ github.actor }}:${{ secrets.TAYLORBOT_GITHUB_ACTION }}@github.com/${{ github.repository }}.git"
+          REMOTE_REPO: "https://${{ github.actor }}:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git"
         run: |
           git push "${REMOTE_REPO}" --tags
       - name: Create release
         id: create_gh_release
-        uses: actions/create-release@v1
+        uses: ncipollo/release-action@v1
         env:
-          GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}"
+          GITHUB_TOKEN: "${{ steps.generate_token.outputs.token }}"
         with:
           body: ${{ steps.changelog_reader.outputs.changes }}
-          tag_name: "v${{ needs.gather_facts.outputs.version }}"
-          release_name: "v${{ needs.gather_facts.outputs.version }}"
+          tag: "v${{ needs.gather_facts.outputs.version }}"
 
   create-release-branch:
     name: Create release branch

.github/workflows/zz_generated.create_release_pr.yaml

@@ -1,6 +1,6 @@
 # DO NOT EDIT. Generated with:
 #
-#    devctl@6.15.1
+#    devctl@6.17.2-dev
 #
 name: Create Release PR
 on:
@@ -48,6 +48,18 @@ jobs:
       skip: ${{ steps.pr_exists.outputs.skip }}
       version: ${{ steps.gather_facts.outputs.version }}
     steps:
+      - name: Generate a token
+        id: generate_token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.HERALD_APP_ID }}
+          private-key: ${{ secrets.HERALD_APP_KEY }}
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          persist-credentials: false
+          ref: ${{ needs.gather_facts.outputs.branch }}
       - name: Gather facts
         id: gather_facts
         run: |
@@ -65,7 +77,7 @@ jobs:
 
           version="$(echo $head | awk -F# '{print $NF}')"
           if [[ $version =~ ^major|minor|patch$ ]]; then
-            gh auth login --with-token <<<$(echo -n ${{ secrets.TAYLORBOT_GITHUB_ACTION }})
+            gh auth login --with-token <<<$(echo -n ${{ steps.generate_token.outputs.token }})
             gh_api_get_latest_release_version()
             {
               if ! version="$(gh api "repos/$1/releases/latest" --jq '.tag_name[1:] | split(".") | .[0], .[1], .[2]')"
@@ -124,12 +136,13 @@ jobs:
       - name: Check if PR exists
         id: pr_exists
         env:
-          GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}"
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
         run: |
           head="${{ steps.gather_facts.outputs.branch }}"
           branch="${head#refs/heads/}" # Strip "refs/heads/" prefix.
-          if gh pr view --repo "${{ github.repository }}" "${branch}" --json state --jq .state | grep -i 'open' > /dev/null; then
-            gh pr view --repo "${{ github.repository }}" "${branch}"
+
+          if gh pr list --head "${branch}" --json state --jq '.[].state' | grep -i 'open' > /dev/null; then
+            gh pr list --head "${branch}"
             echo "skip=true" >> $GITHUB_OUTPUT
           else
             echo "skip=false" >> $GITHUB_OUTPUT
@@ -151,9 +164,17 @@ jobs:
         with:
           binary: "architect"
           version: "6.11.0"
+      - name: Generate a token
+        id: generate_token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.HERALD_APP_ID }}
+          private-key: ${{ secrets.HERALD_APP_KEY }}
       - name: Checkout code
         uses: actions/checkout@v4
         with:
+          token: ${{ steps.generate_token.outputs.token }}
+          persist-credentials: false
           ref: ${{ needs.gather_facts.outputs.branch }}
       - name: Prepare release changes
         run: |
@@ -208,8 +229,8 @@ jobs:
           fi
       - name: Set up git identity
         run: |
-          git config --local user.email "[email protected]"
-          git config --local user.name "taylorbot"
+          git config --local user.email "149080493+heraldbot[bot]@users.noreply.github.com"
+          git config --local user.name "HeraldBot[bot]"
       - name: Create release commit
         env:
           version: "${{ needs.gather_facts.outputs.version }}"
@@ -218,12 +239,12 @@ jobs:
           git commit -m "Release v${{ env.version }}"
       - name: Push changes
         env:
-          remote_repo: "https://${{ github.actor }}:${{ secrets.TAYLORBOT_GITHUB_ACTION }}@github.com/${{ github.repository }}.git"
+          remote_repo: "https://${{ github.actor }}:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git"
         run: |
           git push "${remote_repo}" HEAD:${{ needs.gather_facts.outputs.branch }}
       - name: Create PR
         env:
-          GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}"
+          GITHUB_TOKEN: "${{ steps.generate_token.outputs.token }}"
           base: "${{ needs.gather_facts.outputs.base }}"
           version: "${{ needs.gather_facts.outputs.version }}"
         run: |

.github/workflows/zz_generated.fix_vulnerabilities.yaml

@@ -0,0 +1,77 @@
+# DO NOT EDIT. Generated with:
+#
+#    [email protected]
+#
+name: Fix Vulnerabilities
+on:
+  push:
+    branches:
+      - 'renovate/*'
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: "Branch where to fix vulnerabilities"
+        required: true
+        type: string
+  workflow_call:
+    inputs:
+      branch:
+        required: true
+        type: string
+jobs:
+  gather_facts:
+    name: Gather facts
+    runs-on: ubuntu-22.04
+    outputs:
+      repo_name: ${{ steps.gather_facts.outputs.repo_name }}
+      branch: ${{ steps.gather_facts.outputs.branch }}
+    steps:
+      - name: Gather facts
+        id: gather_facts
+        run: |
+          head="${{ inputs.branch || github.event.ref }}"
+          echo "branch=${head}" >> $GITHUB_OUTPUT
+
+          head="${head#refs/heads/}" # Strip "refs/heads/" prefix.
+          repo_name="$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')"
+          echo "repo_name=\"$repo_name\" base=\"$base\" head=\"$head\" version=\"$version\""
+          echo "repo_name=${repo_name}" >> $GITHUB_OUTPUT
+          echo "head=${head}" >> $GITHUB_OUTPUT
+  run_nancy_fixer:
+    name: Fix vulnerabilities with nancy-fixer
+    runs-on: ubuntu-22.04
+    needs:
+      - gather_facts
+    steps:
+      - name: Generate a token
+        id: generate_token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.HERALD_APP_ID }}
+          private-key: ${{ secrets.HERALD_APP_KEY }}
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          persist-credentials: false
+          ref: ${{ needs.gather_facts.outputs.branch }}
+      - name: Install nancy-fixer
+        run: |
+            go install github.com/giantswarm/[email protected]
+            mod upgrade
+      - name: Run nancy-fixer fix
+        run: |
+            nancy-fixer fix
+      - name: Set up git identity
+        run: |
+          git config --local user.email "149080493+heraldbot[bot]@users.noreply.github.com"
+          git config --local user.name "HeraldBot[bot]"
+      - name: Commit new files
+        run: |
+          git add -A
+          git commit -m "Apply fixes for vulnerabilities"
+      - name: Push changes
+        env:
+          remote_repo: "https://${{ github.actor }}:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git"
+        run: |
+          git push "${remote_repo}" HEAD:${{ needs.gather_facts.outputs.branch }}

.github/workflows/zz_generated.gitleaks.yaml

@@ -1,6 +1,6 @@
 # DO NOT EDIT. Generated with:
 #
-#    devctl@6.15.1
+#    devctl@6.17.2-dev
 #
 name: gitleaks