gmeligio · gmeligio · Sep 8, 2024 · Sep 8, 2024 · Sep 8, 2024 · Sep 8, 2024
diff --git a/.github/workflows/build_push_image.yml b/.github/workflows/build_push_image.yml
@@ -14,8 +14,8 @@ on:
 jobs:
   build_push_android:
     permissions:
+      # Allow to write packages to push the container image to the Github Container Registry
       packages: write
-      contents: read
     runs-on: ubuntu-22.04
     env:
       IMAGE_REPOSITORY_NAME: flutter-android
@@ -25,6 +25,13 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
 
+      - name: Generate authentication token with GitHub App
+        uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1
+        id: generate-token
+        with:
+          app-id: ${{ secrets.VERIFIED_COMMIT_ID }}
+          private-key: ${{ secrets.VERIFIED_COMMIT_KEY }}
+
       - name: Login to Docker Hub
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
         with:
@@ -84,16 +91,6 @@ jobs:
             android_build_tools_version=${{ env.ANDROID_BUILD_TOOLS_VERSION }}
             android_platform_versions=${{ env.ANDROID_PLATFORM_VERSIONS }}
 
-      - name: Record image in Docker Scout environment
-        id: docker-scout-environment
-        uses: docker/scout-action@e71a6e518e912cc9094cb8c89e29bb0dcef01668 #v1
-        with:
-          command: environment
-          # Use the Docker Hub image that is the first tag in the metadata
-          image: registry://${{ fromJson(steps.metadata.outputs.json).tags[0] }}
-          environment: prod
-          organization: ${{ secrets.DOCKER_HUB_USERNAME }}
-
       - name: Test image
         uses: plexsystems/container-structure-test-action@c0a028aa96e8e82ae35be556040340cbb3e280ca # v0.3.0
         with:
@@ -124,6 +121,21 @@ jobs:
           short-description: ${{ github.event.repository.description }}
           readme-filepath: readme.md
 
+      - name: Record image in Docker Scout environment
+        id: docker-scout-environment
+        uses: docker/scout-action@e71a6e518e912cc9094cb8c89e29bb0dcef01668 #v1
+        with:
+          command: environment
+          # Use the Docker Hub image that is the first tag in the metadata
+          image: registry://${{ fromJson(steps.metadata.outputs.json).tags[0] }}
+          environment: prod
+          organization: ${{ secrets.DOCKER_HUB_USERNAME }}
+
+      - name: Update bootstrap image tag in environment variable
+        run: gh variable set FLUTTER_VERSION --body "${{ env.FLUTTER_VERSION }}"
+        env:
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+
       # TODO: Use kaniko for building and pushing after slowness is solved
       # TODO: https://github.com/GoogleContainerTools/kaniko/issues/970
       # TODO: https://github.com/GoogleContainerTools/kaniko/issues/875

diff --git a/.github/workflows/pr_image.yml b/.github/workflows/pr_image.yml
@@ -11,11 +11,11 @@ on:
 jobs:
   test_image:
     permissions:
+      # Allow to write packages for the docker/scout-action to write a comment
       packages: write
-      contents: read
-      # pull-requests write permission is needed for the docker/scout-action to write a comment
+      # Allow to write pull requests for the docker/scout-action to write a comment
       pull-requests: write
-      # security-events write permission is needed for github/codeql-action/upload-sarif to upload SARIF results
+      # Allow to write security events for github/codeql-action/upload-sarif to upload SARIF results
       security-events: write 
     runs-on: ubuntu-22.04
     env:

diff --git a/.github/workflows/update_flutter_dependencies.yml b/.github/workflows/update_flutter_dependencies.yml
@@ -12,6 +12,7 @@ jobs:
     permissions:
       # Enable OIDC token because Gitsign creates keys based on the GitHub runner OIDC credentials
       # id-token: write
+      # Allow to write contents to push commits
       contents: write
       # Allow to read packages to pull the container image from GitHub Container Registry
       packages: read

diff --git a/.github/workflows/update_flutter_version.yml b/.github/workflows/update_flutter_version.yml
@@ -7,7 +7,9 @@ jobs:
     permissions:
       # Enable OIDC token because Gitsign creates keys based on the GitHub runner OIDC credentials
       # id-token: write
+      # Allow to write contents to push commits
       contents: write
+      # Allow to write pull requests to push commits and write comments
       pull-requests: write
     runs-on: ubuntu-22.04
     steps:

diff --git a/script/copyFlutterVersion.js b/script/copyFlutterVersion.js
@@ -1,10 +1,10 @@
-module.exports = async ({ core}) => {
+module.exports = async ({ core }) => {
   const fs = require('fs')
-  
+
   const flutterVersionPath = 'config/flutter_version.json'
   const flutterVersionData = fs.readFileSync(flutterVersionPath, 'utf8')
   const fluterVersionJson = JSON.parse(flutterVersionData)
-  
+
   const versionPath = 'config/version.json'
   const versionData = fs.readFileSync(versionPath, 'utf8')
   let versionJson = JSON.parse(versionData)

diff --git a/script/updateFastlaneVersion.js b/script/updateFastlaneVersion.js
@@ -7,7 +7,7 @@ module.exports = async ({ core, fetch }) => {
     const response = await fetch(versionFileUrl)
 
     const data = await response.json()
-    
+
     version = data.version
   } catch (error) {
     console.error(

diff --git a/script/updateFlutterVersion.js b/script/updateFlutterVersion.js
@@ -1,12 +1,13 @@
 module.exports = async ({ core, fetch }) => {
-  const linuxReleasesUrl = 'https://storage.googleapis.com/flutter_infra_release/releases/releases_linux.json'
+  const linuxReleasesUrl =
+    'https://storage.googleapis.com/flutter_infra_release/releases/releases_linux.json'
   const stableReleasePattern = /^\d+\.\d+\.\d+$/g
   const resultPath = 'config/flutter_version.json'
-  
+
   /**
    * Downloads the flutter releases from URL
-   * 
-   * @param {*} fileUrl 
+   *
+   * @param {*} fileUrl
    * @returns object|boolean
    */
   async function downloadReleases(fileUrl) {
@@ -23,9 +24,9 @@ module.exports = async ({ core, fetch }) => {
       return false
     }
   }
-  
+
   const linuxReleasesResponse = await downloadReleases(linuxReleasesUrl)
-  
+
   if (linuxReleasesResponse === false) {
     core.setFailed(
       `Could not download Flutter version manifest from ${fileUrl}.`
@@ -34,14 +35,16 @@ module.exports = async ({ core, fetch }) => {
     return false
   }
 
-  const {releases} = linuxReleasesResponse
-  const latestRelease = releases.find((r) => r.version.match(stableReleasePattern))
+  const { releases } = linuxReleasesResponse
+  const latestRelease = releases.find((r) =>
+    r.version.match(stableReleasePattern)
+  )
 
   const fs = require('fs')
   const data = fs.readFileSync(resultPath, 'utf8')
   const oldJson = JSON.parse(data)
 
-  const {version, channel, hash: commit} = latestRelease
+  const { version, channel, hash: commit } = latestRelease
 
   // Update result file, i.e. version.json
   const newJson = {