Several small fixes to CI scripting (#3905)

* Restore permission to make script work

We need to rework this, but until then things has to work.

* Permission issuers

* We don't try to cancel previous as it doesn't work

* Update

* Renaming, remove deprecated

* Add comments

* Prevent running scorecard on forks

* Update

.github/workflows/build-deskktop-pr.yml

@@ -1,9 +1,14 @@
-name: Build desktop images at PR
+name: Build Desktops at PR
+#
+# Generates supported desktops for uefi-arm64, uefi-x86 and rpi4 if label "desktop is set"
+#
 
 on:
   workflow_dispatch:
+
   pull_request:
     types: [ready_for_review]
+
   pull_request_review:
     types: [submitted]
 
@@ -13,8 +18,10 @@ permissions:
 jobs:
 
   Maintain:
+
     permissions:
       contents: none
+
     if: ${{ github.repository_owner == 'Armbian' && contains( github.event.pull_request.labels.*.name, 'Desktop :desktop_computer:') }}
     uses: armbian/scripts/.github/workflows/build-test-image-docker.yml@master
 

.github/workflows/build-images.yml

@@ -1,4 +1,8 @@
 name: Build Images
+#
+# Generates beta, stable or RC images. You can select build runners. By default it generates all images, but you can build images only for one target
+# Images are placed at www.arnmbian.com and nighly beta also at https://github.com/armbian/build/releases/tag/latest
+#
 
 on:
 
@@ -6,7 +10,9 @@ on:
     - cron: "30 2 */2 * *"
 
   workflow_dispatch:
+
     inputs:
+
       choice:
         type: choice
         description: Build targets
@@ -14,16 +20,19 @@ on:
         - beta
         - stable
         - rc
+
       runner:
         type: choice
         description: Build runners for CLI
         options:
         - small
         - ubuntu-latest
+
       sourcerepo:
         description: Source repository
         required: false
         default: 'nightly'
+
       advanced:
         description: 'Single board (grep -w tinkerboard |)'
         required: false
@@ -33,7 +42,7 @@ jobs:
 
   Cancel:
     name: "Cancel currently active"
-    if: ${{ github.repository_owner == 'Armbian' }}
+    if: ${{ github.repository_owner == 'Armbian' && github.event.schedule == '' }}
     runs-on: small
     steps:
       - uses: n1hility/cancel-previous-runs@v2
@@ -64,6 +73,7 @@ jobs:
     steps:
 
       - run: |
+
           echo "Env: ${{ github.event.inputs.choice }}"
           echo "Env: ${{ github.event.inputs.runner }}"
           echo "Env: ${{ github.event.inputs.sourcerepo }}"

.github/workflows/build-kernel-pr.yml

@@ -1,4 +1,8 @@
-name: Build at pull request
+name: Build Kernels at PR
+#
+# Generates kernels at PR if their code, patches or config was changed in any way. Packages are uploaded as Github action build artefakts
+# Build starts if review is requested or if PR is marked for review
+#
 
 on:
   workflow_dispatch:
@@ -7,14 +11,9 @@ on:
     paths-ignore:
       - .github/workflows
 
-permissions:
-  contents: read
-
 jobs:
 
   Check:
-    permissions:
-      contents: none
     name: Checking
     if: ${{ success() && github.repository_owner == 'Armbian' }}
     uses: armbian/scripts/.github/workflows/check-for-changes.yml@master
@@ -24,8 +23,6 @@ jobs:
       runner: small
 
   Build:
-    permissions:
-      contents: none
     needs: Check
     if: ${{ success() && github.repository_owner == 'Armbian' }}
     uses: armbian/scripts/.github/workflows/build-kernel.yml@master
@@ -46,8 +43,6 @@ jobs:
       KNOWN_HOSTS_UPLOAD: ${{ secrets.KNOWN_HOSTS_UPLOAD }}
 
   jobsend:
-    permissions:
-      contents: none
     name: Cleanup
     needs: [Build]
     runs-on: "small"

.github/workflows/build-train.yml

@@ -1,4 +1,8 @@
 name: Build train
+#
+# Generates kernels at push if their code, patches or config was changed in any way. If those conditions are met, then it also rebuild
+# desktops, firmware, u-boot, update repository and increment nighlty build version.
+#
 
 on:
   workflow_dispatch:
@@ -318,8 +322,7 @@ jobs:
   ##########################################################################################
 
   Bump:
-    permissions:
-      contents: none
+
     needs: [apt-armbian-com,beta-armbian-com,sync-servers]
     if: ${{ success() && github.repository_owner == 'Armbian' }}
     uses: armbian/scripts/.github/workflows/update-version.yml@master

.github/workflows/build-u-boot.yml

@@ -1,4 +1,8 @@
 name: Build u-boot & BSP
+#
+# Manually generates u-boot & BSP packages
+#
+
 
 on:
   workflow_dispatch:

.github/workflows/bump-version.yml

@@ -1,4 +1,7 @@
-name: Bump version
+name: Bump Version
+#
+# Manually bump version of nightly builds
+#
 
 on:
   workflow_dispatch:

.github/workflows/cleanup.yml

@@ -0,0 +1,21 @@
+name: Clean Workflow Logs
+
+on:
+  workflow_dispatch:
+    inputs:
+      days_old:
+        description: "The amount of days old to delete"
+        default: "7"
+        required: false
+
+jobs:
+  clean-logs:
+    if: ${{ github.repository_owner == 'Armbian' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: igorjs/gh-actions-clean-workflow@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          owner: ${{ github.repository_owner }}
+          repo: ${{ github.event.repository.name }}
+          days_old: ${{ github.event.inputs.days_old }}

.github/workflows/lint-scripts-pr.yml

@@ -1,4 +1,7 @@
-name: Lint scripts
+name: Lint On Scripts
+#
+# Run ShellCheck on all scripts and generates report as build artefact
+#
 
 on:
   workflow_dispatch:

.github/workflows/rebase.yml

@@ -1,4 +1,9 @@
 name: Automatic Rebase
+#
+# If you comment "/rebase" to the PR this action rebase the PR
+#
+
+
 on:
   issue_comment:
     types: [created]

.github/workflows/scorecard.yml

@@ -1,4 +1,4 @@
-name: Scorecards supply-chain security
+name: Scorecards Security Scan
 on:
   # Only the default branch is supported.
   branch_protection_rule:
@@ -13,6 +13,7 @@ permissions: read-all
 
 jobs:
   analysis:
+    if: ${{ github.repository_owner == 'Armbian' }}
     name: Scorecards analysis
     runs-on: ubuntu-latest
     permissions:

.github/workflows/smoke-tests.yml

@@ -1,4 +1,7 @@
 name: Smoke tests on DUTs
+#
+# Runs varios tests with latest nighly codebase on a real hardware
+#
 
 on:
   workflow_dispatch:

.github/workflows/update-cache.yml

@@ -1,4 +1,4 @@
-name: Rootfs Caches
+name: Update Rootfs Cache
 
 on:
   workflow_dispatch:

.github/workflows/update-docker.yml

@@ -1,4 +1,7 @@
 name: Update Docker
+#
+# Update Docker images we use for building CI
+#
 
 on:
   workflow_dispatch:

.github/workflows/update-repository.yml

@@ -1,37 +0,0 @@
-name: Update Repository
-
-on:
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-
-  apt-armbian-com:
-    permissions:
-      contents: none
-    uses: armbian/scripts/.github/workflows/update-repository.yml@master
-
-    with:
-      KEY_ID: 'repository'
-
-    secrets:  
-      KEY_REPOSITORY: ${{ secrets.KEY_REPOSITORY }}
-      USER_REPOSITORY: ${{ secrets.USER_REPOSITORY }}
-      HOST_REPOSITORY: ${{ secrets.HOST_REPOSITORY }}
-      KNOWN_HOSTS_REPOSITORY: ${{ secrets.KNOWN_HOSTS_REPOSITORY }}
-
-  beta-armbian-com:
-    permissions:
-      contents: none
-    uses: armbian/scripts/.github/workflows/update-repository.yml@master
-
-    with:
-      KEY_ID: 'repository-beta'
-
-    secrets:  
-      KEY_REPOSITORY: ${{ secrets.KEY_REPOSITORY_BETA }}
-      USER_REPOSITORY: ${{ secrets.USER_REPOSITORY }}
-      HOST_REPOSITORY: ${{ secrets.HOST_REPOSITORY }}
-      KNOWN_HOSTS_REPOSITORY: ${{ secrets.KNOWN_HOSTS_REPOSITORY }}