From c759f0474ea937aa005bd2b95f2304c73fcdc8c5 Mon Sep 17 00:00:00 2001 From: Ben Doerr Date: Thu, 24 Apr 2025 12:07:13 -0400 Subject: [PATCH] =?UTF-8?q?=F0=9F=91=B7=20ci:=20Adds=20labeler=20&=20relea?= =?UTF-8?q?se=20workflows,=20updates=20action=20versions?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/changelog.json | 25 ++++++++++++++ .github/labeler.yml | 11 ++++++ .github/workflows/dependency-review.yml | 4 +-- .github/workflows/lint.yml | 46 ++++++++++++------------- .github/workflows/pr-label.yml | 22 ++++++++++++ .github/workflows/release.yml | 37 ++++++++++++++++++++ .github/workflows/scorecard.yml | 8 ++--- .github/workflows/test.yml | 6 ++-- 8 files changed, 126 insertions(+), 33 deletions(-) create mode 100644 .github/changelog.json create mode 100644 .github/labeler.yml create mode 100644 .github/workflows/pr-label.yml create mode 100644 .github/workflows/release.yml diff --git a/.github/changelog.json b/.github/changelog.json new file mode 100644 index 0000000..10320f9 --- /dev/null +++ b/.github/changelog.json @@ -0,0 +1,25 @@ +{ + "categories": [ + { + "title": "## ✨ Features", + "labels": ["enhancement"] + }, + { + "title": "## 🐛 Fixes", + "labels": ["bug"] + }, + { + "title": "## 🎨 Cleanup", + "labels": ["cleanup"] + }, + { + "title": "## 👷 CI/CD", + "labels": ["cicd"] + }, + { + "title": "## 📌 Dependencies", + "labels": ["dependencies"] + } + ], + "template": "${{CHANGELOG}}\n\n## Contributors:\n${{CONTRIBUTORS}}" +} diff --git a/.github/labeler.yml b/.github/labeler.yml new file mode 100644 index 0000000..b579602 --- /dev/null +++ b/.github/labeler.yml @@ -0,0 +1,11 @@ +enhancement: + - head-branch: ["^feature", "feature", "^new", "new"] + +bug: + - head-branch: ["^fix", "fix", "^bug", "bug"] + +cicd: + - head-branch: ["^ci", "ci", "^cicd", "cicd"] + +documentation: + - head-branch: ["^docs", "docs"] 
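Review bot: The `head-branch` patterns in labeler.yml are unanchored regexes, so `"new"`, `"ci"`, `"fix"` and `"bug"` match any branch whose name merely contains those letters (`renew-token`, `docs/efficiency`, `prefix-parsing`), and the anchored `"^feature"`/`"^ci"` entries are redundant next to their unanchored twins. Since these labels are exactly the keys `.github/changelog.json` groups release notes by, a mislabelled PR lands in the wrong section of the published release. Anchoring each rule to a prefix plus separator, e.g. `- head-branch: ["^(feature|feat|new)([/_-]|$)"]` for `enhancement` and `- head-branch: ["^(ci|cicd)([/_-]|$)"]` for `cicd`, keeps the intent without the false positives. Separately, `documentation` is assigned by the labeler but has no category in changelog.json, while `cleanup` and `dependencies` have categories but no labeler rule; if the changelog builder drops uncategorised PRs when the template only references `${{CHANGELOG}}` (as it appears to here), docs PRs will never show up in the notes — worth confirming against the builder's defaults.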
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 645e69c..3042671 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -17,11 +17,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit - name: "Checkout Repository" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: "Dependency Review" - uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 + uses: actions/dependency-review-action@ce3cf9537a52e8119d91fd484ab5b8a807627bf8 # v4.6.0 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 0803589..7305d1d 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -17,17 +17,17 @@ jobs: pull-requests: write steps: - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: tflint - uses: reviewdog/action-tflint@0a8c6a4cc8788c02fe181ea6b8530975688f1a33 # v1.23.2 + uses: reviewdog/action-tflint@41b4770c9d9e50741c20e431986b33124a07ca52 # v1.24.2 with: github_token: ${{ github.token }} reporter: github-pr-review - fail_on_error: "false" + fail_on_error: true filter_mode: file tflint_init: true flags: --no-module --recursive 
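Review bot: Flipping `fail_on_error` to `true` in the tflint job only fails the job on findings that survive `filter_mode: file`, so a rule violation in a `.tf` file the PR did not touch still passes; if the intent is to gate merges on the whole configuration, `filter_mode: nofilter` is needed alongside it. The reviewdog action versions pinned here also appear to have superseded `fail_on_error` with `fail_level` (e.g. `fail_level: any`), so this input may now emit a deprecation warning — worth checking the action README at v1.24.2. The job's trigger and `permissions` block start before this hunk, so I could not confirm the event type; with `reporter: github-pr-review`, a fork PR's read-only token cannot post the review, which, as far as I can tell, makes reviewdog exit non-zero rather than silently pass.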
@@ -37,19 +37,19 @@ jobs: pull-requests: write steps: - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: trivy - uses: reviewdog/action-trivy@5f1fa7bde1d2105edfdd0afcca8567fcdcd4692b # v1.12.3 + uses: reviewdog/action-trivy@0cab87b781d62e7b01ca66d2900484dedba06306 # v1.13.10 with: github_token: ${{ github.token }} trivy_command: config trivy_target: "." reporter: github-pr-review - fail_on_error: "false" + fail_on_error: true filter_mode: file golangci-lint: runs-on: ubuntu-latest @@ -57,7 +57,7 @@ jobs: pull-requests: write steps: - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit @@ -67,7 +67,7 @@ jobs: with: github_token: ${{ github.token }} reporter: github-pr-review - fail_on_error: "false" + fail_on_error: true filter_mode: file workdir: test/ go_version_file: test/go.mod @@ -77,7 +77,7 @@ jobs: pull-requests: write steps: - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit @@ -90,7 +90,7 @@ jobs: with: github_token: ${{ github.token }} reporter: github-pr-review - fail_on_error: "false" + fail_on_error: true filter_mode: file misspell: runs-on: ubuntu-latest 
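Review bot: The trivy step carries no `trivy_flags` or severity policy, so making `fail_on_error: true` blocks on every finding the `config` scan emits, down to LOW/UNKNOWN, and the first new noise rule in a Trivy bump (v1.12.3 → v1.13.10 is a large jump) will stall unrelated PRs. If everything is intentionally merge-blocking, say so in a comment above the step; otherwise pin the policy explicitly, e.g. `trivy_flags: --severity HIGH,CRITICAL`, and keep a tracked `.trivyignore` for accepted findings rather than flipping `fail_on_error` back later. As with the other reviewdog jobs in this file, `filter_mode: file` means misconfigurations in files the PR does not modify are not counted, so this is a gate on changed files only.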
@@ -98,17 +98,17 @@ jobs: pull-requests: write steps: - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: misspell - uses: reviewdog/action-misspell@ef8b22c1cca06c8d306fc6be302c3dab0f6ca12f # v1.23.0 + uses: reviewdog/action-misspell@9daa94af4357dddb6fd3775de806bc0a8e98d3e4 # v1.26.3 with: github_token: ${{ github.token }} reporter: github-pr-review - fail_on_error: "false" + fail_on_error: false filter_mode: file exclude: | ./.git/* @@ -119,17 +119,17 @@ jobs: pull-requests: write steps: - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: alex - uses: reviewdog/action-alex@73756e09c07d6025e86f0ac5605b65f2d4b4b78b # v1.14.0 + uses: reviewdog/action-alex@6083b8ca333981fa617c6828c5d8fb21b13d916b # v1.16.0 with: github_token: ${{ github.token }} reporter: github-pr-review - fail_on_error: "false" + fail_on_error: false filter_mode: file alex_flags: | * .github/* .github/workflows/* docs/* test/* examples/complete/* 
@@ -139,35 +139,33 @@ jobs: pull-requests: write steps: - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: markdownlint - uses: reviewdog/action-markdownlint@28fb4224271253fedd5079b61de820d6228041fd # v0.25.0 + uses: reviewdog/action-markdownlint@3667398db9118d7e78f7a63d10e26ce454ba5f58 # v0.26.2 with: github_token: ${{ github.token }} reporter: github-pr-review - fail_on_error: "false" + fail_on_error: false filter_mode: file - markdownlint_flags: | - --disable MD033 MD013 -- . actionlint: runs-on: ubuntu-latest permissions: pull-requests: write steps: - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: actionlint - uses: reviewdog/action-actionlint@7eeec1dd160c2301eb28e1568721837d084558ad # v1.57.0 + uses: reviewdog/action-actionlint@a5524e1c19e62881d79c1f1b9b6f09f16356e281 # v1.65.2 with: github_token: ${{ github.token }} reporter: github-pr-review - fail_on_error: "false" + fail_on_error: true filter_mode: file diff --git a/.github/workflows/pr-label.yml b/.github/workflows/pr-label.yml new file mode 100644 index 0000000..ba1d31d --- /dev/null +++ b/.github/workflows/pr-label.yml 
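Review bot: Dropping `markdownlint_flags: --disable MD033 MD013 -- .` re-enables the inline-HTML and line-length rules for every Markdown file, a behaviour change the commit subject ("updates action versions") does not mention; because the job stays at `fail_on_error: false` it will not break builds, but every affected line will start receiving review comments. If the rules were meant to stay off, the repo-level place for that is a `.markdownlint.yaml` with `MD013: false` and `MD033: false`, which markdownlint reads by default; if re-enabling is intended, a one-line comment above the step saying so would save the next reader a bisect. The actionlint job in the same hunk becoming blocking is welcome — it is the check that flags untrusted-input expression injection in these workflows.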
@@ -0,0 +1,22 @@ +name: Label Pull Request + +on: + pull_request: + +permissions: + contents: read + +jobs: + label: + runs-on: ubuntu-latest + + permissions: + contents: read + pull-requests: write + + steps: + - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + + - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 #v5.0.0 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..043b1da --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,37 @@ +name: Publish release + +on: + push: + tags: + - "v*.*.*" + +permissions: + contents: read + +jobs: + release: + runs-on: ubuntu-latest + + permissions: + contents: write + pull-requests: write + deployments: write + + steps: + - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - uses: mikepenz/release-changelog-builder-action@e92187bd633e680ebfdd15961a7c30b2d097e7ad # v5 + id: build_changelog + with: + configuration: .github/changelog.json + failOnError: "true" + fetchReviewers: "true" + + - uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2 + if: startsWith(github.ref, 'refs/tags/') + with: + body: ${{steps.build_changelog.outputs.changelog}} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 6bcbeac..b901f9e 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit 
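Review bot: The labeler job runs on `pull_request` with `pull-requests: write`, but for pull requests opened from forks the `GITHUB_TOKEN` is read-only regardless of the `permissions` block, so the label step will fail with a 403 on exactly the contributions most likely to need triage labels. actions/labeler documents `pull_request_target` for this, and it is acceptable here because the job checks out nothing and runs no PR-controlled code — only harden-runner and the labeler itself — so the elevated token never meets untrusted content; keep it that way if the workflow grows (no `actions/checkout` of the head ref). If forks are not expected, a comment stating that `pull_request` was chosen deliberately would stop a future reader from "fixing" it to `pull_request_target` and then adding a checkout. Style nit: `#v5.0.0` lacks the space every other pin comment uses (`# v5.0.0`).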
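Review bot: The release job grants `deployments: write` and `pull-requests: write` that nothing in the job uses: `release-changelog-builder-action` reads PRs and reviews (`fetchReviewers`) through the API, which needs read access, and `softprops/action-gh-release` needs `contents: write` only. Trim the job block to `contents: write` and `pull-requests: read` and drop `deployments: write`; a workflow on tag push with a write-capable token is exactly where a compromised action dependency does the most damage. In the same job, `actions/checkout` keeps its default `persist-credentials: true`, leaving that `contents: write` token in `.git/config` for the later steps, whereas scorecard.yml in this same change sets `persist-credentials: false`; add `persist-credentials: false` here too, or drop the checkout entirely if the changelog builder needs only the API (worth confirming). The `if: startsWith(github.ref, 'refs/tags/')` guard is redundant given the `tags:` trigger — harmless, but a short comment would make clear it is intended as defence in depth rather than left over.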
@@ -43,7 +43,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 + uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 with: results_file: results.sarif results_format: sarif @@ -65,7 +65,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: SARIF file path: results.sarif @@ -73,6 +73,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 + uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16 with: sarif_file: results.sarif diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 698305d..11629af 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -14,15 +14,15 @@ jobs: runs-on: ubuntu-latest steps: - name: "Harden Runner" - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit - name: "Checkout" - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: "Setup Go" - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0 with: go-version-file: test/go.mod cache: true