diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..9fb62265
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+updates:
+ # Maintain dependencies for GitHub Actions.
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 7
+ ignore:
+ - dependency-name: "yiisoft/*"
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 34e479c9..cdf5b471 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -7,15 +7,25 @@ on:
 pull_request:
 permissions:
- contents: read
- checks: write
+ contents: read # Required to check out repository contents.
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
 jobs:
 build:
+ name: Build documentation
+ permissions:
+ checks: write # Required by vale-action to publish check annotations.
+ contents: read # Required to check out repository contents.
+
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+ with:
+ persist-credentials: false
 - name: Fetch styles
 run: |
@@ -24,7 +34,7 @@ jobs:
 unzip Microsoft.zip -d .github/styles
 - name: Check
- uses: errata-ai/vale-action@reviewdog
+ uses: errata-ai/vale-action@85f9f7f2c5f449ac0ae5b66662961bae3f77ca6a # tag = reviewdog
 with:
 reporter: github-check
 fail_on_error: false
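Review bot: The `ignore` entry for `yiisoft/*` exempts exactly the one reference in this commit that is still unpinned — `yiisoft/actions/.github/workflows/zizmor.yml@master` in the new zizmor workflow — so Dependabot will neither propose a SHA pin nor track that mutable branch, and the reason for the exemption is not recorded. Either drop the entry so the reusable workflow is managed like every other action, or annotate it, e.g. `# Reusable workflows from yiisoft/actions are referenced by branch on purpose.` This config also covers only the `github-actions` ecosystem; the docs and pages workflows run `npm run build` with `cache: npm`, which suggests a lockfile that would benefit from a second `package-ecosystem: "npm"` entry with the same `directory`, `schedule` and `cooldown`.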
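Review bot: The pin comment `# tag = reviewdog` on the vale-action line names a moving ref rather than a release, so a reader cannot tell which vale-action version the SHA corresponds to, and Dependabot's handling of SHA-pinned actions keys off a version-looking comment (as far as I know), so this pin may never be bumped. Record the release the SHA was taken from, `# vX.Y.Z (reviewdog branch)` with the real release number, or pin to a release tag's SHA instead. The `unzip Microsoft.zip -d .github/styles` context line at the top of the hunk extracts an archive fetched at run time by the step above (its download command is outside the hunk); since the pinned action then runs against whatever is in those styles, consider verifying the archive before extraction, `echo "<sha256>  Microsoft.zip" | sha256sum -c -`.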
@@ -34,23 +44,30 @@ jobs:
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
 links:
+ name: Check links
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Find files to check
 id: links
 shell: bash
+ env:
+ EVENT_NAME: ${{ github.event_name }}
+ PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+ BEFORE_SHA: ${{ github.event.before }}
+ CURRENT_SHA: ${{ github.sha }}
 run: |
- if [ "${{ github.event_name }}" = "pull_request" ]; then
- git diff --name-status --diff-filter=ACMRTD "${{ github.event.pull_request.base.sha }}...HEAD" > changed-files.txt
- elif [ "${{ github.event.before }}" = "0000000000000000000000000000000000000000" ]; then
- git diff-tree --root --no-commit-id --name-status -r "${{ github.sha }}" > changed-files.txt
+ if [ "$EVENT_NAME" = "pull_request" ]; then
+ git diff --name-status --diff-filter=ACMRTD "$PR_BASE_SHA...HEAD" > changed-files.txt
+ elif [ "$BEFORE_SHA" = "0000000000000000000000000000000000000000" ]; then
+ git diff-tree --root --no-commit-id --name-status -r "$CURRENT_SHA" > changed-files.txt
 else
- git diff --name-status --diff-filter=ACMRTD "${{ github.event.before }}..${{ github.sha }}" > changed-files.txt
+ git diff --name-status --diff-filter=ACMRTD "$BEFORE_SHA..$CURRENT_SHA" > changed-files.txt
 fi
 check_all=false
@@ -82,7 +99,7 @@ jobs:
 - name: Setup Node.js
 if: steps.links.outputs.count != '0'
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: 22
 cache: npm
diff --git a/.github/workflows/github-pages.yml b/.github/workflows/github-pages.yml
index 8e20176a..2e7e1df6 100644
--- a/.github/workflows/github-pages.yml
+++ b/.github/workflows/github-pages.yml
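Review bot: In the `else` branch, `git diff --name-status --diff-filter=ACMRTD "$BEFORE_SHA..$CURRENT_SHA"` assumes `github.event.before` still exists in the clone; after a force-push it usually does not, the command fails, and because `shell: bash` runs the script with `-e` the step aborts instead of falling back to a full check. Make a missing parent take the first-push path: `elif [ "$BEFORE_SHA" = "0000000000000000000000000000000000000000" ] || ! git cat-file -e "$BEFORE_SHA^{commit}" 2>/dev/null; then`. The `run:` script continues past the end of the hunk after `check_all=false`, so a `check_all=true` fallback there may be the better home for this, if that variable is what drives a full scan.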
@@ -7,9 +7,7 @@ on:
 workflow_dispatch:
 permissions:
- contents: read
- pages: write
- id-token: write
+ contents: read # Required to check out repository contents.
 concurrency:
 group: "pages"
@@ -17,13 +15,16 @@ concurrency:
 jobs:
 build:
+ name: Build site
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+ with:
+ persist-credentials: false
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: 22
 cache: npm
@@ -35,12 +36,17 @@ jobs:
 run: npm run build
 - name: Upload artifact
- uses: actions/upload-pages-artifact@v4
+ uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4
 with:
 path: src/.vitepress/dist
 deploy:
+ name: Deploy site
 if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
+ permissions:
+ pages: write # Required to publish to GitHub Pages.
+ id-token: write # Required to authenticate the Pages deployment.
+
 environment:
 name: github-pages
 url: ${{ steps.deployment.outputs.page_url }}
@@ -49,4 +55,4 @@ jobs:
 steps:
 - name: Deploy to GitHub Pages
 id: deployment
- uses: actions/deploy-pages@v4
+ uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
diff --git a/.github/workflows/translate.yml b/.github/workflows/translate.yml
index 5b130cde..b30039b3 100644
--- a/.github/workflows/translate.yml
+++ b/.github/workflows/translate.yml
@@ -1,7 +1,7 @@
 name: Update translations
 on:
- pull_request_target:
+ pull_request:
 paths:
 - '_translations/**'
 push:
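Review bot: The `deploy` job's `if:` checks only the event type, so with `pages: write` and `id-token: write` now granted on this job, every `push` that reaches the workflow publishes the site and may mint an OIDC token; whether the `on: push` trigger is limited to the default branch is not visible in these hunks. If it is not, extend the condition to `if: ${{ (github.event_name == 'push' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)) || github.event_name == 'workflow_dispatch' }}`, and independently configure a deployment-branch policy on the `github-pages` environment so the token cannot be obtained from other refs. The `concurrency` group `"pages"` shown in the first hunk serializes deploys but does not restrict which refs trigger them.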
@@ -10,31 +10,58 @@ on:
 - '_translations/**'
 - 'src/**'
+permissions:
+ contents: read # Required to check out repository contents by default.
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 jobs:
 update-docs:
 name: Update docs
+ permissions:
+ contents: write # Required to push generated translation updates.
+
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 token: ${{ secrets.YIISOFT_GITHUB_TOKEN || github.token }}
 ref: ${{ github.head_ref }}
 repository: ${{ github.event.pull_request.head.repo.full_name }}
+ persist-credentials: false
 - name: Prepare po4a configuration
 run: _translations/prepare-config.sh
 - name: Use po4a
- uses: vjik/docker-run@v1
+ uses: vjik/docker-run@623c9adf6ee99fc8f9fa4e3b0b6b0c25859b69ee # v1
 with:
 image: ghcr.io/yiisoft-contrib/po4a:0.74
 volumes: ${{ github.workspace }}:/src
 workdir: /src/_translations
 command: po4a po4a.conf && po4a po4a.conf
+ - name: Configure Git credentials
+ env:
+ GH_TOKEN: ${{ secrets.YIISOFT_GITHUB_TOKEN || github.token }}
+ run: git config --global credential.helper '!f() { echo username=x-access-token; echo password=$GH_TOKEN; }; f'
+
 - name: Commit changed files
- uses: stefanzweifel/git-auto-commit-action@v5
- with:
- commit_message: Update translation
- file_pattern: '_translations src'
+ env:
+ GIT_AUTHOR_NAME: github-actions[bot]
+ GIT_AUTHOR_EMAIL: 41898282+github-actions[bot]@users.noreply.github.com
+ GIT_COMMITTER_NAME: github-actions[bot]
+ GIT_COMMITTER_EMAIL: 41898282+github-actions[bot]@users.noreply.github.com
+ run: |
+ git add _translations src
+
+ if git diff --cached --quiet; then
+ echo "No translation changes to commit."
+ exit 0
+ fi
+
+ git commit -m "Update translation"
+ git push
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 00000000..430255de
--- /dev/null
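Review bot: The `git push` in `Commit changed files` will run without a usable credential: the helper configured in `Configure Git credentials` is stored single-quoted, so git expands `$GH_TOKEN` each time it invokes the helper, but `GH_TOKEN` is defined only in that earlier step's `env:`, and the commit step's `env:` lists only the author/committer identity, so the helper returns an empty password at push time. Add `GH_TOKEN: ${{ secrets.YIISOFT_GITHUB_TOKEN || github.token }}` to the commit step's `env:` (or hoist it to job level), and scope the helper with `credential.https://github.com.helper` rather than `--global credential.helper` so the token is never offered to another host. Separately, because the trigger earlier in this file is now `pull_request`, a PR from a fork runs with a read-only `github.token` and without `YIISOFT_GITHUB_TOKEN`, so the push fails there by design; gating the job with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` would turn that into a skip instead of a red check.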
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,22 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches:
+ - master
+ - main
+ paths:
+ - '.github/**.yml'
+ - '.github/**.yaml'
+ pull_request:
+ paths:
+ - '.github/**.yml'
+ - '.github/**.yaml'
+
+permissions:
+ actions: read # Required by zizmor when reading workflow metadata through the API.
+ contents: read # Required to read workflow files.
+
+jobs:
+ zizmor:
+ uses: yiisoft/actions/.github/workflows/zizmor.yml@master
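Review bot: `uses: yiisoft/actions/.github/workflows/zizmor.yml@master` is the one reference this commit leaves on a mutable ref while every other action is pinned to a commit SHA, and the new Dependabot config ignores `yiisoft/*`, so whatever lands on that branch in another repository runs with this workflow's token without review here; pin it, `uses: yiisoft/actions/.github/workflows/zizmor.yml@<commit-sha> # master`, or record in a comment why a branch ref is accepted. The caller grants only `actions: read` and `contents: read`; if the reusable workflow uploads SARIF to code scanning it would also need `security-events: write`, which I cannot confirm from this diff — check the callee's declared `permissions`.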