From f8d9e7c5a8bd8b14f47f4099c7350339e290ffcd Mon Sep 17 00:00:00 2001 From: LizardByte-bot <108553330+LizardByte-bot@users.noreply.github.com> Date: Fri, 25 Apr 2025 03:32:44 +0000 Subject: [PATCH 1/7] chore: update global workflows --- .github/workflows/codeql.yml | 42 +++++++++++++++++++++++-------- .github/workflows/common-lint.yml | 13 +++++++--- .github/workflows/issues.yml | 9 +++++-- 3 files changed, 47 insertions(+), 17 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 4fd5fa2..7fff77b 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -6,12 +6,16 @@ # This workflow will analyze all supported languages in the repository using CodeQL Analysis. name: "CodeQL" +permissions: + contents: read on: push: - branches: ["master"] + branches: + - master pull_request: - branches: ["master"] + branches: + - master schedule: - cron: '00 12 * * 0' # every Sunday at 12:00 UTC @@ -22,14 +26,17 @@ concurrency: jobs: languages: name: Get language matrix - runs-on: ubuntu-latest outputs: matrix: ${{ steps.lang.outputs.result }} continue: ${{ steps.continue.outputs.result }} + runs-on: ubuntu-latest steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Get repo languages - uses: actions/github-script@v7 id: lang + uses: actions/github-script@v7 with: script: | // CodeQL supports ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift'] 
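Review bot: The new `Checkout repository` step in the `languages` job (hunk `@@ -22,14 +26,17 @@` of codeql.yml) uses `actions/checkout@v4` with its default `persist-credentials: true`, which stores the workflow token in the checked-out tree's `.git/config` for the rest of the job. The job only needs to read the tree for the workflow-file check that the following `github-script` step performs, so the step should carry `with:` / `  persist-credentials: false`. The script body of that step continues in the next hunk.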
@@ -54,6 +61,21 @@ jobs: // Track languages we've already added to avoid duplicates const addedLanguages = new Set() + // Check if workflow files exist to determine if we should add actions language + const fs = require('fs'); + const hasYmlFiles = fs.existsSync('.github/workflows') && + fs.readdirSync('.github/workflows').some(file => file.endsWith('.yml') || file.endsWith('.yaml')); + + // Add actions language if workflow files exist + if (hasYmlFiles) { + console.log('Found GitHub Actions workflow files. Adding actions to the matrix.'); + matrix['include'].push({ + "language": "actions", + "os": "ubuntu-latest", + "name": "actions" + }); + } + for (let [key, value] of Object.entries(response.data)) { // remap language if (remap_languages[key.toLowerCase()]) { @@ -94,8 +116,8 @@ jobs: return matrix - name: Continue - uses: actions/github-script@v7 id: continue + uses: actions/github-script@v7 with: script: | // if matrix['include'] is an empty list return false, otherwise true @@ -109,24 +131,22 @@ jobs: analyze: name: Analyze (${{ matrix.name }}) - if: ${{ needs.languages.outputs.continue == 'true' }} + if: needs.languages.outputs.continue == 'true' defaults: run: shell: ${{ matrix.os == 'windows-latest' && 'msys2 {0}' || 'bash' }} env: GITHUB_CODEQL_BUILD: true - needs: [languages] - runs-on: ${{ matrix.os || 'ubuntu-latest' }} - timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} + needs: languages permissions: actions: read contents: read security-events: write - + runs-on: ${{ matrix.os || 'ubuntu-latest' }} strategy: fail-fast: false matrix: ${{ fromJson(needs.languages.outputs.matrix) }} - + timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} steps: - name: Maximize build space if: >- diff --git a/.github/workflows/common-lint.yml b/.github/workflows/common-lint.yml index 10692ad..77862b8 100644 --- a/.github/workflows/common-lint.yml +++ b/.github/workflows/common-lint.yml 
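Review bot: The `hasYmlFiles` guard in hunk `@@ -54,6 +61,21 @@` of codeql.yml cannot be false once the checkout in this job has run, because this very workflow file sits in `.github/workflows/` and ends in `.yml`; the `actions` entry is therefore always pushed, and the guard only masks a missing or failed checkout rather than a repository without workflows. If unconditional is the intent, a plain push with a comment such as `// this workflow file itself guarantees .github/workflows is non-empty, so always analyse actions` says so more honestly than a filesystem probe. The push also does not record `actions` in `addedLanguages`, although the comment just above says that set tracks everything added; `addedLanguages.add('actions')` keeps that invariant (the loop that consults the set continues outside the hunk). The added lines end with semicolons while the surrounding script omits them.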
@@ -6,11 +6,17 @@ # Common linting. name: common lint +permissions: + contents: read on: pull_request: - branches: [master] - types: [opened, synchronize, reopened] + branches: + - master + types: + - opened + - synchronize + - reopened concurrency: group: "${{ github.workflow }}-${{ github.ref }}" @@ -263,5 +269,4 @@ jobs: - name: YAML - log if: always() && steps.yamllint.outcome == 'failure' - run: | - cat "${{ steps.yamllint.outputs.logfile }}" >> $GITHUB_STEP_SUMMARY + run: cat "${{ steps.yamllint.outputs.logfile }}" >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml index aec6006..44edba6 100644 --- a/.github/workflows/issues.yml +++ b/.github/workflows/issues.yml @@ -6,12 +6,17 @@ # Label and un-label actions using `../label-actions.yml`. name: Issues +permissions: {} on: issues: - types: [labeled, unlabeled] + types: + - labeled + - unlabeled discussion: - types: [labeled, unlabeled] + types: + - labeled + - unlabeled jobs: label: From f83030865456426982dd108aa0429d419c86c3d5 Mon Sep 17 00:00:00 2001 From: LizardByte-bot <108553330+LizardByte-bot@users.noreply.github.com> Date: Fri, 25 Apr 2025 03:34:26 +0000 Subject: [PATCH 2/7] chore: update global workflows --- .github/workflows/update-docs.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml index ba84de8..572cf3a 100644 --- a/.github/workflows/update-docs.yml +++ b/.github/workflows/update-docs.yml @@ -10,10 +10,14 @@ # Update readthedocs on release events. name: Update docs +permissions: {} on: release: - types: [created, edited, deleted] + types: + - created + - edited + - deleted concurrency: group: "${{ github.workflow }}-${{ github.event.release.tag_name }}" 
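Review bot: The single-line `run:` in hunk `@@ -263,5 +269,4 @@` of common-lint.yml still interpolates `${{ steps.yamllint.outputs.logfile }}` directly into the shell command, so the value is substituted before bash parses the line. The output is produced by this workflow's own yamllint step, which limits the exposure, but the hardening pattern is to pass expressions through `env:` and let the shell expand a quoted variable: `env:` / `  LOGFILE: ${{ steps.yamllint.outputs.logfile }}` / `run: cat "$LOGFILE" >> "$GITHUB_STEP_SUMMARY"`. Quoting `$GITHUB_STEP_SUMMARY` also avoids word-splitting on the path.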
@@ -73,8 +77,7 @@ jobs: - name: Update RTD project # changing the default branch in readthedocs makes "latest" point to that branch/tag # we can also update other properties like description, etc. - if: >- - steps.check.outputs.isLatestRelease == 'true' + if: steps.check.outputs.isLatestRelease == 'true' run: | json_body=$(jq -n \ --arg default_branch "${TAG}" \ From 38c7a31b4561bfedbdf30948cb283ac076824813 Mon Sep 17 00:00:00 2001 From: LizardByte-bot <108553330+LizardByte-bot@users.noreply.github.com> Date: Fri, 25 Apr 2025 03:55:46 +0000 Subject: [PATCH 3/7] chore: update global workflows --- .github/workflows/common-lint.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/common-lint.yml b/.github/workflows/common-lint.yml index 77862b8..a854c08 100644 --- a/.github/workflows/common-lint.yml +++ b/.github/workflows/common-lint.yml @@ -83,9 +83,10 @@ jobs: - name: C++ - Clang format lint if: always() && steps.cpp_files.outputs.found_files - uses: DoozyX/clang-format-lint-action@v0.18 + uses: DoozyX/clang-format-lint-action@v0.20 with: source: ${{ steps.cpp_files.outputs.found_files }} + clangFormatVersion: '20' extensions: 'c,cpp,h,hpp,m,mm' style: file inplace: false From 7e020ddcc57f40f94b6e76ff83783288a29d14ac Mon Sep 17 00:00:00 2001 From: LizardByte-bot <108553330+LizardByte-bot@users.noreply.github.com> Date: Fri, 25 Apr 2025 17:51:14 +0000 Subject: [PATCH 4/7] chore: update global workflows --- .github/workflows/codeql.yml | 3 ++- .github/workflows/common-lint.yml | 2 +- .github/workflows/issues.yml | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 7fff77b..702d8d1 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
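Review bot: The bump to `DoozyX/clang-format-lint-action@v0.20` in hunk `@@ -83,9 +83,10 @@` of common-lint.yml keeps the third-party action pinned to a mutable tag, so a moved or re-published `v0.20` would change what runs on every pull request without any commit here. Pinning to the release's full-length commit SHA with the tag kept as a trailing comment, `uses: DoozyX/clang-format-lint-action@<full-commit-sha-for-v0.20>  # v0.20`, makes the dependency immutable while remaining readable for automated updaters. The new `clangFormatVersion: '20'` input is passed as a quoted string; confirm that is the form the v0.20 release expects.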
@@ -1,5 +1,5 @@ --- -# This action is centrally managed in https://github.com//.github/ +# This workflow is centrally managed in https://github.com//.github/ # Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in # the above-mentioned repo. @@ -238,4 +238,5 @@ jobs: with: name: sarif-results-${{ matrix.language }}-${{ runner.os }} path: sarif-results + if-no-files-found: error retention-days: 1 diff --git a/.github/workflows/common-lint.yml b/.github/workflows/common-lint.yml index a854c08..524be6f 100644 --- a/.github/workflows/common-lint.yml +++ b/.github/workflows/common-lint.yml @@ -1,5 +1,5 @@ --- -# This action is centrally managed in https://github.com//.github/ +# This workflow is centrally managed in https://github.com//.github/ # Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in # the above-mentioned repo. diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml index 44edba6..5bd4e88 100644 --- a/.github/workflows/issues.yml +++ b/.github/workflows/issues.yml @@ -1,5 +1,5 @@ --- -# This action is centrally managed in https://github.com//.github/ +# This workflow is centrally managed in https://github.com//.github/ # Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in # the above-mentioned repo. From 2a2c70c3ef92caa0dfb2ed27be7f01aed8aae1e9 Mon Sep 17 00:00:00 2001 From: LizardByte-bot <108553330+LizardByte-bot@users.noreply.github.com> Date: Fri, 25 Apr 2025 17:52:53 +0000 Subject: [PATCH 5/7] chore: update global workflows --- .github/workflows/update-docs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml index 572cf3a..04e1e90 100644 --- a/.github/workflows/update-docs.yml +++ b/.github/workflows/update-docs.yml 
@@ -1,9 +1,9 @@ --- -# This action is centrally managed in https://github.com//.github/ +# This workflow is centrally managed in https://github.com//.github/ # Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in # the above-mentioned repo. -# Use the `rtd` repository label to identify repositories that should trigger have this workflow. +# To use, add the `rtd` repository label to identify repositories that should trigger this workflow. # If the project slug is not the repository name, add a repository variable named `READTHEDOCS_SLUG` with the value of # the ReadTheDocs project slug. From 80758cee513df34ff0d54be02dd727bf6acb8c51 Mon Sep 17 00:00:00 2001 From: LizardByte-bot <108553330+LizardByte-bot@users.noreply.github.com> Date: Fri, 25 Apr 2025 22:08:43 +0000 Subject: [PATCH 6/7] chore: update global workflows --- .github/workflows/codeql.yml | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 702d8d1..c9949dd 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -70,9 +70,10 @@ jobs: if (hasYmlFiles) { console.log('Found GitHub Actions workflow files. Adding actions to the matrix.'); matrix['include'].push({ + "category": "/language:actions", "language": "actions", - "os": "ubuntu-latest", - "name": "actions" + "name": "actions", + "os": "ubuntu-latest" }); } @@ -100,11 +101,18 @@ jobs: // set name for matrix let name = osList.length === 1 ? normalizedKey : `${normalizedKey}, ${os}` + // set category for matrix + let category = `/language:${normalizedKey}` + if (normalizedKey === 'cpp') { + category = `/language:cpp-${os.split('-')[0]}` + } + // add to matrix matrix['include'].push({ + "category": category, "language": normalizedKey, - "os": os, - "name": name + "name": name, + "os": os }) } } 
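Review bot: The `category` computed in hunk `@@ -100,11 +101,18 @@` of codeql.yml appends the OS only for `cpp`, whereas `name` two lines above is made unique per OS whenever `osList` has more than one entry. If any other language is ever given several OSes, its matrix entries would share a single SARIF category, and code scanning treats uploads with the same category as the same analysis, so the last upload would replace the earlier ones. Deriving the suffix from the same condition as `name` closes that gap: use the existing `/language:<key>-<os prefix>` branch whenever `normalizedKey === 'cpp' || osList.length > 1`. Whether `osList` can currently hold more than one entry for a non-cpp language is decided earlier in the script, outside this hunk.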
@@ -194,8 +202,7 @@ jobs: - third-party # Pre autobuild - # create a file named .codeql-prebuild-${{ matrix.language }}.sh in the root of your repository - # create a file named .codeql-build-${{ matrix.language }}.sh in the root of your repository + # create a file named .codeql-prebuild-${{ matrix.language }}-${{ runner.os }}.sh in the root of your repository - name: Prebuild id: prebuild run: | @@ -214,7 +221,7 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: - category: "/language:${{matrix.language}}" + category: "${{ matrix.category }}" output: sarif-results upload: failure-only @@ -231,6 +238,7 @@ jobs: - name: Upload SARIF uses: github/codeql-action/upload-sarif@v3 with: + category: "${{ matrix.category }}" sarif_file: sarif-results/${{ matrix.language }}.sarif - name: Upload loc as a Build Artifact From 18854d5b969e2d13fb45e9e3d487896eec014eaa Mon Sep 17 00:00:00 2001 From: ReenigneArcher <42013603+ReenigneArcher@users.noreply.github.com> Date: Sat, 26 Apr 2025 17:05:10 -0400 Subject: [PATCH 7/7] ci(workflows): add permissions and general cleanup --- .github/workflows/ci.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 68b0a60..05a5472 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -3,6 +3,8 @@ # For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages name: CI +permissions: + contents: read on: pull_request: @@ -30,6 +32,8 @@ jobs: release_generate_release_notes: ${{ steps.setup_release.outputs.release_generate_release_notes }} release_tag: ${{ steps.setup_release.outputs.release_tag }} release_version: ${{ steps.setup_release.outputs.release_version }} + permissions: + contents: write runs-on: ubuntu-latest steps: - name: Checkout @@ -59,8 +63,7 @@ jobs: id: test env: FORCE_COLOR: true - run: | - npm test + run: npm test - name: Build env: 
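Review bot: The job-level `permissions: contents: write` added to `setup_release` in hunk `@@ -30,6 +32,8 @@` of ci.yml widens that job beyond the new top-level `contents: read`, and the workflow also runs on `pull_request`. Nothing visible in the hunk shows the job writing to the repository, and the `release` job later in the file authenticates with `secrets.GH_BOT_TOKEN` rather than the workflow token. If the `setup_release` step only computes the outputs listed above it, the grant can be dropped so the job inherits `contents: read`; if it does create a tag or release with the workflow token, a comment such as `# required: setup_release creates the release tag` beside the grant would record why write is needed. The job's steps continue outside the hunk.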
@@ -95,7 +98,7 @@ jobs: verbose: true release: - if: ${{ needs.setup_release.outputs.publish_release == 'true' }} + if: needs.setup_release.outputs.publish_release == 'true' needs: - setup_release - build @@ -115,15 +118,15 @@ jobs: token: ${{ secrets.GH_BOT_TOKEN }} publish-gpr: - if: ${{ needs.setup_release.outputs.publish_release == 'true' }} + if: needs.setup_release.outputs.publish_release == 'true' needs: - setup_release - build - runs-on: ubuntu-latest permissions: contents: read id-token: write # required for provenance packages: write + runs-on: ubuntu-latest strategy: fail-fast: false matrix: @@ -144,8 +147,7 @@ jobs: scope: '@lizardbyte' - name: Update package.json - run: | - npm version ${{ needs.setup_release.outputs.release_version }} --no-git-tag-version + run: npm version ${{ needs.setup_release.outputs.release_version }} --no-git-tag-version - name: Install dependencies run: npm install
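Review bot: The `npm version ${{ needs.setup_release.outputs.release_version }} --no-git-tag-version` line in hunk `@@ -144,8 +147,7 @@` of ci.yml substitutes a job output into the shell command before bash parses it, the same pattern as the other `${{ }}`-inside-`run:` uses in this series. The value comes from this workflow's own `setup_release` job, so the exposure is limited, but routing it through the environment keeps the shell line static: `env:` / `  RELEASE_VERSION: ${{ needs.setup_release.outputs.release_version }}` / `run: npm version "$RELEASE_VERSION" --no-git-tag-version`. With the quoted variable an empty output presumably makes `npm version` reject the argument instead of silently printing the version table and exiting successfully.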