diff --git a/.github/workflows/ci-docker.yml b/.github/workflows/ci-docker.yml index e66a337..d307d36 100644 --- a/.github/workflows/ci-docker.yml +++ b/.github/workflows/ci-docker.yml @@ -1,5 +1,5 @@ --- -# This action is centrally managed in https://github.com//.github/ +# This workflow is centrally managed in https://github.com//.github/ # Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in # the above-mentioned repo. @@ -19,13 +19,20 @@ # GitHub runner. name: CI Docker +permissions: + contents: read on: pull_request: - branches: [master] - types: [opened, synchronize, reopened] + branches: + - master + types: + - opened + - synchronize + - reopened push: - branches: [master] + branches: + - master workflow_dispatch: concurrency: @@ -97,10 +104,9 @@ jobs: solution: ${{ steps.find_dotnet.outputs.solution }} setup_release: - if: ${{ needs.check_dockerfiles.outputs.dockerfiles }} name: Setup Release - needs: - - check_dockerfiles + if: needs.check_dockerfiles.outputs.dockerfiles + needs: check_dockerfiles outputs: publish_release: ${{ steps.setup_release.outputs.publish_release }} release_body: ${{ steps.setup_release.outputs.release_body }} @@ -108,6 +114,8 @@ jobs: release_generate_release_notes: ${{ steps.setup_release.outputs.release_generate_release_notes }} release_tag: ${{ steps.setup_release.outputs.release_tag }} release_version: ${{ steps.setup_release.outputs.release_version }} + permissions: + contents: write # read does not work to check squash and merge details runs-on: ubuntu-latest steps: - name: Checkout 
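Review bot: The new job-level `contents: write` on `setup_release` (hunk `@@ -108,6 +114,8 @@`) also applies to pull_request runs, since the job is gated only on `needs.check_dockerfiles.outputs.dockerfiles`, and the inline comment explains why read is insufficient but not when the grant actually takes effect. For pull requests from forks the GITHUB_TOKEN stays read-only regardless of this setting, so the elevated scope is effective only for pushes and same-repository PRs. The `Checkout` step that follows has its `with:` block outside the hunk; if it does not already set `persist-credentials: false`, it should, so the write-capable token is not left in `.git/config` for the later steps. I would extend the comment to `contents: write  # read does not work to check squash and merge details; effective only for pushes and same-repo PRs (fork PR tokens are read-only)`.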
@@ -115,23 +123,24 @@ jobs: - name: Setup Release id: setup_release - uses: LizardByte/setup-release-action@v2025.102.14715 + uses: LizardByte/setup-release-action@v2025.426.225 with: dotnet: ${{ needs.check_dockerfiles.outputs.dotnet }} github_token: ${{ secrets.GITHUB_TOKEN }} docker: - needs: [check_dockerfiles, setup_release] - if: ${{ needs.check_dockerfiles.outputs.dockerfiles }} - runs-on: ubuntu-22.04 + name: Docker${{ matrix.tag }} + if: needs.check_dockerfiles.outputs.dockerfiles + needs: + - check_dockerfiles + - setup_release permissions: packages: write contents: write + runs-on: ubuntu-22.04 strategy: fail-fast: false matrix: ${{ fromJson(needs.check_dockerfiles.outputs.matrix) }} - name: Docker${{ matrix.tag }} - steps: - name: Maximize build space uses: easimon/maximize-build-space@v10 @@ -256,14 +265,14 @@ jobs: Docker-buildx${{ matrix.tag }}- - name: Log in to Docker Hub - if: ${{ needs.setup_release.outputs.publish_release == 'true' }} # PRs do not have access to secrets + if: needs.setup_release.outputs.publish_release == 'true' # PRs do not have access to secrets uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - name: Log in to the Container registry - if: ${{ needs.setup_release.outputs.publish_release == 'true' }} # PRs do not have access to secrets + if: needs.setup_release.outputs.publish_release == 'true' # PRs do not have access to secrets uses: docker/login-action@v3 with: registry: ghcr.io @@ -271,7 +280,7 @@ jobs: password: ${{ secrets.GH_BOT_TOKEN }} - name: Build artifacts - if: ${{ steps.prepare.outputs.artifacts == 'true' }} + if: steps.prepare.outputs.artifacts == 'true' id: build_artifacts uses: docker/build-push-action@v6 with: 
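Review bot: `uses: LizardByte/setup-release-action@v2025.426.225` references the action by a mutable tag, so the code that runs with `secrets.GITHUB_TOKEN` can change upstream without any diff in this repository; pinning the full commit SHA with the tag kept as a trailing comment (`uses: LizardByte/setup-release-action@<commit-sha>  # v2025.426.225`) makes the dependency reviewable. The same applies to the other references this commit touches: `create-release-action@v2025.426.1549` in the `@@ -336` hunk, the new `actions/checkout@v4` step in codeql.yml, and `clang-format-lint-action@v0.20` in common-lint.yml. The reordering of the `docker` job is otherwise neutral, but a short comment next to its `permissions:` block noting that `packages: write`/`contents: write` only take effect for pushes and same-repo PRs would document why a pull_request-triggered job carries write scopes.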
@@ -314,7 +323,7 @@ jobs: no-cache-filters: ${{ steps.prepare.outputs.no_cache_filters }} - name: Arrange Artifacts - if: ${{ steps.prepare.outputs.artifacts == 'true' }} + if: steps.prepare.outputs.artifacts == 'true' working-directory: artifacts run: | # debug directory @@ -336,15 +345,18 @@ jobs: rm -f ./provenance.json - name: Upload Artifacts - if: ${{ steps.prepare.outputs.artifacts == 'true' }} + if: steps.prepare.outputs.artifacts == 'true' uses: actions/upload-artifact@v4 with: name: Docker${{ matrix.tag }} path: artifacts/ + if-no-files-found: error - name: Create/Update GitHub Release - if: ${{ needs.setup_release.outputs.publish_release == 'true' && steps.prepare.outputs.artifacts == 'true' }} - uses: LizardByte/create-release-action@v2025.102.13208 + if: > + needs.setup_release.outputs.publish_release == 'true' && + steps.prepare.outputs.artifacts == 'true' + uses: LizardByte/create-release-action@v2025.426.1549 with: allowUpdates: true artifacts: "*artifacts/*" @@ -356,7 +368,9 @@ jobs: token: ${{ secrets.GH_BOT_TOKEN }} - name: Update Docker Hub Description - if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} + if: > + github.event_name == 'push' && + github.ref == 'refs/heads/master' uses: peter-evans/dockerhub-description@v4 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0291f42..8483473 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,12 +1,19 @@ --- name: CI +permissions: + contents: read on: pull_request: - branches: [master] - types: [opened, synchronize, reopened] + branches: + - master + types: + - opened + - synchronize + - reopened push: - branches: [master] + branches: + - master workflow_dispatch: concurrency: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 4fd5fa2..c9949dd 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
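Review bot: The multi-line condition introduced as `if: >` on `Create/Update GitHub Release` (hunk `@@ -336,15 +345,18 @@`) is a folded scalar that keeps a trailing newline, while the analogous condition in codeql.yml already uses `if: >-`, which strips it; GitHub appears to accept both, so this is a style point, but the two new conditions in this file (here and on `Update Docker Hub Description` in the `@@ -356` hunk) should use `if: >-` to match. `if-no-files-found: error` on `Upload Artifacts` is a good addition, since an empty artifact directory would otherwise pass silently and the release step would then publish nothing.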
@@ -1,17 +1,21 @@ --- -# This action is centrally managed in https://github.com//.github/ +# This workflow is centrally managed in https://github.com//.github/ # Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in # the above-mentioned repo. # This workflow will analyze all supported languages in the repository using CodeQL Analysis. name: "CodeQL" +permissions: + contents: read on: push: - branches: ["master"] + branches: + - master pull_request: - branches: ["master"] + branches: + - master schedule: - cron: '00 12 * * 0' # every Sunday at 12:00 UTC @@ -22,14 +26,17 @@ concurrency: jobs: languages: name: Get language matrix - runs-on: ubuntu-latest outputs: matrix: ${{ steps.lang.outputs.result }} continue: ${{ steps.continue.outputs.result }} + runs-on: ubuntu-latest steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Get repo languages - uses: actions/github-script@v7 id: lang + uses: actions/github-script@v7 with: script: | // CodeQL supports ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift'] @@ -54,6 +61,22 @@ jobs: // Track languages we've already added to avoid duplicates const addedLanguages = new Set() + // Check if workflow files exist to determine if we should add actions language + const fs = require('fs'); + const hasYmlFiles = fs.existsSync('.github/workflows') && + fs.readdirSync('.github/workflows').some(file => file.endsWith('.yml') || file.endsWith('.yaml')); + + // Add actions language if workflow files exist + if (hasYmlFiles) { + console.log('Found GitHub Actions workflow files. Adding actions to the matrix.'); + matrix['include'].push({ + "category": "/language:actions", + "language": "actions", + "name": "actions", + "os": "ubuntu-latest" + }); + } + for (let [key, value] of Object.entries(response.data)) { // remap language if (remap_languages[key.toLowerCase()]) { 
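Review bot: The new `Checkout repository` step in the `languages` job (hunk `@@ -22,14 +26,17 @@`) carries no comment explaining why a job that only queries the GitHub API now needs a working tree; it exists so the github-script step can inspect `.github/workflows` on disk in the following hunk. A one-line comment above the step such as `# needed so the script below can inspect .github/workflows on disk` would make that coupling explicit to whoever next reorders or removes steps.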
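Review bot: The `hasYmlFiles` guard in hunk `@@ -54,6 +61,22 @@` will presumably always be true after the full checkout, because this workflow file itself lives under `.github/workflows`; if the check is meant to cover sparse checkouts or repositories that consume the script differently, the comment should say so, otherwise the `actions` entry could simply be pushed unconditionally. Style: the added lines end with semicolons (`const fs = require('fs');`) while the surrounding script omits them (`const addedLanguages = new Set()`); pick one convention for the script. `fs.readdirSync` also returns subdirectory names, so the `.endsWith('.yml')` test is a name check rather than a file check — harmless here, but worth a word in the comment.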
@@ -78,11 +101,18 @@ jobs: // set name for matrix let name = osList.length === 1 ? normalizedKey : `${normalizedKey}, ${os}` + // set category for matrix + let category = `/language:${normalizedKey}` + if (normalizedKey === 'cpp') { + category = `/language:cpp-${os.split('-')[0]}` + } + // add to matrix matrix['include'].push({ + "category": category, "language": normalizedKey, - "os": os, - "name": name + "name": name, + "os": os }) } } @@ -94,8 +124,8 @@ jobs: return matrix - name: Continue - uses: actions/github-script@v7 id: continue + uses: actions/github-script@v7 with: script: | // if matrix['include'] is an empty list return false, otherwise true @@ -109,24 +139,22 @@ jobs: analyze: name: Analyze (${{ matrix.name }}) - if: ${{ needs.languages.outputs.continue == 'true' }} + if: needs.languages.outputs.continue == 'true' defaults: run: shell: ${{ matrix.os == 'windows-latest' && 'msys2 {0}' || 'bash' }} env: GITHUB_CODEQL_BUILD: true - needs: [languages] - runs-on: ${{ matrix.os || 'ubuntu-latest' }} - timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} + needs: languages permissions: actions: read contents: read security-events: write - + runs-on: ${{ matrix.os || 'ubuntu-latest' }} strategy: fail-fast: false matrix: ${{ fromJson(needs.languages.outputs.matrix) }} - + timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} steps: - name: Maximize build space if: >- @@ -174,8 +202,7 @@ jobs: - third-party # Pre autobuild - # create a file named .codeql-prebuild-${{ matrix.language }}.sh in the root of your repository - # create a file named .codeql-build-${{ matrix.language }}.sh in the root of your repository + # create a file named .codeql-prebuild-${{ matrix.language }}-${{ runner.os }}.sh in the root of your repository - name: Prebuild id: prebuild run: | 
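Review bot: The rewritten comment in hunk `@@ -174,8 +202,7 @@` now documents only `.codeql-prebuild-${{ matrix.language }}-${{ runner.os }}.sh` and drops the line describing `.codeql-build-${{ matrix.language }}.sh`; the `Prebuild` step's `run:` script that actually looks for these files is outside the hunk, so I cannot confirm the new name matches what it globs for, and if a build hook still exists it is now undocumented. Either restore a line naming the build hook with its current filename pattern or add a sentence stating that only the prebuild hook remains.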
@@ -194,7 +221,7 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: - category: "/language:${{matrix.language}}" + category: "${{ matrix.category }}" output: sarif-results upload: failure-only @@ -211,6 +238,7 @@ jobs: - name: Upload SARIF uses: github/codeql-action/upload-sarif@v3 with: + category: "${{ matrix.category }}" sarif_file: sarif-results/${{ matrix.language }}.sarif - name: Upload loc as a Build Artifact @@ -218,4 +246,5 @@ jobs: with: name: sarif-results-${{ matrix.language }}-${{ runner.os }} path: sarif-results + if-no-files-found: error retention-days: 1 diff --git a/.github/workflows/common-lint.yml b/.github/workflows/common-lint.yml index 10692ad..524be6f 100644 --- a/.github/workflows/common-lint.yml +++ b/.github/workflows/common-lint.yml @@ -1,16 +1,22 @@ --- -# This action is centrally managed in https://github.com//.github/ +# This workflow is centrally managed in https://github.com//.github/ # Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in # the above-mentioned repo. # Common linting. name: common lint +permissions: + contents: read on: pull_request: - branches: [master] - types: [opened, synchronize, reopened] + branches: + - master + types: + - opened + - synchronize + - reopened concurrency: group: "${{ github.workflow }}-${{ github.ref }}" @@ -77,9 +83,10 @@ jobs: - name: C++ - Clang format lint if: always() && steps.cpp_files.outputs.found_files - uses: DoozyX/clang-format-lint-action@v0.18 + uses: DoozyX/clang-format-lint-action@v0.20 with: source: ${{ steps.cpp_files.outputs.found_files }} + clangFormatVersion: '20' extensions: 'c,cpp,h,hpp,m,mm' style: file inplace: false @@ -263,5 +270,4 @@ jobs: - name: YAML - log if: always() && steps.yamllint.outcome == 'failure' - run: | - cat "${{ steps.yamllint.outputs.logfile }}" >> $GITHUB_STEP_SUMMARY + run: cat "${{ steps.yamllint.outputs.logfile }}" >> $GITHUB_STEP_SUMMARY 
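Review bot: `run: cat "${{ steps.yamllint.outputs.logfile }}" >> $GITHUB_STEP_SUMMARY` in the last hunk of common-lint.yml interpolates an expression directly into the shell script; the value is a path produced by the yamllint step rather than user-controlled input, so the risk here is low, but the idiom a centrally managed workflow should model is passing expression values through `env:` so the shell only ever sees a quoted variable. I would write the step as `env:` / `  LOGFILE: ${{ steps.yamllint.outputs.logfile }}` / `run: cat "$LOGFILE" >> "$GITHUB_STEP_SUMMARY"`, which also quotes the summary path that the old one-line form left bare.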
diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml index aec6006..5bd4e88 100644 --- a/.github/workflows/issues.yml +++ b/.github/workflows/issues.yml @@ -1,17 +1,22 @@ --- -# This action is centrally managed in https://github.com//.github/ +# This workflow is centrally managed in https://github.com//.github/ # Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in # the above-mentioned repo. # Label and un-label actions using `../label-actions.yml`. name: Issues +permissions: {} on: issues: - types: [labeled, unlabeled] + types: + - labeled + - unlabeled discussion: - types: [labeled, unlabeled] + types: + - labeled + - unlabeled jobs: label:
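Review bot: `permissions: {}` removes every default grant for the whole workflow, so the `label` job (its body begins at the last line of the hunk and continues outside it) must declare whatever write scopes the labeling calls need, e.g. `issues: write` and `discussions: write`, or those calls will fail with 403 at runtime. If the job already does this, a short comment on the new line such as `permissions: {}  # jobs declare the write scopes they need` would record the intent for the next person who copies this file.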