diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
deleted file mode 100644
index 2eeee04..0000000
--- a/.github/workflows/automerge.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-name: Automerge Dependabot PRs
-# **What it does**: Automatically merge Dependabot PRs that pass the CI workflow run.
-# **Why we have it**: Keeps dependencies up-to-date, to avoid security issues.
-on:
- workflow_run:
- workflows: ["CI"]
- types: [completed]
-
- permissions:
- contents: write
- pull-requests: write
-
- jobs:
- on-success:
- if: >
- github.event.workflow_run.event == 'pull_request' &&
- github.event.workflow_run.conclusion == 'success' &&
- github.actor == 'dependabot[bot]'
- runs-on: ubuntu-latest
- steps:
- - name: Download artifact
- uses: actions/github-script@v7
- with:
- script: |
- const { writeFile } = require("node:fs/promises");
- const { owner, repo } = context.repo;
-
- const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
- owner,
- repo,
- run_id: ${{ github.event.workflow_run.id }},
- });
- const matchArtifact = artifacts.data.artifacts.find(
- (artifact) => artifact.name == "pr"
- );
-
- const download = await github.rest.actions.downloadArtifact({
- owner,
- repo,
- artifact_id: matchArtifact.id,
- archive_format: "zip",
- });
-
- await writeFile("${{github.workspace}}/pr.zip", Buffer.from(download.data), { flush: true });
-
- - name: Unzip artifact
- run: unzip pr.zip
-
- - name: Merge PR
- uses: actions/github-script@v7
- with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- script: |
- const { readFile } = require("node:fs/promises");
- const { owner, repo } = context.repo;
-
- const pull_number = Number(await readFile("./NR", "utf8"));
-
- await github.rest.pulls.merge({
- merge_method: "squash",
- owner,
- repo,
- pull_number,
- });
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index e5c4644..6338b0e 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -22,7 +22,7 @@ jobs:
steps:
- name: Release Please
id: release
- uses: googleapis/release-please-action@v4
+ uses: googleapis/release-please-action@a02a34c4d625f9be7cb89156071d8567266a2445 # v4.2.0
with:
config-file: .github/release-please/config.json
manifest-file: .github/release-please/manifest.json
@@ -38,12 +38,12 @@ jobs:
id-token: write
steps:
- name: Check out repo
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
with:
check-latest: true
node-version: lts/*
@@ -72,12 +72,12 @@ jobs:
packages: write
steps:
- name: Check out repo
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
with:
check-latest: true
node-version: lts/*
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e84bdcb..2b6e37a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,9 +18,6 @@ on:
- "*.md"
types: [opened, ready_for_review, reopened, synchronize]
-permissions:
- contents: read
-
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: "${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
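Review bot: Removing the workflow-level `permissions: contents: read` in the ci.yml hunk means any job in that file without its own `permissions` block now runs with the repository's default GITHUB_TOKEN scope, which can be read/write on older repositories, instead of the read-only floor that was in force before. The later hunks add job-level blocks to the jobs they touch, but a job this diff does not show, or one added later, silently loses that floor. Keeping a restrictive workflow-level default and widening it per job is the usual least-privilege pattern: `permissions: {}` at the top of the file, or simply leaving the `contents: read` block in place. The same top-level removal is made in codeql.yml and link-check.yml further down.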
@@ -33,27 +30,31 @@ jobs:
github.event.pull_request.draft == false &&
github.event_name == 'pull_request'
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Check out repo
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Dependency review
- uses: actions/dependency-review-action@v4
+ uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
lint:
name: Lint Code
if: github.event.pull_request.draft == false
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Check out repo
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
with:
check-latest: true
node-version: lts/*
@@ -82,15 +83,17 @@ jobs:
github.event.pull_request.draft == false &&
github.actor != 'dependabot[bot]'
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Check out repo
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false
- name: Run Commitlint
- uses: wagoid/commitlint-github-action@v6
+ uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1
with:
configFile: ./package.json
@@ -102,14 +105,16 @@ jobs:
node-version: [20, 22]
os: [macos-latest, ubuntu-latest, windows-latest]
runs-on: ${{ matrix.os }}
+ permissions:
+ contents: read
steps:
- name: Check out repo
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Setup Node ${{ matrix.node-version }}
- uses: actions/setup-node@v4
+ uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
with:
node-version: ${{ matrix.node-version }}
@@ -120,8 +125,8 @@ jobs:
run: npm run test:unit:coverage
- name: Coveralls parallel
- if: github.repository == 'Fdawgs/fastify-disablecache'
- uses: coverallsapp/github-action@v2
+ if: github.repository == 'Fdawgs/fastify-json-to-xml'
+ uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
parallel: true
@@ -132,37 +137,30 @@ jobs:
needs: unit-tests
if: >
github.event.pull_request.draft == false &&
- github.repository == 'Fdawgs/fastify-disablecache'
+ github.repository == 'Fdawgs/fastify-json-to-xml'
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Coveralls finished
- uses: coverallsapp/github-action@v2
+ uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
parallel-finished: true
- # This job is used to save the PR number in an artifact, for use in the automerge.yml workflow
- save-pr-number:
- name: Save Dependabot PR Number
+ automerge:
+ name: Automerge Dependabot PRs
needs: unit-tests
if: >
github.event.pull_request.draft == false &&
github.event_name == 'pull_request' &&
github.event.pull_request.user.login == 'dependabot[bot]'
runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ contents: write
steps:
- - name: Check out repo
- uses: actions/checkout@v4
+ - uses: fastify/github-action-merge-dependabot@e820d631adb1d8ab16c3b93e5afe713450884a4a # v3.11.1
with:
- persist-credentials: false
-
- - name: Save PR number
- run: |
- mkdir -p ./pr
- echo ${{ github.event.number }} > ./pr/NR
-
- - name: Upload PR number in artifact
- uses: actions/upload-artifact@v4
- with:
- name: pr
- path: pr/
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ merge-method: squash
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d33010f..1adfcd0 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -16,9 +16,6 @@ on:
- "**/*.yml"
types: [opened, ready_for_review, reopened, synchronize]
-permissions:
- security-events: write
-
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: "${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
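Review bot: The new `automerge` job is gated only on `needs: unit-tests`, so a Dependabot PR that fails dependency review, lint or commitlint is still merged as long as the unit tests pass, whereas the deleted workflow_run-based automerge required the whole CI run to conclude `success`. Dependency review is the check that matters most here, since it is what would block a bumped package carrying a known advisory or a disallowed licence. Unless `unit-tests` itself already `needs` those jobs (its job header is outside this hunk), list them explicitly, e.g. `needs: [lint, unit-tests]` plus the ids of the dependency-review and commitlint jobs. Two further caveats worth confirming against the action's docs: a merge performed with `secrets.GITHUB_TOKEN` does not trigger `push` workflows such as cd.yml's Release Please, and if the action's `target` input is left at its default, major version bumps are auto-merged too.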
@@ -26,20 +23,29 @@ concurrency:
jobs:
build:
+ name: CodeQL Analysis
if: github.event.pull_request.draft == false
+ strategy:
+ matrix:
+ languages: ["actions", "javascript-typescript"]
runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
steps:
- name: Check out repo
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
# Initialises the CodeQL tools for scanning
- name: Initialise CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
with:
- languages: javascript
config-file: ./.github/codeql-config.yml
+ languages: ${{ matrix.languages }}
- name: Perform CodeQL analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/link-check.yml b/.github/workflows/link-check.yml
index 874e59e..340bfc8 100644
--- a/.github/workflows/link-check.yml
+++ b/.github/workflows/link-check.yml
@@ -31,22 +31,21 @@ on:
# Allows this workflow to be run manually from the Actions tab
workflow_dispatch:
-permissions:
- contents: read
-
jobs:
link-check:
name: Link Check
if: github.event.pull_request.draft == false
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Check out repo
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Run Linkinator
- uses: JustinBeckwith/linkinator-action@v1
+ uses: JustinBeckwith/linkinator-action@3d5ba091319fa7b0ac14703761eebb7d100e6f6d # v1.11.0
with:
paths: "**/*.md"
skip: "https://(?:www.|)github.com/Fdawgs/.*/(?:commit|issues|compare)/, http://0.0.0.0"
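Review bot: The matrix key is `languages`, but the analyze step's `category: "/language:${{matrix.language}}"` references `matrix.language`, which is undefined and expands to an empty string, so both matrix entries upload under the category `/language:` (the init step correctly uses `matrix.languages`). CodeQL uses the category to tell apart analyses of the same commit, so with an identical category the `actions` and `javascript-typescript` results are likely to replace each other rather than both being retained. Fix by writing `category: "/language:${{ matrix.languages }}"`, or rename the matrix key to `language` and update both references.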