From 7d8093e341d59b118d8a3e6b5cfb09d61bb55071 Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Thu, 9 Oct 2025 10:17:55 -0700 Subject: [PATCH 01/11] Fix permissions section in update-from-submodule.yml Signed-off-by: Hunter T. --- .github/workflows/update-from-submodule.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/update-from-submodule.yml b/.github/workflows/update-from-submodule.yml index c2e4202..a67b4fd 100644 --- a/.github/workflows/update-from-submodule.yml +++ b/.github/workflows/update-from-submodule.yml @@ -1,5 +1,8 @@ name: Update From Submodule +permissions: + contents: write + on: pull_request_target: types: [opened, synchronize] @@ -7,9 +10,6 @@ on: - main workflow_dispatch: -permissions: - contents: write - jobs: update-files: if: github.actor == 'renovate[bot]' && startsWith(github.event.pull_request.head.ref, 'renovate/submodules-') From 9be4c91b9c386b2ddc27ef6c5584e4434d4695e7 Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Thu, 9 Oct 2025 10:18:57 -0700 Subject: [PATCH 02/11] Change GitHub Actions permissions from write to read Signed-off-by: Hunter T. --- .github/workflows/mkdocs-deploy.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/mkdocs-deploy.yml b/.github/workflows/mkdocs-deploy.yml index 2154627..9bcdef4 100644 --- a/.github/workflows/mkdocs-deploy.yml +++ b/.github/workflows/mkdocs-deploy.yml @@ -1,13 +1,13 @@ name: Deploy 'Custom Unix Terminal' GitHub Page +permissions: + contents: read + on: push: branches: ["main"] workflow_dispatch: -permissions: - contents: write - jobs: deploy: runs-on: ubuntu-latest From 8fb668365a16e5426f78293d0c34ff8b9f81a532 Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Thu, 9 Oct 2025 10:51:09 -0700 Subject: [PATCH 03/11] Separate build and deploy jobs in mkdocs-deploy.yml Refactor GitHub Actions workflow to separate build and deploy jobs for MkDocs. 
Signed-off-by: Hunter T. --- .github/workflows/mkdocs-deploy.yml | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/.github/workflows/mkdocs-deploy.yml b/.github/workflows/mkdocs-deploy.yml index 9bcdef4..00f5c7d 100644 --- a/.github/workflows/mkdocs-deploy.yml +++ b/.github/workflows/mkdocs-deploy.yml @@ -1,15 +1,12 @@ name: Deploy 'Custom Unix Terminal' GitHub Page -permissions: - contents: read - on: push: branches: ["main"] workflow_dispatch: jobs: - deploy: + build: runs-on: ubuntu-latest steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 @@ -25,5 +22,24 @@ jobs: - name: Build the site with MkDocs run: uv run mkdocs build --strict + - name: Upload static files as artifact + uses: actions/upload-pages-artifact@v4 + with: + path: ./site + + deploy: + needs: build + runs-on: ubuntu-latest + + permissions: + pages: write + id-token: write + + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + + steps: - name: Deploy to GitHub Pages - run: uv run mkdocs gh-deploy --force + id: deployment + uses: actions/deploy-pages@v4 From 1ff51bb3468b1ec9ac22c70f90b7cf878d962ad2 Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Thu, 9 Oct 2025 10:54:42 -0700 Subject: [PATCH 04/11] Add permissions to mkdocs-deploy workflow Added permissions for reading contents in the deployment workflow. Signed-off-by: Hunter T. --- .github/workflows/mkdocs-deploy.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/mkdocs-deploy.yml b/.github/workflows/mkdocs-deploy.yml index 00f5c7d..5cb9f62 100644 --- a/.github/workflows/mkdocs-deploy.yml +++ b/.github/workflows/mkdocs-deploy.yml @@ -1,5 +1,8 @@ name: Deploy 'Custom Unix Terminal' GitHub Page +permissions: + contents: read + on: push: branches: ["main"] From fae0cef21cd7ab34cc8422d46d9f5c6a8ba64a23 Mon Sep 17 00:00:00 2001 
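Review bot: The two new Pages steps are pinned only by a mutable major tag (`uses: actions/upload-pages-artifact@v4`, `uses: actions/deploy-pages@v4`) while the checkout step in the same file is pinned to a full commit SHA with a version comment; a tag can be repointed upstream, and the `deploy` job holds `id-token: write`, so it should follow the file's existing convention, e.g. `uses: actions/deploy-pages@<full-commit-sha> # v4` with the SHA taken from the action's release. The `build` job whose steps this hunk extends begins above the hunk.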
From: "Hunter T." Date: Thu, 9 Oct 2025 10:57:13 -0700 Subject: [PATCH 05/11] Rename checkout step in PR build workflow Signed-off-by: Hunter T. --- .github/workflows/pr-build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml index 5bbd3fd..01216c0 100644 --- a/.github/workflows/pr-build.yml +++ b/.github/workflows/pr-build.yml @@ -11,7 +11,8 @@ jobs: deploy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - name: Checkout + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: fetch-depth: 1 From 51a0b4ad859e4966711d43890fff79014691d1ba Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Thu, 9 Oct 2025 10:58:14 -0700 Subject: [PATCH 06/11] Add permissions section to mkdocs-deploy.yml Signed-off-by: Hunter T. --- .github/workflows/mkdocs-deploy.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/mkdocs-deploy.yml b/.github/workflows/mkdocs-deploy.yml index 5cb9f62..c746613 100644 --- a/.github/workflows/mkdocs-deploy.yml +++ b/.github/workflows/mkdocs-deploy.yml @@ -1,13 +1,13 @@ name: Deploy 'Custom Unix Terminal' GitHub Page -permissions: - contents: read - on: push: branches: ["main"] workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest From cadd6b9040f13ad1cbcdbb20c753225cc2d6f97d Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Thu, 9 Oct 2025 10:58:43 -0700 Subject: [PATCH 07/11] Fix permissions indentation in PR build workflow Signed-off-by: Hunter T. --- .github/workflows/pr-build.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml index 01216c0..608340e 100644 --- a/.github/workflows/pr-build.yml +++ b/.github/workflows/pr-build.yml 
@@ -1,12 +1,12 @@ name: Build the site with MkDocs -permissions: - contents: read - on: pull_request: branches: [ main ] +permissions: + contents: read + jobs: deploy: runs-on: ubuntu-latest From fd96cd4bbff11cd5b24c08e13df5df68cf9de47a Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Thu, 9 Oct 2025 11:28:36 -0700 Subject: [PATCH 08/11] Refactor GitHub Actions workflow for submodule updates Signed-off-by: Hunter T. --- .github/workflows/update-from-submodule.yml | 41 +++++++++++++-------- 1 file changed, 25 insertions(+), 16 deletions(-) diff --git a/.github/workflows/update-from-submodule.yml b/.github/workflows/update-from-submodule.yml index a67b4fd..b417797 100644 --- a/.github/workflows/update-from-submodule.yml +++ b/.github/workflows/update-from-submodule.yml @@ -1,22 +1,23 @@ name: Update From Submodule -permissions: - contents: write - on: pull_request_target: types: [opened, synchronize] - branches: - - main + branches: [ main ] workflow_dispatch: +permissions: + contents: write + jobs: - update-files: - if: github.actor == 'renovate[bot]' && startsWith(github.event.pull_request.head.ref, 'renovate/submodules-') + update-from-submodule: + if: > + github.actor == 'renovate[bot]' && + startsWith(github.event.pull_request.head.ref, 'renovate/submodules-') + runs-on: ubuntu-latest - steps: - - name: Checkout pull request branch with submodules + - name: Checkout PR branch with submodules uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: # Checkout the repository at the merge commit 
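Review bot: The rewritten job condition `github.actor == 'renovate[bot]' && startsWith(github.event.pull_request.head.ref, 'renovate/submodules-')` leaves the `workflow_dispatch` trigger kept in the same hunk with no reachable job: on a manual dispatch `github.event.pull_request` is empty and `github.actor` is the person dispatching, so the job is skipped unless renovate itself dispatches it. Either drop `workflow_dispatch` or gate on the event, e.g. `if: github.event_name == 'workflow_dispatch' || (github.actor == 'renovate[bot]' && startsWith(github.event.pull_request.head.ref, 'renovate/submodules-'))`, with the later steps taking the branch from a dispatch input instead of `github.event.pull_request.head.ref`. A short comment above `if:` stating which actor and branch prefix the job is restricted to, and why, would also help the next reader. The job body continues past this hunk.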
@@ -24,13 +25,20 @@ jobs: fetch-depth: 0 submodules: true - - name: Validate PR source branch + - name: Validate PR source repository and branch + shell: bash run: | - if [[ ${{ github.event.pull_request.head.repo.full_name }} != '${{ github.repository }}' ]]; then - echo "Untrusted repository detected! Exiting."; - exit 1; + if [[ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then + echo "Untrusted repository detected! Exiting..." + exit 1 fi + - name: Configure git identity + shell: bash + run: | + git config --global user.name "renovate[bot]" + git config --global user.email "29139614+renovate[bot]@users.noreply.github.com" + - name: Import GPG key uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6 with: @@ -53,8 +61,9 @@ jobs: run: bash update-changelog.bash - name: Commit and push changes + shell: bash run: | - git add . + git add -A git commit -m "Update files based on submodule changes" - git pull --rebase origin ${{ github.event.pull_request.head.ref }} - git push origin HEAD:${{ github.event.pull_request.head.ref }} + git pull --rebase origin "${{ github.event.pull_request.head.ref }}" + git push origin HEAD:"${{ github.event.pull_request.head.ref }}" From 8a4676e784a345b52ea3810d5e8bfc482e9b9a77 Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Thu, 9 Oct 2025 11:46:56 -0700 Subject: [PATCH 09/11] Update .github/workflows/update-from-submodule.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Hunter T. --- .github/workflows/update-from-submodule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-from-submodule.yml b/.github/workflows/update-from-submodule.yml index b417797..8801d64 100644 --- a/.github/workflows/update-from-submodule.yml +++ b/.github/workflows/update-from-submodule.yml 
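Review bot: Wrapping `${{ github.event.pull_request.head.ref }}` in double quotes in the `git pull --rebase` and `git push` lines does not protect the shell: the expression is substituted into the script text before bash parses it, so a branch name containing a quote or `$(` still changes the command. The robust form is to pass the value through the step environment — `env: HEAD_REF: ${{ github.event.pull_request.head.ref }}` on the step and `git push origin HEAD:"$HEAD_REF"` in the script — and the same applies to `head.repo.full_name` in the rewritten validate step; the `startsWith(..., 'renovate/submodules-')` job guard narrows exposure but is only a prefix check. Separately, the validation step still runs after `actions/checkout` with `submodules: true`, so the rejected tree has already been fetched; moving the repository check into the job-level `if` (`github.event.pull_request.head.repo.full_name == github.repository`) avoids fetching it at all. The job's checkout and GPG steps lie outside this hunk.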
@@ -63,7 +63,7 @@ jobs: - name: Commit and push changes shell: bash run: | - git add -A + git add . git commit -m "Update files based on submodule changes" git pull --rebase origin "${{ github.event.pull_request.head.ref }}" git push origin HEAD:"${{ github.event.pull_request.head.ref }}" From 60ee902cb74ee2a138d752c4ec531953840f41b2 Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Thu, 9 Oct 2025 11:52:25 -0700 Subject: [PATCH 10/11] Add rebaseWhen option to renovate configuration Signed-off-by: Hunter T. --- .github/renovate.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/renovate.json b/.github/renovate.json index fea3b9f..f164eaf 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -7,5 +7,6 @@ ], "git-submodules": { "enabled": true - } + }, + "rebaseWhen": "behind-base-branch" } From 483f2cd5d2be182cfd043f213909b08b8eba8ace Mon Sep 17 00:00:00 2001 From: "Hunter T." Date: Thu, 9 Oct 2025 11:56:00 -0700 Subject: [PATCH 11/11] Change trigger from pull_request_target to pull_request Signed-off-by: Hunter T. --- .github/workflows/update-from-submodule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-from-submodule.yml b/.github/workflows/update-from-submodule.yml index 8801d64..65afaac 100644 --- a/.github/workflows/update-from-submodule.yml +++ b/.github/workflows/update-from-submodule.yml @@ -1,7 +1,7 @@ name: Update From Submodule on: - pull_request_target: + pull_request: types: [opened, synchronize] branches: [ main ] workflow_dispatch:
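Review bot: With the trigger now `pull_request`, the commit that this workflow pushes to the renovate branch is made with the repository's `GITHUB_TOKEN`, and GitHub does not start new workflow runs for pushes made with that token, so `pr-build.yml` will not run against the PR's final commit; if that check is expected to cover the bot's change, this needs either a comment on the push step, e.g. `# Pushes with GITHUB_TOKEN do not re-trigger pr-build.yml on this branch`, or a dedicated app/deploy token with the same write scope. A comment next to `permissions: contents: write` would also document the consequence of the new trigger: a run for a fork-originated PR only receives a read token, so the write scope is effective for same-repository branches only. The `on:` block continues past this hunk.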