diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5dc86a7..4462456 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,7 +35,7 @@ jobs: run: pip install yamllint - name: actionlint - run: actionlint .github/workflows/**/*.yml .github/workflows/*.yml + run: actionlint .github/workflows/*.yml - name: zizmor run: zizmor --format sarif .github/workflows/ > zizmor.sarif || true @@ -46,7 +46,7 @@ jobs: .github/workflows/ test-check-release: - name: Test — common/check-release + name: Test — common-check-release needs: lint runs-on: ubuntu-latest strategy: @@ -107,7 +107,7 @@ jobs: REF="${{ steps.fixture.outputs.github_ref }}" REF_NAME=$(echo "$REF" | sed 's|refs/tags/||;s|refs/heads/||') act workflow_call \ - -W .github/workflows/common/check-release.yml \ + -W .github/workflows/common-check-release.yml \ --eventpath /tmp/event.json \ --env "GITHUB_REF=$REF" \ --env "GITHUB_REF_NAME=$REF_NAME" \ diff --git a/.github/workflows/build-docs.yml b/.github/workflows/common-build-docs.yml similarity index 95% rename from .github/workflows/build-docs.yml rename to .github/workflows/common-build-docs.yml index 481968e..86f195c 100644 --- a/.github/workflows/build-docs.yml +++ b/.github/workflows/common-build-docs.yml @@ -7,6 +7,9 @@ on: type: string default: "fatal" +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/common/check-release.yml b/.github/workflows/common-check-release.yml similarity index 100% rename from .github/workflows/common/check-release.yml rename to .github/workflows/common-check-release.yml diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/common-check-semantic-pr.yml similarity index 94% rename from .github/workflows/check-semantic-pr.yml rename to .github/workflows/common-check-semantic-pr.yml index 776074f..0b731db 100644 --- a/.github/workflows/check-semantic-pr.yml +++ b/.github/workflows/common-check-semantic-pr.yml 
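Review bot: The narrowed glob on the `actionlint` step covers only `.github/workflows/*.yml`, while the header comments of the `tests/` workflows later in this diff (for example tests/java/build-gradle.yml) say those files are "validated by actionlint only in ci.yml". If no step outside this hunk passes them to actionlint, the rewritten `uses: ./.github/workflows/<name>.yml` references in `tests/` are never checked, and a typo in a new path would go unnoticed. If those files are meant to be linted here, consider `run: actionlint .github/workflows/*.yml tests/*/*.yml` (adjusting the glob should `tests/_resources` hold non-workflow YAML). The step list continues outside the hunk.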
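Review bot: The `permissions:` block added in common-build-docs.yml, together with the one in common-check-semantic-pr.yml, is the only token scoping this commit introduces. The publish and release workflows are renamed at 100% similarity, so whatever they declare is not visible in this diff. A called workflow with no `permissions:` of its own runs with whatever the caller grants, and the callers in `tests/` grant `contents: write` and `pages: write`, so it is worth confirming that each of those files declares its own minimum. If the docs build does only read the repository, a comment above this block would record the intent: `# Least privilege: read-only token; callers must grant at least contents: read.` The `build` job body continues outside the hunk.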
@@ -2,6 +2,9 @@ name: Check Semantic PR on: workflow_call: +permissions: + pull-requests: read + jobs: semantic-pr: name: Validate PR title diff --git a/.github/workflows/common/publish-to-docker.yml b/.github/workflows/common-publish-to-docker.yml similarity index 100% rename from .github/workflows/common/publish-to-docker.yml rename to .github/workflows/common-publish-to-docker.yml diff --git a/.github/workflows/common/publish-to-github-pages.yml b/.github/workflows/common-publish-to-github-pages.yml similarity index 100% rename from .github/workflows/common/publish-to-github-pages.yml rename to .github/workflows/common-publish-to-github-pages.yml diff --git a/.github/workflows/common/release-preview.yml b/.github/workflows/common-release-preview.yml similarity index 100% rename from .github/workflows/common/release-preview.yml rename to .github/workflows/common-release-preview.yml diff --git a/.github/workflows/common/release.yml b/.github/workflows/common-release.yml similarity index 100% rename from .github/workflows/common/release.yml rename to .github/workflows/common-release.yml diff --git a/.github/workflows/java/build-gradle.yml b/.github/workflows/java-build-gradle.yml similarity index 100% rename from .github/workflows/java/build-gradle.yml rename to .github/workflows/java-build-gradle.yml diff --git a/.github/workflows/java/build-maven.yml b/.github/workflows/java-build-maven.yml similarity index 100% rename from .github/workflows/java/build-maven.yml rename to .github/workflows/java-build-maven.yml diff --git a/.github/workflows/java/lint.yml b/.github/workflows/java-lint.yml similarity index 100% rename from .github/workflows/java/lint.yml rename to .github/workflows/java-lint.yml diff --git a/.github/workflows/java/publish-to-gradle.yml b/.github/workflows/java-publish-to-gradle.yml similarity index 100% rename from .github/workflows/java/publish-to-gradle.yml rename to .github/workflows/java-publish-to-gradle.yml 
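Review bot: Declaring only `pull-requests: read` at workflow level sets every unlisted scope, including `contents`, to `none` for all jobs in common-check-semantic-pr.yml. The `semantic-pr` job body lies outside the hunk, so it is not visible whether any step checks out the repository or calls another API; such a step may fail with this token, notably in a private repository. A caller whose own token lacks `pull-requests: read` would presumably be rejected as well, so the contract is worth stating above the block: `# Only PR metadata is read; unlisted scopes (including contents) are none. Callers must grant pull-requests: read.`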
diff --git a/.github/workflows/java/publish-to-maven.yml b/.github/workflows/java-publish-to-maven.yml
similarity index 100%
rename from .github/workflows/java/publish-to-maven.yml
rename to .github/workflows/java-publish-to-maven.yml
diff --git a/.github/workflows/python/build-hatch.yml b/.github/workflows/python-build-hatch.yml
similarity index 100%
rename from .github/workflows/python/build-hatch.yml
rename to .github/workflows/python-build-hatch.yml
diff --git a/.github/workflows/python/build-poetry.yml b/.github/workflows/python-build-poetry.yml
similarity index 100%
rename from .github/workflows/python/build-poetry.yml
rename to .github/workflows/python-build-poetry.yml
diff --git a/.github/workflows/python/lint.yml b/.github/workflows/python-lint.yml
similarity index 100%
rename from .github/workflows/python/lint.yml
rename to .github/workflows/python-lint.yml
diff --git a/.github/workflows/python/publish-to-python-test.yml b/.github/workflows/python-publish-to-python-test.yml
similarity index 100%
rename from .github/workflows/python/publish-to-python-test.yml
rename to .github/workflows/python-publish-to-python-test.yml
diff --git a/.github/workflows/python/publish-to-python.yml b/.github/workflows/python-publish-to-python.yml
similarity index 100%
rename from .github/workflows/python/publish-to-python.yml
rename to .github/workflows/python-publish-to-python.yml
diff --git a/.github/workflows/typescript/build.yml b/.github/workflows/typescript-build.yml
similarity index 100%
rename from .github/workflows/typescript/build.yml
rename to .github/workflows/typescript-build.yml
diff --git a/.github/workflows/typescript/lint.yml b/.github/workflows/typescript-lint.yml
similarity index 100%
rename from .github/workflows/typescript/lint.yml
rename to .github/workflows/typescript-lint.yml
diff --git a/.github/workflows/typescript/publish-to-npm.yml b/.github/workflows/typescript-publish-to-npm.yml similarity index 100% rename from .github/workflows/typescript/publish-to-npm.yml rename to .github/workflows/typescript-publish-to-npm.yml diff --git a/.github/workflows/typescript/publish-to-vscode.yml b/.github/workflows/typescript-publish-to-vscode.yml similarity index 100% rename from .github/workflows/typescript/publish-to-vscode.yml rename to .github/workflows/typescript-publish-to-vscode.yml diff --git a/tests/common/check-release.yml b/tests/common/check-release.yml index a30347e..3f9e822 100644 --- a/tests/common/check-release.yml +++ b/tests/common/check-release.yml @@ -1,24 +1,24 @@ -name: Test — common/check-release +name: Test — common-check-release on: workflow_call: -# Happy-path tests for .github/workflows/common/check-release.yml. +# Happy-path tests for .github/workflows/common-check-release.yml. # Failure-path tests (invalid tag, wrong branch, not-a-tag) are exercised by # ci.yml via act with event fixtures in tests/common/check-release/*.json. jobs: valid-semver: - uses: ./.github/workflows/common/check-release.yml + uses: ./.github/workflows/common-check-release.yml with: version-format: semver valid-pep440: - uses: ./.github/workflows/common/check-release.yml + uses: ./.github/workflows/common-check-release.yml with: version-format: pep440 valid-maven: - uses: ./.github/workflows/common/check-release.yml + uses: ./.github/workflows/common-check-release.yml with: version-format: maven diff --git a/tests/common/publish-to-docker.yml b/tests/common/publish-to-docker.yml index 73ab1bf..2bd44e7 100644 --- a/tests/common/publish-to-docker.yml +++ b/tests/common/publish-to-docker.yml 
@@ -1,15 +1,15 @@ -name: Test — common/publish-to-docker +name: Test — common-publish-to-docker on: workflow_call: -# Tests for .github/workflows/common/publish-to-docker.yml +# Tests for .github/workflows/common-publish-to-docker.yml # Uses dry-run mode: builds the image but does not push. # Requires tests/_resources/fake-docker-context/Dockerfile. jobs: dry-run: - uses: ./.github/workflows/common/publish-to-docker.yml + uses: ./.github/workflows/common-publish-to-docker.yml with: version: "1.0.0" image-name: "reqstool-org/test-image" diff --git a/tests/common/publish-to-github-pages.yml b/tests/common/publish-to-github-pages.yml index 3ab626e..723cd85 100644 --- a/tests/common/publish-to-github-pages.yml +++ b/tests/common/publish-to-github-pages.yml @@ -1,15 +1,15 @@ -name: Test — common/publish-to-github-pages +name: Test — common-publish-to-github-pages on: workflow_call: -# Tests for .github/workflows/common/publish-to-github-pages.yml +# Tests for .github/workflows/common-publish-to-github-pages.yml # Requires docs/antora-playbook.yml and a configured GitHub Pages environment. # Validated by actionlint only in ci.yml (no act execution — requires Pages environment). jobs: publish: - uses: ./.github/workflows/common/publish-to-github-pages.yml + uses: ./.github/workflows/common-publish-to-github-pages.yml permissions: contents: read pages: write diff --git a/tests/common/release-preview.yml b/tests/common/release-preview.yml index 79be835..725d219 100644 --- a/tests/common/release-preview.yml +++ b/tests/common/release-preview.yml 
@@ -1,14 +1,14 @@ -name: Test — common/release-preview +name: Test — common-release-preview on: workflow_call: -# Tests for .github/workflows/common/release-preview.yml +# Tests for .github/workflows/common-release-preview.yml # The workflow is read-only, so we just confirm it completes successfully. jobs: preview: - uses: ./.github/workflows/common/release-preview.yml + uses: ./.github/workflows/common-release-preview.yml with: version-command: "" permissions: diff --git a/tests/common/release.yml b/tests/common/release.yml index 0ca87fd..196120a 100644 --- a/tests/common/release.yml +++ b/tests/common/release.yml @@ -1,15 +1,15 @@ -name: Test — common/release +name: Test — common-release on: workflow_call: -# Dry-run tests for .github/workflows/common/release.yml. +# Dry-run tests for .github/workflows/common-release.yml. # No tag is pushed and no draft release is created. # Failure-path tests (invalid version format) are exercised by ci.yml via act. jobs: dry-run-semver: - uses: ./.github/workflows/common/release.yml + uses: ./.github/workflows/common-release.yml with: version: "1.2.3" version-format: semver @@ -18,7 +18,7 @@ jobs: contents: write dry-run-pep440: - uses: ./.github/workflows/common/release.yml + uses: ./.github/workflows/common-release.yml with: version: "1.2.3rc1" version-format: pep440 @@ -27,7 +27,7 @@ jobs: contents: write dry-run-maven: - uses: ./.github/workflows/common/release.yml + uses: ./.github/workflows/common-release.yml with: version: "1.2.3" version-format: maven diff --git a/tests/java/build-gradle.yml b/tests/java/build-gradle.yml index fb32563..f987c66 100644 --- a/tests/java/build-gradle.yml +++ b/tests/java/build-gradle.yml 
@@ -1,13 +1,13 @@ -name: Test — java/build-gradle +name: Test — java-build-gradle on: workflow_call: -# Tests for .github/workflows/java/build-gradle.yml +# Tests for .github/workflows/java-build-gradle.yml # Requires build.gradle — validated by actionlint only in ci.yml (no act execution). jobs: build: - uses: ./.github/workflows/java/build-gradle.yml + uses: ./.github/workflows/java-build-gradle.yml with: java-version: "21" diff --git a/tests/java/build-maven.yml b/tests/java/build-maven.yml index 8adc0d5..1420ab3 100644 --- a/tests/java/build-maven.yml +++ b/tests/java/build-maven.yml @@ -1,13 +1,13 @@ -name: Test — java/build-maven +name: Test — java-build-maven on: workflow_call: -# Tests for .github/workflows/java/build-maven.yml +# Tests for .github/workflows/java-build-maven.yml # Requires a pom.xml — validated by actionlint only in ci.yml (no act execution). jobs: build: - uses: ./.github/workflows/java/build-maven.yml + uses: ./.github/workflows/java-build-maven.yml with: java-version: "21" diff --git a/tests/java/lint.yml b/tests/java/lint.yml index d391723..095eed9 100644 --- a/tests/java/lint.yml +++ b/tests/java/lint.yml @@ -1,14 +1,14 @@ -name: Test — java/lint +name: Test — java-lint on: workflow_call: -# Tests for .github/workflows/java/lint.yml +# Tests for .github/workflows/java-lint.yml # Requires a pom.xml in the calling repo — exercised via act in repos that have one. # In ci.yml this test is validated by actionlint only (no act execution). jobs: lint: - uses: ./.github/workflows/java/lint.yml + uses: ./.github/workflows/java-lint.yml with: java-version: "21" diff --git a/tests/java/publish-to-gradle.yml b/tests/java/publish-to-gradle.yml index dc97dfe..3dca40f 100644 --- a/tests/java/publish-to-gradle.yml +++ b/tests/java/publish-to-gradle.yml 
@@ -1,21 +1,21 @@ -name: Test — java/publish-to-gradle +name: Test — java-publish-to-gradle on: workflow_call: -# Tests for .github/workflows/java/publish-to-gradle.yml +# Tests for .github/workflows/java-publish-to-gradle.yml # Dry-run executes ./gradlew build -x test (no publish task, no credentials). # Requires a build.gradle / build.gradle.kts in the calling repo. jobs: dry-run-portal: - uses: ./.github/workflows/java/publish-to-gradle.yml + uses: ./.github/workflows/java-publish-to-gradle.yml with: target: portal dry-run: true dry-run-central: - uses: ./.github/workflows/java/publish-to-gradle.yml + uses: ./.github/workflows/java-publish-to-gradle.yml with: target: central dry-run: true diff --git a/tests/java/publish-to-maven.yml b/tests/java/publish-to-maven.yml index 15bf6c1..cdaecfa 100644 --- a/tests/java/publish-to-maven.yml +++ b/tests/java/publish-to-maven.yml @@ -1,16 +1,16 @@ -name: Test — java/publish-to-maven +name: Test — java-publish-to-maven on: workflow_call: -# Tests for .github/workflows/java/publish-to-maven.yml +# Tests for .github/workflows/java-publish-to-maven.yml # Dry-run executes mvn package -DskipTests (no deploy, no GPG, no credentials). # Requires a pom.xml in the calling repo — callers that invoke this test # must have a Maven project at the repo root. jobs: dry-run: - uses: ./.github/workflows/java/publish-to-maven.yml + uses: ./.github/workflows/java-publish-to-maven.yml with: dry-run: true permissions: diff --git a/tests/python/build-hatch.yml b/tests/python/build-hatch.yml index dbc3579..4283750 100644 --- a/tests/python/build-hatch.yml +++ b/tests/python/build-hatch.yml 
@@ -1,13 +1,13 @@ -name: Test — python/build-hatch +name: Test — python-build-hatch on: workflow_call: -# Tests for .github/workflows/python/build-hatch.yml +# Tests for .github/workflows/python-build-hatch.yml # Requires pyproject.toml + src/ — validated by actionlint only in ci.yml. jobs: build: - uses: ./.github/workflows/python/build-hatch.yml + uses: ./.github/workflows/python-build-hatch.yml with: coverage-source: "" diff --git a/tests/python/build-poetry.yml b/tests/python/build-poetry.yml index 665baf3..1babba9 100644 --- a/tests/python/build-poetry.yml +++ b/tests/python/build-poetry.yml @@ -1,14 +1,14 @@ -name: Test — python/build-poetry +name: Test — python-build-poetry on: workflow_call: -# Tests for .github/workflows/python/build-poetry.yml +# Tests for .github/workflows/python-build-poetry.yml # Requires pyproject.toml configured for Poetry — validated by actionlint only in ci.yml. jobs: build: - uses: ./.github/workflows/python/build-poetry.yml + uses: ./.github/workflows/python-build-poetry.yml with: coverage-source: "" install-self-as-plugin: false diff --git a/tests/python/lint.yml b/tests/python/lint.yml index 8c329e2..104a1b1 100644 --- a/tests/python/lint.yml +++ b/tests/python/lint.yml @@ -1,18 +1,18 @@ -name: Test — python/lint +name: Test — python-lint on: workflow_call: -# Tests for .github/workflows/python/lint.yml +# Tests for .github/workflows/python-lint.yml # Requires src/ and tests/ directories with Python source — validated by actionlint only. jobs: lint-hatch: - uses: ./.github/workflows/python/lint.yml + uses: ./.github/workflows/python-lint.yml with: package-manager: hatch lint-poetry: - uses: ./.github/workflows/python/lint.yml + uses: ./.github/workflows/python-lint.yml with: package-manager: poetry diff --git a/tests/python/publish-to-python-test.yml b/tests/python/publish-to-python-test.yml index b56d143..fbd7d54 100644 --- a/tests/python/publish-to-python-test.yml +++ b/tests/python/publish-to-python-test.yml 
@@ -1,14 +1,14 @@ -name: Test — python/publish-to-python-test +name: Test — python-publish-to-python-test on: workflow_call: -# Tests for .github/workflows/python/publish-to-python-test.yml +# Tests for .github/workflows/python-publish-to-python-test.yml # Uses dry-run mode (twine check) with fake dist artifacts from tests/_resources/fake-python-dist/. jobs: dry-run: - uses: ./.github/workflows/python/publish-to-python-test.yml + uses: ./.github/workflows/python-publish-to-python-test.yml with: dry-run: true permissions: diff --git a/tests/python/publish-to-python.yml b/tests/python/publish-to-python.yml index 05941c0..56d3f01 100644 --- a/tests/python/publish-to-python.yml +++ b/tests/python/publish-to-python.yml @@ -1,14 +1,14 @@ -name: Test — python/publish-to-python +name: Test — python-publish-to-python on: workflow_call: -# Tests for .github/workflows/python/publish-to-python.yml +# Tests for .github/workflows/python-publish-to-python.yml # Uses dry-run mode (twine check) with fake dist artifacts from tests/_resources/fake-python-dist/. jobs: dry-run: - uses: ./.github/workflows/python/publish-to-python.yml + uses: ./.github/workflows/python-publish-to-python.yml with: dry-run: true permissions: diff --git a/tests/typescript/build.yml b/tests/typescript/build.yml index c117d2a..9c759ad 100644 --- a/tests/typescript/build.yml +++ b/tests/typescript/build.yml @@ -1,14 +1,14 @@ -name: Test — typescript/build +name: Test — typescript-build on: workflow_call: -# Tests for .github/workflows/typescript/build.yml +# Tests for .github/workflows/typescript-build.yml # No xvfb, no dependency install — validates the standard npm build path. # Requires npm run test and npm run build scripts — validated by actionlint only in ci.yml. jobs: build: - uses: ./.github/workflows/typescript/build.yml + uses: ./.github/workflows/typescript-build.yml with: use-xvfb: false diff --git a/tests/typescript/lint.yml b/tests/typescript/lint.yml index d29c887..8240bf6 100644 
--- a/tests/typescript/lint.yml +++ b/tests/typescript/lint.yml @@ -1,14 +1,14 @@ -name: Test — typescript/lint +name: Test — typescript-lint on: workflow_call: -# Tests for .github/workflows/typescript/lint.yml +# Tests for .github/workflows/typescript-lint.yml # Uses tests/_resources/fake-npm-package which has a minimal package.json. # Requires npm run lint and npm run format scripts — validated by actionlint only in ci.yml. jobs: lint: - uses: ./.github/workflows/typescript/lint.yml + uses: ./.github/workflows/typescript-lint.yml with: node-version: "24" diff --git a/tests/typescript/publish-to-npm.yml b/tests/typescript/publish-to-npm.yml index 6d79e0a..13947f7 100644 --- a/tests/typescript/publish-to-npm.yml +++ b/tests/typescript/publish-to-npm.yml @@ -1,15 +1,15 @@ -name: Test — typescript/publish-to-npm +name: Test — typescript-publish-to-npm on: workflow_call: -# Tests for .github/workflows/typescript/publish-to-npm.yml +# Tests for .github/workflows/typescript-publish-to-npm.yml # Dry-run executes npm publish --dry-run (no registry upload, no NPM_TOKEN needed). # Requires a package.json + npm run build in tests/_resources/fake-npm-package/. jobs: dry-run: - uses: ./.github/workflows/typescript/publish-to-npm.yml + uses: ./.github/workflows/typescript-publish-to-npm.yml with: dry-run: true scope: "@reqstool" diff --git a/tests/typescript/publish-to-vscode.yml b/tests/typescript/publish-to-vscode.yml index 0789341..f1b3ff5 100644 --- a/tests/typescript/publish-to-vscode.yml +++ b/tests/typescript/publish-to-vscode.yml 
@@ -1,15 +1,15 @@ -name: Test — typescript/publish-to-vscode +name: Test — typescript-publish-to-vscode on: workflow_call: -# Tests for .github/workflows/typescript/publish-to-vscode.yml +# Tests for .github/workflows/typescript-publish-to-vscode.yml # Dry-run uses HaaLeo dryRun: true (no registry upload, OPEN_VSX_TOKEN not required). # Requires an npm project with a vsce build script in the calling repo. jobs: dry-run: - uses: ./.github/workflows/typescript/publish-to-vscode.yml + uses: ./.github/workflows/typescript-publish-to-vscode.yml with: dry-run: true permissions: