diff --git a/template/.github/workflows/update-from-template.yml b/template/.github/workflows/update-from-template.yml
new file mode 100644
index 0000000..58b216f
--- /dev/null
+++ b/template/.github/workflows/update-from-template.yml
@@ -0,0 +1,55 @@
+name: Update from template
+
+on:
+ workflow_dispatch:
+ schedule:
+ # Every day at 3:30 at night.
+ - cron: '30 3 * * *'
+
+# Limit token permissions for security
+permissions: read-all
+
+jobs:
+ update-from-template:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
+ - name: Check out repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Install Python
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+ with:
+ python-version: "3.13"
+
+ - name: Install dependencies
+ run: |
+ sudo apt install pipx
+ pipx ensurepath
+ pipx install uv rust-just copier
+
+ - name: Set User
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+ - name: Pull request with updates from template
+ run: |
+ copier update --trust --defaults --overwrite
+ any_changes=$(git status --porcelain=v1 2>/dev/null | wc -l)
+ if [ "$any_changes" -eq 0 ]; then
+ echo "No updates from the template detected, and no changes found. Stopping and exiting."
+ exit 0
+ fi
+ git checkout -b chore/update-from-template
+ git add .
+ git commit -m "chore(sync): :hammer: update changes from template"
+ gh pr create \
+ --title "chore(sync): :hammer: update changes from template" \
+ --body "This PR is automatically generated by the 'update-from-template' workflow. It syncs the latest changes from the template repository with this repository."
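Review bot: `copier update --trust` in the last step lets the template's tasks and migrations run as this job, on this repository's checkout and with its credentials, so whichever template source the repo's copier answers file points at effectively has code execution in this CI; the template should be pinned to a tag or commit (copier records `_commit` in its answers file) and the flag deserves a comment such as `# --trust: template tasks/migrations execute in this job; template source must be pinned and reviewed before bumping`. The `gh pr create` call also looks under-provisioned: no `GH_TOKEN` is exported on the step, the branch is not pushed explicitly (gh may push it, but only with a token that can write contents), and the job grants only `pull-requests: write`, so I would expect the step to fail before a PR is opened — adding `env: GH_TOKEN: ${{ github.token }}` to the step, `contents: write` under the job's `permissions`, and `git push -u origin chore/update-from-template` before `gh pr create` would address it. PRs opened with the default workflow token do not trigger other workflows, so the sync PR will not get CI unless an app token or PAT is used instead. Separately, `pipx install uv rust-just copier` pulls unpinned versions from PyPI on every scheduled run while harden-runner is only in `audit`, which is worth tightening once the egress list is known.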