Merge pull request #65 from Homebrew/sync-shared-config

Author: p-linnane

.github/codeql/extensions/homebrew-actions.yml

@@ -0,0 +1,7 @@
+# This file is synced from the `.github` repository, do not modify it directly.
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: trustedActionsOwnerDataModel
+    data:
+      - ["Homebrew"]

.github/dependabot.yml

@@ -1,18 +1,23 @@
+# This file is synced from the `.github` repository, do not modify it directly.
+---
 version: 2
-
-updates:
-  - package-ecosystem: github-actions
-    directory: /
+multi-ecosystem-groups:
+  all:
     schedule:
-      interval: daily
-    allow:
-      - dependency-type: all
-    groups:
-      artifacts:
-        patterns:
-          - actions/*-artifact
+      interval: weekly
+      day: friday
+      time: '08:00'
+      timezone: Etc/UTC
+updates:
+- package-ecosystem: github-actions
+  directory: "/"
+  multi-ecosystem-group: all
+  patterns:
+  - "*"
+  allow:
+  - dependency-type: all
+  cooldown:
+    default-days: 1
+    include:
+    - "*"
 
-  - package-ecosystem: terraform
-    directory: /
-    schedule:
-      interval: daily

.github/workflows/actionlint.yml

@@ -1,14 +1,12 @@
-name: actionlint
+# This file is synced from the `.github` repository, do not modify it directly.
+name: Actionlint
 
 on:
   push:
     branches:
       - main
-    paths:
-      - '.github/workflows/*.ya?ml'
+      - master
   pull_request:
-    paths:
-      - '.github/workflows/*.ya?ml'
 
 defaults:
   run:
@@ -25,15 +23,18 @@ env:
 
 permissions: {}
 
-# FIXME: The `Install tools` step fails inside the Docker container for some reason.
 jobs:
   workflow_syntax:
     if: github.repository_owner == 'Homebrew'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    container:
+      image: ghcr.io/homebrew/ubuntu22.04:main
     steps:
       - name: Set up Homebrew
         id: setup-homebrew
-        uses: Homebrew/actions/setup-homebrew@master
+        uses: Homebrew/actions/setup-homebrew@main
         with:
           core: false
           cask: false
@@ -47,26 +48,39 @@ jobs:
           persist-credentials: false
 
       - run: zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Upload SARIF file
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        # We can't use the SARIF file when triggered by `merge_group` so we don't upload it.
+        if: always() && github.event_name != 'merge_group'
         with:
           name: results.sarif
           path: results.sarif
 
       - name: Set up actionlint
         run: |
-          # Setting `shell: /bin/bash` prevents shellcheck from running on
-          # those steps, so let's change them to `shell: bash` for linting.
+          # In homebrew-core, setting `shell: /bin/bash` prevents shellcheck from running on
+          # those steps, so let's change them to `shell: bash` temporarily for better linting.
           sed -i 's|shell: /bin/bash -x|shell: bash -x|' .github/workflows/*.y*ml
-          # The JSON matcher needs to be accessible to the container host.
+
+          # In homebrew-core, the JSON matcher needs to be accessible to the container host.
           cp "$(brew --repository)/.github/actionlint-matcher.json" "$HOME"
+
           echo "::add-matcher::$HOME/actionlint-matcher.json"
 
       - run: actionlint
 
   upload_sarif:
     needs: workflow_syntax
+    # We want to always upload this even if `actionlint` failed.
+    # This is only available on public repositories.
+    if: >
+      always() &&
+      !contains(fromJSON('["cancelled", "skipped"]'), needs.workflow_syntax.result) &&
+      !github.event.repository.private &&
+      github.event_name != 'merge_group'
     runs-on: ubuntu-latest
     permissions:
       contents: read

.github/workflows/stale-issues.yml

@@ -0,0 +1,82 @@
+# This file is synced from the `.github` repository, do not modify it directly.
+name: Manage stale issues
+
+on:
+  push:
+    paths:
+      - .github/workflows/stale-issues.yml
+    branches-ignore:
+      - dependabot/**
+  schedule:
+    # Once every day at midnight UTC
+    - cron: "0 0 * * *"
+  issue_comment:
+
+permissions: {}
+
+defaults:
+  run:
+    shell: bash -xeuo pipefail {0}
+
+concurrency:
+  group: stale-issues
+  cancel-in-progress: ${{ github.event_name != 'issue_comment' }}
+
+jobs:
+  stale:
+    if: >
+      github.repository_owner == 'Homebrew' && (
+        github.event_name != 'issue_comment' || (
+          contains(github.event.issue.labels.*.name, 'stale') ||
+          contains(github.event.pull_request.labels.*.name, 'stale')
+        )
+      )
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
+    steps:
+      - name: Mark/Close Stale Issues and Pull Requests
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          days-before-stale: 21
+          days-before-close: 7
+          stale-issue-message: >
+            This issue has been automatically marked as stale because it has not had
+            recent activity. It will be closed if no further activity occurs.
+          stale-pr-message: >
+            This pull request has been automatically marked as stale because it has not had
+            recent activity. It will be closed if no further activity occurs.
+          exempt-issue-labels: "gsoc-outreachy,help wanted,in progress"
+          exempt-pr-labels: "gsoc-outreachy,help wanted,in progress"
+          delete-branch: true
+
+  bump-pr-stale:
+    if: >
+      github.repository_owner == 'Homebrew' && (
+        github.event_name != 'issue_comment' || (
+          contains(github.event.issue.labels.*.name, 'stale') ||
+          contains(github.event.pull_request.labels.*.name, 'stale')
+        )
+      )
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
+    steps:
+      - name: Mark/Close Stale `bump-formula-pr` and `bump-cask-pr` Pull Requests
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          days-before-stale: 2
+          days-before-close: 1
+          stale-pr-message: >
+            This pull request has been automatically marked as stale because it has not had
+            recent activity. It will be closed if no further activity occurs. To keep this
+            pull request open, add a `help wanted` or `in progress` label.
+          exempt-pr-labels: "help wanted,in progress"
+          any-of-labels: "bump-formula-pr,bump-cask-pr"
+          delete-branch: true

.github/zizmor.yml

@@ -0,0 +1,6 @@
+# This file is synced from the `.github` repository, do not modify it directly.
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        Homebrew/actions/*: ref-pin