main to dev reverse sync

.github/workflows/block-failed-signatures.yml

@@ -7,6 +7,10 @@ on:
       - unlabeled
       - review_requested
 
+permissions:
+  pull-requests: read
+  contents: read
+
 jobs:
   check-label:
     runs-on: ubuntu-latest

.github/workflows/deploy-docs.yml

@@ -5,6 +5,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: write
+
 jobs:
   deploy:
     runs-on: ubuntu-latest

.github/workflows/read-sources.yml

@@ -4,6 +4,11 @@ on:
   workflow_dispatch:
   schedule:
     - cron: '0 17 * * *'
+
+permissions:
+  contents: write  # Allows committing & pushing changes to repo
+  pull-requests: write  # Allows creating PRs via `gh pr create`
+
 jobs:
   readsources:
     runs-on: ubuntu-latest

.github/workflows/signature-test.yml

@@ -4,6 +4,10 @@ on:
   pull_request:
     types: [opened, synchronize, reopened]
 
+permissions:
+  pull-requests: write
+  contents: read
+
 jobs:
   signature-test:
     runs-on: ubuntu-latest
@@ -21,56 +25,55 @@ jobs:
           poetry install
 
       - name: Check for specific string in PR title and creator
-        id: check_conditions
         run: |
-          pr_title="${{ github.event.pull_request.title }}"
+          pr_title=$(printf '%q' "${{ github.event.pull_request.title }}")
           pr_creator="${{ github.event.pull_request.user.login }}"
           echo "Pull Request title: $pr_title" > signaturetest.log
           echo "Pull Request creator: $pr_creator" >> signaturetest.log
           if [[ "$pr_title" == "[SignatureBot]"* ]]; then
-            echo "::set-output name=is_new_signature_pr::true"
+            echo "IS_NEW_SIGNATURE_PR=true" >> "$GITHUB_ENV"
             echo "PR $pr_title Qualified" >> signaturetest.log
           else
-            echo "::set-output name=is_new_signature_pr::false"
+            echo "IS_NEW_SIGNATURE_PR=false" >> "$GITHUB_ENV"
             echo "PR $pr_title NOT Qualified" >> signaturetest.log
           fi
         env:
           GH_TOKEN: ${{ secrets.DNSBOT_TOKEN }}
 
       - name: Run signature test
-        if: steps.check_conditions.outputs.is_new_signature_pr == 'true'
-        id: signature_test
+        if: env.IS_NEW_SIGNATURE_PR == 'true'
         run: |
           PR_NUMBER=${{ github.event.pull_request.number }}
-          FILE=$(gh pr diff $PR_NUMBER --name-only | grep -v "signature_history.txt")
+          FILE=$(gh pr diff "$PR_NUMBER" --name-only | grep -v "signature_history.txt" || true)
+
+          if [[ -z "$FILE" ]]; then
+            echo "No valid files to process." >> signaturetest.log
+            exit 1
+          fi
+
           echo "Running signature test against: $FILE" >> signaturetest.log
-          OUTPUT=$(poetry run python3 baddns/scripts/signaturetest.py $FILE)
+          OUTPUT=$(poetry run python3 baddns/scripts/signaturetest.py "$FILE" | jq .)
           echo "$OUTPUT" > output.json
           echo "Run finished with this output: $OUTPUT" >> signaturetest.log
-          echo "::set-output name=result::$OUTPUT"
-          SIGNATURE_PASS=$(echo "$OUTPUT" | jq -r '.signature_pass')
+          echo "SIGNATURE_TEST_RESULT=$OUTPUT" >> "$GITHUB_ENV"
 
-          if [ "$SIGNATURE_PASS" == "true" ]
-          then
-            echo "Signature test passed, adding 'tests-passed' label to PR..." >> signaturetest.log
-            gh pr edit $PR_NUMBER --remove-label "tests-failed"
-            gh pr edit $PR_NUMBER --add-label "tests-passed"
+          SIGNATURE_PASS=$(echo "$OUTPUT" | jq -r '.signature_pass')
 
+          if [[ "$SIGNATURE_PASS" == "true" ]]; then
+            gh pr edit "$PR_NUMBER" --remove-label "tests-failed" --add-label "tests-passed"
           else
-            echo "Signature test failed, adding 'tests-failed' label to PR..." >> signaturetest.log
-            gh pr edit $PR_NUMBER --remove-label "tests-passed"
-            gh pr edit $PR_NUMBER --add-label "tests-failed"
+            gh pr edit "$PR_NUMBER" --remove-label "tests-passed" --add-label "tests-failed"
           fi
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Post result comment
-        if: always() && steps.check_conditions.outputs.is_new_signature_pr == 'true'
+        if: always() && env.IS_NEW_SIGNATURE_PR == 'true'
         run: |
           output=$(cat output.json)
-          signature_pass=$(echo $output | jq -r '.signature_pass')
-          match_table=$(echo $output | jq -r '.match_table')
-          error=$(echo $output | jq -r '.error')
+          signature_pass=$(echo "$output" | jq -r '.signature_pass')
+          match_table=$(echo "$output" | jq -r '.match_table')
+          error=$(echo "$output" | jq -r '.error')
 
           if [[ "$signature_pass" == "true" ]]; then
             emoji=":heavy_check_mark:"
@@ -93,14 +96,12 @@ jobs:
           if [[ "$signature_pass" == "false" ]]; then
               comment+="
               Error: **$error**"
-
           fi
           echo "Attempting to add comment to PR..." >> signaturetest.log
           gh pr comment "${{ github.event.pull_request.number }}" --body "$comment"
         env:
           GH_TOKEN: ${{ secrets.DNSBOT_TOKEN }}
 
-
       - name: Upload Signature Test Log
         uses: actions/upload-artifact@v4
         if: always()

.github/workflows/tests.yaml

@@ -6,6 +6,10 @@ on:
       - dev
   pull_request:
 
+permissions:
+  contents: read
+  pull-requests: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true