diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 56a80afd..1190d301 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -27,7 +27,7 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false fetch-depth: 0 # Fetches all history and tags @@ -181,7 +181,7 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false fetch-depth: 0 # Fetches all history and tags diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1a43091a..3d944255 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,4 +1,4 @@ -name: CI & Release Orchestration +name: CI on: push: @@ -36,3 +36,13 @@ jobs: permissions: contents: read security-events: write + + test: + uses: ./.github/workflows/test.yml + permissions: + contents: read + + docs: + uses: ./.github/workflows/docs.yml + permissions: + contents: read diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 53c47c5f..d008353e 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -33,14 +33,6 @@ jobs: name: Analyze runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - language: [ 'python' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] - # Learn more... - # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection - steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 
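Review bot: The checkout pin stays at 8e8c483db84b4bee98b60c0593521ed34d9990e8 while only its trailing comment moves from v5.0.0 to v6.0.1, so this hunk relabels the pin rather than updating it; the same relabel-without-SHA-change appears in every other checkout hunk of this diff (build.yml's second hunk, codeql-analysis.yml, dependency-review.yml, devcontainer.yml, docs.yml, python-publish.yml, release.yml, run.yml, scorecard.yml, test.yml and action.yml). On the old side the identical SHA is annotated v4.2.2 in scorecard.yml, v4.3.0 in dependency-review.yml and v5.0.0 elsewhere, which shows the labels had already drifted from the commit they describe; pin-update tooling reads that comment to decide which version is installed, so a wrong label hides a stale pin. Please confirm which tag the SHA actually resolves to and either keep the comment at that version or move the SHA together with the comment, e.g. `- uses: actions/checkout@<sha-of-v6.0.1> # v6.0.1`.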
@@ -48,33 +40,12 @@ jobs: egress-policy: audit - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@17783bfb99b07f70fae080b654aed0c514057477 # v3.30.7 with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@17783bfb99b07f70fae080b654aed0c514057477 # v3.30.7 - - # â„šī¸ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl - - # âœī¸ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language - - #- run: | - # make bootstrap - # make release + languages: python - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@17783bfb99b07f70fae080b654aed0c514057477 # v3.30.7 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index e4fe8302..83c9c121 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
@@ -22,6 +22,6 @@ jobs: egress-policy: audit - name: 'Checkout Repository' - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.3.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: 'Dependency Review' uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2 diff --git a/.github/workflows/devcontainer.yml b/.github/workflows/devcontainer.yml index b02bef1c..1355b186 100644 --- a/.github/workflows/devcontainer.yml +++ b/.github/workflows/devcontainer.yml @@ -21,7 +21,7 @@ jobs: egress-policy: audit - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Cache Docker layers uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index d762166a..2438249b 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -1,12 +1,14 @@ name: "Docs" + on: -- pull_request + workflow_call: permissions: contents: read jobs: docs: + name: Documentation runs-on: ubuntu-latest steps: - name: Harden the runner (Audit all outbound calls) @@ -14,7 +16,7 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Install Python uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 
@@ -22,10 +24,42 @@ jobs: python-version: '3.13' - name: Install documentation requirements - run: "pip install .[docs] && pip install sphinx_design" + run: | + pip install .[docs] + pip install sphinx_design - name: Build docs run: "make -C doc html" - - name: Build landing-page - run: "make -C doc/landing-page html" + landing-page: + name: Landing page + runs-on: ubuntu-latest + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + + - name: Setup Python + uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + with: + python-version: "3.13" + + - name: Install dependencies + run: | + pip install .[docs] + pip install sphinx_design + + - name: Build landing-page + run: "make -C doc/landing-page html" + + - name: Publish + if: github.ref == 'refs/heads/main' + uses: tsunematsu21/actions-publish-gh-pages@c04b531c52b8f9d25c596bc6e6a7ddc116b2f3f8 # v1.0.2 + with: + dir: doc/landing-page/_build/html + repo: dfetch-org/dfetch-org.github.io + branch: main + token: ${{ secrets.GH_DFETCH_ORG_DEPLOY }} diff --git a/.github/workflows/landing-page.yml b/.github/workflows/landing-page.yml deleted file mode 100644 index ea56d26c..00000000 --- a/.github/workflows/landing-page.yml +++ /dev/null 
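Review bot: The new `Publish` step reads `${{ secrets.GH_DFETCH_ORG_DEPLOY }}`, but docs.yml now runs only through `workflow_call:` (first hunk of this file) and the `docs:` job added in ci.yml's hunk passes no `secrets:`, so the token will most likely expand to an empty string when the step runs on main. Declare the secret in the reusable workflow under `workflow_call:` with `secrets:` / `GH_DFETCH_ORG_DEPLOY:` / `required: true`, and pass it explicitly from ci.yml with `secrets:` / `GH_DFETCH_ORG_DEPLOY: ${{ secrets.GH_DFETCH_ORG_DEPLOY }}`, rather than `secrets: inherit`, so the deploy credential is not handed to the `docs` job, the `test` call or any other caller that does not need it. Note also that `if: github.ref == 'refs/heads/main'` is evaluated against the calling workflow's ref, so whether publishing ever fires depends on ci.yml's triggers, which are only partly visible here.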
@@ -1,43 +0,0 @@ -name: Landing-page - -on: - push: - branches: - - main - - feature/simplify-landing-page - -permissions: - contents: read - -jobs: - publish: - runs-on: ubuntu-latest - steps: - - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 - with: - egress-policy: audit - - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 - - - name: Setup Python - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 - with: - python-version: "3.13" - - - name: Install dependencies - run: | - pip install .[docs] - pip install sphinx_design - - - name: Build landing-page - run: | - cd doc/landing-page - make html - - name: Publish - uses: tsunematsu21/actions-publish-gh-pages@c04b531c52b8f9d25c596bc6e6a7ddc116b2f3f8 # v1.0.2 - with: - dir: doc/landing-page/_build/html - repo: dfetch-org/dfetch-org.github.io - branch: main - token: ${{ secrets.GH_DFETCH_ORG_DEPLOY }} diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 8c19f27a..511b11ad 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -25,7 +25,7 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false fetch-depth: 0 # Fetches all history and tags diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4b922896..4278b944 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -24,7 +24,7 @@ jobs: - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: egress-policy: audit - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: '3.13' diff --git a/.github/workflows/run.yml b/.github/workflows/run.yml index ca4ce67d..93fc7959 100644 --- a/.github/workflows/run.yml +++ b/.github/workflows/run.yml @@ -20,7 +20,7 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - uses: cygwin/cygwin-install-action@7d2dc1e241644c3318bed9ec74115d1929baa681 # master @@ -73,7 +73,7 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Setup Python uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 25155494..40bf550e 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -1,7 +1,3 @@ -# This workflow uses actions that are not certified by GitHub. They are provided -# by a third-party and are governed by separate terms of service, privacy -# policy, and support documentation. - name: Scorecard supply-chain security on: # For Branch-Protection check. Only the default branch is supported. See @@ -28,9 +24,6 @@ jobs: security-events: write # Needed to publish results and get a badge (see publish_results below). id-token: write - # Uncomment the permissions below if installing in a private repository. - # contents: read - # actions: read steps: - name: Harden the runner (Audit all outbound calls) 
@@ -39,7 +32,7 @@ jobs: egress-policy: audit - name: "Checkout code" - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.2.2 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false @@ -48,26 +41,8 @@ jobs: with: results_file: results.sarif results_format: sarif - # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: - # - you want to enable the Branch-Protection check on a *public* repository, or - # - you are installing Scorecard on a *private* repository - # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. - # repo_token: ${{ secrets.SCORECARD_TOKEN }} - - # Public repositories: - # - Publish results to OpenSSF REST API for easy access by consumers - # - Allows the repository to include the Scorecard badge. - # - See https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories: - # - `publish_results` will always be set to `false`, regardless - # of the value entered here. publish_results: true - # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore - # file_mode: git - - # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF - # format to the repository Actions tab. - name: "Upload artifact" uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: @@ -75,8 +50,6 @@ jobs: path: results.sarif retention-days: 5 - # Upload the results to GitHub's code scanning dashboard (optional). - # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@17783bfb99b07f70fae080b654aed0c514057477 # v3.30.7 with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 51bf8dfb..5fff9f5c 100644 --- a/.github/workflows/test.yml 
+++ b/.github/workflows/test.yml @@ -1,11 +1,7 @@ name: Test on: - push: - branches: - - main - pull_request: - types: [opened, synchronize, reopened] + workflow_call: permissions: contents: read @@ -19,7 +15,7 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Setup Python uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 diff --git a/action.yml b/action.yml index 8dcf3f8b..0498283e 100644 --- a/action.yml +++ b/action.yml @@ -20,7 +20,7 @@ runs: using: 'composite' steps: - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Setup Python uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: