ci: improve integrated workflows

Author: tboerger

.github/semantic.yml

@@ -19,5 +19,6 @@ types:
   - major
   - minor
   - patch
+  - deps
 
 ...

.github/settings.yml

@@ -11,8 +11,8 @@ repository:
 
   default_branch: master
 
+  allow_merge_commit: false
   allow_squash_merge: true
-  allow_merge_commit: true
   allow_rebase_merge: true
 
   allow_update_branch: true
@@ -21,24 +21,77 @@ repository:
   enable_automated_security_fixes: true
   enable_vulnerability_alerts: true
 
-branches:
-  - name: master
-    protection:
-      required_pull_request_reviews: null
-      required_status_checks:
-        strict: true
-        contexts:
-          - docker
-      enforce_admins: false
-      restrictions:
-        apps:
-          - toolhippie
-          - renovate
-        users: []
-        teams:
-          - admins
-          - bots
-          - members
+rulesets:
+  - name: prevent destruction
+    target: branch
+    enforcement: active
+    conditions:
+      ref_name:
+        include:
+          - "~DEFAULT_BRANCH"
+        exclude: []
+    rules:
+      - type: required_linear_history
+      - type: deletion
+      - type: non_fast_forward
+
+  - name: check verification
+    target: branch
+    enforcement: active
+    conditions:
+      ref_name:
+        include:
+          - "~DEFAULT_BRANCH"
+        exclude: []
+    rules:
+      - type: required_status_checks
+        parameters:
+          strict_required_status_checks_policy: true
+          required_status_checks:
+            - context: Semantic PR
+              integration_id: 198092
+            - context: docker
+              integration_id: 15368
+    bypass_actors:
+      - actor_id: 1
+        actor_type: OrganizationAdmin
+        bypass_mode: always
+      - actor_id: 951647  # app
+        actor_type: Integration
+        bypass_mode: always
+      - actor_id: 6276810  # bots
+        actor_type: Team
+        bypass_mode: always
+
+  - name: require reviewing
+    target: branch
+    enforcement: active
+    conditions:
+      ref_name:
+        include:
+          - "~DEFAULT_BRANCH"
+        exclude: []
+    rules:
+      - type: pull_request
+        parameters:
+          allowed_merge_methods:
+            - squash
+            - rebase
+          dismiss_stale_reviews_on_push: false
+          require_code_owner_review: false
+          require_last_push_approval: false
+          required_approving_review_count: 0
+          required_review_thread_resolution: false
+    bypass_actors:
+      - actor_id: 1
+        actor_type: OrganizationAdmin
+        bypass_mode: always
+      - actor_id: 951647  # app
+        actor_type: Integration
+        bypass_mode: always
+      - actor_id: 6276810  # bots
+        actor_type: Team
+        bypass_mode: always
 
 teams:
   - name: admins

.github/workflows/automerge.yml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
 name: automerge
 
 "on":

.github/workflows/docker.yml

@@ -12,17 +12,19 @@ name: docker
   schedule:
     - cron: 0 8 * * 1
 
+permissions:
+  contents: write
+  packages: write
+
 jobs:
   docker:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout source
-        id: source
         uses: actions/checkout@v5
 
       - name: Detect version
-        id: version
         run: |
           VER=$(sed -ne "s/^.*JSONNET_BUNDLER_VERSION=\(.*\)/\1/p;" Dockerfile)
           echo IMAGE_TAG=${VER} >> ${GITHUB_ENV}
@@ -48,23 +50,20 @@ jobs:
             maintainer=Thomas Boerger <thomas@webhippie.de>
 
       - name: Setup QEMU
-        id: qemu
         uses: docker/setup-qemu-action@v3
 
       - name: Setup Buildx
         id: buildx
         uses: docker/setup-buildx-action@v3
 
       - name: Hub login
-        id: login1
         uses: docker/login-action@v3
         if: github.event_name != 'pull_request'
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Quay login
-        id: login2
         uses: docker/login-action@v3
         if: github.event_name != 'pull_request'
         with:
@@ -73,7 +72,6 @@ jobs:
           password: ${{ secrets.QUAY_PASSWORD }}
 
       - name: Ghcr login
-        id: login3
         uses: docker/login-action@v3
         if: github.event_name != 'pull_request'
         with:
@@ -82,7 +80,6 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Docker build
-        id: docker
         uses: docker/build-push-action@v6
         with:
           builder: ${{ steps.buildx.outputs.name }}
@@ -95,7 +92,6 @@ jobs:
           cache-to: type=gha,mode=max
 
       - name: Hub readme
-        id: readme1
         uses: actionhippie/pushrm@v1
         if: github.event_name != 'pull_request'
         with:
@@ -107,11 +103,12 @@ jobs:
           readme: README.md
 
       - name: Quay readme
-        id: readme2
         uses: actionhippie/pushrm@v1
         if: github.event_name != 'pull_request'
         with:
           provider: quay
           target: quay.io/${{ github.repository }}
           apikey: ${{ secrets.QUAY_APIKEY }}
           readme: README.md
+
+...