feat: add shared workflows (#142)

Author: wislertt

.github/workflows/security.yml

@@ -48,7 +48,7 @@ jobs:
                   toolchain: stable
 
             - name: Restore cache
-              uses: actions/cache/restore@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
+              uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
               with:
                   path: |
                       ~/.cargo/bin/
@@ -67,7 +67,7 @@ jobs:
               run: cargo audit
 
             - name: Save cache
-              uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+              uses: actions/cache/save@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
               if: always()
               with:
                   path: |

.github/workflows/shared-check-pr-label-and-branch.yml

@@ -0,0 +1,94 @@
+name: check-pr-label-and-branch
+
+on:
+    workflow_call:
+        inputs:
+            labels:
+                required: false
+                type: string
+                description: "JSON string of labels from the pull request"
+                default: ${{ toJSON(github.event.pull_request.labels) }}
+            target_label:
+                required: true
+                type: string
+                description: "Target label to check for in the PR"
+            branch_prefix:
+                required: false
+                type: string
+                description: "Required prefix for the branch name"
+                default: ""
+        outputs:
+            is_valid:
+                value: ${{ jobs.check-pr-label-and-branch.outputs.is_valid }}
+            has_label:
+                value: ${{ jobs.check-pr-label-and-branch.outputs.has_label }}
+            is_valid_branch:
+                value: ${{ jobs.check-pr-label-and-branch.outputs.is_valid_branch }}
+
+jobs:
+    check-pr-label-and-branch:
+        name: check-pr-label-and-branch
+        runs-on: ubuntu-latest
+        outputs:
+            is_valid: ${{ steps.check.outputs.is_valid }}
+            has_label: ${{ steps.check.outputs.has_label }}
+            is_valid_branch: ${{ steps.check.outputs.is_valid_branch }}
+        steps:
+            - name: Check for label and branch prefix
+              id: check
+              run: |
+                  TARGET_LABEL="${{ inputs.target_label }}"
+                  BRANCH_PREFIX="${{ inputs.branch_prefix }}"
+                  CURRENT_BRANCH="${{ github.head_ref }}"
+
+                  echo "Checking for label: $TARGET_LABEL"
+                  echo "Required branch prefix: $BRANCH_PREFIX"
+                  echo "Current branch: $CURRENT_BRANCH"
+                  echo "Input labels: ${{ inputs.labels }}"
+
+                  # Check if branch has the required prefix
+                  if [ -n "$BRANCH_PREFIX" ]; then
+                    if [[ "$CURRENT_BRANCH" == "$BRANCH_PREFIX"* ]]; then
+                      echo "✅ Branch prefix matches"
+                      HAS_BRANCH_PREFIX=true
+                    else
+                      echo "❌ Branch prefix does not match"
+                      HAS_BRANCH_PREFIX=false
+                    fi
+                  else
+                    echo "ℹ️ No branch prefix requirement"
+                    HAS_BRANCH_PREFIX=true
+                  fi
+
+                  # Use jq to check if the label exists in the labels array
+                  HAS_LABEL=$(echo '${{ inputs.labels }}' | \
+                    jq --arg target "$TARGET_LABEL" \
+                    '[.[] | select(.name == $target)] | length > 0')
+
+                  echo "Has label: $HAS_LABEL"
+
+                  # Output individual condition results
+                  echo "has_label=$HAS_LABEL" >> $GITHUB_OUTPUT
+                  echo "is_valid_branch=$HAS_BRANCH_PREFIX" >> $GITHUB_OUTPUT
+
+                  # Both conditions must be true
+                  if [ "$HAS_LABEL" = "true" ] && [ "$HAS_BRANCH_PREFIX" = "true" ]; then
+                    echo "is_valid=true" >> $GITHUB_OUTPUT
+                    echo "✅ Both label '$TARGET_LABEL' and branch prefix '$BRANCH_PREFIX' found"
+                  else
+                    echo "is_valid=false" >> $GITHUB_OUTPUT
+                    if [ "$HAS_LABEL" != "true" ]; then
+                      echo "❌ Label '$TARGET_LABEL' not found"
+                    else
+                      echo "✅ Label '$TARGET_LABEL' found"
+                    fi
+                    if [ "$HAS_BRANCH_PREFIX" != "true" ]; then
+                      echo "❌ Branch prefix '$BRANCH_PREFIX' not found"
+                    else
+                      echo "✅ Branch prefix '$BRANCH_PREFIX' found"
+                    fi
+                  fi
+
+            - name: Display Validation Result
+              run: |
+                  echo "Validation result: ${{ steps.check.outputs.is_valid }}"

.github/workflows/shared-check-pr-labels-with-prefix.yml

@@ -0,0 +1,52 @@
+name: check-pr-labels-with-prefix
+
+on:
+    workflow_call:
+        inputs:
+            labels:
+                description: "JSON string of labels from the pull request"
+                required: false
+                type: string
+                default: ${{ toJSON(github.event.pull_request.labels) }}
+            prefix:
+                description: 'Label prefix to filter (e.g., "deploy-", "test-", "run-")'
+                required: false
+                default: ""
+                type: string
+        outputs:
+            labels:
+                description: "JSON object with labels matching the prefix"
+                value: ${{ jobs.check-pr-labels-with-prefix.outputs.labels }}
+
+jobs:
+    check-pr-labels-with-prefix:
+        runs-on: ubuntu-latest
+        # Example outputs:
+        # - With prefix "deploy-": {"deploy-d": {full label object}, "deploy-n1": {full label object}}
+        outputs:
+            labels: ${{ steps.filter.outputs.filtered-labels }}
+        steps:
+            - name: Filter labels by prefix
+              id: filter
+              run: |
+                  PREFIX="${{ inputs.prefix }}"
+
+                  # Use jq to filter labels by prefix (empty prefix returns all labels)
+                  JSON_RESULT=$(echo '${{ inputs.labels }}' | \
+                    jq --arg prefix "$PREFIX" \
+                    'map(select(.name | startswith($prefix))) |
+                     map({(.name): .}) |
+                     reduce .[] as $item ({}; . + $item)')
+
+                  # Ensure JSON_RESULT is never empty - default to {} if empty
+                  if [ -z "$JSON_RESULT" ] || [ "$JSON_RESULT" = "null" ]; then
+                    JSON_RESULT="{}"
+                  fi
+
+                  # Use <<< to pass the JSON as a single line to avoid file command issues
+                  {
+                    echo "filtered-labels<<EOF"
+                    echo "$JSON_RESULT"
+                    echo "EOF"
+                  } >> $GITHUB_OUTPUT
+                  echo "Labels result: $JSON_RESULT"

.github/workflows/shared-lock.yml

@@ -0,0 +1,163 @@
+name: lock
+
+on:
+    workflow_call:
+        inputs:
+            key:
+                description: "Key to lock (e.g., dev, staging, prod)"
+                required: true
+                type: string
+            key_owner:
+                description: "Key owner identifier (e.g., PR number, SHA, run ID)"
+                required: true
+                type: string
+            job_name:
+                description: "Custom name for the lock job"
+                required: false
+                type: string
+
+permissions:
+    contents: write
+
+jobs:
+    lock:
+        name: ${{ inputs.job_name || 'lock' }}
+        runs-on: ubuntu-latest
+        steps:
+            - name: Define lock check function
+              shell: bash
+              run: |
+                  # Define reusable function for lock ownership checking
+                  cat << 'EOF' > lock_check_function.sh
+                  check_lock() {
+                      # Parse named parameters
+                      while [[ "$#" -gt 0 ]]; do
+                          case $1 in
+                              --key) key="$2"; shift ;;
+                              --key-owner) key_owner="$2"; shift ;;
+                              --lock-reason) lock_reason="$2"; shift ;;
+                              --locked) locked="$2"; shift ;;
+                              --require-owned) require_owned="$2"; shift ;;
+                              *) echo "Unknown parameter passed: $1"; return 1 ;;
+                          esac
+                          shift
+                      done
+
+                      echo "Key: $key"
+                      echo "Key owner: $key_owner"
+                      echo "Lock reason: $lock_reason"
+                      echo "Locked: $locked"
+
+                      local should_proceed=false
+                      local is_owned_by_us=false
+
+                      if [ "$locked" = "true" ]; then
+                          echo "Lock exists, checking owner..."
+                          local lock_owner=$(echo "$lock_reason" | grep -o 'owner:[^,]*' | cut -d: -f2 || true)
+                          echo "Lock owner: $lock_owner"
+                          echo "Current owner: $key_owner"
+                          if [ "$lock_owner" = "$key_owner" ]; then
+                              echo "✓ Lock is held by this owner"
+                              should_proceed=true
+                              is_owned_by_us=true
+                          elif [ -z "$lock_owner" ]; then
+                              echo "✓ Lock is available (no owner)"
+                              should_proceed=true
+                              is_owned_by_us=false
+                          else
+                              echo "✗ Lock is held by $lock_owner"
+                              should_proceed=false
+                              is_owned_by_us=false
+                              echo "::error::Key '$key' is locked by $lock_owner"
+                              return 1
+                          fi
+                      else
+                          echo "✓ Key is not locked"
+                          should_proceed=true
+                          is_owned_by_us=false
+                      fi
+
+                      echo "should_proceed=$should_proceed" >> $GITHUB_OUTPUT
+                      echo "is_owned_by_us=$is_owned_by_us" >> $GITHUB_OUTPUT
+
+                      # Validate ownership requirement if specified
+                      if [ "$require_owned" = "true" ] && [ "$is_owned_by_us" != "true" ]; then
+                          echo "::error::Lock ownership is required but not achieved"
+                          return 1
+                      fi
+                  }
+                  EOF
+
+            # Check lock state
+            - name: Get lock state
+              uses: github/lock@9a5898804aedcdfb43592ed16b6457768d048183 # v3.0.1
+              id: get-lock-state
+              with:
+                  mode: "check"
+                  environment: ${{ inputs.key }}
+
+            - name: Check lock state
+              id: check-lock
+              shell: bash
+              run: |
+                  source ./lock_check_function.sh
+                  check_lock \
+                      --key "${{ inputs.key }}" \
+                      --key-owner "${{ inputs.key_owner }}" \
+                      --lock-reason "${{ steps.get-lock-state.outputs.reason }}" \
+                      --locked "${{ steps.get-lock-state.outputs.locked }}"
+
+            # Lock
+            - name: Prepare lock reason
+              id: lock-reason
+              run: |
+                  # Simple reason with owner information
+                  REASON="owner:${{ inputs.key_owner }}"
+                  echo "Lock reason: $REASON"
+                  echo "reason=$REASON" >> $GITHUB_OUTPUT
+              if: steps.check-lock.outputs.should_proceed == 'true'
+
+            - name: Lock
+              uses: github/lock@9a5898804aedcdfb43592ed16b6457768d048183 # v3.0.1
+              id: lock
+              with:
+                  mode: "lock"
+                  environment: ${{ inputs.key }}
+                  reason: ${{ steps.lock-reason.outputs.reason }}
+              if: steps.check-lock.outputs.should_proceed == 'true'
+
+            - name: Wait for lock to propagate
+              shell: bash
+              run: |
+                  echo "Waiting for lock to propagate..."
+                  sleep 1
+
+            # Recheck lock state after lock
+            - name: Get lock state for recheck
+              uses: github/lock@9a5898804aedcdfb43592ed16b6457768d048183 # v3.0.1
+              id: get-lock-state-for-recheck
+              with:
+                  mode: "check"
+                  environment: ${{ inputs.key }}
+
+            - name: Recheck lock state
+              id: recheck-lock
+              shell: bash
+              if: steps.lock.outcome == 'success'
+              run: |
+                  source ./lock_check_function.sh
+                  check_lock \
+                      --key "${{ inputs.key }}" \
+                      --key-owner "${{ inputs.key_owner }}" \
+                      --lock-reason "${{ steps.get-lock-state-for-recheck.outputs.reason }}" \
+                      --locked "${{ steps.get-lock-state-for-recheck.outputs.locked }}" \
+                      --require-owned true
+
+            - name: Final lock status
+              if: always()
+              run: |
+                  echo "=== Lock Result ==="
+                  echo "Key: ${{ inputs.key }}"
+                  echo "Owner: ${{ inputs.key_owner }}"
+                  echo "Status: ${{ steps.lock.outcome }}"
+                  echo "Verified ownership: ${{ steps.recheck-lock.outputs.is_owned_by_us || 'N/A' }}"