👷(gh): Configure generic Github Actions workflows

Signed-off-by: Alexandre Nicolaie <xunleii@users.noreply.github.com>
chezmoi-sh · Aug 11, 2024 · 8239833 · 8239833
1 parent 704c41e
commit 8239833
Show file tree

Hide file tree

Showing 8 changed files with 327 additions and 2 deletions.
diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -0,0 +1,50 @@
+# Copyright (C) 2024 Alexandre Nicolaie (xunleii@users.noreply.github.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+---
+# Define automatically the `pr` label based on the changed files and the head branch
+pr::bugfix:
+  - head-branch:
+      - ^bug(fix(es)?)?/.+$
+
+pr::dependencies:
+  - head-branch:
+      - ^renovate\/.+$
+
+pr:documentation:
+  - changed-files:
+      - any-glob-to-any-file: [README.md, LICENSE, "**/README.md"]
+
+pr::workflows:
+  - all:
+      - changed-files:
+          - any-glob-to-any-file: [.github/workflows/**]
+      - head-branch:
+          - ^(?!renovate\/).+$
+
+pr::others:
+  - all:
+      - changed-files:
+          - any-glob-to-any-file: "**"
+          - all-globs-to-all-files:
+              - "!.github/workflows/**"
+              - "!Cargo.lock"
+              - "!Cargo.toml"
+              - "!docs/**"
+              - "!LICENSE"
+              - "!README.md"
+              - "!src/**"
+              - "!tests/**"
+      - head-branch:
+          - ^(?!renovate\/).+$
diff --git a/.github/labels.yaml b/.github/labels.yaml
@@ -0,0 +1,77 @@
+# Copyright (C) 2024 Alexandre Nicolaie (xunleii@users.noreply.github.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+---
+- name: pr::bugfix
+  description: Something that wasn't working is now fixed
+  color: D73A4A
+- name: pr::dependencies
+  description: Dependencies upgrade
+  color: 2B098D
+- name: pr::documentation
+  description: Improvements or additions to documentation
+  color: 0075CA
+- name: pr::workflows
+  description: Changes on workflows
+  color: 6A5ACD
+- name: pr::others
+  description: Anything else
+  color: DEDB26
+
+- name: size::XS
+  color: 008000
+- name: size::S
+  color: 008000
+- name: size::M
+  color: FFFF00
+- name: size::L
+  color: FF0000
+- name: size::XL
+  color: FF0000
+
+- name: bug
+  description: Something isn't working
+  color: D73A4A
+- name: duplicate
+  description: This doesn't seem right
+  color: CFD3D7
+- name: good first issue
+  description: Good for newcomers
+  color: 7057FF
+- name: help wanted
+  description: Extra attention is needed
+  color: 008672
+- name: invalid
+  description: This doesn't seem right
+  color: E4E669
+- name: question
+  description: Further information is requested
+  color: D876E3
+- name: wontfix
+  description: This will not be worked on
+  color: FFFFFF
+- name: 💥breaking change
+  description: This PR introduces a breaking change
+  color: F0CB2C
+
+- name: 💖 sponsor
+  description: This issue comes from a sponsor
+  color: FFDBF0
+
+- name: stale
+  description: This issue has not had recent activity
+  color: 6A5ACD
+- name: no-stale
+  description: This issue cannot be marked as stale
+  color: 6A5ACD
diff --git a/.github/workflows/merge_group,pull_request.all.lint.yaml b/.github/workflows/merge_group,pull_request.all.lint.yaml
@@ -0,0 +1,38 @@
+# Copyright 2024
+#
+# Everyone is permitted to copy, distribute, modify, merge, sell, publish,
+# sublicense or whatever the fuck they want with this software but at their
+# OWN RISK.
+# The author has absolutely no fucking clue what the code in this project
+# does. It might just fucking work or not, there is no third option.
+#
+# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+# DEALINGS IN THE SOFTWARE.
+---
+name: 🚨 Lint Everything
+
+on:
+  merge_group: {}
+  pull_request: {}
+
+concurrency:
+  group: ${{ github.action }}-${{ github.event.pull_request.id }}
+  cancel-in-progress: true
+permissions: {}
+
+jobs:
+  trunk:
+    name: ✅ Validate code quality
+    permissions:
+      contents: read
+      checks: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: ✏️ Overrides Trunk configuration for Github Action
+        run: mv .trunk/gha.yaml .trunk/user.yaml
+      - name: ⚡️ Run `trunk check`
+        uses: trunk-io/trunk-action@86b68ffae610a05105e90b1f52ad8c549ef482c2 # v1.1.16
diff --git a/.github/workflows/pull_request.automations.yaml b/.github/workflows/pull_request.automations.yaml
@@ -0,0 +1,35 @@
+# Copyright (C) 2024 Alexandre Nicolaie (xunleii@users.noreply.github.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+---
+name: 🤖 Issue/PR Automation
+on:
+  pull_request:
+  issues:
+    types: [opened]
+
+permissions: {}
+
+jobs:
+  labeler:
+    name: 🏷️ Labeler
+    if: github.event_name == 'pull_request'
+    permissions:
+      contents: read
+      pull-requests: write
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: 🏷️ Apply label on PR
+        uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
diff --git a/.github/workflows/push,schedule.sync-labels.yaml b/.github/workflows/push,schedule.sync-labels.yaml
@@ -0,0 +1,46 @@
+# Copyright (C) 2024 Alexandre Nicolaie (xunleii@users.noreply.github.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+---
+name: 🏷️ Sync Github labels
+
+on:
+  push:
+    branches: [main]
+    paths:
+      [.github/labels.yaml, ".github/workflows/push,schedule.sync-labels.yaml"]
+  schedule:
+    - cron: 0 0 * * *
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  labeler:
+    name: 🏷️ Labeler
+    permissions:
+      issues: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 0
+      - name: 🏷️ Sync Github labels with the definition
+        uses: brpaz/action-label-syncer@32e516ae73bbf7c7c0548897be07080795336e15 # main
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          manifest: .github/labels.yaml
+          prune: true
diff --git a/.github/workflows/push.trunk-cache.yaml b/.github/workflows/push.trunk-cache.yaml
@@ -0,0 +1,37 @@
+# Copyright 2024
+#
+# Everyone is permitted to copy, distribute, modify, merge, sell, publish,
+# sublicense or whatever the fuck they want with this software but at their
+# OWN RISK.
+# The author has absolutely no fucking clue what the code in this project
+# does. It might just fucking work or not, there is no third option.
+#
+# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+# DEALINGS IN THE SOFTWARE.
+---
+name: ♻️ Refresh Trunk cache
+
+on:
+  push:
+    branches: [main]
+    paths: [.trunk/trunk.yaml]
+
+permissions: {}
+
+jobs:
+  trunk-cache:
+    name: ♻️ Refresh Trunk cache
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write
+
+    steps:
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: 📦️ Populate cache with Trunk
+        uses: trunk-io/trunk-action@86b68ffae610a05105e90b1f52ad8c549ef482c2 # v1.1.16
+        with:
+          check-mode: populate_cache_only
diff --git a/.github/workflows/security.workflows.yaml b/.github/workflows/security.workflows.yaml
@@ -0,0 +1,43 @@
+# Copyright 2024
+#
+# Everyone is permitted to copy, distribute, modify, merge, sell, publish,
+# sublicense or whatever the fuck they want with this software but at their
+# OWN RISK.
+# The author has absolutely no fucking clue what the code in this project
+# does. It might just fucking work or not, there is no third option.
+#
+# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+# DEALINGS IN THE SOFTWARE.
+---
+name: 🔒️ Security hardening (Github Actions workflows)
+
+on:
+  merge_group: {}
+  pull_request:
+    types: [opened, synchronize]
+    paths: [.github/workflows/**]
+
+permissions: {}
+
+jobs:
+  ci_harden_security:
+    name: 🔒️ Github Action security hardening
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: 📄 Lint Github Actions
+        run: |
+          curl -O https://github.com/raw/rhysd/actionlint/4f6274a8e0f4f4d2057aa9ae07660f61aa29c5f3/.github/actionlint-matcher.json
+
+          echo "::add-matcher::actionlint-matcher.json"
+          bash <(curl https://github.com/raw/rhysd/actionlint/4f6274a8e0f4f4d2057aa9ae07660f61aa29c5f3/scripts/download-actionlint.bash)
+          ./actionlint -color
+
+      - name: ✅ Ensure SHA pinned actions
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@40e45e738b3cad2729f599d8afc6ed02184e1dbd # v3.0.5
diff --git a/.trunk/configs/.yamllint.yaml b/.trunk/configs/.yamllint.yaml
@@ -36,5 +36,4 @@ rules:
         required: only-when-needed # Require quoted strings only when necessary
         extra-allowed: ["{|}"] # Allow extra characters { and } in quoted strings
     trailing-spaces: false # Do not allow trailing spaces
-    truthy:
-        level: warning # Warn on non-standard truthy values (e.g., "yes" instead of "true")
+    truthy: disable # Do not enforce standard truthy values