chore: update workflows, linting, configs

2026-01-29 16:42:30 +00:00 · 2025-05-12 01:11:48 +03:00
parent 46c1d723b7
commit cdc7174ff9
14 changed files with 331 additions and 93 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,46 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: 'CodeQL'
+
+on:
+  push:
+    branches: ['main']
+  pull_request:
+    branches: ['main']
+  schedule:
+    - cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday
+  merge_group:
+
+permissions:
+  actions: read
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['javascript'] # Add languages used in your actions
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
+        with:
+          category: '/language:${{matrix.language}}'
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -1,18 +1,30 @@
 ---
-name: PR Lint
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: Lint Code Base

 on:
  push:
-    branches-ignore: [master, main]
-    # Remove the line above to run when pushing to master
+    branches: [master, main]
  pull_request:
    branches: [master, main]

-permissions:
-  contents: read
-  packages: read
-  statuses: write
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: read-all

 jobs:
-  SuperLinter:
-    uses: ivuorinen/.github/.github/workflows/pr-lint.yml@main
+  Linter:
+    name: PR Lint
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      statuses: write
+      contents: read
+      packages: read
+
+    steps:
+      - name: Run PR Lint
+        # https://github.com/ivuorinen/actions
+        uses: ivuorinen/actions/pr-lint@2be873ebc893ab669d11d1848e5bddfe1cb9f828 # 25.5.5
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -1,14 +0,0 @@
---
-name: Release Drafter
-
-# yamllint disable-line rule:truthy
-on:
-  workflow_call:
-
-permissions:
-  contents: write
-  statuses: write
-
-jobs:
-  Draft:
-    uses: ivuorinen/.github/.github/workflows/sync-labels.yml@main
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,19 +1,26 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Stale

-# yamllint disable-line rule:truthy
 on:
  schedule:
-    - cron: "0 8 * * *"
+    - cron: '0 8 * * *' # Every day at 08:00
  workflow_call:
  workflow_dispatch:

+permissions:
+  contents: read
+  packages: read
+  statuses: read
+
 jobs:
  stale:
+    name: 🧹 Clean up stale issues and PRs
    runs-on: ubuntu-latest
+
    permissions:
      contents: write # only for delete-branch option
      issues: write
      pull-requests: write
    steps:
-      - uses: ivuorinen/actions/stale@main
+      - uses: ivuorinen/actions/stale@2be873ebc893ab669d11d1848e5bddfe1cb9f828 # 25.5.5
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -1,23 +1,41 @@
 ---
-name: Sync labels
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: Sync Labels

-# yamllint disable-line rule:truthy
 on:
  push:
    branches:
      - main
+      - master
    paths:
-      - .github/workflows/sync-labels.yml
-      - .github/labels.yml
+      - '.github/labels.yml'
+      - '.github/workflows/sync-labels.yml'
  schedule:
-    - cron: "34 5 * * *"
+    - cron: '34 5 * * *' # Run every day at 05:34 AM UTC
  workflow_call:
  workflow_dispatch:
+  merge_group:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: read-all

 jobs:
-  SyncLabels:
-    permissions:
-      issues: write
+  labels:
+    name: ♻️ Sync Labels
    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    permissions:
+      contents: read
+      issues: write
+
    steps:
-      - uses: ivuorinen/actions/sync-labels@main
+      - name: ⤵️ Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: ⤵️ Sync Latest Labels Definitions
+        uses: ivuorinen/actions/sync-labels@2be873ebc893ab669d11d1848e5bddfe1cb9f828 # 25.5.5