From 0fbfa104ce8e045f73b321a34e9c0d68e23b8057 Mon Sep 17 00:00:00 2001
From: arashagp
Date: Thu, 2 Jan 2025 10:29:04 +0330
Subject: [PATCH 01/12] feat: add sync-label workflow
---
.github/workflows/sync-labels.yml | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 .github/workflows/sync-labels.yml
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
new file mode 100644
index 0000000..2cbf1ce
--- /dev/null
+++ b/.github/workflows/sync-labels.yml
@@ -0,0 +1,29 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Sync labels
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - next
+ paths:
+ - .github/labels.yml
+
+jobs:
+ labels:
+ name: Sync labels
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ issues: write
+
+ steps:
+ - name: โคต๏ธ Check out code from GitHub
+ uses: actions/checkout@v4
+
+ - name: ๐Ÿš€ Run Label Syncer
+ uses: micnncim/action-label-syncer@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From e1c27514dab3dfcb4ba9f8d75db6a6a7efae6458 Mon Sep 17 00:00:00 2001
From: arashagp
Date: Thu, 2 Jan 2025 10:29:15 +0330
Subject: [PATCH 02/12] feat: add release workflow
---
.github/workflows/release.yaml | 86 ++++++++++++++++++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 .github/workflows/release.yaml
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..eda2a85
--- /dev/null
+++ b/.github/workflows/release.yaml
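Review bot: `micnncim/action-label-syncer@v1` is a third-party action referenced by a mutable tag, so whatever that tag points to at run time receives a token carrying `issues: write`; pin it to a full commit SHA with the version kept in a trailing comment, `uses: micnncim/action-label-syncer@<commit-sha> # v1`, so the code that gets the token is fixed. The same applies to `google/wireit@setup-github-actions-caching/v2` in the release and publish workflows added later in this series, which is a branch reference rather than a tag. Enabling Dependabot for the `github-actions` ecosystem keeps pinned SHAs current without giving up the pin.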
@@ -0,0 +1,86 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Build & Lint & Test & Release
+
+on:
+ workflow_dispatch:
+
+env:
+ NODE_VERSION: lts/*
+ GPG_KEY_ID: ${{ vars.GPG_KEY_ID }}
+
+jobs:
+ main:
+ name: Build & Lint & Test & Release
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: write
+
+ steps:
+ - name: โคต๏ธ Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ token: ${{ secrets.BOT_TOKEN }}
+
+ - name: ๐Ÿ™‚โ€โ†”๏ธ Import GPG key
+ run: |
+ echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --batch --import
+ echo -e "5\ny\n" | gpg --batch --yes --command-fd 0 --edit-key ${{ env.GPG_KEY_ID }} trust quit
+ env:
+ GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+
+ - name: ๐Ÿซก Setup Git
+ run: |
+ git config --global user.name "Nexim Bot"
+ git config --global user.email "bot@thenexim.com"
+ git config --global user.signingkey ${{ env.GPG_KEY_ID }}
+ git config --global commit.gpgsign true
+
+ - name: ๐Ÿ”ง Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ inputs.NODE_VERSION }}
+
+ - name: ๐Ÿ› ๏ธ Setup Node.js Corepack
+ run: corepack enable
+
+ - name: ๐Ÿ“ฆ Get Yarn Config
+ id: yarn_config
+ run: echo "cache_folder=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
+
+ - name: ๐Ÿ—„๏ธ Cache Layer
+ uses: actions/cache@v4
+ with:
+ path: ${{ steps.yarn_config.outputs.cache_folder }}
+ key: ${{ runner.os }}-yarn-${{ hashFiles('yarn.lock') }}
+ restore-keys: |
+ ${{ runner.os }}-yarn-
+
+ - name: ๐Ÿ“ฅ Install Dependencies
+ run: yarn install --immutable
+
+ - name: ๐Ÿ—ƒ๏ธ Cache Wireit
+ uses: google/wireit@setup-github-actions-caching/v2
+
+ - name: ๐Ÿ—๏ธ Build TypeScript
+ run: yarn build
+ env:
+ WIREIT_LOGGER: metrics
+
+ - name: ๐Ÿงน Run ESLint
+ run: yarn lint
+ env:
+ WIREIT_LOGGER: metrics
+
+ - name: ๐Ÿงช Run Tests
+ run: yarn test
+ env:
+ WIREIT_LOGGER: metrics
+
+ - name: ๐Ÿค– Get Release
+ run: yarn lerna version --yes
+ env:
+ GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}
+ WIREIT_LOGGER: metrics
From 78f4f19b3047f7845cd5427a5504195da60ae1b6 Mon Sep 17 00:00:00 2001
From: arashagp
Date: Thu, 2 Jan 2025 10:29:34 +0330
Subject: [PATCH 03/12] feat: add publish-npm workflow
---
.github/workflows/publish-npm.yml | 71 +++++++++++++++++++++++++++++++
1 file changed, 71 insertions(+)
create mode 100644 .github/workflows/publish-npm.yml
diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
new file mode 100644
index 0000000..55f8638
--- /dev/null
+++ b/.github/workflows/publish-npm.yml
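Review bot: `node-version: ${{ inputs.NODE_VERSION }}` resolves to an empty string in this file: the only trigger is `workflow_dispatch` with no inputs declared, and the value actually lives in `env.NODE_VERSION`, so setup-node presumably falls back to whatever Node the runner image ships; the same reference appears in publish-npm.yml in the next patch. Use `node-version: ${{ env.NODE_VERSION }}` or declare the input under `workflow_dispatch`. In the Import GPG key step the private key is spliced into the script text by the `${{ secrets.GPG_PRIVATE_KEY }}` expression even though the step already exports it as the `GPG_PRIVATE_KEY` environment variable; reading the shell variable instead, `echo "$GPG_PRIVATE_KEY" | gpg --batch --import`, keeps the key material out of the generated script and means a key containing a double quote cannot break the quoting. The same shell-variable pattern would serve `GPG_KEY_ID` in both GPG steps.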
@@ -0,0 +1,71 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Publish NPM
+
+on:
+ workflow_dispatch:
+
+ release:
+ types:
+ - created
+
+env:
+ NODE_VERSION: lts/*
+
+jobs:
+ publish-npm:
+ if: github.repository_owner == 'the-nexim'
+
+ name: Publish NPM
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ id-token: write
+
+ steps:
+ - name: ๐Ÿ“ฅ Checkout repository
+ uses: actions/checkout@v4
+
+ - name: ๐Ÿ”ง Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ inputs.NODE_VERSION }}
+
+ - name: ๐Ÿ› ๏ธ Setup Node.js Corepack
+ run: corepack enable
+
+ - name: ๐Ÿ“ฆ Get Yarn Config
+ id: yarn_config
+ run: echo "cache_folder=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
+
+ - name: ๐Ÿ—„๏ธ Cache Layer
+ uses: actions/cache@v4
+ with:
+ path: ${{ steps.yarn_config.outputs.cache_folder }}
+ key: ${{ runner.os }}-yarn-${{ hashFiles('yarn.lock') }}
+ restore-keys: |
+ ${{ runner.os }}-yarn-
+
+ - name: ๐Ÿ“ฅ Install Dependencies
+ run: yarn install --immutable
+
+ - name: ๐Ÿ—ƒ๏ธ Cache Wireit
+ uses: google/wireit@setup-github-actions-caching/v2
+
+ - name: ๐Ÿ—๏ธ Build TypeScript
+ run: yarn build
+ env:
+ WIREIT_LOGGER: metrics
+
+ - name: ๐Ÿงน Run ESLint
+ run: yarn lint
+ env:
+ WIREIT_LOGGER: metrics
+
+ - name: ๐Ÿš€ Publish
+ run: yarn run publish -- --yes
+ env:
+ NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+ NPM_CONFIG_PROVENANCE: true
+ WIREIT_LOGGER: metrics
From 7153b79599f540118dc02722edae8e229003dd19 Mon Sep 17 00:00:00 2001
From: arashagp
Date: Thu, 2 Jan 2025 10:29:53 +0330
Subject: [PATCH 04/12] feat: add dependency-review workflow
---
.github/workflows/dependency-review.yaml | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 .github/workflows/dependency-review.yaml
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
new file mode 100644
index 0000000..e992f79
--- /dev/null
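Review bot: The publish job builds and lints but never runs the test suite, so a package can reach the registry from a tree whose tests fail, while the release workflow in the previous patch does gate on `yarn test`; add a `- name: Run Tests` step with `run: yarn test` before the Publish step, or make this workflow depend on a passing build-lint-test run. `id-token: write` is only needed for the provenance attestation enabled by `NPM_CONFIG_PROVENANCE: true`, which is worth stating in a comment so the permission is not removed as unused later. Minor: `${{secrets.NPM_TOKEN}}` lacks the inner spaces that every other expression in this file uses.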
+++ b/.github/workflows/dependency-review.yaml
@@ -0,0 +1,23 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Dependency Review
+
+on:
+ workflow_dispatch:
+
+ pull_request:
+
+jobs:
+ dependency-review:
+ name: Dependency Review
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+
+ steps:
+ - name: โคต๏ธ Checkout repository
+ uses: actions/checkout@v4
+
+ - name: ๐Ÿš€ Dependency Review
+ uses: actions/dependency-review-action@v4
From fa5c4d3e8c667709c49f007236a617de78ec27c3 Mon Sep 17 00:00:00 2001
From: arashagp
Date: Thu, 2 Jan 2025 10:30:07 +0330
Subject: [PATCH 05/12] feat: add codeql(code quality) workflow
---
.github/workflows/codeql.yaml | 48 +++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 .github/workflows/codeql.yaml
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
new file mode 100644
index 0000000..e923110
--- /dev/null
+++ b/.github/workflows/codeql.yaml
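Review bot: The `workflow_dispatch` trigger gives `actions/dependency-review-action@v4` nothing to compare: the action diffs dependency manifests between a base and a head ref and, as far as I know, only derives those from pull-request style events, so a manual run will fail unless `base-ref` and `head-ref` are supplied under `with:`. Either drop `workflow_dispatch` from this file or add those two inputs. It is also worth setting an explicit gate such as `fail-on-severity` so the policy is visible in the file rather than inherited from the action's defaults.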
@@ -0,0 +1,48 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: CodeQL
+
+on:
+ workflow_dispatch:
+
+ schedule:
+ - cron: '0 7 * */2 *'
+ # โ”‚ โ”‚ โ”‚ โ”‚ โ”‚
+ # โ”‚ โ”‚ โ”‚ โ”‚ โ””โ”€โ”€โ”€ day of the week (0 - 6 or SUN-SAT)
+ # โ”‚ โ”‚ โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€ month (1 - 12 or JAN-DEC)
+ # โ”‚ โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ day of the month (1 - 31)
+ # โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ hour (0 - 23)
+ # โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ minute (0 - 59)
+
+jobs:
+ analyze-code-ql:
+ name: CodeQL Analyze
+ runs-on: ubuntu-latest
+
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ['TypeScript']
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ steps:
+ - name: โคต๏ธ Checkout repository
+ uses: actions/checkout@v4
+
+ - name: ๐Ÿ— Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+ - name: ๐Ÿ— Auto build
+ uses: github/codeql-action/autobuild@v3
+
+ - name: ๐Ÿš€ Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
From 9fcacd8067d3f63cd884271c3e1e75fa05502f04 Mon Sep 17 00:00:00 2001
From: arashagp
Date: Thu, 2 Jan 2025 10:34:54 +0330
Subject: [PATCH 06/12] feat: add header for workflow call
---
.github/workflows/build-lint-test.yaml | 6 +++---
.github/workflows/codeql.yaml | 11 +++++++++--
.github/workflows/dependency-review.yaml | 7 +++++++
.github/workflows/publish-npm.yml | 7 +++++++
.github/workflows/release.yaml | 7 +++++++
5 files changed, 33 insertions(+), 5 deletions(-)
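Review bot: The schedule `'0 7 * */2 *'` fires at 07:00 UTC on every day of every second month, because the day-of-month field is `*`; that is presumably not what the comment diagram was meant to document. `'0 7 1 */2 *'` runs once every two months and `'0 7 * * 1'` once a week, either of which reads as an intentional cadence. The `autobuild` step is not needed for JavaScript/TypeScript, which CodeQL extracts without compiling, so it can be dropped here; if it stays, a one-line comment saying why would help the next reader.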
diff --git a/.github/workflows/build-lint-test.yaml b/.github/workflows/build-lint-test.yaml index 0e347c1..a426a3c 100644 --- a/.github/workflows/build-lint-test.yaml +++ b/.github/workflows/build-lint-test.yaml @@ -6,9 +6,9 @@ on: workflow_call: inputs: node-version: - description: 'Node.js version' + description: "Node.js version" required: true - default: 'lts/*' + default: "lts/*" type: string permissions: @@ -46,7 +46,7 @@ jobs: - name: ๐Ÿ“ฅ Install Dependencies run: yarn install --immutable - - name: ๐Ÿ—๏ธ Build + - name: ๐Ÿ—๏ธ Build TypeScript run: yarn build env: WIREIT_LOGGER: metrics diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index e923110..21dafc5 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -6,13 +6,20 @@ on: workflow_dispatch: schedule: - - cron: '0 7 * */2 *' + - cron: "0 7 * */2 *" # โ”‚ โ”‚ โ”‚ โ”‚ โ”‚ # โ”‚ โ”‚ โ”‚ โ”‚ โ””โ”€โ”€โ”€ day of the week (0 - 6 or SUN-SAT) # โ”‚ โ”‚ โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€ month (1 - 12 or JAN-DEC) # โ”‚ โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ day of the month (1 - 31) # โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ hour (0 - 23) # โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ minute (0 - 59) + workflow_call: + inputs: + node-version: + description: "Node.js version" + required: true + default: "lts/*" + type: string jobs: analyze-code-ql: @@ -27,7 +34,7 @@ jobs: strategy: fail-fast: false matrix: - language: ['TypeScript'] + language: ["TypeScript"] # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml index e992f79..50b1a26 100644 --- a/.github/workflows/dependency-review.yaml +++ b/.github/workflows/dependency-review.yaml 
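Review bot: The `workflow_call` block added to codeql.yaml declares a `node-version` input that nothing in the CodeQL job reads, and the same unused input is added to dependency-review.yaml in the next hunk; declare it only in the workflows whose setup-node step consumes it. Where it is consumed (publish-npm.yml and release.yaml, also in this patch) the input is named `node-version` while the step reads `${{ inputs.NODE_VERSION }}`, so the input still does not reach setup-node; the two names need to agree, e.g. `node-version: ${{ inputs.node-version }}`. The enclosing `on:` blocks start outside these hunks.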
@@ -6,6 +6,13 @@ on: workflow_dispatch: pull_request: + workflow_call: + inputs: + node-version: + description: "Node.js version" + required: true + default: "lts/*" + type: string jobs: dependency-review: diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml index 55f8638..b12ee6b 100644 --- a/.github/workflows/publish-npm.yml +++ b/.github/workflows/publish-npm.yml @@ -8,6 +8,13 @@ on: release: types: - created + workflow_call: + inputs: + node-version: + description: "Node.js version" + required: true + default: "lts/*" + type: string env: NODE_VERSION: lts/* diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index eda2a85..7a8fb6c 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -4,6 +4,13 @@ name: Build & Lint & Test & Release on: workflow_dispatch: + workflow_call: + inputs: + node-version: + description: "Node.js version" + required: true + default: "lts/*" + type: string env: NODE_VERSION: lts/* From 9f6efe895e10577a0edb73b989c87a1c75f67b04 Mon Sep 17 00:00:00 2001 From: arashagp Date: Thu, 2 Jan 2025 10:51:16 +0330 Subject: [PATCH 07/12] chore: remove unnecessary headers --- .github/workflows/codeql.yaml | 10 ---------- .github/workflows/dependency-review.yaml | 3 --- .github/workflows/publish-npm.yml | 5 ----- .github/workflows/release.yaml | 1 - 4 files changed, 19 deletions(-) diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 21dafc5..011f68a 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml 
@@ -3,16 +3,6 @@ name: CodeQL on: - workflow_dispatch: - - schedule: - - cron: "0 7 * */2 *" - # โ”‚ โ”‚ โ”‚ โ”‚ โ”‚ - # โ”‚ โ”‚ โ”‚ โ”‚ โ””โ”€โ”€โ”€ day of the week (0 - 6 or SUN-SAT) - # โ”‚ โ”‚ โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€ month (1 - 12 or JAN-DEC) - # โ”‚ โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ day of the month (1 - 31) - # โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ hour (0 - 23) - # โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ minute (0 - 59) workflow_call: inputs: node-version: diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml index 50b1a26..08cde49 100644 --- a/.github/workflows/dependency-review.yaml +++ b/.github/workflows/dependency-review.yaml @@ -3,9 +3,6 @@ name: Dependency Review on: - workflow_dispatch: - - pull_request: workflow_call: inputs: node-version: diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml index b12ee6b..0ee9d4f 100644 --- a/.github/workflows/publish-npm.yml +++ b/.github/workflows/publish-npm.yml @@ -3,11 +3,6 @@ name: Publish NPM on: - workflow_dispatch: - - release: - types: - - created workflow_call: inputs: node-version: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 7a8fb6c..ac6b718 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -3,7 +3,6 @@ name: Build & Lint & Test & Release on: - workflow_dispatch: workflow_call: inputs: node-version: From 55d01ac20b47f5f7afb6998088fb3fcd13fe2eb4 Mon Sep 17 00:00:00 2001 
From: arashagp Date: Thu, 2 Jan 2025 10:57:24 +0330 Subject: [PATCH 08/12] refactor: update workflows to remove unnecessary inputs and standardize job names --- .github/workflows/build-lint-test.yaml | 2 +- .github/workflows/codeql.yaml | 18 ++++++------------ .github/workflows/dependency-review.yaml | 14 ++++---------- .github/workflows/publish-npm.yml | 12 ++++++------ .github/workflows/release.yaml | 8 ++++---- .github/workflows/sync-labels.yml | 17 ++++++----------- 6 files changed, 27 insertions(+), 44 deletions(-) diff --git a/.github/workflows/build-lint-test.yaml b/.github/workflows/build-lint-test.yaml index a426a3c..876ebb0 100644 --- a/.github/workflows/build-lint-test.yaml +++ b/.github/workflows/build-lint-test.yaml @@ -46,7 +46,7 @@ jobs: - name: ๐Ÿ“ฅ Install Dependencies run: yarn install --immutable - - name: ๐Ÿ—๏ธ Build TypeScript + - name: ๐Ÿ—๏ธ Build run: yarn build env: WIREIT_LOGGER: metrics diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 011f68a..d7dba7c 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -4,23 +4,17 @@ name: CodeQL on: workflow_call: - inputs: - node-version: - description: "Node.js version" - required: true - default: "lts/*" - type: string + +permissions: + actions: read + contents: read + security-events: write jobs: - analyze-code-ql: + main: name: CodeQL Analyze runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - strategy: fail-fast: false matrix: diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml index 08cde49..dd90cf1 100644 --- a/.github/workflows/dependency-review.yaml +++ b/.github/workflows/dependency-review.yaml 
@@ -4,21 +4,15 @@ name: Dependency Review on: workflow_call: - inputs: - node-version: - description: "Node.js version" - required: true - default: "lts/*" - type: string + +permissions: + contents: read jobs: - dependency-review: + main: name: Dependency Review runs-on: ubuntu-latest - permissions: - contents: read - steps: - name: โคต๏ธ Checkout repository uses: actions/checkout@v4 diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml index 0ee9d4f..d378463 100644 --- a/.github/workflows/publish-npm.yml +++ b/.github/workflows/publish-npm.yml @@ -14,17 +14,17 @@ on: env: NODE_VERSION: lts/* +permissions: + contents: read + id-token: write + jobs: - publish-npm: + main: if: github.repository_owner == 'the-nexim' name: Publish NPM runs-on: ubuntu-latest - permissions: - contents: read - id-token: write - steps: - name: ๐Ÿ“ฅ Checkout repository uses: actions/checkout@v4 @@ -55,7 +55,7 @@ jobs: - name: ๐Ÿ—ƒ๏ธ Cache Wireit uses: google/wireit@setup-github-actions-caching/v2 - - name: ๐Ÿ—๏ธ Build TypeScript + - name: ๐Ÿ—๏ธ Build run: yarn build env: WIREIT_LOGGER: metrics diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index ac6b718..54f89d6 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -15,14 +15,14 @@ env: NODE_VERSION: lts/* GPG_KEY_ID: ${{ vars.GPG_KEY_ID }} +permissions: + contents: write + jobs: main: name: Build & Lint & Test & Release runs-on: ubuntu-latest - permissions: - contents: write - steps: - name: โคต๏ธ Checkout repository uses: actions/checkout@v4 @@ -70,7 +70,7 @@ jobs: - name: ๐Ÿ—ƒ๏ธ Cache Wireit uses: google/wireit@setup-github-actions-caching/v2 - - name: ๐Ÿ—๏ธ Build TypeScript + - name: ๐Ÿ—๏ธ Build run: yarn build env: WIREIT_LOGGER: metrics diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 2cbf1ce..837990d 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml 
@@ -3,22 +3,17 @@ name: Sync labels on: - workflow_dispatch: - push: - branches: - - next - paths: - - .github/labels.yml + workflow_call: + +permissions: + contents: read + issues: write jobs: - labels: + main: name: Sync labels runs-on: ubuntu-latest - permissions: - contents: read - issues: write - steps: - name: โคต๏ธ Check out code from GitHub uses: actions/checkout@v4 From 1cc6cddc6fe9bca98a69e23388a6b425324fa8a6 Mon Sep 17 00:00:00 2001 From: arashagp Date: Thu, 2 Jan 2025 11:12:08 +0330 Subject: [PATCH 09/12] feat: enhance workflows by adding required secrets and expanding language support --- .github/workflows/codeql.yaml | 2 +- .github/workflows/publish-npm.yml | 7 ++++--- .github/workflows/release.yaml | 20 ++++++++++---------- .github/workflows/sync-labels.yml | 4 ++++ 4 files changed, 19 insertions(+), 14 deletions(-) diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index d7dba7c..df43f56 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -18,7 +18,7 @@ jobs: strategy: fail-fast: false matrix: - language: ["TypeScript"] + language: ["TypeScript", "JavaScript"] # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml index d378463..c0e3850 100644 --- a/.github/workflows/publish-npm.yml +++ b/.github/workflows/publish-npm.yml @@ -10,6 +10,10 @@ on: required: true default: "lts/*" type: string + secrets: + NPM_TOKEN: + required: true + description: "NPM token" env: NODE_VERSION: lts/* @@ -52,9 +56,6 @@ jobs: - name: ๐Ÿ“ฅ Install Dependencies run: yarn install --immutable - - name: ๐Ÿ—ƒ๏ธ Cache Wireit - uses: google/wireit@setup-github-actions-caching/v2 - - name: ๐Ÿ—๏ธ Build run: yarn build env: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 54f89d6..a8e5e64 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
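Review bot: Adding `"JavaScript"` next to `"TypeScript"` most likely duplicates the analysis rather than widening it: as far as I can tell the codeql-action init step treats both names as case-insensitive aliases of the `javascript` extractor, which already covers TypeScript, so the matrix would run two identical jobs and upload two result sets for the same category. Keep a single entry, `language: ["javascript-typescript"]`, and if the second entry was meant to document coverage, say so in the comment on the following line instead. The `strategy:` block this matrix belongs to starts outside the hunk.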
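Review bot: Declaring `secrets.NPM_TOKEN` with `required: true` is the right way to surface the requirement, but the input mismatch in publish-npm.yml remains: `on.workflow_call.inputs.node-version` is declared while the setup-node step (unchanged since patch 03) reads `${{ inputs.NODE_VERSION }}`, which resolves to an empty string, and this patch renames the input to `NODE_VERSION` in release.yaml only. Apply the same rename here or change the step to `node-version: ${{ inputs.node-version }}`, and then drop the now-redundant `env.NODE_VERSION`. A short `description` on the input would also tell callers what value shape is expected.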
@@ -5,15 +5,18 @@ name: Build & Lint & Test & Release on: workflow_call: inputs: - node-version: + NODE_VERSION: description: "Node.js version" required: true default: "lts/*" type: string - -env: - NODE_VERSION: lts/* - GPG_KEY_ID: ${{ vars.GPG_KEY_ID }} + secrets: + GPG_KEY_ID: + required: true + description: "GPG key ID" + BOT_TOKEN: + required: true + description: "Nexim Bot token" permissions: contents: write @@ -33,7 +36,7 @@ jobs: - name: ๐Ÿ™‚โ€โ†”๏ธ Import GPG key run: | echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --batch --import - echo -e "5\ny\n" | gpg --batch --yes --command-fd 0 --edit-key ${{ env.GPG_KEY_ID }} trust quit + echo -e "5\ny\n" | gpg --batch --yes --command-fd 0 --edit-key ${{ secrets.GPG_KEY_ID }} trust quit env: GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} @@ -41,7 +44,7 @@ jobs: run: | git config --global user.name "Nexim Bot" git config --global user.email "bot@thenexim.com" - git config --global user.signingkey ${{ env.GPG_KEY_ID }} + git config --global user.signingkey ${{ secrets.GPG_KEY_ID }} git config --global commit.gpgsign true - name: ๐Ÿ”ง Setup Node.js @@ -67,9 +70,6 @@ jobs: - name: ๐Ÿ“ฅ Install Dependencies run: yarn install --immutable - - name: ๐Ÿ—ƒ๏ธ Cache Wireit - uses: google/wireit@setup-github-actions-caching/v2 - - name: ๐Ÿ—๏ธ Build run: yarn build env: diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 837990d..e755d76 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -4,6 +4,10 @@ name: Sync labels on: workflow_call: + secrets: + GITHUB_TOKEN: + description: "GitHub token" + required: true permissions: contents: read From e05c377c55cfc625424939cf10f06de2899b2e3d Mon Sep 17 00:00:00 2001 From: "S. Amir Mohammad Najafi" Date: Thu, 2 Jan 2025 11:17:52 +0330 Subject: [PATCH 10/12] chore: fix typo Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> 
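Review bot: Declaring `GITHUB_TOKEN` under `on.workflow_call.secrets` in sync-labels.yml is, as far as I can tell, rejected by the workflow validator: the name is reserved and the token is passed to a reusable workflow automatically, so a caller neither can nor needs to supply it. Drop the `secrets:` block and keep using `${{ secrets.GITHUB_TOKEN }}` in the Run Label Syncer step, which the workflow's `permissions` block (`contents: read`, `issues: write`) already scopes. If the intent was to let callers pass a differently scoped token, declare it under a non-reserved name such as `LABEL_SYNC_TOKEN` and reference that in the step.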
Signed-off-by: S. Amir Mohammad Najafi --- .github/workflows/codeql.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index df43f56..90ab119 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -29,7 +29,7 @@ jobs: uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # Details on CodeQL's query packs refer to https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality - name: ๐Ÿ— Auto build From 1f8ffd2f69a401afcd4109d8793533dca1cfe88b Mon Sep 17 00:00:00 2001 From: arashagp Date: Thu, 2 Jan 2025 11:18:57 +0330 Subject: [PATCH 11/12] refactor: add GPG private key to release workflow for enhanced security --- .github/workflows/release.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a8e5e64..341a52e 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -17,10 +17,16 @@ on: BOT_TOKEN: required: true description: "Nexim Bot token" + GPG_PRIVATE_KEY: + required: true + description: "GPG private key" permissions: contents: write +env: + GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} + jobs: main: name: Build & Lint & Test & Release 
@@ -35,10 +41,10 @@ jobs: - name: ๐Ÿ™‚โ€โ†”๏ธ Import GPG key run: | - echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --batch --import + echo "${{ env.GPG_PRIVATE_KEY }}" | gpg --batch --import echo -e "5\ny\n" | gpg --batch --yes --command-fd 0 --edit-key ${{ secrets.GPG_KEY_ID }} trust quit env: - GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} + GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY}} - name: ๐Ÿซก Setup Git run: | From ef28694385b7ea3b1bdd5e6811cdd19e4eb3ba45 Mon Sep 17 00:00:00 2001 From: arashagp Date: Thu, 2 Jan 2025 11:23:29 +0330 Subject: [PATCH 12/12] refactor: streamline GPG key handling in release workflow --- .github/workflows/release.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 341a52e..6c38e43 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -24,9 +24,6 @@ on: permissions: contents: write -env: - GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} - jobs: main: name: Build & Lint & Test & Release @@ -45,6 +42,7 @@ jobs: echo -e "5\ny\n" | gpg --batch --yes --command-fd 0 --edit-key ${{ secrets.GPG_KEY_ID }} trust quit env: GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY}} + GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} - name: ๐Ÿซก Setup Git run: | @@ -52,6 +50,8 @@ jobs: git config --global user.email "bot@thenexim.com" git config --global user.signingkey ${{ secrets.GPG_KEY_ID }} git config --global commit.gpgsign true + env: + GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} - name: ๐Ÿ”ง Setup Node.js uses: actions/setup-node@v4
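Review bot: `echo "${{ env.GPG_PRIVATE_KEY }}" | gpg --batch --import` still expands the private key into the script text before the shell runs it, so the change does not deliver the "enhanced security" named in the commit subject; the step already exports the secret as an environment variable, so the line should read `echo "$GPG_PRIVATE_KEY" | gpg --batch --import`. The following patch in this series adds `GPG_KEY_ID` to the `env:` of both GPG steps but leaves `${{ secrets.GPG_KEY_ID }}` in the `run:` lines, so the same `"$GPG_KEY_ID"` substitution applies there. `${{ secrets.GPG_PRIVATE_KEY}}` is missing the space before `}}`; it still evaluates, but it breaks the spacing used everywhere else in these workflows.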