diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3f3721f..28e5985 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,7 +1,6 @@
 name: Build and Release
 
 on:
- workflow_call:
 push:
 branches: [main]
 pull_request:
@@ -12,62 +11,40 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+permissions: {}
+
 jobs:
 
 complete:
 if: always()
- needs: [cargo, go]
+ needs: [prepare, cargo, go]
 runs-on: ubuntu-latest
 steps:
 - if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
 run: exit 1
 
+ prepare:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ outputs:
+ cargo: ${{ steps.matrix.outputs.cargo }}
+ go: ${{ steps.matrix.outputs.go }}
+ steps:
+ - uses: actions/checkout@v5
+ - id: matrix
+ run: |
+ echo "cargo=$(jq -c '.' tools-cargo.json)" >> "$GITHUB_OUTPUT"
+ echo "go=$(jq -c '.' tools-go.json)" >> "$GITHUB_OUTPUT"
+
 cargo:
+ needs: prepare
+ permissions:
+ contents: read
 strategy:
 fail-fast: false
 matrix:
- crate:
- - name: cargo-expand
- version: '1.0.116'
- - name: cargo-workspaces
- version: '0.2.35'
- - name: cargo-workspaces
- version: '0.3.6'
- - name: cargo-hack
- version: '0.6.44'
- - name: cargo-set-rust-version
- version: '0.5.0'
- - name: cargo-edit
- version: '0.11.6'
- - name: cargo-fuzz
- version: '0.13.1'
- - name: cargo-deny
- version: '0.14.19'
- rust: '1.79.0'
- - name: cargo-deny
- version: '0.19.0'
- - name: cargo-cache
- version: '0.8.3'
- - name: cargo-sweep
- version: '0.7.0'
- - name: cargo-readme
- version: '3.3.1'
- - name: cargo-semver-checks
- version: '0.46.0'
- - name: cargo-public-api
- version: '0.33.1'
- - name: cargo-nextest
- version: '0.9.105'
- - name: wasm-pack
- version: '0.13.0'
- - name: wasm-bindgen-cli
- version: '0.2.92'
- - name: check-lockfile-intersection
- version: '0.1.0'
- - name: wasm-cs
- version: '1.0.0'
- - name: sccache
- version: '0.14.0'
+ crate: ${{ fromJSON(needs.prepare.outputs.cargo) }}
 runs-on:
 - ubuntu-latest # amd64
 - ubuntu-22.04-arm # arm64
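Review bot: In the new `prepare` step, `echo "cargo=$(jq -c '.' tools-cargo.json)" >> "$GITHUB_OUTPUT"` hides a jq failure — the command substitution's exit status is discarded by `echo`, so a missing or malformed JSON file writes an empty `cargo=` output and the error only surfaces later as an opaque `fromJSON` failure when the `cargo`/`go` matrix is expanded. Assign first so the runner's default `bash -e` aborts the job at the real fault: `cargo=$(jq -c . tools-cargo.json)` followed by `echo "cargo=$cargo" >> "$GITHUB_OUTPUT"` (same pair for go). Separately, `actions/checkout@v5` here is a mutable tag while the same diff pins `renovatebot/github-action` to a full SHA, and `release-create` further down uses `checkout@v6`; pinning both checkouts to one SHA keeps the supply-chain posture consistent across the workflow.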
@@ -111,13 +88,13 @@ jobs:
 path: '*.tar.gz'
 
 go:
+ needs: prepare
+ permissions:
+ contents: read
 strategy:
 fail-fast: false
 matrix:
- package:
- - name: actionlint
- import-path: github.com/rhysd/actionlint/cmd/actionlint
- version: '1.7.1'
+ package: ${{ fromJSON(needs.prepare.outputs.go) }}
 runs-on:
 - ubuntu-latest # amd64
 - ubuntu-22.04-arm # arm64
@@ -158,6 +135,8 @@ jobs:
 if: github.ref_name == 'main'
 needs: complete
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - uses: actions/checkout@v6
 with:
@@ -174,6 +153,8 @@ jobs:
 if: github.ref_name == 'main'
 needs: release-create
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - uses: actions/download-artifact@v8
 - run: gh release -R ${{ github.repository }} upload --clobber "${{ needs.release-create.outputs.tag }}" **/*.tar.gz
@@ -183,6 +164,8 @@ jobs:
 release-test:
 if: github.ref_name == 'main'
 needs: [release-create, release-upload]
+ permissions:
+ contents: read
 strategy:
 matrix:
 runs-on:
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
new file mode 100644
index 0000000..908f827
--- /dev/null
+++ b/.github/workflows/renovate.yml
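Review bot: Granting `release-upload` an explicit `contents: write` is the right scope for `gh release upload`, but the unchanged `run:` line directly beneath it still interpolates `${{ needs.release-create.outputs.tag }}` straight into the shell, so anything that can influence that output (it is computed in `release-create`, outside this diff) becomes a command-injection path against a write-capable token. The established mitigation is to route the value through the environment: add `env:` / `TAG: ${{ needs.release-create.outputs.tag }}` to the step and use `upload --clobber "$TAG"` in the command. Since the job is gated on `github.ref_name == 'main'` this is hardening rather than an immediate exposure, but it is cheap and keeps the newly declared write permission from pairing with a shell-interpolated expression.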
@@ -0,0 +1,34 @@
+name: Renovate
+
+on:
+ schedule:
+ - cron: '0 6 * * *' # daily, 06:00 UTC
+ workflow_dispatch:
+ pull_request:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+
+ renovate:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - uses: actions/checkout@v5
+ - uses: renovatebot/github-action@693b9ef15eec82123529a37c782242f091365961 #v46.1.14
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ configurationFile: renovate.json5
+ env:
+ RENOVATE_REPOSITORIES: ${{ github.repository }}
+ RENOVATE_BASE_BRANCH_PATTERNS: '["${{ github.head_ref || github.ref_name }}"]'
+ RENOVATE_REQUIRE_CONFIG: optional
+ RENOVATE_ONBOARDING: 'false'
+ RENOVATE_DRY_RUN: ${{ github.event_name == 'pull_request' && 'full' || '' }}
+ LOG_LEVEL: ${{ github.event_name == 'pull_request' && 'debug' || 'info' }}
diff --git a/renovate.json5 b/renovate.json5
new file mode 100644
index 0000000..60b5e6e
--- /dev/null
+++ b/renovate.json5
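Review bot: `token: ${{ secrets.GITHUB_TOKEN }}` means the pull requests Renovate opens will not trigger the `pull_request` run of build.yml — GitHub suppresses workflow runs for events created with the installation token — so tool bumps would be mergeable without CI unless something outside this diff re-triggers it; a GitHub App token or a narrowly scoped PAT is the usual fix, and the limitation deserves a comment on the `token:` line either way, e.g. `# GITHUB_TOKEN-created PRs do not trigger other workflows; build.yml will not run on them`. Second, the `pull_request` trigger runs this job with `contents: write` and `pull-requests: write` declared while checking out and executing the PR's own `renovate.json5`; `RENOVATE_DRY_RUN: full` keeps it from writing and fork PRs only receive a read-only token, but a same-repo PR still runs attacker-editable config under a write token, so consider splitting the dry run into its own job with `permissions: contents: read`. Lastly, `RENOVATE_BASE_BRANCH_PATTERNS` builds JSON by pasting `github.head_ref` into a string, so a branch name containing `"` (legal in git refnames) produces invalid JSON and a confusing failure rather than a clean skip.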
@@ -0,0 +1,52 @@
+{
+ $schema: 'https://docs.renovatebot.com/renovate-schema.json',
+ extends: ['config:recommended'],
+
+ // Only manage the tool versions in tools/tools.json. Action `uses:` pins are
+ // handled by Dependabot (.github/dependabot.yml), so leave every other
+ // manager off to avoid the two bots fighting.
+ enabledManagers: ['custom.jsonata'],
+
+ // Hold every update until the release is at least 1 month old, and always
+ // target the newest version that passes that age check rather than the
+ // absolute latest (so we never jump onto a brand-new release).
+ minimumReleaseAge: '1 month',
+ internalChecksFilter: 'strict',
+
+ customManagers: [
+ {
+ // cargo tools built via `cargo install`. Parsed as structured JSON, so an
+ // optional `auto-update` flag anywhere in the entry is captured as the
+ // depType (see packageRules below) regardless of field order.
+ customType: 'jsonata',
+ fileFormat: 'json',
+ managerFilePatterns: ['/^tools-cargo\\.json$/'],
+ matchStrings: [
+ '$.{ "depName": name, "currentValue": version, "depType": $string(`auto-update`) }',
+ ],
+ datasourceTemplate: 'crate',
+ },
+ {
+ // go tools built via `go install`. depName is the module root (first three
+ // path segments of import-path); version is stored without a leading `v`.
+ customType: 'jsonata',
+ fileFormat: 'json',
+ managerFilePatterns: ['/^tools-go\\.json$/'],
+ matchStrings: [
+ '$.{ "depName": $join($split(`import-path`, "/")[[0..2]], "/"), "currentValue": version, "depType": $string(`auto-update`) }',
+ ],
+ datasourceTemplate: 'go',
+ extractVersionTemplate: '^v?(?.+)$',
+ ],
+
+ packageRules: [
+ {
+ // Freeze a tool by setting "auto-update": false on its entry in
+ // tools/tools.json; that flag is captured as the depType above and
+ // disabled here, so Renovate never proposes updates for it.
+ matchDepTypes: ['false'],
+ enabled: false,
+ },
+ ],
+}
diff --git a/tools-cargo.json b/tools-cargo.json
new file mode 100644
index 0000000..0b43cef
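Review bot: The comments at the top and inside `packageRules` still point at `tools/tools.json`, but the managers match `tools-cargo.json` and `tools-go.json`; update them to e.g. `// Only manage the tool versions in tools-cargo.json and tools-go.json. Action `uses:` pins are` and `// Freeze a tool by setting "auto-update": false on its entry in tools-*.json;`. As rendered here, `extractVersionTemplate: '^v?(?.+)$'` has no named `version` capture group, which Renovate requires (`'^v?(?<version>.+)$'`), and the second custom manager's closing `},` is missing before `],` — if that is the committed content rather than a rendering artifact the config will not load, which `RENOVATE_REQUIRE_CONFIG: optional` would not catch. The `minimumReleaseAge: '1 month'` plus `internalChecksFilter: 'strict'` pair is a sound supply-chain control; one caveat worth adding to the go manager's comment is that taking the first three path segments as the module root only holds for `host/owner/repo` modules, which is true for the single entry today but not in general.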
--- /dev/null
+++ b/tools-cargo.json
@@ -0,0 +1,22 @@
+[
+ { "name": "cargo-expand", "version": "1.0.116" },
+ { "name": "cargo-workspaces", "version": "0.2.35", "auto-update": false },
+ { "name": "cargo-workspaces", "version": "0.3.6" },
+ { "name": "cargo-hack", "version": "0.6.44" },
+ { "name": "cargo-set-rust-version", "version": "0.5.0" },
+ { "name": "cargo-edit", "version": "0.11.6" },
+ { "name": "cargo-fuzz", "version": "0.13.1" },
+ { "name": "cargo-deny", "version": "0.14.19", "rust": "1.79.0", "auto-update": false },
+ { "name": "cargo-deny", "version": "0.19.0" },
+ { "name": "cargo-cache", "version": "0.8.3" },
+ { "name": "cargo-sweep", "version": "0.7.0" },
+ { "name": "cargo-readme", "version": "3.3.1" },
+ { "name": "cargo-semver-checks", "version": "0.46.0" },
+ { "name": "cargo-public-api", "version": "0.33.1" },
+ { "name": "cargo-nextest", "version": "0.9.105" },
+ { "name": "wasm-pack", "version": "0.13.0" },
+ { "name": "wasm-bindgen-cli", "version": "0.2.92" },
+ { "name": "check-lockfile-intersection", "version": "0.1.0" },
+ { "name": "wasm-cs", "version": "1.0.0", "auto-update": false },
+ { "name": "sccache", "version": "0.14.0" }
+]
diff --git a/tools-go.json b/tools-go.json
new file mode 100644
index 0000000..dff11d8
--- /dev/null
+++ b/tools-go.json
@@ -0,0 +1,3 @@
+[
+ { "name": "actionlint", "import-path": "github.com/rhysd/actionlint/cmd/actionlint", "version": "1.7.1" }
+]
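Review bot: The three entries frozen with `"auto-update": false` (`cargo-workspaces` 0.2.35, `cargo-deny` 0.14.19 with `"rust": "1.79.0"`, `wasm-cs` 1.0.0) carry no record of why they are pinned, and JSON has no comments, so the next maintainer cannot tell a deliberate compatibility hold from a forgotten one — and a frozen policy tool like cargo-deny will also stop receiving its own fixes. The jsonata manager in renovate.json5 only projects `name`, `version` and `auto-update`, so an extra free-form key is safe to add, e.g. `{ "name": "wasm-cs", "version": "1.0.0", "auto-update": false, "reason": "..." }`. Presumably the cargo-deny pin exists for the 1.79 toolchain build; confirm that and record it on the entry.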