From fe3bbb9ac628456fed74f6dd4dcb6485f221b839 Mon Sep 17 00:00:00 2001 From: Jason Varga Date: Mon, 1 Jun 2026 14:34:13 -0400 Subject: [PATCH] wip --- .github/workflows/pint-fix.yml | 31 ------------ .github/workflows/pint-lint.yml | 12 +++-- .github/workflows/pr-title.yml | 63 +++--------------------- .github/workflows/pull-requests.yml | 75 ++++------------------------- .github/workflows/release.yml | 53 ++++++++------------ .github/workflows/stale.yml | 21 +++----- .github/workflows/tests.yml | 50 +++++++++++++------ .github/workflows/zizmor.yml | 23 +++++++++ 8 files changed, 110 insertions(+), 218 deletions(-) delete mode 100644 .github/workflows/pint-fix.yml create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/pint-fix.yml b/.github/workflows/pint-fix.yml deleted file mode 100644 index 7563200c5d1..00000000000 --- a/.github/workflows/pint-fix.yml +++ /dev/null @@ -1,31 +0,0 @@ -name: Fix PHP code style issues - -on: - push: - paths: - - '**.php' - -permissions: - contents: write - -jobs: - fix-php-code-styling: - runs-on: ubuntu-latest - if: github.repository_owner == 'statamic' - - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - ref: ${{ github.head_ref }} - token: ${{ secrets.PINT }} - - - name: Fix PHP code style issues - uses: aglipanci/laravel-pint-action@v2 - with: - pintVersion: 1.16.0 - - - name: Commit changes - uses: stefanzweifel/git-auto-commit-action@v5 - with: - commit_message: Fix styling diff --git a/.github/workflows/pint-lint.yml b/.github/workflows/pint-lint.yml index 732b5ed824d..2ed2273822b 100644 --- a/.github/workflows/pint-lint.yml +++ b/.github/workflows/pint-lint.yml 
@@ -1,20 +1,24 @@ name: Lint PHP code style issues -on: +on: # zizmor: ignore[concurrency-limits] pull_request: paths: - '**.php' +permissions: {} + jobs: - lint-php-code-styling: + lint-php-code-styling: # zizmor: ignore[anonymous-definition] runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Check PHP code style issues - uses: aglipanci/laravel-pint-action@v2 + uses: aglipanci/laravel-pint-action@36de00d5f5a8a4e12d443e01671daa12a18f4c79 # 2.6 with: testMode: true verboseMode: true diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index a4ecda7248a..87c54a70fc8 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml 
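Review bot: The `lint-php-code-styling` job declares no job-level permissions under the new top-level `permissions: {}`, so its GITHUB_TOKEN carries no scopes at all; that is the tightest setting and works for a public repository, but it is the only job in this commit whose read access is implicit rather than declared (the tests.yml hunks spell out `contents: read`). For consistency, and so the workflow keeps working if repository visibility ever changes, add `permissions:` with `contents: read` under the job. The `# 2.6` pin comment on laravel-pint-action also omits the `v` prefix used by every other pin in the commit; one form is easier to grep and to match against tags.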
@@ -4,60 +4,13 @@ on: pull_request: types: [opened, edited, synchronize, reopened] -jobs: - pr-title: - runs-on: ubuntu-latest - steps: - - name: Validate PR title matches target branch - env: - PR_TITLE: ${{ github.event.pull_request.title }} - BASE_BRANCH: ${{ github.event.pull_request.base.ref }} - DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} - run: | - # Validates PR title against target branch - # Returns error message if invalid, empty string if valid - validate_pr_title() { - local target_branch="$1" - local pr_title="$2" - local default_branch="$3" - - # Check if target branch is a version branch (e.g., 5.x, 4.x) - if [[ $target_branch =~ ^([0-9]+)\.x$ ]]; then - local version="${BASH_REMATCH[1]}" - if [[ ! $pr_title =~ ^\[$version\.x\][[:space:]] ]]; then - echo "PR targeting '$target_branch' must have title starting with '[$version.x] '" - return - fi - - # Check if target branch is master (next major version) - elif [[ $target_branch == "master" ]]; then - local current_version="${default_branch//\.x/}" - local next_version=$((current_version + 1)) - if [[ ! $pr_title =~ ^\[$next_version\.x\][[:space:]] ]]; then - echo "PR targeting 'master' must have title starting with '[$next_version.x] '" - return - fi - - # For other branches, just enforce that there's a version prefix - else - if [[ ! 
$pr_title =~ ^\[[0-9]+\.x\][[:space:]] ]]; then - echo "PR title must start with a version prefix like '[5.x] '" - return - fi - fi +permissions: {} - echo "" - } +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true - echo "PR Title: $PR_TITLE" - echo "Base Branch: $BASE_BRANCH" - echo "Default Branch: $DEFAULT_BRANCH" - - ERROR=$(validate_pr_title "$BASE_BRANCH" "$PR_TITLE" "$DEFAULT_BRANCH") - - if [[ -n $ERROR ]]; then - echo $ERROR - exit 1 - fi - - echo "PR title validation passed" +jobs: + pr-title: + uses: statamic/.github/.github/workflows/pr-title.yml@bebe92309b4276e45ebc0d0c65854fb2ecf786ba + permissions: {} diff --git a/.github/workflows/pull-requests.yml b/.github/workflows/pull-requests.yml index 7dfc21ad702..708588df6f9 100644 --- a/.github/workflows/pull-requests.yml +++ b/.github/workflows/pull-requests.yml 
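Review bot: The reusable workflow is pinned to `statamic/.github@bebe923…` with no tag or version comment after the SHA, unlike every action pin in this commit, so a reader cannot tell which release of the shared workflow this is and an automated updater has nothing to bump from; the same applies to the pull-requests.yml and stale.yml hunks, and the new zizmor.yml hunk pins the same repository at a different commit (`7e941c…`). Pick one commit of `statamic/.github` for all four callers and annotate it, e.g. `uses: statamic/.github/.github/workflows/pr-title.yml@bebe92309b4276e45ebc0d0c65854fb2ecf786ba # <tag-or-date placeholder>`. Keeping `pull_request` on `types: [opened, edited, synchronize, reopened]` together with a `github.ref` concurrency group is appropriate for a title check, since a re-edit cancels the now-stale run.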
@@ -1,75 +1,18 @@ name: Pull Requests -# Credit: https://github.com/github/docs/blob/main/.github/workflows/notify-when-maintainers-cannot-edit.yaml -# https://github.com/laravel/.github/blob/main/.github/workflows/pull-requests.yml - on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] types: - opened -permissions: - pull-requests: write +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number }} + cancel-in-progress: true jobs: uneditable: - runs-on: ubuntu-latest - steps: - - uses: actions/github-script@v7 - with: - script: | - const repo = context.repo.repo; - - const query = ` - query($number: Int!) { - repository(owner: "statamic", name: "${repo}") { - pullRequest(number: $number) { - headRepositoryOwner { - login - } - maintainerCanModify - state - } - } - } - `; - - const pullNumber = context.issue.number; - const variables = { number: pullNumber }; - - try { - console.log(`Check for maintainer edit access ...`); - const result = await github.graphql(query, variables); - console.log(JSON.stringify(result, null, 2)); - const pullRequest = result.repository.pullRequest; - - if (pullRequest.headRepositoryOwner.login === 'statamic') { - console.log('PR owned by statamic'); - return; - } - - if (pullRequest.state !== 'OPEN') { - console.log('PR has already been closed or merged'); - return; - } - - if (!pullRequest.maintainerCanModify) { - console.log('PR not owned by statamic and does not have maintainer edits enabled'); - - await github.rest.issues.createComment({ - issue_number: pullNumber, - owner: 'statamic', - repo, - body: "Thanks for submitting a PR!\n\nIn order to review and merge PRs most efficiently, we require that all PRs grant maintainer edit access before we review them. 
For information on how to do this, [see the relevant GitHub documentation](https://docs.github.com/en/github/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork). Additionally, GitHub doesn't allow maintainer permissions from organization accounts. Please resubmit this PR from a personal GitHub account with maintainer permissions enabled." - }); - - await github.rest.pulls.update({ - pull_number: pullNumber, - owner: 'statamic', - repo, - state: 'closed' - }); - } - } catch(e) { - console.log(e); - } + uses: statamic/.github/.github/workflows/pull-requests.yml@bebe92309b4276e45ebc0d0c65854fb2ecf786ba + permissions: + pull-requests: write # post comment and close PRs that don't allow maintainer edits diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e68c4371d6e..a7abc0ca295 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,21 +1,28 @@ name: Create Release -on: +on: # zizmor: ignore[concurrency-limits] push: tags: - 'v*' +permissions: {} + jobs: - build: + build: # zizmor: ignore[anonymous-definition] runs-on: ubuntu-latest + permissions: + contents: write # create GitHub release and upload assets steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Use Node.js 16.13.0 - uses: actions/setup-node@v4 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 16.13.0 + package-manager-cache: false - name: Install required npm version run: npm -g install npm@8.5.5 
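Review bot: The `zizmor: ignore[dangerous-triggers]` on `pull_request_target` carries no recorded justification, yet the job forwards `pull-requests: write` to the reusable workflow on an event that runs with repository secrets for fork PRs; the trigger is only safe as long as the called workflow reads PR metadata through the API and never checks out or executes the head ref, which cannot be verified from this file. Record that invariant on the line above the trigger so the next pin bump is reviewed against it, e.g. `# pull_request_target is acceptable only while the called workflow uses the API and never checks out the PR head`. The concurrency group keyed on `github.event.pull_request.number` is the right choice here, since `github.ref` would resolve to the base branch for this event.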
@@ -37,36 +44,18 @@ jobs: - name: Get Changelog id: changelog - uses: statamic/changelog-action@v1 + uses: statamic/changelog-action@5d112d0d790cdeeb5adca3e584e37edc474ab51b # v1 with: version: ${{ github.ref }} - name: Create release - id: create_release - uses: actions/create-release@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: ${{ steps.changelog.outputs.version }} - release_name: ${{ steps.changelog.outputs.version }} - body: ${{ steps.changelog.outputs.text }} - - - name: Upload dist zip to release - uses: actions/upload-release-asset@v1.0.1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ./resources/dist.tar.gz - asset_name: dist.tar.gz - asset_content_type: application/tar+gz - - - name: Upload dist-frontend zip to release - uses: actions/upload-release-asset@v1.0.1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ./resources/dist-frontend.tar.gz - asset_name: dist-frontend.tar.gz - asset_content_type: application/tar+gz + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + RELEASE_VERSION: ${{ steps.changelog.outputs.version }} + RELEASE_NOTES: ${{ steps.changelog.outputs.text }} + run: | + gh release create "$RELEASE_VERSION" \ + --title "$RELEASE_VERSION" \ + --notes "$RELEASE_NOTES" \ + ./resources/dist.tar.gz \ + ./resources/dist-frontend.tar.gz diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 2f068f0602d..795c524331b 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
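Review bot: `gh release create "$RELEASE_VERSION"` takes the version computed by changelog-action rather than the pushed tag, and with `contents: write` on this job `gh` will create a new tag at the checked-out commit if that string does not already exist as a tag; add `--verify-tag` so a mismatch between `steps.changelog.outputs.version` and `github.ref_name` aborts instead, i.e. `gh release create "$RELEASE_VERSION" --verify-tag \`. Passing the title and notes through `env` instead of interpolating `${{ }}` into the script is the right call, as it keeps the changelog text out of the shell command line entirely. If the changelog output can grow large, `--notes-file` avoids argument-length limits, though that is minor.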
@@ -1,22 +1,13 @@ name: "Close stale issues" -on: +on: # zizmor: ignore[concurrency-limits] workflow_dispatch: schedule: - cron: "30 1 * * *" +permissions: {} + jobs: stale: - runs-on: ubuntu-latest - steps: - - uses: actions/stale@v9 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - days-before-stale: 60 - days-before-close: 7 - ascending: true - only-labels: 'needs more info' - stale-issue-label: stale - stale-issue-message: > - This issue has not had recent activity and has been marked as stale — by me, a robot. - Simply reply to keep it open and send me away. If you do nothing, I will close it in - a week. I have no feelings, so whatever you do is fine by me. + uses: statamic/.github/.github/workflows/stale.yml@bebe92309b4276e45ebc0d0c65854fb2ecf786ba + permissions: + issues: write # mark issues stale and close them diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index c6652634fa8..74c684383f8 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -9,10 +9,18 @@ on: schedule: - cron: '0 0 * * *' +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + jobs: php-tests: runs-on: ${{ matrix.os }} if: "!contains(github.event.head_commit.message, '[ci skip]')" + permissions: + contents: read strategy: matrix: @@ -45,11 +53,13 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v46 + uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6 with: files: | config 
@@ -82,7 +92,7 @@ jobs: run: sudo apt-get install language-pack-fr - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2 if: steps.should-run-tests.outputs.result == 'true' with: php-version: ${{ matrix.php }} @@ -91,7 +101,7 @@ jobs: coverage: none - name: Install dependencies - uses: nick-invision/retry@v3 + uses: nick-invision/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 if: steps.should-run-tests.outputs.result == 'true' with: timeout_minutes: 5 @@ -111,16 +121,20 @@ jobs: js-tests: runs-on: ubuntu-latest if: "!contains(github.event.head_commit.message, '[ci skip]')" + permissions: + contents: read name: JavaScript tests steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v46 + uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6 with: files: | **/*.{js,vue,ts} @@ -135,9 +149,10 @@ jobs: echo "result=true" >> $env:GITHUB_OUTPUT - name: Use Node.js 16.13.0 - uses: actions/setup-node@v4 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 16.13.0 + package-manager-cache: false - name: Install required npm version if: steps.should-run-tests.outputs.result == 'true' 
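Review bot: The pin comment for shivammathur/setup-php (`# v2`) in hunk @@ -82 records only a major, unlike `# v4.0.0` on nick-invision/retry in the next hunk, so a reviewer cannot check the SHA against a specific release without looking it up; use the exact tag the SHA was taken from, e.g. `# v2.<minor.patch placeholder>`. Separately, the context line `echo "result=true" >> $env:GITHUB_OUTPUT` at the top of hunk @@ -135 is PowerShell syntax in a job that runs on ubuntu-latest; presumably that step sets `shell: pwsh` outside this hunk, but under bash `$env` expands to nothing and the output would land in a file named `:GITHUB_OUTPUT`, leaving `should-run-tests.outputs.result` unset. Worth confirming, since the `if:` on the following steps depends on it.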
@@ -155,16 +170,21 @@ jobs: name: Slack Notification runs-on: ubuntu-latest needs: [php-tests, js-tests] + permissions: + actions: read # required by workflow-conclusion-action to determine overall workflow status if: always() steps: - - uses: technote-space/workflow-conclusion-action@v3 + - uses: technote-space/workflow-conclusion-action@45ce8e0eb155657ab8ccf346ade734257fd196a5 # v3 - name: Send Slack notification - uses: 8398a7/action-slack@v3 + uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3 if: env.WORKFLOW_CONCLUSION == 'failure' && github.event_name == 'schedule' with: - status: failure - fields: repo,message,commit,author,action,eventName,ref,workflow - author_name: ${{ github.actor }} - env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + webhook: ${{ secrets.SLACK_WEBHOOK }} + webhook-type: incoming-webhook + payload: | + text: ":x: *${{ github.repository }}* tests failed" + blocks: + - type: section + text: + type: mrkdwn + text: ":x: *${{ github.repository }}* tests failed\n*Ref:* ${{ github.ref }}\n*Author:* ${{ github.actor }}\n*Workflow:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>" diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000000..1278d6787f9 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,23 @@ +name: GitHub Actions Security Analysis + +on: + push: + branches: + - master + - '*.x' + paths: + - '.github/**.yml' + pull_request: + paths: + - '.github/**.yml' + +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + zizmor: + uses: statamic/.github/.github/workflows/zizmor.yml@7e941c239074d66da6cad3322bec3b1005c80cf7 + permissions: {}
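Review bot: The Slack `payload:` embeds `${{ github.ref }}`, `${{ github.actor }}` and `${{ github.workflow }}` directly inside a double-quoted string, so any of those values containing a `"` or a newline would break the YAML the action parses; this is benign only because the step's `if:` restricts it to `schedule` events, where those values are not influenced by external contributors. Make that dependency explicit with a comment on the step, e.g. `# inline expressions in payload rely on the schedule-only guard above; keep it if more events are added`, or move the values into `env:` and reference them from the payload if the action supports that. The added `actions: read` matches the reason given in the inline comment; the `# v3` comment on the workflow-conclusion-action pin records only a major, so use the exact tag as elsewhere in the commit.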
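Review bot: The `paths` filters match only `'.github/**.yml'`, so a workflow or composite action saved with the `.yaml` extension could change without this analysis running; every file in this commit uses `.yml`, but adding `- '.github/**.yaml'` to both filters closes the gap cheaply. The caller passes `permissions: {}` to the reusable workflow, which is correct if the shared workflow only prints findings; if it is ever switched to upload SARIF it will need `security-events: write` at this call site, which is worth a one-line comment next to `permissions: {}` so the next maintainer knows why it is empty.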