diff --git a/.github/labeler.yml b/.github/labeler.yml
new file mode 100644
index 0000000..99451d9
--- /dev/null
+++ b/.github/labeler.yml
@@ -0,0 +1,50 @@
+# Copyright (C) 2024 Alexandre Nicolaie (xunleii@users.noreply.github.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+---
+# Define automatically the `pr` label based on the changed files and the head branch
+pr::bugfix:
+ - head-branch:
+ - ^bug(fix(es)?)?/.+$
+
+pr::dependencies:
+ - head-branch:
+ - ^renovate\/.+$
+
+pr:documentation:
+ - changed-files:
+ - any-glob-to-any-file: [README.md, LICENSE, "**/README.md"]
+
+pr::workflows:
+ - all:
+ - changed-files:
+ - any-glob-to-any-file: [.github/workflows/**]
+ - head-branch:
+ - ^(?!renovate\/).+$
+
+pr::others:
+ - all:
+ - changed-files:
+ - any-glob-to-any-file: "**"
+ - all-globs-to-all-files:
+ - "!.github/workflows/**"
+ - "!Cargo.lock"
+ - "!Cargo.toml"
+ - "!docs/**"
+ - "!LICENSE"
+ - "!README.md"
+ - "!src/**"
+ - "!tests/**"
+ - head-branch:
+ - ^(?!renovate\/).+$
diff --git a/.github/labels.yaml b/.github/labels.yaml
new file mode 100644
index 0000000..7e39441
--- /dev/null
+++ b/.github/labels.yaml
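Review bot: `pr:documentation:` uses a single colon while every other key here and the label declared in `.github/labels.yaml` use the `pr::` prefix, so documentation PRs would be tagged with a label named `pr:documentation` that the manifest never defines (whether the action creates it or errors depends on the labeler version). Change the key to `pr::documentation:`. The `pr::others` rule also excludes `docs/**`, `src/**` and `tests/**` although no other rule claims those paths, so a PR touching only them receives no `pr::` label at all; if that is intended, a one-line comment above `pr::others:` saying so would save the next reader the deduction.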
@@ -0,0 +1,77 @@
+# Copyright (C) 2024 Alexandre Nicolaie (xunleii@users.noreply.github.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+---
+- name: pr::bugfix
+ description: Something that wasn't working is now fixed
+ color: D73A4A
+- name: pr::dependencies
+ description: Dependencies upgrade
+ color: 2B098D
+- name: pr::documentation
+ description: Improvements or additions to documentation
+ color: 0075CA
+- name: pr::workflows
+ description: Changes on workflows
+ color: 6A5ACD
+- name: pr::others
+ description: Anything else
+ color: DEDB26
+
+- name: size::XS
+ color: 008000
+- name: size::S
+ color: 008000
+- name: size::M
+ color: FFFF00
+- name: size::L
+ color: FF0000
+- name: size::XL
+ color: FF0000
+
+- name: bug
+ description: Something isn't working
+ color: D73A4A
+- name: duplicate
+ description: This doesn't seem right
+ color: CFD3D7
+- name: good first issue
+ description: Good for newcomers
+ color: 7057FF
+- name: help wanted
+ description: Extra attention is needed
+ color: 008672
+- name: invalid
+ description: This doesn't seem right
+ color: E4E669
+- name: question
+ description: Further information is requested
+ color: D876E3
+- name: wontfix
+ description: This will not be worked on
+ color: FFFFFF
+- name: 💥breaking change
+ description: This PR introduces a breaking change
+ color: F0CB2C
+
+- name: 💖 sponsor
+ description: This issue comes from a sponsor
+ color: FFDBF0
+
+- name: stale
+ description: This issue has not had recent activity
+ color: 6A5ACD
+- name: no-stale
+ description: This issue cannot be marked as stale
+ color: 6A5ACD
diff --git a/.github/workflows/merge_group,pull_request.all.lint.yaml b/.github/workflows/merge_group,pull_request.all.lint.yaml
new file mode 100644
index 0000000..8674cd9
--- /dev/null
+++ b/.github/workflows/merge_group,pull_request.all.lint.yaml
@@ -0,0 +1,38 @@
+# Copyright 2024
+#
+# Everyone is permitted to copy, distribute, modify, merge, sell, publish,
+# sublicense or whatever the fuck they want with this software but at their
+# OWN RISK.
+# The author has absolutely no fucking clue what the code in this project
+# does. It might just fucking work or not, there is no third option.
+#
+# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+# DEALINGS IN THE SOFTWARE.
+---
+name: 🚨 Lint Everything
+
+on:
+ merge_group: {}
+ pull_request: {}
+
+concurrency:
+ group: ${{ github.action }}-${{ github.event.pull_request.id }}
+ cancel-in-progress: true
+permissions: {}
+
+jobs:
+ trunk:
+ name: ✅ Validate code quality
+ permissions:
+ contents: read
+ checks: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: ⬇️ Checkout repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: ✏️ Overrides Trunk configuration for Github Action
+ run: mv .trunk/gha.yaml .trunk/user.yaml
+ - name: ⚡️ Run `trunk check`
+ uses: trunk-io/trunk-action@86b68ffae610a05105e90b1f52ad8c549ef482c2 # v1.1.16
diff --git a/.github/workflows/pull_request.automations.yaml b/.github/workflows/pull_request.automations.yaml
new file mode 100644
index 0000000..0819c05
--- /dev/null
+++ b/.github/workflows/pull_request.automations.yaml
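Review bot: `duplicate` and `invalid` carry the same description `This doesn't seem right`, which for `duplicate` reads like a copy-paste from `invalid`; GitHub's built-in text for that label is `This issue or pull request already exists`. Separately, every `color` is a plain scalar, and the digit-only ones (`008000`, `008672`) may be read as integers rather than hex strings by loaders that follow the YAML 1.2 core schema, which would send a wrong color to the API; quoting each value (`color: "008000"`) keeps the manifest loader-independent. Since the sync workflow runs with `prune: true`, this file is the single source of truth for repository labels and deserves a short header comment saying that labels absent from it are deleted.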
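Review bot: The `concurrency.group` expression `${{ github.action }}-${{ github.event.pull_request.id }}` does not identify the workflow or the PR: `github.action` is the id of the running action/step rather than the workflow, and `github.event.pull_request` is absent on `merge_group` events, so all merge-queue runs appear to fall into one group and, with `cancel-in-progress: true`, cancel each other. Use `group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}` so each PR and each merge-group ref gets its own group. The `mv .trunk/gha.yaml .trunk/user.yaml` step would also read better with a comment stating why the CI-specific Trunk config is swapped in (presumably `user.yaml` is the per-user override the action honours — confirm).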
@@ -0,0 +1,35 @@
+# Copyright (C) 2024 Alexandre Nicolaie (xunleii@users.noreply.github.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+---
+name: 🤖 Issue/PR Automation
+on:
+ pull_request:
+ issues:
+ types: [opened]
+
+permissions: {}
+
+jobs:
+ labeler:
+ name: 🏷️ Labeler
+ if: github.event_name == 'pull_request'
+ permissions:
+ contents: read
+ pull-requests: write
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: 🏷️ Apply label on PR
+ uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
diff --git a/.github/workflows/push,schedule.sync-labels.yaml b/.github/workflows/push,schedule.sync-labels.yaml
new file mode 100644
index 0000000..e8cd7e4
--- /dev/null
+++ b/.github/workflows/push,schedule.sync-labels.yaml
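Review bot: The labeler job requests `pull-requests: write` but runs on `pull_request`, where the `GITHUB_TOKEN` for pull requests opened from forks is read-only regardless of the `permissions` block, so labeling fork PRs will fail with a 403; `actions/labeler`'s README recommends `pull_request_target` for this reason. Switching the trigger to `pull_request_target:` is safe for this job as written because it never checks out or executes PR-head code — that property must be preserved if steps are added later, and a comment above the job saying so would help. The `issues: types: [opened]` trigger currently starts a run in which the only job is skipped by `if: github.event_name == 'pull_request'`; drop it or add the issue-handling job it was meant for.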
@@ -0,0 +1,46 @@
+# Copyright (C) 2024 Alexandre Nicolaie (xunleii@users.noreply.github.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+---
+name: 🏷️ Sync Github labels
+
+on:
+ push:
+ branches: [main]
+ paths:
+ [.github/labels.yaml, ".github/workflows/push,schedule.sync-labels.yaml"]
+ schedule:
+ - cron: 0 0 * * *
+ workflow_dispatch:
+
+permissions: {}
+
+jobs:
+ labeler:
+ name: 🏷️ Labeler
+ permissions:
+ issues: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: ⬇️ Checkout repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ fetch-depth: 0
+ - name: 🏷️ Sync Github labels with the definition
+ uses: brpaz/action-label-syncer@32e516ae73bbf7c7c0548897be07080795336e15 # main
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ manifest: .github/labels.yaml
+ prune: true
diff --git a/.github/workflows/push.trunk-cache.yaml b/.github/workflows/push.trunk-cache.yaml
new file mode 100644
index 0000000..580a03a
--- /dev/null
+++ b/.github/workflows/push.trunk-cache.yaml
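Review bot: `fetch-depth: 0` pulls the full history for a job whose only input is `.github/labels.yaml`; the default shallow checkout suffices and the `with:` block can be dropped. `prune: true` deletes every repository label absent from the manifest on each nightly run, including labels created by hand in the UI, which is easy to forget — a comment on that line such as `# labels missing from labels.yaml are deleted on every run` would make the contract visible. The `brpaz/action-label-syncer` pin is a commit SHA annotated `# main` rather than a release tag, so tooling that refreshes SHA pins from the version comment (Renovate, Dependabot) has nothing to track; pinning to a tagged release's SHA, if one exists, keeps it updatable.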
@@ -0,0 +1,37 @@
+# Copyright 2024
+#
+# Everyone is permitted to copy, distribute, modify, merge, sell, publish,
+# sublicense or whatever the fuck they want with this software but at their
+# OWN RISK.
+# The author has absolutely no fucking clue what the code in this project
+# does. It might just fucking work or not, there is no third option.
+#
+# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+# DEALINGS IN THE SOFTWARE.
+---
+name: ♻️ Refresh Trunk cache
+
+on:
+ push:
+ branches: [main]
+ paths: [.trunk/trunk.yaml]
+
+permissions: {}
+
+jobs:
+ trunk-cache:
+ name: ♻️ Refresh Trunk cache
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ actions: write
+
+ steps:
+ - name: ⬇️ Checkout repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: 📦️ Populate cache with Trunk
+ uses: trunk-io/trunk-action@86b68ffae610a05105e90b1f52ad8c549ef482c2 # v1.1.16
+ with:
+ check-mode: populate_cache_only
diff --git a/.github/workflows/security.workflows.yaml b/.github/workflows/security.workflows.yaml
new file mode 100644
index 0000000..b83dfab
--- /dev/null
+++ b/.github/workflows/security.workflows.yaml
@@ -0,0 +1,43 @@
+# Copyright 2024
+#
+# Everyone is permitted to copy, distribute, modify, merge, sell, publish,
+# sublicense or whatever the fuck they want with this software but at their
+# OWN RISK.
+# The author has absolutely no fucking clue what the code in this project
+# does. It might just fucking work or not, there is no third option.
+#
+# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+# DEALINGS IN THE SOFTWARE.
+---
+name: 🔒️ Security hardening (Github Actions workflows)
+
+on:
+ merge_group: {}
+ pull_request:
+ types: [opened, synchronize]
+ paths: [.github/workflows/**]
+
+permissions: {}
+
+jobs:
+ ci_harden_security:
+ name: 🔒️ Github Action security hardening
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: ⬇️ Checkout repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: 📄 Lint Github Actions
+ run: |
+ curl -O https://raw.githubusercontent.com/rhysd/actionlint/4f6274a8e0f4f4d2057aa9ae07660f61aa29c5f3/.github/actionlint-matcher.json
+
+ echo "::add-matcher::actionlint-matcher.json"
+ bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/4f6274a8e0f4f4d2057aa9ae07660f61aa29c5f3/scripts/download-actionlint.bash)
+ ./actionlint -color
+
+ - name: ✅ Ensure SHA pinned actions
+ uses: zgosalvez/github-actions-ensure-sha-pinned-actions@40e45e738b3cad2729f599d8afc6ed02184e1dbd # v3.0.5
diff --git a/.trunk/configs/.yamllint.yaml b/.trunk/configs/.yamllint.yaml
index 56f230b..4abbdaa 100644
--- a/.trunk/configs/.yamllint.yaml
+++ b/.trunk/configs/.yamllint.yaml
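Review bot: Both `curl` calls in the `Lint Github Actions` step run without `-f`, so an HTTP error (a 404, a rate-limit page) leaves `curl -O` exiting 0 with the error body saved as `actionlint-matcher.json` and feeds whatever came back to `bash <(…)`; the runner's default `bash -e` does not catch a failure inside a process substitution either. Use `curl -fsSLO …` for the matcher and `bash <(curl -fsSL …) <ACTIONLINT_VERSION>` for the installer — `download-actionlint.bash` accepts the version as its first argument per its docs, and without it the script (fetched from a pinned commit) still downloads the latest release, leaving actionlint the one unpinned tool in a workflow that otherwise SHA-pins everything. Since this workflow only runs when `.github/workflows/**` changes, it cannot be made a required status check without a companion job that reports success on PRs that touch nothing under that path; worth a comment near `paths:` so nobody enables it as required by mistake.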
@@ -36,5 +36,4 @@ rules:
 required: only-when-needed # Require quoted strings only when necessary
 extra-allowed: ["{|}"] # Allow extra characters { and } in quoted strings
 trailing-spaces: false # Do not allow trailing spaces
- truthy:
- level: warning # Warn on non-standard truthy values (e.g., "yes" instead of "true")
+ truthy: disable # Do not enforce standard truthy values
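Review bot: Turning the rule off entirely with `truthy: disable` also silences the warning for values such as `yes`, `no` and `on` in every YAML file, not only for the `on:` key of the GitHub workflows that presumably motivated the change. yamllint's `truthy` rule has a `check-keys` option for exactly that case; replacing the added line with `truthy:`, `  level: warning`, `  check-keys: false  # GitHub workflows use "on" as a mapping key` keeps value checking at the previous level while ignoring keys. The enclosing `rules:` mapping starts outside the hunk.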