chore: Update workflows to be more comprehensive

mime-types · Jan 8, 2025 · 310d664 · 310d664
1 parent 72089e8
commit 310d664
Show file tree

Hide file tree

Showing 5 changed files with 113 additions and 12 deletions.
diff --git a/.github/workflows/generate.yml b/.github/workflows/generate.yml
@@ -6,40 +6,46 @@ on:
   workflow_dispatch:
 
 jobs:
-  generate:
+  update-definitions:
+    permissions:
+      contents: write
+      pull-requests: write
+
     runs-on: ubuntu-latest
 
     steps:
-      - id: is-first-week
+      - id: is-scheduled
         env:
           EVENT_NAME: ${{ github.event_name }}
         run: |
           declare result
           declare -i dom
           dom="$(date +%d | sed 's/^0//')"
 
-          if ((dom <= 7)) || [[ "${EVENT_NAME}" == workflow_dispatch ]]; then
-            result=yes
-          fi
+          [[ "${EVENT_NAME}" == workflow_dispatch ]] && result=yes
+          ((dom <= 7)) && result=yes
+          ((dom >= 14 && dom <= 21)) && result=yes
 
           echo "ok=${result}" >>"$GITHUB_OUTPUT"
 
-      - uses: actions/checkout@v4
-        if: steps.is-first-week.outputs.ok
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: true
+        if: steps.is-scheduled.outputs.ok
 
-      - uses: ruby/setup-ruby@v1
-        if: steps.is-first-week.outputs.ok
+      - uses: ruby/setup-ruby@4a9ddd6f338a97768b8006bf671dfbad383215f4 #v1.207.0
+        if: steps.is-scheduled.outputs.ok
         with:
           ruby-version: '3.2'
           rubygems: 'latest'
           bundler: 2
           bundler-cache: true
 
       - run: bundle exec rake release:gha
-        if: steps.is-first-week.outputs.ok
+        if: steps.is-scheduled.outputs.ok
 
-      - uses: peter-evans/create-pull-request@v7.0.6
-        if: steps.is-first-week.outputs.ok
+      - uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f #v7.0.6
+        if: steps.is-scheduled.outputs.ok
         with:
           commit-message: |
             ${{ env.UPDATE_TITLE }}

diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml
@@ -0,0 +1,61 @@
+name: Reviewdog
+
+on:
+  pull_request:
+
+jobs:
+  typos:
+    if: ${{ github.event.action != 'closed' }}
+    name: Typos
+    runs-on: ubuntu-22.04
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
+
+      - uses: reviewdog/action-typos@2e6b919585397817d4fc55f0ee1dc771530b1089 #v1.13.0
+
+  actionlint:
+    if: ${{ github.event.action != 'closed' }}
+    name: Actionlint
+    runs-on: ubuntu-22.04
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
+
+      - uses: reviewdog/action-actionlint@534eb894142bcf31616e5436cbe4214641c58101 #v1.61.0
+
+  standardrb:
+    if: ${{ github.event.action != 'closed' }}
+    name: 'Ruby: Standard'
+    runs-on: ubuntu-22.04
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
+
+      - uses: ruby/setup-ruby@4a9ddd6f338a97768b8006bf671dfbad383215f4 #v1.207.0
+        with:
+          ruby-version: '3.3'
+          bundler-cache: true
+
+      - uses: kirillplatonov/action-standard@ce7fc0be158421b01e5d9dc20eef1dcabcf18e4b #v1.0.1
+        with:
+          skip_install: true
+          use_bundler: true
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,31 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+
+jobs:
+  zizmor:
+    name: zizmor latest via Cargo
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      # required for workflows in private repositories
+      contents: read
+      actions: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - uses: actions-rust-lang/setup-rust-toolchain@11df97af8e8102fd60b60a77dfbf58d40cd843b8 # v1.10.1
+
+      - run: cargo install --locked zizmor
+      - run: zizmor --persona pedantic --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        with:
+          sarif_file: results.sarif
+          category: zizmor
diff --git a/.standard.yml b/.standard.yml
@@ -1,6 +1,7 @@
 parallel: true
 ruby_version: 2.3
 ignore:
+  - 'pkg/**/*'
   - '*.gemspec'
   - Rakefile:
       - Layout/HeredocIndentation

diff --git a/.typos.toml b/.typos.toml
@@ -0,0 +1,2 @@
+[files]
+extend-exclude = ["data/", "types/"]