diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 934852d..4ff1502 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -160,6 +160,10 @@ jobs:
 # yamllint disable-line rule:line-length
 # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
 # queries: security-extended,security-and-quality
+ config: |
+ paths-ignore:
+ - node_modules
+ - third-party
 # Pre autobuild
 # create a file named .codeql-prebuild-${{ matrix.language }}.sh in the root of your repository
@@ -183,3 +187,26 @@ jobs:
 uses: github/codeql-action/analyze@v3
 with:
 category: "/language:${{matrix.language}}"
+ output: sarif-results
+ upload: failure-only
+
+ - name: filter-sarif
+ uses: advanced-security/filter-sarif@v1
+ with:
+ input: sarif-results/${{ matrix.language }}.sarif
+ output: sarif-results/${{ matrix.language }}.sarif
+ patterns: |
+ -node_modules/**
+ -third\-party/**
+
+ - name: Upload SARIF
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: sarif-results/${{ matrix.language }}.sarif
+
+ - name: Upload loc as a Build Artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: sarif-results-${{ matrix.language }}-${{ runner.os }}
+ path: sarif-results
+ retention-days: 1
diff --git a/.github/workflows/update-changelog.yml b/.github/workflows/update-changelog.yml
index d5bbed6..99d2793 100644
--- a/.github/workflows/update-changelog.yml
+++ b/.github/workflows/update-changelog.yml
@@ -24,7 +24,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Update Changelog
- uses: LizardByte/update-changelog-action@v2024.520.183314
+ uses: LizardByte/update-changelog-action@v2024.609.4705
 with:
 changelogBranch: changelog
 changelogFile: CHANGELOG.md
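Review bot: The new `config:` block lists `node_modules` and `third-party` under `paths-ignore` without saying why the same two directories are excluded a second time by the filter-sarif step in this file's next hunk (at line 187); as far as I know CodeQL's `paths-ignore` only narrows extraction for interpreted languages, so compiled-language results still need the SARIF post-filter, and a reader who does not know that will delete one of the two as redundant. A comment above `config: |` along the lines of `# paths-ignore only narrows extraction for interpreted languages; compiled-language results are pruned by the filter-sarif step below` would make the pairing explicit. The same comment should note that the two lists must be kept in sync by hand, since nothing in the workflow derives one from the other.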
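Review bot: The `Upload loc as a Build Artifact` step publishes the filtered SARIF (file paths, snippets, rule ids of untriaged findings) as a workflow artifact, and artifacts are downloadable by anyone with read access to the repository, which on a public repository can be a wider audience than the people who triage code-scanning alerts; `retention-days: 1` shortens the window but does not change who can fetch it. If the artifact only exists to debug the filter step, gate it with `if: failure()` or drop it, and in any case the step name says "loc" while `path: sarif-results` is the SARIF output, so rename it to `- name: Upload SARIF as a Build Artifact`. Separately, `advanced-security/filter-sarif@v1` is a third-party action referenced by a mutable tag; pinning it to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening, though the `github/codeql-action` steps in this file use tags as well.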
diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml
new file mode 100644
index 0000000..d1212f6
--- /dev/null
+++ b/.github/workflows/update-docs.yml
@@ -0,0 +1,89 @@
+---
+# This action is centrally managed in https://github.com//.github/
+# Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in
+# the above-mentioned repo.
+
+# Use the `rtd` repository label to identify repositories that should trigger have this workflow.
+# If the project slug is not the repository name, add a repository variable named `READTHEDOCS_SLUG` with the value of
+# the ReadTheDocs project slug.
+
+# Update readthedocs on release events.
+
+name: Update docs
+
+on:
+ release:
+ types: [created, edited, deleted]
+
+concurrency:
+ group: "${{ github.workflow }}-${{ github.event.release.tag_name }}"
+ cancel-in-progress: true
+
+jobs:
+ update-docs:
+ env:
+ RTD_SLUG: ${{ vars.READTHEDOCS_SLUG }}
+ RTD_TOKEN: ${{ secrets.READTHEDOCS_TOKEN }}
+ TAG: ${{ github.event.release.tag_name }}
+ if: >-
+ !github.event.release.draft
+ runs-on: ubuntu-latest
+ steps:
+ - name: Get RTD_SLUG
+ run: |
+ # if the RTD_SLUG is not set, use the repository name in lowercase
+ if [ -z "${RTD_SLUG}" ]; then
+ RTD_SLUG=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]')
+ fi
+ echo "RTD_SLUG=${RTD_SLUG}" >> $GITHUB_ENV
+
+ - name: Deactivate deleted release
+ if: >-
+ github.event_name == 'release' &&
+ github.event.action == 'deleted'
+ run: |
+ json_body=$(jq -n \
+ --arg active "false" \
+ --arg hidden "false" \
+ --arg privacy_level "public" \
+ '{active: $active, hidden: $hidden, privacy_level: $privacy_level}')
+
+ curl \
+ -X PATCH \
+ -H "Authorization: Token ${RTD_TOKEN}" \
+ https://readthedocs.org/api/v3/projects/${RTD_SLUG}/versions/${TAG}/ \
+ -H "Content-Type: application/json" \
+ -d "$json_body"
+
+ - name: Check if edited release is latest GitHub release
+ id: check
+ if: >-
+ github.event_name == 'release' &&
+ github.event.action == 'edited'
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const latestRelease = await github.rest.repos.getLatestRelease({
+ owner: context.repo.owner,
+ repo: context.repo.repo
+ });
+
+ core.setOutput('isLatestRelease', latestRelease.data.tag_name === context.payload.release.tag_name);
+
+ - name: Update RTD project
+ # changing the default branch in readthedocs makes "latest" point to that branch/tag
+ # we can also update other properties like description, etc.
+ if: >-
+ steps.check.outputs.isLatestRelease == 'true'
+ run: |
+ json_body=$(jq -n \
+ --arg default_branch "${TAG}" \
+ --arg description "${{ github.event.repository.description }}" \
+ '{default_branch: $default_branch}')
+
+ curl \
+ -X PATCH \
+ -H "Authorization: Token ${RTD_TOKEN}" \
+ https://readthedocs.org/api/v3/projects/${RTD_SLUG}/ \
+ -H "Content-Type: application/json" \
+ -d "$json_body"
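Review bot: In the `Update RTD project` step, `--arg description "${{ github.event.repository.description }}"` splices the repository description into the shell script at template-expansion time, yet `$description` is never referenced by the jq filter `'{default_branch: $default_branch}'`, so the line adds a shell-injection surface (the description is free text and may contain quotes or `$(`) for no benefit; either delete it, or carry the value through the job `env:` block (`DESCRIPTION: ${{ github.event.repository.description }}`) and reference `"${DESCRIPTION}"` the way the step already does for `TAG`. The same pattern, with less exposure, is `${{ github.event.repository.name }}` in the `Get RTD_SLUG` step, which could be `${GITHUB_REPOSITORY##*/}` or another env entry. Both `curl` calls run without `--fail` (or `--fail-with-body`) and `-sS`, so a rejected PATCH (bad token, unknown slug or version) prints the API error but leaves the step green; adding `--fail-with-body -sS` makes the job reflect the result. Note also that `jq --arg active "false"` emits the JSON string `"false"` rather than a boolean, so `--argjson` is what sends `false` as presumably intended, unless the ReadTheDocs API is known to coerce strings.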