chore: update global workflows (#231)

Co-authored-by: ReenigneArcher <[email protected]>

Author: LizardByte-bot

.github/workflows/ci.yml

@@ -1,5 +1,7 @@
 ---
 name: Jekyll CI
+permissions:
+  contents: read
 
 on:
   pull_request:
@@ -20,16 +22,18 @@ concurrency:
 jobs:
   call-jekyll-build:
     uses: ./.github/workflows/jekyll-build.yml
-    with:
-      target_branch: gh-pages
-      clean_gh_pages: true
     secrets:
       GH_BOT_EMAIL: ${{ secrets.GH_BOT_EMAIL }}
       GH_BOT_NAME: ${{ secrets.GH_BOT_NAME }}
       GH_BOT_TOKEN: ${{ secrets.GH_BOT_TOKEN }}
+    with:
+      target_branch: gh-pages
+      clean_gh_pages: true
 
   release:
     if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+    permissions:
+      contents: write  # needed for setup-release-action
     runs-on: ubuntu-latest
     steps:
       - name: Setup Release

.github/workflows/codeql.yml

@@ -1,17 +1,21 @@
 ---
-# This action is centrally managed in https://github.com/<organization>/.github/
+# This workflow is centrally managed in https://github.com/<organization>/.github/
 # Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in
 # the above-mentioned repo.
 
 # This workflow will analyze all supported languages in the repository using CodeQL Analysis.
 
 name: "CodeQL"
+permissions:
+  contents: read
 
 on:
   push:
-    branches: ["master"]
+    branches:
+      - master
   pull_request:
-    branches: ["master"]
+    branches:
+      - master
   schedule:
     - cron: '00 12 * * 0'  # every Sunday at 12:00 UTC
 
@@ -22,14 +26,17 @@ concurrency:
 jobs:
   languages:
     name: Get language matrix
-    runs-on: ubuntu-latest
     outputs:
       matrix: ${{ steps.lang.outputs.result }}
       continue: ${{ steps.continue.outputs.result }}
+    runs-on: ubuntu-latest
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
       - name: Get repo languages
-        uses: actions/github-script@v7
         id: lang
+        uses: actions/github-script@v7
         with:
           script: |
             // CodeQL supports ['cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift']
@@ -54,6 +61,22 @@ jobs:
             // Track languages we've already added to avoid duplicates
             const addedLanguages = new Set()
 
+            // Check if workflow files exist to determine if we should add actions language
+            const fs = require('fs');
+            const hasYmlFiles = fs.existsSync('.github/workflows') &&
+            fs.readdirSync('.github/workflows').some(file => file.endsWith('.yml') || file.endsWith('.yaml'));
+
+            // Add actions language if workflow files exist
+            if (hasYmlFiles) {
+              console.log('Found GitHub Actions workflow files. Adding actions to the matrix.');
+              matrix['include'].push({
+                "category": "/language:actions",
+                "language": "actions",
+                "name": "actions",
+                "os": "ubuntu-latest"
+              });
+            }
+
             for (let [key, value] of Object.entries(response.data)) {
               // remap language
               if (remap_languages[key.toLowerCase()]) {
@@ -78,11 +101,18 @@ jobs:
                   // set name for matrix
                   let name = osList.length === 1 ? normalizedKey : `${normalizedKey}, ${os}`
 
+                  // set category for matrix
+                  let category = `/language:${normalizedKey}`
+                  if (normalizedKey === 'cpp') {
+                    category = `/language:cpp-${os.split('-')[0]}`
+                  }
+
                   // add to matrix
                   matrix['include'].push({
+                    "category": category,
                     "language": normalizedKey,
-                    "os": os,
-                    "name": name
+                    "name": name,
+                    "os": os
                   })
                 }
               }
@@ -94,8 +124,8 @@ jobs:
             return matrix
 
       - name: Continue
-        uses: actions/github-script@v7
         id: continue
+        uses: actions/github-script@v7
         with:
           script: |
             // if matrix['include'] is an empty list return false, otherwise true
@@ -109,24 +139,22 @@ jobs:
 
   analyze:
     name: Analyze (${{ matrix.name }})
-    if: ${{ needs.languages.outputs.continue == 'true' }}
+    if: needs.languages.outputs.continue == 'true'
     defaults:
       run:
         shell: ${{ matrix.os == 'windows-latest' && 'msys2 {0}' || 'bash' }}
     env:
       GITHUB_CODEQL_BUILD: true
-    needs: [languages]
-    runs-on: ${{ matrix.os || 'ubuntu-latest' }}
-    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    needs: languages
     permissions:
       actions: read
       contents: read
       security-events: write
-
+    runs-on: ${{ matrix.os || 'ubuntu-latest' }}
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.languages.outputs.matrix) }}
-
+    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
     steps:
       - name: Maximize build space
         if: >-
@@ -174,8 +202,7 @@ jobs:
               - third-party
 
       # Pre autobuild
-      # create a file named .codeql-prebuild-${{ matrix.language }}.sh in the root of your repository
-      # create a file named .codeql-build-${{ matrix.language }}.sh in the root of your repository
+      # create a file named .codeql-prebuild-${{ matrix.language }}-${{ runner.os }}.sh in the root of your repository
       - name: Prebuild
         id: prebuild
         run: |
@@ -194,7 +221,7 @@ jobs:
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
         with:
-          category: "/language:${{matrix.language}}"
+          category: "${{ matrix.category }}"
           output: sarif-results
           upload: failure-only
 
@@ -211,11 +238,13 @@ jobs:
       - name: Upload SARIF
         uses: github/codeql-action/upload-sarif@v3
         with:
+          category: "${{ matrix.category }}"
           sarif_file: sarif-results/${{ matrix.language }}.sarif
 
       - name: Upload loc as a Build Artifact
         uses: actions/upload-artifact@v4
         with:
           name: sarif-results-${{ matrix.language }}-${{ runner.os }}
           path: sarif-results
+          if-no-files-found: error
           retention-days: 1

.github/workflows/common-lint.yml

@@ -1,16 +1,22 @@
 ---
-# This action is centrally managed in https://github.com/<organization>/.github/
+# This workflow is centrally managed in https://github.com/<organization>/.github/
 # Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in
 # the above-mentioned repo.
 
 # Common linting.
 
 name: common lint
+permissions:
+  contents: read
 
 on:
   pull_request:
-    branches: [master]
-    types: [opened, synchronize, reopened]
+    branches:
+      - master
+    types:
+      - opened
+      - synchronize
+      - reopened
 
 concurrency:
   group: "${{ github.workflow }}-${{ github.ref }}"
@@ -77,9 +83,10 @@ jobs:
 
       - name: C++ - Clang format lint
         if: always() && steps.cpp_files.outputs.found_files
-        uses: DoozyX/clang-format-lint-action@v0.18
+        uses: DoozyX/clang-format-lint-action@v0.20
         with:
           source: ${{ steps.cpp_files.outputs.found_files }}
+          clangFormatVersion: '20'
           extensions: 'c,cpp,h,hpp,m,mm'
           style: file
           inplace: false
@@ -263,5 +270,4 @@ jobs:
 
       - name: YAML - log
         if: always() && steps.yamllint.outcome == 'failure'
-        run: |
-          cat "${{ steps.yamllint.outputs.logfile }}" >> $GITHUB_STEP_SUMMARY
+        run: cat "${{ steps.yamllint.outputs.logfile }}" >> $GITHUB_STEP_SUMMARY

.github/workflows/issues.yml

@@ -1,17 +1,22 @@
 ---
-# This action is centrally managed in https://github.com/<organization>/.github/
+# This workflow is centrally managed in https://github.com/<organization>/.github/
 # Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in
 # the above-mentioned repo.
 
 # Label and un-label actions using `../label-actions.yml`.
 
 name: Issues
+permissions: {}
 
 on:
   issues:
-    types: [labeled, unlabeled]
+    types:
+      - labeled
+      - unlabeled
   discussion:
-    types: [labeled, unlabeled]
+    types:
+      - labeled
+      - unlabeled
 
 jobs:
   label:

.github/workflows/jekyll-build.yml

@@ -1,5 +1,7 @@
 ---
 name: Build Jekyll
+permissions:
+  contents: read
 
 on:
   workflow_call:
@@ -83,14 +85,14 @@ jobs:
           path: theme
 
       - name: Download input artifact
-        if: ${{ inputs.site_artifact != '' }}
+        if: inputs.site_artifact != ''
         uses: actions/download-artifact@v4
         with:
           name: ${{ inputs.site_artifact }}
           path: project
 
       - name: Extract archive
-        if: ${{ inputs.site_artifact != '' && inputs.extract_archive != '' }}
+        if: inputs.site_artifact != '' && inputs.extract_archive != ''
         working-directory: project
         run: |
           case "${{ inputs.extract_archive }}" in
@@ -111,7 +113,7 @@ jobs:
           rm -f "${{ inputs.extract_archive }}"
 
       - name: Setup project
-        if: ${{ github.repository == 'LizardByte/LizardByte.github.io' }}
+        if: github.repository == 'LizardByte/LizardByte.github.io'
         run: |
           mkdir -p ./project
           cp -RT ./theme/ ./project/
@@ -172,8 +174,7 @@ jobs:
           ruby-version: '3.3'
 
       - name: Install dependencies
-        run: |
-          bundle install
+        run: bundle install
 
       - name: Setup Pages
         id: configure-pages
@@ -208,8 +209,7 @@ jobs:
 
       - name: Prepare Artifacts  # uploading artifacts may fail if not zipped due to very large quantity of files
         shell: bash
-        run: |
-          7z a _site.zip ./_site/*
+        run: 7z a _site.zip ./_site/*
 
       - name: Upload artifact
         uses: actions/upload-artifact@v4
@@ -224,8 +224,8 @@ jobs:
     name: Deploy to Pages
     if: >-
       (github.event_name == 'push' && github.ref == 'refs/heads/master') ||
-      (github.event_name == 'schedule') ||
-      (github.event_name == 'workflow_dispatch')
+      github.event_name == 'schedule' ||
+      github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
     needs: build
     steps:
@@ -237,11 +237,10 @@ jobs:
           persist-credentials: false  # otherwise, the token used is the GITHUB_TOKEN, instead of the personal token
           fetch-depth: 0  # otherwise, will fail to push refs to dest repo
 
+      # empty contents of gh-pages
       - name: Clean
-        if: ${{ inputs.clean_gh_pages }}
-        run: |
-          # empty contents of gh-pages
-          rm -f -r ./gh-pages/*
+        if: inputs.clean_gh_pages
+        run: rm -f -r ./gh-pages/*
 
       - name: Download artifact
         uses: actions/download-artifact@v4

README.md

@@ -25,6 +25,8 @@ This repo contains a reusable workflow to allow for building gh-pages subproject
 ```yml
 ---
 name: Jekyll CI
+permissions:
+  contents: read
 
 on:
  pull_request:
@@ -61,14 +63,14 @@ jobs:
   call-jekyll-build:
     needs: prep
     uses: LizardByte/LizardByte.github.io/.github/workflows/jekyll-build.yml@master
-    with:
-      site_artifact: 'prep'  # any name except 'site' is allowed
-      target_branch: 'gh-pages'
-      clean_gh_pages: true
     secrets:
       GH_BOT_EMAIL: ${{ secrets.GH_BOT_EMAIL }}
       GH_BOT_NAME: ${{ secrets.GH_BOT_NAME }}
       GH_BOT_TOKEN: ${{ secrets.GH_BOT_TOKEN }}
+    with:
+      site_artifact: 'prep'  # any name except 'site' is allowed
+      target_branch: 'gh-pages'
+      clean_gh_pages: true
 ```
 
 For additional options see [jekyll-build.yml](.github/workflows/jekyll-build.yml)