diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
new file mode 100644
index 0000000..c91b040
--- /dev/null
+++ b/.github/release-drafter.yml
@@ -0,0 +1,20 @@
+# Release Drafter config — https://github.com/release-drafter/release-drafter
+name-template: "$NEXT_PATCH_VERSION"
+tag-template: "v$NEXT_PATCH_VERSION"
+template: |
+ ## What's Changed
+
+ $CHANGES
+
+ **Full Changelog**: https://github.com/$OWNER/$REPOSITORY/compare/$PREVIOUS_TAG...v$RESOLVED_VERSION
+categories:
+ - title: "Features"
+ labels: [enhancement, feature]
+ - title: "Bug Fixes"
+ labels: [bug, fix]
+ - title: "CI and Infrastructure"
+ labels: [ci, infra, dependencies-changed, dependencies]
+ - title: "Documentation"
+ labels: [documentation, docs]
+exclude-labels: [skip-changelog]
+change-template: "- $TITLE @$AUTHOR (#$NUMBER)"
diff --git a/.github/workflows/auto-add-to-project.yml b/.github/workflows/auto-add-to-project.yml
new file mode 100644
index 0000000..73687b3
--- /dev/null
+++ b/.github/workflows/auto-add-to-project.yml
@@ -0,0 +1,16 @@
+# Automatically add new issues and PRs to the org-level GitHub Project.
+name: Auto add to project
+
+on:
+ issues:
+ types: [opened]
+ pull_request_target:
+ types: [opened]
+
+permissions: {}
+
+jobs:
+ add-to-project:
+ uses: Mininglamp-OSS/.github/.github/workflows/auto-add-to-project.yml@main
+ secrets:
+ PROJECT_TOKEN: ${{ secrets.PROJECT_TOKEN }}
diff --git a/.github/workflows/issue-welcome.yml b/.github/workflows/issue-welcome.yml
new file mode 100644
index 0000000..49da312
--- /dev/null
+++ b/.github/workflows/issue-welcome.yml
@@ -0,0 +1,11 @@
+name: Issue Welcome
+
+on:
+ issues:
+ types: [opened]
+
+jobs:
+ welcome:
+ permissions:
+ issues: write
+ uses: Mininglamp-OSS/.github/.github/workflows/issue-welcome.yml@main
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
new file mode 100644
index 0000000..1451fb8
--- /dev/null
+++ b/.github/workflows/labeler.yml
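Review bot: In `.github/release-drafter.yml`, `name-template` and `tag-template` use `$NEXT_PATCH_VERSION` while the changelog link inside `template` uses `v$RESOLVED_VERSION`. As far as I can tell the two agree only while no `version-resolver` is configured, so the compare link would point at a tag that is never created once someone adds one. Using a single variable in all three places, for example `tag-template: "v$RESOLVED_VERSION"`, avoids that drift.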
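Review bot: `auto-add-to-project.yml` hands `secrets.PROJECT_TOKEN` to a reusable workflow referenced by the mutable ref `@main` under a `pull_request_target` trigger, so whatever is on that branch at run time receives the token for every fork PR. Pin the callee to a reviewed commit, e.g. `uses: Mininglamp-OSS/.github/.github/workflows/auto-add-to-project.yml@<full-commit-sha> # main`, and let a dependency bot bump it. The same `@main` reference is used by every other workflow this commit adds (issue-welcome, labeler, octo-issue-feed, pr-contributor-welcome, release-drafter, release-publish, stale, workflow-sanity); the ones that pass secrets or grant `contents: write` matter most. Unlike labeler.yml and pr-contributor-welcome.yml, this file also has no comment stating why `pull_request_target` is acceptable here; a line such as `# metadata-only: no PR code is checked out or executed` above the trigger would record the intent.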
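Review bot: `issue-welcome.yml` is the only workflow in this commit without a top-level `permissions: {}`. The job-level `issues: write` already limits the token for `welcome`, but a job added later without its own `permissions:` block would fall back to the repository default. Adding `permissions: {}` above `jobs:` keeps the file consistent with the others.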
@@ -0,0 +1,28 @@
+name: PR Labeler
+
+on:
+ # pull_request_target runs in the context of the base repo and retains write
+ # access even for fork PRs — required because the reusable labeler calls the
+ # GitHub REST API to set labels and post comments (both need write tokens).
+ #
+ # Security: this workflow does NOT check out or execute any code from the PR
+ # branch; it only passes the PR number / owner / repo name to a reusable
+ # workflow that performs only API calls against the base repo. This matches
+ # the pattern used by auto-add-to-project.yml and octo-pr-feed.yml.
+ pull_request_target: # zizmor: ignore[dangerous-triggers] metadata-only automation; no PR code executed
+ types: [opened, synchronize, reopened]
+
+permissions: {}
+
+jobs:
+ label:
+ uses: Mininglamp-OSS/.github/.github/workflows/reusable-pr-labeler.yml@main
+ with:
+ pr_number: ${{ github.event.pull_request.number }}
+ repo_owner: ${{ github.repository_owner }}
+ repo_name: ${{ github.event.repository.name }}
+ permissions:
+ issues: write
+ pull-requests: write
+ # secrets: intentionally omitted — reusable-pr-labeler.yml uses only the
+ # inherited GITHUB_TOKEN granted via the job-level permissions above.
diff --git a/.github/workflows/octo-issue-feed.yml b/.github/workflows/octo-issue-feed.yml
new file mode 100644
index 0000000..f999622
--- /dev/null
+++ b/.github/workflows/octo-issue-feed.yml
@@ -0,0 +1,20 @@
+name: Octo Issue Feed
+
+on:
+ issues:
+ types: [opened, reopened]
+
+permissions: {}
+
+jobs:
+ notify:
+ uses: Mininglamp-OSS/.github/.github/workflows/octo-issue-feed.yml@main
+ with:
+ repo_name: ${{ github.event.repository.name }}
+ issue_number: ${{ github.event.issue.number }}
+ issue_title: ${{ github.event.issue.title }}
+ issue_url: ${{ github.event.issue.html_url }}
+ issue_author: ${{ github.event.issue.user.login }}
+ event_action: ${{ github.event.action }}
+ secrets:
+ OCTO_BOT_TOKEN: ${{ secrets.OCTO_BOT_TOKEN }}
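Review bot: The security comment and the `zizmor: ignore[dangerous-triggers]` suppression in `labeler.yml` assert that the reusable labeler performs only API calls, but that code lives in another repository and is not part of this diff, so the claim cannot be checked from here. The comment would be easier to audit if it named the callee revision that was reviewed, e.g. `# reviewed at <full-commit-sha>: API calls only, no checkout`. It also cites `octo-pr-feed.yml` as precedent; this commit adds `octo-issue-feed.yml` but no file of that name, so the reference may be stale and is worth checking.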
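Review bot: `issue_title: ${{ github.event.issue.title }}` in `octo-issue-feed.yml` forwards text that any issue author controls into a reusable workflow that also receives `OCTO_BOT_TOKEN`. The callee is not visible in this diff; if it expands `${{ inputs.issue_title }}` directly inside a `run:` script the title would be interpreted by the shell, so confirm that it reads the value through an `env:` variable instead. A comment above the `with:` block such as `# issue_title is untrusted user input; the callee must pass it via env, never inline in run:` would record that contract on the caller side.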
diff --git a/.github/workflows/pr-contributor-welcome.yml b/.github/workflows/pr-contributor-welcome.yml
new file mode 100644
index 0000000..976201c
--- /dev/null
+++ b/.github/workflows/pr-contributor-welcome.yml
@@ -0,0 +1,13 @@
+name: PR Contributor Welcome
+
+on:
+ pull_request_target: # zizmor: ignore[dangerous-triggers] metadata-only automation; no PR code executed
+ types: [opened]
+
+permissions: {}
+
+jobs:
+ welcome:
+ uses: Mininglamp-OSS/.github/.github/workflows/reusable-pr-contributor-welcome.yml@main
+ permissions:
+ issues: write
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
new file mode 100644
index 0000000..e8c4084
--- /dev/null
+++ b/.github/workflows/release-drafter.yml
@@ -0,0 +1,15 @@
+name: Release Drafter
+
+on:
+ push:
+ branches: [main]
+ workflow_dispatch:
+
+permissions: {}
+
+jobs:
+ draft:
+ uses: Mininglamp-OSS/.github/.github/workflows/reusable-release-drafter.yml@main
+ permissions:
+ contents: write
+ pull-requests: read
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
new file mode 100644
index 0000000..b024d35
--- /dev/null
+++ b/.github/workflows/release-publish.yml
@@ -0,0 +1,31 @@
+name: Release Publish
+
+on:
+ workflow_dispatch:
+ inputs:
+ tag:
+ description: "Release tag to publish (e.g. v1.4.0)"
+ required: true
+ type: string
+ validate_run_id:
+ description: "Required: successful CI run ID from the tagged commit as release evidence"
+ required: true
+ type: string
+ draft:
+ description: "Keep as draft instead of publishing"
+ required: false
+ type: boolean
+ default: false
+
+permissions: {}
+
+jobs:
+ publish:
+ uses: Mininglamp-OSS/.github/.github/workflows/reusable-release-publish.yml@main
+ with:
+ tag: ${{ inputs.tag }}
+ validate_run_id: ${{ inputs.validate_run_id }}
+ draft: ${{ inputs.draft }}
+ permissions:
+ contents: write
+ actions: read
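Review bot: `pr-contributor-welcome.yml` grants the `welcome` job only `issues: write`, whereas labeler.yml grants both `issues: write` and `pull-requests: write` for what its comment describes as setting labels and posting comments on PRs. Posting a comment on a pull request with `GITHUB_TOKEN` normally needs `pull-requests: write`, so the welcome comment may be rejected as not accessible; the callee is not visible here, so this is worth a test run on a fork PR. If the callee does comment on the PR, add `pull-requests: write` under `permissions:`.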
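Review bot: `release-publish.yml` describes `validate_run_id` as release evidence, but nothing in this file shows how the run is tied to `tag`; both are free-form strings passed straight to the callee together with `contents: write`. The check presumably lives in `reusable-release-publish.yml`, which is outside this diff. A comment above the `with:` block stating the expected contract, e.g. `# callee must verify the run concluded successfully and its head SHA equals the commit that tag points to`, would let a reviewer of this repo see what the gate is meant to enforce.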
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
new file mode 100644
index 0000000..5e9eacf
--- /dev/null
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,15 @@
+name: Stale
+
+on:
+ schedule:
+ - cron: "0 3 * * *"
+ workflow_dispatch:
+
+permissions: {}
+
+jobs:
+ stale:
+ uses: Mininglamp-OSS/.github/.github/workflows/reusable-stale.yml@main
+ permissions:
+ issues: write
+ pull-requests: write
diff --git a/.github/workflows/workflow-sanity.yml b/.github/workflows/workflow-sanity.yml
new file mode 100644
index 0000000..ef27588
--- /dev/null
+++ b/.github/workflows/workflow-sanity.yml
@@ -0,0 +1,19 @@
+name: Workflow Sanity
+
+on:
+ pull_request:
+ paths:
+ - '.github/workflows/**'
+ - '.github/actions/**'
+ push:
+ branches: [main]
+ paths:
+ - '.github/workflows/**'
+
+permissions: {}
+
+jobs:
+ sanity:
+ uses: Mininglamp-OSS/.github/.github/workflows/workflow-sanity.yml@main
+ permissions:
+ contents: read
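Review bot: In `workflow-sanity.yml` the `pull_request` filter covers both `.github/workflows/**` and `.github/actions/**`, but the `push` filter lists only `.github/workflows/**`, so a direct push to main that touches a composite action is not re-checked. If that is not intended, add `- '.github/actions/**'` under `push.paths`. If it is intended, a short comment on the `push` block saying why actions are excluded would prevent the asymmetry from being read as an oversight.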