diff --git a/.github/workflows/auto-changelog.yml b/.github/workflows/auto-changelog.yml index 436bdc92..ceeed77a 100644 --- a/.github/workflows/auto-changelog.yml +++ b/.github/workflows/auto-changelog.yml @@ -10,8 +10,8 @@ jobs: update-draft: runs-on: ubuntu-latest steps: - - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 - name: Draft Release uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} diff --git a/.github/workflows/auto-versioning.yml b/.github/workflows/auto-versioning.yml index 222cd9c9..e169bbae 100644 --- a/.github/workflows/auto-versioning.yml +++ b/.github/workflows/auto-versioning.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: fetch-depth: 0 
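Review bot: Renaming the env key from `GITHUB_TOKEN` to `CHARON_TOKEN` on the Draft Release step changes the variable name the action looks up, not just which secret feeds it; release-drafter reads its token from the `GITHUB_TOKEN` environment variable per its documented usage, so after this hunk the step runs with no token at all. If the intent is to run with the PAT, keep the key and change only the value, `GITHUB_TOKEN: ${{ secrets.CHARON_TOKEN }}`, or with a fallback for repos where the secret is not defined, `GITHUB_TOKEN: ${{ secrets.CHARON_TOKEN || secrets.GITHUB_TOKEN }}`. The same key rename hits the softprops/action-gh-release step in auto-versioning.yml (which reads `GITHUB_TOKEN` from env or its `token` input and otherwise falls back to the default `github.token`, so the PAT is silently not used there) and the job-level env of release-goreleaser.yml, where GoReleaser likewise expects `GITHUB_TOKEN` unless a step outside the hunk exports it. Note also that a PAT is not bounded by the workflow's `permissions:` block the way the ephemeral `GITHUB_TOKEN` is, so each of these steps now acts with whatever scopes the PAT carries.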
@@ -60,28 +60,42 @@ jobs: # Export the tag for downstream steps echo "tag=${TAG}" >> $GITHUB_OUTPUT env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} + + - name: Determine tag + id: determine_tag + run: | + # Prefer created tag output; if empty fallback to semver version + TAG="${{ steps.create_tag.outputs.tag }}" + if [ -z "$TAG" ]; then + # semver.version contains a tag value like 'vX.Y.Z' or fallback 'v0.0.0' + VERSION_RAW="${{ steps.semver.outputs.version }}" + VERSION_NO_V="${VERSION_RAW#v}" + TAG="v${VERSION_NO_V}" + fi + echo "Determined tag: $TAG" + echo "tag=$TAG" >> $GITHUB_OUTPUT - name: Check for existing GitHub Release id: check_release run: | - TAG=${{ steps.create_tag.outputs.tag }} + TAG=${{ steps.determine_tag.outputs.tag }} echo "Checking for release for tag: ${TAG}" - STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${GITHUB_TOKEN}" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}") || true + STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${CHARON_TOKEN}" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}") || true if [ "${STATUS}" = "200" ]; then echo "exists=true" >> $GITHUB_OUTPUT else echo "exists=false" >> $GITHUB_OUTPUT fi env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} - name: Create GitHub Release (tag-only, no workspace changes) if: ${{ steps.semver.outputs.changed && steps.check_release.outputs.exists == 'false' }} uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2 with: - tag_name: ${{ steps.create_tag.outputs.tag }} - name: Release ${{ steps.create_tag.outputs.tag }} + tag_name: ${{ steps.determine_tag.outputs.tag }} + name: Release ${{ steps.determine_tag.outputs.tag }} body: ${{ steps.semver.outputs.release_notes }} env: - GITHUB_TOKEN: ${{ 
secrets.GITHUB_TOKEN }} + CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index e9d88387..7e00f72e 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -24,7 +24,7 @@ jobs: name: Performance Regression Check runs-on: ubuntu-latest steps: - - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 - name: Set up Go uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6 @@ -42,7 +42,7 @@ jobs: name: Go Benchmark tool: 'go' output-file-path: backend/output.txt - github-token: ${{ secrets.GITHUB_TOKEN }} + github-token: ${{ secrets.CHARON_TOKEN }} auto-push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} # Show alert with commit comment on detection of performance regression alert-threshold: '150%' diff --git a/.github/workflows/codecov-upload.yml b/.github/workflows/codecov-upload.yml index ff218bfd..32a16b52 100644 --- a/.github/workflows/codecov-upload.yml +++ b/.github/workflows/codecov-upload.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: fetch-depth: 0 @@ -47,7 +47,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: fetch-depth: 0 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index f3dbf918..bd02dea9 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
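Review bot: The new `Determine tag` step never fails: when `steps.create_tag.outputs.tag` is empty it falls back to `steps.semver.outputs.version`, which the inline comment says can itself be the placeholder `v0.0.0`, so the downstream `check_release` and `Create GitHub Release` steps can proceed with a tag that was never pushed and publish a `v0.0.0` release. Guard the fallback instead of silently synthesising a tag, e.g. after computing it `if [ -z "$TAG" ] || [ "$TAG" = "v0.0.0" ]; then echo "no release tag determined" >&2; exit 1; fi`, or additionally gate the release step on `steps.create_tag.outputs.tag != ''`. Separately, the `${{ steps.*.outputs.* }}` values are interpolated straight into the `run:` scripts; they originate from this workflow's own steps, so the risk is low, but passing them through `env:` and reading `$TAG` keeps the shell out of the expression path and also fixes the unquoted `TAG=${{ ... }}` assignment in `check_release`.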
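Review bot: `github-token: ${{ secrets.CHARON_TOKEN }}` replaces the job-scoped `GITHUB_TOKEN` with a PAT that is empty whenever the secret is not defined or the run comes from a fork pull request (secrets other than `GITHUB_TOKEN` are not exposed there), and the `auto-push` expression shows this workflow runs on events other than `push`, so the commit-comment path would then make unauthenticated API calls and fail. A fallback keeps the old behaviour wherever the PAT is absent: `github-token: ${{ secrets.CHARON_TOKEN || secrets.GITHUB_TOKEN }}`. The same applies to `token: ${{ secrets.CHARON_TOKEN }}` on the upload-sarif step in docker-publish.yml; in both places the PAT escapes the workflow's `permissions:` scoping, so it should be scoped to no more than those two steps actually need.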
@@ -31,7 +31,7 @@ jobs: language: [ 'go', 'javascript-typescript' ] steps: - name: Checkout repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 - name: Initialize CodeQL uses: github/codeql-action/init@fe4161a26a8629af62121b670040955b330f9af2 # v4 diff --git a/.github/workflows/docker-lint.yml b/.github/workflows/docker-lint.yml index 06359f57..91fc80ff 100644 --- a/.github/workflows/docker-lint.yml +++ b/.github/workflows/docker-lint.yml @@ -14,7 +14,7 @@ jobs: hadolint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 - name: Run Hadolint uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0 diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 32dce119..a61f13c5 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -169,7 +169,7 @@ jobs: uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6 with: sarif_file: 'trivy-results.sarif' - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ secrets.CHARON_TOKEN }} - name: Create summary if: steps.skip.outputs.skip_build != 'true' @@ -279,7 +279,7 @@ jobs: if: github.event_name == 'pull_request' steps: - name: Checkout repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 - name: Build image locally for PR run: | diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index be3672be..faa2b69d 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml 
@@ -29,7 +29,7 @@ jobs: steps: # Step 1: Get the code - name: 📥 Checkout code - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 # Step 2: Set up Node.js (for building any JS-based doc tools) - name: 🔧 Set up Node.js diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 7a4e4bbd..71bd7839 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -55,7 +55,7 @@ jobs: continue-on-error: false - name: Run golangci-lint - uses: golangci/golangci-lint-action@e7fa5ac41e1cf5b7d48e45e42232ce7ada589601 # v9.1.0 + uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 with: version: latest working-directory: backend @@ -69,7 +69,7 @@ jobs: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Set up Node.js - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: '24.11.1' cache: 'npm' diff --git a/.github/workflows/release-goreleaser.yml b/.github/workflows/release-goreleaser.yml index 5afbab69..224950eb 100644 --- a/.github/workflows/release-goreleaser.yml +++ b/.github/workflows/release-goreleaser.yml @@ -13,13 +13,13 @@ jobs: goreleaser: runs-on: ubuntu-latest env: - # Use the built-in GITHUB_TOKEN by default for GitHub API operations. + # Use the built-in CHARON_TOKEN by default for GitHub API operations. # If you need to provide a PAT with elevated permissions, add a CHARON_TOKEN secret # at the repo or organization level and update the env here accordingly. - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} steps: - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: fetch-depth: 0 
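Review bot: The rewritten comment `# Use the built-in CHARON_TOKEN by default for GitHub API operations.` is inaccurate: `CHARON_TOKEN` is not built-in, and the two lines directly below still describe it as an optional PAT secret to be added at repo or organization level, so the header now contradicts itself. Reword it to match the value actually set, e.g. `# Use the CHARON_TOKEN PAT secret for GitHub API operations (added at repo or org level, see below).`, or, if the documented default is meant to survive, set `GITHUB_TOKEN: ${{ secrets.CHARON_TOKEN || secrets.GITHUB_TOKEN }}` so the "by default" wording stays true. The replaced comment in the later hunk of this file, `# CHARON_TOKEN is set from CHARON_TOKEN or CPMP_TOKEN (fallback), defaulting to GITHUB_TOKEN`, has the same problem: it describes a variable as derived from itself, and that hunk's only other change is a stray added blank line.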
@@ -47,7 +47,8 @@ jobs: with: version: 0.13.0 - # GITHUB_TOKEN is set from CHARON_TOKEN or CPMP_TOKEN (fallback), defaulting to GITHUB_TOKEN + # CHARON_TOKEN is set from CHARON_TOKEN or CPMP_TOKEN (fallback), defaulting to GITHUB_TOKEN + - name: Run GoReleaser uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6 diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 5f1d1962..c142ab8d 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: fetch-depth: 1 - name: Choose Renovate Token diff --git a/.github/workflows/renovate_prune.yml b/.github/workflows/renovate_prune.yml index b75e836b..7089e435 100644 --- a/.github/workflows/renovate_prune.yml +++ b/.github/workflows/renovate_prune.yml @@ -26,15 +26,15 @@ jobs: run: | if [ -n "${{ secrets.CHARON_TOKEN }}" ]; then echo "Using CHARON_TOKEN" >&2 - echo "GITHUB_TOKEN=${{ secrets.CHARON_TOKEN }}" >> $GITHUB_ENV + echo "CHARON_TOKEN=${{ secrets.CHARON_TOKEN }}" >> $GITHUB_ENV else echo "Using CPMP_TOKEN fallback" >&2 - echo "GITHUB_TOKEN=${{ secrets.CPMP_TOKEN }}" >> $GITHUB_ENV + echo "CHARON_TOKEN=${{ secrets.CPMP_TOKEN }}" >> $GITHUB_ENV fi - name: Prune renovate branches uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: - github-token: ${{ env.GITHUB_TOKEN }} + github-token: ${{ env.CHARON_TOKEN }} script: | const owner = context.repo.owner; const repo = context.repo.repo;
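Review bot: The token-selection step still writes the chosen secret into the job environment with `echo "CHARON_TOKEN=${{ secrets.CHARON_TOKEN }}" >> $GITHUB_ENV`, which exports the PAT to every later step in the job and routes the secret through shell interpolation, and after this rename the variable `CHARON_TOKEN` may actually hold the `CPMP_TOKEN` value, which the log lines then have to explain. The whole step can be replaced by an expression on the consuming input: `github-token: ${{ secrets.CHARON_TOKEN || secrets.CPMP_TOKEN }}` gives the same precedence (an unset secret is an empty, falsy string) without touching `GITHUB_ENV` or the shell. If the "Using ..." diagnostics are wanted, keep those two `echo ... >&2` lines and drop only the export lines.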