fix: split release-drafter into dedicated reusable workflows for drafting and PR labeling (#71)

* fix: split release-drafter into separate reusable workflows for release drafting and PR labeling

Co-authored-by: 2bndy5 <14963867+2bndy5@users.noreply.github.com>

* fix: add zizmor ignore comments for secrets-outside-env audit rule

Co-authored-by: 2bndy5 <14963867+2bndy5@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: 2bndy5 <14963867+2bndy5@users.noreply.github.com>

Author: Copilot

.github/workflows/pr-labeler.yml

@@ -0,0 +1,17 @@
+name: PR Labeler
+
+on:
+  workflow_call:
+
+jobs:
+  label_pr:
+    permissions:
+      # write permission is required for autolabeler
+      pull-requests: write
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      # Automatically label pull requests based on the release-drafter config
+      - uses: release-drafter/release-drafter/autolabeler@3a7fb5c85b80b1dda66e1ccb94009adbbd32fce3 # v7.0.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/py-coverage.yml

@@ -39,7 +39,7 @@ jobs:
 
       - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
         env:
-          CODECOV_TOKEN: ${{secrets.CODECOV_TOKEN}}
+          CODECOV_TOKEN: ${{secrets.CODECOV_TOKEN}} # zizmor: ignore[secrets-outside-env]
         with:
           files: ./coverage.xml
           fail_ci_if_error: true # optional (default = false)

.github/workflows/py-publish.yml

@@ -41,12 +41,12 @@ jobs:
       if: startsWith(github.repository, 'cpp-linter') && !startsWith(github.ref, 'refs/tags/')
       env:
         TWINE_USERNAME: __token__
-        TWINE_PASSWORD: ${{ secrets.TEST_PYPI_TOKEN }}
+        TWINE_PASSWORD: ${{ secrets.TEST_PYPI_TOKEN }} # zizmor: ignore[secrets-outside-env]
       run: twine upload --repository testpypi dist/*
 
     - name: Publish package (to PyPI)
       if: startsWith(github.repository, 'cpp-linter') && startsWith(github.ref, 'refs/tags/')
       env:
         TWINE_USERNAME: __token__
-        TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+        TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} # zizmor: ignore[secrets-outside-env]
       run: twine upload dist/*

.github/workflows/release-drafter.yml

@@ -14,13 +14,11 @@ jobs:
     permissions:
       # write permission is required to create a github release
       contents: write
-      # write permission is required for autolabeler
-      # otherwise, read permission is required at least
-      pull-requests: write
+      pull-requests: read
     runs-on: ubuntu-latest
     steps:
       # Draft your next Release notes as Pull Requests are merged into the default branch
-      - uses: release-drafter/release-drafter@6db134d15f3909ccc9eefd369f02bd1e9cffdf97 # v6.2.0
+      - uses: release-drafter/release-drafter@3a7fb5c85b80b1dda66e1ccb94009adbbd32fce3 # v7.0.0
         with:
           commitish: '${{ inputs.commitish }}'
         env:

.github/workflows/snyk-container.yml

@@ -17,7 +17,7 @@ jobs:
         # In order to use the Snyk Action you will need to have a Snyk API token.
         # More details in https://github.com/snyk/actions#getting-your-snyk-token
         # or you can sign up for free at https://snyk.io/login
-        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # zizmor: ignore[secrets-outside-env]
       with:
         image: xianpengshen/clang-tools:all
         args: --severity-threshold=high --file=Dockerfile.all