fix(release): Changelog Generator (#9)

jkroepke · web-flow · commit 67283a7b091d · 2025-05-08T08:11:26.000+02:00
diff --git a/.env b/.env
@@ -57,5 +57,5 @@ INPUT_MILLISECONDS=2400
 # RUNNER_DEBUG=""
 # RUNNER_NAME=""
 # RUNNER_OS=""
-RUNNER_TEMP=".local/tmp"
-RUNNER_TOOL_CACHE=".local/cache"
+RUNNER_TEMP=.local/tmp
+RUNNER_TOOL_CACHE=.local/cache
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,11 +7,14 @@ on: # rebuild any PRs and main branch changes
   push:
     branches:
       - main
-      - 'releases/*'
+
+permissions: {}
 
 jobs:
   build: # make sure build/ci work properly
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
@@ -24,6 +27,8 @@ jobs:
           git diff --exit-code ':!dist/index.js.map' ':!badges/coverage.svg'
   test: # make sure the action works on a clean machine without building
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
@@ -42,3 +47,65 @@ jobs:
           version: 0.28.0
       - name: Get the version
         run: stackit --version | grep 0.28.0
+
+  super-lint:
+    name: super-lint
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Lint Code Base
+        uses: super-linter/super-linter/slim@4e8a7c2bf106c4c766c816b35ec612638dc9b6b2 # v7.3.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          MULTI_STATUS: false
+          LINTER_RULES_PATH: .
+          VALIDATE_ALL_CODEBASE: true
+          VALIDATE_BASH: true
+          VALIDATE_BASH_EXEC: true
+          VALIDATE_EDITORCONFIG: true
+          VALIDATE_ENV: true
+          VALIDATE_GITHUB_ACTIONS: true
+          VALIDATE_HTML: true
+          # VALIDATE_JSON: true
+          VALIDATE_NATURAL_LANGUAGE: true
+          # VALIDATE_RENOVATE: true
+          VALIDATE_SHELL_SHFMT: true
+          VALIDATE_XML: true
+          VALIDATE_YAML: true
+
+  release:
+    if: github.repository_owner == 'jkroepke' && github.ref_name == 'main'
+    name: Release
+    runs-on: ubuntu-latest
+    needs:
+      - build
+      - test
+      - super-lint
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        id: app-token
+        with:
+          app-id: 1248576
+          private-key: ${{ secrets.APP_RENOVATE_HELPER_PRIVATE_KEY }}
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: '22'
+      - name: Install dependencies
+        run: npm clean-install
+      - name: Release
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: npx semantic-release
diff --git a/.github/workflows/release-changelog.yaml b/.github/workflows/release-changelog.yaml
@@ -3,17 +3,21 @@ on:
   release:
     types: [published]
 
+permissions: {}
+
 jobs:
   regenerate:
     if: github.repository_owner == 'jkroepke'
     name: 'regenerate'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Update notes
         run: |
           NEW_NOTES=$(gh api --method POST -H "Accept: application/vnd.github+json" /repos/${{ github.repository }}/releases/generate-notes  -f tag_name=${{ github.ref_name }} | jq -r '.body')
           RELEASE_ID=$(gh api -H "Accept: application/vnd.github+json" /repos/${{ github.repository }}/releases/tags/${{ github.ref_name }} | jq -r '.id')
-          gh api --method PATCH -H "Accept: application/vnd.github+json" /repos/${{ github.repository }}/releases/$RELEASE_ID -f body=$NEW_NOTES
+          gh api --method PATCH -H "Accept: application/vnd.github+json" "/repos/${{ github.repository }}/releases/$RELEASE_ID" -f "body=$NEW_NOTES"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           RELEASE_TAG: ${{ github.event.release.tag_name }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
diff --git a/.github/workflows/update-major-tag.yaml b/.github/workflows/update-major-tag.yaml
@@ -15,7 +15,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - run: |
-          TAG=${{ github.ref_name }}
-          TAG=${TAG%%.*}
-          git tag -f ${TAG}
+          TAG="${{ github.ref_name }}"
+          TAG="${TAG%%.*}"
+          git tag -f "${TAG}"
           git push --tags --force
