Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}

permissions:
contents: read

env:
CARGO_TERM_COLOR: always
# CI does clean builds, so incremental compilation tracking adds I/O overhead
Expand Down
40 changes: 40 additions & 0 deletions .github/workflows/codeql.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
name: codeql

on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '23 3 * * 1'

permissions:
contents: read

jobs:
analyze:
runs-on: ubuntu-24.04
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [actions, rust]
steps:
- name: Checkout repository
uses: actions/checkout@v6

- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
queries: +security-extended

- name: Autobuild
if: matrix.language == 'rust'
uses: github/codeql-action/autobuild@v4

- name: Analyze
uses: github/codeql-action/analyze@v4
3 changes: 3 additions & 0 deletions .github/workflows/nightly-benchmark.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,9 @@ on:
- cron: '17 4 * * *'
workflow_dispatch:

permissions:
contents: read

env:
CARGO_TERM_COLOR: always
CARGO_INCREMENTAL: 0
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/nightly.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,9 @@ on:
- cron: '37 5 * * *'
workflow_dispatch:

permissions:
contents: read

env:
CARGO_TERM_COLOR: always
CARGO_INCREMENTAL: 0
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/publish-docs.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

jobs:
build-docs:
runs-on: ubuntu-24.04
Expand Down
19 changes: 17 additions & 2 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,7 @@
# (via upload-artifact/download-artifact) is fine since it's scoped to the
# current run.

permissions:
"contents": "write"
permissions: {}

# This task will run whenever you push a git tag that looks like a version
# like "1.0.0", "v0.1.0-prerelease.1", "my-app/0.1.0", "releases/v1.0.0", etc.
Expand Down Expand Up @@ -55,6 +54,8 @@ jobs:
# Run 'dist plan' (or host) to determine what tasks we need to do
plan:
runs-on: "ubuntu-24.04"
permissions:
contents: read
outputs:
val: ${{ steps.plan.outputs.manifest }}
tag: ${{ !github.event.pull_request && github.ref_name || '' }}
Expand Down Expand Up @@ -114,6 +115,8 @@ jobs:
# - N "local" tasks that build each platform's binaries and platform-specific installers
matrix: ${{ fromJson(needs.plan.outputs.val).ci.github.artifacts_matrix }}
runs-on: ${{ matrix.runner }}
permissions:
contents: read
container: ${{ matrix.container && matrix.container.image || null }}
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Expand Down Expand Up @@ -177,6 +180,8 @@ jobs:
- plan
- build-local-artifacts
runs-on: "ubuntu-24.04"
permissions:
contents: read
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
BUILD_MANIFEST_NAME: target/distrib/global-dist-manifest.json
Expand Down Expand Up @@ -228,6 +233,8 @@ jobs:
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
runs-on: "ubuntu-24.04"
permissions:
contents: write
outputs:
val: ${{ steps.host.outputs.manifest }}
steps:
Expand Down Expand Up @@ -302,6 +309,8 @@ jobs:
runs-on: ubuntu-24.04
environment: release
if: ${{ needs.plan.outputs.publishing == 'true' }}
permissions:
contents: read
steps:
- uses: actions/checkout@v6
- name: Publish to crates.io
Expand All @@ -317,6 +326,7 @@ jobs:
if: ${{ needs.plan.outputs.publishing == 'true' }}
env:
GH_TOKEN: ${{ secrets.WORKTRUNK_BOT_TOKEN }}
permissions: {}
steps:
- name: Sync winget-pkgs fork with upstream
run: |
Expand All @@ -340,6 +350,7 @@ jobs:
GITHUB_USER: "worktrunk-bot"
GITHUB_EMAIL: "worktrunk-bot@users.noreply.github.com"
if: ${{ needs.plan.outputs.publishing == 'true' && (!fromJson(needs.plan.outputs.val).announcement_is_prerelease || fromJson(needs.plan.outputs.val).publish_prereleases) }}
permissions: {}
steps:
- uses: actions/checkout@v6
with:
Expand Down Expand Up @@ -368,6 +379,8 @@ jobs:
runs-on: ubuntu-24.04
environment: release
if: ${{ needs.plan.outputs.publishing == 'true' }}
permissions:
contents: read
steps:
- uses: actions/checkout@v6
- name: Update PKGBUILD version
Expand Down Expand Up @@ -402,6 +415,8 @@ jobs:
runs-on: "ubuntu-24.04"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
permissions:
contents: read
steps:
- uses: actions/checkout@v6
with:
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/tend-ci-fix.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@ on:
types: [completed]
branches: ["main"]

permissions: {}

jobs:
fix-ci:
if: github.event.workflow_run.conclusion == 'failure'
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/tend-mention.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@ on:
pull_request_review_comment:
types: [edited]

permissions: {}

jobs:
verify:
# Filter out fork PRs for review events — secrets are unavailable there
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/tend-nightly.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ on:
- cron: "17 6 * * *"
workflow_dispatch:

permissions: {}

jobs:
nightly:
runs-on: ubuntu-24.04
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/tend-notifications.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ on:
- cron: "*/15 * * * *"
workflow_dispatch:

permissions: {}

jobs:
notifications:
runs-on: ubuntu-24.04
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/tend-review-runs.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ on:
- cron: "47 7 * * *"
workflow_dispatch:

permissions: {}

jobs:
review-runs:
runs-on: ubuntu-24.04
Expand Down
12 changes: 12 additions & 0 deletions .github/workflows/tend-review.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@ on:
pull_request_target:
types: [opened, synchronize, ready_for_review, reopened]

permissions: {}

jobs:
review:
if: >-
Expand All @@ -26,12 +28,19 @@ jobs:
actions: read
issues: write
steps:
- name: Skip privileged review on fork PRs
if: github.event.pull_request.head.repo.full_name != github.repository
run: >-
echo "::notice::Skipping tend-review for fork PR #${{ github.event.pull_request.number }} from
${{ github.event.pull_request.head.repo.full_name }}. Privileged review automation only runs for same-repo pull requests."

# GitHub only materializes refs/pull/N/merge for mergeable PRs — on
# conflicting PRs it 404s and every downstream step cascades as skipped.
# Probe first and fall back to /head so review always runs; on fallback
# the review sees the PR branch in isolation rather than the post-merge
# tree.
- name: Resolve PR checkout ref
if: github.event.pull_request.head.repo.full_name == github.repository
id: pr_ref
env:
GH_TOKEN: ${{ secrets.WORKTRUNK_BOT_TOKEN }}
Expand All @@ -44,15 +53,18 @@ jobs:
echo "::notice::refs/pull/$PR/merge unavailable (likely merge conflict); falling back to /head"
fi
- uses: actions/checkout@v6
if: github.event.pull_request.head.repo.full_name == github.repository
with:
ref: ${{ steps.pr_ref.outputs.ref }}
fetch-depth: 0
fetch-tags: true
token: ${{ secrets.WORKTRUNK_BOT_TOKEN }}

- uses: ./.github/actions/claude-setup
if: github.event.pull_request.head.repo.full_name == github.repository

- uses: max-sixty/tend@v1
if: github.event.pull_request.head.repo.full_name == github.repository
with:
github_token: ${{ secrets.WORKTRUNK_BOT_TOKEN }}
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/tend-triage.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.issue.number }}
cancel-in-progress: true

permissions: {}

jobs:
triage:
runs-on: ubuntu-24.04
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/tend-weekly.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ on:
- cron: "17 9 * * 0"
workflow_dispatch:

permissions: {}

jobs:
weekly:
runs-on: ubuntu-24.04
Expand Down
Loading