chore: refactor Updatecli gha workflow & fix zizmor config file (#1069)

* fix: zizmor default configuration

Signed-off-by: Olivier Vernin <me@olblak.com>

* chore: add updatecli labels and refactor updatecli-compose.yaml

Signed-off-by: Olivier Vernin <me@olblak.com>

* chore: cleanup updatecli gha workflows

Signed-off-by: Olivier Vernin <me@olblak.com>

* fix: updatecli release event

Signed-off-by: Olivier Vernin <me@olblak.com>

* fix: updatecli-compose.yaml

Signed-off-by: Olivier Vernin <me@olblak.com>

* fix: updatecli pipeline name

Signed-off-by: Olivier Vernin <me@olblak.com>

* chore: add compose file name

Signed-off-by: Olivier Vernin <me@olblak.com>

---------

Signed-off-by: Olivier Vernin <me@olblak.com>

Author: olblak

.github/workflows/updatecli.yaml

@@ -1,7 +1,6 @@
 ---
 name: Updatecli
 on:
-  release:
   workflow_dispatch:
   schedule:
     # Run at 12:00 every 14 days

.github/workflows/updatecli_release.yaml

@@ -0,0 +1,32 @@
+---
+name: Updatecli - Release
+on:
+  workflow_dispatch:
+  schedule:
+    # Run daily at 03:00
+    - cron: "0 3 * * *"
+  repository_dispatch:
+    types:
+      - "updatecli-release"
+permissions: {}
+jobs:
+  updatecli:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout"
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
+        with:
+          persist-credentials: false
+      - name: "Setup updatecli"
+        uses: "updatecli/updatecli-action@2cc8e6d8e356d76b0280cdd03766c36596a0614e" # v3.0.0
+        with:
+          version: "v0.115.0"
+      - name: "Run updatecli only on Updatecli release event"
+        run: updatecli compose apply --clean-git-branches=true --labels="release:updatecli" --experimental
+        env:
+          UPDATECLI_GITHUB_APP_CLIENT_ID: ${{ secrets.UPDATECLIBOT_APP_ID }}
+          UPDATECLI_GITHUB_APP_PRIVATE_KEY: ${{ secrets.UPDATECLIBOT_APP_PRIVKEY }}
+          UPDATECLI_GITHUB_APP_INSTALLATION_ID: ${{ secrets.UPDATECLIBOT_APP_INSTALLATION_ID }}
+          UPDATECLI_UDASH_API_URL: ${{ secrets.UPDATECLI_UDASH_API_URL }}
+          UPDATECLI_UDASH_ACCESS_TOKEN: ${{ secrets.UPDATECLI_UDASH_ACCESS_TOKEN }}
+          UPDATECLI_UDASH_URL: ${{ secrets.UPDATECLI_UDASH_URL }}

.github/workflows/updatecli_update.yaml

@@ -22,14 +22,15 @@ jobs:
         with:
           version: "v0.115.0"
       - name: "Run updatecli only on monitored pipelines"
-        run: updatecli compose apply --clean-git-branches=true --labels="monitoring:enabled" --experimental
+        run: updatecli compose apply --clean-git-branches=true --labels="monitor:active" --experimental
         env:
           UPDATECLI_GITHUB_APP_CLIENT_ID: ${{ secrets.UPDATECLIBOT_APP_ID }}
           UPDATECLI_GITHUB_APP_PRIVATE_KEY: ${{ secrets.UPDATECLIBOT_APP_PRIVKEY }}
           UPDATECLI_GITHUB_APP_INSTALLATION_ID: ${{ secrets.UPDATECLIBOT_APP_INSTALLATION_ID }}
           UPDATECLI_UDASH_API_URL: ${{ secrets.UPDATECLI_UDASH_API_URL }}
           UPDATECLI_UDASH_ACCESS_TOKEN: ${{ secrets.UPDATECLI_UDASH_ACCESS_TOKEN }}
           UPDATECLI_UDASH_URL: ${{ secrets.UPDATECLI_UDASH_URL }}
+
       - name: "Run updatecli only on existing pipelines"
         run: updatecli compose apply --clean-git-branches=true --existing-only=true --experimental
         env:

.github/zizmor.yaml

@@ -1,10 +1,3 @@
 rules:
   secrets-outside-env:
-    config:
-      allow:
-        - UPDATECLIBOT_APP_ID
-        - UPDATECLIBOT_APP_PRIVKEY
-        - UPDATECLIBOT_APP_INSTALLATION_ID
-        - UPDATECLI_UDASH_API_URL
-        - UPDATECLI_UDASH_ACCESS_TOKEN
-        - UPDATECLI_UDASH_URL
+    disable: true

updatecli-compose.yaml

@@ -1,40 +1,51 @@
+name: Default Update Policies
+
 policies:
   - name: Local Updatecli Website Policies
     config:
       - updatecli/updatecli.d/
     values:
       - updatecli/values.d/scm.yaml
 
-  - name: Handle Nodejs version in githubaction
-    policy: ghcr.io/updatecli/policies/nodejs/githubaction:0.11.1@sha256:812c245adc1f20767ca912baf3087022c78e8153a3f27d43729dd8931864f8e3
+  - name: Update Updatecli policies
+    policy: ghcr.io/updatecli/policies/updatecli/autodiscovery:0.8.1@sha256:f8edda1a6cbf0d7274e2b847ede29fc4dc70dd5302ccb8575ae21b069cc0d8a0
     values:
       - updatecli/values.d/scm.yaml
-      - updatecli/values.d/nodejs.yaml
+    valuesinline:
+      pipeline:
+        labels:
+          ecosystem: "updatecli"
+          monitor: active
 
-  - name: Update Updatecli policies
-    policy: ghcr.io/updatecli/policies/updatecli/autodiscovery:0.8.1@sha256:f8edda1a6cbf0d7274e2b847ede29fc4dc70dd5302ccb8575ae21b069cc0d8a0
+  - name: Handle Updatecli version in GitHub action
+    policy: ghcr.io/updatecli/policies/updatecli/githubaction:0.8.1@sha256:48872bbf1a09cfff32ff5ffa07086c20b40d6888c19c36048b18f84bbdad37fe
     values:
       - updatecli/values.d/scm.yaml
+    valuesinline:
+      pipeline:
+        labels:
+          ecosystem: "updatecli"
+          monitor: active
 
   - name: NPM autodiscovery
     policy: ghcr.io/updatecli/policies/npm/autodiscovery:0.12.1@sha256:ab02848169d584d7510ab974ec4a27309d9737068b1d888df6a8388a3dad26fc
     values:
       - updatecli/values.d/scm.yaml
-      - updatecli/values.d/npm.yaml
+    valuesinline:
+      automerge: true
+      groupby: individual
+      spec:
+        ignoreversionconstraints: true
 
-  - name: Handle Updatecli version in GitHub action
-    policy: ghcr.io/updatecli/policies/updatecli/githubaction:0.8.1@sha256:48872bbf1a09cfff32ff5ffa07086c20b40d6888c19c36048b18f84bbdad37fe
+  - name: Handle Nodejs version in githubaction
+    policy: ghcr.io/updatecli/policies/nodejs/githubaction:0.11.1@sha256:812c245adc1f20767ca912baf3087022c78e8153a3f27d43729dd8931864f8e3
     values:
       - updatecli/values.d/scm.yaml
+    valuesinline:
+      versionpattern: "~24"
+      automerge: true
 
   - name: Handle GitHub action version update
     policy: ghcr.io/updatecli/policies/autodiscovery/githubaction:0.4.1@sha256:869b676074f9fee7edd5d488140a12c3b09a5f8a175f12f26ea85a4f8bd0a9d1
     values:
       - updatecli/values.d/scm.yaml
-      - updatecli/values.d/githubaction.yaml
-
-  - name: Update Updatecli version in GitHub action
-    policy: ghcr.io/updatecli/policies/updatecli/githubaction:0.8.1@sha256:48872bbf1a09cfff32ff5ffa07086c20b40d6888c19c36048b18f84bbdad37fe
-    values:
-      - updatecli/values.d/scm.yaml
-      - updatecli/values.d/githubaction.yaml

updatecli/updatecli.d/updatecli.yaml

@@ -2,8 +2,9 @@ name: "deps: bump updatecli version"
 pipelineid: "updatecli_action_version"
 
 labels:
-  event: release
-  monitoring: enabled
+  ecosystem: updatecli
+  monitor: active
+  release: updatecli
 
 actions:
   default: