CI Improvements (#382)

.github/workflows/branch_main.yml

@@ -5,18 +5,25 @@ on:
 
 name: "Main Branch"
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: "Test"
 
+    permissions:
+      contents: read
+      security-events: write
+
     uses: ./.github/workflows/part_test.yml
 
   docs:
     name: "Docs"
 
-    uses: ./.github/workflows/part_docs.yml
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
 
-  publish:
-    name: "Publish"
-
-    uses: ./.github/workflows/part_publish.yml
+    uses: ./.github/workflows/part_docs.yml

.github/workflows/part_docs.yml

@@ -1,18 +1,22 @@
 on:
-  workflow_call:
-    inputs:
-      releaseName:
-        required: false
-        type: string
+  workflow_call: {}
 
 name: "Documentation"
 
+permissions:
+  contents: read
+
 jobs:
   generate:
     name: "Generate"
 
     runs-on: ubuntu-latest
 
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
+
     steps:
       - uses: actions/checkout@v4
       - uses: erlef/setup-elixir@v1
@@ -34,34 +38,22 @@ jobs:
             docs-bdepsuild-{{ runner.os }}-${{ steps.setupBEAM.outputs.otp-version }}-${{ steps.setupBEAM.outputs.elixir-version }}-
       - run: mix deps.get
       - run: mix docs
-      - uses: actions/upload-artifact@v4
-        with:
-          name: docs
-          path: doc
-
-  upload:
-    name: "Upload"
-
-    runs-on: ubuntu-latest
-
-    if: ${{ inputs.releaseName }}
 
-    needs: ["generate"]
-
-    permissions:
-      contents: write
+      - name: "Create Docs Archive"
+        run: |
+          tar -czvf docs.tar.gz doc
+      
+      - name: "Attest docs provenance"
+        uses: actions/attest-build-provenance@v1
+        id: attest-docs-provenance
+        with:
+          subject-path: 'docs.tar.gz'
+      - name: "Copy docs provenance"
+        run: cp "$ATTESTATION" docs.tar.gz.sigstore
+        env:
+          ATTESTATION: "${{ steps.attest-docs-provenance.outputs.bundle-path }}"
 
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v4
+      - uses: actions/upload-artifact@v4
         with:
           name: docs
-          path: docs
-      - run: |
-          tar -czvf docs.tar.gz docs
-      - name: Upload
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-        run: |
-          gh release upload --clobber "${{ inputs.releaseName }}" \
-            docs.tar.gz
+          path: docs.tar.gz*

.github/workflows/part_publish.yml

@@ -10,6 +10,9 @@ on:
 
 name: "Publish"
 
+permissions:
+  contents: read
+
 jobs:
   hex_publish:
     name: mix hex.publish
@@ -41,59 +44,3 @@ jobs:
       - run: mix hex.publish --yes
         env:
           HEX_API_KEY: ${{ secrets.HEX_API_KEY }}
-
-  hex_build:
-    name: mix hex.build
-
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v4
-      - uses: erlef/setup-beam@v1
-        id: setupBEAM
-        with:
-          version-file: .tool-versions
-          version-type: strict
-      - uses: actions/cache@v4
-        with:
-          path: _build
-          key: mix_hex_build-build-${{ runner.os }}-${{ steps.setupBEAM.outputs.otp-version }}-${{ hashFiles('mix.exs') }}
-          restore-keys: |
-            mix_hex_build-build-${{ runner.os }}-${{ steps.setupBEAM.outputs.otp-version }}-
-      - uses: actions/cache@v4
-        with:
-          path: deps
-          key: mix_hex_build-deps-${{ runner.os }}-${{ steps.setupBEAM.outputs.otp-version }}-${{ hashFiles('mix.exs') }}
-          restore-keys: |
-            mix_hex_build-deps-${{ runner.os }}-${{ steps.setupBEAM.outputs.otp-version }}-
-      - run: mix deps.get
-      - run: mix hex.build --output package.tar
-      - uses: actions/upload-artifact@v4
-        with:
-          name: package
-          path: package.tar
-
-  upload:
-    name: "Upload"
-
-    runs-on: ubuntu-latest
-
-    if: ${{ inputs.releaseName }}
-
-    needs: ["hex_build"]
-
-    permissions:
-      contents: write
-
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v4
-        with:
-          name: package
-          path: .
-      - name: Upload
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-        run: |
-          gh release upload --clobber "${{ inputs.releaseName }}" \
-            package.tar

.github/workflows/part_release.yml

@@ -11,11 +11,12 @@ on:
 
 name: "Release"
 
-jobs:
-  create_prerelease:
-    name: Create Prerelease
+permissions:
+  contents: read
 
-    if: ${{ !inputs.stable }}
+jobs:
+  create:
+    name: Create Release
 
     runs-on: ubuntu-latest
 
@@ -24,6 +25,7 @@ jobs:
 
     steps:
       - name: Create draft prerelease
+        if: ${{ !inputs.stable }}
         env:
           GITHUB_TOKEN: ${{ github.token }}
         run: |
@@ -33,19 +35,8 @@ jobs:
             --prerelease \
             --generate-notes \
             ${{ inputs.releaseName }}
-
-  create_stable:
-    name: Create Stable
-
-    if: ${{ inputs.stable }}
-
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: write
-
-    steps:
-      - name: Create draft release
+      - name: Create release
+        if: ${{ inputs.stable }}
         env:
           GITHUB_TOKEN: ${{ github.token }}
         run: |
@@ -54,3 +45,15 @@ jobs:
             --title ${{ inputs.releaseName }} \
             --generate-notes \
             ${{ inputs.releaseName }}
+            
+      - name: "Download Docs Artifact"
+        uses: actions/download-artifact@v4
+        with:
+          name: docs
+          path: .
+      - name: Upload Docs
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          gh release upload --clobber "${{ inputs.releaseName }}" \
+            docs.tar.gz*

.github/workflows/part_test.yml

@@ -6,6 +6,9 @@ name: "Test"
 env:
   ERL_AFLAGS: "-enable-feature all"
 
+permissions:
+  contents: read
+
 jobs:
   detectToolVersions:
     name: "Detect Tool Versions"
@@ -321,6 +324,10 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      security-events: write
+
     steps:
       - uses: actions/checkout@v4
       - uses: erlef/setup-beam@v1
@@ -341,7 +348,12 @@ jobs:
           restore-keys: |
             credo-deps-${{ runner.os }}-${{ steps.setupBEAM.outputs.otp-version }}-
       - run: mix deps.get
-      - run: mix credo
+      - run: mix credo --format sarif > results.sarif
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: credo
 
   dialyxir:
     name: mix dialyzer

.github/workflows/pr.yml

@@ -6,18 +6,26 @@ on:
 
 name: "Pull Request"
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: "Test"
 
+    permissions:
+      contents: read
+      security-events: write
+
     uses: ./.github/workflows/part_test.yml
 
   docs:
     name: "Docs"
 
-    uses: ./.github/workflows/part_docs.yml
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
 
-  publish:
-    name: "Publish"
+    uses: ./.github/workflows/part_docs.yml
 
-    uses: ./.github/workflows/part_publish.yml

.github/workflows/tag-beta.yml

@@ -7,30 +7,32 @@ on:
 
 name: "Beta Tag"
 
-jobs:
-  release:
-    name: "Release"
-
-    uses: ./.github/workflows/part_release.yml
-    with:
-      releaseName: "${{ github.ref_name }}"
+permissions:
+  contents: read
 
+jobs:
   docs:
     name: "Docs"
 
-    needs: ["release"]
-
     uses: ./.github/workflows/part_docs.yml
-    with:
-      releaseName: "${{ github.ref_name }}"
 
   publish:
     name: "Publish"
 
-    needs: ["release"]
-
     uses: ./.github/workflows/part_publish.yml
     with:
       releaseName: "${{ github.ref_name }}"
     secrets:
       HEX_API_KEY: "${{ secrets.HEX_API_KEY }}"
+
+  release:
+    name: "Release"
+
+    needs: ["docs"]
+
+    permissions:
+      contents: write
+
+    uses: ./.github/workflows/part_release.yml
+    with:
+      releaseName: "${{ github.ref_name }}"