diff --git a/.github/workflows/branch_main.yml b/.github/workflows/branch_main.yml
index c48c5ba..ebc2962 100644
--- a/.github/workflows/branch_main.yml
+++ b/.github/workflows/branch_main.yml
@@ -5,18 +5,25 @@ on:
 name: "Main Branch"
+permissions:
+ contents: read
+
 jobs:
 test:
 name: "Test"
+ permissions:
+ contents: read
+ security-events: write
+
 uses: ./.github/workflows/part_test.yml
 docs:
 name: "Docs"
- uses: ./.github/workflows/part_docs.yml
+ permissions:
+ id-token: write
+ contents: read
+ attestations: write
- publish:
- name: "Publish"
-
- uses: ./.github/workflows/part_publish.yml
+ uses: ./.github/workflows/part_docs.yml
diff --git a/.github/workflows/part_docs.yml b/.github/workflows/part_docs.yml
index 825cb7e..6c74ee2 100644
--- a/.github/workflows/part_docs.yml
+++ b/.github/workflows/part_docs.yml
@@ -1,18 +1,22 @@
 on:
- workflow_call:
- inputs:
- releaseName:
- required: false
- type: string
+ workflow_call: {}
 name: "Documentation"
+permissions:
+ contents: read
+
 jobs:
 generate:
 name: "Generate"
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+ attestations: write
+
 steps:
 - uses: actions/checkout@v4
 - uses: erlef/setup-elixir@v1
@@ -34,34 +38,22 @@ jobs:
 docs-bdepsuild-{{ runner.os }}-${{ steps.setupBEAM.outputs.otp-version }}-${{ steps.setupBEAM.outputs.elixir-version }}-
 - run: mix deps.get
 - run: mix docs
- - uses: actions/upload-artifact@v4
- with:
- name: docs
- path: doc
-
- upload:
- name: "Upload"
-
- runs-on: ubuntu-latest
-
- if: ${{ inputs.releaseName }}
- needs: ["generate"]
-
- permissions:
- contents: write
+ - name: "Create Docs Archive"
+ run: |
+ tar -czvf docs.tar.gz doc
+
+ - name: "Attest docs provenance"
+ uses: actions/attest-build-provenance@v1
+ id: attest-docs-provenance
+ with:
+ subject-path: 'docs.tar.gz'
+ - name: "Copy docs provenance"
+ run: cp "$ATTESTATION" docs.tar.gz.sigstore
+ env:
+ ATTESTATION: "${{ steps.attest-docs-provenance.outputs.bundle-path }}"
- steps:
- - uses: actions/checkout@v4
- - uses: actions/download-artifact@v4
+ - uses: actions/upload-artifact@v4
 with:
 name: docs
- path: docs
- - run: |
- tar -czvf docs.tar.gz docs
- - name: Upload
- env:
- GITHUB_TOKEN: ${{ github.token }}
- run: |
- gh release upload --clobber "${{ inputs.releaseName }}" \
- docs.tar.gz
+ path: docs.tar.gz*
diff --git a/.github/workflows/part_publish.yml b/.github/workflows/part_publish.yml
index 54d5326..c1a8df3 100644
--- a/.github/workflows/part_publish.yml
+++ b/.github/workflows/part_publish.yml
@@ -10,6 +10,9 @@ on:
 name: "Publish"
+permissions:
+ contents: read
+
 jobs:
 hex_publish:
 name: mix hex.publish
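Review bot: The new `Attest docs provenance` step pulls `actions/attest-build-provenance@v1` by a mutable major tag, and the provenance it emits is only as trustworthy as the action that produced it, so for this particular step it is worth pinning to a full commit SHA with the tag kept as a trailing comment (`uses: actions/attest-build-provenance@<full-commit-sha> # v1`); the same applies to the `upload-artifact@v4` step below it, though the rest of the file pins by tag, so treat this as a consistency decision rather than a defect. Handing the bundle path to the shell through `env: ATTESTATION` instead of interpolating the expression into `run:` is the right pattern. A one-line comment on the `Copy docs provenance` step, saying that the `.sigstore` file is the Sigstore provenance bundle that travels next to `docs.tar.gz` via the `docs.tar.gz*` glob in the upload step, would tell a reader of that glob why two files are expected. The `generate` job's header is outside this hunk.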
@@ -41,59 +44,3 @@ jobs:
 - run: mix hex.publish --yes
 env:
 HEX_API_KEY: ${{ secrets.HEX_API_KEY }}
-
- hex_build:
- name: mix hex.build
-
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v4
- - uses: erlef/setup-beam@v1
- id: setupBEAM
- with:
- version-file: .tool-versions
- version-type: strict
- - uses: actions/cache@v4
- with:
- path: _build
- key: mix_hex_build-build-${{ runner.os }}-${{ steps.setupBEAM.outputs.otp-version }}-${{ hashFiles('mix.exs') }}
- restore-keys: |
- mix_hex_build-build-${{ runner.os }}-${{ steps.setupBEAM.outputs.otp-version }}-
- - uses: actions/cache@v4
- with:
- path: deps
- key: mix_hex_build-deps-${{ runner.os }}-${{ steps.setupBEAM.outputs.otp-version }}-${{ hashFiles('mix.exs') }}
- restore-keys: |
- mix_hex_build-deps-${{ runner.os }}-${{ steps.setupBEAM.outputs.otp-version }}-
- - run: mix deps.get
- - run: mix hex.build --output package.tar
- - uses: actions/upload-artifact@v4
- with:
- name: package
- path: package.tar
-
- upload:
- name: "Upload"
-
- runs-on: ubuntu-latest
-
- if: ${{ inputs.releaseName }}
-
- needs: ["hex_build"]
-
- permissions:
- contents: write
-
- steps:
- - uses: actions/checkout@v4
- - uses: actions/download-artifact@v4
- with:
- name: package
- path: .
- - name: Upload
- env:
- GITHUB_TOKEN: ${{ github.token }}
- run: |
- gh release upload --clobber "${{ inputs.releaseName }}" \
- package.tar
diff --git a/.github/workflows/part_release.yml b/.github/workflows/part_release.yml
index 7b2147d..3de01d6 100644
--- a/.github/workflows/part_release.yml
+++ b/.github/workflows/part_release.yml
@@ -11,11 +11,12 @@ on:
 name: "Release"
-jobs:
- create_prerelease:
- name: Create Prerelease
+permissions:
+ contents: read
- if: ${{ !inputs.stable }}
+jobs:
+ create:
+ name: Create Release
 runs-on: ubuntu-latest
@@ -24,6 +25,7 @@ jobs:
 steps:
 - name: Create draft prerelease
+ if: ${{ !inputs.stable }}
 env:
 GITHUB_TOKEN: ${{ github.token }}
 run: |
@@ -33,19 +35,8 @@ jobs:
 --prerelease \
 --generate-notes \
 ${{ inputs.releaseName }}
-
- create_stable:
- name: Create Stable
-
- if: ${{ inputs.stable }}
-
- runs-on: ubuntu-latest
-
- permissions:
- contents: write
-
- steps:
- - name: Create draft release
+ - name: Create release
+ if: ${{ inputs.stable }}
 env:
 GITHUB_TOKEN: ${{ github.token }}
 run: |
@@ -54,3 +45,15 @@ jobs:
 --title ${{ inputs.releaseName }} \
 --generate-notes \
 ${{ inputs.releaseName }}
+
+ - name: "Download Docs Artifact"
+ uses: actions/download-artifact@v4
+ with:
+ name: docs
+ path: .
+ - name: Upload Docs
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ run: |
+ gh release upload --clobber "${{ inputs.releaseName }}" \
+ docs.tar.gz*
diff --git a/.github/workflows/part_test.yml b/.github/workflows/part_test.yml
index 062a928..57522a5 100644
--- a/.github/workflows/part_test.yml
+++ b/.github/workflows/part_test.yml
@@ -6,6 +6,9 @@ name: "Test"
 env:
 ERL_AFLAGS: "-enable-feature all"
+permissions:
+ contents: read
+
 jobs:
 detectToolVersions:
 name: "Detect Tool Versions"
@@ -321,6 +324,10 @@ jobs:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+
 steps:
 - uses: actions/checkout@v4
 - uses: erlef/setup-beam@v1
@@ -341,7 +348,12 @@ jobs:
 restore-keys: |
 credo-deps-${{ runner.os }}-${{ steps.setupBEAM.outputs.otp-version }}-
 - run: mix deps.get
- - run: mix credo
+ - run: mix credo --format sarif > results.sarif
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+ category: credo
 dialyxir:
 name: mix dialyzer
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 44b55b0..cf34437 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
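Review bot: The added `Upload Docs` step in the `@@ -54,3 +45,15 @@` hunk of part_release.yml interpolates `${{ inputs.releaseName }}` directly into the `run:` script, so whatever a caller passes (both tag workflows pass `github.ref_name`, i.e. the tag name) is substituted as shell text before bash parses the line; the defensive form, which this same commit already uses for `ATTESTATION` in part_docs.yml, is to pass it as an environment variable: add `RELEASE_NAME: ${{ inputs.releaseName }}` under the step's `env:` and change the command to `gh release upload --clobber "$RELEASE_NAME" \`. The two pre-existing `gh release create` steps in the same job interpolate the same input unquoted (`--title ${{ inputs.releaseName }}` is visible as context here) and would benefit from the same treatment, though they are not part of this change. The new step runs unconditionally, which looks correct because exactly one of the two `if`-gated create steps runs before it, but a short comment on the step saying so would save the next reader working it out. The `create` job starts outside this hunk.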
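Review bot: In the `@@ -341,7 +348,12 @@` hunk of part_test.yml, `mix credo --format sarif > results.sarif` will, by Credo's default behaviour as I recall it, exit non-zero whenever issues are found, and since that fails the step, the new `Upload SARIF file` step never runs in precisely the case it exists for; either gate the upload with `if: always()` (or `success() || failure()`) so findings still reach code scanning when the credo step fails, or, if code scanning is meant to be the only reporting channel, run credo with `--mute-exit-status` and let the SARIF upload carry the signal. If the first option is chosen, note that the job would then turn red while the alerts are shown separately, so a comment above the upload step stating which of the two behaviours is intended would help. The job these steps belong to starts outside the hunk; the `permissions` block with `security-events: write` added in the `@@ -321,6 +324,10 @@` hunk is presumably the same job, and is what the upload needs.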
@@ -6,18 +6,26 @@ on:
 name: "Pull Request"
+permissions:
+ contents: read
+
 jobs:
 test:
 name: "Test"
+ permissions:
+ contents: read
+ security-events: write
+
 uses: ./.github/workflows/part_test.yml
 docs:
 name: "Docs"
- uses: ./.github/workflows/part_docs.yml
+ permissions:
+ id-token: write
+ contents: read
+ attestations: write
- publish:
- name: "Publish"
+ uses: ./.github/workflows/part_docs.yml
- uses: ./.github/workflows/part_publish.yml
diff --git a/.github/workflows/tag-beta.yml b/.github/workflows/tag-beta.yml
index ce914cb..5a9c6af 100644
--- a/.github/workflows/tag-beta.yml
+++ b/.github/workflows/tag-beta.yml
@@ -7,30 +7,32 @@ on:
 name: "Beta Tag"
-jobs:
- release:
- name: "Release"
-
- uses: ./.github/workflows/part_release.yml
- with:
- releaseName: "${{ github.ref_name }}"
+permissions:
+ contents: read
+jobs:
 docs:
 name: "Docs"
- needs: ["release"]
-
 uses: ./.github/workflows/part_docs.yml
- with:
- releaseName: "${{ github.ref_name }}"
 publish:
 name: "Publish"
- needs: ["release"]
-
 uses: ./.github/workflows/part_publish.yml
 with:
 releaseName: "${{ github.ref_name }}"
 secrets:
 HEX_API_KEY: "${{ secrets.HEX_API_KEY }}"
+
+ release:
+ name: "Release"
+
+ needs: ["docs"]
+
+ permissions:
+ contents: write
+
+ uses: ./.github/workflows/part_release.yml
+ with:
+ releaseName: "${{ github.ref_name }}"
diff --git a/.github/workflows/tag-stable.yml b/.github/workflows/tag-stable.yml
index 6c5563e..086b6a9 100644
--- a/.github/workflows/tag-stable.yml
+++ b/.github/workflows/tag-stable.yml
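Review bot: On `pull_request` runs from forked repositories GitHub does not issue the OIDC token regardless of the `id-token: write` request (and `attestations: write` is likewise unavailable), so with the `docs` job in pr.yml now routing through the attestation step in part_docs.yml, the docs check should fail for every external contributor's PR if this repository accepts fork PRs; for same-repository branches the grant is correct. If provenance is only wanted on tag builds, the cleaner shape is to make the attest and copy steps in part_docs.yml conditional on a new boolean `workflow_call` input and let pr.yml and branch_main.yml leave their `docs` jobs at `contents: read`, so a PR workflow never asks for an OIDC token at all. Whichever way it goes, a comment above the `docs` job's `permissions` block explaining why a documentation build needs `id-token: write` would help the next reviewer who sees that grant on a pull-request workflow.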
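Review bot: The `docs` job in tag-beta.yml inherits only the workflow-level `permissions: contents: read`, yet the reusable workflow it calls (part_docs.yml, changed in this same commit) now runs `actions/attest-build-provenance`, which needs `id-token: write` and `attestations: write`; a called workflow can only narrow the permissions its caller grants, never widen them, so on tag builds the attest step should fail, and because `release` declares `needs: ["docs"]`, no release gets created at all. branch_main.yml and pr.yml grant these on their `docs` jobs; tag-beta.yml needs the equivalent on `docs` (`permissions: { id-token: write, contents: read, attestations: write }`, written in block style to match the file), and tag-stable.yml in the last hunk of this diff has the identical gap. Separately, `publish` lost its `needs: ["release"]` and gained no replacement, so `mix hex.publish` now runs concurrently with the docs build and the release rather than after a release exists, and a failed release no longer blocks the Hex publish; if that reordering is intentional it deserves a comment on the `publish` job.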
@@ -5,31 +5,33 @@ on:
 name: "Stable Tag"
-jobs:
- release:
- name: "Release"
-
- uses: ./.github/workflows/part_release.yml
- with:
- releaseName: "${{ github.ref_name }}"
- stable: true
+permissions:
+ contents: read
+jobs:
 docs:
 name: "Docs"
- needs: ["release"]
-
 uses: ./.github/workflows/part_docs.yml
- with:
- releaseName: "${{ github.ref_name }}"
 publish:
 name: "Publish"
- needs: ["release"]
-
 uses: ./.github/workflows/part_publish.yml
 with:
 releaseName: "${{ github.ref_name }}"
 secrets:
 HEX_API_KEY: "${{ secrets.HEX_API_KEY }}"
+
+ release:
+ name: "Release"
+
+ needs: ["docs"]
+
+ permissions:
+ contents: write
+
+ uses: ./.github/workflows/part_release.yml
+ with:
+ releaseName: "${{ github.ref_name }}"
+ stable: true