| author | seth <[email protected]> | 2024-10-09 10:59:13 -0400 |
|---|---|---|
| committer | GitHub <[email protected]> | 2024-10-09 10:59:13 -0400 |
| commit | d17bca56238e9ca326d60e58230d0d354f23bfe8 (patch) | |
| tree | 12aee4c37a1490914e6307ce1b0023be2df93105 /.github | |
| parent | 7d6495399d5e1ba429a339de1c3a00f121e89305 (diff) | |
back to astro for hopefully the last time (#146)
Diffstat (limited to '.github')
| -rw-r--r-- | .github/dependabot.yml | 6 | ||||
| -rw-r--r-- | .github/workflows/autobot.yaml | 32 | ||||
| -rw-r--r-- | .github/workflows/ci.yaml | 27 | ||||
| -rw-r--r-- | .github/workflows/codeql.yaml | 49 | ||||
| -rw-r--r-- | .github/workflows/eslint.yaml | 61 | ||||
| -rw-r--r-- | .github/workflows/update-flake.yaml | 38 |
6 files changed, 177 insertions, 36 deletions
diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4c39a33..bb70f4c 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,5 +1,11 @@ version: 2 updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + commit-message: + prefix: "chore(node_modules)" - package-ecosystem: "github-actions" directory: "/" schedule: diff --git a/.github/workflows/autobot.yaml b/.github/workflows/autobot.yaml new file mode 100644 index 0000000..9c7e8f6 --- /dev/null +++ b/.github/workflows/autobot.yaml @@ -0,0 +1,32 @@ +name: Auto-merge Dependabot + +on: pull_request + +jobs: + automerge: + name: Check and merge PR + + if: github.actor == 'dependabot[bot]' + + runs-on: ubuntu-latest + + steps: + - name: Generate GitHub App token + uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ vars.APP_ID }} + private-key: ${{ secrets.PRIVATE_KEY }} + + - name: Fetch metadata + uses: dependabot/fetch-metadata@v2 + id: metadata + with: + github-token: ${{ steps.app-token.outputs.token }} + + - name: Enable auto-merge + if: ${{ steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' }} + run: gh pr merge --auto --squash "$PR" + env: + PR: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml deleted file mode 100644 index 9f1ec19..0000000 --- a/.github/workflows/ci.yaml +++ /dev/null @@ -1,27 +0,0 @@ -name: CI - -on: - push: - branches: [main] - pull_request: - workflow_dispatch: - -jobs: - ci: - name: Build site - - runs-on: ubuntu-latest - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Install Nix - uses: DeterminateSystems/nix-installer-action@v14 - - - name: Setup cache - uses: DeterminateSystems/magic-nix-cache-action@v8 - - - name: Build site - run: | - nix build --print-build-logs 
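Review bot: In autobot.yaml the job gate `if: github.actor == 'dependabot[bot]'` tests the account that triggered the run rather than the author of the pull request; `if: github.event.pull_request.user.login == 'dependabot[bot]'` binds the gate to the PR author, which is the property a job that mints an App token and enables auto-merge should rely on. `gh pr merge --auto` waits only for the requirements configured on the target branch, and those are not visible in this diff; since the same commit deletes ci.yaml, confirm that a required status check still stands between a minor or patch bump and the merge. The same question applies to the `Enable auto-merge` step added to update-flake.yaml.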
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml new file mode 100644 index 0000000..82fb9e6 --- /dev/null +++ b/.github/workflows/codeql.yaml @@ -0,0 +1,49 @@ +name: CodeQL + +on: + push: + branches: [main] + paths: + - "**.ts" + - "package.json" + - "pnpm-lock.yaml" + + - "tsconfig.json" + + - ".github/workflows/codeql.yaml" + pull_request: + paths: + - "**.ts" + - "package.json" + - "pnpm-lock.yaml" + + - "tsconfig.json" + + - ".github/workflows/codeql.yaml" + workflow_dispatch: + +jobs: + codeql: + name: Run scan + + runs-on: ubuntu-latest + + permissions: + security-events: write + + env: + LANGUAGE: "javascript-typescript" + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ env.LANGUAGE }} + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{ env.LANGUAGE }}" diff --git a/.github/workflows/eslint.yaml b/.github/workflows/eslint.yaml new file mode 100644 index 0000000..c5fe28c --- /dev/null +++ b/.github/workflows/eslint.yaml 
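Review bot: The `paths:` filters in codeql.yaml list only `**.ts` plus a few config files, so a change confined to `.js` or `.mjs` files never starts a scan even though `javascript-typescript` analyses JavaScript as well; eslint.yaml in this commit already lists `eslint.config.js`, and the two filter lists could be kept in step. There is no `schedule:` trigger, so unchanged code is not re-analysed when the query packs are updated; a weekly `schedule:` entry is the usual addition. The job-level `permissions:` grants only `security-events: write`, which sets every other scope to none; if the repository is private, `actions/checkout` would also need `contents: read`.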
@@ -0,0 +1,61 @@ +name: ESLint + +on: + push: + branches: [main] + paths: + - "**.ts" + - "**.astro" + - "package.json" + - "pnpm-lock.yaml" + + - "astro.config.ts" + - "eslint.config.js" + - "tsconfig.json" + + - ".github/workflows/eslint.yaml" + pull_request: + paths: + - "**.ts" + - "**.astro" + - "package.json" + - "pnpm-lock.yaml" + + - "astro.config.ts" + - "eslint.config.js" + - "tsconfig.json" + + - ".github/workflows/eslint.yaml" + +jobs: + eslint: + name: Run scan + + runs-on: ubuntu-latest + + permissions: + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Install Nix + uses: DeterminateSystems/nix-installer-action@v14 + + - name: Install Dependencies + run: nix develop .#ci --command pnpm install --frozen-lockfile + + - name: Run ESLint + continue-on-error: true + run: | + nix develop .#ci --command \ + nrr lint \ + --format @microsoft/eslint-formatter-sarif \ + --output-file /tmp/results.sarif + + - name: Upload Results + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: /tmp/results.sarif + wait-for-processing: true diff --git a/.github/workflows/update-flake.yaml b/.github/workflows/update-flake.yaml index 4e33720..4473811 100644 --- a/.github/workflows/update-flake.yaml +++ b/.github/workflows/update-flake.yaml 
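Review bot: `continue-on-error: true` on the `Run ESLint` step in eslint.yaml has no comment saying why, and it changes what the job enforces: ESLint findings no longer fail the run, so they block a pull request only if code scanning results are required on the branch, which this diff does not show. A comment such as `# ESLint exits non-zero on findings; keep going so the SARIF report is uploaded` would record the intent. `DeterminateSystems/nix-installer-action@v14` is referenced by a mutable tag; pinning third-party actions to a full commit SHA matters more in autobot.yaml and update-flake.yaml, where `actions/create-github-app-token@v1` and `peter-evans/create-pull-request@v7` receive the App private key or token.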
@@ -8,22 +8,42 @@ on: jobs: update: - name: Run update - runs-on: ubuntu-latest + name: Run update & create PR - permissions: - contents: write - pull-requests: write + runs-on: ubuntu-latest steps: + - name: Generate GitHub App token + uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ vars.APP_ID }} + private-key: ${{ secrets.PRIVATE_KEY }} + - name: Checkout repository uses: actions/checkout@v4 + with: + token: ${{ steps.app-token.outputs.token }} - name: Install Nix uses: DeterminateSystems/nix-installer-action@v14 - - name: Update flake.lock & make PR - uses: DeterminateSystems/update-flake-lock@v24 + - name: Run update + run: nix flake update + + - name: Create pull request + id: pull-request + uses: peter-evans/create-pull-request@v7 with: - commit-msg: "nix: update flake.lock" - pr-title: "nix: update flake.lock" + branch: update-flake-lock + commit-message: "nix: update flake.lock" + title: "nix: update flake.lock" + token: ${{ steps.app-token.outputs.token }} + sign-commits: true + + - name: Enable auto-merge + if: ${{ env.PR_ID != '' }} + run: gh pr merge --auto --squash "$PR_ID" + env: + PR_ID: ${{ steps.pull-request.outputs.pull-request-number }} + GH_TOKEN: ${{ steps.app-token.outputs.token }} |
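Review bot: Removing the `permissions:` block leaves the `update` job on the repository's default GITHUB_TOKEN scope even though every write now goes through the App token; `permissions: {}` on the job (and on `automerge` in autobot.yaml, which has no `permissions:` key either) would reduce the unused token to nothing. `actions/checkout` is given the App token and by default keeps it in the checkout's git configuration, so it is present while `nix flake update` runs; `persist-credentials: false` under `with:` avoids that, provided create-pull-request pushes with its own `token:` input, which should be confirmed. The hunk starts inside the workflow, so the trigger and anything above `jobs:` is not visible here.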
