Securize CI, reusable workflows, simplifications

2025-03-30 19:56:21 +00:00 · 2024-09-11 23:34:53 +00:00 · 2024-09-11 23:34:53 +00:00 · e673037a54
commit e673037a54
parent c6b4d41535
15 changed files with 473 additions and 371 deletions
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@ -0,0 +1,99 @@
+name: Pull Request 📥
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: true
+
+on:
+  pull_request_target:
+    branches:
+      - master
+      - release*
+    paths-ignore:
+      - '**/*.md'
+  merge_group:
+
+jobs:
+  push-comment:
+    name: Create comments ✍️
+    if: ${{ always() && !cancelled() && github.repository == 'jellyfin/jellyfin-web' }}
+    uses: ./.github/workflows/__job_messages.yml
+    secrets: inherit
+    with:
+      commit: ${{ github.event.pull_request.head.sha }}
+      in_progress: true
+      comment: true
+
+  build:
+    name: Build 🏗️
+    if: ${{ always() && !cancelled() }}
+    uses: ./.github/workflows/__package.yml
+    with:
+      commit: ${{ github.event.pull_request.head.sha }}
+
+  automation:
+    name: Automation 🎛️
+    if: ${{ github.repository == 'jellyfin/jellyfin-web' }}
+    uses: ./.github/workflows/__automation.yml
+    secrets: inherit
+
+  quality_checks:
+    name: Quality checks 👌🧪
+    if: ${{ always() && !cancelled() }}
+    uses: ./.github/workflows/__quality_checks.yml
+    permissions: {}
+    with:
+      commit: ${{ github.event.pull_request.head.ref }}
+
+  codeql:
+    name: GitHub CodeQL 🔬
+    if: ${{ always() && !cancelled() }}
+    uses: ./.github/workflows/__codeql.yml
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    with:
+      commit: ${{ github.event.pull_request.head.sha }}
+
+  deploy:
+    name: Deploy 🚀
+    uses: ./.github/workflows/__deploy.yml
+    if: ${{ always() && !cancelled() && needs.build.result == 'success' && github.repository == 'jellyfin/jellyfin-web' }}
+    needs:
+      - push-comment
+      - build
+    permissions:
+      contents: read
+      deployments: write
+    secrets: inherit
+    with:
+      # If the PR is from the master branch of a fork, append the fork's name to the branch name
+      branch: ${{ github.event.pull_request.head.repo.full_name != github.repository && github.event.pull_request.head.ref == 'master' && format('{0}/{1}', github.event.pull_request.head.repo.full_name, github.event.pull_request.head.ref) || github.event.pull_request.head.ref }}
+      comment: true
+      commit: ${{ github.event.pull_request.head.sha }}
+
+  run-eslint:
+    name: Run eslint suggestions
+    if: ${{ github.repository == 'jellyfin/jellyfin-web' }}
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Check out Git repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+    
+      - name: Setup node environment
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        with:
+          node-version: 20
+          check-latest: true 
+    
+      - name: Install Node.js dependencies
+        run: npm ci --no-audit
+    
+      - name: Run eslint
+        uses: CatChen/eslint-suggestion-action@09aa3e557bafa4bebe3e026d8808bffff08e67a9 # v4.1.6
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}