zizmor/.github/workflows/codegen.yml

127 lines
3.9 KiB
YAML

name: Code generation 🤖
on:
workflow_dispatch:
schedule:
- cron: "0 12 * * 1"
permissions: {}
env:
PR_ASSIGNEES: woodruffw
jobs:
refresh-schemas:
name: Refresh JSON schemas 📈
runs-on: ubuntu-latest
# this job does not make sense on forks
if: ${{ github.repository_owner == 'zizmorcore' }}
permissions:
contents: write # for creating branches
pull-requests: write # for opening PRs
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false
- name: try to refresh schemas
run: |
make refresh-schemas
- name: create PR
uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
with:
draft: true
commit-message: "[BOT] update JSON schemas from SchemaStore"
branch: refresh-schemas
branch-suffix: timestamp
title: "[BOT] update JSON schemas from SchemaStore"
body: |
:robot: :warning: :robot:
This is an automated pull request, updating the embedded JSON
schemas after a SchemaStore change was detected.
Please review manually before merging.
assignees: ${{ env.PR_ASSIGNEES }}
reviewers: ${{ env.PR_ASSIGNEES }}
refresh-context-capabilities:
name: Refresh context capabilities *️⃣
runs-on: ubuntu-latest
# this job does not make sense on forks
if: ${{ github.repository_owner == 'zizmorcore' }}
permissions:
contents: write # for creating branches
pull-requests: write # for opening PRs
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false
- uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
- name: try to refresh context capabilities
run: |
make webhooks-to-contexts
- name: create PR
uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
with:
draft: true
commit-message: "[BOT] update context capabilities"
branch: refresh-context-capabilities
branch-suffix: timestamp
title: "[BOT] update context-capabilities from GitHub webhooks"
body: |
:robot: :warning: :robot:
This is an automated pull request, updating the
context capabilities CSV after a change to GitHub's
webhooks was detected.
Please review manually before merging.
assignees: ${{ env.PR_ASSIGNEES }}
reviewers: ${{ env.PR_ASSIGNEES }}
refresh-codeql-injection-sinks:
name: Refresh CodeQL injection sinks 🚰
runs-on: ubuntu-latest
permissions:
contents: write # for creating branches
pull-requests: write # for opening PRs
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false
- uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
- name: try to refresh CodeQL injection sinks
run: |
make codeql-injection-sinks
- name: create PR
uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
with:
draft: true
commit-message: "[BOT] update CodeQL injection sinks"
branch: refresh-codeql-injection-sinks
branch-suffix: timestamp
title: "[BOT] update CodeQL injection sinks from GitHub"
body: |
:robot: :warning: :robot:
This is an automated pull request, updating the CodeQL
injection sinks after a change to GitHub's CodeQL
models was detected.
Please review manually before merging.
assignees: ${{ env.PR_ASSIGNEES }}
reviewers: ${{ env.PR_ASSIGNEES }}