zizmor/.github/workflows/codegen.yml

name: Code generation 🤖

on:
  workflow_dispatch:
  schedule:
    - cron: "0 12 * * 1"

permissions: {}

env:
  PR_ASSIGNEES: woodruffw

jobs:
  refresh-schemas:
    name: Refresh JSON schemas 📈
    runs-on: ubuntu-latest
    # this job does not make sense on forks
    if: ${{ github.repository_owner == 'zizmorcore' }}

    permissions:
      contents: write # for creating branches
      pull-requests: write # for opening PRs

    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: try to refresh schemas
        run: |
          make refresh-schemas

      - name: create PR
        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          draft: true
          commit-message: "[BOT] update JSON schemas from SchemaStore"
          branch: refresh-schemas
          branch-suffix: timestamp
          title: "[BOT] update JSON schemas from SchemaStore"
          body: |
            :robot: :warning: :robot:

            This is an automated pull request, updating the embedded JSON
            schemas after a SchemaStore change was detected.

            Please review manually before merging.
          assignees: ${{ env.PR_ASSIGNEES }}
          reviewers: ${{ env.PR_ASSIGNEES }}

  refresh-context-capabilities:
    name: Refresh context capabilities *️⃣
    runs-on: ubuntu-latest
    # this job does not make sense on forks
    if: ${{ github.repository_owner == 'zizmorcore' }}

    permissions:
      contents: write # for creating branches
      pull-requests: write # for opening PRs

    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6

      - name: try to refresh context capabilities
        run: |
          make webhooks-to-contexts

      - name: create PR
        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          draft: true
          commit-message: "[BOT] update context capabilities"
          branch: refresh-context-capabilities
          branch-suffix: timestamp
          title: "[BOT] update context-capabilities from GitHub webhooks"
          body: |
            :robot: :warning: :robot:

            This is an automated pull request, updating the
            context capabilities CSV after a change to GitHub's
            webhooks was detected.

            Please review manually before merging.
          assignees: ${{ env.PR_ASSIGNEES }}
          reviewers: ${{ env.PR_ASSIGNEES }}

  refresh-codeql-injection-sinks:
    name: Refresh CodeQL injection sinks 🚰
    runs-on: ubuntu-latest

    permissions:
      contents: write # for creating branches
      pull-requests: write # for opening PRs

    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6

      - name: try to refresh CodeQL injection sinks
        run: |
          make codeql-injection-sinks

      - name: create PR
        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          draft: true
          commit-message: "[BOT] update CodeQL injection sinks"
          branch: refresh-codeql-injection-sinks
          branch-suffix: timestamp
          title: "[BOT] update CodeQL injection sinks from GitHub"
          body: |
            :robot: :warning: :robot:

            This is an automated pull request, updating the CodeQL
            injection sinks after a change to GitHub's CodeQL
            models was detected.

            Please review manually before merging.
          assignees: ${{ env.PR_ASSIGNEES }}
          reviewers: ${{ env.PR_ASSIGNEES }}