zizmor/.github/workflows/codegen.yml

name: Code generation 🤖

on:
  workflow_dispatch:
  schedule:
    - cron: '0 12 * * 1'

permissions: {}

env:
  PR_ASSIGNEES: woodruffw

jobs:
  refresh-schemas:
    name: Refresh JSON schemas 📈
    runs-on: ubuntu-latest
    # this job does not make sense on forks
    if: ${{ github.repository_owner == 'zizmorcore' }}

    permissions:
      contents: write # for creating branches
      pull-requests: write # for opening PRs

    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

      - name: try to refresh schemas
        run: |
          make refresh-schemas

      - name: create PR
        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          commit-message: "[BOT] update JSON schemas from SchemaStore"
          branch: refresh-schemas
          branch-suffix: timestamp
          title: "[BOT] update JSON schemas from SchemaStore"
          body: |
            :robot: :warning: :robot:

            This is an automated pull request, updating the embedded JSON
            schemas after a SchemaStore change was detected.

            Please review manually before merging.
          assignees: ${{ env.PR_ASSIGNEES }}
          reviewers: ${{ env.PR_ASSIGNEES }}

  refresh-context-capabilities:
    name: Refresh context capabilities *️⃣
    runs-on: ubuntu-latest
    # this job does not make sense on forks
    if: ${{ github.repository_owner == 'zizmorcore' }}

    permissions:
      contents: write # for creating branches
      pull-requests: write # for opening PRs

    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

      - uses: astral-sh/setup-uv@d9e0f98d3fc6adb07d1e3d37f3043649ddad06a1 # v6.5.0

      - name: try to refresh context capabilities
        run: |
          make webhooks-to-contexts

      - name: create PR
        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          commit-message: "[BOT] update context capabilities"
          branch: refresh-context-capabilities
          branch-suffix: timestamp
          title: "[BOT] update context-capabilities from GitHub webhooks"
          body: |
            :robot: :warning: :robot:

            This is an automated pull request, updating the
            context capabilities CSV after a change to GitHub's
            webhooks was detected.

            Please review manually before merging.
          assignees: ${{ env.PR_ASSIGNEES }}
          reviewers: ${{ env.PR_ASSIGNEES }}


  refresh-codeql-injection-sinks:
    name: Refresh CodeQL injection sinks 🚰
    runs-on: ubuntu-latest

    permissions:
      contents: write # for creating branches
      pull-requests: write # for opening PRs

    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

      - uses: astral-sh/setup-uv@d9e0f98d3fc6adb07d1e3d37f3043649ddad06a1 # v6.5.0

      - name: try to refresh CodeQL injection sinks
        run: |
          make codeql-injection-sinks

      - name: create PR
        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          commit-message: "[BOT] update CodeQL injection sinks"
          branch: refresh-codeql-injection-sinks
          branch-suffix: timestamp
          title: "[BOT] update CodeQL injection sinks from GitHub"
          body: |
            :robot: :warning: :robot:

            This is an automated pull request, updating the CodeQL
            injection sinks after a change to GitHub's CodeQL
            models was detected.

            Please review manually before merging.
          assignees: ${{ env.PR_ASSIGNEES }}
          reviewers: ${{ env.PR_ASSIGNEES }}