From 48dc6f63646295e4d1ec69312e7ec919fe05847b Mon Sep 17 00:00:00 2001 From: Ben Date: Sat, 3 Jan 2026 20:44:23 +0000 Subject: [PATCH 1/9] Shorten name --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1a43091a..e84e1a00 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,4 +1,4 @@ -name: CI & Release Orchestration +name: CI on: push: From 1a8a4510aa185b32eb12524b3d3d7e550796cbbc Mon Sep 17 00:00:00 2001 From: Ben Date: Sat, 3 Jan 2026 20:53:40 +0000 Subject: [PATCH 2/9] Combine doc actions in single yml --- .github/workflows/docs.yml | 48 +++++++++++++++++++++++++++--- .github/workflows/landing-page.yml | 43 -------------------------- 2 files changed, 44 insertions(+), 47 deletions(-) delete mode 100644 .github/workflows/landing-page.yml diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index d762166a..d6a7b618 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -1,12 +1,20 @@ name: "Docs" + on: -- pull_request + push: + branches: + - main + tags: + - '[0-9]+.[0-9]+.[0-9]+' + pull_request: + types: [opened, synchronize, reopened] permissions: contents: read jobs: docs: + name: Documentation runs-on: ubuntu-latest steps: - name: Harden the runner (Audit all outbound calls) 
@@ -22,10 +30,42 @@ jobs: python-version: '3.13' - name: Install documentation requirements - run: "pip install .[docs] && pip install sphinx_design" + run: | + pip install .[docs] + pip install sphinx_design - name: Build docs run: "make -C doc html" - - name: Build landing-page - run: "make -C doc/landing-page html" + landing-page: + name: Landing page + runs-on: ubuntu-latest + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + + - name: Setup Python + uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + with: + python-version: "3.13" + + - name: Install dependencies + run: | + pip install .[docs] + pip install sphinx_design + + - name: Build landing-page + run: "make -C doc/landing-page html" + + - name: Publish + if: github.ref == 'refs/heads/main' + uses: tsunematsu21/actions-publish-gh-pages@c04b531c52b8f9d25c596bc6e6a7ddc116b2f3f8 # v1.0.2 + with: + dir: doc/landing-page/_build/html + repo: dfetch-org/dfetch-org.github.io + branch: main + token: ${{ secrets.GH_DFETCH_ORG_DEPLOY }} diff --git a/.github/workflows/landing-page.yml b/.github/workflows/landing-page.yml deleted file mode 100644 index ea56d26c..00000000 --- a/.github/workflows/landing-page.yml +++ /dev/null 
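Review bot: The new `landing-page` job runs unpinned `pip install` steps and the Sphinx build in the same job as the Publish step that receives `secrets.GH_DFETCH_ORG_DEPLOY`, and with the trigger change in this patch it now also starts for pull requests and tag pushes. The Publish step is protected only by `if: github.ref == 'refs/heads/main'`; tying it to the event as well, `if: github.event_name == 'push' && github.ref == 'refs/heads/main'`, keeps it from running for any other trigger that resolves to main. The bare `actions/checkout` in this job should get `with:` / `persist-credentials: false`, as the checkouts in build.yml and scorecard.yml already have, assuming the publish action authenticates only through its `token` input; the same applies to the `docs` job and the other bare checkouts visible in [PATCH 9/9]. Because `egress-policy: audit` only records outbound calls, this token-holding job is the one where `egress-policy: block` with an `allowed-endpoints` list would pay off.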
@@ -1,43 +0,0 @@ -name: Landing-page - -on: - push: - branches: - - main - - feature/simplify-landing-page - -permissions: - contents: read - -jobs: - publish: - runs-on: ubuntu-latest - steps: - - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 - with: - egress-policy: audit - - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 - - - name: Setup Python - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 - with: - python-version: "3.13" - - - name: Install dependencies - run: | - pip install .[docs] - pip install sphinx_design - - - name: Build landing-page - run: | - cd doc/landing-page - make html - - name: Publish - uses: tsunematsu21/actions-publish-gh-pages@c04b531c52b8f9d25c596bc6e6a7ddc116b2f3f8 # v1.0.2 - with: - dir: doc/landing-page/_build/html - repo: dfetch-org/dfetch-org.github.io - branch: main - token: ${{ secrets.GH_DFETCH_ORG_DEPLOY }} From bbc59e59fbaeb0221a9815669fd3208132bb3533 Mon Sep 17 00:00:00 2001 From: Ben Date: Sat, 3 Jan 2026 21:01:44 +0000 Subject: [PATCH 3/9] Call test job from ci --- .github/workflows/ci.yml | 5 +++++ .github/workflows/test.yml | 6 +----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e84e1a00..4b6f5984 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,3 +36,8 @@ jobs: permissions: contents: read security-events: write + + test: + uses: ./.github/workflows/test.yml + permissions: + contents: read diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 51bf8dfb..eab0edbc 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,11 +1,7 @@ name: Test on: - push: - branches: - - main - pull_request: - types: [opened, synchronize, reopened] + workflow_call: permissions: contents: read 
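Review bot: After the test.yml hunk, `workflow_call` is the only trigger left, so the tests run solely when ci.yml runs. Only `on: push:` of ci.yml's trigger block is visible in this series, so confirm it also covers `pull_request`; otherwise pull requests lose the test gate that the removed `pull_request: types: [opened, synchronize, reopened]` provided. A job run through a reusable workflow is reported under the caller's name, so any required status check in branch protection that still names the old workflow's job should be updated, or it may stay pending. A header comment in test.yml would record the dependency, for example `# Reusable workflow: invoked from ci.yml, which owns the triggers`.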
From fd420d3c85fe3616dfcea3f1147b3fa02e6b420f Mon Sep 17 00:00:00 2001 From: Ben Date: Sat, 3 Jan 2026 21:04:12 +0000 Subject: [PATCH 4/9] Simplify codeql --- .github/workflows/codeql-analysis.yml | 28 +-------------------------- 1 file changed, 1 insertion(+), 27 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 53c47c5f..db1d256e 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -33,14 +33,6 @@ jobs: name: Analyze runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - language: [ 'python' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] - # Learn more... - # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection - steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 
@@ -50,31 +42,13 @@ jobs: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 - # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@17783bfb99b07f70fae080b654aed0c514057477 # v3.30.7 with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main + languages: python - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild uses: github/codeql-action/autobuild@17783bfb99b07f70fae080b654aed0c514057477 # v3.30.7 - # â„šī¸ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl - - # âœī¸ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language - - #- run: | - # make bootstrap - # make release - - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@17783bfb99b07f70fae080b654aed0c514057477 # v3.30.7 From d1705b91a06cbb075b7519681c0b451013fbf478 Mon Sep 17 00:00:00 2001 From: Ben Date: Sat, 3 Jan 2026 21:04:26 +0000 Subject: [PATCH 5/9] Simplify scorecard --- .github/workflows/scorecard.yml | 27 --------------------------- 1 file changed, 27 deletions(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 25155494..23c42f2a 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
@@ -1,7 +1,3 @@ -# This workflow uses actions that are not certified by GitHub. They are provided -# by a third-party and are governed by separate terms of service, privacy -# policy, and support documentation. - name: Scorecard supply-chain security on: # For Branch-Protection check. Only the default branch is supported. See @@ -28,9 +24,6 @@ jobs: security-events: write # Needed to publish results and get a badge (see publish_results below). id-token: write - # Uncomment the permissions below if installing in a private repository. - # contents: read - # actions: read steps: - name: Harden the runner (Audit all outbound calls) @@ -48,26 +41,8 @@ jobs: with: results_file: results.sarif results_format: sarif - # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: - # - you want to enable the Branch-Protection check on a *public* repository, or - # - you are installing Scorecard on a *private* repository - # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. - # repo_token: ${{ secrets.SCORECARD_TOKEN }} - - # Public repositories: - # - Publish results to OpenSSF REST API for easy access by consumers - # - Allows the repository to include the Scorecard badge. - # - See https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories: - # - `publish_results` will always be set to `false`, regardless - # of the value entered here. publish_results: true - # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore - # file_mode: git - - # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF - # format to the repository Actions tab. - name: "Upload artifact" uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: 
@@ -75,8 +50,6 @@ jobs: path: results.sarif retention-days: 5 - # Upload the results to GitHub's code scanning dashboard (optional). - # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@17783bfb99b07f70fae080b654aed0c514057477 # v3.30.7 with: From a55763e9549f026de074798a1e85ab005ea04cbe Mon Sep 17 00:00:00 2001 From: Ben Date: Sat, 3 Jan 2026 21:12:44 +0000 Subject: [PATCH 6/9] Call docs from ci job --- .github/workflows/ci.yml | 5 +++++ .github/workflows/docs.yml | 8 +------- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4b6f5984..3d944255 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -41,3 +41,8 @@ jobs: uses: ./.github/workflows/test.yml permissions: contents: read + + docs: + uses: ./.github/workflows/docs.yml + permissions: + contents: read diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index d6a7b618..77a12103 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -1,13 +1,7 @@ name: "Docs" on: - push: - branches: - - main - tags: - - '[0-9]+.[0-9]+.[0-9]+' - pull_request: - types: [opened, synchronize, reopened] + workflow_call: permissions: contents: read From 079c5464deb1a232d9c81323159bac5f407c869b Mon Sep 17 00:00:00 2001 From: Ben Date: Sat, 3 Jan 2026 21:34:53 +0000 Subject: [PATCH 7/9] Remove unneeded step --- .github/workflows/codeql-analysis.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index db1d256e..f5ccabc0 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
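Review bot: The new `docs` job in ci.yml calls docs.yml without a `secrets:` key, and a reusable workflow only sees secrets that the caller passes. Once docs.yml is `workflow_call`-only (second hunk of this patch), `${{ secrets.GH_DFETCH_ORG_DEPLOY }}` in its Publish step will be empty and publishing from main will presumably fail. Pass the one secret explicitly under the job, `secrets:` / `GH_DFETCH_ORG_DEPLOY: ${{ secrets.GH_DFETCH_ORG_DEPLOY }}`, and declare it under `on: workflow_call: secrets:` in docs.yml. An explicit mapping is preferable to `secrets: inherit`, which would hand every repository secret to the called workflow. The docs.yml hunk also drops the tag-push trigger, so check that ci.yml's own triggers, which are not fully visible here, still cover what the docs build needs.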
@@ -47,8 +47,5 @@ jobs: with: languages: python - - name: Autobuild - uses: github/codeql-action/autobuild@17783bfb99b07f70fae080b654aed0c514057477 # v3.30.7 - - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@17783bfb99b07f70fae080b654aed0c514057477 # v3.30.7 From 8a5fd9f37db8bacf3b2ae8dafaabaf8e2a70fe43 Mon Sep 17 00:00:00 2001 From: Ben Date: Sat, 3 Jan 2026 21:35:11 +0000 Subject: [PATCH 8/9] Update to acutal versions in comments --- .github/workflows/dependency-review.yml | 2 +- .github/workflows/scorecard.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index e4fe8302..c06e2777 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -22,6 +22,6 @@ jobs: egress-policy: audit - name: 'Checkout Repository' - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.3.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 - name: 'Dependency Review' uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 23c42f2a..9b736c99 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -32,7 +32,7 @@ jobs: egress-policy: audit - name: "Checkout code" - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.2.2 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 with: persist-credentials: false From 181fdaddd6d6534c28ed99f01e7e4cec0fd51f3b Mon Sep 17 00:00:00 2001 
From: Ben Date: Sat, 3 Jan 2026 21:48:18 +0000 Subject: [PATCH 9/9] Make sure actions/checkout version comment matches actual tag --- .github/workflows/build.yml | 4 ++-- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/dependency-review.yml | 2 +- .github/workflows/devcontainer.yml | 2 +- .github/workflows/docs.yml | 4 ++-- .github/workflows/python-publish.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/run.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- .github/workflows/test.yml | 2 +- action.yml | 2 +- 11 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 56a80afd..1190d301 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -27,7 +27,7 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false fetch-depth: 0 # Fetches all history and tags @@ -181,7 +181,7 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false fetch-depth: 0 # Fetches all history and tags diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index f5ccabc0..d008353e 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -40,7 +40,7 @@ jobs: egress-policy: audit - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Initialize CodeQL uses: github/codeql-action/init@17783bfb99b07f70fae080b654aed0c514057477 # v3.30.7 
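Review bot: Nothing verifies the version comment next to the pinned SHA: within this series the same `actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8` is labelled v4.3.0 and v4.2.2 (before [PATCH 8/9]), then v5.0.0, and v6.0.1 here. Reviewers read the comment rather than the hash to judge what a pin contains, so confirm the label against the upstream tag before merging. It would also help to have whatever tool bumps the pins maintain the comment, or to add a CI lint that resolves each `uses: …@<sha> # vX.Y.Z` pair. This applies to every hunk of this patch, from build.yml through action.yml. In the run.yml context the `cygwin/cygwin-install-action` pin is labelled `# master`, which cannot be matched to a release at all; a tag or commit date in that comment would make the pin auditable.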
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index c06e2777..83c9c121 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -22,6 +22,6 @@ jobs: egress-policy: audit - name: 'Checkout Repository' - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: 'Dependency Review' uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2 diff --git a/.github/workflows/devcontainer.yml b/.github/workflows/devcontainer.yml index b02bef1c..1355b186 100644 --- a/.github/workflows/devcontainer.yml +++ b/.github/workflows/devcontainer.yml @@ -21,7 +21,7 @@ jobs: egress-policy: audit - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Cache Docker layers uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 77a12103..2438249b 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -16,7 +16,7 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Install Python uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 @@ -40,7 +40,7 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Setup Python uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 8c19f27a..511b11ad 100644 
--- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -25,7 +25,7 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false fetch-depth: 0 # Fetches all history and tags diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4b922896..4278b944 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -24,7 +24,7 @@ jobs: - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: egress-policy: audit - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: '3.13' diff --git a/.github/workflows/run.yml b/.github/workflows/run.yml index ca4ce67d..93fc7959 100644 --- a/.github/workflows/run.yml +++ b/.github/workflows/run.yml @@ -20,7 +20,7 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - uses: cygwin/cygwin-install-action@7d2dc1e241644c3318bed9ec74115d1929baa681 # master @@ -73,7 +73,7 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Setup Python uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 9b736c99..40bf550e 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
@@ -32,7 +32,7 @@ jobs: egress-policy: audit - name: "Checkout code" - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index eab0edbc..5fff9f5c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -15,7 +15,7 @@ jobs: with: egress-policy: audit - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Setup Python uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 diff --git a/action.yml b/action.yml index 8dcf3f8b..0498283e 100644 --- a/action.yml +++ b/action.yml @@ -20,7 +20,7 @@ runs: using: 'composite' steps: - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Setup Python uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: