From dd3be612e3df1450de40a74fadc6df3c2885e9b1 Mon Sep 17 00:00:00 2001 From: Marc Cornellà Date: Wed, 20 Dec 2023 10:21:31 +0100 Subject: ci(dependencies): add automation for updating external dependencies (#12109) --- .github/workflows/dependencies.yml | 26 ++ .github/workflows/dependencies/updater.py | 450 ++++++++++++++++++++++++++++++ 2 files changed, 476 insertions(+) create mode 100644 .github/workflows/dependencies.yml create mode 100644 .github/workflows/dependencies/updater.py (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml new file mode 100644 index 000000000..c27ad7998 --- /dev/null +++ b/.github/workflows/dependencies.yml @@ -0,0 +1,26 @@ +name: Update dependencies +on: + workflow_dispatch: {} + # schedule: + # - cron: '34 3 * * */8' + +jobs: + check: + name: Check for updates + runs-on: ubuntu-latest + steps: + - name: Checkout + if: github.repository == 'ohmyzsh/ohmyzsh' + uses: actions/checkout@v4 + - name: Authenticate as @ohmyzsh + uses: ohmyzsh/github-app-token@v2 + with: + app-id: ${{ secrets.OHMYZSH_APP_ID }} + private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} + - name: Process dependencies + env: + GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} + TMP_DIR: ${{ env.RUNNER_TEMP }} + run: | + gh auth login --with-token <<< "${GITHUB_TOKEN}" + python3 .github/workflows/dependencies/updater.py diff --git a/.github/workflows/dependencies/updater.py b/.github/workflows/dependencies/updater.py new file mode 100644 index 000000000..5af19d14c --- /dev/null +++ b/.github/workflows/dependencies/updater.py @@ -0,0 +1,450 @@ +import os +import subprocess +import sys +import requests +import shutil +import yaml +from copy import deepcopy +from typing import Optional, TypedDict + +# Get TMP_DIR variable from environment +TMP_DIR = os.path.join(os.environ.get("TMP_DIR", "/tmp"), "ohmyzsh") +# Relative path to dependencies.yml file +DEPS_YAML_FILE = ".github/dependencies.yml" +# Dry run flag +DRY_RUN = os.environ.get("DRY_RUN", "0") == "1" + +import timeit +class CodeTimer: + def __init__(self, name=None): + self.name = " '" + name + "'" if name else '' + + def __enter__(self): + self.start = timeit.default_timer() + + def __exit__(self, exc_type, exc_value, traceback): + self.took = (timeit.default_timer() - self.start) * 1000.0 + print('Code block' + self.name + ' took: ' + str(self.took) + ' ms') + + +### YAML representation +def str_presenter(dumper, data): + """ + Configures yaml for dumping multiline strings + Ref: https://stackoverflow.com/a/33300001 + """ + if len(data.splitlines()) > 1: # check for multiline string + return dumper.represent_scalar('tag:yaml.org,2002:str', data, style='|') + return dumper.represent_scalar('tag:yaml.org,2002:str', data) + +yaml.add_representer(str, str_presenter) +yaml.representer.SafeRepresenter.add_representer(str, str_presenter) + + +# Types +class DependencyDict(TypedDict): + repo: str + branch: str + version: str + precopy: Optional[str] + postcopy: Optional[str] + +class DependencyYAML(TypedDict): + dependencies: dict[str, DependencyDict] + +class UpdateStatus(TypedDict): + has_updates: bool + version: Optional[str] + compare_url: Optional[str] + head_ref: Optional[str] + head_url: Optional[str] + + +class CommandRunner: + class Exception(Exception): + def __init__(self, message, returncode, stage, stdout, stderr): + super().__init__(message) + self.returncode = returncode + self.stage = stage + self.stdout = stdout + self.stderr = stderr + + @staticmethod + def run_or_fail(command: list[str], stage: str, *args, **kwargs): + if DRY_RUN and command[0] == "gh": + command.insert(0, "echo") + + result = subprocess.run(command, *args, capture_output=True, **kwargs) + + if result.returncode != 0: + raise CommandRunner.Exception( + f"{stage} command failed with exit code {result.returncode}", returncode=result.returncode, + stage=stage, + stdout=result.stdout.decode("utf-8"), + stderr=result.stderr.decode("utf-8") + ) + + return result + + +class DependencyStore: + store: DependencyYAML = { + "dependencies": {} + } + + @staticmethod + def set(data: DependencyYAML): + DependencyStore.store = data + + @staticmethod + def update_dependency_version(path: str, version: str) -> DependencyYAML: + with CodeTimer(f"store deepcopy: {path}"): + store_copy = deepcopy(DependencyStore.store) + + dependency = store_copy["dependencies"].get(path, {}) + dependency["version"] = version + store_copy["dependencies"][path] = dependency + + return store_copy + + @staticmethod + def write_store(file: str, data: DependencyYAML): + with open(file, "w") as yaml_file: + yaml.safe_dump(data, yaml_file, sort_keys=False) + + +class Dependency: + def __init__(self, path: str, values: DependencyDict): + self.path = path + self.values = values + + self.name: str = "" + self.desc: str = "" + self.kind: str = "" + + match path.split("/"): + case ["plugins", name]: + self.name = name + self.kind = "plugin" + self.desc = f"{name} plugin" + case ["themes", name]: + self.name = name.replace(".zsh-theme", "") + self.kind = "theme" + self.desc = f"{self.name} theme" + case _: + self.name = self.desc = path + + def __str__(self): + output: str = "" + for key in DependencyDict.__dict__['__annotations__'].keys(): + if key not in self.values: + output += f"{key}: None\n" + continue + + value = self.values[key] + if "\n" not in value: + output += f"{key}: {value}\n" + else: + output += f"{key}:\n " + output += value.replace("\n", "\n ", value.count("\n") - 1) + return output + + def update_or_notify(self): + # Print dependency settings + print(f"Processing {self.desc}...", file=sys.stderr) + print(self, file=sys.stderr) + + # Check for updates + repo = self.values["repo"] + remote_branch = self.values["branch"] + version = self.values["version"] + is_tag = version.startswith("tag:") + + try: + with CodeTimer(f"update check: {repo}"): + if is_tag: + status = GitHub.check_newer_tag(repo, version.replace("tag:", "")) + else: + status = GitHub.check_updates(repo, remote_branch, version) + + if status["has_updates"]: + short_sha = status["head_ref"][:8] + new_version = status["version"] if is_tag else short_sha + + try: + # Create new branch + branch = Git.create_branch(self.path, new_version) + + # Update dependencies.yml file + self.__update_yaml(f"tag:{new_version}" if is_tag else status["version"]) + + # Update dependency files + self.__apply_upstream_changes() + + # Add all changes and commit + Git.add_and_commit(self.name, short_sha) + + # Push changes to remote + Git.push(branch) + + # Create GitHub PR + GitHub.create_pr( + branch, + f"feat({self.name}): update to version {new_version}", + f"""## Description + +Update for **{self.desc}**: update to version [{new_version}]({status['head_url']}). +Check out the [list of changes]({status['compare_url']}). +""" + ) + + # Clean up repository + Git.clean_repo() + except (CommandRunner.Exception, shutil.Error) as e: + # Handle exception on automatic update + match type(e): + case CommandRunner.Exception: + # Print error message + print(f"Error running {e.stage} command: {e.returncode}", file=sys.stderr) + print(e.stderr, file=sys.stderr) + case shutil.Error: + print(f"Error copying files: {e}", file=sys.stderr) + + try: + Git.clean_repo() + except CommandRunner.Exception as e: + print(f"Error reverting repository to clean state: {e}", file=sys.stderr) + sys.exit(1) + + # Create a GitHub issue to notify maintainer + title = f"{self.path}: update to {new_version}" + body = ( + f"""## Description + +There is a new version of `{self.name}` {self.kind} available. + +New version: [{new_version}]({status['head_url']}) +Check out the [list of changes]({status['compare_url']}). +""" + ) + + print(f"Creating GitHub issue", file=sys.stderr) + print(f"{title}\n\n{body}", file=sys.stderr) + GitHub.create_issue(title, body) + except Exception as e: + print(e, file=sys.stderr) + + def __update_yaml(self, new_version: str) -> None: + dep_yaml = DependencyStore.update_dependency_version(self.path, new_version) + DependencyStore.write_store(DEPS_YAML_FILE, dep_yaml) + + def __apply_upstream_changes(self) -> None: + # Patterns to ignore in copying files from upstream repo + GLOBAL_IGNORE = [ + ".git", + ".github", + ".gitignore" + ] + + path = os.path.abspath(self.path) + precopy = self.values.get("precopy") + postcopy = self.values.get("postcopy") + + repo = self.values["repo"] + branch = self.values["branch"] + remote_url = f"https://github.com/{repo}.git" + repo_dir = os.path.join(TMP_DIR, repo) + + # Clone repository + Git.clone(remote_url, branch, repo_dir, reclone=True) + + # Run precopy on tmp repo + if precopy is not None: + print("Running precopy script:", end="\n ", file=sys.stderr) + print(precopy.replace("\n", "\n ", precopy.count("\n") - 1), file=sys.stderr) + CommandRunner.run_or_fail(["bash", "-c", precopy], cwd=repo_dir, stage="Precopy") + + # Copy files from upstream repo + print(f"Copying files from {repo_dir} to {path}", file=sys.stderr) + shutil.copytree(repo_dir, path, dirs_exist_ok=True, ignore=shutil.ignore_patterns(*GLOBAL_IGNORE)) + + # Run postcopy on our repository + if postcopy is not None: + print("Running postcopy script:", end="\n ", file=sys.stderr) + print(postcopy.replace("\n", "\n ", postcopy.count("\n") - 1), file=sys.stderr) + CommandRunner.run_or_fail(["bash", "-c", postcopy], cwd=path, stage="Postcopy") + + +class Git: + default_branch = "master" + + @staticmethod + def clone(remote_url: str, branch: str, repo_dir: str, reclone=False): + # If repo needs to be fresh + if reclone and os.path.exists(repo_dir): + shutil.rmtree(repo_dir) + + # Clone repo in tmp directory and checkout branch + if not os.path.exists(repo_dir): + print(f"Cloning {remote_url} to {repo_dir} and checking out {branch}", file=sys.stderr) + CommandRunner.run_or_fail(["git", "clone", "--depth=1", "-b", branch, remote_url, repo_dir], stage="Clone") + + @staticmethod + def create_branch(path: str, version: str): + # Get current branch name + result = CommandRunner.run_or_fail(["git", "rev-parse", "--abbrev-ref", "HEAD"], stage="GetDefaultBranch") + Git.default_branch = result.stdout.decode("utf-8").strip() + + # Create new branch and return created branch name + branch_name = f"update/{path}/{version}" + CommandRunner.run_or_fail(["git", "checkout", "-b", branch_name], stage="CreateBranch") + return branch_name + + @staticmethod + def add_and_commit(scope: str, version: str): + user_name = "ohmyzsh" + user_email = "bot@ohmyz.sh" + + # Add all files to git staging + CommandRunner.run_or_fail(["git", "add", "-A", "-v"], stage="AddFiles") + + # Reset environment and git config + clean_env = os.environ.copy() + clean_env["LANG"]="C.UTF-8" + clean_env["GIT_CONFIG_GLOBAL"]="/dev/null" + clean_env["GIT_CONFIG_NOSYSTEM"]="1" + + # Commit with settings above + CommandRunner.run_or_fail([ + "git", + "-c", f"user.name={user_name}", + "-c", f"user.email={user_email}", + "commit", + "-m", f"feat({scope}): update to {version}" + ], stage="CreateCommit", env=clean_env) + + @staticmethod + def push(branch: str): + CommandRunner.run_or_fail(["git", "push", "-u", "origin", branch], stage="PushBranch") + + @staticmethod + def clean_repo(): + CommandRunner.run_or_fail(["git", "reset", "--hard", "HEAD"], stage="ResetRepository") + CommandRunner.run_or_fail(["git", "checkout", Git.default_branch], stage="CheckoutDefaultBranch") + + +class GitHub: + @staticmethod + def check_newer_tag(repo, current_tag) -> UpdateStatus: + # GET /repos/:owner/:repo/git/refs/tags + url = f"https://api.github.com/repos/{repo}/git/refs/tags" + + # Send a GET request to the GitHub API + response = requests.get(url) + + # If the request was successful + if response.status_code == 200: + # Parse the JSON response + data = response.json() + + if len(data) == 0: + return { + "has_updates": False, + } + + latest_ref = data[-1] + latest_tag = latest_ref["ref"].replace("refs/tags/", "") + + if latest_tag == current_tag: + return { + "has_updates": False, + } + + return { + "has_updates": True, + "version": latest_tag, + "compare_url": f"https://github.com/{repo}/compare/{current_tag}...{latest_tag}", + "head_ref": latest_ref["object"]["sha"], + "head_url": f"https://github.com/{repo}/releases/tag/{latest_tag}", + } + else: + # If the request was not successful, raise an exception + raise Exception(f"GitHub API request failed with status code {response.status_code}: {response.json()}") + + @staticmethod + def check_updates(repo, branch, version) -> UpdateStatus: + # TODO: add support for semver updating (based on tags) + # Check if upstream github repo has a new version + # GitHub API URL for comparing two commits + url = f"https://api.github.com/repos/{repo}/compare/{version}...{branch}" + + # Send a GET request to the GitHub API + response = requests.get(url) + + # If the request was successful + if response.status_code == 200: + # Parse the JSON response + data = response.json() + + # If the base is behind the head, there is a newer version + has_updates = data["status"] != "identical" + + if not has_updates: + return { + "has_updates": False, + } + + return { + "has_updates": data["status"] != "identical", + "version": data["commits"][-1]["sha"], + "compare_url": data["permalink_url"], + "head_ref": data["commits"][-1]["sha"], + "head_url": data["commits"][-1]["html_url"] + } + else: + # If the request was not successful, raise an exception + raise Exception(f"GitHub API request failed with status code {response.status_code}: {response.json()}") + + @staticmethod + def create_issue(title: str, body: str) -> None: + cmd = [ + "gh", + "issue", + "create", + "-t", title, + "-b", body + ] + CommandRunner.run_or_fail(cmd, stage="CreateIssue") + + @staticmethod + def create_pr(branch: str, title: str, body: str) -> None: + cmd = [ + "gh", + "pr", + "create", + "-B", Git.default_branch, + "-H", branch, + "-t", title, + "-b", body + ] + CommandRunner.run_or_fail(cmd, stage="CreatePullRequest") + + +def main(): + # Load the YAML file + with open(DEPS_YAML_FILE, "r") as yaml_file: + data: DependencyYAML = yaml.safe_load(yaml_file) + + if "dependencies" not in data: + raise Exception(f"dependencies.yml not properly formatted") + + # Cache YAML version + DependencyStore.set(data) + + dependencies = data["dependencies"] + for path in dependencies: + dependency = Dependency(path, dependencies[path]) + dependency.update_or_notify() + +if __name__ == "__main__": + main() -- cgit v1.2.3-70-g09d2 From 0bb00eddbbc25564b5329899fcdfcd28153da720 Mon Sep 17 00:00:00 2001 From: Carlo Sala Date: Wed, 20 Dec 2023 19:38:25 +0100 Subject: ci(dependencies): fix typo --- .github/workflows/dependencies.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index c27ad7998..aab740126 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -15,8 +15,8 @@ jobs: - name: Authenticate as @ohmyzsh uses: ohmyzsh/github-app-token@v2 with: - app-id: ${{ secrets.OHMYZSH_APP_ID }} - private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} + app_id: ${{ secrets.OHMYZSH_APP_ID }} + private_key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} - name: Process dependencies env: GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} -- cgit v1.2.3-70-g09d2 From 46b24d409909cdc00ac441448c0aa31cc35d12c9 Mon Sep 17 00:00:00 2001 From: Carlo Sala Date: Thu, 28 Dec 2023 21:20:28 +0100 Subject: ci(dependencies): fix some envs and add requirements --- .github/workflows/dependencies.yml | 11 +++++++---- .github/workflows/dependencies/requirements.txt | 2 ++ .github/workflows/dependencies/updater.py | 4 ++-- 3 files changed, 11 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/dependencies/requirements.txt (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index aab740126..2e2217e1c 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -8,19 +8,22 @@ jobs: check: name: Check for updates runs-on: ubuntu-latest + if: github.repository == 'ohmyzsh/ohmyzsh' steps: - name: Checkout - if: github.repository == 'ohmyzsh/ohmyzsh' uses: actions/checkout@v4 - name: Authenticate as @ohmyzsh + id: generate_token uses: ohmyzsh/github-app-token@v2 with: app_id: ${{ secrets.OHMYZSH_APP_ID }} private_key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} - name: Process dependencies env: - GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} - TMP_DIR: ${{ env.RUNNER_TEMP }} + GH_TOKEN: ${{ steps.generate_token.outputs.token }} + GIT_APP_NAME: ohmyzsh[bot] + GIT_APP_EMAIL: 54982679+ohmyzsh[bot]@users.noreply.github.com + TMP_DIR: ${{ runner.temp }} run: | - gh auth login --with-token <<< "${GITHUB_TOKEN}" + pip install -r .github/workflows/dependencies/requirements.txt python3 .github/workflows/dependencies/updater.py diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt new file mode 100644 index 000000000..3c4c149ea --- /dev/null +++ b/.github/workflows/dependencies/requirements.txt @@ -0,0 +1,2 @@ +PyYAML~=6.0.1 +requests~=2.31.0 diff --git a/.github/workflows/dependencies/updater.py b/.github/workflows/dependencies/updater.py index 5af19d14c..f54d316f9 100644 --- a/.github/workflows/dependencies/updater.py +++ b/.github/workflows/dependencies/updater.py @@ -302,8 +302,8 @@ class Git: @staticmethod def add_and_commit(scope: str, version: str): - user_name = "ohmyzsh" - user_email = "bot@ohmyz.sh" + user_name = os.environ.get("GIT_APP_NAME") + user_email = os.environ.get("GIT_APP_EMAIL") # Add all files to git staging CommandRunner.run_or_fail(["git", "add", "-A", "-v"], stage="AddFiles") -- cgit v1.2.3-70-g09d2 From 544eb17e33454dbfb758683cc37bc3ab50661f98 Mon Sep 17 00:00:00 2001 From: Carlo Sala Date: Thu, 28 Dec 2023 21:21:09 +0100 Subject: ci(project): use ohmyzsh's bot credentials --- .github/workflows/project.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml index 1d961d8c0..2c2a1cdaa 100644 --- a/.github/workflows/project.yml +++ b/.github/workflows/project.yml @@ -15,9 +15,15 @@ jobs: name: Add to project runs-on: ubuntu-latest if: github.repository == 'ohmyzsh/ohmyzsh' - env: - GITHUB_TOKEN: ${{ secrets.PROJECT_TOKEN }} steps: + - name: Authenticate as @ohmyzsh + id: generate_token + uses: ohmyzsh/github-app-token@v2 + with: + app_id: ${{ secrets.OHMYZSH_APP_ID }} + private_key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} + - name: Store app token + run: echo "GH_TOKEN=${{ steps.generate_token.outputs.token }}" >> "$GITHUB_ENV" - name: Read project data env: ORGANIZATION: ohmyzsh -- cgit v1.2.3-70-g09d2 From f9bbf6047b35ff00ea398857d2a09ffea5cd8bfa Mon Sep 17 00:00:00 2001 From: Raphael Boidol Date: Tue, 13 Feb 2024 17:32:44 +0100 Subject: ci: bump `actions/checkout` version (#12210) --- .github/workflows/installer.yml | 4 ++-- .github/workflows/main.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/installer.yml b/.github/workflows/installer.yml index cad5d445b..5593c9175 100644 --- a/.github/workflows/installer.yml +++ b/.github/workflows/installer.yml @@ -26,7 +26,7 @@ jobs: - macos-latest steps: - name: Set up git repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Install zsh if: runner.os == 'Linux' run: sudo apt-get update; sudo apt-get install zsh @@ -42,7 +42,7 @@ jobs: - test steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Install Vercel CLI run: npm install -g vercel - name: Setup project and deploy diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index de7d98262..264ac31f3 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -24,7 +24,7 @@ jobs: if: github.repository == 'ohmyzsh/ohmyzsh' steps: - name: Set up git repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Install zsh run: sudo apt-get update; sudo apt-get install zsh - name: Check syntax -- cgit v1.2.3-70-g09d2 From 83110e8ce16cd3c6bd85e7f96a920d114f598df1 Mon Sep 17 00:00:00 2001 From: Carlo Sala Date: Thu, 9 May 2024 17:19:43 +0200 Subject: chore(dependencies): update requirements.txt --- .github/workflows/dependencies/requirements.txt | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 3c4c149ea..0ef3e54ca 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,2 +1,6 @@ -PyYAML~=6.0.1 -requests~=2.31.0 +certifi==2024.2.2 +charset-normalizer==3.3.2 +idna==3.7 +PyYAML==6.0.1 +requests==2.31.0 +urllib3==2.2.1 -- cgit v1.2.3-70-g09d2 From 13c8a10e39d60c078193d403b253270cdc4abc80 Mon Sep 17 00:00:00 2001 From: Carlo Sala Date: Thu, 9 May 2024 17:20:09 +0200 Subject: style(dependencies): run `ruff` formatter --- .editorconfig | 3 + .github/workflows/dependencies/updater.py | 788 ++++++++++++++++-------------- 2 files changed, 420 insertions(+), 371 deletions(-) (limited to '.github/workflows') diff --git a/.editorconfig b/.editorconfig index b5321de59..b349bcc42 100644 --- a/.editorconfig +++ b/.editorconfig @@ -6,3 +6,6 @@ insert_final_newline = true charset = utf-8 indent_size = 2 indent_style = space + +[*.py] +indent_size = 4 diff --git a/.github/workflows/dependencies/updater.py b/.github/workflows/dependencies/updater.py index f54d316f9..765cb26fe 100644 --- a/.github/workflows/dependencies/updater.py +++ b/.github/workflows/dependencies/updater.py @@ -1,12 +1,14 @@ import os +import shutil import subprocess import sys -import requests -import shutil -import yaml +import timeit from copy import deepcopy from typing import Optional, TypedDict +import requests +import yaml + # Get TMP_DIR variable from environment TMP_DIR = os.path.join(os.environ.get("TMP_DIR", "/tmp"), "ohmyzsh") # Relative path to dependencies.yml file @@ -14,28 +16,29 @@ DEPS_YAML_FILE = ".github/dependencies.yml" # Dry run flag DRY_RUN = os.environ.get("DRY_RUN", "0") == "1" -import timeit + class CodeTimer: - def __init__(self, name=None): - self.name = " '" + name + "'" if name else '' + def __init__(self, name=None): + self.name = " '" + name + "'" if name else "" - def __enter__(self): - self.start = timeit.default_timer() + def __enter__(self): + self.start = timeit.default_timer() - def __exit__(self, exc_type, exc_value, traceback): - self.took = (timeit.default_timer() - self.start) * 1000.0 - print('Code block' + self.name + ' took: ' + str(self.took) + ' ms') + def __exit__(self, exc_type, exc_value, traceback): + self.took = (timeit.default_timer() - self.start) * 1000.0 + print("Code block" + self.name + " took: " + str(self.took) + " ms") ### YAML representation def str_presenter(dumper, data): - """ - Configures yaml for dumping multiline strings - Ref: https://stackoverflow.com/a/33300001 - """ - if len(data.splitlines()) > 1: # check for multiline string - return dumper.represent_scalar('tag:yaml.org,2002:str', data, style='|') - return dumper.represent_scalar('tag:yaml.org,2002:str', data) + """ + Configures yaml for dumping multiline strings + Ref: https://stackoverflow.com/a/33300001 + """ + if len(data.splitlines()) > 1: # check for multiline string + return dumper.represent_scalar("tag:yaml.org,2002:str", data, style="|") + return dumper.represent_scalar("tag:yaml.org,2002:str", data) + yaml.add_representer(str, str_presenter) yaml.representer.SafeRepresenter.add_representer(str, str_presenter) @@ -43,408 +46,451 @@ yaml.representer.SafeRepresenter.add_representer(str, str_presenter) # Types class DependencyDict(TypedDict): - repo: str - branch: str - version: str - precopy: Optional[str] - postcopy: Optional[str] + repo: str + branch: str + version: str + precopy: Optional[str] + postcopy: Optional[str] + class DependencyYAML(TypedDict): - dependencies: dict[str, DependencyDict] + dependencies: dict[str, DependencyDict] + class UpdateStatus(TypedDict): - has_updates: bool - version: Optional[str] - compare_url: Optional[str] - head_ref: Optional[str] - head_url: Optional[str] + has_updates: bool + version: Optional[str] + compare_url: Optional[str] + head_ref: Optional[str] + head_url: Optional[str] class CommandRunner: - class Exception(Exception): - def __init__(self, message, returncode, stage, stdout, stderr): - super().__init__(message) - self.returncode = returncode - self.stage = stage - self.stdout = stdout - self.stderr = stderr + class Exception(Exception): + def __init__(self, message, returncode, stage, stdout, stderr): + super().__init__(message) + self.returncode = returncode + self.stage = stage + self.stdout = stdout + self.stderr = stderr - @staticmethod - def run_or_fail(command: list[str], stage: str, *args, **kwargs): - if DRY_RUN and command[0] == "gh": - command.insert(0, "echo") + @staticmethod + def run_or_fail(command: list[str], stage: str, *args, **kwargs): + if DRY_RUN and command[0] == "gh": + command.insert(0, "echo") - result = subprocess.run(command, *args, capture_output=True, **kwargs) + result = subprocess.run(command, *args, capture_output=True, **kwargs) - if result.returncode != 0: - raise CommandRunner.Exception( - f"{stage} command failed with exit code {result.returncode}", returncode=result.returncode, - stage=stage, - stdout=result.stdout.decode("utf-8"), - stderr=result.stderr.decode("utf-8") - ) + if result.returncode != 0: + raise CommandRunner.Exception( + f"{stage} command failed with exit code {result.returncode}", + returncode=result.returncode, + stage=stage, + stdout=result.stdout.decode("utf-8"), + stderr=result.stderr.decode("utf-8"), + ) - return result + return result class DependencyStore: - store: DependencyYAML = { - "dependencies": {} - } + store: DependencyYAML = {"dependencies": {}} - @staticmethod - def set(data: DependencyYAML): - DependencyStore.store = data + @staticmethod + def set(data: DependencyYAML): + DependencyStore.store = data - @staticmethod - def update_dependency_version(path: str, version: str) -> DependencyYAML: - with CodeTimer(f"store deepcopy: {path}"): - store_copy = deepcopy(DependencyStore.store) + @staticmethod + def update_dependency_version(path: str, version: str) -> DependencyYAML: + with CodeTimer(f"store deepcopy: {path}"): + store_copy = deepcopy(DependencyStore.store) - dependency = store_copy["dependencies"].get(path, {}) - dependency["version"] = version - store_copy["dependencies"][path] = dependency + dependency = store_copy["dependencies"].get(path, {}) + dependency["version"] = version + store_copy["dependencies"][path] = dependency - return store_copy + return store_copy - @staticmethod - def write_store(file: str, data: DependencyYAML): - with open(file, "w") as yaml_file: - yaml.safe_dump(data, yaml_file, sort_keys=False) + @staticmethod + def write_store(file: str, data: DependencyYAML): + with open(file, "w") as yaml_file: + yaml.safe_dump(data, yaml_file, sort_keys=False) class Dependency: - def __init__(self, path: str, values: DependencyDict): - self.path = path - self.values = values - - self.name: str = "" - self.desc: str = "" - self.kind: str = "" - - match path.split("/"): - case ["plugins", name]: - self.name = name - self.kind = "plugin" - self.desc = f"{name} plugin" - case ["themes", name]: - self.name = name.replace(".zsh-theme", "") - self.kind = "theme" - self.desc = f"{self.name} theme" - case _: - self.name = self.desc = path - - def __str__(self): - output: str = "" - for key in DependencyDict.__dict__['__annotations__'].keys(): - if key not in self.values: - output += f"{key}: None\n" - continue - - value = self.values[key] - if "\n" not in value: - output += f"{key}: {value}\n" - else: - output += f"{key}:\n " - output += value.replace("\n", "\n ", value.count("\n") - 1) - return output - - def update_or_notify(self): - # Print dependency settings - print(f"Processing {self.desc}...", file=sys.stderr) - print(self, file=sys.stderr) - - # Check for updates - repo = self.values["repo"] - remote_branch = self.values["branch"] - version = self.values["version"] - is_tag = version.startswith("tag:") - - try: - with CodeTimer(f"update check: {repo}"): - if is_tag: - status = GitHub.check_newer_tag(repo, version.replace("tag:", "")) - else: - status = GitHub.check_updates(repo, remote_branch, version) - - if status["has_updates"]: - short_sha = status["head_ref"][:8] - new_version = status["version"] if is_tag else short_sha + def __init__(self, path: str, values: DependencyDict): + self.path = path + self.values = values + + self.name: str = "" + self.desc: str = "" + self.kind: str = "" + + match path.split("/"): + case ["plugins", name]: + self.name = name + self.kind = "plugin" + self.desc = f"{name} plugin" + case ["themes", name]: + self.name = name.replace(".zsh-theme", "") + self.kind = "theme" + self.desc = f"{self.name} theme" + case _: + self.name = self.desc = path + + def __str__(self): + output: str = "" + for key in DependencyDict.__dict__["__annotations__"].keys(): + if key not in self.values: + output += f"{key}: None\n" + continue + + value = self.values[key] + if "\n" not in value: + output += f"{key}: {value}\n" + else: + output += f"{key}:\n " + output += value.replace("\n", "\n ", value.count("\n") - 1) + return output + + def update_or_notify(self): + # Print dependency settings + print(f"Processing {self.desc}...", file=sys.stderr) + print(self, file=sys.stderr) + + # Check for updates + repo = self.values["repo"] + remote_branch = self.values["branch"] + version = self.values["version"] + is_tag = version.startswith("tag:") try: - # Create new branch - branch = Git.create_branch(self.path, new_version) + with CodeTimer(f"update check: {repo}"): + if is_tag: + status = GitHub.check_newer_tag(repo, version.replace("tag:", "")) + else: + status = GitHub.check_updates(repo, remote_branch, version) - # Update dependencies.yml file - self.__update_yaml(f"tag:{new_version}" if is_tag else status["version"]) + if status["has_updates"]: + short_sha = status["head_ref"][:8] + new_version = status["version"] if is_tag else short_sha - # Update dependency files - self.__apply_upstream_changes() + try: + # Create new branch + branch = Git.create_branch(self.path, new_version) - # Add all changes and commit - Git.add_and_commit(self.name, short_sha) + # Update dependencies.yml file + self.__update_yaml( + f"tag:{new_version}" if is_tag else status["version"] + ) - # Push changes to remote - Git.push(branch) + # Update dependency files + self.__apply_upstream_changes() - # Create GitHub PR - GitHub.create_pr( - branch, - f"feat({self.name}): update to version {new_version}", - f"""## Description + # Add all changes and commit + Git.add_and_commit(self.name, short_sha) + + # Push changes to remote + Git.push(branch) + + # Create GitHub PR + GitHub.create_pr( + branch, + f"feat({self.name}): update to version {new_version}", + f"""## Description Update for **{self.desc}**: update to version [{new_version}]({status['head_url']}). Check out the [list of changes]({status['compare_url']}). -""" - ) - - # Clean up repository - Git.clean_repo() - except (CommandRunner.Exception, shutil.Error) as e: - # Handle exception on automatic update - match type(e): - case CommandRunner.Exception: - # Print error message - print(f"Error running {e.stage} command: {e.returncode}", file=sys.stderr) - print(e.stderr, file=sys.stderr) - case shutil.Error: - print(f"Error copying files: {e}", file=sys.stderr) - - try: - Git.clean_repo() - except CommandRunner.Exception as e: - print(f"Error reverting repository to clean state: {e}", file=sys.stderr) - sys.exit(1) - - # Create a GitHub issue to notify maintainer - title = f"{self.path}: update to {new_version}" - body = ( - f"""## Description +""", + ) + + # Clean up repository + Git.clean_repo() + except (CommandRunner.Exception, shutil.Error) as e: + # Handle exception on automatic update + match type(e): + case CommandRunner.Exception: + # Print error message + print( + f"Error running {e.stage} command: {e.returncode}", + file=sys.stderr, + ) + print(e.stderr, file=sys.stderr) + case shutil.Error: + print(f"Error copying files: {e}", file=sys.stderr) + + try: + Git.clean_repo() + except CommandRunner.Exception as e: + print( + f"Error reverting repository to clean state: {e}", + file=sys.stderr, + ) + sys.exit(1) + + # Create a GitHub issue to notify maintainer + title = f"{self.path}: update to {new_version}" + body = f"""## Description There is a new version of `{self.name}` {self.kind} available. New version: [{new_version}]({status['head_url']}) Check out the [list of changes]({status['compare_url']}). """ - ) - - print(f"Creating GitHub issue", file=sys.stderr) - print(f"{title}\n\n{body}", file=sys.stderr) - GitHub.create_issue(title, body) - except Exception as e: - print(e, file=sys.stderr) - - def __update_yaml(self, new_version: str) -> None: - dep_yaml = DependencyStore.update_dependency_version(self.path, new_version) - DependencyStore.write_store(DEPS_YAML_FILE, dep_yaml) - - def __apply_upstream_changes(self) -> None: - # Patterns to ignore in copying files from upstream repo - GLOBAL_IGNORE = [ - ".git", - ".github", - ".gitignore" - ] - - path = os.path.abspath(self.path) - precopy = self.values.get("precopy") - postcopy = self.values.get("postcopy") - - repo = self.values["repo"] - branch = self.values["branch"] - remote_url = f"https://github.com/{repo}.git" - repo_dir = os.path.join(TMP_DIR, repo) - - # Clone repository - Git.clone(remote_url, branch, repo_dir, reclone=True) - - # Run precopy on tmp repo - if precopy is not None: - print("Running precopy script:", end="\n ", file=sys.stderr) - print(precopy.replace("\n", "\n ", precopy.count("\n") - 1), file=sys.stderr) - CommandRunner.run_or_fail(["bash", "-c", precopy], cwd=repo_dir, stage="Precopy") - - # Copy files from upstream repo - print(f"Copying files from {repo_dir} to {path}", file=sys.stderr) - shutil.copytree(repo_dir, path, dirs_exist_ok=True, ignore=shutil.ignore_patterns(*GLOBAL_IGNORE)) - - # Run postcopy on our repository - if postcopy is not None: - print("Running postcopy script:", end="\n ", file=sys.stderr) - print(postcopy.replace("\n", "\n ", postcopy.count("\n") - 1), file=sys.stderr) - CommandRunner.run_or_fail(["bash", "-c", postcopy], cwd=path, stage="Postcopy") + + print("Creating GitHub issue", file=sys.stderr) + print(f"{title}\n\n{body}", file=sys.stderr) + GitHub.create_issue(title, body) + except Exception as e: + print(e, file=sys.stderr) + + def __update_yaml(self, new_version: str) -> None: + dep_yaml = DependencyStore.update_dependency_version(self.path, new_version) + DependencyStore.write_store(DEPS_YAML_FILE, dep_yaml) + + def __apply_upstream_changes(self) -> None: + # Patterns to ignore in copying files from upstream repo + GLOBAL_IGNORE = [".git", ".github", ".gitignore"] + + path = os.path.abspath(self.path) + precopy = self.values.get("precopy") + postcopy = self.values.get("postcopy") + + repo = self.values["repo"] + branch = self.values["branch"] + remote_url = f"https://github.com/{repo}.git" + repo_dir = os.path.join(TMP_DIR, repo) + + # Clone repository + Git.clone(remote_url, branch, repo_dir, reclone=True) + + # Run precopy on tmp repo + if precopy is not None: + print("Running precopy script:", end="\n ", file=sys.stderr) + print( + precopy.replace("\n", "\n ", precopy.count("\n") - 1), file=sys.stderr + ) + CommandRunner.run_or_fail( + ["bash", "-c", precopy], cwd=repo_dir, stage="Precopy" + ) + + # Copy files from upstream repo + print(f"Copying files from {repo_dir} to {path}", file=sys.stderr) + shutil.copytree( + repo_dir, + path, + dirs_exist_ok=True, + ignore=shutil.ignore_patterns(*GLOBAL_IGNORE), + ) + + # Run postcopy on our repository + if postcopy is not None: + print("Running postcopy script:", end="\n ", file=sys.stderr) + print( + postcopy.replace("\n", "\n ", postcopy.count("\n") - 1), + file=sys.stderr, + ) + CommandRunner.run_or_fail( + ["bash", "-c", postcopy], cwd=path, stage="Postcopy" + ) class Git: - default_branch = "master" - - @staticmethod - def clone(remote_url: str, branch: str, repo_dir: str, reclone=False): - # If repo needs to be fresh - if reclone and os.path.exists(repo_dir): - shutil.rmtree(repo_dir) - - # Clone repo in tmp directory and checkout branch - if not os.path.exists(repo_dir): - print(f"Cloning {remote_url} to {repo_dir} and checking out {branch}", file=sys.stderr) - CommandRunner.run_or_fail(["git", "clone", "--depth=1", "-b", branch, remote_url, repo_dir], stage="Clone") - - @staticmethod - def create_branch(path: str, version: str): - # Get current branch name - result = CommandRunner.run_or_fail(["git", "rev-parse", "--abbrev-ref", "HEAD"], stage="GetDefaultBranch") - Git.default_branch = result.stdout.decode("utf-8").strip() - - # Create new branch and return created branch name - branch_name = f"update/{path}/{version}" - CommandRunner.run_or_fail(["git", "checkout", "-b", branch_name], stage="CreateBranch") - return branch_name - - @staticmethod - def add_and_commit(scope: str, version: str): - user_name = os.environ.get("GIT_APP_NAME") - user_email = os.environ.get("GIT_APP_EMAIL") - - # Add all files to git staging - CommandRunner.run_or_fail(["git", "add", "-A", "-v"], stage="AddFiles") - - # Reset environment and git config - clean_env = os.environ.copy() - clean_env["LANG"]="C.UTF-8" - clean_env["GIT_CONFIG_GLOBAL"]="/dev/null" - clean_env["GIT_CONFIG_NOSYSTEM"]="1" - - # Commit with settings above - CommandRunner.run_or_fail([ - "git", - "-c", f"user.name={user_name}", - "-c", f"user.email={user_email}", - "commit", - "-m", f"feat({scope}): update to {version}" - ], stage="CreateCommit", env=clean_env) - - @staticmethod - def push(branch: str): - CommandRunner.run_or_fail(["git", "push", "-u", "origin", branch], stage="PushBranch") - - @staticmethod - def clean_repo(): - CommandRunner.run_or_fail(["git", "reset", "--hard", "HEAD"], stage="ResetRepository") - CommandRunner.run_or_fail(["git", "checkout", Git.default_branch], stage="CheckoutDefaultBranch") + default_branch = "master" + + @staticmethod + def clone(remote_url: str, branch: str, repo_dir: str, reclone=False): + # If repo needs to be fresh + if reclone and os.path.exists(repo_dir): + shutil.rmtree(repo_dir) + + # Clone repo in tmp directory and checkout branch + if not os.path.exists(repo_dir): + print( + f"Cloning {remote_url} to {repo_dir} and checking out {branch}", + file=sys.stderr, + ) + CommandRunner.run_or_fail( + ["git", "clone", "--depth=1", "-b", branch, remote_url, repo_dir], + stage="Clone", + ) + + @staticmethod + def create_branch(path: str, version: str): + # Get current branch name + result = CommandRunner.run_or_fail( + ["git", "rev-parse", "--abbrev-ref", "HEAD"], stage="GetDefaultBranch" + ) + Git.default_branch = result.stdout.decode("utf-8").strip() + + # Create new branch and return created branch name + branch_name = f"update/{path}/{version}" + CommandRunner.run_or_fail( + ["git", "checkout", "-b", branch_name], stage="CreateBranch" + ) + return branch_name + + @staticmethod + def add_and_commit(scope: str, version: str): + user_name = os.environ.get("GIT_APP_NAME") + user_email = os.environ.get("GIT_APP_EMAIL") + + # Add all files to git staging + CommandRunner.run_or_fail(["git", "add", "-A", "-v"], stage="AddFiles") + + # Reset environment and git config + clean_env = os.environ.copy() + clean_env["LANG"] = "C.UTF-8" + clean_env["GIT_CONFIG_GLOBAL"] = "/dev/null" + clean_env["GIT_CONFIG_NOSYSTEM"] = "1" + + # Commit with settings above + CommandRunner.run_or_fail( + [ + "git", + "-c", + f"user.name={user_name}", + "-c", + f"user.email={user_email}", + "commit", + "-m", + f"feat({scope}): update to {version}", + ], + stage="CreateCommit", + env=clean_env, + ) + + @staticmethod + def push(branch: str): + CommandRunner.run_or_fail( + ["git", "push", "-u", "origin", branch], stage="PushBranch" + ) + + @staticmethod + def clean_repo(): + CommandRunner.run_or_fail( + ["git", "reset", "--hard", "HEAD"], stage="ResetRepository" + ) + CommandRunner.run_or_fail( + ["git", "checkout", Git.default_branch], stage="CheckoutDefaultBranch" + ) class GitHub: - @staticmethod - def check_newer_tag(repo, current_tag) -> UpdateStatus: - # GET /repos/:owner/:repo/git/refs/tags - url = f"https://api.github.com/repos/{repo}/git/refs/tags" - - # Send a GET request to the GitHub API - response = requests.get(url) - - # If the request was successful - if response.status_code == 200: - # Parse the JSON response - data = response.json() - - if len(data) == 0: - return { - "has_updates": False, - } - - latest_ref = data[-1] - latest_tag = latest_ref["ref"].replace("refs/tags/", "") - - if latest_tag == current_tag: - return { - "has_updates": False, - } - - return { - "has_updates": True, - "version": latest_tag, - "compare_url": f"https://github.com/{repo}/compare/{current_tag}...{latest_tag}", - "head_ref": latest_ref["object"]["sha"], - "head_url": f"https://github.com/{repo}/releases/tag/{latest_tag}", - } - else: - # If the request was not successful, raise an exception - raise Exception(f"GitHub API request failed with status code {response.status_code}: {response.json()}") - - @staticmethod - def check_updates(repo, branch, version) -> UpdateStatus: - # TODO: add support for semver updating (based on tags) - # Check if upstream github repo has a new version - # GitHub API URL for comparing two commits - url = f"https://api.github.com/repos/{repo}/compare/{version}...{branch}" - - # Send a GET request to the GitHub API - response = requests.get(url) - - # If the request was successful - if response.status_code == 200: - # Parse the JSON response - data = response.json() - - # If the base is behind the head, there is a newer version - has_updates = data["status"] != "identical" - - if not has_updates: - return { - "has_updates": False, - } - - return { - "has_updates": data["status"] != "identical", - "version": data["commits"][-1]["sha"], - "compare_url": data["permalink_url"], - "head_ref": data["commits"][-1]["sha"], - "head_url": data["commits"][-1]["html_url"] - } - else: - # If the request was not successful, raise an exception - raise Exception(f"GitHub API request failed with status code {response.status_code}: {response.json()}") - - @staticmethod - def create_issue(title: str, body: str) -> None: - cmd = [ - "gh", - "issue", - "create", - "-t", title, - "-b", body - ] - CommandRunner.run_or_fail(cmd, stage="CreateIssue") - - @staticmethod - def create_pr(branch: str, title: str, body: str) -> None: - cmd = [ - "gh", - "pr", - "create", - "-B", Git.default_branch, - "-H", branch, - "-t", title, - "-b", body - ] - CommandRunner.run_or_fail(cmd, stage="CreatePullRequest") + @staticmethod + def check_newer_tag(repo, current_tag) -> UpdateStatus: + # GET /repos/:owner/:repo/git/refs/tags + url = f"https://api.github.com/repos/{repo}/git/refs/tags" + + # Send a GET request to the GitHub API + response = requests.get(url) + + # If the request was successful + if response.status_code == 200: + # Parse the JSON response + data = response.json() + + if len(data) == 0: + return { + "has_updates": False, + } + + latest_ref = data[-1] + latest_tag = latest_ref["ref"].replace("refs/tags/", "") + + if latest_tag == current_tag: + return { + "has_updates": False, + } + + return { + "has_updates": True, + "version": latest_tag, + "compare_url": f"https://github.com/{repo}/compare/{current_tag}...{latest_tag}", + "head_ref": latest_ref["object"]["sha"], + "head_url": f"https://github.com/{repo}/releases/tag/{latest_tag}", + } + else: + # If the request was not successful, raise an exception + raise Exception( + f"GitHub API request failed with status code {response.status_code}: {response.json()}" + ) + + @staticmethod + def check_updates(repo, branch, version) -> UpdateStatus: + # TODO: add support for semver updating (based on tags) + # Check if upstream github repo has a new version + # GitHub API URL for comparing two commits + url = f"https://api.github.com/repos/{repo}/compare/{version}...{branch}" + + # Send a GET request to the GitHub API + response = requests.get(url) + + # If the request was successful + if response.status_code == 200: + # Parse the JSON response + data = response.json() + + # If the base is behind the head, there is a newer version + has_updates = data["status"] != "identical" + + if not has_updates: + return { + "has_updates": False, + } + + return { + "has_updates": data["status"] != "identical", + "version": data["commits"][-1]["sha"], + "compare_url": data["permalink_url"], + "head_ref": data["commits"][-1]["sha"], + "head_url": data["commits"][-1]["html_url"], + } + else: + # If the request was not successful, raise an exception + raise Exception( + f"GitHub API request failed with status code {response.status_code}: {response.json()}" + ) + + @staticmethod + def create_issue(title: str, body: str) -> None: + cmd = ["gh", "issue", "create", "-t", title, "-b", body] + CommandRunner.run_or_fail(cmd, stage="CreateIssue") + + @staticmethod + def create_pr(branch: str, title: str, body: str) -> None: + cmd = [ + "gh", + "pr", + "create", + "-B", + Git.default_branch, + "-H", + branch, + "-t", + title, + "-b", + body, + ] + CommandRunner.run_or_fail(cmd, stage="CreatePullRequest") def main(): - # Load the YAML file - with open(DEPS_YAML_FILE, "r") as yaml_file: - data: DependencyYAML = yaml.safe_load(yaml_file) + # Load the YAML file + with open(DEPS_YAML_FILE, "r") as yaml_file: + data: DependencyYAML = yaml.safe_load(yaml_file) + + if "dependencies" not in data: + raise Exception("dependencies.yml not properly formatted") - if "dependencies" not in data: - raise Exception(f"dependencies.yml not properly formatted") + # Cache YAML version + DependencyStore.set(data) - # Cache YAML version - DependencyStore.set(data) + dependencies = data["dependencies"] + for path in dependencies: + dependency = Dependency(path, dependencies[path]) + dependency.update_or_notify() - dependencies = data["dependencies"] - for path in dependencies: - dependency = Dependency(path, dependencies[path]) - dependency.update_or_notify() if __name__ == "__main__": - main() + main() -- cgit v1.2.3-70-g09d2 From a258eb4547e610899162526f754ce1bf88027112 Mon Sep 17 00:00:00 2001 From: Carlo Sala Date: Thu, 9 May 2024 18:27:01 +0200 Subject: fix(dependencies): improve typing --- .github/workflows/dependencies/updater.py | 36 ++++++++++++++++++------------- 1 file changed, 21 insertions(+), 15 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/updater.py b/.github/workflows/dependencies/updater.py index 765cb26fe..9754cdf83 100644 --- a/.github/workflows/dependencies/updater.py +++ b/.github/workflows/dependencies/updater.py @@ -4,7 +4,7 @@ import subprocess import sys import timeit from copy import deepcopy -from typing import Optional, TypedDict +from typing import Literal, NotRequired, TypedDict import requests import yaml @@ -49,20 +49,24 @@ class DependencyDict(TypedDict): repo: str branch: str version: str - precopy: Optional[str] - postcopy: Optional[str] + precopy: NotRequired[str] + postcopy: NotRequired[str] class DependencyYAML(TypedDict): dependencies: dict[str, DependencyDict] -class UpdateStatus(TypedDict): - has_updates: bool - version: Optional[str] - compare_url: Optional[str] - head_ref: Optional[str] - head_url: Optional[str] +class UpdateStatusFalse(TypedDict): + has_updates: Literal[False] + + +class UpdateStatusTrue(TypedDict): + has_updates: Literal[True] + version: str + compare_url: str + head_ref: str + head_url: str class CommandRunner: @@ -105,7 +109,9 @@ class DependencyStore: with CodeTimer(f"store deepcopy: {path}"): store_copy = deepcopy(DependencyStore.store) - dependency = store_copy["dependencies"].get(path, {}) + dependency = store_copy["dependencies"].get(path) + if dependency is None: + raise ValueError(f"Dependency {path} {version} not found") dependency["version"] = version store_copy["dependencies"][path] = dependency @@ -171,7 +177,7 @@ class Dependency: else: status = GitHub.check_updates(repo, remote_branch, version) - if status["has_updates"]: + if status["has_updates"] is True: short_sha = status["head_ref"][:8] new_version = status["version"] if is_tag else short_sha @@ -212,10 +218,10 @@ Check out the [list of changes]({status['compare_url']}). case CommandRunner.Exception: # Print error message print( - f"Error running {e.stage} command: {e.returncode}", + f"Error running {e.stage} command: {e.returncode}", # pyright: ignore[reportAttributeAccessIssue] file=sys.stderr, ) - print(e.stderr, file=sys.stderr) + print(e.stderr, file=sys.stderr) # pyright: ignore[reportAttributeAccessIssue] case shutil.Error: print(f"Error copying files: {e}", file=sys.stderr) @@ -378,7 +384,7 @@ class Git: class GitHub: @staticmethod - def check_newer_tag(repo, current_tag) -> UpdateStatus: + def check_newer_tag(repo, current_tag) -> UpdateStatusFalse | UpdateStatusTrue: # GET /repos/:owner/:repo/git/refs/tags url = f"https://api.github.com/repos/{repo}/git/refs/tags" @@ -417,7 +423,7 @@ class GitHub: ) @staticmethod - def check_updates(repo, branch, version) -> UpdateStatus: + def check_updates(repo, branch, version) -> UpdateStatusFalse | UpdateStatusTrue: # TODO: add support for semver updating (based on tags) # Check if upstream github repo has a new version # GitHub API URL for comparing two commits -- cgit v1.2.3-70-g09d2 From 423b9a8ded10b0d4a81d6134c4045d0b7e077eb5 Mon Sep 17 00:00:00 2001 From: Carlo Sala Date: Thu, 9 May 2024 19:20:11 +0200 Subject: feat(dependencies): add support for semver tags --- .github/workflows/dependencies/requirements.txt | 1 + .github/workflows/dependencies/updater.py | 62 ++++++++++++++++++++++--- 2 files changed, 57 insertions(+), 6 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 0ef3e54ca..7e840a74c 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -3,4 +3,5 @@ charset-normalizer==3.3.2 idna==3.7 PyYAML==6.0.1 requests==2.31.0 +semver==3.0.2 urllib3==2.2.1 diff --git a/.github/workflows/dependencies/updater.py b/.github/workflows/dependencies/updater.py index 9754cdf83..7e8e92ca9 100644 --- a/.github/workflows/dependencies/updater.py +++ b/.github/workflows/dependencies/updater.py @@ -1,13 +1,15 @@ import os +import re import shutil import subprocess import sys import timeit from copy import deepcopy -from typing import Literal, NotRequired, TypedDict +from typing import Literal, NotRequired, Optional, TypedDict import requests import yaml +from semver import Version # Get TMP_DIR variable from environment TMP_DIR = os.path.join(os.environ.get("TMP_DIR", "/tmp"), "ohmyzsh") @@ -16,6 +18,35 @@ DEPS_YAML_FILE = ".github/dependencies.yml" # Dry run flag DRY_RUN = os.environ.get("DRY_RUN", "0") == "1" +# utils for tag comparison +BASEVERSION = re.compile( + r"""[vV]? + (?P(0|[1-9])\d*) + (\. + (?P(0|[1-9])\d*) + (\. + (?P(0|[1-9])\d*) + )? + )? + """, + re.VERBOSE, +) + + +def coerce(version: str) -> Optional[Version]: + match = BASEVERSION.search(version) + if not match: + return None + + # BASEVERSION looks for `MAJOR.minor.patch` in the string given + # it fills with None if any of them is missing (for example `2.1`) + ver = { + key: 0 if value is None else value for key, value in match.groupdict().items() + } + # Version takes `major`, `minor`, `patch` arguments + ver = Version(**ver) # pyright: ignore[reportArgumentType] + return ver + class CodeTimer: def __init__(self, name=None): @@ -390,6 +421,11 @@ class GitHub: # Send a GET request to the GitHub API response = requests.get(url) + current_version = coerce(current_tag) + if current_version is None: + raise ValueError( + f"Stored {current_version} from {repo} does not follow semver" + ) # If the request was successful if response.status_code == 200: @@ -401,10 +437,27 @@ class GitHub: "has_updates": False, } - latest_ref = data[-1] + latest_ref = None + latest_version: Optional[Version] = None + for ref in data: + # we find the tag since GitHub returns it as plain git ref + tag_version = coerce(ref["ref"].replace("refs/tags/", "")) + if tag_version is None: + # we skip every tag that is not semver-complaint + continue + if latest_version is None or tag_version.compare(latest_version) > 0: + # if we have a "greater" semver version, set it as latest + latest_version = tag_version + latest_ref = ref + + # raise if no valid semver tag is found + if latest_ref is None or latest_version is None: + raise ValueError(f"No tags following semver found in {repo}") + + # we get the tag since GitHub returns it as plain git ref latest_tag = latest_ref["ref"].replace("refs/tags/", "") - if latest_tag == current_tag: + if latest_version.compare(current_version) <= 0: return { "has_updates": False, } @@ -424,9 +477,6 @@ class GitHub: @staticmethod def check_updates(repo, branch, version) -> UpdateStatusFalse | UpdateStatusTrue: - # TODO: add support for semver updating (based on tags) - # Check if upstream github repo has a new version - # GitHub API URL for comparing two commits url = f"https://api.github.com/repos/{repo}/compare/{version}...{branch}" # Send a GET request to the GitHub API -- cgit v1.2.3-70-g09d2 From eb2ff84a2c8ae45b90d36e367c6bd6bc01f8464d Mon Sep 17 00:00:00 2001 From: Carlo Sala Date: Thu, 9 May 2024 19:52:50 +0200 Subject: fix(dependencies): avoid creating PR if it's already there --- .github/workflows/dependencies/updater.py | 42 ++++++++++++++++++++++++++----- 1 file changed, 36 insertions(+), 6 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/updater.py b/.github/workflows/dependencies/updater.py index 7e8e92ca9..6fa32e378 100644 --- a/.github/workflows/dependencies/updater.py +++ b/.github/workflows/dependencies/updater.py @@ -1,3 +1,4 @@ +import json import os import re import shutil @@ -213,8 +214,10 @@ class Dependency: new_version = status["version"] if is_tag else short_sha try: + branch_name = f"update/{self.path}/{new_version}" + # Create new branch - branch = Git.create_branch(self.path, new_version) + branch = Git.checkout_or_create_branch(branch_name) # Update dependencies.yml file self.__update_yaml( @@ -353,7 +356,7 @@ class Git: ) @staticmethod - def create_branch(path: str, version: str): + def checkout_or_create_branch(branch_name: str): # Get current branch name result = CommandRunner.run_or_fail( ["git", "rev-parse", "--abbrev-ref", "HEAD"], stage="GetDefaultBranch" @@ -361,10 +364,16 @@ class Git: Git.default_branch = result.stdout.decode("utf-8").strip() # Create new branch and return created branch name - branch_name = f"update/{path}/{version}" - CommandRunner.run_or_fail( - ["git", "checkout", "-b", branch_name], stage="CreateBranch" - ) + try: + # try to checkout already existing branch + CommandRunner.run_or_fail( + ["git", "checkout", branch_name], stage="CreateBranch" + ) + except CommandRunner.Exception: + # otherwise create new branch + CommandRunner.run_or_fail( + ["git", "checkout", "-b", branch_name], stage="CreateBranch" + ) return branch_name @staticmethod @@ -515,6 +524,27 @@ class GitHub: @staticmethod def create_pr(branch: str, title: str, body: str) -> None: + # first of all let's check if PR is already open + check_cmd = [ + "gh", + "pr", + "list", + "--state", + "open", + "--head", + branch, + "--json", + "title", + ] + # returncode is 0 also if no PRs are found + output = json.loads( + CommandRunner.run_or_fail(check_cmd, stage="CheckPullRequestOpen") + .stdout.decode("utf-8") + .strip() + ) + # we have PR in this case! + if len(output) > 0: + return cmd = [ "gh", "pr", -- cgit v1.2.3-70-g09d2 From eff648aab021df0407dcd86126d2ab9db950d0f2 Mon Sep 17 00:00:00 2001 From: Carlo Sala Date: Thu, 9 May 2024 17:41:59 +0200 Subject: ci(dependencies): use `setup-python` and enable cron-based jobs --- .github/workflows/dependencies.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index 2e2217e1c..fce666e4c 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -1,8 +1,8 @@ name: Update dependencies on: workflow_dispatch: {} - # schedule: - # - cron: '34 3 * * */8' + schedule: + - cron: '34 3 * * */8' jobs: check: @@ -18,6 +18,11 @@ jobs: with: app_id: ${{ secrets.OHMYZSH_APP_ID }} private_key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} + - name: Setup Python + uses: actions/setup-python@v5 + with: + python-version: "3.12" + cache: "pip" - name: Process dependencies env: GH_TOKEN: ${{ steps.generate_token.outputs.token }} -- cgit v1.2.3-70-g09d2 From 1d31ff603706007e69aefe2c9ca198658e35b5dc Mon Sep 17 00:00:00 2001 From: Carlo Sala Date: Sun, 12 May 2024 12:30:22 +0200 Subject: ci(dependencies): fetch all branches --- .github/workflows/dependencies.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index fce666e4c..6bc8dc74d 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -2,7 +2,7 @@ name: Update dependencies on: workflow_dispatch: {} schedule: - - cron: '34 3 * * */8' + - cron: "34 3 * * */8" jobs: check: @@ -12,6 +12,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + fetch-depth: 0 - name: Authenticate as @ohmyzsh id: generate_token uses: ohmyzsh/github-app-token@v2 -- cgit v1.2.3-70-g09d2 From 0493eab8ce02c4988a16cbe27ad61a20ed8a89df Mon Sep 17 00:00:00 2001 From: Carlo Sala Date: Sun, 12 May 2024 12:40:45 +0200 Subject: fix(dependencies): check if repo is clean before committing --- .github/workflows/dependencies/updater.py | 36 ++++++++++++++++++------------- 1 file changed, 21 insertions(+), 15 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/updater.py b/.github/workflows/dependencies/updater.py index 6fa32e378..4533b7aeb 100644 --- a/.github/workflows/dependencies/updater.py +++ b/.github/workflows/dependencies/updater.py @@ -390,21 +390,27 @@ class Git: clean_env["GIT_CONFIG_GLOBAL"] = "/dev/null" clean_env["GIT_CONFIG_NOSYSTEM"] = "1" - # Commit with settings above - CommandRunner.run_or_fail( - [ - "git", - "-c", - f"user.name={user_name}", - "-c", - f"user.email={user_email}", - "commit", - "-m", - f"feat({scope}): update to {version}", - ], - stage="CreateCommit", - env=clean_env, - ) + # check if repo is clean (clean => no error, no commit) + try: + CommandRunner.run_or_fail( + ["git", "diff", "--exit-code"], stage="CheckRepoClean", env=clean_env + ) + except CommandRunner.Exception: + # Commit with settings above + CommandRunner.run_or_fail( + [ + "git", + "-c", + f"user.name={user_name}", + "-c", + f"user.email={user_email}", + "commit", + "-m", + f"feat({scope}): update to {version}", + ], + stage="CreateCommit", + env=clean_env, + ) @staticmethod def push(branch: str): -- cgit v1.2.3-70-g09d2 From 0621944db50aec931850806644b673e39b650163 Mon Sep 17 00:00:00 2001 From: Carlo Sala Date: Tue, 21 May 2024 20:43:26 +0200 Subject: fix(dependencies): only open PR if there are changes --- .github/workflows/dependencies/updater.py | 78 +++++++++++++++++-------------- 1 file changed, 44 insertions(+), 34 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/updater.py b/.github/workflows/dependencies/updater.py index 4533b7aeb..e64d69939 100644 --- a/.github/workflows/dependencies/updater.py +++ b/.github/workflows/dependencies/updater.py @@ -228,21 +228,22 @@ class Dependency: self.__apply_upstream_changes() # Add all changes and commit - Git.add_and_commit(self.name, short_sha) + has_new_commit = Git.add_and_commit(self.name, short_sha) - # Push changes to remote - Git.push(branch) + if has_new_commit: + # Push changes to remote + Git.push(branch) - # Create GitHub PR - GitHub.create_pr( - branch, - f"feat({self.name}): update to version {new_version}", - f"""## Description + # Create GitHub PR + GitHub.create_pr( + branch, + f"feat({self.name}): update to version {new_version}", + f"""## Description -Update for **{self.desc}**: update to version [{new_version}]({status['head_url']}). -Check out the [list of changes]({status['compare_url']}). -""", - ) + Update for **{self.desc}**: update to version [{new_version}]({status['head_url']}). + Check out the [list of changes]({status['compare_url']}). + """, + ) # Clean up repository Git.clean_repo() @@ -377,7 +378,21 @@ class Git: return branch_name @staticmethod - def add_and_commit(scope: str, version: str): + def add_and_commit(scope: str, version: str) -> bool: + """ + Returns `True` if there were changes and were indeed commited. + Returns `False` if the repo was clean and no changes were commited. + """ + # check if repo is clean (clean => no error, no commit) + try: + CommandRunner.run_or_fail( + ["git", "diff", "--exit-code"], stage="CheckRepoClean" + ) + return False + except CommandRunner.Exception: + # if it's other kind of error just throw! + pass + user_name = os.environ.get("GIT_APP_NAME") user_email = os.environ.get("GIT_APP_EMAIL") @@ -390,27 +405,22 @@ class Git: clean_env["GIT_CONFIG_GLOBAL"] = "/dev/null" clean_env["GIT_CONFIG_NOSYSTEM"] = "1" - # check if repo is clean (clean => no error, no commit) - try: - CommandRunner.run_or_fail( - ["git", "diff", "--exit-code"], stage="CheckRepoClean", env=clean_env - ) - except CommandRunner.Exception: - # Commit with settings above - CommandRunner.run_or_fail( - [ - "git", - "-c", - f"user.name={user_name}", - "-c", - f"user.email={user_email}", - "commit", - "-m", - f"feat({scope}): update to {version}", - ], - stage="CreateCommit", - env=clean_env, - ) + # Commit with settings above + CommandRunner.run_or_fail( + [ + "git", + "-c", + f"user.name={user_name}", + "-c", + f"user.email={user_email}", + "commit", + "-m", + f"feat({scope}): update to {version}", + ], + stage="CreateCommit", + env=clean_env, + ) + return True @staticmethod def push(branch: str): -- cgit v1.2.3-70-g09d2 From 04b66b230857fb9bc28af5e7590b09ff79f888fa Mon Sep 17 00:00:00 2001 From: Carlo Sala Date: Tue, 21 May 2024 20:46:54 +0200 Subject: chore(dependencies): PR wording --- .github/workflows/dependencies/updater.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/updater.py b/.github/workflows/dependencies/updater.py index e64d69939..f85c9eda7 100644 --- a/.github/workflows/dependencies/updater.py +++ b/.github/workflows/dependencies/updater.py @@ -240,9 +240,9 @@ class Dependency: f"feat({self.name}): update to version {new_version}", f"""## Description - Update for **{self.desc}**: update to version [{new_version}]({status['head_url']}). - Check out the [list of changes]({status['compare_url']}). - """, +Update for **{self.desc}**: update to version [{new_version}]({status['head_url']}). +Check out the [list of changes]({status['compare_url']}). +""", ) # Clean up repository -- cgit v1.2.3-70-g09d2 From 203369b0f9ec284e06b73f555a14fa5f02be5a0a Mon Sep 17 00:00:00 2001 From: Carlo Sala Date: Wed, 22 May 2024 15:36:03 +0200 Subject: ci(dependencies): run on sunday CET morning --- .github/workflows/dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index 6bc8dc74d..6c7387089 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -2,7 +2,7 @@ name: Update dependencies on: workflow_dispatch: {} schedule: - - cron: "34 3 * * */8" + - cron: "0 6 * * 0" jobs: check: -- cgit v1.2.3-70-g09d2 From c432ca09932bb0c2f2f7f8862b949b0875615724 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Jun 2024 13:40:27 +0200 Subject: chore(deps): bump `urllib3` to 2.2.2 in `dependencies` workflow (#12516) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 7e840a74c..743d838b5 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -4,4 +4,4 @@ idna==3.7 PyYAML==6.0.1 requests==2.31.0 semver==3.0.2 -urllib3==2.2.1 +urllib3==2.2.2 -- cgit v1.2.3-70-g09d2 From a4313db16ab76cfb059d1ca716dae00278672c25 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 28 Jun 2024 11:52:47 +0200 Subject: chore(deps): bump certifi from 2024.2.2 to 2024.6.2 in /.github/workflows/dependencies (#12519) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 743d838b5..8c80c60a2 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,4 +1,4 @@ -certifi==2024.2.2 +certifi==2024.6.2 charset-normalizer==3.3.2 idna==3.7 PyYAML==6.0.1 -- cgit v1.2.3-70-g09d2 From dd4be1b6fb9973d63eba334d8bd92b3da30b3e72 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 28 Jun 2024 11:53:03 +0200 Subject: chore(deps): bump requests from 2.31.0 to 2.32.3 in /.github/workflows/dependencies (#12518) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 8c80c60a2..f8d8d4289 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -2,6 +2,6 @@ certifi==2024.6.2 charset-normalizer==3.3.2 idna==3.7 PyYAML==6.0.1 -requests==2.31.0 +requests==2.32.3 semver==3.0.2 urllib3==2.2.2 -- cgit v1.2.3-70-g09d2 From 608d62b2a5ee7f3af62dd8f31d47c167bf04547f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 6 Jul 2024 20:51:57 +0200 Subject: chore(deps): bump certifi in `dependencies` workflow (#12543) Bumps [certifi](https://github.com/certifi/python-certifi) from 2024.6.2 to 2024.7.4. - [Commits](https://github.com/certifi/python-certifi/compare/2024.06.02...2024.07.04) --- updated-dependencies: - dependency-name: certifi dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index f8d8d4289..f125da542 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,4 +1,4 @@ -certifi==2024.6.2 +certifi==2024.7.4 charset-normalizer==3.3.2 idna==3.7 PyYAML==6.0.1 -- cgit v1.2.3-70-g09d2 From 3476148b19dc0771ec8df75fc29c3364bc90d013 Mon Sep 17 00:00:00 2001 From: Marc Cornellà Date: Tue, 23 Jul 2024 16:16:19 +0200 Subject: chore(dependencies): sort dependencies.yml --- .github/dependencies.yml | 30 +++++++++++++++--------------- .github/workflows/dependencies/.gitignore | 1 + 2 files changed, 16 insertions(+), 15 deletions(-) create mode 100644 .github/workflows/dependencies/.gitignore (limited to '.github/workflows') diff --git a/.github/dependencies.yml b/.github/dependencies.yml index 43ec92fb7..be2d02cd8 100644 --- a/.github/dependencies.yml +++ b/.github/dependencies.yml @@ -7,17 +7,13 @@ dependencies: set -e rm -rf git-completion.plugin.zsh Makefile README.adoc t tools test -e git-completion.zsh && mv -f git-completion.zsh _git - plugins/z: + plugins/gradle: + repo: gradle/gradle-completion branch: master - repo: agkozak/zsh-z - version: afaf2965b41fdc6ca66066e09382726aa0b6aa04 + version: 25da917cf5a88f3e58f05be3868a7b2748c8afe6 precopy: | set -e - test -e README.md && mv -f README.md MANUAL.md - postcopy: | - set -e - test -e _zshz && mv -f _zshz _z - test -e zsh-z.plugin.zsh && mv -f zsh-z.plugin.zsh z.plugin.zsh + find . ! -name _gradle ! -name LICENSE -delete plugins/history-substring-search: repo: zsh-users/zsh-history-substring-search branch: master @@ -29,13 +25,6 @@ dependencies: postcopy: | set -e test -e dependencies/OMZ-README.md && cat dependencies/OMZ-README.md >> README.md - plugins/gradle: - repo: gradle/gradle-completion - branch: master - version: 25da917cf5a88f3e58f05be3868a7b2748c8afe6 - precopy: | - set -e - find . ! -name _gradle ! -name LICENSE -delete plugins/wd: repo: mfaerevaag/wd branch: master @@ -44,3 +33,14 @@ dependencies: set -e rm -r test rm install.sh tty.gif wd.1 + plugins/z: + branch: master + repo: agkozak/zsh-z + version: afaf2965b41fdc6ca66066e09382726aa0b6aa04 + precopy: | + set -e + test -e README.md && mv -f README.md MANUAL.md + postcopy: | + set -e + test -e _zshz && mv -f _zshz _z + test -e zsh-z.plugin.zsh && mv -f zsh-z.plugin.zsh z.plugin.zsh diff --git a/.github/workflows/dependencies/.gitignore b/.github/workflows/dependencies/.gitignore new file mode 100644 index 000000000..1d17dae13 --- /dev/null +++ b/.github/workflows/dependencies/.gitignore @@ -0,0 +1 @@ +.venv -- cgit v1.2.3-70-g09d2 From f1764f8a569a84264ad5a6182721f6ae3bba835d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 11 Aug 2024 19:51:32 +0200 Subject: chore(deps): bump pyyaml from 6.0.1 to 6.0.2 in /.github/workflows/dependencies (#12610) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index f125da542..2a383e14b 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,7 +1,7 @@ certifi==2024.7.4 charset-normalizer==3.3.2 idna==3.7 -PyYAML==6.0.1 +PyYAML==6.0.2 requests==2.32.3 semver==3.0.2 urllib3==2.2.2 -- cgit v1.2.3-70-g09d2 From f622e6a6367b5142c868f554fda968982226e5df Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 25 Aug 2024 17:15:23 +0200 Subject: chore(deps): bump idna from 3.7 to 3.8 in /.github/workflows/dependencies (#12638) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 2a383e14b..81a119844 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,6 +1,6 @@ certifi==2024.7.4 charset-normalizer==3.3.2 -idna==3.7 +idna==3.8 PyYAML==6.0.2 requests==2.32.3 semver==3.0.2 -- cgit v1.2.3-70-g09d2 From b8c69d265257fae88fe504ea43cbcf2728bc1308 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 1 Sep 2024 21:02:04 +0200 Subject: chore(deps): bump certifi in /.github/workflows/dependencies (#12646) Bumps [certifi](https://github.com/certifi/python-certifi) from 2024.7.4 to 2024.8.30. - [Commits](https://github.com/certifi/python-certifi/compare/2024.07.04...2024.08.30) --- updated-dependencies: - dependency-name: certifi dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 81a119844..7cf0b642f 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,4 +1,4 @@ -certifi==2024.7.4 +certifi==2024.8.30 charset-normalizer==3.3.2 idna==3.8 PyYAML==6.0.2 -- cgit v1.2.3-70-g09d2 From 8c13f021bf3f0315f516f73c8f2555bd7a4313d1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 15 Sep 2024 19:36:08 +0200 Subject: chore(deps): bump idna in /.github/workflows/dependencies (#12678) Bumps [idna](https://github.com/kjd/idna) from 3.8 to 3.9. - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](https://github.com/kjd/idna/compare/v3.8...v3.9) --- updated-dependencies: - dependency-name: idna dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 7cf0b642f..9b5b03ea0 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,6 +1,6 @@ certifi==2024.8.30 charset-normalizer==3.3.2 -idna==3.8 +idna==3.9 PyYAML==6.0.2 requests==2.32.3 semver==3.0.2 -- cgit v1.2.3-70-g09d2 From ec7d01faf837f17ccdc91249d0e63117ad0585af Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 15 Sep 2024 19:36:24 +0200 Subject: chore(deps): bump urllib3 in /.github/workflows/dependencies (#12677) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.2.2 to 2.2.3. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.2.2...2.2.3) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 9b5b03ea0..05b2f27fe 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -4,4 +4,4 @@ idna==3.9 PyYAML==6.0.2 requests==2.32.3 semver==3.0.2 -urllib3==2.2.2 +urllib3==2.2.3 -- cgit v1.2.3-70-g09d2 From f11cc8fea190eb9a1638dc67877436d0b8475ff5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 22 Sep 2024 16:20:33 +0200 Subject: chore(deps): bump idna in /.github/workflows/dependencies (#12688) Bumps [idna](https://github.com/kjd/idna) from 3.9 to 3.10. - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](https://github.com/kjd/idna/compare/v3.9...v3.10) --- updated-dependencies: - dependency-name: idna dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 05b2f27fe..eedd6d276 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,6 +1,6 @@ certifi==2024.8.30 charset-normalizer==3.3.2 -idna==3.9 +idna==3.10 PyYAML==6.0.2 requests==2.32.3 semver==3.0.2 -- cgit v1.2.3-70-g09d2 From 9bfa3395f34f63d14945e01c45c72ec43d372dfa Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 13 Oct 2024 21:11:03 +0200 Subject: chore(deps): bump charset-normalizer in /.github/workflows/dependencies (#12749) Bumps [charset-normalizer](https://github.com/Ousret/charset_normalizer) from 3.3.2 to 3.4.0. - [Release notes](https://github.com/Ousret/charset_normalizer/releases) - [Changelog](https://github.com/jawah/charset_normalizer/blob/master/CHANGELOG.md) - [Commits](https://github.com/Ousret/charset_normalizer/compare/3.3.2...3.4.0) --- updated-dependencies: - dependency-name: charset-normalizer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index eedd6d276..ed0d129b3 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,5 +1,5 @@ certifi==2024.8.30 -charset-normalizer==3.3.2 +charset-normalizer==3.4.0 idna==3.10 PyYAML==6.0.2 requests==2.32.3 -- cgit v1.2.3-70-g09d2 From b3ba8da4218c3b9e1e5e45e1d4c00d312ff7226b Mon Sep 17 00:00:00 2001 From: Marc Cornellà Date: Mon, 14 Oct 2024 13:15:39 +0200 Subject: ci(dependencies): use tag version in git commit if available (#12756) Related: https://github.com/ohmyzsh/ohmyzsh/pull/12747#issuecomment-2410440748 --- .github/workflows/dependencies/updater.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/updater.py b/.github/workflows/dependencies/updater.py index f85c9eda7..02cff9030 100644 --- a/.github/workflows/dependencies/updater.py +++ b/.github/workflows/dependencies/updater.py @@ -228,7 +228,7 @@ class Dependency: self.__apply_upstream_changes() # Add all changes and commit - has_new_commit = Git.add_and_commit(self.name, short_sha) + has_new_commit = Git.add_and_commit(self.name, new_version) if has_new_commit: # Push changes to remote -- cgit v1.2.3-70-g09d2 From 4ada1541900539ce585a26642eecc7e8e56d16f6 Mon Sep 17 00:00:00 2001 From: Marc Cornellà Date: Fri, 18 Oct 2024 14:27:54 +0200 Subject: chore(installer): only serve installer in / and /install.sh This avoids false positive detections on other bruteforced paths, such as .zsh_history or others, which eventually result in automated false vulnerability submissions. --- .github/workflows/installer/vercel.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/installer/vercel.json b/.github/workflows/installer/vercel.json index 524dc3c0f..88ec18725 100644 --- a/.github/workflows/installer/vercel.json +++ b/.github/workflows/installer/vercel.json @@ -1,7 +1,7 @@ { "headers": [ { - "source": "/((?!favicon.ico).*)", + "source": "/(|install.sh)", "headers": [ { "key": "Content-Type", @@ -16,7 +16,7 @@ ], "rewrites": [ { - "source": "/((?!favicon.ico|install.sh).*)", + "source": "/", "destination": "/install.sh" } ] -- cgit v1.2.3-70-g09d2 From 62e3e0b2fdd25919de6ae2d4e09317e1bd07a2dc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 15 Dec 2024 23:38:56 +0100 Subject: chore(deps): bump certifi from 2024.8.30 to 2024.12.14 in /.github/workflows/dependencies (#12848) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index ed0d129b3..8ca4477c9 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,4 +1,4 @@ -certifi==2024.8.30 +certifi==2024.12.14 charset-normalizer==3.4.0 idna==3.10 PyYAML==6.0.2 -- cgit v1.2.3-70-g09d2 From f733dc340b2a1c5b2e61a4da7de790b2f557175f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 22 Dec 2024 16:19:12 +0100 Subject: chore(deps): bump urllib3 from 2.2.3 to 2.3.0 in /.github/workflows/dependencies (#12863) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 8ca4477c9..5204e2cb7 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -4,4 +4,4 @@ idna==3.10 PyYAML==6.0.2 requests==2.32.3 semver==3.0.2 -urllib3==2.2.3 +urllib3==2.3.0 -- cgit v1.2.3-70-g09d2 From 9c8afcc3ee2fe6da2e2487a623498a9105cbd38c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 29 Dec 2024 13:22:49 +0100 Subject: chore(deps): bump charset-normalizer in /.github/workflows/dependencies (#12874) Bumps [charset-normalizer](https://github.com/jawah/charset_normalizer) from 3.4.0 to 3.4.1. - [Release notes](https://github.com/jawah/charset_normalizer/releases) - [Changelog](https://github.com/jawah/charset_normalizer/blob/master/CHANGELOG.md) - [Commits](https://github.com/jawah/charset_normalizer/compare/3.4.0...3.4.1) --- updated-dependencies: - dependency-name: charset-normalizer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 5204e2cb7..a3922cd03 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,5 +1,5 @@ certifi==2024.12.14 -charset-normalizer==3.4.0 +charset-normalizer==3.4.1 idna==3.10 PyYAML==6.0.2 requests==2.32.3 -- cgit v1.2.3-70-g09d2 From 6e9cda3d30d8e73c11e4d32044b7f4c5e06f822d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 19 Jan 2025 23:30:40 +0100 Subject: chore(deps): bump semver in /.github/workflows/dependencies (#12924) Bumps [semver](https://github.com/python-semver/python-semver) from 3.0.2 to 3.0.3. - [Release notes](https://github.com/python-semver/python-semver/releases) - [Changelog](https://github.com/python-semver/python-semver/blob/master/CHANGELOG.rst) - [Commits](https://github.com/python-semver/python-semver/compare/3.0.2...3.0.3) --- updated-dependencies: - dependency-name: semver dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index a3922cd03..d8149743c 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -3,5 +3,5 @@ charset-normalizer==3.4.1 idna==3.10 PyYAML==6.0.2 requests==2.32.3 -semver==3.0.2 +semver==3.0.3 urllib3==2.3.0 -- cgit v1.2.3-70-g09d2 From 9ffc14c3e1de2054fa113e2c7d42cbdac542769b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 26 Jan 2025 14:11:35 +0100 Subject: chore(deps): bump semver from 3.0.3 to 3.0.4 in /.github/workflows/dependencies (#12938) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index d8149743c..0471ccc4a 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -3,5 +3,5 @@ charset-normalizer==3.4.1 idna==3.10 PyYAML==6.0.2 requests==2.32.3 -semver==3.0.3 +semver==3.0.4 urllib3==2.3.0 -- cgit v1.2.3-70-g09d2 From 2b547d113b7e55a556b695c9372f1beb721efd67 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 2 Feb 2025 13:38:22 +0100 Subject: chore(deps): bump certifi in /.github/workflows/dependencies (#12955) Bumps [certifi](https://github.com/certifi/python-certifi) from 2024.12.14 to 2025.1.31. - [Commits](https://github.com/certifi/python-certifi/compare/2024.12.14...2025.01.31) --- updated-dependencies: - dependency-name: certifi dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 0471ccc4a..910db7bac 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,4 +1,4 @@ -certifi==2024.12.14 +certifi==2025.1.31 charset-normalizer==3.4.1 idna==3.10 PyYAML==6.0.2 -- cgit v1.2.3-70-g09d2 From a84a0332a822a78ddf3f66d0e1ed3990d4badd12 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 13 Apr 2025 23:11:55 +0200 Subject: chore(deps): bump urllib3 in /.github/workflows/dependencies (#13065) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.3.0 to 2.4.0. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.3.0...2.4.0) --- updated-dependencies: - dependency-name: urllib3 dependency-version: 2.4.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 910db7bac..f2044a5f5 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -4,4 +4,4 @@ idna==3.10 PyYAML==6.0.2 requests==2.32.3 semver==3.0.4 -urllib3==2.3.0 +urllib3==2.4.0 -- cgit v1.2.3-70-g09d2 From 137bfbbfd1e39897f02ca47e9f010b0d81cc15ef Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 27 Apr 2025 14:55:23 +0200 Subject: chore(deps): bump certifi in /.github/workflows/dependencies (#13094) Bumps [certifi](https://github.com/certifi/python-certifi) from 2025.1.31 to 2025.4.26. - [Commits](https://github.com/certifi/python-certifi/compare/2025.01.31...2025.04.26) --- updated-dependencies: - dependency-name: certifi dependency-version: 2025.4.26 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index f2044a5f5..63eadd07d 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,4 +1,4 @@ -certifi==2025.1.31 +certifi==2025.4.26 charset-normalizer==3.4.1 idna==3.10 PyYAML==6.0.2 -- cgit v1.2.3-70-g09d2 From 8648cd640b428bdd7dea65886c2671ef1e8ffe32 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 4 May 2025 17:22:51 +0200 Subject: chore(deps): bump charset-normalizer in /.github/workflows/dependencies (#13100) Bumps [charset-normalizer](https://github.com/jawah/charset_normalizer) from 3.4.1 to 3.4.2. - [Release notes](https://github.com/jawah/charset_normalizer/releases) - [Changelog](https://github.com/jawah/charset_normalizer/blob/master/CHANGELOG.md) - [Commits](https://github.com/jawah/charset_normalizer/compare/3.4.1...3.4.2) --- updated-dependencies: - dependency-name: charset-normalizer dependency-version: 3.4.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 63eadd07d..e73c1b5ca 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,5 +1,5 @@ certifi==2025.4.26 -charset-normalizer==3.4.1 +charset-normalizer==3.4.2 idna==3.10 PyYAML==6.0.2 requests==2.32.3 -- cgit v1.2.3-70-g09d2 From 042605ee6b2afeb21e380d05b22d5072f0eeff44 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 10 Jun 2025 16:15:59 +0200 Subject: chore(deps): bump requests in /.github/workflows/dependencies (#13164) Bumps [requests](https://github.com/psf/requests) from 2.32.3 to 2.32.4. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](https://github.com/psf/requests/compare/v2.32.3...v2.32.4) --- updated-dependencies: - dependency-name: requests dependency-version: 2.32.4 dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index e73c1b5ca..5dae1f64b 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -2,6 +2,6 @@ certifi==2025.4.26 charset-normalizer==3.4.2 idna==3.10 PyYAML==6.0.2 -requests==2.32.3 +requests==2.32.4 semver==3.0.4 urllib3==2.4.0 -- cgit v1.2.3-70-g09d2 From 7ee92de190b3710b55aa04e10eb54e907587e61c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 19 Jun 2025 10:02:32 +0200 Subject: chore(deps): bump urllib3 in /.github/workflows/dependencies (#13176) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 5dae1f64b..d2c8bdcc9 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -4,4 +4,4 @@ idna==3.10 PyYAML==6.0.2 requests==2.32.4 semver==3.0.4 -urllib3==2.4.0 +urllib3==2.5.0 -- cgit v1.2.3-70-g09d2 From 52f7ad6913cd039c32f4088d101c30db2492d518 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 28 Jul 2025 18:55:43 +0200 Subject: chore(deps): bump certifi in /.github/workflows/dependencies (#13218) Bumps [certifi](https://github.com/certifi/python-certifi) from 2025.4.26 to 2025.7.14. - [Commits](https://github.com/certifi/python-certifi/compare/2025.04.26...2025.07.14) --- updated-dependencies: - dependency-name: certifi dependency-version: 2025.7.14 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index d2c8bdcc9..4c55ff760 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,4 +1,4 @@ -certifi==2025.4.26 +certifi==2025.7.14 charset-normalizer==3.4.2 idna==3.10 PyYAML==6.0.2 -- cgit v1.2.3-70-g09d2 From 98a182d71b59a24d6b694d3e6b7a49212c06e04f Mon Sep 17 00:00:00 2001 From: Marc Cornellà Date: Mon, 28 Jul 2025 19:13:35 +0200 Subject: ci: add strict permissions to `dependencies.yml` workflow (#13232) Just use `contents:read` initial permission. The other permissions needed are those attached to the @ohmyzsh GitHub App. --- .github/workflows/dependencies.yml | 3 +++ 1 file changed, 3 insertions(+) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index 6c7387089..b4a17912b 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -4,6 +4,9 @@ on: schedule: - cron: "0 6 * * 0" +permissions: + contents: read + jobs: check: name: Check for updates -- cgit v1.2.3-70-g09d2 From 5c804257ceb5b3062b876afae290adf72c474aad Mon Sep 17 00:00:00 2001 From: Carlo Sala Date: Mon, 28 Jul 2025 19:20:50 +0200 Subject: ci: use `actions/create-github-app-token` (#13233) --- .github/workflows/dependencies.yml | 10 +++++----- .github/workflows/project.yml | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index b4a17912b..0b8eeda93 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -18,11 +18,11 @@ jobs: with: fetch-depth: 0 - name: Authenticate as @ohmyzsh - id: generate_token - uses: ohmyzsh/github-app-token@v2 + id: generate-token + uses: actions/create-github-app-token@v2 with: - app_id: ${{ secrets.OHMYZSH_APP_ID }} - private_key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} + app-id: ${{ secrets.OHMYZSH_APP_ID }} + private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} - name: Setup Python uses: actions/setup-python@v5 with: @@ -30,7 +30,7 @@ jobs: cache: "pip" - name: Process dependencies env: - GH_TOKEN: ${{ steps.generate_token.outputs.token }} + GH_TOKEN: ${{ steps.generate-token.outputs.token }} GIT_APP_NAME: ohmyzsh[bot] GIT_APP_EMAIL: 54982679+ohmyzsh[bot]@users.noreply.github.com TMP_DIR: ${{ runner.temp }} diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml index 2c2a1cdaa..8fd4e15d4 100644 --- a/.github/workflows/project.yml +++ b/.github/workflows/project.yml @@ -17,13 +17,13 @@ jobs: if: github.repository == 'ohmyzsh/ohmyzsh' steps: - name: Authenticate as @ohmyzsh - id: generate_token - uses: ohmyzsh/github-app-token@v2 + id: generate-token + uses: actions/create-github-app-token@v2 with: - app_id: ${{ secrets.OHMYZSH_APP_ID }} - private_key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} + app-id: ${{ secrets.OHMYZSH_APP_ID }} + private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} - name: Store app token - run: echo "GH_TOKEN=${{ steps.generate_token.outputs.token }}" >> "$GITHUB_ENV" + run: echo "GH_TOKEN=${{ steps.generate-token.outputs.token }}" >> "$GITHUB_ENV" - name: Read project data env: ORGANIZATION: ohmyzsh -- cgit v1.2.3-70-g09d2 From 73024e8f0849ff22ea15dee1d7c38157cefc77d3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Aug 2025 10:25:23 +0200 Subject: chore(deps): bump charset-normalizer in /.github/workflows/dependencies (#13257) Bumps [charset-normalizer](https://github.com/jawah/charset_normalizer) from 3.4.2 to 3.4.3. - [Release notes](https://github.com/jawah/charset_normalizer/releases) - [Changelog](https://github.com/jawah/charset_normalizer/blob/master/CHANGELOG.md) - [Commits](https://github.com/jawah/charset_normalizer/compare/3.4.2...3.4.3) --- updated-dependencies: - dependency-name: charset-normalizer dependency-version: 3.4.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 4c55ff760..167f9df8f 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,5 +1,5 @@ certifi==2025.7.14 -charset-normalizer==3.4.2 +charset-normalizer==3.4.3 idna==3.10 PyYAML==6.0.2 requests==2.32.4 -- cgit v1.2.3-70-g09d2 From 9fe2c26abd3f476a3377bf37b513e5cabf3f3637 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Aug 2025 13:47:37 +0200 Subject: chore(deps): bump certifi in /.github/workflows/dependencies (#13246) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 167f9df8f..09bebefbd 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,4 +1,4 @@ -certifi==2025.7.14 +certifi==2025.8.3 charset-normalizer==3.4.3 idna==3.10 PyYAML==6.0.2 -- cgit v1.2.3-70-g09d2 From c2a69fe5904e074f0049a941c09f039acdce40a3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Aug 2025 08:32:18 +0200 Subject: chore(deps): bump actions/checkout from 4 to 5 (#13271) Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies.yml | 2 +- .github/workflows/installer.yml | 4 ++-- .github/workflows/main.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index 0b8eeda93..7cc53371d 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -14,7 +14,7 @@ jobs: if: github.repository == 'ohmyzsh/ohmyzsh' steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: fetch-depth: 0 - name: Authenticate as @ohmyzsh diff --git a/.github/workflows/installer.yml b/.github/workflows/installer.yml index 5593c9175..9e933350f 100644 --- a/.github/workflows/installer.yml +++ b/.github/workflows/installer.yml @@ -26,7 +26,7 @@ jobs: - macos-latest steps: - name: Set up git repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Install zsh if: runner.os == 'Linux' run: sudo apt-get update; sudo apt-get install zsh @@ -42,7 +42,7 @@ jobs: - test steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Install Vercel CLI run: npm install -g vercel - name: Setup project and deploy diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 264ac31f3..c49324495 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -24,7 +24,7 @@ jobs: if: github.repository == 'ohmyzsh/ohmyzsh' steps: - name: Set up git repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Install zsh run: sudo apt-get update; sudo apt-get install zsh - name: Check syntax -- cgit v1.2.3-70-g09d2 From b95022dde6a200ba3dbb96c8b997ba74d8db0136 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Aug 2025 02:37:09 +0200 Subject: chore(deps): bump requests in /.github/workflows/dependencies (#13280) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 09bebefbd..7388ed765 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -2,6 +2,6 @@ certifi==2025.8.3 charset-normalizer==3.4.3 idna==3.10 PyYAML==6.0.2 -requests==2.32.4 +requests==2.32.5 semver==3.0.4 urllib3==2.5.0 -- cgit v1.2.3-70-g09d2 From 8c168e26625ac8376d9156b1b189cd2ae8c16dc7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 12:06:41 +0800 Subject: chore(deps): bump actions/setup-python from 5 to 6 (#13293) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index 7cc53371d..11c0ad0ef 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -24,7 +24,7 @@ jobs: app-id: ${{ secrets.OHMYZSH_APP_ID }} private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: "3.12" cache: "pip" -- cgit v1.2.3-70-g09d2 From 7f3d8a34e2d850b51782f0900151413b435296d4 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Fri, 19 Sep 2025 08:30:10 -0700 Subject: ci: Harden GitHub Actions [StepSecurity] (#13318) --- .github/workflows/dependencies.yml | 11 ++++++++--- .github/workflows/installer.yml | 14 ++++++++++++-- .github/workflows/main.yml | 7 ++++++- .github/workflows/project.yml | 7 ++++++- 4 files changed, 32 insertions(+), 7 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index 11c0ad0ef..3f448fe64 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -13,18 +13,23 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'ohmyzsh/ohmyzsh' steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 - name: Authenticate as @ohmyzsh id: generate-token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 with: app-id: ${{ secrets.OHMYZSH_APP_ID }} private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: "3.12" cache: "pip" diff --git a/.github/workflows/installer.yml b/.github/workflows/installer.yml index 9e933350f..2d1de706a 100644 --- a/.github/workflows/installer.yml +++ b/.github/workflows/installer.yml @@ -25,8 +25,13 @@ jobs: - ubuntu-latest - macos-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + - name: Set up git repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install zsh if: runner.os == 'Linux' run: sudo apt-get update; sudo apt-get install zsh @@ -41,8 +46,13 @@ jobs: needs: - test steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install Vercel CLI run: npm install -g vercel - name: Setup project and deploy diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c49324495..b48a3d32b 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -23,8 +23,13 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'ohmyzsh/ohmyzsh' steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + - name: Set up git repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install zsh run: sudo apt-get update; sudo apt-get install zsh - name: Check syntax diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml index 8fd4e15d4..ba971db15 100644 --- a/.github/workflows/project.yml +++ b/.github/workflows/project.yml @@ -16,9 +16,14 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'ohmyzsh/ohmyzsh' steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + - name: Authenticate as @ohmyzsh id: generate-token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 with: app-id: ${{ secrets.OHMYZSH_APP_ID }} private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} -- cgit v1.2.3-70-g09d2 From ddd77516efb1393af738e57de9522e091c63c5b6 Mon Sep 17 00:00:00 2001 From: Carlo Sala Date: Fri, 19 Sep 2025 17:55:16 +0200 Subject: ci: add scorecard automatic update (#13319) --- .github/workflows/scorecard.yml | 65 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 .github/workflows/scorecard.yml (limited to '.github/workflows') diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 000000000..5654fb74b --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,65 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '20 7 * * 2' + push: + branches: ["master"] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + contents: read + actions: read + # To allow GraphQL ListCommits to work + issues: read + pull-requests: read + # To detect SAST tools + checks: read + + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + + - name: "Checkout code" + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + - name: "Upload artifact" + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3 + with: + sarif_file: results.sarif -- cgit v1.2.3-70-g09d2 From b428e3177022a5d2c026a670ff9df64fcb704ec2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Sep 2025 10:50:42 +0200 Subject: chore(deps): bump actions/checkout from 4.3.0 to 5.0.0 (#13323) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 5654fb74b..49b21cbd9 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -41,7 +41,7 @@ jobs: egress-policy: audit - name: "Checkout code" - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false -- cgit v1.2.3-70-g09d2 From 58cba614652ce8115138fef5c7d80c8a0c0a58f4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Sep 2025 10:50:59 +0200 Subject: chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.2 (#13322) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 49b21cbd9..c366b95bc 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -46,7 +46,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 + uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 with: results_file: results.sarif results_format: sarif -- cgit v1.2.3-70-g09d2 From 242e2faa51675494cbfa78a81f3ff47d81039863 Mon Sep 17 00:00:00 2001 From: Marc Cornellà Date: Sat, 27 Sep 2025 20:00:50 +0200 Subject: ci: improve security in project.yml workflow (#13329) There is no inherent security vulnerability in the workflow, but there were certain practices that increased latent risk. In this commit, we: - Explicitly bind app token for each step that needs it, instead of setting it for all steps after "Store app token" - Refactor "classify" step, to not rely on files passed around, and instead uses only awk script. - Remove all instances of template injection within `run` scripts. There was nothing dangerous, but the practice is unsafe. - Sanitize all unwanted characters from PR plugin and theme names. References: W2M1-06 W2M1-07 --- .github/workflows/project.yml | 64 +++++++++++++++++++++++-------------------- 1 file changed, 34 insertions(+), 30 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml index ba971db15..e6da2cbe5 100644 --- a/.github/workflows/project.yml +++ b/.github/workflows/project.yml @@ -20,17 +20,15 @@ jobs: uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: egress-policy: audit - - name: Authenticate as @ohmyzsh id: generate-token uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 with: app-id: ${{ secrets.OHMYZSH_APP_ID }} private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} - - name: Store app token - run: echo "GH_TOKEN=${{ steps.generate-token.outputs.token }}" >> "$GITHUB_ENV" - name: Read project data env: + GH_TOKEN: ${{ steps.generate-token.outputs.token }} ORGANIZATION: ohmyzsh PROJECT_NUMBER: "1" run: | @@ -53,14 +51,14 @@ jobs: }' -f org=$ORGANIZATION -F number=$PROJECT_NUMBER > project_data.json # Parse project data - cat >> $GITHUB_ENV <> "$GITHUB_ENV" <> $GITHUB_ENV - - name: Classify Pull Request if: github.event_name == 'pull_request_target' + env: + GH_TOKEN: ${{ steps.generate-token.outputs.token }} + PR_NUMBER: ${{ github.event.pull_request.number }} run: | - touch plugins.list themes.list - - gh pr view ${{ github.event.pull_request.number }} \ - --repo ${{ github.repository }} \ + # Get the list of modified files in the PR, and extract plugins and themes + gh pr view "$PR_NUMBER" \ + --repo "$GITHUB_REPOSITORY" \ --json files --jq '.files.[].path' | awk -F/ ' + BEGIN { + plugins = 0 + themes = 0 + } /^plugins\// { - plugins[$2] = 1 + if (plugin == $2) next + plugin = $2 + plugins++ } /^themes\// { gsub(/\.zsh-theme$/, "", $2) - themes[$2] = 1 + if (theme == $2) next + theme = $2 + themes++ } END { - for (plugin in plugins) { - print plugin >> "plugins.list" + # plugin and theme are values controlled by the PR author + # so we should sanitize them before using anywhere else + if (plugins == 1) { + gsub(/[^a-zA-Z0-9._-]/, "", plugin) + print "PLUGIN=" plugin } - for (theme in themes) { - print theme >> "themes.list" + if (themes == 1) { + gsub(/[^a-zA-Z0-9._-]/, "", theme) + print "THEME=" theme } } - ' - # If only one plugin is modified, add it to the plugin field - if [[ $(wc -l < plugins.list) = 1 ]]; then - echo "PLUGIN=$(cat plugins.list)" >> $GITHUB_ENV - fi - # If only one theme is modified, add it to the theme field - if [[ $(wc -l < themes.list) = 1 ]]; then - echo "THEME=$(cat themes.list)" >> $GITHUB_ENV - fi - + ' >> "$GITHUB_ENV" - name: Fill Pull Request fields in project if: github.event_name == 'pull_request_target' + env: + GH_TOKEN: ${{ steps.generate-token.outputs.token }} run: | gh api graphql -f query=' mutation ( @@ -145,7 +149,7 @@ jobs: } } } - ' -f project=$PROJECT_ID -f item=$ITEM_ID \ - -f plugin_field=$PLUGIN_FIELD_ID -f plugin_value=$PLUGIN \ - -f theme_field=$THEME_FIELD_ID -f theme_value=$THEME \ + ' -f project="$PROJECT_ID" -f item="$ITEM_ID" \ + -f plugin_field="$PLUGIN_FIELD_ID" -f plugin_value="$PLUGIN" \ + -f theme_field="$THEME_FIELD_ID" -f theme_value="$THEME" \ --silent -- cgit v1.2.3-70-g09d2 From e7528a5b373568591b0ba4f5c0fe1b552c0d6874 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Sep 2025 08:27:53 +0200 Subject: chore(deps): bump github/codeql-action from 3.30.3 to 3.30.5 (#13336) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index c366b95bc..e6ff44e4a 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -60,6 +60,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3 + uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5 with: sarif_file: results.sarif -- cgit v1.2.3-70-g09d2 From 9ac3b895d426dfdd000b8ae884a8bf9d42840839 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Sep 2025 08:31:23 +0200 Subject: chore(deps): bump pyyaml in /.github/workflows/dependencies (#13337) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 7388ed765..441426dcf 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,7 +1,7 @@ certifi==2025.8.3 charset-normalizer==3.4.3 idna==3.10 -PyYAML==6.0.2 +PyYAML==6.0.3 requests==2.32.5 semver==3.0.4 urllib3==2.5.0 -- cgit v1.2.3-70-g09d2 From 182dfdf210f961f141903fdd36f65350bcedc904 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Oct 2025 09:21:34 +0200 Subject: chore(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 (#13352) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index e6ff44e4a..31c420581 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -46,7 +46,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 with: results_file: results.sarif results_format: sarif -- cgit v1.2.3-70-g09d2 From d4cb4f249c365ba921840f1a4279ffd55d09e9a3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Oct 2025 09:21:45 +0200 Subject: chore(deps): bump certifi in /.github/workflows/dependencies (#13353) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 441426dcf..0531f9f0a 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,4 +1,4 @@ -certifi==2025.8.3 +certifi==2025.10.5 charset-normalizer==3.4.3 idna==3.10 PyYAML==6.0.3 -- cgit v1.2.3-70-g09d2 From c6482fa5be724e9504c6ffe92203440e4c3239b5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Oct 2025 09:21:58 +0200 Subject: chore(deps): bump github/codeql-action from 3.30.5 to 3.30.6 (#13351) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 31c420581..cfaa5f03e 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -60,6 +60,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5 + uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6 with: sarif_file: results.sarif -- cgit v1.2.3-70-g09d2 From c5f64018fffbffe6624690e929b6ff745514336b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Oct 2025 11:57:33 +0200 Subject: chore(deps): bump github/codeql-action from 3.30.6 to 4.30.8 (#13364) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index cfaa5f03e..7f1769540 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -60,6 +60,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6 + uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8 with: sarif_file: results.sarif -- cgit v1.2.3-70-g09d2 From 064f0c1d0adbe5a4a4a239eab452f80ad0a7ee20 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 21 Oct 2025 11:28:57 +0300 Subject: chore(deps): bump idna in /.github/workflows/dependencies (#13377) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 0531f9f0a..d6757a0f6 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,6 +1,6 @@ certifi==2025.10.5 charset-normalizer==3.4.3 -idna==3.10 +idna==3.11 PyYAML==6.0.3 requests==2.32.5 semver==3.0.4 -- cgit v1.2.3-70-g09d2 From 1672a12704798353725a5d559acc3917adb0075e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 21 Oct 2025 11:29:15 +0300 Subject: chore(deps): bump github/codeql-action from 4.30.8 to 4.30.9 (#13376) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 7f1769540..d2e0ff01b 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -60,6 +60,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8 + uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4.30.9 with: sarif_file: results.sarif -- cgit v1.2.3-70-g09d2 From ac9258296117df625ba69d8e3cd1fe4883062c2b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 21 Oct 2025 11:33:03 +0300 Subject: chore(deps): bump charset-normalizer in /.github/workflows/dependencies (#13378) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index d6757a0f6..cc8b0a28f 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,5 +1,5 @@ certifi==2025.10.5 -charset-normalizer==3.4.3 +charset-normalizer==3.4.4 idna==3.11 PyYAML==6.0.3 requests==2.32.5 -- cgit v1.2.3-70-g09d2 From 38423b4b5ce1ebbcded814642706a5fc300eadda Mon Sep 17 00:00:00 2001 From: Carlo Sala Date: Thu, 23 Oct 2025 05:16:17 -0700 Subject: ci(deps): ensure push permissions are available (#13389) --- .github/workflows/dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index 3f448fe64..be54fdf41 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -5,7 +5,7 @@ on: - cron: "0 6 * * 0" permissions: - contents: read + contents: write jobs: check: -- cgit v1.2.3-70-g09d2 From 279e91e1327ed3683d099f59e304ba2c8e1153b8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 26 Oct 2025 06:16:55 -0700 Subject: chore(deps): bump github/codeql-action from 4.30.9 to 4.31.0 (#13394) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index d2e0ff01b..40c795877 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -60,6 +60,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4.30.9 + uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0 with: sarif_file: results.sarif -- cgit v1.2.3-70-g09d2 From 829b8fdea441208c08c9d231079f46215344cc46 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 26 Oct 2025 06:17:45 -0700 Subject: chore(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#13395) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 40c795877..93a55a250 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -53,7 +53,7 @@ jobs: publish_results: true - name: "Upload artifact" - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: SARIF file path: results.sarif -- cgit v1.2.3-70-g09d2 From 423e9aef522fa954e73b77a99ee627723fc31257 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 3 Nov 2025 08:29:39 +0100 Subject: chore(deps): bump github/codeql-action from 4.31.0 to 4.31.2 (#13408) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.0 to 4.31.2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/4e94bd11f71e507f7f87df81788dff88d1dacbfb...0499de31b99561a6d14a36a5f662c2a54f91beee) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.31.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 93a55a250..ca2655968 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -60,6 +60,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0 + uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2 with: sarif_file: results.sarif -- cgit v1.2.3-70-g09d2 From 18d0a63df8ed61aad7b25dc9c6f61a7cb88760dc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 9 Nov 2025 20:03:00 +0100 Subject: chore(deps): bump step-security/harden-runner from 2.13.1 to 2.13.2 (#13414) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies.yml | 2 +- .github/workflows/installer.yml | 4 ++-- .github/workflows/main.yml | 2 +- .github/workflows/project.yml | 2 +- .github/workflows/scorecard.yml | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index be54fdf41..9ff5ae375 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -14,7 +14,7 @@ jobs: if: github.repository == 'ohmyzsh/ohmyzsh' steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit diff --git a/.github/workflows/installer.yml b/.github/workflows/installer.yml index 2d1de706a..829d3804f 100644 --- a/.github/workflows/installer.yml +++ b/.github/workflows/installer.yml @@ -26,7 +26,7 @@ jobs: - macos-latest steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit @@ -47,7 +47,7 @@ jobs: - test steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b48a3d32b..5bd062e1b 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -24,7 +24,7 @@ jobs: if: github.repository == 'ohmyzsh/ohmyzsh' steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml index e6da2cbe5..1d22ec3d1 100644 --- a/.github/workflows/project.yml +++ b/.github/workflows/project.yml @@ -17,7 +17,7 @@ jobs: if: github.repository == 'ohmyzsh/ohmyzsh' steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit - name: Authenticate as @ohmyzsh diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index ca2655968..6bb853386 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -36,7 +36,7 @@ jobs: steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit -- cgit v1.2.3-70-g09d2 From 73d79fe1376cc773b2bcb7f7a27bff880a4502e2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 16 Nov 2025 09:08:43 -0300 Subject: chore(deps): bump certifi in /.github/workflows/dependencies (#13431) Bumps [certifi](https://github.com/certifi/python-certifi) from 2025.10.5 to 2025.11.12. - [Commits](https://github.com/certifi/python-certifi/compare/2025.10.05...2025.11.12) --- updated-dependencies: - dependency-name: certifi dependency-version: 2025.11.12 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index cc8b0a28f..4fc25d593 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,4 +1,4 @@ -certifi==2025.10.5 +certifi==2025.11.12 charset-normalizer==3.4.4 idna==3.11 PyYAML==6.0.3 -- cgit v1.2.3-70-g09d2 From 8a4d6fc0a2b5586f093fb2b96b51e2141f643284 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 16 Nov 2025 09:09:09 -0300 Subject: chore(deps): bump github/codeql-action from 4.31.2 to 4.31.3 (#13430) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.2 to 4.31.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/0499de31b99561a6d14a36a5f662c2a54f91beee...014f16e7ab1402f30e7c3329d33797e7948572db) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.31.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 6bb853386..eec4b453d 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -60,6 +60,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2 + uses: github/codeql-action/upload-sarif@014f16e7ab1402f30e7c3329d33797e7948572db # v4.31.3 with: sarif_file: results.sarif -- cgit v1.2.3-70-g09d2 From 441299ca775d0e718e72d8cf2490702ac98d3b08 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 23 Nov 2025 22:35:53 +0100 Subject: chore(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#13438) Bumps [actions/checkout](https://github.com/actions/checkout) from 5.0.0 to 6.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/08c6903cd8c0fde910a37f88322edcfb5dd907a8...1af3b93b6815bc44a9784bd300feb67ff0d1eeb3) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies.yml | 2 +- .github/workflows/installer.yml | 4 ++-- .github/workflows/main.yml | 2 +- .github/workflows/scorecard.yml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index 9ff5ae375..45dee6f5d 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -19,7 +19,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 - name: Authenticate as @ohmyzsh diff --git a/.github/workflows/installer.yml b/.github/workflows/installer.yml index 829d3804f..120381dd8 100644 --- a/.github/workflows/installer.yml +++ b/.github/workflows/installer.yml @@ -31,7 +31,7 @@ jobs: egress-policy: audit - name: Set up git repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Install zsh if: runner.os == 'Linux' run: sudo apt-get update; sudo apt-get install zsh @@ -52,7 +52,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Install Vercel CLI run: npm install -g vercel - name: Setup project and deploy diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 5bd062e1b..8200f50a6 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -29,7 +29,7 @@ jobs: egress-policy: audit - name: Set up git repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Install zsh run: sudo apt-get update; sudo apt-get install zsh - name: Check syntax diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index eec4b453d..5078aecc6 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -41,7 +41,7 @@ jobs: egress-policy: audit - name: "Checkout code" - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false -- cgit v1.2.3-70-g09d2 From 0116e7a5af51e1c1bb10f99004224a2136406420 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 23 Nov 2025 22:36:07 +0100 Subject: chore(deps): bump github/codeql-action from 4.31.3 to 4.31.4 (#13439) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.3 to 4.31.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/014f16e7ab1402f30e7c3329d33797e7948572db...e12f0178983d466f2f6028f5cc7a6d786fd97f4b) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.31.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 5078aecc6..e57546112 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -60,6 +60,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@014f16e7ab1402f30e7c3329d33797e7948572db # v4.31.3 + uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4 with: sarif_file: results.sarif -- cgit v1.2.3-70-g09d2 From beadd56dd75e8a40fe0a7d4a5d63ed5bf9efcd48 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 23 Nov 2025 22:37:35 +0100 Subject: chore(deps): bump actions/create-github-app-token from 2.1.4 to 2.2.0 (#13440) Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token) from 2.1.4 to 2.2.0. - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Commits](https://github.com/actions/create-github-app-token/compare/67018539274d69449ef7c02e8e71183d1719ab42...7e473efe3cb98aa54f8d4bac15400b15fad77d94) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-version: 2.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies.yml | 2 +- .github/workflows/project.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index 45dee6f5d..1c4ae131a 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -24,7 +24,7 @@ jobs: fetch-depth: 0 - name: Authenticate as @ohmyzsh id: generate-token - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 + uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2.2.0 with: app-id: ${{ secrets.OHMYZSH_APP_ID }} private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml index 1d22ec3d1..6a236e691 100644 --- a/.github/workflows/project.yml +++ b/.github/workflows/project.yml @@ -22,7 +22,7 @@ jobs: egress-policy: audit - name: Authenticate as @ohmyzsh id: generate-token - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 + uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2.2.0 with: app-id: ${{ secrets.OHMYZSH_APP_ID }} private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} -- cgit v1.2.3-70-g09d2 From 343c5a83cb758e65fd638c7c05672198a9860619 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 30 Nov 2025 16:28:47 +0100 Subject: chore(deps): bump github/codeql-action from 4.31.4 to 4.31.5 (#13456) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.4 to 4.31.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/e12f0178983d466f2f6028f5cc7a6d786fd97f4b...fdbfb4d2750291e159f0156def62b853c2798ca2) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.31.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index e57546112..95d1086b8 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -60,6 +60,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4 + uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 with: sarif_file: results.sarif -- cgit v1.2.3-70-g09d2 From a449c0247d69726fe4f3ca4fe88182bdb215a5d3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 30 Nov 2025 16:29:07 +0100 Subject: chore(deps): bump actions/setup-python from 6.0.0 to 6.1.0 (#13455) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 6.0.0 to 6.1.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/e797f83bcb11b83ae66e0230d6156d7c80228e7c...83679a892e2d95755f2dac6acb0bfd1e9ac5d548) --- updated-dependencies: - dependency-name: actions/setup-python dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index 1c4ae131a..000589087 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -29,7 +29,7 @@ jobs: app-id: ${{ secrets.OHMYZSH_APP_ID }} private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} - name: Setup Python - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 + uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: "3.12" cache: "pip" -- cgit v1.2.3-70-g09d2 From ca5c467db1d495a4b5c0049a4cf476ca7f34b790 Mon Sep 17 00:00:00 2001 From: Carlo Sala Date: Mon, 1 Dec 2025 09:59:09 +0100 Subject: fix(dependencies): only open PR if there are relevant changes (#13454) Fixes cases like #13453 --- .github/workflows/dependencies/updater.py | 62 +++++++++++++++++-------------- 1 file changed, 35 insertions(+), 27 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/updater.py b/.github/workflows/dependencies/updater.py index 02cff9030..aee15d9e0 100644 --- a/.github/workflows/dependencies/updater.py +++ b/.github/workflows/dependencies/updater.py @@ -219,31 +219,32 @@ class Dependency: # Create new branch branch = Git.checkout_or_create_branch(branch_name) - # Update dependencies.yml file - self.__update_yaml( - f"tag:{new_version}" if is_tag else status["version"] - ) - # Update dependency files self.__apply_upstream_changes() - # Add all changes and commit - has_new_commit = Git.add_and_commit(self.name, new_version) + if not Git.repo_is_clean(): + # Update dependencies.yml file + self.__update_yaml( + f"tag:{new_version}" if is_tag else status["version"] + ) + + # Add all changes and commit + has_new_commit = Git.add_and_commit(self.name, new_version) - if has_new_commit: - # Push changes to remote - Git.push(branch) + if has_new_commit: + # Push changes to remote + Git.push(branch) - # Create GitHub PR - GitHub.create_pr( - branch, - f"feat({self.name}): update to version {new_version}", - f"""## Description + # Create GitHub PR + GitHub.create_pr( + branch, + f"feat({self.name}): update to version {new_version}", + f"""## Description -Update for **{self.desc}**: update to version [{new_version}]({status['head_url']}). -Check out the [list of changes]({status['compare_url']}). +Update for **{self.desc}**: update to version [{new_version}]({status["head_url"]}). +Check out the [list of changes]({status["compare_url"]}). """, - ) + ) # Clean up repository Git.clean_repo() @@ -275,8 +276,8 @@ Check out the [list of changes]({status['compare_url']}). There is a new version of `{self.name}` {self.kind} available. -New version: [{new_version}]({status['head_url']}) -Check out the [list of changes]({status['compare_url']}). +New version: [{new_version}]({status["head_url"]}) +Check out the [list of changes]({status["compare_url"]}). """ print("Creating GitHub issue", file=sys.stderr) @@ -378,20 +379,27 @@ class Git: return branch_name @staticmethod - def add_and_commit(scope: str, version: str) -> bool: + def repo_is_clean() -> bool: """ - Returns `True` if there were changes and were indeed commited. - Returns `False` if the repo was clean and no changes were commited. + Returns `True` if the repo is clean. + Returns `False` if the repo is dirty. """ - # check if repo is clean (clean => no error, no commit) try: CommandRunner.run_or_fail( ["git", "diff", "--exit-code"], stage="CheckRepoClean" ) - return False + return True except CommandRunner.Exception: - # if it's other kind of error just throw! - pass + return False + + @staticmethod + def add_and_commit(scope: str, version: str) -> bool: + """ + Returns `True` if there were changes and were indeed commited. + Returns `False` if the repo was clean and no changes were commited. + """ + if Git.repo_is_clean(): + return False user_name = os.environ.get("GIT_APP_NAME") user_email = os.environ.get("GIT_APP_EMAIL") -- cgit v1.2.3-70-g09d2 From e9fc134236323ce3ce376715b1e55a54ed6ac7ac Mon Sep 17 00:00:00 2001 From: Marc Cornellà Date: Mon, 1 Dec 2025 11:22:14 +0100 Subject: ci(dependencies): update job permissions, change commits to `chore` (#13457) --- .github/workflows/dependencies.yml | 5 ++--- .github/workflows/dependencies/updater.py | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index 000589087..a21803ec6 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -4,14 +4,13 @@ on: schedule: - cron: "0 6 * * 0" -permissions: - contents: write - jobs: check: name: Check for updates runs-on: ubuntu-latest if: github.repository == 'ohmyzsh/ohmyzsh' + permissions: + contents: write # this is needed to push commits and branches steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 diff --git a/.github/workflows/dependencies/updater.py b/.github/workflows/dependencies/updater.py index aee15d9e0..783161d6c 100644 --- a/.github/workflows/dependencies/updater.py +++ b/.github/workflows/dependencies/updater.py @@ -238,7 +238,7 @@ class Dependency: # Create GitHub PR GitHub.create_pr( branch, - f"feat({self.name}): update to version {new_version}", + f"chore({self.name}): update to version {new_version}", f"""## Description Update for **{self.desc}**: update to version [{new_version}]({status["head_url"]}). @@ -423,7 +423,7 @@ class Git: f"user.email={user_email}", "commit", "-m", - f"feat({scope}): update to {version}", + f"chore({scope}): update to {version}", ], stage="CreateCommit", env=clean_env, -- cgit v1.2.3-70-g09d2 From 1b4497fc8f51cfc1f326f3474203f9ea6dfd3804 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 6 Dec 2025 09:06:29 +0100 Subject: chore(deps): bump urllib3 in /.github/workflows/dependencies (#13464) Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.5.0 to 2.6.0. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/2.5.0...2.6.0) --- updated-dependencies: - dependency-name: urllib3 dependency-version: 2.6.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 4fc25d593..94eaf3c9a 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -4,4 +4,4 @@ idna==3.11 PyYAML==6.0.3 requests==2.32.5 semver==3.0.4 -urllib3==2.5.0 +urllib3==2.6.0 -- cgit v1.2.3-70-g09d2 From 953f526dea332c6ba12f178f61785c5a3aa9ae73 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Dec 2025 18:38:05 +0100 Subject: chore(deps): bump github/codeql-action from 4.31.5 to 4.31.7 (#13469) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.5 to 4.31.7. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/fdbfb4d2750291e159f0156def62b853c2798ca2...cf1bb45a277cb3c205638b2cd5c984db1c46a412) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.31.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 95d1086b8..42a1dc0cb 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -60,6 +60,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 + uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 with: sarif_file: results.sarif -- cgit v1.2.3-70-g09d2 From 3b66f643e4cfc78dfd62bb332f28f82d7dff2461 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Dec 2025 18:38:26 +0100 Subject: chore(deps): bump step-security/harden-runner from 2.13.2 to 2.13.3 (#13471) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.13.2 to 2.13.3. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/95d9a5deda9de15063e7595e9719c11c38c90ae2...df199fb7be9f65074067a9eb93f12bb4c5547cf2) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.13.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies.yml | 2 +- .github/workflows/installer.yml | 4 ++-- .github/workflows/main.yml | 2 +- .github/workflows/project.yml | 2 +- .github/workflows/scorecard.yml | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index a21803ec6..aeeda6711 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -13,7 +13,7 @@ jobs: contents: write # this is needed to push commits and branches steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 with: egress-policy: audit diff --git a/.github/workflows/installer.yml b/.github/workflows/installer.yml index 120381dd8..d48a9603e 100644 --- a/.github/workflows/installer.yml +++ b/.github/workflows/installer.yml @@ -26,7 +26,7 @@ jobs: - macos-latest steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 with: egress-policy: audit @@ -47,7 +47,7 @@ jobs: - test steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 with: egress-policy: audit diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 8200f50a6..ea64e3a2f 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -24,7 +24,7 @@ jobs: if: github.repository == 'ohmyzsh/ohmyzsh' steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 with: egress-policy: audit diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml index 6a236e691..baaa1f9f2 100644 --- a/.github/workflows/project.yml +++ b/.github/workflows/project.yml @@ -17,7 +17,7 @@ jobs: if: github.repository == 'ohmyzsh/ohmyzsh' steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 with: egress-policy: audit - name: Authenticate as @ohmyzsh diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 42a1dc0cb..cc8e0a8eb 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -36,7 +36,7 @@ jobs: steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 with: egress-policy: audit -- cgit v1.2.3-70-g09d2 From 0ebeae78d0ebdefbd0af38bfdad10504770acb82 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Dec 2025 18:38:44 +0100 Subject: chore(deps): bump actions/create-github-app-token from 2.2.0 to 2.2.1 (#13470) Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token) from 2.2.0 to 2.2.1. - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Commits](https://github.com/actions/create-github-app-token/compare/7e473efe3cb98aa54f8d4bac15400b15fad77d94...29824e69f54612133e76f7eaac726eef6c875baf) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-version: 2.2.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies.yml | 2 +- .github/workflows/project.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index aeeda6711..753effdcb 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -23,7 +23,7 @@ jobs: fetch-depth: 0 - name: Authenticate as @ohmyzsh id: generate-token - uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2.2.0 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 with: app-id: ${{ secrets.OHMYZSH_APP_ID }} private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml index baaa1f9f2..9bb3e6550 100644 --- a/.github/workflows/project.yml +++ b/.github/workflows/project.yml @@ -22,7 +22,7 @@ jobs: egress-policy: audit - name: Authenticate as @ohmyzsh id: generate-token - uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2.2.0 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 with: app-id: ${{ secrets.OHMYZSH_APP_ID }} private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} -- cgit v1.2.3-70-g09d2 From ddec79ad4384325e08104574a9e0b81bb8a7e9d9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Dec 2025 18:39:14 +0100 Subject: chore(deps): bump actions/checkout from 6.0.0 to 6.0.1 (#13468) Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.0 to 6.0.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/1af3b93b6815bc44a9784bd300feb67ff0d1eeb3...8e8c483db84b4bee98b60c0593521ed34d9990e8) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies.yml | 2 +- .github/workflows/installer.yml | 4 ++-- .github/workflows/main.yml | 2 +- .github/workflows/scorecard.yml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index 753effdcb..149c7fef7 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -18,7 +18,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 0 - name: Authenticate as @ohmyzsh diff --git a/.github/workflows/installer.yml b/.github/workflows/installer.yml index d48a9603e..dcf5b52d8 100644 --- a/.github/workflows/installer.yml +++ b/.github/workflows/installer.yml @@ -31,7 +31,7 @@ jobs: egress-policy: audit - name: Set up git repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Install zsh if: runner.os == 'Linux' run: sudo apt-get update; sudo apt-get install zsh @@ -52,7 +52,7 @@ jobs: egress-policy: audit - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Install Vercel CLI run: npm install -g vercel - name: Setup project and deploy diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index ea64e3a2f..a8363eceb 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -29,7 +29,7 @@ jobs: egress-policy: audit - name: Set up git repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Install zsh run: sudo apt-get update; sudo apt-get install zsh - name: Check syntax diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index cc8e0a8eb..068fb5e7d 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -41,7 +41,7 @@ jobs: egress-policy: audit - name: "Checkout code" - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false -- cgit v1.2.3-70-g09d2 From a4e15fdb1695ace2d6d67fb62729393b94d62836 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Dec 2025 09:57:41 +0100 Subject: chore(deps): bump github/codeql-action from 4.31.7 to 4.31.8 (#13481) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 068fb5e7d..3a1f5c92c 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -60,6 +60,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 + uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8 with: sarif_file: results.sarif -- cgit v1.2.3-70-g09d2 From 57781231bbef3df293ce3a4ae4bc58643f839c97 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Dec 2025 09:59:27 +0100 Subject: chore(deps): bump urllib3 in /.github/workflows/dependencies (#13482) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 94eaf3c9a..44ec3fb30 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -4,4 +4,4 @@ idna==3.11 PyYAML==6.0.3 requests==2.32.5 semver==3.0.4 -urllib3==2.6.0 +urllib3==2.6.2 -- cgit v1.2.3-70-g09d2 From 1fee750c3bf53164ea93f564fe53764bb727f9ea Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Dec 2025 09:59:52 +0100 Subject: chore(deps): bump step-security/harden-runner from 2.13.3 to 2.14.0 (#13483) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies.yml | 2 +- .github/workflows/installer.yml | 4 ++-- .github/workflows/main.yml | 2 +- .github/workflows/project.yml | 2 +- .github/workflows/scorecard.yml | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index 149c7fef7..8d8f5cc73 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -13,7 +13,7 @@ jobs: contents: write # this is needed to push commits and branches steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: egress-policy: audit diff --git a/.github/workflows/installer.yml b/.github/workflows/installer.yml index dcf5b52d8..eef5bf322 100644 --- a/.github/workflows/installer.yml +++ b/.github/workflows/installer.yml @@ -26,7 +26,7 @@ jobs: - macos-latest steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: egress-policy: audit @@ -47,7 +47,7 @@ jobs: - test steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: egress-policy: audit diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a8363eceb..5917d5316 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -24,7 +24,7 @@ jobs: if: github.repository == 'ohmyzsh/ohmyzsh' steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: egress-policy: audit diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml index 9bb3e6550..70597cab6 100644 --- a/.github/workflows/project.yml +++ b/.github/workflows/project.yml @@ -17,7 +17,7 @@ jobs: if: github.repository == 'ohmyzsh/ohmyzsh' steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: egress-policy: audit - name: Authenticate as @ohmyzsh diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 3a1f5c92c..2ce0dd5ff 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -36,7 +36,7 @@ jobs: steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: egress-policy: audit -- cgit v1.2.3-70-g09d2 From 7192af5239aaa3b22cb61de8c73702dcf8b1dc06 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Dec 2025 11:07:43 +0100 Subject: chore(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 (#13480) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 2ce0dd5ff..a40c491c5 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -53,7 +53,7 @@ jobs: publish_results: true - name: "Upload artifact" - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: SARIF file path: results.sarif -- cgit v1.2.3-70-g09d2 From 3a730949839e24f6536f8c34867adeab8404f0a6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 21 Dec 2025 14:07:16 +0100 Subject: chore(deps): bump github/codeql-action from 4.31.8 to 4.31.9 (#13486) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.8 to 4.31.9. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/1b168cd39490f61582a9beae412bb7057a6b2c4e...5d4e8d1aca955e8d8589aabd499c5cae939e33c7) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.31.9 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index a40c491c5..8c8113b2c 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -60,6 +60,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8 + uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 with: sarif_file: results.sarif -- cgit v1.2.3-70-g09d2 From d23d3ea69fdb839088e6e5589557cce77b34aaf8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 4 Jan 2026 21:50:31 +0100 Subject: chore(deps): bump certifi in /.github/workflows/dependencies (#13499) Bumps [certifi](https://github.com/certifi/python-certifi) from 2025.11.12 to 2026.1.4. - [Commits](https://github.com/certifi/python-certifi/compare/2025.11.12...2026.01.04) --- updated-dependencies: - dependency-name: certifi dependency-version: 2026.1.4 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/dependencies/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/dependencies/requirements.txt b/.github/workflows/dependencies/requirements.txt index 44ec3fb30..584a96ac9 100644 --- a/.github/workflows/dependencies/requirements.txt +++ b/.github/workflows/dependencies/requirements.txt @@ -1,4 +1,4 @@ -certifi==2025.11.12 +certifi==2026.1.4 charset-normalizer==3.4.4 idna==3.11 PyYAML==6.0.3 -- cgit v1.2.3-70-g09d2