Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 10 additions & 2 deletions .github/workflows/Semgrep.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,8 +33,16 @@ jobs:
# suppressions were ignored. See https://semgrep.dev/docs CHANGELOG v1.164.0.
image: semgrep/semgrep:1.164.0

# Skip any PR created by dependabot to avoid permission issues:
if: (github.actor != 'dependabot[bot]')
# Skip any PR created by dependabot to avoid permission issues, and skip the
# automated release PR (opened by github-actions[bot], same repo, release/*
# branch — the Create Release PR workflow posts the required checks for it).
# The release gate is keyed on the PR author, not the branch name (which any
# contributor controls), so a "release/…" branch can't bypass required checks.
if: >-
${{ github.actor != 'dependabot[bot]'
&& !(github.event.pull_request.user.login == 'github-actions[bot]'
&& github.event.pull_request.head.repo.full_name == github.repository
&& startsWith(github.head_ref, 'release/')) }}

steps:
# Fetch project source with GitHub Actions Checkout.
Expand Down
9 changes: 9 additions & 0 deletions .github/workflows/executable-check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,15 @@ concurrency:
jobs:
verify:
name: Build & verify executable
# Skip CI only for the automated release PR: opened by github-actions[bot],
# from this same repo, on a release/* branch (the Create Release PR workflow
# posts the required checks as passing for it). Keyed on the PR author, not the
# branch name, so a "release/…" branch can't be used to bypass required checks.
if: >-
${{ !(github.event_name == 'pull_request'
&& github.event.pull_request.user.login == 'github-actions[bot]'
&& github.event.pull_request.head.repo.full_name == github.repository
&& startsWith(github.head_ref, 'release/')) }}
runs-on: macos-latest
steps:
- uses: actions/checkout@v5
Expand Down
9 changes: 9 additions & 0 deletions .github/workflows/lint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,15 @@ permissions:
jobs:
lint:
name: Lint
# Skip CI only for the automated release PR: opened by github-actions[bot],
# from this same repo, on a release/* branch (the Create Release PR workflow
# posts the required checks as passing for it). Keyed on the PR author, not the
# branch name, so a "release/…" branch can't be used to bypass required checks.
if: >-
${{ !(github.event_name == 'pull_request'
&& github.event.pull_request.user.login == 'github-actions[bot]'
&& github.event.pull_request.head.repo.full_name == github.repository
&& startsWith(github.head_ref, 'release/')) }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
Expand Down
22 changes: 22 additions & 0 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,16 @@ on:
jobs:
build:
name: Build
# Skip CI only for the automated release PR: opened by github-actions[bot],
# from this same repo, on a release/* branch (the Create Release PR workflow
# posts the required checks as passing for it). The gate is keyed on the PR
# author — NOT the branch name, which any contributor controls — so a PR from
# a "release/…" branch can't be used to bypass required checks.
if: >-
${{ !(github.event_name == 'pull_request'
&& github.event.pull_request.user.login == 'github-actions[bot]'
&& github.event.pull_request.head.repo.full_name == github.repository
&& startsWith(github.head_ref, 'release/')) }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
Expand Down Expand Up @@ -35,6 +45,12 @@ jobs:

test:
name: Test ${{ matrix.package }}
# Skip only for the automated release PR (see the build job for rationale).
if: >-
${{ !(github.event_name == 'pull_request'
&& github.event.pull_request.user.login == 'github-actions[bot]'
&& github.event.pull_request.head.repo.full_name == github.repository
&& startsWith(github.head_ref, 'release/')) }}
needs: [build]
strategy:
matrix:
Expand Down Expand Up @@ -137,6 +153,12 @@ jobs:

regression:
name: Regression
# Skip only for the automated release PR (see the build job for rationale).
if: >-
${{ !(github.event_name == 'pull_request'
&& github.event.pull_request.user.login == 'github-actions[bot]'
&& github.event.pull_request.head.repo.full_name == github.repository
&& startsWith(github.head_ref, 'release/')) }}
needs: [build]
runs-on: ubuntu-latest
timeout-minutes: 15
Expand Down
9 changes: 9 additions & 0 deletions .github/workflows/typecheck.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,15 @@ permissions:
jobs:
typecheck:
name: Typecheck
# Skip CI only for the automated release PR: opened by github-actions[bot],
# from this same repo, on a release/* branch (the Create Release PR workflow
# posts the required checks as passing for it). Keyed on the PR author, not the
# branch name, so a "release/…" branch can't be used to bypass required checks.
if: >-
${{ !(github.event_name == 'pull_request'
&& github.event.pull_request.user.login == 'github-actions[bot]'
&& github.event.pull_request.head.repo.full_name == github.repository
&& startsWith(github.head_ref, 'release/')) }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
Expand Down
8 changes: 8 additions & 0 deletions .github/workflows/version-bump.yml
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,14 @@ jobs:
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
with:
token: ${{ secrets.GITHUB_TOKEN }}
# Fully attribute the commit to the GitHub Actions bot (not the human
# who clicked "Run workflow", which is create-pull-request's default
# author). A bot-authored, GITHUB_TOKEN-pushed commit lets GitHub's
# recursion guard suppress the on:pull_request CI runs entirely, so the
# release PR never sits in the "Approve and run workflows" gate — the
# synthetic check runs posted below satisfy branch protection on their own.
author: "github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>"
committer: "github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>"
base: master
branch: release/${{ steps.bump.outputs.version }}
# Only commit version files — never workflow files (GITHUB_TOKEN may
Expand Down
15 changes: 15 additions & 0 deletions .github/workflows/windows.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,15 @@ on:
jobs:
build:
name: Build
# Skip CI only for the automated release PR: opened by github-actions[bot],
# from this same repo, on a release/* branch (the Create Release PR workflow
# posts the required checks as passing for it). Keyed on the PR author, not the
# branch name, so a "release/…" branch can't be used to bypass required checks.
if: >-
${{ !(github.event_name == 'pull_request'
&& github.event.pull_request.user.login == 'github-actions[bot]'
&& github.event.pull_request.head.repo.full_name == github.repository
&& startsWith(github.head_ref, 'release/')) }}
runs-on: windows-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
Expand Down Expand Up @@ -35,6 +44,12 @@ jobs:

test:
name: Test ${{ matrix.package }}
# Skip only for the automated release PR (see the build job for rationale).
if: >-
${{ !(github.event_name == 'pull_request'
&& github.event.pull_request.user.login == 'github-actions[bot]'
&& github.event.pull_request.head.repo.full_name == github.repository
&& startsWith(github.head_ref, 'release/')) }}
needs: [build]
strategy:
fail-fast: false
Expand Down
Loading