diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 61dbacc9..6e7528a1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,16 +7,16 @@ jobs:
 if: ${{ !cancelled() && ! failure() }}
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 with:
 fetch-depth: 0
- - uses: pdm-project/setup-pdm@v4
+ - uses: pdm-project/setup-pdm@c050bdcb2405837648035b6678c75609d53a749f # v4
 with:
 cache: true
 python-version: ${{ matrix.python-version }}
 - id: pages
 name: Setup pages
- uses: actions/configure-pages@v4
+ uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4
 - run: env | sort
 - run: make dev
 - run: make lint
@@ -35,12 +35,12 @@ jobs:
 if: ${{ !cancelled() && ! failure() }}
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Set up Git
 run: |
 git config --global user.name github-actions
 git config --global user.email github-actions@github.com
- - uses: pdm-project/setup-pdm@v4
+ - uses: pdm-project/setup-pdm@c050bdcb2405837648035b6678c75609d53a749f # v4
 with:
 cache: true
 python-version: '3.12'
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
index 2751ce2e..e228e683 100644
--- a/.github/workflows/commitlint.yml
+++ b/.github/workflows/commitlint.yml
@@ -6,7 +6,7 @@ jobs:
 commitlint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - run: env | sort
 - name: Install commitlint with conventional config
 run: npm install --save-dev @commitlint/config-conventional @commitlint/cli
diff --git a/.github/workflows/devcontainer.yml b/.github/workflows/devcontainer.yml
index 4e7ca504..ec9048d9 100644
--- a/.github/workflows/devcontainer.yml
+++ b/.github/workflows/devcontainer.yml
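Review bot: The trailing `# v4` comments on the pinned `uses:` lines name a major tag that moves, so the file does not record which release each SHA was taken from and a reviewer cannot later check the SHA against a tag. I would write the exact release in the comment, e.g. `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.x.y` (placeholder; take the real tag from the action's release list). The same applies to every pinned `uses:` line in the other workflow hunks of this commit (devcontainer, readthedocs-preview, release).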
@@ -9,8 +9,8 @@ jobs:
 packages: write
 runs-on: ubuntu-latest
 steps:
- - uses: docker/setup-buildx-action@v3
- - uses: docker/login-action@v3
+ - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
+ - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
 with:
 password: ${{ secrets.GITHUB_TOKEN }}
 registry: ghcr.io
@@ -18,7 +18,7 @@ jobs:
 - name: Build and push dev container
 env:
 SOURCE_DATE_EPOCH: 0
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5
 with:
 build-args: |
 PYTHON_VERSION=${{ matrix.python-version }}
diff --git a/.github/workflows/readthedocs-preview.yml b/.github/workflows/readthedocs-preview.yml
index ac5e34f7..68bfc816 100644
--- a/.github/workflows/readthedocs-preview.yml
+++ b/.github/workflows/readthedocs-preview.yml
@@ -6,7 +6,7 @@ jobs:
 documentation-links:
 runs-on: ubuntu-latest
 steps:
- - uses: readthedocs/actions/preview@v1
+ - uses: readthedocs/actions/preview@cc0920454cf03ca8a3fbd3cbaa2ce2e509e70636 # v1
 with:
 project-slug: ss-python
 on:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 07318359..9fcd9bae 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,28 +3,28 @@ jobs:
 pages-build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 with:
 fetch-depth: 0
- - uses: pdm-project/setup-pdm@v4
+ - uses: pdm-project/setup-pdm@c050bdcb2405837648035b6678c75609d53a749f # v4
 with:
 cache: true
 python-version: '3.12'
 - id: pages
 name: Setup pages
- uses: actions/configure-pages@v4
+ uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4
 - run: env | sort
 - run: make dev-doc
 - run: CI_PAGES_URL=${{ steps.pages.outputs.base_url }} make doc
 - name: Generate release notes
 run: make release-notes > release-notes.md
 - name: Upload release notes
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
 with:
 name: release-notes
 path: release-notes.md
 - name: Upload pages artifact
- uses: actions/upload-pages-artifact@v3
+ uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
 with:
 path: public
 release-publish:
@@ -34,7 +34,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Download release notes
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4
 with:
 name: release-notes
 - id: prerelease
@@ -46,7 +46,7 @@ jobs:
 echo "is_prerelease=false" > $GITHUB_OUTPUT
 fi
 - name: Create GitHub release
- uses: softprops/action-gh-release@v1
+ uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
 with:
 body_path: release-notes.md
 prerelease: ${{ steps.prerelease.outputs.is_prerelease }}
@@ -57,8 +57,8 @@ jobs:
 packages: write
 runs-on: ubuntu-latest
 steps:
- - uses: docker/setup-buildx-action@v3
- - uses: docker/login-action@v3
+ - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
+ - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
 with:
 password: ${{ secrets.GITHUB_TOKEN }}
 registry: ghcr.io
@@ -66,7 +66,7 @@ jobs:
 - name: Build and push dev container
 env:
 SOURCE_DATE_EPOCH: 0
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5
 with:
 build-args: |
 PYTHON_VERSION=${{ matrix.python-version }}
@@ -82,7 +82,7 @@ jobs:
 - name: Build and push prod container
 env:
 SOURCE_DATE_EPOCH: 0
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5
 with:
 build-args: |
 PYTHON_VERSION=${{ matrix.python-version }}
@@ -107,8 +107,8 @@ jobs:
 needs: release-publish
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: pdm-project/setup-pdm@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+ - uses: pdm-project/setup-pdm@c050bdcb2405837648035b6678c75609d53a749f # v4
 with:
 cache: true
 python-version: '3.12'
@@ -126,7 +126,7 @@ jobs:
 steps:
 - id: deployment
 name: Deploy to GitHub Pages
- uses: actions/deploy-pages@v4
+ uses: actions/deploy-pages@decdde0ac072f6dcbe43649d82d9c635fff5b4e4 # v4
 on:
 push:
 tags:
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
new file mode 100644
index 00000000..34358520
--- /dev/null
+++ b/.github/workflows/renovate.yml
@@ -0,0 +1,39 @@
+name: Renovate
+jobs:
+ renovate:
+ container:
+ env:
+ LOG_LEVEL: debug
+ RENOVATE_BRANCH_PREFIX: renovate-github/
+ RENOVATE_ENABLED_MANAGERS: '["pep621", "github-actions"]'
+ RENOVATE_GIT_AUTHOR: Renovate GitHub Bot
+ RENOVATE_OPTIMIZE_FOR_DISABLED: 'true'
+ RENOVATE_PLATFORM: github
+ RENOVATE_REPOSITORIES: '["${{ github.repository }}"]'
+ RENOVATE_REPOSITORY_CACHE: enabled
+ RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
+ image: ghcr.io/renovatebot/renovate:37.202.2@sha256:6b5508487d42dcd36f95ff1139958f3b755bc8ff77b805b86eb1c59db943ef2f
+ options: '--user root'
+ runs-on: ubuntu-latest
+ steps:
+ - run: env | sort
+ - id: generate-token
+ name: Generate a token
+ if: vars.BOT_APP_ID
+ uses: actions/create-github-app-token@e8e39f73bb84fdf315a015fa3104f314c0a258b4 # v1
+ with:
+ app-id: ${{ vars.BOT_APP_ID }}
+ private-key: ${{ secrets.BOT_PRIVATE_KEY }}
+ - env:
+ RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN || steps.generate-token.outputs.token }}
+ run: |
+ if [ -z "$RENOVATE_TOKEN" ]; then
+ echo "RENOVATE_TOKEN is not properly configured, skipping ..."
+ else
+ renovate $RENOVATE_EXTRA_FLAG
+ fi
+on:
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 * * * 0,6'
+ workflow_dispatch: null
diff --git a/.gitlab/workflows/ci.yml b/.gitlab/workflows/ci.yml
index 191593f6..711de24d 100644
--- a/.gitlab/workflows/ci.yml
+++ b/.gitlab/workflows/ci.yml
@@ -16,7 +16,7 @@ ci:
 - '3.11'
 - '3.12'
 rules:
- - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"
 - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
 script:
 - make dev
diff --git a/.gitlab/workflows/commitlint.yml b/.gitlab/workflows/commitlint.yml
index 3f1c8f18..23367f53 100644
--- a/.gitlab/workflows/commitlint.yml
+++ b/.gitlab/workflows/commitlint.yml
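Review bot: `RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}` under `container.env` in the new `.github/workflows/renovate.yml` exports the token to every step of the job, and the first step is `- run: env | sort`, which prints the whole environment into a log for a job that also runs at `LOG_LEVEL: debug`. GitHub masks exact secret values in logs, but that is best-effort, so the token should not be in scope there: the last step already sets `RENOVATE_TOKEN` in its own `env:`, so the container-level entry can be deleted and the `env | sort` step dropped. The workflow also declares no `permissions:`; Renovate appears to authenticate only with `RENOVATE_TOKEN`, so a top-level `permissions: {}` would remove the default `GITHUB_TOKEN` grants. `options: '--user root'` carries no comment saying why the container must run as root, which is worth documenting or removing.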
@@ -4,7 +4,7 @@ commitlint:
 entrypoint: [""]
 interruptible: true
 rules:
- - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"
 - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
 script:
 - |
diff --git a/.gitlab/workflows/devcontainer.yml b/.gitlab/workflows/devcontainer.yml
index 4938a1a4..9be72847 100644
--- a/.gitlab/workflows/devcontainer.yml
+++ b/.gitlab/workflows/devcontainer.yml
@@ -11,7 +11,8 @@ dev-container-publish:
 rules:
 - changes:
 - .devcontainer/Dockerfile
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "web"
 script:
 - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}
 - docker context create builder
diff --git a/.gitlab/workflows/renovate.yml b/.gitlab/workflows/renovate.yml
new file mode 100644
index 00000000..6990fb68
--- /dev/null
+++ b/.gitlab/workflows/renovate.yml
@@ -0,0 +1,21 @@
+renovate:
+ cache:
+ key: ${CI_COMMIT_REF_SLUG}-renovate
+ paths:
+ - renovate/cache/renovate/repository/
+ image: renovate/renovate:37.202.2
+ rules:
+ - if: $CI_PIPELINE_SOURCE == "schedule" && $RENOVATE_TOKEN != null
+ script: renovate $RENOVATE_EXTRA_FLAG
+ stage: build
+ variables:
+ LOG_LEVEL: debug
+ RENOVATE_BASE_DIR: $CI_PROJECT_DIR/renovate
+ RENOVATE_BRANCH_PREFIX: renovate-gitlab/
+ RENOVATE_ENABLED_MANAGERS: '["pep621"]'
+ RENOVATE_ENDPOINT: $CI_API_V4_URL
+ RENOVATE_GIT_AUTHOR: Renovate GitLab Bot
+ RENOVATE_OPTIMIZE_FOR_DISABLED: 'true'
+ RENOVATE_PLATFORM: gitlab
+ RENOVATE_REPOSITORIES: '["$CI_PROJECT_PATH"]'
+ RENOVATE_REPOSITORY_CACHE: enabled
diff --git a/.renovaterc.json b/.renovaterc.json
new file mode 100644
index 00000000..eb577d2b
--- /dev/null
+++ b/.renovaterc.json
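Review bot: `image: renovate/renovate:37.202.2` in the new `.gitlab/workflows/renovate.yml` is pinned by tag only, while the GitHub workflow added in the same commit pins the Renovate image with `@sha256:`; a tag can be re-pointed, and this job runs with `RENOVATE_TOKEN` in scope. I would pin it the same way, `image: renovate/renovate:37.202.2@sha256:<digest-of-37.202.2>` (placeholder for the real digest). With `RENOVATE_ENABLED_MANAGERS: '["pep621"]'` Renovate presumably will not maintain this line itself, so the digest would need a manual bump or an additional manager. The same tag-only image appears in both template copies of the Renovate job, the GitLab `renovate.yml` and the GitHub `renovate.yml.jinja` under `template/`.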
@@ -0,0 +1,10 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:best-practices",
+ ":maintainLockFilesWeekly"
+ ],
+ "ignorePaths": [
+ "**/template/**"
+ ]
+}
diff --git a/.vscode/settings.json b/.vscode/settings.json
index ef2700b9..33936a79 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -45,6 +45,7 @@
 "pyproject",
 "pytest",
 "Quickstart",
+ "renovatebot",
 "setuptools",
 "softprops",
 "sphinxcontrib",
diff --git a/template/.renovaterc.json.jinja b/template/.renovaterc.json.jinja
new file mode 100644
index 00000000..e9b8a2b9
--- /dev/null
+++ b/template/.renovaterc.json.jinja
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:best-practices",
+ ":maintainLockFilesWeekly"
+ ]
+[%- if project_name == "Serious Scaffold Python" %],
+ "ignorePaths": [
+ "**/template/**"
+ ]
+[%- endif %]
+}
diff --git a/template/.vscode/settings.json b/template/.vscode/settings.json
index ef2700b9..33936a79 100644
--- a/template/.vscode/settings.json
+++ b/template/.vscode/settings.json
@@ -45,6 +45,7 @@
 "pyproject",
 "pytest",
 "Quickstart",
+ "renovatebot",
 "setuptools",
 "softprops",
 "sphinxcontrib",
diff --git a/template/[% if repo_host_type == 'github.com' %].github[% endif %]/workflows/renovate.yml.jinja b/template/[% if repo_host_type == 'github.com' %].github[% endif %]/workflows/renovate.yml.jinja
new file mode 100644
index 00000000..f48cd321
--- /dev/null
+++ b/template/[% if repo_host_type == 'github.com' %].github[% endif %]/workflows/renovate.yml.jinja
@@ -0,0 +1,29 @@
+name: Renovate
+jobs:
+ renovate:
+ container:
+ env:
+ LOG_LEVEL: debug
+ RENOVATE_BRANCH_PREFIX: renovate-github/
+ RENOVATE_ENABLED_MANAGERS: '["pep621", "github-actions"]'
+ RENOVATE_GIT_AUTHOR: Renovate GitHub Bot
+ RENOVATE_OPTIMIZE_FOR_DISABLED: 'true'
+ RENOVATE_PLATFORM: github
+ RENOVATE_REPOSITORIES: '["{{ '${{ github.repository }}' }}"]'
+ RENOVATE_REPOSITORY_CACHE: enabled
+ RENOVATE_TOKEN: {{ '${{ secrets.RENOVATE_TOKEN }}' }}
+ image: ghcr.io/renovatebot/renovate:37.202.2
+ runs-on: ubuntu-latest
+ steps:
+ - run: env | sort
+ - run: |
+ if [ -z "{{ '${{ secrets.RENOVATE_TOKEN }}' }}" ]; then
+ echo "RENOVATE_TOKEN not set, skipping ..."
+ else
+ renovate $RENOVATE_EXTRA_FLAG
+ fi
+on:
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 * * * 0,6'
+ workflow_dispatch: null
diff --git a/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/ci.yml.jinja b/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/ci.yml.jinja
index c2aa2fd0..9936a2ca 100644
--- a/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/ci.yml.jinja
+++ b/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/ci.yml.jinja
@@ -27,7 +27,7 @@ ci:
 - '3.12'
 [%- endif %]
 rules:
- - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"
 - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
 script:
 - make dev
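Review bot: The skip check `if [ -z "{{ '${{ secrets.RENOVATE_TOKEN }}' }}" ]; then` in the template's `renovate.yml.jinja` renders to a `${{ secrets.RENOVATE_TOKEN }}` expression inside `run:`, so GitHub substitutes the secret's value into the script text before the shell runs; a value containing a double quote, `$` or a backtick would change the script, and the token ends up in the generated script file. The variable is already exported through `container.env`, so the check can read it instead: `if [ -z "$RENOVATE_TOKEN" ]; then`, which is the form the repository's own `.github/workflows/renovate.yml` uses in this commit. The template also keeps `- run: env | sort` in a job that has the token in its environment; I would drop that step from generated projects.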
diff --git a/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/commitlint.yml b/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/commitlint.yml
index 3f1c8f18..23367f53 100644
--- a/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/commitlint.yml
+++ b/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/commitlint.yml
@@ -4,7 +4,7 @@ commitlint:
 entrypoint: [""]
 interruptible: true
 rules:
- - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"
 - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
 script:
 - |
diff --git a/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/devcontainer.yml.jinja b/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/devcontainer.yml.jinja
index 080a2fd2..abf7a0d1 100644
--- a/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/devcontainer.yml.jinja
+++ b/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/devcontainer.yml.jinja
@@ -22,7 +22,8 @@ dev-container-publish:
 rules:
 - changes:
 - .devcontainer/Dockerfile
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "web"
 script:
 - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}
 - docker context create builder
diff --git a/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/renovate.yml b/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/renovate.yml
new file mode 100644
index 00000000..6990fb68
--- /dev/null
+++ b/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/renovate.yml
@@ -0,0 +1,21 @@
+renovate:
+ cache:
+ key: ${CI_COMMIT_REF_SLUG}-renovate
+ paths:
+ - renovate/cache/renovate/repository/
+ image: renovate/renovate:37.202.2
+ rules:
+ - if: $CI_PIPELINE_SOURCE == "schedule" && $RENOVATE_TOKEN != null
+ script: renovate $RENOVATE_EXTRA_FLAG
+ stage: build
+ variables:
+ LOG_LEVEL: debug
+ RENOVATE_BASE_DIR: $CI_PROJECT_DIR/renovate
+ RENOVATE_BRANCH_PREFIX: renovate-gitlab/
+ RENOVATE_ENABLED_MANAGERS: '["pep621"]'
+ RENOVATE_ENDPOINT: $CI_API_V4_URL
+ RENOVATE_GIT_AUTHOR: Renovate GitLab Bot
+ RENOVATE_OPTIMIZE_FOR_DISABLED: 'true'
+ RENOVATE_PLATFORM: gitlab
+ RENOVATE_REPOSITORIES: '["$CI_PROJECT_PATH"]'
+ RENOVATE_REPOSITORY_CACHE: enabled