chore: update global workflows (#336)

Author: LizardByte-bot

.github/pr_release_template.md

@@ -9,9 +9,9 @@ name: "CodeQL"
 
 on:
   push:
-    branches: ["master", "nightly"]
+    branches: ["master"]
   pull_request:
-    branches: ["master", "nightly"]
+    branches: ["master"]
   schedule:
     - cron: '00 12 * * 0'  # every Sunday at 12:00 UTC
 
@@ -140,9 +140,12 @@ jobs:
           submodules: recursive
 
       - name: Setup msys2
-        if: runner.os == 'Windows'
+        if: >-
+          runner.os == 'Windows' &&
+          matrix.language == 'cpp'
         uses: msys2/setup-msys2@v2
         with:
+          msystem: ucrt64
           update: true
 
       # Initializes the CodeQL tools for scanning.
@@ -157,6 +160,10 @@ jobs:
           # yamllint disable-line rule:line-length
           # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
           # queries: security-extended,security-and-quality
+          config: |
+            paths-ignore:
+              - node_modules
+              - third-party
 
       # Pre autobuild
       # create a file named .codeql-prebuild-${{ matrix.language }}.sh in the root of your repository
@@ -180,3 +187,26 @@ jobs:
         uses: github/codeql-action/analyze@v3
         with:
           category: "/language:${{matrix.language}}"
+          output: sarif-results
+          upload: failure-only
+
+      - name: filter-sarif
+        uses: advanced-security/filter-sarif@v1
+        with:
+          input: sarif-results/${{ matrix.language }}.sarif
+          output: sarif-results/${{ matrix.language }}.sarif
+          patterns: |
+            -node_modules/**
+            -third\-party/**
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: sarif-results/${{ matrix.language }}.sarif
+
+      - name: Upload loc as a Build Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sarif-results-${{ matrix.language }}-${{ runner.os }}
+          path: sarif-results
+          retention-days: 1

.github/workflows/auto-create-pr.yml

@@ -9,11 +9,11 @@ name: flake8
 
 on:
   pull_request:
-    branches: [master, nightly]
+    branches: [master]
     types: [opened, synchronize, reopened]
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
+  group: "${{ github.workflow }}-${{ github.ref }}"
   cancel-in-progress: true
 
 jobs:

.github/workflows/automerge.yml

@@ -9,15 +9,15 @@ name: Release Notifications
 
 on:
   release:
-    types: [published]
-    # https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onevent_nametypes
+    types:
+      - released  # this triggers when a release is published, but does not include prereleases or drafts
 
 jobs:
   discord:
     if: >-
       startsWith(github.repository, 'LizardByte/') &&
-      not(github.event.release.prerelease) &&
-      not(github.event.release.draft)
+      !github.event.release.prerelease &&
+      !github.event.release.draft
     runs-on: ubuntu-latest
     steps:
       - name: discord
@@ -35,8 +35,8 @@ jobs:
   facebook_group:
     if: >-
       startsWith(github.repository, 'LizardByte/') &&
-      not(github.event.release.prerelease) &&
-      not(github.event.release.draft)
+      !github.event.release.prerelease &&
+      !github.event.release.draft
     runs-on: ubuntu-latest
     steps:
       - name: facebook-post-action
@@ -52,8 +52,8 @@ jobs:
   facebook_page:
     if: >-
       startsWith(github.repository, 'LizardByte/') &&
-      not(github.event.release.prerelease) &&
-      not(github.event.release.draft)
+      !github.event.release.prerelease &&
+      !github.event.release.draft
     runs-on: ubuntu-latest
     steps:
       - name: facebook-post-action
@@ -69,8 +69,8 @@ jobs:
   reddit:
     if: >-
       startsWith(github.repository, 'LizardByte/') &&
-      not(github.event.release.prerelease) &&
-      not(github.event.release.draft)
+      !github.event.release.prerelease &&
+      !github.event.release.draft
     runs-on: ubuntu-latest
     steps:
       - name: reddit
@@ -89,8 +89,8 @@ jobs:
   twitter:
     if: >-
       startsWith(github.repository, 'LizardByte/') &&
-      not(github.event.release.prerelease) &&
-      not(github.event.release.draft)
+      !github.event.release.prerelease &&
+      !github.event.release.draft
     runs-on: ubuntu-latest
     steps:
       - name: twitter

.github/workflows/codeql.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Update Changelog
-        uses: LizardByte/update-changelog-action@v2024.520.183314
+        uses: LizardByte/update-changelog-action@v2024.609.4705
         with:
           changelogBranch: changelog
           changelogFile: CHANGELOG.md

.github/workflows/python-flake8.yml

@@ -0,0 +1,89 @@
+---
+# This action is centrally managed in https://github.com/<organization>/.github/
+# Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in
+# the above-mentioned repo.
+
+# Use the `rtd` repository label to identify repositories that should trigger have this workflow.
+# If the project slug is not the repository name, add a repository variable named `READTHEDOCS_SLUG` with the value of
+# the ReadTheDocs project slug.
+
+# Update readthedocs on release events.
+
+name: Update docs
+
+on:
+  release:
+    types: [created, edited, deleted]
+
+concurrency:
+  group: "${{ github.workflow }}-${{ github.event.release.tag_name }}"
+  cancel-in-progress: true
+
+jobs:
+  update-docs:
+    env:
+      RTD_SLUG: ${{ vars.READTHEDOCS_SLUG }}
+      RTD_TOKEN: ${{ secrets.READTHEDOCS_TOKEN }}
+      TAG: ${{ github.event.release.tag_name }}
+    if: >-
+      !github.event.release.draft
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get RTD_SLUG
+        run: |
+          # if the RTD_SLUG is not set, use the repository name in lowercase
+          if [ -z "${RTD_SLUG}" ]; then
+              RTD_SLUG=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]')
+          fi
+          echo "RTD_SLUG=${RTD_SLUG}" >> $GITHUB_ENV
+
+      - name: Deactivate deleted release
+        if: >-
+          github.event_name == 'release' &&
+          github.event.action == 'deleted'
+        run: |
+          json_body=$(jq -n \
+            --arg active "false" \
+            --arg hidden "false" \
+            --arg privacy_level "public" \
+            '{active: $active, hidden: $hidden, privacy_level: $privacy_level}')
+
+          curl \
+            -X PATCH \
+            -H "Authorization: Token ${RTD_TOKEN}" \
+              https://readthedocs.org/api/v3/projects/${RTD_SLUG}/versions/${TAG}/ \
+            -H "Content-Type: application/json" \
+            -d "$json_body"
+
+      - name: Check if edited release is latest GitHub release
+        id: check
+        if: >-
+          github.event_name == 'release' &&
+          github.event.action == 'edited'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const latestRelease = await github.rest.repos.getLatestRelease({
+              owner: context.repo.owner,
+              repo: context.repo.repo
+            });
+
+            core.setOutput('isLatestRelease', latestRelease.data.tag_name === context.payload.release.tag_name);
+
+      - name: Update RTD project
+        # changing the default branch in readthedocs makes "latest" point to that branch/tag
+        # we can also update other properties like description, etc.
+        if: >-
+          steps.check.outputs.isLatestRelease == 'true'
+        run: |
+          json_body=$(jq -n \
+            --arg default_branch "${TAG}" \
+            --arg description "${{ github.event.repository.description }}" \
+            '{default_branch: $default_branch}')
+
+          curl \
+            -X PATCH \
+            -H "Authorization: Token ${RTD_TOKEN}" \
+              https://readthedocs.org/api/v3/projects/${RTD_SLUG}/ \
+            -H "Content-Type: application/json" \
+            -d "$json_body"

.github/workflows/release-notifier.yml

@@ -9,11 +9,11 @@ name: yaml lint
 
 on:
   pull_request:
-    branches: [master, nightly]
+    branches: [master]
     types: [opened, synchronize, reopened]
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
+  group: "${{ github.workflow }}-${{ github.ref }}"
   cancel-in-progress: true
 
 jobs: