ci: deprecate reusable actions and move to in-repo configs (#185)

Author: mircea-pavel-anton

.github/renovate.json5

@@ -3,7 +3,8 @@
     "dependencyDashboardTitle": "Renovate Dashboard 🤖",
     "extends": [
         ":dependencyDashboard",
-        "config:best-practices",
+        "config:recommended",
+        "helpers:pinGitHubActionDigests",
         ":disableRateLimiting",
         ":semanticCommits",
         "github>mirceanton/renovate-config//labels/all.json5",

.github/workflows/goreleaser.yaml

@@ -12,26 +12,52 @@ on:
         default: false
         type: boolean
 
-  # Dry Run on any PR that changes this pipeline or that should ultimately trigger a release when merged
-  pull_request:
-    paths:
-      - ".github/workflows/goreleaser.yaml"
-      - .goreleaser.yaml
-      - "go.mod"
-      - "go.sum"
-      - "**/**.go"
-
   # "Wet" Run on any tag push
   push:
     tags: ["*"]
 
+  # Dry Run on any PR that changes the goreleaser config or the workflow
+  pull_request:
+    paths:
+      - .github/workflows/goreleaser.yaml
+      - .goreleaser.yaml
+
 jobs:
   goreleaser:
-    uses: mirceanton/reusable-workflows/.github/workflows/reusable-go-release.yaml@feat/custom-images
-    secrets: inherit
-    with:
-      dry-run: ${{ inputs.dry-run || github.event_name == 'pull_request' }}
-      # renovate: depName=go datasource=golang-version
-      go-version: 1.24.2
-      # renovate: depName=goreleaser/goreleaser datasource=github-tags
-      goreleaser-version: v2.8.2
+    if: github.repository_owner == 'mirceanton' # ? don't run on forks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate Token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        id: app-token
+        with:
+          app-id: "${{ secrets.BOT_APP_ID }}"
+          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          token: "${{ steps.app-token.outputs.token }}"
+          fetch-depth: 0
+
+      - name: Login to Container Registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: "ghcr.io"
+          username: "${{ github.actor }}"
+          password: "${{ secrets.GHCR_RW_TOKEN }}"
+
+      - name: Setup Go
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        with:
+          go-version-file: go.mod
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
+        env:
+          GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"
+          TAP_GITHUB_TOKEN: "${{ secrets.GHCR_RW_TOKEN }}"
+        with:
+          # renovate: datasource=github-tags packageName=goreleaser/goreleaser
+          version: v2.8.2
+          args: ${{ (inputs.dry-run || github.event_name == 'pull_request') && '--snapshot' || '--clean' }}

.github/workflows/label-sync.yaml

@@ -25,14 +25,31 @@ on:
       - .github/workflows/label-sync.yaml
       - .github/configs/labels.yaml
 
-  # "Wet" Run daily
+  # "Wet" Run hourly
   schedule:
     - cron: "0 * * * *"
 
 jobs:
   label-sync:
-    uses: mirceanton/reusable-workflows/.github/workflows/reusable-label-sync.yaml@09f31ab6340ce5651dc6c28512a82de6b2415fb9 # v3.8.2
-    secrets: inherit
-    with:
-      dry-run: ${{ inputs.dry-run || github.event_name == 'pull_request' }}
-      config-file: .github/configs/labels.yaml
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate Token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        id: app-token
+        with:
+          app-id: "${{ secrets.BOT_APP_ID }}"
+          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          token: "${{ steps.app-token.outputs.token }}"
+          sparse-checkout: "${{ env.LABEL_SYNC_CONFIG_FILE }}"
+
+      - name: Sync Labels
+        uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
+        with:
+          dry-run: "${{ (inputs.dry-run || github.event_name == 'pull_request') == true }}"
+          token: "${{ steps.app-token.outputs.token }}"
+          delete-other-labels: true
+          config-file: .github/configs/labels.yaml

.github/workflows/labeler.yaml

@@ -6,8 +6,39 @@ on:
   pull_request_target: {}
 
 jobs:
-  pr-labeler:
-    uses: mirceanton/reusable-workflows/.github/workflows/reusable-labeler.yaml@09f31ab6340ce5651dc6c28512a82de6b2415fb9 # v3.8.2
-    secrets: inherit
-    with:
-      config-file: .github/configs/labeler.yaml
+  size-label:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate Token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        id: app-token
+        with:
+          app-id: "${{ secrets.BOT_APP_ID }}"
+          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+
+      - name: Size Label
+        uses: pascalgn/size-label-action@f8edde36b3be04b4f65dcfead05dc8691b374348 # v0.5.5
+        env:
+          GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"
+
+  labeler:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate Token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        id: app-token
+        with:
+          app-id: "${{ secrets.BOT_APP_ID }}"
+          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          token: "${{ steps.app-token.outputs.token }}"
+
+      - name: Labeler
+        uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
+        with:
+          sync-labels: true
+          repo-token: "${{ steps.app-token.outputs.token }}"
+          configuration-path: .github/configs/labeler.yaml

.github/workflows/lint.yaml

@@ -7,28 +7,112 @@ on:
   pull_request: {}
 
 jobs:
-  go:
-    uses: mirceanton/reusable-workflows/.github/workflows/reusable-go-lint.yaml@feat/custom-images
-    secrets: inherit
-    with:
-      # renovate: depName=golangci/golangci-lint datasource=github-tags
-      version: v2.1.2
-
-  bash:
-    uses: mirceanton/reusable-workflows/.github/workflows/reusable-shellcheck.yaml@09f31ab6340ce5651dc6c28512a82de6b2415fb9 # v3.8.2
-    secrets: inherit
-  commits:
-    uses: mirceanton/reusable-workflows/.github/workflows/reusable-commitlint.yaml@09f31ab6340ce5651dc6c28512a82de6b2415fb9 # v3.8.2
-    secrets: inherit
-    with: { config-file: ./.github/configs/commitlint.config.mjs }
-  github-actions:
-    uses: mirceanton/reusable-workflows/.github/workflows/reusable-actionlint.yaml@09f31ab6340ce5651dc6c28512a82de6b2415fb9 # v3.8.2
-    secrets: inherit
-  markdown:
-    uses: mirceanton/reusable-workflows/.github/workflows/reusable-markdownlint.yaml@09f31ab6340ce5651dc6c28512a82de6b2415fb9 # v3.8.2
-    secrets: inherit
-    with: { config-file: .github/configs/.markdownlint.yaml }
-  yaml:
-    uses: mirceanton/reusable-workflows/.github/workflows/reusable-yamllint.yaml@09f31ab6340ce5651dc6c28512a82de6b2415fb9 # v3.8.2
-    secrets: inherit
-    with: { config-file: .github/configs/yamllint.yaml }
+  golangci-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Get changed files
+        id: changed-files
+        uses: bjw-s-labs/action-changed-files@b1144fc772fca235a50902c7bb6cc431cc7d8e27 # v0.3.2
+        with:
+          patterns: |-
+            .github/workflows/golangci-lint.yaml
+            .golangci.yaml
+            "**.go"
+
+      - name: Generate Token
+        if: steps.changed-files.outputs.changed_files != '[]'
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        id: app-token
+        with:
+          app-id: "${{ secrets.BOT_APP_ID }}"
+          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+
+      - name: Setup Go
+        if: steps.changed-files.outputs.changed_files != '[]'
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        with:
+          go-version-file: go.mod
+
+      - name: Run golangci-lint
+        if: steps.changed-files.outputs.changed_files != '[]'
+        uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # v7.0.0
+        with:
+          github-token: "${{ steps.app-token.outputs.token }}"
+          # renovate: datasource=github-tags packageName=golangci/golangci-lint
+          version: v2.1.2
+
+  # ===============================================================================================
+  # "Meta" linters
+  # ===============================================================================================
+  actionlint:
+    runs-on: ubuntu-latest
+    container: ghcr.io/mirceanton/gha-runner-actionlint:latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Get changed files
+        id: changed-files
+        uses: bjw-s-labs/action-changed-files@b1144fc772fca235a50902c7bb6cc431cc7d8e27 # v0.3.2
+        with:
+          patterns: |-
+            .github/workflows/**/*.yml
+            .github/workflows/**/*.yaml
+
+      - name: Run actionlint
+        if: steps.changed-files.outputs.changed_files != '[]'
+        run: actionlint
+
+  commitlint:
+    runs-on: ubuntu-latest
+    container: ghcr.io/mirceanton/gha-runner-commitlint:latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Validate PR commits with CommitLint
+        run: echo "$PR_TITLE" | npx commitlint --extends=./.github/configs/commitlint.config.mjs
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}
+
+  markdownlint:
+    runs-on: ubuntu-latest
+    container: ghcr.io/mirceanton/gha-runner-markdownlint:latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Get changed files
+        id: changed-files
+        uses: bjw-s-labs/action-changed-files@b1144fc772fca235a50902c7bb6cc431cc7d8e27 # v0.3.2
+        with:
+          patterns: |-
+            .github/configs/.markdownlint.yaml
+            **/*.md
+
+      - name: Run MarkdownLint
+        if: steps.changed-files.outputs.changed_files != '[]'
+        run: markdownlint --config=.github/configs/.markdownlint.yaml "**/*.md"
+
+  yamllint:
+    runs-on: ubuntu-latest
+    container: ghcr.io/mirceanton/gha-runner-yamllint:latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Get changed files
+        id: changed-files
+        uses: bjw-s-labs/action-changed-files@b1144fc772fca235a50902c7bb6cc431cc7d8e27 # v0.3.2
+        with:
+          patterns: |-
+            **/*.yml
+            **/*.yaml
+
+      - name: Run yamllint
+        if: steps.changed-files.outputs.changed_files != '[]'
+        run: yamllint --config-file=.github/configs/yamllint.yaml .

.github/workflows/release.yaml

@@ -1,37 +1,57 @@
 ---
-# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Release
 
 on:
-  # Manual Trigger
+  # Manually trigger a new release from the Actions tab
   workflow_dispatch:
     inputs:
+      version-increment:
+        description: 'Version increment type'
+        required: false
+        default: 'auto'
+        type: choice
+        options: [ "auto", "major", "minor", "patch", "prerelease" ]
       dry-run:
-        description: Dry Run
+        description: 'Dry run mode (no actual release)'
         required: false
         default: false
         type: boolean
+      draft:
+        description: Mark Release as Draft
+        default: false
+        required: false
+        type: boolean
 
-  # Dry Run on any PR that changes this pipeline or that should ultimately trigger a release when merged
+  # Dry run on any PR to the main branch to make sure the workflow would run
+  # successfully before merging
   pull_request:
-    paths:
-      - ".github/workflows/git-release.yaml"
-      - "go.mod"
-      - "go.sum"
-      - "**/**.go"
+    branches: ["main"]
 
-  # "Wet" Run on any push to the main branch that modified a go-related file
-  push:
-    branches: ["main", "master"]
-    paths:
-      - "go.mod"
-      - "go.sum"
-      - "**/**.go"
+  schedule:
+    - cron: "0 0 * * *"
 
 jobs:
-  git:
-    uses: mirceanton/reusable-workflows/.github/workflows/reusable-release-semver.yaml@09f31ab6340ce5651dc6c28512a82de6b2415fb9 # v3.8.2
-    secrets: inherit
-    with:
-      dry-run: ${{ inputs.dry-run || github.event_name == 'pull_request' }}
-      config-file: ./.github/configs/release.config.mjs
+  release:
+    if: github.repository_owner == 'mirceanton' # ? don't run on forks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate Token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        id: app-token
+        with:
+          app-id: "${{ secrets.BOT_APP_ID }}"
+          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          token: "${{ steps.app-token.outputs.token }}"
+          fetch-depth: 0  # !important for SVU to determine the next version number
+
+      - name: Create Release
+        uses: mirceanton/action-semver-release@c48aeafa1300c3f2867ee27250f5ed076c7cb2a0 # v1.3.0
+        with:
+          github-token: ${{ steps.app-token.outputs.token }}
+          version-increment: ${{ inputs.version-increment || 'auto' }}
+          dry-run: ${{ inputs.dry-run || github.event_name == 'pull_request' }}
+          draft: ${{ inputs.draft || 'false' }}