sbrunner
diff --git a/‎.editorconfig
+1-1 b/‎.editorconfig
+1-1
diff --git a/‎.github/changelog-config.yaml
-24 b/‎.github/changelog-config.yaml
-24
diff --git a/‎.github/renovate.json5
+22-3 b/‎.github/renovate.json5
+22-3
diff --git a/‎.github/workflows/audit.yaml
+35 b/‎.github/workflows/audit.yaml
+35
diff --git a/‎.github/workflows/changelog.yaml
+24-38 b/‎.github/workflows/changelog.yaml
+24-38
diff --git a/‎.github/workflows/delete-old-workflows-run.yaml
+23 b/‎.github/workflows/delete-old-workflows-run.yaml
+23
diff --git a/‎.github/workflows/main.yaml
+16-1 b/‎.github/workflows/main.yaml
+16-1
diff --git a/‎.github/workflows/pr-checks.yaml
+1 b/‎.github/workflows/pr-checks.yaml
+1
diff --git a/‎.github/workflows/rebuild.yaml
+8 b/‎.github/workflows/rebuild.yaml
+8
diff --git a/‎.pre-commit-config.yaml
+66-4 b/‎.pre-commit-config.yaml
+66-4
diff --git a/‎.whitesource
+14 b/‎.whitesource
+14
@@ -10,7 +10,7 @@ trim_trailing_whitespace = true
 max_line_length = 110
 quote_type = single
 
-[*.{yaml,json,json5,md}]
+[*.{yaml,json,json5,md,whitesource}]
 indent_size = 2
 
 [{Makefile, *.mk}]
 
@@ -1,13 +1,25 @@
 {
   extends: ['config:base'],
   timezone: 'Europe/Zurich',
-  schedule: 'after 1am on Saturday',
+  schedule: 'after 5pm on the first day of the month',
   labels: ['dependencies'],
   separateMajorMinor: true,
   separateMinorPatch: true,
   prHourlyLimit: 0,
   prConcurrentLimit: 0,
-  lockFileMaintenance: { enabled: true, automerge: true },
+  lockFileMaintenance: {
+    enabled: true,
+    automerge: true,
+    schedule: 'after 5pm on the first day of the month',
+  },
+  baseBranches: ['master', 'test'],
+  'pre-commit': { enabled: true },
+  regexManagers: [
+    {
+      fileMatch: ['^.pre-commit-config.yaml'],
+      matchStrings: [" +- '?(?<depName>[^' @=]+)(@|==)(?<currentValue>[^' @=]+)'? # (?<datasource>.+)"],
+    },
+  ],
   packageRules: [
     /** Automerge the patch, the minor and the dev dependency */
     {
@@ -37,7 +49,8 @@
     },
     /** Group Poetry packages */
     {
-      matchPackageNames: ['poetry', 'poetry-core'],
+      matchPackageNames: ['poetry', 'pip'],
+      matchPackagePrefixes: ['poetry-'],
       groupName: 'Poetry',
       automerge: true,
       separateMajorMinor: false,
@@ -49,5 +62,11 @@
       matchPackageNames: ['c2cciutils'],
       enabled: false,
     },
+    /** Accept only the patch on stabilization branches */
+    {
+      matchBaseBranches: ['master'],
+      matchUpdateTypes: ['major', 'minor', 'pin', 'digest', 'lockFileMaintenance', 'rollback', 'bump'],
+      enabled: false,
+    },
   ],
 }
@@ -0,0 +1,35 @@
+name: Audit
+
+on:
+  schedule:
+    - cron: '30 2 * * *'
+
+jobs:
+  audit:
+    runs-on: ubuntu-22.04
+    name: Audit
+    timeout-minutes: 10
+
+    strategy:
+      fail-fast: false
+      matrix:
+        branch:
+          - master
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ matrix.branch }}
+
+      - run: git config --global user.email "[email protected]"
+      - run: git config --global user.name "Snyk autofix"
+
+      - run: python3 -m venv ~/.venv
+      - run: ~/.venv/bin/pip install --pre c2cciutils[audit]
+      - run: python3 -m pip install --pre c2cciutils[audit]
+
+      - name: Audit
+        run: ~/.venv/bin/c2cciutils-audit --branch=${{ matrix.branch }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.TOKEN }}
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
@@ -1,59 +1,45 @@
 name: Changelog Generator
 
 on:
+  schedule:
+    - cron: '0 0 * * 1'
   push:
-    branches:
-      - test
     tags:
-      - '*'
+      - '*.*.*'
 
 jobs:
   changelog:
     name: Changelog Generator
-    runs-on: ubuntu-20.04
-    timeout-minutes: 10
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
 
     steps:
-      - uses: actions/checkout@v3
-
-      - run: echo "${HOME}/.local/bin" >> ${GITHUB_PATH}
-      - run: python3 -m pip install --user --requirement=ci/requirements.txt
+      - name: Create release
+        run: |
+          if [[ ${{ env.GITHUB_REF_NAME }} =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            gh release create ${{ env.GITHUB_REF_NAME }}
+          fi
+        if: env.GITHUB_REF_TYPE == 'tag'
 
       - name: Get Date
         id: get-date
         run: |
-          echo "::set-output name=date::$(/bin/date -u "+%Y%m%d%H%M%S")"
+          echo "date=$(/bin/date -u "+%Y%m%d%H%M%S")" >> $GITHUB_OUTPUT
       - uses: actions/cache@v3
         with:
-          path: |
-            .github/changelog-generator-cache
-          key: changelog-${{ steps.get-date.outputs.date }}
+          path: .cache
+          key: automation-${{ steps.get-date.outputs.date }}
           restore-keys: |
-            changelog-
+            automation-
 
-      - name: Get config
-        id: config
-        run: echo ::set-output name=config::$(python -c 'print(__import__("json").dumps(__import__("yaml").load(open(".github/changelog-config.yaml"), Loader=__import__("yaml").SafeLoader)))')
+      - run: docker pull aeonphp/automation
       - name: Generate changelog
-        id: changelog
-        uses: heinrichreimer/[email protected]
-        with:
-          token: ${{ secrets.TOKEN }}
-          configureSections: ${{ steps.config.outputs.config }}
-          cacheFile: .github/changelog-generator-cache
-          unreleased: false
-
-      - run: c2cciutils-checks --fix --check=prettier
-      - id: status
-        run: echo ::set-output name=status::$(git status --short)
-      - run: |
-          git add CHANGELOG.md
-          git config --global user.email "[email protected]"
-          git config --global user.name "CI"
-          git commit -m "Update the changelog"
-          git checkout -b changelog-update
-          git push origin changelog-update -f
-          gh pr create --base=master --fill --label=chore || true
+        run: >
+          docker run --env=AEON_AUTOMATION_GH_TOKEN --rm --volume=$(pwd)/.cache:/cache aeonphp/automation
+          changelog:generate:all
+          ${{ github.repository }}
+          --github-release-update
+          --cache-path=/cache
+          -v
         env:
-          GITHUB_TOKEN: ${{ secrets.TOKEN }}
-        if: steps.status.outputs.status != ''
+          AEON_AUTOMATION_GH_TOKEN: ${{ secrets.TOKEN }}
@@ -0,0 +1,23 @@
+name: Delete old workflow runs
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+
+env:
+  HAS_SECRETS: ${{ secrets.HAS_SECRETS }}
+
+jobs:
+  build:
+    runs-on: ubuntu-20.04
+    timeout-minutes: 25
+    name: Delete old workflow runs
+
+    steps:
+      - name: Delete old workflow runs
+        uses: MajorScruffy/[email protected]
+        with:
+          repository: ${{ github.repository }}
+          older-than-seconds: 43200000 # 500 days
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -32,14 +32,23 @@ jobs:
       - run: echo "${HOME}/.local/bin" >> ${GITHUB_PATH}
       - run: python3 -m pip install --user --requirement=ci/requirements.txt
 
+      - uses: actions/cache@v3
+        with:
+          path: ~/.cache/pre-commit
+          key: pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
+          restore-keys: "pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}\npre-commit-"
+      - run: pre-commit run --all-files
       - name: Checks
         run: c2cciutils-checks
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
       - name: GitHub event
         run: echo ${GITHUB_EVENT} | python3 -m json.tool
         env:
           GITHUB_EVENT: ${{ toJson(github) }}
 
-        # the if the generated files are up to date
+          # the if the generated files are up to date
       - run: make jsonschema
       - run: git diff --quiet
       - run: git diff
@@ -87,10 +96,16 @@ jobs:
       - name: Publish
         run: c2cciutils-publish
         if: env.HAS_SECRETS == 'HAS_SECRETS'
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.TOKEN_NEW }}
 
       - run: make build-all
 
       - name: Publish Docker all
         run: |
           c2cciutils-publish --group=docker-all
         if: env.HAS_SECRETS == 'HAS_SECRETS'
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.TOKEN_NEW }}
@@ -26,3 +26,4 @@ jobs:
         run: c2cciutils-pull-request-checks
         env:
           GITHUB_EVENT: ${{ toJson(github) }}
+          GITHUB_TOKEN: ${{ secrets.TOKEN }}
@@ -29,6 +29,8 @@ jobs:
 
       - name: Checks
         run: c2cciutils-checks
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 
         # the if the generated files are up to date
       - run: make jsonschema
@@ -74,10 +76,16 @@ jobs:
 
       - name: Publish
         run: c2cciutils-publish --group=docker --type=rebuild --branch=${{ matrix.branch }}
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.TOKEN_NEW }}
 
       - run: make build-all
 
       - name: Publish Docker all
         run: |
           c2cciutils-publish --group=docker-all
         if: env.HAS_SECRETS == 'HAS_SECRETS'
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.TOKEN_NEW }}
@@ -1,12 +1,57 @@
-ci:
-  skip:
-    - copyright
-
 repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+      - id: detect-private-key
+      - id: check-merge-conflict
+      - id: check-ast
+      - id: debug-statements
+      - id: check-toml
+      - id: check-yaml
+      - id: check-json
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: mixed-line-ending
   - repo: https://github.com/sbrunner/pre-commit-copyright
     rev: 0.2.3
     hooks:
       - id: copyright
+  - repo: https://github.com/codespell-project/codespell
+    rev: v2.2.2
+    hooks:
+      - id: codespell
+        exclude: ^(.*/)?poetry\.lock$
+  - repo: https://github.com/pre-commit/mirrors-prettier
+    rev: v2.7.1
+    hooks:
+      - id: prettier
+        additional_dependencies:
+          - [email protected] # npm
+          - [email protected] # npm
+          - [email protected] # npm
+          - '@prettier/[email protected]' # npm
+  - repo: https://github.com/shellcheck-py/shellcheck-py
+    rev: v0.9.0.2
+    hooks:
+      - id: shellcheck
+  - repo: https://github.com/jumanjihouse/pre-commit-hooks
+    rev: 3.0.0
+    hooks:
+      - id: git-check
+  - repo: https://github.com/python-jsonschema/check-jsonschema
+    rev: 0.21.0
+    hooks:
+      - id: check-github-workflows
+      - id: check-renovate
+        additional_dependencies:
+          - pyjson5==1.6.2 # pypi
+  - repo: https://github.com/sirwart/ripsecrets
+    rev: v0.1.5
+    hooks:
+      - id: ripsecrets
+        exclude: "(^\
+          thepaperlessproject-paperless-webserver.json\
+          |thepaperlessproject-paperless-consumer.json)"
   - repo: https://github.com/psf/black
     rev: 23.1.0
     hooks:
@@ -15,3 +60,20 @@ repos:
     rev: 5.12.0
     hooks:
       - id: isort
+  - repo: https://github.com/PyCQA/autoflake
+    rev: v2.0.1
+    hooks:
+      - id: autoflake
+  - repo: https://github.com/asottile/pyupgrade
+    rev: v3.3.1
+    hooks:
+      - id: pyupgrade
+        args:
+          - --py38-plus
+  - repo: https://github.com/PyCQA/prospector
+    rev: v1.8.4
+    hooks:
+      - id: prospector
+        args:
+          - --tool=pydocstyle
+          - --die-on-tool-error
@@ -0,0 +1,14 @@
+{
+  "scanSettings": {
+    "baseBranches": []
+  },
+  "checkRunSettings": {
+    "vulnerableCheckRunConclusionLevel": "failure",
+    "displayMode": "diff",
+    "useMendCheckNames": true
+  },
+  "issueSettings": {
+    "minSeverityLevel": "LOW",
+    "issueType": "DEPENDENCY"
+  }
+}