chore: add zizmor #2497
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Pull Request Validation | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| types: | |
| # title changes | |
| - edited | |
| # milestone changes | |
| - milestoned | |
| - demilestoned | |
| # label changes for “no milestone” | |
| - labeled | |
| - unlabeled | |
| # initial check | |
| - opened | |
| - edited | |
| - reopened | |
| # code change (e.g. this workflow) | |
| - synchronize | |
| env: | |
| LABELS: ${{ join(github.event.pull_request.labels.*.name, '|') }} | |
| jobs: | |
| # This job verifies that the milestone is present or not necessary | |
| # and determines if “check-relnotes” needs to be run. | |
| check-milestone: | |
| permissions: | |
| pull-requests: read | |
| name: "Triage: Check PR title, milestone, and labels" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check if a milestone is necessary and exists | |
| uses: flying-sheep/check@6162e3da6b50abdfe00c3233e6f0ce2d1bdcf69c # v1.0.4 | |
| with: | |
| success: ${{ github.event.pull_request.user.login == 'pre-commit-ci[bot]' || github.event.pull_request.milestone != null || contains(env.LABELS, 'no milestone') }} | |
| - name: Check if release notes are necessary | |
| uses: kaisugi/action-regex-match@d67cd689755dc47c5362609e0a6e2e1c93fa721b # v1.0.2 | |
| id: checked-relnotes | |
| with: | |
| text: ${{ github.event.pull_request.body }} | |
| regex: '^\s*- \[x\].*Release note not necessary because:\s*(.*)$' | |
| flags: m | |
| - name: Check if PR title is valid | |
| id: check-title | |
| uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1 | |
| env: # Needs repo options: “Squash and merge” with commit message set to “PR title” | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| outputs: | |
| no-relnotes-reason: ${{ steps.checked-relnotes.outputs.group1 }} | |
| type: ${{ steps.check-title.outputs.type }} | |
| # This job verifies that the relevant release notes file has been modified. | |
| check-relnotes: | |
| permissions: | |
| pull-requests: read | |
| name: Check for release notes | |
| runs-on: ubuntu-latest | |
| needs: check-milestone | |
| if: github.event.pull_request.user.login != 'pre-commit-ci[bot]' && needs.check-milestone.outputs.no-relnotes-reason == '' && !contains(fromJSON('["style","refactor","test","build","ci"]'), needs.check-milestone.outputs.type) | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: { filter: "blob:none", fetch-depth: 0, persist-credentials: false } | |
| - name: Find out if a relevant release fragment is added | |
| uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3.0.3 | |
| id: changes | |
| with: | |
| filters: | # this is intentionally a string | |
| relnotes: 'docs/release-notes/${{ github.event.pull_request.number }}.${{ (contains(github.event.pull_request.title, '!') && 'breaking') || needs.check-milestone.outputs.type }}.md' | |
| - name: Check if a relevant release fragment is added | |
| uses: flying-sheep/check@6162e3da6b50abdfe00c3233e6f0ce2d1bdcf69c # v1.0.4 | |
| with: | |
| success: ${{ steps.changes.outputs.relnotes }} |