diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000000..f75a96b205 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,5 @@ +blank_issues_enabled: true +contact_links: + - name: Phenotype org + url: https://github.com/KooshaPari + about: Other Phenotype-ecosystem repos and discussions diff --git a/.github/workflows/alert-sync-issues.yml b/.github/workflows/alert-sync-issues.yml index 44bd116915..0eec3fd458 100644 --- a/.github/workflows/alert-sync-issues.yml +++ b/.github/workflows/alert-sync-issues.yml @@ -1,16 +1,19 @@ name: Alert sync issues on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] schedule: - cron: '17 * * * *' workflow_dispatch: - permissions: contents: read issues: write jobs: sync: - uses: KooshaPari/phenoShared/.github/workflows/alert-sync-issues.yml@main + uses: KooshaPari/phenoShared/.github/workflows/alert-sync-issues.yml@438e2e71e448c9f1f47f184d3ca4acbb28928677 with: auto-label: auto-alert-sync min_severity: high diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml index cf6961ebad..175fbeed5c 100644 --- a/.github/workflows/auto-merge.yml +++ b/.github/workflows/auto-merge.yml @@ -1,8 +1,11 @@ name: Auto Merge Gate on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: contents: read pull-requests: write 
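Review bot: The `push:`/`pull_request:` block added to alert-sync-issues turns a scheduled alert-to-issue sync into something that runs on every push and pull request against the listed branches while holding `issues: write`; pull requests from forks normally get a read-only token, so those runs will fail rather than sync, and same-repo PRs will create or update issues for in-progress work. The hourly `schedule:` already drives the sync, so either drop the new triggers here or gate the job with `if: github.event_name != 'pull_request'`. The same trigger block is added in this commit to auto-merge, ci-rerun-flaky, codeql, coderabbit-rate-limit-retry, docker-image, docs, generate-sdks, lint-test, pages-deploy, policy-gate, pr-path-guard and pr-test-build; the ones with publishing side effects need an event-name guard most — docker-image should use `push: ${{ github.event_name != 'pull_request' }}` on its build-push steps instead of `push: true`, generate-sdks opens pull requests with `contents: write` from every event, and pages-deploy deploys to the `github-pages` environment.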
@@ -12,12 +15,13 @@ jobs: if: | (github.event_name != 'pull_request_review') || (github.event.review.state == 'APPROVED') - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Enable auto-merge for labeled PRs if: | contains(github.event.pull_request.labels.*.name, 'automerge') && !contains(github.event.pull_request.labels.*.name, 'do-not-merge') - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3with: + peter-evans/enable-pull-request-automerge@2b17150d25bd548fc41a48d3c6891cc520a07ff0 # v3 + with: github-token: ${{ secrets.GITHUB_TOKEN }} merge-method: squash diff --git a/.github/workflows/ci-rerun-flaky.yml b/.github/workflows/ci-rerun-flaky.yml index ed785ac7b8..e41506a4ad 100644 --- a/.github/workflows/ci-rerun-flaky.yml +++ b/.github/workflows/ci-rerun-flaky.yml @@ -1,8 +1,11 @@ name: ci-rerun-flaky on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: actions: write contents: read @@ -12,10 +15,11 @@ jobs: rerun-failed-jobs: name: rerun-failed-jobs if: github.event.label.name == 'ci:rerun-flaky' - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Rerun failed CI jobs and remove rerun label - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7with: + actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v7 + with: script: | const label = 'ci:rerun-flaky'; const { owner, repo } = context.repo; diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b50ef95b39..cdc2669073 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,4 +1,8 @@ name: CI +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + on: push: 
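Review bot: The `uses:` key is dropped on the new side of the Enable auto-merge step: `+ peter-evans/enable-pull-request-automerge@2b17150d25bd548fc41a48d3c6891cc520a07ff0 # v3` is now a bare scalar inside the step mapping, which YAML cannot place after `if: |` and the workflow parser will reject. The line should read `uses: peter-evans/enable-pull-request-automerge@2b17150d25bd548fc41a48d3c6891cc520a07ff0 # v3` at the same indent as `name:`; the move from `@v3`-style refs to commit SHAs is the right direction and only the key went missing. The same omission appears on every action reference this commit re-pins: ci-rerun-flaky, ci.yml (where the checkout step is additionally split so that `name: Refresh models catalog` and `- run: |` no longer belong to one step), codeql, coderabbit-rate-limit-retry, all three docker-image jobs, docs, generate-sdks, journey-gate, lint-test, pages-deploy, policy-gate, pr-path-guard and every job in pr-test-build, so a single pass restoring `uses:` is needed before any of these workflows load.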
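Review bot: The triggers added to ci-rerun-flaky (push, pull_request with default activity types, workflow_dispatch) never populate `github.event.label`, so the `rerun-failed-jobs` job's `if: github.event.label.name == 'ci:rerun-flaky'` remains false on every run and the job stays inert after this change. If label-driven reruns are the intent, the trigger needs `pull_request:` with `types: [labeled]` alongside the `branches:` filter. auto-merge has the same shape: its job condition reads `github.event.review.state`, but `pull_request_review` is not among the events this hunk enables.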
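Review bot: `cancel-in-progress: true` keyed on `${{ github.workflow }}-${{ github.ref }}` in ci.yml also cancels an in-flight run on `main` whenever a second push lands, so a commit on the default branch can end up with no completed CI result; the usual form is `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`, which de-duplicates PR runs while letting branch builds finish. The same concurrency block is added to journey-gate and policy-gate in this commit and the same adjustment applies there.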
@@ -11,25 +15,28 @@ permissions: jobs: test: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 strategy: matrix: go-version: ['1.21', '1.22'] steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Refresh models catalog - run: | + - actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + name: Refresh models catalog + - run: | git fetch --depth 1 https://github.com/router-for-me/models.git main mkdir -p pkg/llmproxy/registry/models git show FETCH_HEAD:models.json > pkg/llmproxy/registry/models/models.json - name: Setup Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + actions/setup-go@78961f6f84d799cd858575bb931c3e51d3b13290 # v5 + with: go-version: ${{ matrix.go-version }} - name: Cache Go modules - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4with: + actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 + with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | @@ -45,10 +52,11 @@ jobs: run: go test ./... -v -race -coverprofile=coverage.out - name: Upload coverage - uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3with: + codecov/codecov-action@ca0a928a4cb3911011e868128a5cd90437c12db1 # v3 + with: files: ./coverage.out phenotype-validate: - runs-on: ubuntu-latest - uses: KooshaPari/phenotypeActions/.github/workflows/validate-governance.yml@main + runs-on: ubuntu-24.04 + uses: KooshaPari/phenotypeActions/.github/workflows/validate-governance.yml@48772d7560c964fff01a209742429f24283e96cf diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 64704c9d27..963825c590 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,8 +1,11 @@ name: codeql on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: actions: read contents: read 
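Review bot: `runs-on: ubuntu-24.04` is kept on the `phenotype-validate` job, which calls a reusable workflow through `uses:`; a job that invokes a reusable workflow cannot declare `runs-on` (the called workflow's jobs choose their runners), so the job stays invalid after the runner change. Drop the `runs-on:` line and keep only `uses: KooshaPari/phenotypeActions/.github/workflows/validate-governance.yml@48772d7560c964fff01a209742429f24283e96cf`. The conflict predates this commit, but this hunk rewrites both lines and is the place to resolve it.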
@@ -12,28 +15,31 @@ jobs: analyze: name: Analyze (Go) if: ${{ !startsWith(github.head_ref, 'ci/fix-migrated-router-20260225060000-feature_ampcode-alias') }} - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 strategy: fail-fast: false matrix: language: [go] steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Initialize CodeQL - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with: + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + name: Initialize CodeQL + github/codeql-action/init@115001ba8d0198846992657731666b08686c8ded # v4 + with: languages: ${{ matrix.language }} config-file: .github/codeql/codeql-config.yml - name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + actions/setup-go@78961f6f84d799cd858575bb931c3e51d3b13290 # v5 + with: go-version-file: go.mod cache: true - name: Build run: go build ./... - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4analyze-skip-for-migrated-router-fix: + github/codeql-action/analyze@115001ba8d0198846992657731666b08686c8ded # v4analyze-skip-for-migrated-router-fix: name: Analyze (Go) if: ${{ startsWith(github.head_ref, 'ci/fix-migrated-router-20260225060000-feature_ampcode-alias') }} - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Skip CodeQL build for migrated router compatibility branch run: echo "Skipping CodeQL build for migrated router compatibility branch." diff --git a/.github/workflows/coderabbit-rate-limit-retry.yml b/.github/workflows/coderabbit-rate-limit-retry.yml index 376840ff6e..bcde5321a2 100644 --- a/.github/workflows/coderabbit-rate-limit-retry.yml +++ b/.github/workflows/coderabbit-rate-limit-retry.yml 
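Review bot: Now that codeql runs on `pull_request`, the `analyze-skip-for-migrated-router-fix` job reports under the same `name: Analyze (Go)` as the real scan but only echoes a message, so any branch matching the `ci/fix-migrated-router-20260225060000-feature_ampcode-alias` prefix satisfies a required "Analyze (Go)" check with no CodeQL analysis behind it. Before this commit the workflow only ran on `workflow_dispatch`, so the skip job was effectively inert; with the new triggers it becomes a standing bypass of the scan for that branch prefix. Either remove the skip job or give it a distinct check name, e.g. `name: Analyze (Go) — skipped`, so branch protection cannot be satisfied by it.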
@@ -1,8 +1,11 @@ name: coderabbit-rate-limit-retry on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: checks: write contents: read @@ -12,10 +15,11 @@ permissions: jobs: retrigger: name: retrigger-coderabbit-on-rate-limit - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Re-request CodeRabbit when backlog is high and check is stale - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7with: + actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v7 + with: script: | const owner = context.repo.owner; const repo = context.repo.repo; @@ -166,7 +170,7 @@ jobs: status: "completed", conclusion: pass ? "success" : "failure", output: { - title: pass ? "CodeRabbit gate passed" : "CodeRabbit gate blocked", + title: "pass ? "CodeRabbit gate passed" : "CodeRabbit gate blocked"," summary, }, }); diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 4e118ad0dc..f6359a7920 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -1,8 +1,11 @@ name: docker-image on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - env: APP_NAME: CLIProxyAPI DOCKERHUB_REPO: ${{ secrets.DOCKERHUB_USERNAME }}/cli-proxy-api-plus 
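Review bot: The rewritten `title:` line inside the `script: |` block passed to actions/github-script is no longer valid JavaScript: `title: "pass ? "CodeRabbit gate passed" : "CodeRabbit gate blocked","` opens a string literal at `"pass ? "` and then runs into a bare identifier, so the whole script fails to parse and the check run is never created. The removed line, `title: pass ? "CodeRabbit gate passed" : "CodeRabbit gate blocked",`, was correct and should be restored. This looks like a YAML quoting pass that treated a line inside a block scalar as a YAML value; every line under `script: |` is program text and must not be touched by such a pass.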
@@ -12,16 +15,19 @@ permissions: jobs: docker_amd64: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Refresh models catalog + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Refresh models catalog run: | git fetch --depth 1 https://github.com/router-for-me/models.git main git show FETCH_HEAD:models.json > internal/registry/models/models.json - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3- name: Login to DockerHub - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3with: + docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 + - name: Login to DockerHub + docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Generate Build Metadata @@ -30,7 +36,8 @@ jobs: echo COMMIT=`git rev-parse --short HEAD` >> $GITHUB_ENV echo BUILD_DATE=`date -u +%Y-%m-%dT%H:%M:%SZ` >> $GITHUB_ENV - name: Build and push (amd64) - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6with: + docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 + with: context: . platforms: linux/amd64 push: true 
@@ -46,13 +53,16 @@ jobs: runs-on: ubuntu-24.04-arm steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Refresh models catalog + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Refresh models catalog run: | git fetch --depth 1 https://github.com/router-for-me/models.git main git show FETCH_HEAD:models.json > internal/registry/models/models.json - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3- name: Login to DockerHub - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3with: + docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 + - name: Login to DockerHub + docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Generate Build Metadata @@ -61,7 +71,8 @@ jobs: echo COMMIT=`git rev-parse --short HEAD` >> $GITHUB_ENV echo BUILD_DATE=`date -u +%Y-%m-%dT%H:%M:%SZ` >> $GITHUB_ENV - name: Build and push (arm64) - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6with: + docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 + with: context: . platforms: linux/arm64 push: true 
@@ -74,15 +85,18 @@ jobs: ${{ env.DOCKERHUB_REPO }}:${{ env.VERSION }}-arm64 docker_manifest: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 needs: - docker_amd64 - docker_arm64 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3- name: Login to DockerHub - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3with: + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Set up Docker Buildx + docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 + - name: Login to DockerHub + docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Generate Build Metadata @@ -102,7 +116,7 @@ jobs: "${DOCKERHUB_REPO}:${VERSION}-arm64" - name: Cleanup temporary tags continue-on-error: true - env: + - env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} run: | diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index b05492eccf..1f210e1fa1 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -1,6 +1,10 @@ name: VitePress Pages on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: concurrency: 
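Review bot: Turning the `env:` key of the Cleanup temporary tags step into a list item (`- env:`) splits one step into two: the first keeps `name:` and `continue-on-error: true` but has no `run:`/`uses:` and is rejected by the workflow parser, while the second holds `env:` with `DOCKERHUB_TOKEN` and the `run:` but loses `continue-on-error`. Restore `env:` at the same indent as `continue-on-error:`. The same key-to-list-item change is made to `run: |` in journey-gate (Discover manifests, where the `id: discover` that later steps read is stranded), pr-path-guard (Fail when restricted paths change, whose `if:` guard is stranded so the check no longer runs conditionally) and pr-test-build (both Stop proxy steps, losing `if: always()`), and to `env:` in journey-gate's Live verification step, where the detached `if: inputs.live_verification && ...` means the step that receives `ANTHROPIC_API_KEY` is no longer gated at all.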
@@ -16,17 +20,21 @@ jobs: build: name: Build Docs if: ${{ github.ref_name != 'chore/branding-slug-cleanup-20260303-clean' }} - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4with: + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + + - name: Setup Node + actions/setup-node@0355742c943ddb13ca8a6b700f824231caa91e75 # v4 + with: node-version: "20" cache: "npm" cache-dependency-path: docs/package.json - name: Setup Bun - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2with: + oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 + with: bun-version: latest - name: Install OXC dependencies @@ -36,7 +44,7 @@ jobs: run: bun run lint - name: Check docs TS/JS formatting with OXC - run: bun run format:check + run: "bun run format:check" - name: Install dependencies working-directory: docs @@ -44,19 +52,20 @@ jobs: - name: Build docs working-directory: docs - run: npm run docs:build + run: "npm run docs:build" - name: Verify built docs run: test -f docs/.vitepress/dist/index.html - name: Upload pages artifact - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3with: + actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v3 + with: path: docs/.vitepress/dist/ build-skip-branch-ci-unblock: name: Build Docs if: ${{ github.ref_name == 'chore/branding-slug-cleanup-20260303-clean' }} - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Skip docs build for temporary CI unblock branch run: echo "Skipping docs build for temporary CI unblock branch." 
@@ -65,12 +74,14 @@ jobs: name: Deploy Pages needs: build if: github.ref == 'refs/heads/main' - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} steps: - name: Configure Pages - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5- name: Deploy + actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v5 + + - name: Deploy id: deployment - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 \ No newline at end of file + actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v4 diff --git a/.github/workflows/generate-sdks.yaml b/.github/workflows/generate-sdks.yaml index af9012880c..a15c7616b9 100644 --- a/.github/workflows/generate-sdks.yaml +++ b/.github/workflows/generate-sdks.yaml @@ -1,8 +1,11 @@ name: Generate SDKs on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: contents: write pull-requests: write @@ -11,8 +14,10 @@ jobs: generate-python-sdk: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Setup Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5with: + - actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Setup Python + actions/setup-python@c8813ba1bc76ebf779b911ad8ffccbf2e449cb48 # v5 + with: python-version: '3.14' - name: Install OpenAPI Generator @@ -29,7 +34,8 @@ jobs: --additional-properties=pythonVersion==3.12,generateSourceCodeOnly=true - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6with: + peter-evans/create-pull-request@aa523f9db61947bd5e06efd77870ef065eae32cc # v6 + with: commit-message: 'chore: generate Python SDK' title: 'chore: generate Python SDK' body: | 
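Review bot: `runs-on: ubuntu-latest` is left unchanged in both `generate-python-sdk` and `generate-typescript-sdk` while every other job in this commit is moved to `ubuntu-24.04`, so the runner pinning is incomplete; change both to `runs-on: ubuntu-24.04` for consistency. Separately, this workflow now runs on every push and pull request with `contents: write` and `pull-requests: write` and ends in `peter-evans/create-pull-request`, so each event on the listed branches will attempt to open a chore PR; the generation jobs need `if: github.event_name == 'workflow_dispatch'` or an equivalent guard unless that is intended.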
@@ -40,8 +46,10 @@ jobs: generate-typescript-sdk: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4with: + - actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Setup Node + actions/setup-node@0355742c943ddb13ca8a6b700f824231caa91e75 # v4 + with: node-version: '20' - name: Install OpenAPI Generator @@ -57,7 +65,8 @@ jobs: --additional-properties=typescriptVersion=5.0,npmName=@cliproxy/api - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6with: + peter-evans/create-pull-request@aa523f9db61947bd5e06efd77870ef065eae32cc # v6 + with: commit-message: 'chore: generate TypeScript SDK' title: 'chore: generate TypeScript SDK' body: | diff --git a/.github/workflows/journey-gate.yml b/.github/workflows/journey-gate.yml index c26f5838da..7841d91bfe 100644 --- a/.github/workflows/journey-gate.yml +++ b/.github/workflows/journey-gate.yml @@ -1,4 +1,7 @@ # ============================================================================= +permissions: + contents: read + pull-requests: read # Journey Gate — Reusable Workflow # ============================================================================= # Canonical source: phenotype-infra/docs/governance/ci-journey-gate.yml @@ -19,6 +22,10 @@ # ============================================================================= name: Journey Gate +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + on: push: 
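Review bot: The new `permissions:` block in journey-gate is inserted between the first two lines of the banner comment, so the file now opens `# ====`, `permissions:`, `  contents: read`, `  pull-requests: read`, `# Journey Gate — Reusable Workflow`; it parses, but the header is visibly broken and the key sits before `name:`. Move the three lines below the comment block, next to `name: Journey Gate`. If the file already declares a top-level `permissions:` further down (not visible in this hunk), the new block duplicates it and most parsers silently keep the last one — worth checking before merge.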
@@ -50,12 +57,12 @@ env: jobs: journey-gate: name: Journey Verification - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 timeout-minutes: 15 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # --------------------------------------------------------------------- # 1. Install runtime dependencies @@ -101,7 +108,7 @@ jobs: # --------------------------------------------------------------------- - name: Discover manifests id: discover - run: | + - run: | GLOB="${MANIFEST_PATH:-**/manifest.verified.json}" echo "Glob pattern: $GLOB" @@ -187,7 +194,7 @@ jobs: # --------------------------------------------------------------------- - name: Live verification if: inputs.live_verification && github.event.inputs.live_verification != 'false' - env: + - env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} MANIFEST_LIST: ${{ steps.discover.outputs.MANIFEST_LIST }} run: | @@ -233,7 +240,7 @@ jobs: # -------------------------------------------------------------------------- stub-mode: name: Journey Gate — No Manifests Found - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 needs: journey-gate if: needs.journey-gate.result == 'failure' && needs.journey-gate.outputs.MANIFEST_COUNT == '0' steps: diff --git a/.github/workflows/lint-test.yml b/.github/workflows/lint-test.yml index 27f8d9f68f..3c93067d41 100644 --- a/.github/workflows/lint-test.yml +++ b/.github/workflows/lint-test.yml 
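Review bot: `actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231` in the journey-gate Checkout step carries no version comment, so the pin can no longer be audited against a release at a glance; the same bare pin appears in lint-test and pages-deploy, and the new `arduino/setup-task@696ff8f0a858f16a3c205ee53d273290513aad95` in pr-test-build (five occurrences) has none either, whereas the value it replaces was a 404 JSON body from an earlier failed pinning run. Add the tag comment once the SHA has been confirmed against the upstream release, e.g. `uses: actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4`. For the pins that keep an existing `# vN` comment with a new SHA, the comment is only as trustworthy as that confirmation — I cannot verify from the diff that each new SHA resolves to the tag named next to it.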
@@ -1,15 +1,20 @@ name: Lint & Test on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: contents: read jobs: lint-test: name: lint-test - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- uses: KooshaPari/phenotypeActions/actions/lint-test@main + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 + + - uses: KooshaPari/phenotypeActions/actions/lint-test@48772d7560c964fff01a209742429f24283e96cf diff --git a/.github/workflows/pages-deploy.yml b/.github/workflows/pages-deploy.yml index b1f69e17ea..0ff0c3d5e2 100644 --- a/.github/workflows/pages-deploy.yml +++ b/.github/workflows/pages-deploy.yml @@ -1,5 +1,9 @@ name: pages-deploy on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: permissions: contents: read @@ -10,9 +14,12 @@ jobs: environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4- uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3with: - path: '.' + - actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 + - actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d + - actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 + with: + path: . - id: deployment - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 \ No newline at end of file + actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v4 diff --git a/.github/workflows/policy-gate.yml b/.github/workflows/policy-gate.yml index fe8fc69368..9b7428a69c 100644 
--- a/.github/workflows/policy-gate.yml +++ b/.github/workflows/policy-gate.yml @@ -1,11 +1,21 @@ name: policy-gate -on: [workflow_dispatch] +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] + workflow_dispatch: permissions: contents: read jobs: enforce: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Enforce engineering policies + - actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Enforce engineering policies run: ./scripts/policy-gate.sh diff --git a/.github/workflows/pr-path-guard.yml b/.github/workflows/pr-path-guard.yml index 4da1648f16..b793e808d6 100644 --- a/.github/workflows/pr-path-guard.yml +++ b/.github/workflows/pr-path-guard.yml 
@@ -1,26 +1,31 @@ name: translator-path-guard on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: contents: read jobs: ensure-no-translator-changes: name: ensure-no-translator-changes - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + - actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + with: fetch-depth: 0 - name: Detect pkg/llmproxy/translator changes id: changed-files - uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45with: + tj-actions/changed-files@934b2d2c7e653bb8c968afed5a0428617f09aa24 # v45 + with: files: | pkg/llmproxy/translator/** - name: Fail when restricted paths change if: steps.changed-files.outputs.any_changed == 'true' && !(startsWith(github.head_ref, 'feature/koosh-migrate') || startsWith(github.head_ref, 'feature/migrate-') || startsWith(github.head_ref, 'migrated/') || startsWith(github.head_ref, 'ci/fix-feature-koosh-migrate') || startsWith(github.head_ref, 'ci/fix-feature-migrate-') || startsWith(github.head_ref, 'ci/fix-migrated/') || startsWith(github.head_ref, 'ci/fix-feat-')) - run: | + - run: | # Filter out whitelisted translator files (formatting-only and hotfix paths) disallowed_files="$(printf '%s\n' \ $(printf '%s' '${{ steps.changed-files.outputs.all_changed_files }}' | tr ',' '\n') \ diff --git a/.github/workflows/pr-test-build.yml b/.github/workflows/pr-test-build.yml index 12c512a895..6819ea5030 100644 --- a/.github/workflows/pr-test-build.yml +++ b/.github/workflows/pr-test-build.yml @@ -1,8 +1,11 @@ name: pr-test-build on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: contents: read 
@@ -10,15 +13,17 @@ jobs: build: name: build if: ${{ !startsWith(github.head_ref, 'ci/fix-migrated-router-20260225060000-feature_ampcode-alias') }} - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Refresh models catalog + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Refresh models catalog run: | git fetch --depth 1 https://github.com/router-for-me/models.git main git show FETCH_HEAD:models.json > internal/registry/models/models.json - name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + actions/setup-go@78961f6f84d799cd858575bb931c3e51d3b13290 # v5 + with: go-version-file: go.mod cache: true - name: Build @@ -29,18 +34,20 @@ jobs: build-skip-for-migrated-router-fix: name: build if: ${{ startsWith(github.head_ref, 'ci/fix-migrated-router-20260225060000-feature_ampcode-alias') }} - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Skip build for migrated router compatibility branch run: echo "Skipping compile step for migrated router compatibility branch." go-ci: name: go-ci - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Set up Go + actions/setup-go@78961f6f84d799cd858575bb931c3e51d3b13290 # v5 + with: go-version-file: go.mod cache: true - name: Run full tests with baseline 
@@ -54,18 +61,21 @@ jobs: exit "${test_exit}" - name: Upload baseline artifact if: always() - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4with: + actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4 + with: name: go-test-baseline path: target/test-baseline.json if-no-files-found: warn quality-ci: name: quality-ci - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Set up Go + actions/setup-go@78961f6f84d799cd858575bb931c3e51d3b13290 # v5 + with: go-version-file: go.mod cache: true - name: Install golangci-lint 
@@ -79,22 +89,25 @@ jobs: go install honnef.co/go/tools/cmd/staticcheck@latest fi - name: Install Task - uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: + arduino/setup-task@696ff8f0a858f16a3c205ee53d273290513aad95 + with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Run CI quality gates env: QUALITY_DIFF_RANGE: "${{ github.event.pull_request.base.sha }}...${{ github.sha }}" ENABLE_STATICCHECK: "1" - run: task quality:ci + run: "task quality:ci" quality-staged-check: name: quality-staged-check - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Set up Go + actions/setup-go@78961f6f84d799cd858575bb931c3e51d3b13290 # v5 + with: go-version-file: go.mod cache: true - name: Install golangci-lint 
@@ -103,37 +116,43 @@ jobs: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.6 fi - name: Install Task - uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: + arduino/setup-task@696ff8f0a858f16a3c205ee53d273290513aad95 + with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Check staged/diff files in PR range env: QUALITY_DIFF_RANGE: "${{ github.event.pull_request.base.sha }}...${{ github.sha }}" - run: task quality:fmt-staged:check + run: "task quality:fmt-staged:check" fmt-check: name: fmt-check - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Set up Go + actions/setup-go@78961f6f84d799cd858575bb931c3e51d3b13290 # v5 + with: go-version-file: go.mod cache: true - name: Install Task - uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: + arduino/setup-task@696ff8f0a858f16a3c205ee53d273290513aad95 + with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Verify formatting - run: task quality:fmt:check + run: "task quality:fmt:check" golangci-lint: name: golangci-lint - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Set up Go + actions/setup-go@78961f6f84d799cd858575bb931c3e51d3b13290 # v5 + with: go-version-file: go.mod cache: true 
- name: Install golangci-lint @@ -147,11 +166,13 @@ jobs: route-lifecycle: name: route-lifecycle - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Set up Go + actions/setup-go@78961f6f84d799cd858575bb931c3e51d3b13290 # v5 + with: go-version-file: go.mod cache: true - name: Run route lifecycle tests @@ -161,7 +182,7 @@ jobs: provider-smoke-matrix: name: provider-smoke-matrix if: ${{ vars.CLIPROXY_PROVIDER_SMOKE_CASES != '' }} - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 env: CLIPROXY_PROVIDER_SMOKE_CASES: ${{ vars.CLIPROXY_PROVIDER_SMOKE_CASES }} CLIPROXY_SMOKE_EXPECT_SUCCESS: ${{ vars.CLIPROXY_SMOKE_EXPECT_SUCCESS }} @@ -169,8 +190,10 @@ jobs: CLIPROXY_BASE_URL: "http://127.0.0.1:8317" steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Set up Go + actions/setup-go@78961f6f84d799cd858575bb931c3e51d3b13290 # v5 + with: go-version-file: go.mod cache: true - name: Build cliproxy proxy @@ -187,7 +210,7 @@ jobs: ./scripts/provider-smoke-matrix.sh - name: Stop proxy if: always() - run: | + - run: | if [ -f /tmp/cliproxy-smoke.pid ]; then kill "$(cat /tmp/cliproxy-smoke.pid)" || true fi 
@@ -195,15 +218,17 @@ jobs: provider-smoke-matrix-cheapest: name: provider-smoke-matrix-cheapest - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 env: CLIPROXY_SMOKE_EXPECT_SUCCESS: "0" CLIPROXY_SMOKE_WAIT_FOR_READY: "1" CLIPROXY_BASE_URL: "http://127.0.0.1:8317" steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Set up Go + actions/setup-go@78961f6f84d799cd858575bb931c3e51d3b13290 # v5 + with: go-version-file: go.mod cache: true - name: Build cliproxy proxy @@ -217,7 +242,7 @@ jobs: run: ./scripts/provider-smoke-matrix-cheapest.sh - name: Stop proxy if: always() - run: | + - run: | if [ -f /tmp/cliproxy-smoke.pid ]; then kill "$(cat /tmp/cliproxy-smoke.pid)" || true fi 
@@ -225,31 +250,37 @@ jobs: test-smoke: name: test-smoke - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Set up Go + actions/setup-go@78961f6f84d799cd858575bb931c3e51d3b13290 # v5 + with: go-version-file: go.mod cache: true - name: Install Task - uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: + arduino/setup-task@696ff8f0a858f16a3c205ee53d273290513aad95 + with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Run startup and control-plane smoke tests - run: task test:smoke + run: "task test:smoke" pre-release-config-compat-smoke: name: pre-release-config-compat-smoke - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Set up Go + actions/setup-go@78961f6f84d799cd858575bb931c3e51d3b13290 # v5 + with: go-version-file: go.mod cache: true - name: Install Task - uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: + arduino/setup-task@696ff8f0a858f16a3c205ee53d273290513aad95 + with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Validate config compatibility path 
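Review bot: `arduino/setup-task@696ff8f0a858f16a3c205ee53d273290513aad95` in test-smoke is pinned without the version comment every other pin in this commit carries (the removed line was labelled `# v2`), so reviewers and pin-update tooling cannot tell which release the SHA corresponds to. Once the SHA is confirmed to be that tag, write `uses: arduino/setup-task@696ff8f0a858f16a3c205ee53d273290513aad95 # v2`; the same applies in pre-release-config-compat-smoke. The `uses:` key is also missing on both steps, as elsewhere in the commit.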
@@ -258,11 +289,13 @@ jobs: distributed-critical-paths: name: distributed-critical-paths - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Set up Go + actions/setup-go@78961f6f84d799cd858575bb931c3e51d3b13290 # v5 + with: go-version-file: go.mod cache: true - name: Run targeted critical-path checks @@ -270,10 +303,11 @@ jobs: changelog-scope-classifier: name: changelog-scope-classifier - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + with: fetch-depth: 0 - name: Detect change scopes run: | @@ -284,7 +318,7 @@ jobs: base_ref="origin/${{ github.base_ref }}" fi if git rev-parse --verify "${base_ref}" >/dev/null 2>&1; then - true + 'true' else git fetch origin "${{ github.base_ref }}" --depth=1 || true fi 
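Review bot: Quoting the shell builtin as `'true'` inside the `run: |` block of changelog-scope-classifier changes script text for no effect — the shell strips the quotes before command lookup, so it still runs `true`; it looks like a YAML quoting pass applied to shell code. Revert to `true`, or drop the no-op branch and invert the condition: `if ! git rev-parse --verify "${base_ref}" >/dev/null 2>&1; then`. The run block continues beyond the hunk.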
@@ -314,29 +348,32 @@ jobs: echo "scope=${scope}" >> "$GITHUB_ENV" echo "scope=${scope}" > target/changelog-scope.txt - name: Upload changelog scope artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4with: + actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4 + with: name: changelog-scope path: target/changelog-scope.txt docs-build: name: docs-build - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4with: + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Setup Node + actions/setup-node@0355742c943ddb13ca8a6b700f824231caa91e75 # v4 + with: node-version: "20" cache: "npm" cache-dependency-path: docs/package.json - name: Build docs working-directory: docs - run: | + - run: | npm install npm run docs:build ci-summary: name: ci-summary - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 needs: - quality-ci - quality-staged-check diff --git a/.github/workflows/quality-gate.yml b/.github/workflows/quality-gate.yml index 76484b963c..c668b2f8d8 100644 --- a/.github/workflows/quality-gate.yml +++ b/.github/workflows/quality-gate.yml 
@@ -1,11 +1,21 @@ name: quality-gate -on: [workflow_dispatch] +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] + workflow_dispatch: permissions: contents: read jobs: verify: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Run quality checks + - actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Run quality checks run: ./scripts/quality-gate.sh verify diff --git a/.github/workflows/release-batch.yaml b/.github/workflows/release-batch.yaml index 67b65bd463..a028ad3e6b 100644 --- a/.github/workflows/release-batch.yaml +++ b/.github/workflows/release-batch.yaml @@ -1,8 +1,11 @@ name: release-batch on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: contents: write @@ -14,12 +17,9 @@ jobs: release-batch: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4with: - fetch-depth: 0 + - actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 - run: git fetch --force --tags - - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: - go-version: ">=1.26.0" - cache: true + - actions/setup-go@78961f6f84d799cd858575bb931c3e51d3b13290 # v5 - name: Configure git run: | git config --global user.email "github-actions[bot]@users.noreply.github.com" diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index 9892c91949..2783bc12fd 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml 
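Review bot: release-batch.yaml now runs on every push to main/master/develop and on pull_request while keeping `permissions: contents: write`; the job fetches tags and configures git as the actions bot, so whatever batch-release steps follow will fire on ordinary pushes instead of only on explicit dispatch as before. The same hunk deletes `fetch-depth: 0` from the checkout, so `git fetch --force --tags` runs against a shallow clone with no history (anything downstream that relies on `git describe` or tag ancestry will misbehave), and strips `go-version` and `cache` from setup-go, leaving the step with no version input. Keep the trigger as `workflow_dispatch` (tag pushes at most), restore the step inputs and the `uses:` keys; the job body continues past the hunk.

```yaml
on:
  workflow_dispatch:
# … unchanged: permissions, job header …
      - uses: actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4
        with:
          fetch-depth: 0
      - run: git fetch --force --tags
      - uses: actions/setup-go@78961f6f84d799cd858575bb931c3e51d3b13290 # v5
        with:
          go-version: ">=1.26.0"
          cache: true
# … unchanged: Configure git and later steps …
```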
@@ -1,5 +1,9 @@ name: Release Drafter on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: permissions: contents: write @@ -7,7 +11,8 @@ permissions: jobs: update_release_draft: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - - uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6env: + - release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6 + with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 56227dede8..4aa85cc0b2 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,8 +1,11 @@ name: goreleaser on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: contents: write @@ -10,14 +13,16 @@ jobs: goreleaser: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4with: + - actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + with: fetch-depth: 0 - name: Refresh models catalog run: | git fetch --depth 1 https://github.com/router-for-me/models.git main git show FETCH_HEAD:models.json > internal/registry/models/models.json - run: git fetch --force --tags - - uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4with: + - actions/setup-go@78961f6f84d799cd858575bb931c3e51d3b13290 # v4 + with: go-version: '>=1.26.0' cache: true - name: Generate Build Metadata 
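Review bot: Moving `GITHUB_TOKEN` from `env:` to `with:` in release-drafter.yml changes how the action receives its token; release-drafter reads `GITHUB_TOKEN` from the environment, and I am not aware of a `GITHUB_TOKEN` input, so as far as I can tell the draft update will run unauthenticated and fail. Restore `env:` / `  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and the `uses:` key. The workflow also gains push and pull_request triggers with `contents: write`; fork pull requests get a read-only token, so the PR trigger will only produce failed runs and should be dropped.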
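Review bot: goreleaser now triggers on push to main/master/develop and on pull_request with `contents: write`, and the following hunk exports `VERSION=${GITHUB_REF_NAME}` and runs `release --clean --skip=validate`, so each branch push would attempt to publish a release named after the branch. Tag-only triggers are the safe shape: `push:` / `  tags: ['v*']` alongside `workflow_dispatch:`. The setup-go pin `78961f6f84d799cd858575bb931c3e51d3b13290` is commented `# v4` here but `# v5` in ci.yml and release-batch.yaml, so one comment is wrong, and this job stays on `runs-on: ubuntu-latest` while the rest of the commit moves to `ubuntu-24.04`.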
@@ -25,7 +30,8 @@ jobs: echo "VERSION=${GITHUB_REF_NAME}" >> $GITHUB_ENV echo COMMIT=`git rev-parse --short HEAD` >> $GITHUB_ENV echo BUILD_DATE=`date -u +%Y-%m-%dT%H:%M:%SZ` >> $GITHUB_ENV - - uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # v4with: + - goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # v4 + with: distribution: goreleaser version: latest args: release --clean --skip=validate @@ -34,13 +40,13 @@ jobs: VERSION: ${{ env.VERSION }} COMMIT: ${{ env.COMMIT }} BUILD_DATE: ${{ env.BUILD_DATE }} - build-termux: name: Build Termux (aarch64) runs-on: ubuntu-24.04-arm steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4with: + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + with: fetch-depth: 0 - name: Build in Termux Container run: | @@ -48,7 +54,7 @@ jobs: VERSION=$(git describe --tags --always --dirty | sed 's/^v//') COMMIT=$(git rev-parse --short HEAD) BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ) - + # Ensure the workspace is writable by the container chmod -R 777 . @@ -62,7 +68,8 @@ jobs: tar -czf cli-proxy-api-termux-aarch64.tar.gz cli-proxy-api LICENSE README.md README_CN.md config.example.yaml " - name: Upload to Release - uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2if: startsWith(github.ref, 'refs/tags/') + softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2 + if: startsWith(github.ref, 'refs/tags/') with: files: cli-proxy-api-termux-aarch64.tar.gz env: diff --git a/.github/workflows/required-check-names-guard.yml b/.github/workflows/required-check-names-guard.yml index fe56573f89..c1341c08c3 100644 --- a/.github/workflows/required-check-names-guard.yml +++ b/.github/workflows/required-check-names-guard.yml 
@@ -1,18 +1,22 @@ name: required-check-names-guard on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: contents: read jobs: verify-required-check-names: name: verify-required-check-names - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Verify required check names exist + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Verify required check names exist run: | set -euo pipefail manifest=".github/required-checks.txt" diff --git a/.github/workflows/sast-full.yml b/.github/workflows/sast-full.yml index a00e2a128d..aa179f7dbe 100644 --- a/.github/workflows/sast-full.yml +++ b/.github/workflows/sast-full.yml @@ -1,8 +1,12 @@ name: SAST Full Analysis on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] schedule: - - cron: "0 2 * * *" + - cron: '17 * * * *' workflow_dispatch: permissions: 
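Review bot: The schedule in sast-full.yml changes from nightly `"0 2 * * *"` to `'17 * * * *'`, i.e. the full CodeQL, Trivy, Semgrep and TruffleHog sweep every hour, on top of the new push and pull_request triggers; the value matches the alert-sync-issues cron and looks copied rather than intended. Keep `- cron: "0 2 * * *"` (or a weekly slot) and let push/pull_request cover freshness. The required-check-names-guard hunk on this line only needs its `uses:` key restored.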
@@ -12,39 +16,52 @@ permissions: jobs: codeql: name: CodeQL Analysis - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 timeout-minutes: 30 strategy: matrix: language: [go, javascript] steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Initialize CodeQL - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with: + - actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + with: + fetch-depth: 0 + - github/codeql-action/init@115001ba8d0198846992657731666b08686c8ded # v4 + with: languages: ${{ matrix.language }} + - github/codeql-action/analyze@115001ba8d0198846992657731666b08686c8ded # v4 + with: + category: "/lang:${{ matrix.language }}" - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4trivy-repo: + trivy-repo: name: Trivy Repository Scan - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 timeout-minutes: 15 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0with: + - actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + with: + fetch-depth: 0 + - aquasecurity/trivy-action@314ff8b43182423b84c50b1670b0e10f858f2d98 # v0.35.0 + with: scan-type: fs scan-ref: . 
format: sarif output: trivy-results.sarif - - name: Upload Trivy SARIF - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always() + - github/codeql-action/upload-sarif@115001ba8d0198846992657731666b08686c8ded # v4 + if: always() with: sarif_file: trivy-results.sarif category: trivy full-semgrep: name: Full Semgrep Analysis - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 timeout-minutes: 20 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5with: + - actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + with: + fetch-depth: 0 + - actions/setup-python@c8813ba1bc76ebf779b911ad8ffccbf2e449cb48 # v5 + with: python-version: "3.12" - name: Install Semgrep run: python -m pip install --disable-pip-version-check semgrep==1.157.0 @@ -59,21 +76,21 @@ jobs: --sarif \ --output semgrep.sarif \ . - - - name: Upload SARIF - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always() + - github/codeql-action/upload-sarif@115001ba8d0198846992657731666b08686c8ded # v4 + if: always() with: sarif_file: semgrep.sarif category: semgrep-full full-secrets: name: Full Secret Scan - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 timeout-minutes: 15 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + - actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + with: fetch-depth: 0 - - - uses: trufflesecurity/trufflehog@6bd2d14f7a4bc1e569fa3550efa7ec632a4fa67b # v3.94.2with: + - trufflesecurity/trufflehog@36f6f697079e637bccb1e05561a481d8b4016862 # v3.94.2 + with: path: ./ extra_args: --only-verified diff --git a/.github/workflows/sast-quick.yml b/.github/workflows/sast-quick.yml index 3e7df455c4..192e88dfc2 100644 --- a/.github/workflows/sast-quick.yml 
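Review bot: The codeql-action pin `115001ba8d0198846992657731666b08686c8ded` is commented `# v4` in every job here but `# v3` in the scorecard.yml hunk of this same commit; a SHA maps to one tag, so one comment is wrong and should be corrected so pin-drift tooling does not report a false downgrade. The trivy-action and trufflehog SHAs also change while their comments stay `# v0.35.0` and `# v3.94.2`; confirm each new SHA really is that tag before merging. `fetch-depth: 0` is added to the CodeQL and Trivy checkouts, where full history is not needed and only slows the matrix; it is only warranted for the secret scan, which already had it. The trivy-repo hunk continues into the next line.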
+++ b/.github/workflows/sast-quick.yml @@ -1,4 +1,8 @@ name: SAST Quick Check +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + on: pull_request: @@ -12,14 +16,16 @@ permissions: jobs: semgrep: name: Semgrep Scan - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 timeout-minutes: 15 # Tier 3: Advisory - security enrichment only continue-on-error: true steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + - actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + with: fetch-depth: 0 - - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5with: + - actions/setup-python@c8813ba1bc76ebf779b911ad8ffccbf2e449cb48 # v5 + with: python-version: "3.12" - name: Install Semgrep run: python -m pip install --disable-pip-version-check semgrep==1.157.0 
@@ -29,42 +35,48 @@ jobs: run: | semgrep scan --sarif --sarif-output=semgrep.sarif --max-target-bytes 1000000 --quiet --config=auto || true - name: Upload SARIF - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always() + github/codeql-action/upload-sarif@115001ba8d0198846992657731666b08686c8ded # v4 + if: always() with: sarif_file: semgrep.sarif # License Compliance - Tier 3: Advisory license-compliance: name: License Compliance - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 timeout-minutes: 10 # Tier 3: Advisory - security enrichment only continue-on-error: true steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Analyze licenses - uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true # Allow findings but don't fail + - actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + - name: Analyze licenses + fsfe/reuse-action@6ac5c823270d369f01e3c491c708f706f2bdc355 # v4 + continue-on-error: true # Allow findings but don't fail - name: Check for non-reusable licenses run: | # Check for problematic licenses grep -r "GPL\|AGPL" --include="*.toml" --include="*.json" . 
|| true - name: Check license compliance - uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true + fsfe/reuse-action@6ac5c823270d369f01e3c491c708f706f2bdc355 # v4 + continue-on-error: true # Secret Scanning - Tier 2: Important (runs in parallel) secrets: name: Secret Scanning - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 timeout-minutes: 5 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + - actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + with: fetch-depth: 0 - name: Run Gitleaks - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2env: + gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2 + env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: args: --verbose --redact - name: Run Trivy Secret Scanner - uses: aquasecurity/trivy-action@master + aquasecurity/trivy-action@314ff8b43182423b84c50b1670b0e10f858f2d98 # master with: scan-type: repo exit-code: 0 @@ -72,6 +84,7 @@ jobs: output: trivy-results.sarif continue-on-error: true - name: Upload Trivy results - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always() + github/codeql-action/upload-sarif@115001ba8d0198846992657731666b08686c8ded # v4 + if: always() with: sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index ccd2add8b9..9441de8f9d 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
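Review bot: `aquasecurity/trivy-action@314ff8b43182423b84c50b1670b0e10f858f2d98 # master` in the secrets job pins the SHA but labels it `master`, which tells the next reader nothing about which release is pinned; the same SHA is commented `# v0.35.0` in sast-full.yml, so use `uses: aquasecurity/trivy-action@314ff8b43182423b84c50b1670b0e10f858f2d98 # v0.35.0` here as well. Pinning this step is the right change, since the old `@master` floated; the `uses:` key is missing throughout this hunk as elsewhere in the commit.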
@@ -1,22 +1,18 @@ name: OpenSSF Scorecard + on: - branch_protection_rule: - schedule: - - cron: '17 3 * * 6' push: - branches: [main] - -permissions: - contents: read - security-events: write - actions: read + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] + branch_protection_rule: permissions: read-all jobs: analysis: name: Scorecard analysis - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: security-events: write id-token: write @@ -24,18 +20,22 @@ jobs: actions: read steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + - actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + with: persist-credentials: false - - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2with: + - ossf/scorecard-action@af76153369ae1eb1eaffc4118046b7fda9a8419e # v2.4.2 + with: results_file: results.sarif results_format: sarif publish_results: true - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4with: + - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4 + with: name: SARIF file path: results.sarif retention-days: 5 - - uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3with: + - github/codeql-action/upload-sarif@115001ba8d0198846992657731666b08686c8ded # v3 + with: sarif_file: results.sarif diff --git a/.github/workflows/security-guard-hook-audit.yml b/.github/workflows/security-guard-hook-audit.yml index 8b6cdaafee..6133449be3 100644 --- a/.github/workflows/security-guard-hook-audit.yml +++ b/.github/workflows/security-guard-hook-audit.yml 
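Review bot: scorecard.yml drops the weekly `schedule` and adds `pull_request`, but ossf/scorecard-action with `publish_results: true` is documented as supporting push to the default branch, schedule, branch_protection_rule and workflow_dispatch; as far as I recall it errors on pull_request events, so PR runs would fail, and without the cron the score only refreshes when someone pushes. Restore `schedule:` / `  - cron: '17 3 * * 6'` and drop the `pull_request` block; the top-level `permissions: read-all` with job-level `security-events: write` and `id-token: write` is the documented shape and is fine. The codeql upload-sarif pin is commented `# v3` here versus `# v4` for the same SHA in sast-full.yml.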
@@ -1,17 +1,21 @@ name: Security Guard (Hooks) on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: - permissions: contents: read jobs: guard: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with: + actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + with: fetch-depth: 0 - name: Wire Git hook path and verify guard hook diff --git a/.github/workflows/security-guard.yml b/.github/workflows/security-guard.yml index 5fbe3bd682..d7257b93dd 100644 --- a/.github/workflows/security-guard.yml +++ b/.github/workflows/security-guard.yml @@ -12,12 +12,12 @@ permissions: jobs: ggshield-scan: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: contents: read steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 + - actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 + - actions/setup-python@c8813ba1bc76ebf779b911ad8ffccbf2e449cb48 with: python-version: "3.13" - name: Install ggshield diff --git a/.github/workflows/self-merge-gate.yml b/.github/workflows/self-merge-gate.yml index 4bcc3e18f5..c6f5185b3e 100644 --- a/.github/workflows/self-merge-gate.yml +++ b/.github/workflows/self-merge-gate.yml @@ -1,11 +1,20 @@ name: self-merge-gate -on: [workflow_dispatch] +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] + workflow_dispatch: permissions: contents: read jobs: check: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 if: github.event.review.state == 'approved' steps: - name: Check self-merge eligibility 
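Review bot: self-merge-gate.yml gains push and pull_request triggers, but the job keeps `if: github.event.review.state == 'approved'`; `github.event.review` only exists on `pull_request_review` events, so every run on the new triggers evaluates to false and is skipped, producing workflow noise but no gate. Either add `pull_request_review:` / `  types: [submitted]` under `on:` (the only event for which the condition makes sense) or leave the file on `workflow_dispatch` as it was. The security-guard.yml hunk on this line only needs the `uses:` key restored.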
diff --git a/.github/workflows/tag-automation.yml b/.github/workflows/tag-automation.yml index 98cf804b23..4979f58463 100644 --- a/.github/workflows/tag-automation.yml +++ b/.github/workflows/tag-automation.yml @@ -1,12 +1,17 @@ name: Tag Automation on: + push: + branches: [main, master, develop] + pull_request: + branches: [main, master, develop] workflow_dispatch: permissions: contents: read jobs: tag: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Create release tag + - actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 # v4 + name: Create release tag run: echo "Creating release for ${{ github.ref_name }}" diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml index 2b440b2f78..c85f56a6f9 100644 --- a/.github/workflows/trufflehog.yml +++ b/.github/workflows/trufflehog.yml @@ -1,4 +1,11 @@ name: Trufflehog Secrets Scan +permissions: + contents: read + pull-requests: read +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + on: push: branches: [main] @@ -6,12 +13,15 @@ on: jobs: trufflehog: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + - uses: actions/checkout@900f2210b1d28bbbd0bd22d17926b9e224e8f231 with: fetch-depth: 0 - - uses: trufflehog/actions/setup@main + - uses: actions/setup-go@78961f6f84d799cd858575bb931c3e51d3b13290 + with: + go-version: 'stable' + - run: go install github.com/trufflehog/trufflehog/v3@latest - run: trufflehog github --only-verified --no-update env: - GH_TOKEN: \${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.gitignore b/.gitignore index 6d3485594f..453a23e484 100644 --- a/.gitignore +++ b/.gitignore 
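Review bot: `go install github.com/trufflehog/trufflehog/v3@latest` in trufflehog.yml uses the wrong module path — the project is published under the `trufflesecurity` org, as the `trufflesecurity/trufflehog@36f6f697079e637bccb1e05561a481d8b4016862` pin in sast-full.yml shows — so the install fails and the scan step never runs; the `@latest` suffix also reintroduces an unpinned dependency in a commit whose theme is SHA pinning. Prefer the same pinned action as sast-full.yml, `- uses: trufflesecurity/trufflehog@36f6f697079e637bccb1e05561a481d8b4016862 # v3.94.2` with `path: ./` and `extra_args: --only-verified`, or at minimum pin an explicit module version. The added `permissions: contents: read` block and the `GH_TOKEN` escape fix are correct.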
@@ -84,3 +84,19 @@ releasebatch .claudeignore .llmignore journey-fix/ + +# ===== Standard auto-generated hygiene ignores (do not edit manually) ===== +.env.* +!.env.example +node_modules/ +target/ +dist/ +build/ +coverage/ +.pytest_cache/ +__pycache__/ +.mypy_cache/ +.ruff_cache/ +.venv/ +venv/ +# ===== End standard hygiene ignores ===== diff --git a/docs/.vitepress/theme/index.ts b/docs/.vitepress/theme/index.ts index 031d421c3a..aed7e64a62 100644 --- a/docs/.vitepress/theme/index.ts +++ b/docs/.vitepress/theme/index.ts @@ -2,6 +2,7 @@ import DefaultTheme from "vitepress/theme"; import type { Theme } from "vitepress"; import CategorySwitcher from "./components/CategorySwitcher.vue"; import "./custom.css"; +import "./style.css"; const theme: Theme = { ...DefaultTheme, diff --git a/package.json b/package.json index a7c9b96000..cd616db167 100644 --- a/package.json +++ b/package.json @@ -11,5 +11,6 @@ "oxfmt": "^0.36.0", "oxlint": "^1.51.0", "oxlint-tsgolint": "^0.16.0" - } + }, + "packageManager": "npm@10" }
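Review bot: The new hygiene block ignores `.env.*` but not `.env` itself, so a plain `.env` holding local credentials remains committable unless an earlier line of the file, outside this hunk, already covers it; add `.env` above `.env.*` and keep `!.env.example` after both. `build/`, `dist/` and `target/` are broad: the ci.yml hunk writes `target/changelog-scope.txt` and uploads it as an artifact, which is fine, but confirm no tracked source directory in the repo uses these names before merging.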
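Review bot: `"packageManager": "npm@10"` is a major-only specifier; corepack, which consumes this field, expects an exact version (`npm@10.x.y`), and as far as I recall it rejects a bare major with an invalid-specification error at `npm install` time. Pin the exact version the project builds with, e.g. `"packageManager": "npm@<exact version>"`.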