diff --git a/.github/actions/gh_matrix_test.yml b/.github/actions/gh_matrix_test.yml
new file mode 100644
index 0000000000..ceedec2660
--- /dev/null
+++ b/.github/actions/gh_matrix_test.yml
@@ -0,0 +1,57 @@
+name: CI Test
+description: "Run tests on multiple Python versions and configurations when a PR is approved."
+runs:
+ using: "composite"
+ strategy:
+ fail-fast: false
+ matrix:
+ py-version:
+ - '3.10'
+ - 3.11
+ - 3.12
+ mpi: [ 'openmpi' ]
+ install-options: [ '.', '.[hdf5,netcdf,pandas,zarr]' ]
+ pytorch-version:
+ - 'numpy==1.26 torch==2.1.2 torchvision==0.16.2 torchaudio==2.1.2'
+ - 'numpy==1.26 torch==2.2.2 torchvision==0.17.2 torchaudio==2.2.2'
+ - 'torch==2.3.1 torchvision==0.18.1 torchaudio==2.3.1'
+ - 'torch==2.4.1 torchvision==0.19.1 torchaudio==2.4.1'
+ - 'torch==2.5.1 torchvision==0.20.1 torchaudio==2.5.1'
+ - 'torch==2.6.0 torchvision==0.21.0 torchaudio==2.6.0'
+ - 'torch==2.7.0 torchvision==0.22.0 torchaudio==2.7.0'
+ exclude:
+ - py-version: '3.12'
+ pytorch-version: 'numpy==1.26 torch==2.1.2 torchvision==0.16.2 torchaudio==2.1.2'
+ - py-version: '3.12'
+ pytorch-version: 'numpy==1.26 torch==2.2.2 torchvision==0.17.2 torchaudio==2.2.2'
+ - py-version: '3.9'
+ install-options: '.[hdf5,netcdf,pandas,zarr]'
+ - py-version: '3.10'
+ install-options: '.[hdf5,netcdf,pandas,zarr]'
+
+
+ name: Python ${{ matrix.py-version }} with ${{ matrix.pytorch-version }} and ${{ matrix.mpi }}; options ${{ matrix.install-options }}
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
+ - name: Checkout
+ uses: actions/checkout@v4.2.2
+ - name: Setup MPI
+ uses: mpi4py/setup-mpi@v1.2.0
+ with:
+ mpi: ${{ matrix.mpi }}
+ - name: Use Python ${{ matrix.py-version }}
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+ with:
+ python-version: ${{ matrix.py-version }}
+ architecture: x64
+ - name: Test
+ run: |
+ pip install pytest
+ pip install ${{ matrix.pytorch-version }} --extra-index-url https://download.pytorch.org/whl/cpu
+ pip install ${{ matrix.install-options }}
+ mpirun -n 3 pytest heat/
+ mpirun -n 4 pytest heat/
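Review bot: The `- name: Test` step's `run:` has no `shell:` key, which every `run` step of a composite action (`runs: using: composite`) must declare; add `shell: bash` to it, and to the curl steps in trigger_codebase_benchmarks.yml and trigger_codebase_tests.yml. The `strategy`/`matrix` block and the `name:` line sit under `runs:`, but a composite action's `runs:` accepts only `using` and `steps` — those are job-level workflow keys — and no workflow in this diff references this action, so the test matrix appears to run nowhere after the change. In `py-version`, `3.11` and `3.12` are unquoted numbers while `'3.10'` and the `exclude` entries are strings, so the `py-version: '3.12'` exclusions may not match; write `- '3.11'` and `- '3.12'`, and note that the `'3.9'` exclusion names a version that is not in the matrix. `actions/checkout@v4.2.2` and `mpi4py/setup-mpi@v1.2.0` are pinned to mutable tags while every other action in this diff is pinned to a commit SHA with a version comment; pin these the same way.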
diff --git a/.github/actions/trigger_codebase_benchmarks.yml b/.github/actions/trigger_codebase_benchmarks.yml
new file mode 100644
index 0000000000..4d10ef04cf
--- /dev/null
+++ b/.github/actions/trigger_codebase_benchmarks.yml
@@ -0,0 +1,47 @@
+name: Trigger Codebase Benchmarks
+description: "Trigger benchmarks on Codebase for performance testing and analysis."
+inputs:
+ branch:
+ description: "The branch to trigger benchmarks on. Defaults to 'main'."
+ required: false
+ default: "main"
+ sha:
+ description: "The commit SHA to trigger benchmarks on. Defaults to the current commit."
+ required: false
+ default: "${{ github.sha }}"
+ pr_number:
+ description: "The pull request number to trigger benchmarks on. Defaults to the current PR number."
+ required: false
+ default: ""
+ author:
+ description: "The author of the benchmarks. Defaults to the PR assignee or 'heat_team'."
+ required: false
+ default: "${{ github.event.pull_request.assignee.login || 'heat_team' }}"
+runs:
+ using: "composite"
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: Trigger benchmarks
+ env:
+ AUTHOR: ${{ inputs.auth }}
+ BRANCH: ${{ inputs.branch }}
+ PIPE_TRIGGER_TOKEN: ${{ secrets.BENCH_PIPE_TRIGGER }}
+ SHA: ${{ inputs.sha }}
+ PR_NUMBER: ${{ inputs.pr_number }}
+ run: |
+ SHORT_SHA=$(git rev-parse --short $SHA)
+ curl -s -X POST \
+ --fail-with-body \
+ -F "token=$PIPE_TRIGGER_TOKEN" \
+ -F "ref=main" \
+ -F "variables[SHA]=$SHA" \
+ -F "variables[SHORT_SHA]=${SHORT_SHA}" \
+ -F "variables[BRANCH]=$BRANCH" \
+ -F "variables[PR]=$PR_NUMBER" \
+ -F "variables[AUTHOR]=${AUTHOR}" \
+ https://codebase.helmholtz.cloud/api/v4/projects/7930/trigger/pipeline
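Review bot: `AUTHOR: ${{ inputs.auth }}` names an input that is not declared — the input is `author` — so `variables[AUTHOR]` is always posted empty and the `heat_team` fallback in the input's default never reaches the pipeline; change it to `AUTHOR: ${{ inputs.author }}`. `PIPE_TRIGGER_TOKEN: ${{ secrets.BENCH_PIPE_TRIGGER }}` does not work inside a composite action either, because the `secrets` context is not available there; declare the token as a `required: true` input and have the calling workflows pass it (`token: ${{ secrets.BENCH_PIPE_TRIGGER }}` under `with:`), and do the same for `secrets.CB_PIPELINE` in trigger_codebase_tests.yml. The `run:` step also lacks the `shell:` key that composite `run` steps require.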
diff --git a/.github/actions/trigger_codebase_tests.yml b/.github/actions/trigger_codebase_tests.yml
new file mode 100644
index 0000000000..79a9309380
--- /dev/null
+++ b/.github/actions/trigger_codebase_tests.yml
@@ -0,0 +1,37 @@
+name: Trigger Codebase Tests
+description: "Trigger tests on Codebase for performance testing and analysis."
+inputs:
+ branch:
+ description: "The branch to trigger tests on. Defaults to 'main'."
+ required: false
+ default: "main"
+ sha:
+ description: "The commit SHA to trigger tests on. Defaults to the current commit."
+ required: false
+ default: "${{ github.sha }}"
+ pr_number:
+ description: "The pull request number to trigger tests on. Defaults to the current PR number."
+ required: false
+ default: ""
+runs:
+ using: "composite"
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: Trigger tests for PR
+ if : ${{ inputs.pr_number == '' }}
+ env:
+ PIPE_TRIGGER_TOKEN: ${{ secrets.CB_PIPELINE }}
+ BRANCH: ${{ inputs.branch }}
+ PR_NUMBER: ${{ inputs.pr_number }}
+ run: |
+ curl -s -X POST \
+ --fail-with-body \
+ -F "token=$PIPE_TRIGGER_TOKEN" \
+ -F "ref=main" \
+ -F "variables[GHBRANCH]=$BRANCH" \
+ https://codebase.helmholtz.cloud/api/v4/projects/7930/trigger/pipeline
diff --git a/.github/workflows/increment_version.sh b/.github/scripts/increment_version.sh
similarity index 100%
rename from .github/workflows/increment_version.sh
rename to .github/scripts/increment_version.sh
diff --git a/.github/workflows/bench_trigger.yml b/.github/workflows/bench_trigger.yml
deleted file mode 100644
index b5f30dc186..0000000000
--- a/.github/workflows/bench_trigger.yml
+++ /dev/null
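Review bot: `if : ${{ inputs.pr_number == '' }}` on the "Trigger tests for PR" step runs it only when no PR number was given, which looks inverted relative to the step's name; `if: ${{ inputs.pr_number != '' }}` (also dropping the space before the colon, which yamllint's `colons` rule rejects) would match the intent. `PR_NUMBER` is set in `env` but never sent — only `variables[GHBRANCH]` is posted — so either add `-F "variables[PR]=$PR_NUMBER" \` to the curl call or drop the variable. As in the benchmarks action, `secrets.CB_PIPELINE` is not reachable from a composite action and the `run:` step has no `shell:`. Nothing in this diff calls this action, and its description, "for performance testing and analysis", is copied from the benchmarks action.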
@@ -1,59 +0,0 @@ -name: Trigger benchmarks -on: - push: - branches: - - main - pull_request: - types: [synchronize] - -jobs: - trigger-benchmark: - name: Trigger Benchmarks - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 - with: - egress-policy: audit - - - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Trigger benchmarks (PR) - id: setup_pr - if: contains(github.event.pull_request.labels.*.name, 'benchmark PR') - env: - AUTHOR: ${{ github.event.pull_request.assignee.login }} - BRANCH: ${{ github.head_ref }} - PIPE_TRIGGER_TOKEN: ${{ secrets.BENCH_PIPE_TRIGGER }} - SHA: ${{ github.event.pull_request.head.sha }} - PR_NUMBER: ${{ github.event.pull_request.number }} - run: | - SHORT_SHA=$(git rev-parse --short $SHA) - curl -s -X POST \ - --fail-with-body \ - -F "token=$PIPE_TRIGGER_TOKEN" \ - -F "ref=main" \ - -F "variables[SHA]=$SHA" \ - -F "variables[SHORT_SHA]=${SHORT_SHA}" \ - -F "variables[BRANCH]=$BRANCH" \ - -F "variables[PR]=$PR_NUMBER" \ - -F "variables[AUTHOR]=${AUTHOR:-heat_team}" \ - https://codebase.helmholtz.cloud/api/v4/projects/7930/trigger/pipeline - - name: Trigger benchmarks (Push main) - id: setup_push - if: ${{ github.event_name == 'push' }} - env: - AUTHOR: ${{ github.event.pull_request.assignee.login }} - PIPE_TRIGGER_TOKEN: ${{ secrets.BENCH_PIPE_TRIGGER }} - SHA: ${{ github.sha }} - run: | - SHORT_SHA=$(git rev-parse --short $GITHUB_SHA) - curl -s -X POST \ - --fail-with-body \ - -F "token=$PIPE_TRIGGER_TOKEN" \ - -F "ref=main" \ - -F "variables[SHA]=$SHA" \ - -F "variables[SHORT_SHA]=${SHORT_SHA}" \ - -F "variables[BRANCH]=main" \ - -F "variables[AUTHOR]=${AUTHOR:-heat_team}" \ - https://codebase.helmholtz.cloud/api/v4/projects/7930/trigger/pipeline diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 7af6662720..0000000000 
--- a/.github/workflows/codeql.yml +++ /dev/null 
@@ -1,78 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL" - -on: - push: - branches: ["main"] - pull_request: - # The branches below must be a subset of the branches above - branches: ["main"] - schedule: - - cron: "0 0 * * 1" - -permissions: - contents: read - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: ["python"] - # CodeQL supports [ $supported-codeql-languages ] - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 - with: - egress-policy: audit - - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 
- # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19 - - # â„šī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19 - with: - category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml deleted file mode 100644 index b3f620bdc1..0000000000 --- a/.github/workflows/dependency-review.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Dependency Review Action -# -# This Action will scan dependency manifest files that change as part of a Pull Request, -# surfacing known-vulnerable versions of the packages declared or updated in the PR. -# Once installed, if the workflow run is marked as required, -# PRs introducing known-vulnerable packages will be blocked from merging. -# -# Source repository: https://github.com/actions/dependency-review-action -name: 'Dependency Review' -on: [pull_request] - -permissions: - contents: read - -jobs: - dependency-review: - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 - with: - egress-policy: audit - - - name: 'Checkout Repository' - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: 'Dependency Review' - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1 diff --git a/.github/workflows/inactivity.yml b/.github/workflows/inactivity.yml deleted file mode 100644 index 18e0df971e..0000000000 --- a/.github/workflows/inactivity.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -name: Close inactive issues -on: - schedule: - - cron: "30 1 * * 1" - -permissions: - contents: read - -jobs: - close-issues: - runs-on: ubuntu-latest - permissions: - issues: write - pull-requests: write - steps: - - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 - with: - egress-policy: audit - - - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0 - with: - days-before-issue-stale: 60 - days-before-issue-close: 60 - stale-issue-label: "stale" - stale-issue-message: "This issue is stale because it has been open for 60 days with no activity." - close-issue-message: "This issue was closed because it has been inactive for 60 days since being marked as stale." - days-before-pr-stale: 60 - days-before-pr-close: 60 - stale-pr-label: "stale" - stale-pr-message: "This pull request is stale because it has been open for 60 days with no activity." - close-pr-message: "This pull request was closed because it has been inactive for 60 days since being marked as stale." - repo-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/markdown-links-check.yml b/.github/workflows/markdown-links-check.yml deleted file mode 100644 index 5cf1c55828..0000000000 --- a/.github/workflows/markdown-links-check.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -name: Markdown Links Check -# runs every monday at 9 am -on: - schedule: - - cron: "0 9 * * 1" - -permissions: - contents: read - -jobs: - check-links: - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 - with: - egress-policy: audit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # master - - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1 - # checks all markdown files from root but ignores subfolders - # By Removing the max-depth variable we can modify it -> to check all the .md files in the entire repo. - with: - use-quiet-mode: 'yes' - # Specifying yes to show only errors in the output - use-verbose-mode: 'yes' - # Specifying yes to show detailed HTTP status for checked links. - max-depth: 0 diff --git a/.github/workflows/backport.yml b/.github/workflows/pr_close.yml similarity index 84% rename from .github/workflows/backport.yml rename to .github/workflows/pr_close.yml index b5b8aaa7f8..ccc5b2c716 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/pr_close.yml @@ -1,4 +1,4 @@ -name: Backport merged pull request +name: On PR Close on: pull_request_target: types: [closed] @@ -9,7 +9,6 @@ jobs: backport: name: Backport pull request runs-on: ubuntu-latest - # Don't run on closed unmerged pull requests if: github.event.pull_request.merged steps: - uses: actions/checkout@v4.2.2 diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/pr_open.yml similarity index 93% rename from .github/workflows/release-drafter.yml rename to .github/workflows/pr_open.yml index 8de202c002..aee8508340 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/pr_open.yml 
@@ -1,10 +1,9 @@ -name: Release Drafter - +name: On PR Open on: pull_request: types: [opened, reopened] jobs: - update_release_draft: + update_release_drafter: permissions: contents: write # for release-drafter/release-drafter to create a github release pull-requests: write # for release-drafter/release-drafter to add label to PR
diff --git a/.github/workflows/pr_update.yml b/.github/workflows/pr_update.yml
new file mode 100644
index 0000000000..003281a292
--- /dev/null
+++ b/.github/workflows/pr_update.yml
@@ -0,0 +1,30 @@
+name: On PR Update
+on: [pull_request]
+permissions:
+ contents: write # so it can comment
+ pull-requests: write # so it can create pull requests
+jobs:
+ trigger-benchmarks:
+ name: Trigger Benchmarks
+ runs-on: ubuntu-latest
+ steps:
+ - uses: ./.github/actions/trigger_codebase_benchmarks.yml
+ if: contains(github.event.pull_request.labels.*.name, 'benchmark PR')
+ with:
+ branch: ${{ github.heat_ref }}
+ sha: ${{ github.event.pull_request.head.sha }}
+ author: ${{ github.event.pull_request.assignee.login || 'heat_team' }}
+ pr_number: ${{ github.event.pull_request.number }}
+
+ dependency-review:
+ name: Dependency Review
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+ - name: 'Checkout Repository'
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
diff --git a/.github/workflows/push_main.yml b/.github/workflows/push_main.yml
new file mode 100644
index 0000000000..6ac075db99
--- /dev/null
+++ b/.github/workflows/push_main.yml
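Review bot: `branch: ${{ github.heat_ref }}` is a typo for `github.head_ref`, so the benchmark pipeline is always triggered with an empty BRANCH. `uses: ./.github/actions/trigger_codebase_benchmarks.yml` points at a file, but a local action reference must name a directory containing an `action.yml`, and the repository must already be checked out in the job before a `./` action can be used — the `trigger-benchmarks` job has no `actions/checkout` step; push_main.yml has the same two problems. The workflow-level `contents: write` and `pull-requests: write` apply to both jobs although no step here comments or opens pull requests (commenting would need `pull-requests: write`, not `contents: write`), and the dependency-review job previously ran under `contents: read`; keep the workflow default at `contents: read` and put any write grant on the job that needs it. The `trigger-benchmarks` job also omits the `step-security/harden-runner` step that every other job in this diff starts with.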
@@ -0,0 +1,15 @@
+name: On push to main
+on:
+ push:
+ branches:
+ - main
+jobs:
+ trigger-benchmarks:
+ name: Trigger Benchmarks
+ runs-on: ubuntu-latest
+ steps:
+ - uses: ./.github/actions/trigger_codebase_benchmarks.yml
+ with:
+ branch: "main"
+ sha: ${{ github.sha}}
+ author: ${{ 'heat_team'}}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
deleted file mode 100644
index dbe5e05092..0000000000
--- a/.github/workflows/scorecard.yml
+++ /dev/null
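Review bot: The workflow declares no `permissions:`, so the job runs with the repository's default token permissions although its only step needs nothing beyond reading the checkout; add a top-level `permissions:` block with `contents: read`. As in pr_update.yml, `./.github/actions/trigger_codebase_benchmarks.yml` must point at a directory with an `action.yml` and be preceded by an `actions/checkout` step, and the job lacks the `harden-runner` step used elsewhere in this diff. `author: ${{ 'heat_team'}}` wraps a literal in an expression; `author: "heat_team"` says the same, and `${{ github.sha}}` should be written `${{ github.sha }}` like the other expressions in this diff.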
@@ -1,77 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. They are provided -# by a third-party and are governed by separate terms of service, privacy -# policy, and support documentation. - -name: Scorecard supply-chain security -on: - # For Branch-Protection check. Only the default branch is supported. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection - branch_protection_rule: - # To guarantee Maintained check is occasionally updated. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained - schedule: - - cron: '37 10 * * 5' - push: - branches: [ "main" ] - -# Declare default permissions as read only. -permissions: read-all - -jobs: - analysis: - name: Scorecard analysis - runs-on: ubuntu-latest - permissions: - # Needed to upload the results to code-scanning dashboard. - security-events: write - # Needed to publish results and get a badge (see publish_results below). - id-token: write - # Uncomment the permissions below if installing in a private repository. - # contents: read - # actions: read - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 - with: - egress-policy: audit - - - name: "Checkout code" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - - - name: "Run analysis" - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 - with: - results_file: results.sarif - results_format: sarif - # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: - # - you want to enable the Branch-Protection check on a *public* repository, or - # - you are installing Scorecard on a *private* repository - # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. 
- # repo_token: ${{ secrets.SCORECARD_TOKEN }} - - # Public repositories: - # - Publish results to OpenSSF REST API for easy access by consumers - # - Allows the repository to include the Scorecard badge. - # - See https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories: - # - `publish_results` will always be set to `false`, regardless - # of the value entered here. - publish_results: true - - # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF - # format to the repository Actions tab. - - name: "Upload artifact" - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - with: - name: SARIF file - path: results.sarif - retention-days: 5 - - # Upload the results to GitHub's code scanning dashboard. - - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19 - with: - sarif_file: results.sarif diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml new file mode 100644 index 0000000000..ba49c2b297 --- /dev/null +++ b/.github/workflows/weekly.yml 
@@ -0,0 +1,121 @@
+name: Weekly Workflow
+
+on:
+ schedule:
+ - cron: '0 6 * * 1' # Runs at 06:00 UTC every Monday
+ workflow_dispatch:
+
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+ pull-requests: write
+jobs:
+ codeql:
+ name: CodeQL Analysis
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+ with:
+ languages: python
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+ with:
+ category: "/language:python"
+ scorecard:
+ name: Code Quality Scorecard
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
+ - name: "Checkout code"
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecard on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+ with:
+ sarif_file: results.sarif
+ check-links:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # master
+ - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1
+ # checks all markdown files from root but ignores subfolders
+ # By Removing the max-depth variable we can modify it -> to check all the .md files in the entire repo.
+ with:
+ use-quiet-mode: 'yes'
+ # Specifying yes to show only errors in the output
+ use-verbose-mode: 'yes'
+ # Specifying yes to show detailed HTTP status for checked links.
+ max-depth: 0
+
+ inactivity:
+ name: Inactivity Management
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+ with:
+ days-before-issue-stale: 60
+ days-before-issue-close: 60
+ stale-issue-label: "stale"
+ stale-issue-message: "This issue is stale because it has been open for 60 days with no activity."
+ close-issue-message: "This issue was closed because it has been inactive for 60 days since being marked as stale."
+ days-before-pr-stale: 60
+ days-before-pr-close: 60
+ stale-pr-label: "stale"
+ stale-pr-message: "This pull request is stale because it has been open for 60 days with no activity."
+ close-pr-message: "This pull request was closed because it has been inactive for 60 days since being marked as stale."
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
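Review bot: The workflow-level `permissions` block drops two job-level grants the replaced workflows relied on: `inactivity` (`actions/stale`) needs `issues: write` to label and close issues, and `scorecard` needs `id-token: write` for `publish_results: true` — the deleted inactivity.yml and scorecard.yml declared those on their jobs. At the same time `security-events: write` and `pull-requests: write` now also apply to `check-links`, which needs neither; a per-job `permissions:` block holding only what each job uses (`contents: read` plus the specific write) keeps the workflow at least privilege. CodeQL now runs only on the Monday schedule and `workflow_dispatch`, whereas the deleted codeql.yml also ran on pushes and pull requests to main, so a change can be merged and sit up to a week before it is scanned; if that is intended, a comment at `on:` saying so would help. The `# master` comment on the `actions/checkout` SHA in `check-links` should read `# v4.2.2`, matching the same SHA elsewhere in this file.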