diff --git a/.github/renovate.json b/.github/renovate.json index fea3b9f..f164eaf 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -7,5 +7,6 @@ ], "git-submodules": { "enabled": true - } + }, + "rebaseWhen": "behind-base-branch" } diff --git a/.github/workflows/mkdocs-deploy.yml b/.github/workflows/mkdocs-deploy.yml index 2154627..c746613 100644 --- a/.github/workflows/mkdocs-deploy.yml +++ b/.github/workflows/mkdocs-deploy.yml @@ -6,10 +6,10 @@ on: workflow_dispatch: permissions: - contents: write + contents: read jobs: - deploy: + build: runs-on: ubuntu-latest steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 @@ -25,5 +25,24 @@ jobs: - name: Build the site with MkDocs run: uv run mkdocs build --strict + - name: Upload static files as artifact + uses: actions/upload-pages-artifact@v4 + with: + path: ./site + + deploy: + needs: build + runs-on: ubuntu-latest + + permissions: + pages: write + id-token: write + + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + + steps: - name: Deploy to GitHub Pages - run: uv run mkdocs gh-deploy --force + id: deployment + uses: actions/deploy-pages@v4 diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml index 5bbd3fd..608340e 100644 --- a/.github/workflows/pr-build.yml +++ b/.github/workflows/pr-build.yml @@ -1,17 +1,18 @@ name: Build the site with MkDocs -permissions: - contents: read - on: pull_request: branches: [ main ] +permissions: + contents: read + jobs: deploy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - name: Checkout + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: fetch-depth: 1 diff --git a/.github/workflows/update-from-submodule.yml b/.github/workflows/update-from-submodule.yml index c2e4202..65afaac 100644 --- a/.github/workflows/update-from-submodule.yml +++ b/.github/workflows/update-from-submodule.yml 
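Review bot: In `.github/workflows/mkdocs-deploy.yml` the two actions added in the second hunk, `actions/upload-pages-artifact@v4` and `actions/deploy-pages@v4`, are referenced by a movable tag, while `actions/checkout` in the same file is pinned to a full commit SHA with the version in a trailing comment. The new `deploy` job runs with `pages: write` and `id-token: write`, so it is the job where a retagged action would matter most. Pin both the same way, e.g. `uses: actions/deploy-pages@<full-commit-sha> # v4`, taking the SHA from the upstream release. Renovate, which this repository already configures, can then propose updates to the pins.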
@@ -1,22 +1,23 @@ name: Update From Submodule on: - pull_request_target: + pull_request: types: [opened, synchronize] - branches: - - main + branches: [ main ] workflow_dispatch: permissions: contents: write jobs: - update-files: - if: github.actor == 'renovate[bot]' && startsWith(github.event.pull_request.head.ref, 'renovate/submodules-') + update-from-submodule: + if: > + github.actor == 'renovate[bot]' && + startsWith(github.event.pull_request.head.ref, 'renovate/submodules-') + runs-on: ubuntu-latest - steps: - - name: Checkout pull request branch with submodules + - name: Checkout PR branch with submodules uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: # Checkout the repository at the merge commit @@ -24,13 +25,20 @@ jobs: fetch-depth: 0 submodules: true - - name: Validate PR source branch + - name: Validate PR source repository and branch + shell: bash run: | - if [[ ${{ github.event.pull_request.head.repo.full_name }} != '${{ github.repository }}' ]]; then - echo "Untrusted repository detected! Exiting."; - exit 1; + if [[ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then + echo "Untrusted repository detected! Exiting..." + exit 1 fi + - name: Configure git identity + shell: bash + run: | + git config --global user.name "renovate[bot]" + git config --global user.email "29139614+renovate[bot]@users.noreply.github.com" + - name: Import GPG key uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6 with: @@ -53,8 +61,9 @@ jobs: run: bash update-changelog.bash - name: Commit and push changes + shell: bash run: | git add . git commit -m "Update files based on submodule changes" - git pull --rebase origin ${{ github.event.pull_request.head.ref }} - git push origin HEAD:${{ github.event.pull_request.head.ref }} + git pull --rebase origin "${{ github.event.pull_request.head.ref }}" + git push origin HEAD:"${{ github.event.pull_request.head.ref }}"
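Review bot: In `.github/workflows/update-from-submodule.yml` the same-repository test is still a shell step that runs after the checkout with submodules, while the job-level `if:` rewritten in this hunk only looks at the actor and the branch prefix. Adding `github.event.pull_request.head.repo.full_name == github.repository &&` to that `if:` would skip fork pull requests before any step runs, and the later shell check could stay as a second guard. Moving from `pull_request_target` to `pull_request` should already withhold secrets and a write token from fork runs, so this is defence in depth for a job that holds `contents: write` and imports a signing key. Separately, the `workflow_dispatch` trigger kept as context looks unable to satisfy this condition, since a manual run carries no `pull_request` payload.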
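Review bot: The `run:` script of the "Validate PR source repository and branch" step still has `${{ github.event.pull_request.head.repo.full_name }}` pasted into it. The double quotes added here do not change that, because the expression is substituted into the script text before bash parses it. The "Commit and push changes" step in the last hunk of this file does the same with `${{ github.event.pull_request.head.ref }}`, a branch name chosen by whoever opened the pull request. Passing both values through `env:` and reading them as shell variables keeps them as data; the job `if:` and the same-repository check narrow who can reach these steps but do not remove the pattern. The steps between the two lie partly outside the hunks and are left as they are.

```yaml
      - name: Validate PR source repository and branch
        shell: bash
        env:
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
        run: |
          if [[ "$HEAD_REPO" != "$GITHUB_REPOSITORY" ]]; then
            # … unchanged: echo and exit 1 …
          fi

      # … unchanged: git identity, GPG key import, update steps …

      - name: Commit and push changes
        shell: bash
        env:
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          # … unchanged: git add and git commit …
          git pull --rebase origin "$HEAD_REF"
          git push origin "HEAD:$HEAD_REF"
```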