Skip to content

Commit 6cb6b76

Browse files
committed
ci: adopt org reusable workflows, drop intra-org SHA pin
- ci.yml: fold the code-quality + coverage jobs into the org-standard php-ci.yml reusable (PHPStan + PHP-CS-Fixer + PHPUnit-with-coverage + Codecov). Removes the per-repo codecov-action reference that Renovate kept bumping (#81, #82). The bespoke 'tests' job stays inline because the reusable matrices on PHP version only and cannot express this plugin's Symfony x Composer x prefer-lowest matrix or its network-test env. - auto-merge-deps.yml: replace the inlined copy with the reusable auto-merge-deps.yml caller (matches the rest of the org). - release.yml: drop the SHA pin on the intra-org reusable (release-composer-package.yml@<sha> -> @main). Intra-org reusable refs must track @main, not a pinned digest (stops Renovate #80). Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
1 parent 2a37721 commit 6cb6b76

3 files changed

Lines changed: 33 additions & 142 deletions

File tree

Lines changed: 6 additions & 66 deletions
Original file line numberDiff line numberDiff line change
@@ -1,73 +1,13 @@
1-
# Auto-merge dependency updates for repositories WITHOUT branch protection
2-
# Uses direct merge since --auto flag requires branch protection
31
name: Auto-merge dependency PRs
42

53
on:
6-
pull_request_target:
7-
types: [opened, synchronize, reopened]
4+
pull_request:
85

9-
permissions:
10-
contents: write
11-
pull-requests: write
6+
permissions: {}
127

138
jobs:
149
auto-merge:
15-
name: Auto-merge dependency PRs
16-
runs-on: ubuntu-latest
17-
# Use PR author login instead of github.actor to handle synchronize events
18-
# when someone else pushes to the dependabot/renovate branch
19-
if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'renovate[bot]'
20-
21-
steps:
22-
- name: Harden Runner
23-
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
24-
with:
25-
egress-policy: audit
26-
27-
- name: Dependabot metadata
28-
id: metadata
29-
if: github.event.pull_request.user.login == 'dependabot[bot]'
30-
uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
31-
with:
32-
github-token: "${{ secrets.GITHUB_TOKEN }}"
33-
34-
- name: Auto-approve PR
35-
run: gh pr review --approve "$PR_URL"
36-
env:
37-
PR_URL: ${{ github.event.pull_request.html_url }}
38-
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
39-
40-
- name: Wait for CI checks
41-
run: |
42-
echo "Waiting for CI checks to complete..."
43-
for i in {1..60}; do
44-
CHECKS=$(gh pr checks "$PR_URL" --json name,state \
45-
--jq '[.[] | select(.name != "Auto-merge dependency PRs")]')
46-
47-
FAILED=$(echo "$CHECKS" | jq '[.[] | select(.state == "FAILURE" or .state == "ERROR")] | length')
48-
PENDING=$(echo "$CHECKS" | jq '[.[] | select(.state == "PENDING" or .state == "QUEUED" or .state == "IN_PROGRESS")] | length')
49-
50-
if [ "$FAILED" != "0" ]; then
51-
echo "Some checks failed, skipping merge"
52-
exit 1
53-
fi
54-
55-
if [ "$PENDING" = "0" ]; then
56-
echo "All checks passed!"
57-
exit 0
58-
fi
59-
60-
echo "Waiting for $PENDING check(s)... (attempt $i/60)"
61-
sleep 10
62-
done
63-
echo "Timeout waiting for checks"
64-
exit 1
65-
env:
66-
PR_URL: ${{ github.event.pull_request.html_url }}
67-
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
68-
69-
- name: Merge PR
70-
run: gh pr merge --merge "$PR_URL"
71-
env:
72-
PR_URL: ${{ github.event.pull_request.html_url }}
73-
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
10+
uses: netresearch/.github/.github/workflows/auto-merge-deps.yml@main
11+
permissions:
12+
contents: write
13+
pull-requests: write

.github/workflows/ci.yml

Lines changed: 26 additions & 75 deletions
Original file line numberDiff line numberDiff line change
@@ -84,78 +84,29 @@ jobs:
8484
composer config --global --unset github-oauth.github.com 2>/dev/null || true
8585
vendor/bin/phpunit --testdox
8686
87-
code-quality:
88-
name: Code Quality
89-
runs-on: ubuntu-latest
90-
91-
steps:
92-
- name: Checkout code
93-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
94-
95-
- name: Setup PHP
96-
uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
97-
with:
98-
php-version: '8.4'
99-
extensions: mbstring, xml, ctype, iconv
100-
tools: php-cs-fixer
101-
coverage: none
102-
103-
- name: Get Composer cache directory
104-
id: composer-cache
105-
run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
106-
107-
- name: Cache Composer packages
108-
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
109-
with:
110-
path: ${{ steps.composer-cache.outputs.dir }}
111-
key: ${{ runner.os }}-php-8.4-composer-${{ hashFiles('**/composer.json') }}
112-
restore-keys: |
113-
${{ runner.os }}-php-8.4-composer-
114-
115-
- name: Install dependencies
116-
run: composer install --prefer-dist --no-progress
117-
118-
- name: Run PHPStan
119-
run: vendor/bin/phpstan analyse --error-format=github
120-
121-
- name: Run PHP-CS-Fixer (dry run)
122-
run: php-cs-fixer fix --dry-run --diff --allow-risky=yes
123-
124-
coverage:
125-
name: Code Coverage
126-
runs-on: ubuntu-latest
127-
128-
steps:
129-
- name: Checkout code
130-
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
131-
132-
- name: Setup PHP
133-
uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2
134-
with:
135-
php-version: '8.4'
136-
extensions: mbstring, xml, ctype, iconv
137-
coverage: xdebug
138-
139-
- name: Get Composer cache directory
140-
id: composer-cache
141-
run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
142-
143-
- name: Cache Composer packages
144-
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
145-
with:
146-
path: ${{ steps.composer-cache.outputs.dir }}
147-
key: ${{ runner.os }}-php-8.4-composer-${{ hashFiles('**/composer.json') }}
148-
restore-keys: |
149-
${{ runner.os }}-php-8.4-composer-
150-
151-
- name: Install dependencies
152-
run: composer install --prefer-dist --no-progress
153-
154-
- name: Run tests with coverage
155-
run: vendor/bin/phpunit --coverage-text --coverage-clover=coverage.xml
156-
157-
- name: Upload coverage to Codecov
158-
uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6
159-
with:
160-
files: ./coverage.xml
161-
fail_ci_if_error: false
87+
# PHPStan + PHP-CS-Fixer + PHPUnit-with-coverage + Codecov upload, via
88+
# the org-standard reusable. The bespoke `tests` job above stays inline
89+
# because the reusable matrices on PHP version only and cannot express
90+
# this plugin's Symfony x Composer x prefer-lowest matrix or its
91+
# network-test env. Folding these checks into the reusable removes the
92+
# per-repo codecov-action reference that Renovate kept bumping.
93+
checks:
94+
name: Checks
95+
uses: netresearch/.github/.github/workflows/php-ci.yml@main
96+
permissions:
97+
contents: read
98+
with:
99+
php-versions: '["8.4"]'
100+
extensions: "mbstring, xml, ctype, iconv"
101+
extra-tools: "php-cs-fixer"
102+
coverage: "xdebug"
103+
run-phpstan: true
104+
phpstan-cmd: "vendor/bin/phpstan analyse --error-format=github"
105+
run-cs-fixer: true
106+
cs-fixer-cmd: "php-cs-fixer fix --dry-run --diff --allow-risky=yes"
107+
run-phpunit: true
108+
phpunit-cmd: "vendor/bin/phpunit --coverage-clover=coverage.xml"
109+
upload-coverage-codecov: true
110+
coverage-php-version: "8.4"
111+
secrets:
112+
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/release.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ permissions: {}
2323

2424
jobs:
2525
release:
26-
uses: netresearch/.github/.github/workflows/release-composer-package.yml@444271f57885b6a0aa7844dfdb08c78229e8f2f1 # main
26+
uses: netresearch/.github/.github/workflows/release-composer-package.yml@main
2727
permissions:
2828
contents: write
2929
with:

0 commit comments

Comments
 (0)