diff --git a/.github/workflows/backend-linter.yml b/.github/workflows/backend-linter.yml
index ec6f18d4..35aae402 100644
--- a/.github/workflows/backend-linter.yml
+++ b/.github/workflows/backend-linter.yml
@@ -17,14 +17,15 @@ permissions:
 pull-requests: read
 # Optional: allow write access to checks to allow the action to annotate code in the PR.
 checks: write
+ id-token: write
 jobs:
 golangci-lint:
 name: Run Golangci-lint
- runs-on: ubuntu-latest
+ runs-on: depot-ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 - name: Set up Go
 uses: actions/setup-go@v6
diff --git a/.github/workflows/build-next.yml b/.github/workflows/build-next.yml
index 403ca5bf..ef128ddc 100644
--- a/.github/workflows/build-next.yml
+++ b/.github/workflows/build-next.yml
@@ -9,17 +9,18 @@ concurrency:
 group: build-next-image
 cancel-in-progress: true
+permissions:
+ contents: read
+ packages: write
+ id-token: write
+ attestations: write
+
 jobs:
 build-next:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- packages: write
- id-token: write
- attestations: write
+ runs-on: depot-ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 - name: Setup pnpm
 uses: pnpm/action-setup@v4
@@ -34,6 +35,9 @@ jobs:
 with:
 go-version-file: "backend/go.mod"
+ - name: Set up Depot CLI
+ uses: depot/setup-action@v1
+
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index e8ae44a6..5e2913ff 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
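Review bot: The new `id-token: write` grant carries no comment explaining what consumes the OIDC token, while the neighbouring `checks: write` line in the same block documents its purpose; since `id-token: write` lets any step in the workflow, including third-party actions, request a GitHub OIDC token that external trust policies may accept, the reason belongs next to it. It is presumably needed by the Depot runner or Depot CLI that the same commit switches to (`runs-on: depot-ubuntu-latest`), but that is inferred, not visible in the hunk. Suggest a line above it in the existing comment style, `# Required for OIDC token exchange with the Depot runners — confirm the consumer`. The same undocumented grant is added in build-next.yml, e2e-tests.yml, release.yml, svelte-check.yml, unit-tests.yml and update-aaguids.yml.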
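Review bot: `depot/setup-action@v1` is a new third-party action referenced by a floating major tag, so whatever that tag resolves to in the future runs inside a job that now holds `packages: write`, `attestations: write` and `id-token: write` at workflow level. Pinning it to a full commit SHA with the version in a trailing comment, `uses: depot/setup-action@<commit-sha>  # v1` (placeholder), fixes the supply-chain surface; the file's other actions also use floating tags, so this is a consistency choice, but the newly added step is the natural place to start. The `build-next` job that contains this step begins in the previous hunk.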
@@ -13,16 +13,17 @@ on:
 - "**.md"
 - ".github/**"
+permissions:
+ contents: read
+ actions: write
+ id-token: write
+
 jobs:
 build:
 if: github.event.pull_request.head.ref != 'i18n_crowdin'
- timeout-minutes: 20
- permissions:
- contents: read
- actions: write
- runs-on: ubuntu-latest
+ runs-on: depot-ubuntu-24.04-16
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
@@ -49,10 +50,7 @@ jobs:
 test:
 if: github.event.pull_request.head.ref != 'i18n_crowdin'
- permissions:
- contents: read
- actions: write
- runs-on: ubuntu-latest
+ runs-on: depot-ubuntu-24.04-16
 needs: build
 strategy:
 fail-fast: false
@@ -70,7 +68,7 @@ jobs:
 storage: database
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
 - name: Setup pnpm
 uses: pnpm/action-setup@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 062a5208..4c9ca81a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,17 +5,18 @@ on:
 tags:
 - "v*.*.*"
+permissions:
+ contents: write
+ packages: write
+ attestations: write
+ id-token: write
+
 jobs:
 build:
- runs-on: ubuntu-latest
- permissions:
- contents: write
- packages: write
- attestations: write
- id-token: write
+ runs-on: depot-ubuntu-24.04-16
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@v6
 - name: Setup pnpm
 uses: pnpm/action-setup@v4
 - name: Setup Node.js
@@ -112,14 +113,12 @@ jobs:
 run: gh release upload ${{ github.ref_name }} backend/.bin/*
 publish-release:
- runs-on: ubuntu-latest
+ runs-on: depot-ubuntu-latest
 needs: [build]
- permissions:
- contents: write
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 steps:
 - name: Checkout code
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 - name: Mark release as published
 run: gh release edit ${{ github.ref_name }} --draft=false
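Review bot: `timeout-minutes: 20` is removed from the `build` job together with its job-level `permissions`, and nothing reinstates it at job or workflow level, so the job now falls back to GitHub's default timeout of 360 minutes; the runner migration does not explain that change. A stalled Docker build on the `depot-ubuntu-24.04-16` runner would then run for hours instead of being cut off after 20 minutes. Suggest keeping the line under the job, `timeout-minutes: 20`. The `build` job continues past the end of this hunk.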
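Review bot: Lifting `permissions` to workflow level in release.yml grants `packages: write`, `attestations: write` and `id-token: write` to every job, whereas before only `build` had them; the following hunk removes the narrower `contents: write` block from `publish-release`, whose visible steps are a checkout and `gh release edit`, so that job now holds write scopes it does not appear to use. The same lift happens in e2e-tests.yml, svelte-check.yml and unit-tests.yml, though there the jobs previously held equivalent grants apart from `id-token`. A job-level `permissions` block overrides the workflow-level one rather than merging with it, so restoring least privilege for `publish-release` means giving it its own block, `permissions:` followed by `  contents: write`, adding `  id-token: write` only if the Depot runner actually requires it.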
diff --git a/.github/workflows/svelte-check.yml b/.github/workflows/svelte-check.yml
index b49deddc..c03fe966 100644
--- a/.github/workflows/svelte-check.yml
+++ b/.github/workflows/svelte-check.yml
@@ -21,20 +21,22 @@ on:
 - "frontend/svelte.config.js"
 workflow_dispatch:
+permissions:
+ contents: read
+ checks: write
+ pull-requests: write
+ id-token: write
+
 jobs:
 type-check:
 name: Run Svelte Check
 # Don't run on dependabot branches
 if: github.actor != 'dependabot[bot]'
- runs-on: ubuntu-latest
- permissions:
- contents: read
- checks: write
- pull-requests: write
+ runs-on: depot-ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 - name: Setup pnpm
 uses: pnpm/action-setup@v4
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index ca2b36a0..03ea3293 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -9,14 +9,16 @@ on:
 paths:
 - "backend/**"
+permissions:
+ contents: read
+ id-token: write
+ actions: write
+
 jobs:
 test-backend:
- permissions:
- contents: read
- actions: write
- runs-on: ubuntu-latest
+ runs-on: depot-ubuntu-latest
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
 - uses: actions/setup-go@v6
 with:
 go-version-file: "backend/go.mod"
diff --git a/.github/workflows/update-aaguids.yml b/.github/workflows/update-aaguids.yml
index 18778b05..fbe42e13 100644
--- a/.github/workflows/update-aaguids.yml
+++ b/.github/workflows/update-aaguids.yml
@@ -8,14 +8,15 @@ on:
 permissions:
 contents: write
 pull-requests: write
+ id-token: write
 jobs:
 update-aaguids:
- runs-on: ubuntu-latest
+ runs-on: depot-ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 - name: Fetch JSON data
 run: |
diff --git a/depot.json b/depot.json
new file mode 100644
index 00000000..028fecaf
--- /dev/null
+++ b/depot.json
@@ -0,0 +1 @@
+{ "id": "c36t29j6bz" }