3ware · chris3ware · Mar 3, 2023 · Mar 1, 2023 · Mar 1, 2023 · Mar 1, 2023
@@ -6,9 +6,12 @@
   "language": "en-GB",
   // words - list of words to be always considered correct
   "words": [
+    "amannn",
+    "analyzer",
     "aquasecurity",
     "codeql",
     "conventionalcommits",
+    "cycjimmy",
     "linters",
     "markdownlint",
     "noreply",

@@ -5,7 +5,7 @@
 
 version: 2
 updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
+  - package-ecosystem: github-actions
+    directory: /
     schedule:
-      interval: "monthly"
+      interval: monthly
@@ -4,7 +4,7 @@
 #
 # Source repository: https://github.com/actions/dependency-review-action
 # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
-name: "Dependency Review"
+name: Dependency Review
 on: [pull_request]
 
 permissions:
@@ -14,7 +14,7 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-      - name: "Checkout Repository"
+      - name: Checkout Repository
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
-      - name: "Dependency Review"
+      - name: Dependency Review
         uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
@@ -1,9 +1,9 @@
-name: "Terraform directory"
+name: Terraform directory
 on:
   workflow_call:
     outputs:
       terraform-dir:
-        description: "The terraform directory to initialise"
+        description: The terraform directory to initialise
         value: ${{ jobs.terraform-directory.outputs.dir }}
 
 # Declare default permissions as read only.
@@ -19,23 +19,23 @@ jobs:
     outputs:
       dir: ${{ steps.changed-dir.outputs.all_changed_files }}
     steps:
-      - name: "Checkout repository"
+      - name: Checkout repository
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           persist-credentials: false
 
-      - name: "Get changed files"
+      - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@23e3c4300cb904a9d9c36fc2df4111a2fa9b9ff1 # v35.5.6
 
-      - name: "List all changed files"
+      - name: List all changed files
         run: |
           for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
             echo "$file was changed"
           done
 
       # Find the directory where files have been changed.
-      - name: "Get terraform directory"
+      - name: Get terraform directory
         id: changed-dir
         uses: tj-actions/changed-files@23e3c4300cb904a9d9c36fc2df4111a2fa9b9ff1 # v35.5.6
         # Step fails if nothing found.
@@ -47,7 +47,7 @@ jobs:
           dir_names: true
           dir_names_exclude_root: true
 
-      - name: "List terraform directory"
+      - name: List terraform directory
         if: ${{ steps.changed-dir.conclusion == 'success'}}
         run: |
           echo "${{ steps.changed-dir.outputs.all_changed_files }}"
@@ -1,10 +1,10 @@
 # This workflow generates an installation access token for GitHub authentication
-name: "Generate workflow token"
+name: Generate workflow token
 on:
   workflow_call:
     outputs:
       temp-token:
-        description: "The temporary installation access token"
+        description: The temporary installation access token
         value: ${{ jobs.get-temp-token.outputs.token }}
 
 # Declare default permissions as read only.
@@ -17,15 +17,15 @@ jobs:
     outputs:
       token: ${{ steps.encrypt-token.outputs.encrypted-token }}
     steps:
-      - name: "Get GitHub authentication token"
+      - name: Get GitHub authentication token
         id: get-workflow-token
         uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db # v2.1.0
         with:
           application_id: ${{ secrets.THREEWARE_RELEASE_APPLICATION_ID }}
           application_private_key: ${{ secrets.THREEWARE_RELEASE_APPLICATION_PRIVATE_KEY }}
           organization: 3ware
 
-      - name: "Encrypt the token for reuse between jobs / workflows"
+      - name: Encrypt the token for reuse between jobs / workflows
         id: encrypt-token
         run: |
           ENCRYPTED_TOKEN=$(gpg --symmetric --batch --passphrase "$KEY" \

@@ -0,0 +1,24 @@
+# Generic workflow, that runs on main, so required_status_checks pass
+# https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks
+
+name: Lint
+
+on:
+  push:
+    branches: [main]
+  workflow_call: {}
+
+# Declare default permissions as read only.
+permissions: read-all
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Lint with trunk
+        run: echo "No linting required"
@@ -1,12 +1,10 @@
-name: "Lint"
+name: Lint
 on:
+  push:
+    branches: [main]
   pull_request:
-    types:
-      - opened
-      - edited
-      - synchronize
-    branches:
-      - main
+    types: [opened, synchronize]
+    branches: [main]
   workflow_call:
     inputs:
       terraform-version:
@@ -30,26 +28,26 @@ jobs:
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}
       cancel-in-progress: true
-    needs: ["find-terraform"]
+    needs: [find-terraform]
     steps:
-      - name: "Checkout repository"
+      - name: Checkout repository
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           persist-credentials: false
 
-      - name: "Setup Terraform"
+      - name: Setup Terraform
         if: ${{ needs.find-terraform.outputs.terraform-dir != '' }}
         uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
         with:
           terraform_version: ${{ inputs.terraform-version }}
           cli_config_credentials_token: ${{ secrets.TF_TOKEN_APP_TERRAFORM_IO }}
 
-      #Initialise terraform in the directory where terraform file have changed.
-      - name: "Initialise Terraform"
+      # Initialise terraform in the directory where terraform file have changed.
+      - name: Initialise Terraform
         if: ${{ needs.find-terraform.outputs.terraform-dir != ''}}
         working-directory: ${{ needs.find-terraform.outputs.terraform-dir }}
         run: terraform init
 
-      - name: "Lint with trunk"
-        if: ${{ always() }} #Run anyway, even if no terraform
+      - name: Lint with trunk
+        if: ${{ always() }} # Run anyway, even if no terraform
         uses: trunk-io/trunk-action@9cf65e08e822e9842fd9ef7ed2a2bd9092de0986 # v1.0.6
@@ -0,0 +1,24 @@
+# Generic workflow, that runs on main, so required_status_checks pass
+# https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks
+
+name: Validate PR title
+
+on:
+  push:
+    branches: [main]
+  workflow_call: {}
+
+# Declare default permissions as read only.
+permissions: read-all
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  conventional-pr-title:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Validate pull request title is conventional
+        run: echo "No pull request title to check"
@@ -1,12 +1,9 @@
-name: "Validate PR title"
+name: Validate PR title
 
 on:
   pull_request_target:
-    types:
-      - opened
-      - edited
-      - synchronize
-  workflow_call:
+    types: [opened, edited]
+  workflow_call: {}
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -22,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - name: "Validate pull request title is conventional"
+      - name: Validate pull request title is conventional
         uses: amannn/action-semantic-pull-request@b6bca70dcd3e56e896605356ce09b76f7e1e0d39 # v5.1.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -2,24 +2,24 @@
 # by a third-party and are governed by separate terms of service, privacy
 # policy, and support documentation.
 
-name: "Scorecard supply-chain security"
+name: Scorecard supply-chain security
 on:
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
   # branch_protection_rule:
   # To guarantee Maintained check is occasionally updated. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
-    - cron: "27 7 * * 6"
+    - cron: 27 7 * * 6
   push:
-    branches: ["main"]
+    branches: [main]
 
 # Declare default permissions as read only.
 permissions: read-all
 
 jobs:
   analysis:
-    name: "Scorecard analysis"
+    name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload the results to code-scanning dashboard.
@@ -31,12 +31,12 @@ jobs:
       # actions: read
 
     steps:
-      - name: "Checkout code"
+      - name: Checkout code
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
         with:
           persist-credentials: false
 
-      - name: "Run analysis"
+      - name: Run analysis
         uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
         with:
           results_file: results.sarif
@@ -58,15 +58,15 @@ jobs:
 
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
-      - name: "Upload artifact"
+      - name: Upload artifact
         uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
-      - name: "Upload to code-scanning"
+      - name: Upload to code-scanning
         uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
         with:
           sarif_file: results.sarif
@@ -1,11 +1,10 @@
-name: "Semantic Release"
+name: Semantic Release
 
 on:
-  workflow_dispatch:
-  workflow_call:
+  workflow_dispatch: {}
+  workflow_call: {}
   push:
-    branches:
-      - main
+    branches: [main]
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -21,14 +20,14 @@ jobs:
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}
       cancel-in-progress: true
-    needs: ["get-temp-token"]
+    needs: [get-temp-token]
     steps:
-      - name: "Checkout repository"
+      - name: Checkout repository
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           persist-credentials: false
 
-      - name: "Decrypt the installation access token"
+      - name: Decrypt the installation access token
         id: decrypt-token
         run: |
           DECRYPTED_TOKEN=$(gpg --decrypt --quiet --batch --passphrase "$KEY" \
@@ -39,7 +38,7 @@ jobs:
         env:
           KEY: ${{ secrets.PGP_SECRET_SIGNING_PASSPHRASE }}
 
-      - name: "Create GitHub release and update CHANGELOG"
+      - name: Create GitHub release and update CHANGELOG
         if: ${{ ! env.ACT }}
         uses: cycjimmy/semantic-release-action@8f6ceb9d5aae5578b1dcda6af00008235204e7fa # v3.2.0
         with:
@@ -51,7 +50,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ steps.decrypt-token.outputs.temp-token }}
 
-      - name: "Local test release"
+      - name: Local test release
         if: ${{ env.ACT }}
         uses: cycjimmy/semantic-release-action@8f6ceb9d5aae5578b1dcda6af00008235204e7fa # v3.2.0
         with: