ci: major refactors (#2423)

* Migrate CF Pages to CF Wrangler action (based on jellyfin/jellyfin-web#5894)
* Create event-based workflows, all the specific actions are now reusable workflows

Signed-off-by: Fernando Fernández <[email protected]>

.github/workflows/pull_request.yml

@@ -0,0 +1,105 @@
+name: Pull Request 📥
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.head.sha || github.run_id }}
+  cancel-in-progress: true
+
+on:
+  pull_request_target:
+    paths-ignore:
+      - '**/*.md'
+  merge_group:
+
+jobs:
+  compose-comment:
+    name: Compose PR comment
+    if: ${{ always() && !cancelled() }}
+    uses: ./.github/workflows/reusable/job_messages.yml
+    with:
+      commit: ${{ github.event.pull_request.head.sha }}
+      commenting_workflow_run_id: ${{ github.run_id }}
+      in_progress: true
+
+  push-comment:
+    name: Push comment to PR 🖥️
+    if: ${{ always() && !cancelled() && needs.compose-comment.result == 'success' }}
+    runs-on: ubuntu-latest
+    needs:
+      - compose-comment
+
+    steps:
+      - name: Create comment
+        uses: thollander/[email protected]
+        with:
+          GITHUB_TOKEN: ${{ secrets.JF_BOT_TOKEN }}
+          message: ${{ needs.compose-comment.outputs.msg }}
+          comment_tag: ${{ needs.compose-comment.outputs.marker }}
+
+  project:
+    name: Project board 📊
+    if: ${{ always() }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: alex-page/[email protected]
+        with:
+          project: Ongoing development
+          column: In progress
+          repo-token: ${{ secrets.JF_BOT_TOKEN }}
+
+  label:
+    name: Labeling 🏷️
+    if: ${{ always() }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Label PR depending on modified files
+        uses: actions/[email protected]
+        with:
+          repo-token: ${{ secrets.JF_BOT_TOKEN }}
+
+  build:
+    name: Build 🏗️
+    uses: ./.github/workflows/reusable/package.yml
+    # Start build after the comment is created
+    needs:
+      - push-comment
+    # Needed for attestation publication
+    permissions:
+      id-token: write
+      attestations: write
+    with:
+      commit: ${{ github.event.pull_request.head.sha }}
+
+  quality_checks:
+    name: Quality checks 👌🧪
+    uses: ./.github/workflows/reusable/quality_checks.yml
+    permissions: {}
+    with:
+      commit: ${{ github.event.pull_request.head.sha }}
+
+  codeql:
+    name: CodeQL 🏗️
+    uses: ./.github/workflows/reusable/codeql.yml
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    with:
+      commit: ${{ github.event.pull_request.head.sha }}
+
+  deploy:
+    name: Deploy 🚀
+    uses: ./.github/workflows/reusable/deploy.yml
+    needs:
+      - build
+    permissions:
+      contents: read
+      deployments: write
+    secrets: inherit
+    with:
+      # If the PR is from the master branch of a fork, append the fork's name to the branch name
+      branch: ${{ github.event.pull_request.head.repo.full_name != github.repository && github.event.pull_request.head.ref == 'master' && format('{0}/{1}', github.event.pull_request.head.repo.full_name, github.event.pull_request.head.ref) || github.event.pull_request.head.ref }}
+      comment: true
+      pr_number: ${{ github.event.pull_request.number }}
+      commit: ${{ github.event.pull_request.head.sha }}

.github/workflows/push_release.yml

@@ -0,0 +1,64 @@
+name: Push & Release 🌍
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event_name == 'push' && github.ref }}
+  cancel-in-progress: true
+
+on:
+  release:
+    types:
+      - released
+      - prereleased
+  push:
+    branches:
+      - master
+    paths-ignore:
+      - '**/*.md'
+
+jobs:
+  label:
+    name: Labeling 🏷️
+    if: ${{ always() && !cancelled() }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check all PRs for merge conflicts ⛔
+        uses: eps1lon/[email protected]
+        with:
+          dirtyLabel: "merge conflict"
+          repoToken: ${{ secrets.JF_BOT_TOKEN }}
+
+  main:
+    name: ${{ github.event_name == 'push' && 'Unstable 🚀⚠️' || 'Stable 🏷️✅' }}
+    uses: ./.github/workflows/reusable/package.yml
+    secrets: inherit
+    # Needed for attestation publication
+    permissions:
+      id-token: write
+      attestations: write
+    with:
+      commit: ${{ github.event_name == 'push' && github.sha }}
+      is_prerelease: ${{ github.event_name == 'release' && github.event.action == 'prereleased' }}
+      tag_name: ${{ github.event_name == 'release' && github.event.release.tag_name }}
+      push: true
+
+  codeql:
+    name: CodeQL 🏗️
+    uses: ./.github/workflows/reusable/codeql.yml
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+  deploy:
+    name: Deploy 🚀
+    uses: ./.github/workflows/reusable/deploy.yml
+    needs:
+      - main
+    permissions:
+      contents: read
+      deployments: write
+    secrets: inherit
+    with:
+      branch: ${{ github.ref_name }}
+      comment: false

.github/workflows/codeql.yml → .github/workflows/reusable/codeql.yml

@@ -1,29 +1,15 @@
 name: GitHub CodeQL 🔬
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event_name == 'push' && github.ref || github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 on:
-  push:
-    branches:
-      - master
-  pull_request:
-    paths-ignore:
-      - '**/*.md'
-  merge_group:
   workflow_call:
-  schedule:
-    - cron: 0 0 * * MON,FRI
-
+    inputs:
+      commit:
+        required: true
+        type: string
 jobs:
   analyze:
     name: Analyze 🔬
     runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
 
     strategy:
       fail-fast: false
@@ -35,6 +21,7 @@ jobs:
       - name: Checkout repository ⬇️
         uses: actions/[email protected]
         with:
+          ref: ${{ inputs.commit }}
           show-progress: false
 
       - name: Initialize CodeQL 🛠️