kenzok78 · pull · Oct 3, 2023 · Oct 3, 2023 · Nov 13, 2023 · Nov 22, 2023
diff --git a/.github/auto_assign.yml b/.github/auto_assign.yml
@@ -0,0 +1,17 @@
+# Set to true to add reviewers to pull requests
+addReviewers: true
+
+# Set to true to add assignees to pull requests
+addAssignees: false
+
+# A list of reviewers to be added to pull requests (GitHub user name)
+reviewers:
+  - phantsure
+  - anuragc617
+  - tiwarishub
+  - vsvipul
+  - bishal-pdmsft
+
+# A number of reviewers added to the pull request
+# Set 0 to add all the reviewers (default: 0)
+numberOfReviewers: 1
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,16 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -1,3 +1,4 @@
 # Add 'code-scanning' label to any changes within 'code-scanning' folder or any subfolders
 code-scanning:
-- code-scanning/**/*
+- changed-files: 
+  - any-glob-to-any-file: code-scanning/**/*
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -26,6 +26,7 @@ It is not:
 - [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests").
 - [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build").
 - [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification.
+- [ ] Should specify least privileged [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully.
 
 **For _CI_ workflows, the workflow:**
 
@@ -37,10 +38,10 @@ It is not:
 
 **For _Code Scanning_ workflows, the workflow:**
 
-- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/ci).
+- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/code-scanning).
 - [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows:
   - [ ] `name`: Name of the Code Scanning integration.
-  - [ ] `organization`: Name of the organization producing the Code Scanning integration.
+  - [ ] `creator`: Name of the organization/user producing the Code Scanning integration.
   - [ ] `description`: Short description of the Code Scanning integration.
   - [ ] `categories`: Array of languages supported by the Code Scanning integration.
   - [ ] `iconName`: Name of the SVG logo representing the Code Scanning integration. This SVG logo must be present in [the `icons` directory](https://github.com/actions/starter-workflows/tree/main/icons).

diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml
@@ -0,0 +1,15 @@
+name: Issue assignment
+
+on:
+    issues:
+        types: [opened]
+
+jobs:
+    auto-assign:
+        runs-on: ubuntu-latest
+        steps:
+            - name: 'Auto-assign issue'
+              uses: pozil/[email protected]
+              with:
+                  assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft
+                  numOfAssignee: 1
diff --git a/.github/workflows/auto-assign.yml b/.github/workflows/auto-assign.yml
@@ -0,0 +1,10 @@
+name: 'Auto Assign'
+on:
+  pull_request_target:
+    types: [opened, ready_for_review]
+
+jobs:
+  add-reviews:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: kentaro-m/[email protected]
diff --git a/.github/workflows/label-feature.yml b/.github/workflows/label-feature.yml
@@ -5,10 +5,12 @@ on:
 
 jobs:
   build:
+    permissions:
+      issues: write
     runs-on: ubuntu-latest
     steps:
     - name: Close Issue
-      uses: peter-evans/close-issue@v1
+      uses: peter-evans/close-issue@v3
       if: contains(github.event.issue.labels.*.name, 'feature')
       with:
         comment: |

diff --git a/.github/workflows/label-support.yml b/.github/workflows/label-support.yml
@@ -5,10 +5,12 @@ on:
 
 jobs:
   build:
+    permissions:
+      issues: write
     runs-on: ubuntu-latest
     steps:
     - name: Close Issue
-      uses: peter-evans/close-issue@v1
+      uses: peter-evans/close-issue@v3
       if: contains(github.event.issue.labels.*.name, 'support')
       with:
         comment: |

diff --git a/.github/workflows/labeler-triage.yml b/.github/workflows/labeler-triage.yml
@@ -5,12 +5,12 @@ permissions:
   pull-requests: write
 
 on:
-- pull_request_target
+  pull_request_target:
 
 jobs:
   triage:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/labeler@v3
+    - uses: actions/labeler@v5
       with:
-        repo-token: "${{ secrets.GITHUB_TOKEN }}"
+        repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -0,0 +1,31 @@
+name: Lint
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+
+  pre-commit:
+    name: pre-commit
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v4
+        with:
+          python-version: 3.11
+
+      - name: Cache pre-commit
+        uses: actions/cache@v3
+        with:
+          path: ~/.cache/pre-commit
+          key: pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }}
+
+      - name: Install pre-commit
+        run: pip3 install pre-commit
+
+      - name: Run pre-commit
+        run: pre-commit run --all-files --show-diff-on-failure --color always
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -1,16 +1,20 @@
 name: Mark stale issues and pull requests
 
 on:
-  schedule:
-  - cron: "21 4 * * *"
+  workflow_dispatch:
+  # schedule:
+  # - cron: "21 4 * * *"
 
 jobs:
   stale:
 
+    permissions:
+      issues: write
+      pull-requests: write
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/stale@v3
+    - uses: actions/stale@v8
       with:
         stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.'
         stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.'

diff --git a/.github/workflows/sync_ghes.yaml → .github/workflows/sync-ghes.yaml b/.github/workflows/sync_ghes.yaml → .github/workflows/sync-ghes.yaml
@@ -2,21 +2,24 @@ name: Sync workflows for GHES
 
 on:
   push:
-    branches:
-    - main
+    branches: [ main ]
 
 jobs:
   sync:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - run: |
         git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*
         git config user.email "[email protected]"
         git config user.name "GitHub Actions"
-    - uses: actions/setup-node@v2
+    - uses: actions/setup-node@v4
       with:
-        node-version: '12'
+        node-version: '20'
+        cache: 'npm'
+        cache-dependency-path: script/sync-ghes/package-lock.json
     - name: Check starter workflows for GHES compat
       run: |
         npm ci

diff --git a/.github/workflows/validate-data.yaml b/.github/workflows/validate-data.yaml
@@ -6,13 +6,17 @@ on:
 
 jobs:
   validate-data:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
-      - uses: actions/setup-node@v2
+      - uses: actions/setup-node@v4
         with:
-          node-version: "12"
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: script/validate-data/package-lock.json
 
       - name: Validate workflows
         run: |

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,6 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.4.0
+  hooks:
+  - id: trailing-whitespace
+    files: (automation/|ci/|code-scanning/|deployments/|pages/).*(yaml|yml|json)$
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -1,3 +1,5 @@
-* @actions/starter-workflows
+* @actions/actions-workflow-development-reviewers @actions/starter-workflows
 
-/code-scanning/ @actions/advanced-security-code-scanning
+/code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph @actions/starter-workflows
+/code-scanning/dependency-review.yml @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph @actions/starter-workflows
+/pages/ @actions/pages @actions/actions-workflow-development-reviewers @actions/starter-workflows
diff --git a/README.md b/README.md
@@ -12,9 +12,11 @@ These are the workflow files for helping people get started with GitHub Actions.
 
 ### Directory structure
 
-* [ci](ci): solutions for Continuous Integration
-* [automation](automation): solutions for automating workflows.
-* [code-scanning](code-scanning): starter workflows for [Code Scanning](https://github.com/features/security)
+* [ci](ci): solutions for Continuous Integration workflows
+* [deployments](deployments): solutions for Deployment workflows
+* [automation](automation): solutions for automating workflows
+* [code-scanning](code-scanning): solutions for [Code Scanning](https://github.com/features/security)
+* [pages](pages): solutions for Pages workflows
 * [icons](icons): svg icons for the relevant template
 
 Each workflow must be written in YAML and have a `.yml` extension. They also need a corresponding `.properties.json` file that contains extra metadata about the workflow (this is displayed in the GitHub.com UI).
@@ -23,14 +25,48 @@ For example: `ci/django.yml` and `ci/properties/django.properties.json`.
 
 ### Valid properties
 
-* `name`: the name shown in onboarding
+* `name`: the name shown in onboarding. This property is unique within the repository.
 * `description`: the description shown in onboarding
-* `iconName`: the icon name in the relevant folder, for example `django` should have an icon `icons/django.svg`. Only SVG is supported at this time
-* `categories`: the categories that it will be shown under
+* `iconName`: the icon name in the relevant folder, for example, `django` should have an icon `icons/django.svg`. Only SVG is supported at this time. Another option is to use [octicon](https://primer.style/octicons/). The format to use an octicon is `octicon <<icon name>>`. Example: `octicon person`
+* `creator`: creator of the template shown in onboarding. All the workflow templates from an author will have the same `creator` field.
+* `categories`: the categories that it will be shown under. Choose at least one category from the list [here](#categories). Further, choose the categories from the list of languages available [here](https://github.com/github/linguist/blob/master/lib/linguist/languages.yml) and the list of tech stacks available [here](https://github.com/github-starter-workflows/repo-analysis-partner/blob/main/tech_stacks.yml). When a user views the available templates, those templates that match the language and tech stacks will feature more prominently.
+
+### Categories
+* continuous-integration
+* deployment
+* testing
+* code-quality
+* code-review
+* dependency-management
+* monitoring
+* Automation
+* utilities
+* Pages
+* Hugo
 
 ### Variables
 These variables can be placed in the starter workflow and will be substituted as detailed below:
 
 * `$default-branch`: will substitute the branch from the repository, for example `main` and `master`
-* `$protected-branches`: will substitue any protected branches from the repository.
+* `$protected-branches`: will substitute any protected branches from the repository
 * `$cron-daily`: will substitute a valid but random time within the day
+
+## How to test templates before publishing
+
+### Disable template for public
+The template author adds a `labels` array in the template's `properties.json` file with a label `preview`. This will hide the template from users, unless user uses query parameter `preview=true` in the URL.
+Example `properties.json` file:
+```json
+{
+    "name": "Node.js",
+    "description": "Build and test a Node.js project with npm.",
+    "iconName": "nodejs",
+    "categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular", "Vue"],
+    "labels": ["preview"]
+}
+```
+
+For viewing the templates with `preview` label, provide query parameter `preview=true` to the  `new workflow` page URL. Eg. `https://github.com/<owner>/<repo_name>/actions/new?preview=true`.
+
+### Enable template for public
+Remove the `labels` array from `properties.json` file to publish the template to public
diff --git a/automation/greetings.yml b/automation/greetings.yml
@@ -1,6 +1,6 @@
 name: Greetings
 
-on: [pull_request, issues]
+on: [pull_request_target, issues]
 
 jobs:
   greeting:
@@ -12,5 +12,5 @@ jobs:
     - uses: actions/first-interaction@v1
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
-        issue-message: 'Message that will be displayed on users first issue'
-        pr-message: 'Message that will be displayed on users first pull request'
+        issue-message: "Message that will be displayed on users' first issue"
+        pr-message: "Message that will be displayed on users' first pull request"
diff --git a/automation/label.yml b/automation/label.yml
@@ -6,7 +6,7 @@
 # https://github.com/actions/labeler
 
 name: Labeler
-on: [pull_request]
+on: [pull_request_target]
 
 jobs:
   label:
@@ -17,6 +17,6 @@ jobs:
       pull-requests: write
 
     steps:
-    - uses: actions/labeler@v2
+    - uses: actions/labeler@v4
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/automation/manual.yml b/automation/manual.yml
@@ -15,6 +15,8 @@ on:
         default: 'World'
         # Input has to be provided for the workflow to run
         required: true
+        # The data type of the input
+        type: string
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
@@ -27,4 +29,4 @@ jobs:
     steps:
     # Runs a single command using the runners shell
     - name: Send greeting
-      run: echo "Hello ${{ github.event.inputs.name }}"
+      run: echo "Hello ${{ inputs.name }}"
diff --git a/automation/stale.yml b/automation/stale.yml
@@ -1,3 +1,8 @@
+# This workflow warns and then closes issues and PRs that have had no activity for a specified amount of time.
+#
+# You can adjust the behavior by modifying this file.
+# For more information, see:
+# https://github.com/actions/stale
 name: Mark stale issues and pull requests
 
 on:
@@ -13,7 +18,7 @@ jobs:
       pull-requests: write
 
     steps:
-    - uses: actions/stale@v3
+    - uses: actions/stale@v5
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'Stale issue message'