From 0dfb080e7b35966a44033bc69dee76e72b41e9bc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 3 May 2026 05:43:07 +0000 Subject: [PATCH 1/3] Bump the github-actions group with 7 updates Bumps the github-actions group with 7 updates: | Package | From | To | | --- | --- | --- | | [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.19.0` | `2.19.1` | | [bemanproject/infra-workflows/.github/workflows/reusable-beman-submodule-check.yml](https://github.com/bemanproject/infra-workflows) | `1.5.3` | `1.7.1` | | [bemanproject/infra-workflows/.github/workflows/reusable-beman-preset-test.yml](https://github.com/bemanproject/infra-workflows) | `1.5.3` | `1.7.1` | | [bemanproject/infra-workflows/.github/workflows/reusable-beman-build-and-test.yml](https://github.com/bemanproject/infra-workflows) | `1.5.3` | `1.7.1` | | [bemanproject/infra-workflows/.github/workflows/reusable-beman-create-issue-when-fault.yml](https://github.com/bemanproject/infra-workflows) | `1.5.3` | `1.7.1` | | [bemanproject/infra-workflows/.github/workflows/reusable-beman-pre-commit.yml](https://github.com/bemanproject/infra-workflows) | `1.5.3` | `1.7.1` | | [bemanproject/infra-workflows/.github/workflows/reusable-beman-update-pre-commit.yml](https://github.com/bemanproject/infra-workflows) | `1.5.3` | `1.7.1` | Updates `step-security/harden-runner` from 2.19.0 to 2.19.1 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/8d3c67de8e2fe68ef647c8db1e6a09f647780f40...a5ad31d6a139d249332a2605b85202e8c0b78450) Updates `bemanproject/infra-workflows/.github/workflows/reusable-beman-submodule-check.yml` from 1.5.3 to 1.7.1 - [Commits](https://github.com/bemanproject/infra-workflows/compare/503ac65da3fd803044bc82b2fe748b2fc6f503cd...4d946e210ce2ee68ccd8607c8acccacf171830c5) Updates `bemanproject/infra-workflows/.github/workflows/reusable-beman-preset-test.yml` from 1.5.3 to 1.7.1 - [Commits](https://github.com/bemanproject/infra-workflows/compare/503ac65da3fd803044bc82b2fe748b2fc6f503cd...4d946e210ce2ee68ccd8607c8acccacf171830c5) Updates `bemanproject/infra-workflows/.github/workflows/reusable-beman-build-and-test.yml` from 1.5.3 to 1.7.1 - [Commits](https://github.com/bemanproject/infra-workflows/compare/503ac65da3fd803044bc82b2fe748b2fc6f503cd...4d946e210ce2ee68ccd8607c8acccacf171830c5) Updates `bemanproject/infra-workflows/.github/workflows/reusable-beman-create-issue-when-fault.yml` from 1.5.3 to 1.7.1 - [Commits](https://github.com/bemanproject/infra-workflows/compare/503ac65da3fd803044bc82b2fe748b2fc6f503cd...4d946e210ce2ee68ccd8607c8acccacf171830c5) Updates `bemanproject/infra-workflows/.github/workflows/reusable-beman-pre-commit.yml` from 1.5.3 to 1.7.1 - [Commits](https://github.com/bemanproject/infra-workflows/compare/503ac65da3fd803044bc82b2fe748b2fc6f503cd...4d946e210ce2ee68ccd8607c8acccacf171830c5) Updates `bemanproject/infra-workflows/.github/workflows/reusable-beman-update-pre-commit.yml` from 1.5.3 to 1.7.1 - [Commits](https://github.com/bemanproject/infra-workflows/compare/503ac65da3fd803044bc82b2fe748b2fc6f503cd...4d946e210ce2ee68ccd8607c8acccacf171830c5) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.19.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: bemanproject/infra-workflows/.github/workflows/reusable-beman-submodule-check.yml dependency-version: 1.7.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: bemanproject/infra-workflows/.github/workflows/reusable-beman-preset-test.yml dependency-version: 1.7.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: bemanproject/infra-workflows/.github/workflows/reusable-beman-build-and-test.yml dependency-version: 1.7.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: bemanproject/infra-workflows/.github/workflows/reusable-beman-create-issue-when-fault.yml dependency-version: 1.7.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: bemanproject/infra-workflows/.github/workflows/reusable-beman-pre-commit.yml dependency-version: 1.7.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: bemanproject/infra-workflows/.github/workflows/reusable-beman-update-pre-commit.yml dependency-version: 1.7.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yml | 4 ++-- .github/workflows/ci_tests.yml | 8 ++++---- .github/workflows/codeql.yml | 2 +- .github/workflows/doxygen-gh-pages.yml | 2 +- .github/workflows/ossf-scorecard-analysis.yml | 2 +- .github/workflows/pre-commit-check.yml | 2 +- .github/workflows/pre-commit-update.yml | 2 +- .github/workflows/pre-commit.yml | 4 ++-- 8 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f441470d..f3e2ff79 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,7 +36,7 @@ jobs: - {name: "Ubuntu GCC 12", tag: "gcc:12", toolchain: "gcc-12", cmake_args: "-G \"Ninja Multi-Config\" -DCMAKE_CONFIGURATION_TYPES=\"RelWithDebInfo;Asan\" -DCMAKE_PREFIX_PATH=\"./infra/cmake\" "} steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: audit @@ -128,7 +128,7 @@ jobs: steps: # See https://github.com/cli/cli/issues/5075 - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: audit diff --git a/.github/workflows/ci_tests.yml b/.github/workflows/ci_tests.yml index cdfce15a..923cd5f6 100644 --- a/.github/workflows/ci_tests.yml +++ b/.github/workflows/ci_tests.yml @@ -16,10 +16,10 @@ on: jobs: beman-submodule-check: - uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-submodule-check.yml@503ac65da3fd803044bc82b2fe748b2fc6f503cd # 1.5.3 + uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-submodule-check.yml@4d946e210ce2ee68ccd8607c8acccacf171830c5 # 1.7.1 preset-test: - uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-preset-test.yml@503ac65da3fd803044bc82b2fe748b2fc6f503cd # 1.5.3 + uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-preset-test.yml@4d946e210ce2ee68ccd8607c8acccacf171830c5 # 1.7.1 with: matrix_config: > [ @@ -34,7 +34,7 @@ jobs: ] build-and-test: - uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-build-and-test.yml@503ac65da3fd803044bc82b2fe748b2fc6f503cd # 1.5.3 + uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-build-and-test.yml@4d946e210ce2ee68ccd8607c8acccacf171830c5 # 1.7.1 with: matrix_config: > { @@ -147,4 +147,4 @@ jobs: permissions: contents: read issues: write - uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-create-issue-when-fault.yml@503ac65da3fd803044bc82b2fe748b2fc6f503cd # 1.5.3 + uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-create-issue-when-fault.yml@4d946e210ce2ee68ccd8607c8acccacf171830c5 # 1.7.1 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 83e6114b..c40b617d 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -59,7 +59,7 @@ jobs: # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: audit diff --git a/.github/workflows/doxygen-gh-pages.yml b/.github/workflows/doxygen-gh-pages.yml index ddbe766b..2dc9576a 100644 --- a/.github/workflows/doxygen-gh-pages.yml +++ b/.github/workflows/doxygen-gh-pages.yml @@ -16,7 +16,7 @@ jobs: contents: write steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: audit diff --git a/.github/workflows/ossf-scorecard-analysis.yml b/.github/workflows/ossf-scorecard-analysis.yml index d6b1ee29..534d411c 100644 --- a/.github/workflows/ossf-scorecard-analysis.yml +++ b/.github/workflows/ossf-scorecard-analysis.yml @@ -22,7 +22,7 @@ jobs: steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: audit diff --git a/.github/workflows/pre-commit-check.yml b/.github/workflows/pre-commit-check.yml index 2810e0cc..3c65a6e5 100644 --- a/.github/workflows/pre-commit-check.yml +++ b/.github/workflows/pre-commit-check.yml @@ -15,4 +15,4 @@ jobs: checks: write issues: write pull-requests: write - uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-pre-commit.yml@503ac65da3fd803044bc82b2fe748b2fc6f503cd # ratchet:bemanproject/infra-workflows/.github/workflows/reusable-beman-pre-commit.yml@1.5.3 + uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-pre-commit.yml@4d946e210ce2ee68ccd8607c8acccacf171830c5 # ratchet:bemanproject/infra-workflows/.github/workflows/reusable-beman-pre-commit.yml@1.7.1 diff --git a/.github/workflows/pre-commit-update.yml b/.github/workflows/pre-commit-update.yml index 2b545d17..d9c3ea18 100644 --- a/.github/workflows/pre-commit-update.yml +++ b/.github/workflows/pre-commit-update.yml @@ -15,7 +15,7 @@ jobs: permissions: contents: write pull-requests: write - uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-update-pre-commit.yml@503ac65da3fd803044bc82b2fe748b2fc6f503cd # 1.5.3 + uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-update-pre-commit.yml@4d946e210ce2ee68ccd8607c8acccacf171830c5 # 1.7.1 secrets: APP_ID: ${{ secrets.AUTO_PR_BOT_APP_ID }} PRIVATE_KEY: ${{ secrets.AUTO_PR_BOT_PRIVATE_KEY }} diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 782a278d..9bdf3577 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -19,7 +19,7 @@ jobs: steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: audit @@ -50,7 +50,7 @@ jobs: steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: audit From 25560b4ad67983ae1eae73fbe13171fe4c883090 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 3 May 2026 05:43:36 +0000 Subject: [PATCH 2/3] Bump github/codeql-action in the github-owned-actions group Bumps the github-owned-actions group with 1 update: [github/codeql-action](https://github.com/github/codeql-action). Updates `github/codeql-action` from 4.35.2 to 4.35.3 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/95e58e9a2cdfd71adc6e0353d5c52f41a045d225...e46ed2cbd01164d986452f91f178727624ae40d7) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-owned-actions ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/ossf-scorecard-analysis.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 83e6114b..884f2c64 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -77,7 +77,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} @@ -106,7 +106,7 @@ jobs: exit 1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/ossf-scorecard-analysis.yml b/.github/workflows/ossf-scorecard-analysis.yml index d6b1ee29..e808f0d1 100644 --- a/.github/workflows/ossf-scorecard-analysis.yml +++ b/.github/workflows/ossf-scorecard-analysis.yml @@ -56,6 +56,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3 with: sarif_file: results.sarif From ab2aee0d805b6de4bfd3a5d63fb8ad1c1e0864fe Mon Sep 17 00:00:00 2001 From: Steve Downey Date: Mon, 11 May 2026 17:47:39 -0400 Subject: [PATCH 3/3] Bootstrap docs-comment.yml for workflow_run PR commenting --- .github/workflows/docs-comment.yml | 92 ++++++++++++++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 .github/workflows/docs-comment.yml diff --git a/.github/workflows/docs-comment.yml b/.github/workflows/docs-comment.yml new file mode 100644 index 00000000..5e1def68 --- /dev/null +++ b/.github/workflows/docs-comment.yml @@ -0,0 +1,92 @@ +# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception + +# Posts a PR preview comment after the Documentation workflow completes. +# +# This is intentionally a separate workflow from docs.yml. The +# `pull_request` event (used in docs.yml) always runs with a read-only +# GITHUB_TOKEN for fork PRs, so it cannot post comments. The +# `workflow_run` event runs code from the BASE branch — never from the +# fork — and is granted write permissions safely. No fork code executes +# here; we only read trusted metadata from the workflow_run context. +# +# Reference: https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow_run + +name: Documentation Preview Comment + +on: + workflow_run: + workflows: ["Documentation"] + types: [completed] + +permissions: + pull-requests: write + +jobs: + comment: + name: Post preview link + runs-on: ubuntu-latest + # Only comment on PR builds that succeeded. Push and + # workflow_dispatch builds don't have a PR to comment on. + if: > + github.event.workflow_run.event == 'pull_request' && + github.event.workflow_run.conclusion == 'success' + + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + with: + egress-policy: audit + + - name: Post or update PR preview comment + uses: actions/github-script@v7 + with: + script: | + const MARKER = '' + const run = context.payload.workflow_run + const runUrl = run.html_url + const sha = run.head_sha.slice(0, 7) + const body = [ + MARKER, + `📚 **Documentation preview** for \`${sha}\` — [workflow run](${runUrl})`, + '', + 'To review: open the **docs-site** artifact from that run,', + 'extract the zip, and open `index.html` in a browser.', + ].join('\n') + + // Locate the open PR that matches this workflow run's head + // branch. For same-repo PRs github.event.pull_request is + // available directly; for fork PRs we search by head label. + const headLabel = `${run.head_repository.owner.login}:${run.head_branch}` + const { data: prs } = await github.rest.pulls.list({ + owner: context.repo.owner, + repo: context.repo.repo, + head: headLabel, + state: 'open', + }) + if (prs.length === 0) { + core.info(`No open PR found for head ${headLabel}; skipping comment.`) + return + } + const issue_number = prs[0].number + + const { data: comments } = await github.rest.issues.listComments({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number, + }) + const existing = comments.find(c => c.body.includes(MARKER)) + if (existing) { + await github.rest.issues.updateComment({ + owner: context.repo.owner, + repo: context.repo.repo, + comment_id: existing.id, + body, + }) + } else { + await github.rest.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number, + body, + }) + }