Merge branch 'main' into dependabot/npm_and_yarn/concurrently-9.1.0

.github/release-drafter.yml

@@ -5,7 +5,7 @@ template: |
   # Changelog
   $CHANGES
 
-  See details of [all code changes](https://github.com/github-community-projects/private-mirrors/compare/$PREVIOUS_TAG...v$RESOLVED_VERSION) since previous release
+  See details of [all code changes](https://github.com/$OWNER/$REPOSITORY/compare/$PREVIOUS_TAG...v$RESOLVED_VERSION) since previous release
 
 categories:
   - title: '🚀 Features'
@@ -32,14 +32,18 @@ version-resolver:
   major:
     labels:
       - 'breaking'
+      - 'major'
   minor:
     labels:
       - 'enhancement'
-      - 'fix'
+      - 'feature'
+      - 'minor'
   patch:
     labels:
+      - 'fix'
       - 'documentation'
       - 'maintenance'
+      - 'patch'
   default: patch
 autolabeler:
   - label: 'automation'

.github/workflows/auto-labeler.yml

@@ -12,13 +12,10 @@ permissions:
 jobs:
   main:
     permissions:
-      contents: write
+      contents: read
       pull-requests: write
-    name: Auto label pull requests
-    runs-on: ubuntu-latest
-    steps:
-      - uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # pin@v6
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          config-name: release-drafter.yml
+    uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@6a0a6d0de2227f9d5d11af90a87b2e2fd6b5463d
+    with:
+      config-name: release-drafter.yml
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr-title.yml

@@ -6,6 +6,7 @@ on:
   pull_request_target:
     types:
       - opened
+      - reopened
       - edited
       - synchronize
 
@@ -15,27 +16,9 @@ permissions:
 jobs:
   main:
     permissions:
+      contents: read
       pull-requests: read
       statuses: write
-    name: Validate PR title
-    runs-on: ubuntu-latest
-    steps:
-      - uses: amannn/action-semantic-pull-request@40166f00814508ec3201fc8595b393d451c8cd80 # pin@v5
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          # Configure which types are allowed (newline-delimited).
-          # From: https://github.com/commitizen/conventional-commit-types/blob/master/index.json
-          # listing all below
-          types: |
-            build
-            chore
-            ci
-            docs
-            feat
-            fix
-            perf
-            refactor
-            revert
-            style
-            test
+    uses: github/ospo-reusable-workflows/.github/workflows/pr-title.yaml@6a0a6d0de2227f9d5d11af90a87b2e2fd6b5463d
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -13,26 +13,31 @@ permissions:
   contents: read
 
 jobs:
-  create_release:
-    # release if
-    # manual deployment OR
-    # merged to main and labelled with release labels
-    if: |
-      (github.event_name == 'workflow_dispatch') ||
-      (github.event.pull_request.merged == true &&
-      (contains(github.event.pull_request.labels.*.name, 'breaking') ||
-      contains(github.event.pull_request.labels.*.name, 'feature') ||
-      contains(github.event.pull_request.labels.*.name, 'vuln') ||
-      contains(github.event.pull_request.labels.*.name, 'release')))
-    runs-on: ubuntu-latest
+  release:
     permissions:
       contents: write
       pull-requests: read
-    steps:
-      - uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # pin@v6
-        id: release-drafter
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          config-name: release-drafter.yml
-          publish: true
+    uses: github/ospo-reusable-workflows/.github/workflows/release.yaml@6a0a6d0de2227f9d5d11af90a87b2e2fd6b5463d
+    with:
+      publish: true
+      release-config-name: release-drafter.yml
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
+  release_image:
+    needs: release
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
+    uses: github/ospo-reusable-workflows/.github/workflows/release-image.yaml@6a0a6d0de2227f9d5d11af90a87b2e2fd6b5463d
+    with:
+      image-name: ${{ github.repository }}
+      full-tag: ${{ needs.release.outputs.full-tag }}
+      short-tag: ${{ needs.release.outputs.short-tag }}
+      create-attestation: true
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
+      image-registry: ghcr.io
+      image-registry-username: ${{ github.actor }}
+      image-registry-password: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/scorecard.yml

@@ -36,12 +36,12 @@ jobs:
           results_format: sarif
           publish_results: true
       - name: 'Upload artifact'
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
       - name: 'Upload to code-scanning'
-        uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
         with:
           sarif_file: results.sarif

Dockerfile

@@ -15,6 +15,13 @@ ENV NEXT_TELEMETRY_DISABLED 1
 RUN npm run build
 
 FROM node:22-alpine@sha256:c06bea602e410a3321622c7782eb35b0afb7899d9e28300937ebf2e521902555 AS runner
+LABEL maintainer="@github" \
+    org.opencontainers.image.url="https://github.com/github-community-projects/private-mirrors" \
+    org.opencontainers.image.source="https://github.com/github-community-projects/private-mirrors" \
+    org.opencontainers.image.documentation="https://github.com/github-community-projects/private-mirrors" \
+    org.opencontainers.image.vendor="GitHub Community Projects" \
+    org.opencontainers.image.description="A GitHub App that allows you to contribute upstream using private mirrors of public projects."
+
 RUN apk add --no-cache git
 WORKDIR /app