Merged
31 changes: 31 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,31 @@
version: 2

updates:
# 1) GitHub Actions
- package-ecosystem: github-actions
directory: / # GitHub scans .github/workflows from here
schedule:
interval: weekly
day: monday
time: "03:00"
open-pull-requests-limit: 5
assignees: ["OlivierBBB", "letypequividelespoubelles"]
labels: ["dependencies", "github-actions"]
commit-message:
prefix: "deps(actions)"
include: "scope"
groups:
core-actions-minor-patch:
update-types: ["minor", "patch"]
patterns:
- "actions/*"
- "github/*"
third-party-actions-minor-patch:
update-types: ["minor", "patch"]
patterns:
- "*"
exclude-patterns:
- "actions/*"
- "github/*"
cooldown:
default-days: 7
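Review bot: only the `github-actions` ecosystem is configured even though the `# 1) GitHub Actions` comment reads like the first entry of a numbered list, so anything the workflows fetch outside that ecosystem (for instance the tectonic release pinned via `TECTONIC_VERSION` and `TECTONIC_SHA256` in compile.yml) gets no Dependabot PRs and will need manual bumps of the version and the hash together. Either add a comment stating that this is intentional or drop the `1)` numbering so the file does not read as incomplete.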
48 changes: 34 additions & 14 deletions .github/workflows/compile.yml
@@ -1,32 +1,52 @@
name: Build & Upload the Specification

on:
push:
branches: [ main ]
workflow_dispatch:

permissions: {} # lock everything by default (least-privilege)

jobs:
archive-build-spec:
name: Build & Upload Specification PDF
permissions:
contents: read
Copilot AI Feb 11, 2026

permissions: {} at the workflow level removes all default GITHUB_TOKEN scopes, but this job later uploads an artifact. actions/upload-artifact typically requires the token to have actions: write; with only contents: read granted here, the upload step may be denied. Consider adding the minimal required actions permission at the job level (or to just the upload step via a separate job if you want to keep tighter scoping).

Suggested change
contents: read
contents: read
actions: write

Collaborator

@eloi010 is that @copilot comment valid?

Collaborator Author

I think it is not. That said, the original workflow never ran with restricted permissions, so this hasn't been tested empirically for this repo. The workflow dispatch will be the definitive proof. If the upload step fails with a 403, then adding actions: write is the fix, but I don't expect it to.

runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Checkout
uses: actions/checkout@v6
with:
persist-credentials: false
- name: Install JetBrainsMono
run: mkdir JetBrainsMono
&& cd JetBrainsMono
&& wget https://download.jetbrains.com/fonts/JetBrainsMono-2.304.zip
&& unzip JetBrainsMono-2.304.zip
&& sudo mv fonts/ttf/*.ttf /usr/share/fonts/
&& cd -
- name: Install fontawesome
run: sudo apt-get install fonts-font-awesome
env:
JETBRAINS_MONO_SHA256: "6f6376c6ed2960ea8a963cd7387ec9d76e3f629125bc33d1fdcd7eb7012f7bbf"
run: |
wget -q --secure-protocol=TLSv1_2 https://download.jetbrains.com/fonts/JetBrainsMono-2.304.zip -O JetBrainsMono.zip
echo "${JETBRAINS_MONO_SHA256} JetBrainsMono.zip" | sha256sum -c
unzip -q JetBrainsMono.zip -d JetBrainsMono
sudo mv JetBrainsMono/fonts/ttf/*.ttf /usr/share/fonts/
rm -rf JetBrainsMono JetBrainsMono.zip
- name: Install system packages
run: |
sudo apt-get update
sudo apt-get install -y --fix-missing fonts-font-awesome texlive-full
- name: Install tectonic
run: curl --proto '=https' --tlsv1.2 -fsSL https://drop-sh.fullyjustified.net |sh
- name: Install lualatex
# run: sudo apt-get install texlive-latex-base && sudo apt install texlive-luatex && sudo apt-get install texlive-latex-extra
run: sudo apt-get update && sudo apt install texlive-full --fix-missing
env:
TECTONIC_VERSION: "0.15.0"
TECTONIC_SHA256: "875fbbc9ab48560d7776088c608e0beee49197b57ab4a2f6c5385b2c661c842f"
run: |
curl --proto '=https' --tlsv1.2 -fsSL \
"https://github.com/tectonic-typesetting/tectonic/releases/download/tectonic%40${TECTONIC_VERSION}/tectonic-${TECTONIC_VERSION}-x86_64-unknown-linux-gnu.tar.gz" \
-o tectonic.tar.gz
echo "${TECTONIC_SHA256} tectonic.tar.gz" | sha256sum -c
tar xzf tectonic.tar.gz
sudo install -m 755 tectonic /usr/local/bin/tectonic
rm tectonic.tar.gz tectonic
- name: Compile Specification
run: make ospec
- name: Upload the Specification
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v6
with:
name: specification.pdf
path: spec/_all_spec.pdf
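Review bot: the action references in this hunk are pinned by major tag (`actions/checkout@v6`, `actions/upload-artifact@v6`) while the JetBrainsMono and tectonic downloads in the same hunk are pinned by SHA-256, which leaves the actions as the one input whose content can change without a diff here, since a tag can be moved to another commit by whoever controls the upstream repository. For a consistent integrity story pin the actions by full commit SHA with a `# vN` comment after each one; Dependabot, which this PR enables for the `github-actions` ecosystem, keeps SHA-pinned references and their version comments up to date just as it does tags.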
2 changes: 2 additions & 0 deletions .github/workflows/security-code-scanner.yml
Expand Up @@ -15,6 +15,8 @@ on:
required: false
workflow_dispatch:

permissions: {} # lock everything by default (least-privilege)

jobs:
security-scan:
uses: MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@v2
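Review bot: with `permissions: {}` now set at the workflow level, the `security-scan` job that calls the reusable `MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@v2` can only pass on scopes granted in its own job-level `permissions:` block, and none is visible in this hunk (the rest of the job is not shown in the diff). A scanner that uploads results typically needs at least `security-events: write` alongside `contents: read`; confirm the job grants whatever the called workflow declares, otherwise the upload step will start failing once this merges.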
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -7,7 +7,7 @@ recompile-%: lua_build
cd $* && tectonic -X compile _all_$*.tex

buildOnGithub-%: lua_build
cd $* && ../tectonic -X compile _all_$*.tex
cd $* && tectonic -X compile _all_$*.tex

alu: view-alu
blake: view-blake_data
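Review bot: after dropping the `../` prefix, `buildOnGithub-%` and `recompile-%` have identical recipes (`cd $* && tectonic -X compile _all_$*.tex`) and the same `lua_build` prerequisite, so the two will drift apart silently the next time one is edited. Consider making `buildOnGithub-%` an alias (`buildOnGithub-%: recompile-%` with no recipe) or removing it, and note in a comment that the target now relies on the workflow's `install -m 755 tectonic /usr/local/bin/tectonic` step putting the binary on `PATH`.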