ci: update workflows

.github/workflows/actionlint.yaml

@@ -1,13 +1,14 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Actionlint
+permissions: { contents: read }
 
 on:
   workflow_dispatch: {}
-  pull_request: {}
-
-permissions:
-  contents: read
+  pull_request:
+    paths:
+      - ".github/workflows/*.yaml"
+      - mise.toml
 
 jobs:
   actionlint:

.github/workflows/codeql.yml

@@ -6,8 +6,7 @@ on:
   workflow_dispatch: {}
   push: { branches: ["main"] }
   pull_request: { branches: ["main"] }
-  schedule:
-    - cron: '0 0 * * *'
+  schedule: [{cron: '0 0 * * *'}]
 
 permissions:
   security-events: write

.github/workflows/commitlint.yaml

@@ -1,13 +1,11 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Commitlint
+permissions: { contents: read }
 
 on:
   pull_request_target: {}
 
-permissions:
-  contents: read
-
 jobs:
   commitlint:
     runs-on: ubuntu-latest

.github/workflows/golangci-lint.yaml

@@ -1,10 +1,16 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: GolangCI Lint
+permissions: { contents: read }
 
 on:
   workflow_dispatch: {}
-  pull_request: {}
+  pull_request:
+    paths:
+      - .github/workflows/golangci-lint.yaml
+      - .golangci.yaml
+      - "**.go"
+      - mise.toml
 
 jobs:
   golangci-lint:

.github/workflows/goreleaser.yaml

@@ -1,23 +1,22 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Goreleaser
+permissions: { contents: read }
 
 on:
+  push: { tags: ["*"] }
   workflow_dispatch:
     inputs:
       dry-run:
         description: Dry Run
         required: false
         default: false
         type: boolean
-
-  push:
-    tags: ["*"]
-
   pull_request:
     paths:
       - .github/workflows/goreleaser.yaml
       - .goreleaser.yaml
+      - mise.toml
 
 jobs:
   goreleaser:
@@ -34,9 +33,7 @@ jobs:
       - name: Run goreleaser (dry-run)
         if: github.event_name == 'pull_request'
         run: goreleaser --snapshot
-        env:
-          TAP_GITHUB_TOKEN: "${{ secrets.GHCR_RW_TOKEN }}"
-
+        env: { TAP_GITHUB_TOKEN: "${{ secrets.GHCR_RW_TOKEN }}" }
 
       - name: Generate Token
         uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2

.github/workflows/label-sync.yaml

@@ -1,9 +1,10 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Label Sync
+permissions: { contents: read }
 
 on:
-  # Manual Trigger
+  schedule: [{ cron: "0 * * * *" }]
   workflow_dispatch:
     inputs:
       dry-run:
@@ -12,23 +13,17 @@ on:
         required: false
         type: boolean
 
-  # Dry Run on any PR that changes the labels config or the workflow
   pull_request:
     paths:
       - .github/workflows/label-sync.yaml
       - .github/labels.yaml
 
-  # "Wet" Run on any push to the main branch that changes the labels config or the workflow
   push:
     branches: ["main", "master"]
     paths:
       - .github/workflows/label-sync.yaml
       - .github/labels.yaml
 
-  # "Wet" Run hourly
-  schedule:
-    - cron: "0 * * * *"
-
 jobs:
   label-sync:
     runs-on: ubuntu-latest

.github/workflows/labeler.yaml

@@ -1,6 +1,7 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Labeler
+permissions: { contents: read }
 
 on:
   pull_request_target: {}

.github/workflows/release.yaml

@@ -1,8 +1,11 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Release
+permissions: { contents: read }
 
 on:
-  # Manually trigger a new release from the Actions tab
+  schedule: [{ cron: "0 0 * * *" }]
+  pull_request: { branches: ["main", "master"] }
   workflow_dispatch:
     inputs:
       version-increment:
@@ -22,13 +25,9 @@ on:
         required: false
         type: boolean
 
-  # Dry run on any PR to the main branch to make sure the workflow would run
-  # successfully before merging
-  pull_request:
-    branches: ["main"]
-
-  schedule:
-    - cron: "0 0 * * *"
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
+  cancel-in-progress: true
 
 jobs:
   release:

.github/workflows/renovate.yaml

@@ -1,8 +1,10 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Renovate
+permissions: { contents: read }
 
 on:
+  schedule: [{ cron: "0 * * * *" }]
   workflow_dispatch:
     inputs:
       dry-run:
@@ -14,21 +16,13 @@ on:
         description: Log Level
         type: choice
         default: debug
-        options:
-          - debug
-          - info
+        options: [ debug, info ]
         required: true
       version:
         description: Renovate Version
         default: latest
         required: true
 
-  schedule:
-    - cron: "0 * * * *"
-
-permissions:
-  contents: read
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
   cancel-in-progress: true

.github/workflows/test.yaml

@@ -1,10 +1,10 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Test
+permissions: { contents: read }
 
 on:
   workflow_dispatch: {}
-
   pull_request:
     paths:
       - .github/workflows/test.yaml
@@ -19,8 +19,7 @@ jobs:
 
       - name: Setup Go
         uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
-        with:
-          go-version-file: go.mod
+        with: { go-version-file: go.mod }
 
       - name: Run tests
         run: go test -v ./... -race -covermode=atomic

.github/workflows/trivy-scan.yaml

@@ -3,6 +3,8 @@
 name: Trivy
 
 on:
+  schedule: [{cron: "1 0 * * *"}]
+  pull_request: {}
   workflow_dispatch:
     inputs:
       dry-run:
@@ -11,16 +13,14 @@ on:
         default: false
         type: boolean
 
-  pull_request:
-    paths: [ ".github/workflows/trivy-scan.yaml" ]
-
-  schedule:
-    - cron: "1 0 * * *"
-
 permissions:
   security-events: write
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   scan:
     runs-on: ubuntu-latest

.github/workflows/yamllint.yaml

@@ -1,13 +1,15 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: YAML Lint
+permissions: { contents: read }
 
 on:
   workflow_dispatch: {}
-  pull_request: {}
-
-permissions:
-  contents: read
+  pull_request:
+    paths:
+      - .github/workflows/yamllint.yaml
+      - mise.toml
+      - "**.yaml"
 
 jobs:
   yamllint:

.mise.toml

@@ -13,7 +13,6 @@ k9s = "latest"
 # Linters
 actionlint = "latest"
 yamllint = "latest"
-"npm:markdownlint-cli" = "latest"
 "npm:@commitlint/cli" = "latest"
 
 

.renovaterc.json

@@ -8,29 +8,15 @@
         ":disableRateLimiting",
         ":semanticCommits",
         ":timezone(Europe/Bucharest)",
+        "github>mirceanton/renovate-config//auto-merge/all.json5",
         "github>mirceanton/renovate-config//labels/all.json5",
         "github>mirceanton/renovate-config//semantic-commits/all.json5"
     ],
     "packageRules": [
-        {
-            "description": "Auto-merge GitHub Actions",
-            "matchManagers": ["github-actions"],
-            "automerge": true,
-            "automergeType": "branch",
-            "matchUpdateTypes": ["minor", "patch", "digest", "pinDigest"],
-            "minimumReleaseAge": "7 days"
-        },
-        {
-            "description": "Auto-merge Mise Packages",
-            "matchManagers": ["mise"],
-            "automerge": true,
-            "automergeType": "branch",
-            "matchUpdateTypes": ["minor", "patch", "digest"],
-            "minimumReleaseAge": "7 days"
-        },
         {
             "description": "Auto-merge Helm Values",
             "matchManagers": ["helm-values"],
+            "matchPackageNames": ["/ghcr.io/mirceanton/external-dns-provider-mikrotik/"],
             "automerge": true,
             "automergeType": "branch",
             "matchUpdateTypes": ["major", "minor", "patch", "digest"]