chore: update workflows

.github/workflows/automerge.yml

@@ -1,4 +1,4 @@
-name: "Auto Merge"
+name: Auto-merge
 on:
   pull_request_target:
     types:
@@ -17,10 +17,11 @@ on:
 
 jobs:
   auto-merge:
-    name: Auto Merge
+    name: Auto-merge
     runs-on: ubuntu-latest
     steps:
-      - uses: reitermarkus/automerge@v2
+      - name: Enable auto-merge if PR is ready
+        uses: reitermarkus/automerge@v2
         with:
           token: ${{ secrets.PUSH_TO_PROTECTED_BRANCH }}
           merge-method: squash

.github/workflows/codeql.yml

@@ -0,0 +1,32 @@
+name: CodeQL
+on:
+  push:
+    branches: [master, next]
+  pull_request:
+    branches: [next]
+  schedule:
+    - cron: '38 22 * * 6'
+
+jobs:
+  codeql:
+    name: CodeQL
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['javascript']
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+      - name: Analyze
+        uses: github/codeql-action/analyze@v3

.github/workflows/dependabot.yml

@@ -0,0 +1,27 @@
+name: Approve PR (dependabot)
+on:
+  pull_request_target:
+    branches: [next]
+
+permissions:
+  pull-requests: write
+  issues: write
+  contents: write
+
+jobs:
+  approve-pr:
+    name: Approve PR
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Fetch metadata
+        id: metadata
+        uses: dependabot/[email protected]
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Approve PR if non-major update
+        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ secrets.PUSH_TO_PROTECTED_BRANCH }}

.github/workflows/labeler.yml

@@ -1,4 +1,4 @@
-name: "Labeler"
+name: Labeler
 on:
   issues:
     types: [opened, edited]
@@ -11,7 +11,8 @@ jobs:
     if: github.actor != 'dependabot[bot]'
     runs-on: ubuntu-latest
     steps:
-      - uses: ZPTXDev/issue-labeler@master
+      - name: Assign Labels
+        uses: ZPTXDev/issue-labeler@master
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           configuration-path: .github/labeler.yml

.github/workflows/automate.yml → .github/workflows/release.yml

@@ -1,44 +1,69 @@
-name: 'General Automation'
+name: Release
 on:
   push:
     branches: [ master, next ]
-  pull_request_target:
-    branches: next
-
-permissions:
-  pull-requests: write
-  issues: write
-  contents: write
 
 jobs:
-  approve-pr-dependabot:
-    name: Approve PR (dependabot)
-    if: github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]'
+  semantic-release:
+    name: Semantic Release
+    if: github.repository_owner == 'ZPTXDev'
     runs-on: ubuntu-latest
     steps:
-      - id: metadata
-        uses: dependabot/[email protected]
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.PUSH_TO_PROTECTED_BRANCH }}
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
         with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
-      - if: steps.metadata.outputs.update-type != 'version-update:semver-major'
-        run: gh pr review --approve "$PR_URL"
+          version: 9
+      - name: Use Node.js 18
+        uses: actions/setup-node@v4
+        with:
+          node-version: 18
+          cache: 'pnpm'
+      - name: Install dependencies
+        run: pnpm install
+      - name: Run tests
+        run: pnpm test
+      - name: Build
+        run: pnpm run build
+      - name: Release
+        uses: cycjimmy/semantic-release-action@v4
+        with:
+          branches: |
+            [
+              'master',
+              { name: 'next', prerelease: true }
+            ]
+          extra_plugins: |
+            @semantic-release/git
+            https://github.com/ZPTXDev/semantic-release-github-milestones#master
         env:
-          PR_URL: ${{ github.event.pull_request.html_url }}
           GITHUB_TOKEN: ${{ secrets.PUSH_TO_PROTECTED_BRANCH }}
-  publish-docs:
-    name: Publish Docs
-    if: github.event_name == 'push' && github.repository_owner == 'ZPTXDev'
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  update-docs:
+    name: Update Docs
+    needs: semantic-release
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@v4
         with:
           token: ${{ secrets.PUSH_TO_PROTECTED_BRANCH }}
-      - uses: actions/setup-node@v4
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 9
+      - name: Use Node.js 18
+        uses: actions/setup-node@v4
         with:
           node-version: 18
-      - run: npm ci
-      - run: npm run build
-      - run: npm test
+          cache: 'pnpm'
+      - name: Install dependencies
+        run: pnpm install
+      - name: Build
+        run: pnpm run build
       - run: npx typedoc src/index.ts --name "${{ github.event.repository.name }} (${{ github.ref_name }})"
       - uses: JamesIves/github-pages-deploy-action@v4
         with:
@@ -50,28 +75,3 @@ jobs:
           git-config-name: zptx-bot
           git-config-email: [email protected]
           clean: false
-  semantic-release:
-    name: Semantic Release
-    if: github.event_name == 'push' && github.repository_owner == 'ZPTXDev'
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.PUSH_TO_PROTECTED_BRANCH }}
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 18
-      - run: npm ci && npm run build
-      - uses: cycjimmy/semantic-release-action@v4
-        with:
-          branches: |
-            [
-              'master',
-              {name: 'next', prerelease: true}
-            ]
-          extra_plugins: |
-            @semantic-release/git
-            https://github.com/ZPTXDev/semantic-release-github-milestones#master
-        env:
-          GITHUB_TOKEN: ${{ secrets.PUSH_TO_PROTECTED_BRANCH }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}