chore: repo updates#12
Conversation
There was a problem hiding this comment.
Pull request overview
Updates repository automation and packaging configuration, replacing the previous release/dependabot workflows and adding support scripts for local development hooks.
Changes:
- Add a Composer script for installing CaptainHook git hooks.
- Replace the Release Please workflow/config with a new “Release” workflow that runs on merged PRs.
- Update distribution exports via
.gitattributesand remove the Dependabot auto-merge workflow.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| composer.json | Adds install-hooks Composer script to install enabled CaptainHook hooks. |
| .github/workflows/release.yml | Introduces a new release workflow triggered on merged PR close events. |
| .github/workflows/release-please.yml | Removes the existing Release Please workflow. |
| .github/workflows/dependabot-auto-merge.yml | Removes the existing Dependabot auto-merge workflow. |
| .github/release-please-config.json | Removes Release Please configuration no longer used. |
| .gitattributes | Excludes additional tooling/config/docs files from exported archives. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| pull_request: | ||
| types: [ closed ] | ||
|
|
||
| jobs: | ||
| release: | ||
| if: github.event.pull_request.merged == true | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| with: | ||
| ref: ${{ github.event.pull_request.merge_commit_sha }} |
There was a problem hiding this comment.
This workflow runs on pull_request (closed) but performs write operations (contents: write, creating/updating releases). For PRs coming from forks, GitHub Actions restricts the GITHUB_TOKEN to read-only on pull_request events regardless of the permissions block, which can cause the release step to fail. If releases should run for fork-based contributions, consider triggering on push to main after merge, or using pull_request_target with appropriate hardening (checkout the merge commit SHA and avoid running untrusted code).
| pull_request: | |
| types: [ closed ] | |
| jobs: | |
| release: | |
| if: github.event.pull_request.merged == true | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ github.event.pull_request.merge_commit_sha }} | |
| push: | |
| branches: | |
| - main | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ github.sha }} |
| /CHANGELOG.md export-ignore | ||
| /README.md export-ignore |
There was a problem hiding this comment.
The new export-ignore entries for CHANGELOG.md and README.md don't follow the column alignment used in the rest of this file (see lines 5-13). Aligning spacing keeps the file consistent and easier to scan.
| /CHANGELOG.md export-ignore | |
| /README.md export-ignore | |
| /CHANGELOG.md export-ignore | |
| /README.md export-ignore |
No description provided.