Chore/release setup

.github/workflows/codeql.yml

@@ -1,21 +1,14 @@
 ---
 name: "CodeQL Analysis"
 
-"on":
-  push:
-    branches: ["main"]
+on:
   pull_request:
-    branches: ["main"]
+    branches: [main]
+    types: [opened, synchronize, reopened, ready_for_review]
   schedule:
     - cron: "23 2 * * 1"  # Weekly on Mondays at 2:23 AM UTC
   workflow_dispatch: {}
 
-permissions:
-  security-events: write
-  contents: read
-  actions: read
-  packages: read
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -27,6 +20,8 @@ jobs:
     timeout-minutes: 360
     permissions:
       security-events: write
+      contents: read
+      actions: read
       packages: read
 
     strategy:
@@ -40,13 +35,13 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
           queries: +security-extended,security-and-quality
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/publish.yaml

@@ -66,23 +66,23 @@ jobs:
             if git show origin/gh-pages:last_run.txt >/dev/null 2>&1; then
               TIMESTAMP=$(git show origin/gh-pages:last_run.txt)
               echo "$TIMESTAMP" > last_run.txt
-              echo "🔄 Restored last_run.txt from gh-pages: \`$TIMESTAMP\`" >> $GITHUB_STEP_SUMMARY
+              echo "🔄 Restored last_run.txt from gh-pages: \`$TIMESTAMP\`" >> "$GITHUB_STEP_SUMMARY"
             else
-              echo "⚠️ last_run.txt not found on gh-pages branch" >> $GITHUB_STEP_SUMMARY
+              echo "⚠️ last_run.txt not found on gh-pages branch" >> "$GITHUB_STEP_SUMMARY"
             fi
 
             if git show origin/gh-pages:posts_data.json >/dev/null 2>&1; then
               git show origin/gh-pages:posts_data.json > posts_data.json
-              echo "🔄 Restored posts_data.json from gh-pages" >> $GITHUB_STEP_SUMMARY
+              echo "🔄 Restored posts_data.json from gh-pages" >> "$GITHUB_STEP_SUMMARY"
             else
-              echo "⚠️ posts_data.json not found on gh-pages branch" >> $GITHUB_STEP_SUMMARY
+              echo "⚠️ posts_data.json not found on gh-pages branch" >> "$GITHUB_STEP_SUMMARY"
             fi
           else
-            echo "🆕 gh-pages branch does not exist yet; skipping last_run restore" >> $GITHUB_STEP_SUMMARY
+            echo "🆕 gh-pages branch does not exist yet; skipping last_run restore" >> "$GITHUB_STEP_SUMMARY"
           fi
 
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7
         with:
           version: "latest"
           python-version: "3.12"
@@ -107,14 +107,16 @@ jobs:
           PAGES_REPO: ${{ github.repository }}
           FORCE_FULL_REGEN: ${{ github.event.inputs.force_full_regen || 'false' }}
         run: |
-          echo "## 🏗️ Site Generation" >> $GITHUB_STEP_SUMMARY
-          echo "- 👤 Dev.to: \`${DEVTO_USERNAME}\`" >> $GITHUB_STEP_SUMMARY
-          echo "- 📦 Repo: \`${{ github.repository }}\`" >> $GITHUB_STEP_SUMMARY
+          {
+            echo "## 🏗️ Site Generation"
+            echo "- 👤 Dev.to: \`${DEVTO_USERNAME}\`"
+            echo "- 📦 Repo: \`${{ github.repository }}\`"
+          } >> "$GITHUB_STEP_SUMMARY"
           uv run python -m devto_mirror.site_generation.generator
 
       - name: Note site generation success
         if: steps.generate.outputs.no_new_posts != 'true'
-        run: echo "✅ Generated" >> $GITHUB_STEP_SUMMARY
+        run: echo "✅ Generated" >> "$GITHUB_STEP_SUMMARY"
 
       - name: Prepare timestamp-only deployment
         if: steps.generate.outputs.no_new_posts == 'true'
@@ -126,7 +128,7 @@ jobs:
       - name: Deploy timestamp-only update
         if: steps.generate.outputs.no_new_posts == 'true'
         timeout-minutes: 5
-        uses: peaceiris/actions-gh-pages@v4
+        uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./_deploy
@@ -140,16 +142,16 @@ jobs:
       - name: Validate generated site
         if: steps.generate.outputs.no_new_posts != 'true'
         run: |
-          echo "## ✅ Site Validation" >> $GITHUB_STEP_SUMMARY
+          echo "## ✅ Site Validation" >> "$GITHUB_STEP_SUMMARY"
           uv run python scripts/validate_site_generation.py
-          echo "✅ Validation passed" >> $GITHUB_STEP_SUMMARY
+          echo "✅ Validation passed" >> "$GITHUB_STEP_SUMMARY"
 
       - name: Generate sitemap and index
         if: steps.generate.outputs.no_new_posts != 'true'
         run: |
-          echo "## 📄 Generating Sitemap" >> $GITHUB_STEP_SUMMARY
+          echo "## 📄 Generating Sitemap" >> "$GITHUB_STEP_SUMMARY"
           uv run python -m devto_mirror.site_generation.renderer
-          echo "✅ Sitemap generated" >> $GITHUB_STEP_SUMMARY
+          echo "✅ Sitemap generated" >> "$GITHUB_STEP_SUMMARY"
 
       - name: Prepare deployment directory
         if: steps.generate.outputs.no_new_posts != 'true'
@@ -183,7 +185,7 @@ jobs:
       - name: Deploy to gh-pages
         if: steps.generate.outputs.no_new_posts != 'true'
         timeout-minutes: 5
-        uses: peaceiris/actions-gh-pages@v4
+        uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./_deploy

.github/workflows/release-please.yml

@@ -0,0 +1,33 @@
+name: Release Please
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch: {}
+
+permissions:
+  contents: write
+  pull-requests: write
+  issues: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+
+    steps:
+      - name: Run Release Please
+        id: release
+        uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
+        with:
+          config-file: release-please-config.json
+          manifest-file: .release-please-manifest.json

.github/workflows/security-ci.yml

@@ -1,10 +1,8 @@
 name: Security and Quality CI
 
 on:
-  push:
-    branches: [main]
   pull_request:
-    types: [opened, synchronize, reopened]
+    types: [opened, synchronize, reopened, ready_for_review]
   workflow_dispatch: {}
 
 permissions:
@@ -25,24 +23,24 @@ jobs:
           fetch-depth: 0
 
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7
         with:
           version: "latest"
           python-version: "3.12"
           enable-cache: true
 
       - name: Install dependencies
         run: |
-          echo "## 🔧 Installing dependencies" >> $GITHUB_STEP_SUMMARY
+          echo "## 🔧 Installing dependencies" >> "$GITHUB_STEP_SUMMARY"
           uv sync --locked --group dev
           make install
-          echo "✅ Dependencies installed" >> $GITHUB_STEP_SUMMARY
+          echo "✅ Dependencies installed" >> "$GITHUB_STEP_SUMMARY"
 
       - name: Run validation
         run: |
-          echo "## 🔍 Validation Results" >> $GITHUB_STEP_SUMMARY
+          echo "## 🔍 Validation Results" >> "$GITHUB_STEP_SUMMARY"
           make ai-checks
-          echo "✅ All checks passed" >> $GITHUB_STEP_SUMMARY
+          echo "✅ All checks passed" >> "$GITHUB_STEP_SUMMARY"
 
       - name: Generate coverage and reports
         run: |

.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "0.1.0"
+}

lefthook.yml

@@ -15,6 +15,9 @@ pre-commit:
     security:
       run: make security
       stage_fixed: true
+    actionlint:
+      glob: ".github/workflows/*.y*ml"
+      run: actionlint {staged_files}
 
 pre-push:
   parallel: true
@@ -25,3 +28,5 @@ pre-push:
       run: uv run python scripts/check_detect_secrets.py
     validate-site:
       run: uv run python scripts/validate_site_generation.py
+    actionlint:
+      run: actionlint

release-please-config.json

@@ -0,0 +1,14 @@
+{
+  "release-type": "python",
+  "include-component-in-tag": false,
+  "packages": {
+    ".": {
+      "release-type": "python",
+      "package-name": "devto-mirror",
+      "extra-files": [
+        "pyproject.toml",
+        "src/devto_mirror/__init__.py"
+      ]
+    }
+  }
+}