feat: restructure build process

.github/semantic.yml

@@ -0,0 +1,23 @@
+---
+commitsOnly: true
+anyCommit: true
+allowMergeCommits: true
+allowRevertCommits: true
+
+types:
+  - feat
+  - fix
+  - docs
+  - style
+  - refactor
+  - perf
+  - test
+  - build
+  - ci
+  - chore
+  - revert
+  - major
+  - minor
+  - patch
+
+...

.github/settings.yml

@@ -11,8 +11,8 @@ repository:
 
   default_branch: master
 
+  allow_merge_commit: false
   allow_squash_merge: true
-  allow_merge_commit: true
   allow_rebase_merge: true
 
   allow_update_branch: true
@@ -21,23 +21,75 @@ repository:
   enable_automated_security_fixes: true
   enable_vulnerability_alerts: true
 
-branches:
-  - name: master
-    protection:
-      required_pull_request_reviews: null
-      required_status_checks:
-        strict: true
-        contexts: []
-      enforce_admins: false
-      restrictions:
-        apps:
-          - dockhippie
-          - renovate
-        users: []
-        teams:
-          - admins
-          - bots
-          - members
+rulesets:
+  - name: prevent destruction
+    target: branch
+    enforcement: active
+    conditions:
+      ref_name:
+        include:
+          - "~DEFAULT_BRANCH"
+        exclude: []
+    rules:
+      - type: required_linear_history
+      - type: deletion
+      - type: non_fast_forward
+
+  - name: check verification
+    target: branch
+    enforcement: active
+    conditions:
+      ref_name:
+        include:
+          - "~DEFAULT_BRANCH"
+        exclude: []
+    rules:
+      - type: required_status_checks
+        parameters:
+          strict_required_status_checks_policy: true
+          required_status_checks:
+            - context: Semantic PR
+              integration_id: 198092
+    bypass_actors:
+      - actor_id: 1
+        actor_type: OrganizationAdmin
+        bypass_mode: always
+      - actor_id: 951565 # app
+        actor_type: Integration
+        bypass_mode: always
+      - actor_id: 6277016 # bots
+        actor_type: Team
+        bypass_mode: always
+
+  - name: require reviewing
+    target: branch
+    enforcement: active
+    conditions:
+      ref_name:
+        include:
+          - "~DEFAULT_BRANCH"
+        exclude: []
+    rules:
+      - type: pull_request
+        parameters:
+          allowed_merge_methods:
+            - squash
+            - rebase
+          dismiss_stale_reviews_on_push: false
+          require_code_owner_review: false
+          require_last_push_approval: false
+          required_approving_review_count: 0
+          required_review_thread_resolution: false
+    bypass_actors:
+      - actor_id: 1
+        actor_type: OrganizationAdmin
+        bypass_mode: always
+      - actor_id: 951565 # app
+        actor_type: Integration
+        bypass_mode: always
+      - actor_id: 6277016 # bots
+        actor_type: Team
+        bypass_mode: always
 
 teams:
   - name: admins

.github/workflows/automerge.yml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
 name: automerge
 
 "on":
@@ -10,6 +11,7 @@ name: automerge
 permissions:
   contents: write
   pull-requests: write
+  issues: write
 
 jobs:
   dependabot:
@@ -18,7 +20,6 @@ jobs:
 
     steps:
       - name: Generate token
-        id: token
         uses: tibdex/github-app-token@v2
         with:
           app_id: ${{ secrets.TOKEN_EXCHANGE_APP }}
@@ -29,19 +30,16 @@ jobs:
             {"contents": "write", "pull_requests": "write", "issues": "write"}
 
       - name: Fetch metadata
-        id: metadata
         uses: dependabot/fetch-metadata@v2
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Approve request
-        id: approve
         run: gh pr review --approve "${{github.event.pull_request.html_url}}"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Enable automerge
-        id: automerge
         run: gh pr merge --rebase --auto "${{github.event.pull_request.html_url}}"
         env:
           GH_TOKEN: ${{ steps.token.outputs.token }}

.github/workflows/docker.yml

@@ -1,7 +1,9 @@
 ---
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
 name: latest
 
 "on":
+  workflow_dispatch:
   push:
     branches:
       - master
@@ -14,15 +16,26 @@ name: latest
     paths:
       - latest/*
       - .github/workflows/docker.yml
-  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
 
 jobs:
   docker:
     runs-on: ubuntu-latest
 
+    strategy:
+      fail-fast: false
+      matrix:
+        variant:
+          - arch: amd64
+            platform: linux/amd64
+          - arch: arm64
+            platform: linux/arm64
+
     steps:
       - name: Checkout source
-        id: source
         uses: actions/checkout@v5
 
       - name: Docker meta
@@ -39,23 +52,20 @@ jobs:
             maintainer=Thomas Boerger <thomas@webhippie.de>
 
       - name: Setup QEMU
-        id: qemu
         uses: docker/setup-qemu-action@v3
 
       - name: Setup Buildx
         id: buildx
         uses: docker/setup-buildx-action@v3
 
       - name: Hub login
-        id: login1
         uses: docker/login-action@v3
         if: github.event_name != 'pull_request'
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Quay login
-        id: login2
         uses: docker/login-action@v3
         if: github.event_name != 'pull_request'
         with:
@@ -64,50 +74,41 @@ jobs:
           password: ${{ secrets.QUAY_PASSWORD }}
 
       - name: Ghcr login
-        id: login3
         uses: docker/login-action@v3
         if: github.event_name != 'pull_request'
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build amd64
-        id: amd64
+      - name: Build image
         uses: docker/build-push-action@v6
         with:
           builder: ${{ steps.buildx.outputs.name }}
           context: latest/
           provenance: false
-          file: latest/Dockerfile.amd64
-          platforms: linux/amd64
+          file: latest/Dockerfile.${{ matrix.variant.arch }}
+          platforms: ${{ matrix.variant.platform }}
           push: ${{ github.event_name != 'pull_request' }}
           labels: ${{ steps.meta.outputs.labels }}
           tags: |
-            webhippie/java:latest-amd64
-            quay.io/webhippie/java:latest-amd64
-            ghcr.io/dockhippie/java:latest-amd64
+            webhippie/java:latest-${{ matrix.variant.arch }}
+            quay.io/webhippie/java:latest-${{ matrix.variant.arch }}
+            ghcr.io/dockhippie/java:latest-${{ matrix.variant.arch }}
 
-      - name: Build arm64
-        id: arm64
-        uses: docker/build-push-action@v6
-        with:
-          builder: ${{ steps.buildx.outputs.name }}
-          context: latest/
-          provenance: false
-          file: latest/Dockerfile.arm64
-          platforms: linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
-          labels: ${{ steps.meta.outputs.labels }}
-          tags: |
-            webhippie/java:latest-arm64
-            quay.io/webhippie/java:latest-arm64
-            ghcr.io/dockhippie/java:latest-arm64
+  manifest:
+    runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request'
+
+    needs:
+      - docker
+
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v5
 
       - name: Hub manifest
-        id: manifest1
         uses: actionhippie/manifest@v1
-        if: github.event_name != 'pull_request'
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
@@ -117,9 +118,7 @@ jobs:
           ignore_missing: true
 
       - name: Quay manifest
-        id: manifest2
         uses: actionhippie/manifest@v1
-        if: github.event_name != 'pull_request'
         with:
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_PASSWORD }}
@@ -129,9 +128,7 @@ jobs:
           ignore_missing: true
 
       - name: Ghcr manifest
-        id: manifest3
         uses: actionhippie/manifest@v1
-        if: github.event_name != 'pull_request'
         with:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/readme.yml

@@ -1,13 +1,12 @@
 ---
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
 name: readme
 
 "on":
+  workflow_dispatch:
   push:
     branches:
       - master
-    paths:
-      - README.md
-  workflow_dispatch:
 
 jobs:
   readme:
@@ -17,18 +16,17 @@ jobs:
       - name: Checkout source
         uses: actions/checkout@v5
 
-      - name: Push readme
+      - name: Hub readme
         uses: actionhippie/pushrm@v1
-        if: github.event_name != 'pull_request'
         with:
           provider: dockerhub
           target: webhippie/java
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-          description: Docker image for java
+          description: Docker image for Java
           readme: README.md
 
-      - name: Push readme
+      - name: Quay readme
         uses: actionhippie/pushrm@v1
         with:
           provider: quay