dockhippie
diff --git a/‎.github/renovate.json‎
Lines changed: 4 additions & 4 deletions b/‎.github/renovate.json‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎.github/semantic.yml‎
Lines changed: 23 additions & 0 deletions b/‎.github/semantic.yml‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎.github/settings.yml‎
Lines changed: 70 additions & 18 deletions b/‎.github/settings.yml‎
Lines changed: 70 additions & 18 deletions
diff --git a/‎.github/workflows/automerge.yml‎
Lines changed: 2 additions & 4 deletions b/‎.github/workflows/automerge.yml‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎.github/workflows/docker.yml‎
Lines changed: 32 additions & 49 deletions b/‎.github/workflows/docker.yml‎
Lines changed: 32 additions & 49 deletions
diff --git a/‎.github/workflows/readme.yml‎
Lines changed: 5 additions & 7 deletions b/‎.github/workflows/readme.yml‎
Lines changed: 5 additions & 7 deletions
@@ -6,10 +6,10 @@
     "packageRules": [
         {
             "description": "Update tags without merge",
-            "datasources": [
+            "matchDatasources": [
                 "github-tags"
             ],
-            "updateTypes": [
+            "matchUpdateTypes": [
                 "major",
                 "minor"
             ],
@@ -21,10 +21,10 @@
         },
         {
             "description": "Update tags without merge",
-            "datasources": [
+            "matchDatasources": [
                 "github-tags"
             ],
-            "updateTypes": [
+            "matchUpdateTypes": [
                 "patch"
             ],
             "enabled": true,
 
@@ -0,0 +1,23 @@
+---
+commitsOnly: true
+anyCommit: true
+allowMergeCommits: true
+allowRevertCommits: true
+
+types:
+  - feat
+  - fix
+  - docs
+  - style
+  - refactor
+  - perf
+  - test
+  - build
+  - ci
+  - chore
+  - revert
+  - major
+  - minor
+  - patch
+
+...
@@ -11,8 +11,8 @@ repository:
 
   default_branch: master
 
+  allow_merge_commit: false
   allow_squash_merge: true
-  allow_merge_commit: true
   allow_rebase_merge: true
 
   allow_update_branch: true
@@ -21,23 +21,75 @@ repository:
   enable_automated_security_fixes: true
   enable_vulnerability_alerts: true
 
-branches:
-  - name: master
-    protection:
-      required_pull_request_reviews: null
-      required_status_checks:
-        strict: true
-        contexts: []
-      enforce_admins: false
-      restrictions:
-        apps:
-          - dockhippie
-          - renovate
-        users: []
-        teams:
-          - admins
-          - bots
-          - members
+rulesets:
+  - name: prevent destruction
+    target: branch
+    enforcement: active
+    conditions:
+      ref_name:
+        include:
+          - "~DEFAULT_BRANCH"
+        exclude: []
+    rules:
+      - type: required_linear_history
+      - type: deletion
+      - type: non_fast_forward
+
+  - name: check verification
+    target: branch
+    enforcement: active
+    conditions:
+      ref_name:
+        include:
+          - "~DEFAULT_BRANCH"
+        exclude: []
+    rules:
+      - type: required_status_checks
+        parameters:
+          strict_required_status_checks_policy: true
+          required_status_checks:
+            - context: Semantic PR
+              integration_id: 198092
+    bypass_actors:
+      - actor_id: 1
+        actor_type: OrganizationAdmin
+        bypass_mode: always
+      - actor_id: 951565 # app
+        actor_type: Integration
+        bypass_mode: always
+      - actor_id: 6277016 # bots
+        actor_type: Team
+        bypass_mode: always
+
+  - name: require reviewing
+    target: branch
+    enforcement: active
+    conditions:
+      ref_name:
+        include:
+          - "~DEFAULT_BRANCH"
+        exclude: []
+    rules:
+      - type: pull_request
+        parameters:
+          allowed_merge_methods:
+            - squash
+            - rebase
+          dismiss_stale_reviews_on_push: false
+          require_code_owner_review: false
+          require_last_push_approval: false
+          required_approving_review_count: 0
+          required_review_thread_resolution: false
+    bypass_actors:
+      - actor_id: 1
+        actor_type: OrganizationAdmin
+        bypass_mode: always
+      - actor_id: 951565 # app
+        actor_type: Integration
+        bypass_mode: always
+      - actor_id: 6277016 # bots
+        actor_type: Team
+        bypass_mode: always
 
 teams:
   - name: admins
 
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
 name: automerge
 
 "on":
@@ -10,6 +11,7 @@ name: automerge
 permissions:
   contents: write
   pull-requests: write
+  issues: write
 
 jobs:
   dependabot:
@@ -18,7 +20,6 @@ jobs:
 
     steps:
       - name: Generate token
-        id: token
         uses: tibdex/github-app-token@v2
         with:
           app_id: ${{ secrets.TOKEN_EXCHANGE_APP }}
@@ -29,19 +30,16 @@ jobs:
             {"contents": "write", "pull_requests": "write", "issues": "write"}
 
       - name: Fetch metadata
-        id: metadata
         uses: dependabot/fetch-metadata@v2
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Approve request
-        id: approve
         run: gh pr review --approve "${{github.event.pull_request.html_url}}"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Enable automerge
-        id: automerge
         run: gh pr merge --rebase --auto "${{github.event.pull_request.html_url}}"
         env:
           GH_TOKEN: ${{ steps.token.outputs.token }}
 
@@ -1,7 +1,9 @@
 ---
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
 name: latest
 
 "on":
+  workflow_dispatch:
   push:
     branches:
       - master
@@ -14,15 +16,28 @@ name: latest
     paths:
       - latest/*
       - .github/workflows/docker.yml
-  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
 
 jobs:
   docker:
     runs-on: ubuntu-latest
 
+    strategy:
+      fail-fast: false
+      matrix:
+        variant:
+          - arch: amd64
+            platform: linux/amd64
+          - arch: arm64
+            platform: linux/arm64
+          - arch: arm
+            platform: linux/arm/v6
+
     steps:
       - name: Checkout source
-        id: source
         uses: actions/checkout@v5
 
       - name: Docker meta
@@ -39,23 +54,20 @@ jobs:
             maintainer=Thomas Boerger <thomas@webhippie.de>
 
       - name: Setup QEMU
-        id: qemu
         uses: docker/setup-qemu-action@v3
 
       - name: Setup Buildx
         id: buildx
         uses: docker/setup-buildx-action@v3
 
       - name: Hub login
-        id: login1
         uses: docker/login-action@v3
         if: github.event_name != 'pull_request'
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Quay login
-        id: login2
         uses: docker/login-action@v3
         if: github.event_name != 'pull_request'
         with:
@@ -64,66 +76,41 @@ jobs:
           password: ${{ secrets.QUAY_PASSWORD }}
 
       - name: Ghcr login
-        id: login3
         uses: docker/login-action@v3
         if: github.event_name != 'pull_request'
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build amd64
-        id: amd64
+      - name: Build image
         uses: docker/build-push-action@v6
         with:
           builder: ${{ steps.buildx.outputs.name }}
           context: latest/
           provenance: false
-          file: latest/Dockerfile.amd64
-          platforms: linux/amd64
+          file: latest/Dockerfile.${{ matrix.variant.arch }}
+          platforms: ${{ matrix.variant.platform }}
           push: ${{ github.event_name != 'pull_request' }}
           labels: ${{ steps.meta.outputs.labels }}
           tags: |
-            webhippie/python:latest-amd64
-            quay.io/webhippie/python:latest-amd64
-            ghcr.io/dockhippie/python:latest-amd64
+            webhippie/python:latest-${{ matrix.variant.arch }}
+            quay.io/webhippie/python:latest-${{ matrix.variant.arch }}
+            ghcr.io/dockhippie/python:latest-${{ matrix.variant.arch }}
 
-      - name: Build arm64
-        id: arm64
-        uses: docker/build-push-action@v6
-        with:
-          builder: ${{ steps.buildx.outputs.name }}
-          context: latest/
-          provenance: false
-          file: latest/Dockerfile.arm64
-          platforms: linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
-          labels: ${{ steps.meta.outputs.labels }}
-          tags: |
-            webhippie/python:latest-arm64
-            quay.io/webhippie/python:latest-arm64
-            ghcr.io/dockhippie/python:latest-arm64
+  manifest:
+    runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request'
 
-      - name: Build arm
-        id: arm
-        uses: docker/build-push-action@v6
-        with:
-          builder: ${{ steps.buildx.outputs.name }}
-          context: latest/
-          provenance: false
-          file: latest/Dockerfile.arm
-          platforms: linux/arm/v6
-          push: ${{ github.event_name != 'pull_request' }}
-          labels: ${{ steps.meta.outputs.labels }}
-          tags: |
-            webhippie/python:latest-arm
-            quay.io/webhippie/python:latest-arm
-            ghcr.io/dockhippie/python:latest-arm
+    needs:
+      - docker
+
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v5
 
       - name: Hub manifest
-        id: manifest1
         uses: actionhippie/manifest@v1
-        if: github.event_name != 'pull_request'
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
@@ -133,9 +120,7 @@ jobs:
           ignore_missing: true
 
       - name: Quay manifest
-        id: manifest2
         uses: actionhippie/manifest@v1
-        if: github.event_name != 'pull_request'
         with:
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_PASSWORD }}
@@ -145,9 +130,7 @@ jobs:
           ignore_missing: true
 
       - name: Ghcr manifest
-        id: manifest3
         uses: actionhippie/manifest@v1
-        if: github.event_name != 'pull_request'
         with:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
@@ -1,13 +1,12 @@
 ---
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
 name: readme
 
 "on":
+  workflow_dispatch:
   push:
     branches:
       - master
-    paths:
-      - README.md
-  workflow_dispatch:
 
 jobs:
   readme:
@@ -17,18 +16,17 @@ jobs:
       - name: Checkout source
         uses: actions/checkout@v5
 
-      - name: Push readme
+      - name: Hub readme
         uses: actionhippie/pushrm@v1
-        if: github.event_name != 'pull_request'
         with:
           provider: dockerhub
           target: webhippie/python
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-          description: Docker image for python
+          description: Docker image for Python
           readme: README.md
 
-      - name: Push readme
+      - name: Quay readme
         uses: actionhippie/pushrm@v1
         with:
           provider: quay