Merge pull request #270 from AliMD/release/v0.15

Release: v0.15.0

.gitattributes

@@ -0,0 +1,3 @@
+deploy.sh  filter=crypt diff=crypt merge=crypt
+_up.sh  filter=crypt diff=crypt merge=crypt
+*.env  filter=crypt diff=crypt merge=crypt

.github/dependabot.yml

@@ -0,0 +1,13 @@
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/build.yaml

@@ -3,27 +3,44 @@
 name: Build
 
 on:
+  workflow_dispatch:
+
   pull_request:
+    branches:
+      - next*
+      - main
+      - release/*
+
   push:
     branches:
-      - next
+      - next*
       - main
       - release/*
 
 env:
-  NODE_VERSION: '16.x'
+  NODE_VERSION: latest
 
 jobs:
   build-ts:
+    name: Build Typescript
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      security-events: write
+
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout repository
+        uses: actions/checkout@v3
 
-      - uses: actions/setup-node@v3
+      - name: Setup nodejs
+        uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NODE_VERSION }}
-          cache: 'yarn'
+          cache: yarn
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
 
-      - run: yarn install --frozen-lockfile
-      - run: yarn build:ts
+      - name: Build Typescript
+        run: yarn build:ts

.github/workflows/codeql.yaml

@@ -0,0 +1,67 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: CodeQL
+
+on:
+  workflow_dispatch:
+
+  pull_request:
+    paths:
+      - '**.ts'
+      - '**.js'
+    branches:
+      - next*
+      - main
+      - release/*
+
+  push:
+    paths:
+      - '**.ts'
+      - '**.js'
+    branches:
+      - next*
+      - main
+      - release/*
+
+  schedule:
+    - cron: '0 7 * * 1'
+    #        * * * * *
+    #        │ │ │ │ │
+    #        │ │ │ │ └───── day of the week (0 - 6 or SUN-SAT)
+    #        │ │ │ └─────── month (1 - 12 or JAN-DEC)
+    #        │ │ └───────── day of the month (1 - 31)
+    #        │ └─────────── hour (0 - 23)
+    #        └───────────── minute (0 - 59)
+
+jobs:
+  analyze-code-ql:
+    name: CodeQL Analyze
+    runs-on: ubuntu-latest
+
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'TypeScript' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # queries: security-extended,security-and-quality
+
+      - name: Auto build
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2

.github/workflows/dependency-review.yaml

@@ -0,0 +1,21 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Dependency Review
+
+on:
+  pull_request:
+
+jobs:
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v3
+
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v2

.github/workflows/lint.yaml

@@ -3,27 +3,63 @@
 name: Lint
 
 on:
+  workflow_dispatch:
+
   pull_request:
+    branches:
+      - next*
+      - main
+      - release/*
+
   push:
     branches:
-      - next
+      - next*
       - main
       - release/*
 
+  schedule:
+    - cron: '0 7 * * 4'
+    #        * * * * *
+    #        │ │ │ │ │
+    #        │ │ │ │ └───── day of the week (0 - 6 or SUN-SAT)
+    #        │ │ │ └─────── month (1 - 12 or JAN-DEC)
+    #        │ │ └───────── day of the month (1 - 31)
+    #        │ └─────────── hour (0 - 23)
+    #        └───────────── minute (0 - 59)
+
 env:
-  NODE_VERSION: '16.x'
+  NODE_VERSION: latest
 
 jobs:
-  lint:
+  lint-ts:
+    name: ESLint Scanning
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      security-events: write
+
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout repository
+        uses: actions/checkout@v3
 
-      - uses: actions/setup-node@v3
+      - name: Setup nodejs
+        uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NODE_VERSION }}
-          cache: 'yarn'
+          cache: yarn
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
 
-      - run: yarn install --frozen-lockfile
-      - run: yarn lint
+      - name: Run ESLint
+        run: yarn lint:ts
+          --format @microsoft/eslint-formatter-sarif
+          --output-file eslint-results.sarif
+        continue-on-error: true
+
+      - name: Upload analysis results to GitHub
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: eslint-results.sarif
+          wait-for-processing: true

.github/workflows/publish-container.yml

@@ -0,0 +1,98 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Publish Containers
+
+on:
+  workflow_dispatch:
+
+  push:
+    branches:
+      - next
+    tags:
+      - 'v*.*.*'
+
+  pull_request:
+    paths:
+      - 'packages/container/**'
+      - '.github/workflows/publish-container.yml'
+    branches:
+      - next
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  build:
+    if: github.repository_owner == 'AliMD'
+
+    name: Build & Publish Containers
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - image: alpine
+            version:
+              short: 3
+              full: 3.16
+          - image: tdlib
+            version:
+              short: 1
+              full: 1.8
+
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{env.REGISTRY}}/${{github.repository_owner}}/${{matrix.image}}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}},prefix=alwatr-
+            type=semver,pattern={{major}}.{{minor}},prefix=alwatr-
+            type=raw,value=${{matrix.version.short}}
+            type=raw,value=${{matrix.version.full}}
+
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@main
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Log into registry ${{env.REGISTRY}}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          registry: ${{env.REGISTRY}}
+          username: ${{github.repository_owner}}
+          password: ${{secrets.GITHUB_TOKEN}}
+
+      - name: Build and push container image
+        id: build-and-push
+        uses: docker/build-push-action@v3
+        with:
+          context: packages/container/${{matrix.image}}
+          push: ${{github.event_name != 'pull_request'}}
+          tags: ${{steps.meta.outputs.tags}}
+          labels: ${{steps.meta.outputs.labels}}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Sign the published container image
+        if: ${{github.event_name != 'pull_request'}}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: echo "${{steps.meta.outputs.tags}}" | xargs -I {} cosign sign {}@${{steps.build-and-push.outputs.digest}}

.github/workflows/publish-npm.yml

@@ -0,0 +1,53 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Publish NPM
+
+on:
+  workflow_dispatch:
+
+  release:
+    types:
+      - created
+
+  push:
+    tags:
+      - 'v*.*.*'
+
+env:
+  NODE_VERSION: latest
+
+jobs:
+  publish-npm:
+    if: github.repository_owner == 'AliMD'
+
+    name: Publish NPM
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Setup nodejs
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{env.NODE_VERSION}}
+          registry-url: https://registry.npmjs.org/
+          cache: yarn
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+
+      - name: Build Typescript
+        run: yarn build:ts
+
+      - name: Run ESLint
+        run: yarn lint:ts
+
+      - name: Publish
+        run: yarn run publish --yes
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}