ci: tidy up workflows and implement a consistent style (seerr-team#1905)

* feat(ci): tidy up workflows and implement a consistent style

all workflows now use ubuntu-24.04 as the runner type to match the release workflows

codeql.yml
 - bump actions to v3
 - add least-privilege perms + concurrency to stop duplicate runs
 - ignore docs only changes

conflict_labeler.yml
 - run on opened, reopened, and synchronize
 - bump action version
 - add concurrency group to avoid duplicate labeling

cypress.yml
 - skip docs-only changes; don’t run on draft PRs
 - add concurrency to stop duplicate runs + 10m timeout

docs-deploy.yml
 - add configure-pages@v5 and bump upload-pages-artifact to v4
 - set explicit pages/id-token perms + concurrency
 - minor cleanups (working-directory, ubuntu-24.04)

helm.yml
 - switch oras discover to oras manifest fetch
 - add concurrency to stop duplicate runs

lint-helm-charts.yml
 - bump action versions
 - enforce version bumps (--check-version-increment=true)
 - add least-privilege perms + concurrency to stop duplicate runs

support.yml
 - add least-privilege perms

test-docs-deploy.yml
 - add least-privilege perms + concurrency to stop duplicate runs

* fixed line 5 syntax error

* Updated based on comments from @M0NsTeRRR in PR-1905 discussion

* updated based on 2nd review from @M0NsTeRRR in PR-1905

* Merge of PR-1904 and PR-1905

* chore(pnpm-lock.yaml): updated the pnpm-lockfile

* ci(release.yml): fix the latest tag to use context labels

* ci: fix new lines at eof, removed cypress timeout, removed legacy qemu actions

* @M0NsTeRRR self review

Signed-off-by: Ludovic Ortega <[email protected]>

* fix: support workflow

Signed-off-by: Ludovic Ortega <[email protected]>

* fix: newline

---------

Signed-off-by: Ludovic Ortega <[email protected]>
Co-authored-by: Ludovic Ortega <[email protected]>
Co-authored-by: Ludovic Ortega <[email protected]>

Author: sudo-kraken

.github/workflows/ci.yml

@@ -7,6 +7,14 @@ on:
   push:
     branches:
       - develop
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   test:
@@ -17,152 +25,169 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Get PNPM version from package.json
+        id: pnpm-version
+        shell: sh
+        run: echo "pnpm_version=$(node -p 'require(`./package.json`).packageManager.split(\"@\")[1]')" >> $GITHUB_OUTPUT
+
       - name: Pnpm Setup
         uses: pnpm/action-setup@v4
         with:
-          version: 9
+          version: ${{ steps.pnpm-version.outputs.pnpm_version }}
+
       - name: Get pnpm store directory
         shell: sh
         run: |
           echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
+
       - name: Setup pnpm cache
         uses: actions/cache@v4
         with:
           path: ${{ env.STORE_PATH }}
           key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
           restore-keys: |
             ${{ runner.os }}-pnpm-store-
+
       - name: Install dependencies
         env:
           HUSKY: 0
         run: pnpm install
+
       - name: Lint
         run: pnpm lint
+
       - name: Formatting
         run: pnpm format:check
+
       - name: Build
         run: pnpm build
 
   build:
-    name: Build & Publish Docker Images
+    name: Build (per-arch, native runners)
     if: github.ref == 'refs/heads/develop' && !contains(github.event.head_commit.message, '[skip ci]')
     strategy:
       matrix:
         include:
           - runner: ubuntu-24.04
             platform: linux/amd64
+            arch: amd64
           - runner: ubuntu-24.04-arm
             platform: linux/arm64
+            arch: arm64
     runs-on: ${{ matrix.runner }}
-    outputs:
-      digest-amd64: ${{ steps.set_outputs.outputs.digest-amd64 }}
-      digest-arm64: ${{ steps.set_outputs.outputs.digest-arm64 }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Commit timestamp
+        id: ts
+        run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      - name: Log in to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_TOKEN }}
-      - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Set lower case owner name
-        run: |
-          echo "OWNER_LC=${OWNER,,}" >>${GITHUB_ENV}
-        env:
-          OWNER: ${{ github.repository_owner }}
-      - name: Docker metadata
-        id: meta
-        uses: docker/metadata-action@v4
-        with:
-          images: |
-            fallenbagel/jellyseerr
-            ghcr.io/${{ env.OWNER_LC }}/jellyseerr
-          tags: |
-            type=ref,event=branch
-            type=sha,prefix=,suffix=,format=short
-      - name: Build and push by digest
-        id: build
-        uses: docker/build-push-action@v5
+
+      - name: Warm cache (no push) — ${{ matrix.platform }}
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ./Dockerfile
           platforms: ${{ matrix.platform }}
-          push: true
+          push: false
           build-args: |
             COMMIT_TAG=${{ github.sha }}
             BUILD_VERSION=develop
-            BUILD_DATE=${{ github.event.repository.updated_at }}
-          outputs: |
-            type=image,push-by-digest=true,name=fallenbagel/jellyseerr,push=true
-            type=image,push-by-digest=true,name=ghcr.io/${{ env.OWNER_LC }}/jellyseerr,push=true
+            SOURCE_DATE_EPOCH=${{ steps.ts.outputs.TIMESTAMP }}
           cache-from: type=gha,scope=${{ matrix.platform }}
           cache-to: type=gha,mode=max,scope=${{ matrix.platform }}
           provenance: false
-      - name: Set outputs
-        id: set_outputs
-        run: |
-          platform="${{ matrix.platform == 'linux/amd64' && 'amd64' || 'arm64' }}"
-          echo "digest-${platform}=${{ steps.build.outputs.digest }}" >> $GITHUB_OUTPUT
 
-  merge_and_push:
-    name: Create and Push Multi-arch Manifest
+  publish:
+    name: Publish multi-arch image
     needs: build
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Commit timestamp
+        id: ts
+        run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Log in to Docker Hub
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
+
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Set lower case owner name
-        run: |
-          echo "OWNER_LC=${OWNER,,}" >>${GITHUB_ENV}
-        env:
-          OWNER: ${{ github.repository_owner }}
-      - name: Create and push manifest
-        run: |
-          docker manifest create fallenbagel/jellyseerr:develop \
-            --amend fallenbagel/jellyseerr@${{ needs.build.outputs.digest-amd64 }} \
-            --amend fallenbagel/jellyseerr@${{ needs.build.outputs.digest-arm64 }}
-          docker manifest push fallenbagel/jellyseerr:develop
 
-          # GHCR manifest
-          docker manifest create ghcr.io/${{ env.OWNER_LC }}/jellyseerr:develop \
-            --amend ghcr.io/${{ env.OWNER_LC }}/jellyseerr@${{ needs.build.outputs.digest-amd64 }} \
-            --amend ghcr.io/${{ env.OWNER_LC }}/jellyseerr@${{ needs.build.outputs.digest-arm64 }}
-          docker manifest push ghcr.io/${{ env.OWNER_LC }}/jellyseerr:develop
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ github.repository }}
+            ghcr.io/${{ github.repository }}
+          tags: |
+            type=raw,value=develop
+            type=sha
+          labels: |
+            org.opencontainers.image.created=${{ steps.ts.outputs.TIMESTAMP }}
+
+      - name: Build & Push (multi-arch, single tag)
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          build-args: |
+            COMMIT_TAG=${{ github.sha }}
+            BUILD_VERSION=develop
+            SOURCE_DATE_EPOCH=${{ steps.ts.outputs.TIMESTAMP }}
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta.outputs.tags }}
+          cache-from: |
+            type=gha,scope=linux/amd64
+            type=gha,scope=linux/arm64
+          cache-to: type=gha,mode=max
+          provenance: false
 
   discord:
     name: Send Discord Notification
-    needs: merge_and_push
+    needs: publish
     if: always() && github.event_name != 'pull_request' && !contains(github.event.head_commit.message, '[skip ci]')
     runs-on: ubuntu-24.04
     steps:
-      - name: Get Build Job Status
-        uses: technote-space/workflow-conclusion-action@v3
       - name: Combine Job Status
         id: status
         run: |
           failures=(neutral, skipped, timed_out, action_required)
-          if [[ ${array[@]} =~ $WORKFLOW_CONCLUSION ]]; then
+          if [[ ${array[@]} =~ ${{ needs.publish.result }} ]]; then
             echo "status=failure" >> $GITHUB_OUTPUT
           else
-            echo "status=$WORKFLOW_CONCLUSION" >> $GITHUB_OUTPUT
+            echo "status=${{ needs.publish.result }}" >> $GITHUB_OUTPUT
           fi
+
       - name: Post Status to Discord
         uses: sarisia/actions-status-discord@v1
         with:

.github/workflows/codeql.yml

@@ -3,39 +3,52 @@ name: 'CodeQL'
 on:
   push:
     branches: ['develop']
+    paths-ignore:
+      - '**/*.md'
+      - 'docs/**'
   pull_request:
     branches: ['develop']
+    paths-ignore:
+      - '**/*.md'
+      - 'docs/**'
   schedule:
     - cron: '50 7 * * 5'
 
+permissions:
+  contents: read
+
+concurrency:
+  group: codeql-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
     permissions:
-      actions: read
       contents: read
       security-events: write
-
     strategy:
       fail-fast: false
       matrix:
-        language: [javascript]
-
+        language: [actions, javascript]
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
           queries: +security-and-quality
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@v3
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3
         with:
           category: '/language:${{ matrix.language }}'

.github/workflows/conflict_labeler.yml

@@ -2,18 +2,24 @@ name: Merge Conflict Labeler
 
 on:
   push:
-    branches:
-      - develop
+    branches: [develop]
+
   pull_request_target:
-    branches:
-      - develop
-    types: [synchronize]
+    branches: [develop]
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: merge-conflict-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   label:
     name: Labeling
-    runs-on: ubuntu-latest
-    if: ${{ github.repository == 'Fallenbagel/jellyseerr' }}
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
     permissions:
       contents: read
       pull-requests: write