build(deps): bump github/codeql-action from 4.35.1 to 4.35.2

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.1 to 4.35.2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/c10b8064de6f491fea524254123dbe5e09572f13...95e58e9a2cdfd71adc6e0353d5c52f41a045d225) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
2026-04-17 06:13:44 +00:00
18 changed files with 1289 additions and 5758 deletions
@@ -0,0 +1,127 @@
 name: ci
 permissions:
  contents: read
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 on:
  workflow_dispatch:
  schedule:
    - cron: '0 10 * * *'
  push:
    branches:
      - 'master'
      - 'releases/v*'
    tags:
      - 'v*'
  pull_request:
 jobs:
  default:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up QEMU
        id: qemu
        uses: ./
      -
        name: Available platforms
        run: echo ${{ steps.qemu.outputs.platforms }}
  main:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        image:
          - tonistiigi/binfmt:latest
          - tonistiigi/binfmt:master
        platforms:
          - all
          - arm64,riscv64,arm
    steps:
      -
        name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up QEMU
        id: qemu
        uses: ./
        with:
          image: ${{ matrix.image }}
          platforms: ${{ matrix.platforms }}
      -
        name: Available platforms
        run: echo ${{ steps.qemu.outputs.platforms }}
  error:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Stop docker
        run: |
          sudo systemctl stop docker docker.socket
      -
        name: Set up QEMU
        id: qemu
        continue-on-error: true
        uses: ./
      -
        name: Check
        run: |
          echo "${{ toJson(steps.qemu) }}"
          if [ "${{ steps.qemu.outcome }}" != "failure" ] || [ "${{ steps.qemu.conclusion }}" != "success" ]; then
            echo "::error::Should have failed"
            exit 1
          fi
  cache-image:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        cache:
          - true
          - false
    steps:
      -
        name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up QEMU
        id: qemu
        uses: ./
        with:
          image: tonistiigi/binfmt:master
          cache-image: ${{ matrix.cache }}
      -
        name: Available platforms
        run: echo ${{ steps.qemu.outputs.platforms }}
  version:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        image:
          - tonistiigi/binfmt:master
          - tonistiigi/binfmt:latest
          - tonistiigi/binfmt:qemu-v7.0.0
    steps:
      -
        name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Set up QEMU
        uses: ./
        with:
          image: ${{ matrix.image }}
@@ -0,0 +1,46 @@
 name: codeql
 permissions:
  contents: read
 on:
  push:
    branches:
      - 'master'
      - 'releases/v*'
  pull_request:
 env:
  NODE_VERSION: "24"
 jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      -
        name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Enable corepack
        run: |
          corepack enable
          yarn --version
      -
        name: Set up Node
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: ${{ env.NODE_VERSION }}
      -
        name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          languages: javascript-typescript
          build-mode: none
      -
        name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          category: "/language:javascript-typescript"
@@ -0,0 +1,17 @@
 name: pr-assign-author
 permissions:
  contents: read
 on:
  pull_request_target: # zizmor: ignore[dangerous-triggers] safe to use without checkout
    types:
      - opened
      - reopened
 jobs:
  run:
    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@d89fe92d808a15e2b2ed5cdb62db7c172c31410d # v1.6.0
    permissions:
      contents: read
      pull-requests: write
@@ -0,0 +1,28 @@
 name: publish
 permissions:
  contents: read
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 on:
  release:
    types:
      - published
 jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      packages: write
    steps:
      -
        name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Publish
        uses: actions/publish-immutable-action@4bc8754ffc40f27910afb20287dbbbb675a4e978 # v0.0.4
@@ -0,0 +1,35 @@
 name: test
 permissions:
  contents: read
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 on:
  push:
    branches:
      - 'master'
      - 'releases/v*'
  pull_request:
 jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Test
        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
        with:
          source: .
          targets: test
      -
        name: Upload coverage
        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          files: ./coverage/clover.xml
          token: ${{ secrets.CODECOV_TOKEN }}
@@ -0,0 +1,56 @@
 name: update-dist
 permissions:
  contents: read
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 on:
  pull_request:
    types:
      - opened
      - synchronize
 jobs:
  update-dist:
    if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
    runs-on: ubuntu-latest
    steps:
      -
        name: GitHub auth token from GitHub App
        id: docker-read-app
        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
        with:
          app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }}
          private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }}
          owner: docker
      -
        name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          fetch-depth: 0
          token: ${{ steps.docker-read-app.outputs.token }}
      -
        name: Build
        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
        with:
          source: .
          targets: build
      -
        name: Commit and push dist
        run: |
          if [ -n "$(git status --porcelain -- dist)" ]; then
            (
              set -x
              git config user.name "github-actions[bot]"
              git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
              git add dist
              git commit -m "chore: update generated content"
              git push
            )
          else
            echo "No changes in dist"
          fi
@@ -0,0 +1,46 @@
 name: validate
 permissions:
  contents: read
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 on:
  push:
    branches:
      - 'master'
      - 'releases/v*'
  pull_request:
 jobs:
  prepare:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.generate.outputs.matrix }}
    steps:
      -
        name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Generate matrix
        id: generate
        uses: docker/bake-action/subaction/matrix@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
        with:
          target: validate
  validate:
    runs-on: ubuntu-latest
    needs:
      - prepare
    strategy:
      fail-fast: false
      matrix:
        include: ${{ fromJson(needs.prepare.outputs.matrix) }}
    steps:
      -
        name: Validate
        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
        with:
          targets: ${{ matrix.target }}
@@ -0,0 +1,29 @@
 name: zizmor
 permissions:
  contents: read
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 on:
  workflow_dispatch:
  push:
    branches:
      - 'master'
      - 'releases/v*'
    tags:
      - 'v*'
  pull_request:
 jobs:
  zizmor:
    uses: crazy-max/.github/.github/workflows/zizmor.yml@d89fe92d808a15e2b2ed5cdb62db7c172c31410d # v1.6.0
    permissions:
      contents: read
      security-events: write
    with:
      min-severity: medium
      min-confidence: medium
      persona: pedantic
@@ -26,5 +26,5 @@ outputs:
 runs:
  using: 'node24'
-  main: 'dist/index.cjs'
+  main: 'dist/index.js'
-  post: 'dist/index.cjs'
+  post: 'dist/index.js'
@@ -0,0 +1,3 @@
 {
  "type": "module"
 }
@@ -4,11 +4,10 @@
  "type": "module",
  "main": "src/main.ts",
  "scripts": {
-    "build": "esbuild src/main.ts --bundle --platform=node --target=node24 --format=cjs --outfile=dist/index.cjs --sourcemap --minify && yarn run license",
+    "build": "ncc build src/main.ts --source-map --minify --license licenses.txt",
    "lint": "eslint --max-warnings=0 .",
    "format": "eslint --fix .",
-    "test": "vitest run",
+    "test": "vitest run"
    "license": "generate-license-file --input package.json --output dist/licenses.txt --overwrite --ci --no-spinner --eol lf"
  },
  "repository": {
    "type": "git",
@@ -31,13 +30,12 @@
    "@types/node": "^24.11.0",
    "@typescript-eslint/eslint-plugin": "^8.56.1",
    "@typescript-eslint/parser": "^8.56.1",
    "@vercel/ncc": "^0.38.4",
    "@vitest/coverage-v8": "^4.0.18",
    "@vitest/eslint-plugin": "^1.6.9",
    "esbuild": "^0.28.0",
    "eslint": "^9.39.3",
    "eslint-config-prettier": "^10.1.8",
    "eslint-plugin-prettier": "^5.5.5",
    "generate-license-file": "^4.1.1",
    "globals": "^17.3.0",
    "prettier": "^3.8.1",
    "typescript": "^5.9.3",