GitHub Workflows
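# Add To Project
#
# Add new issues and pull requests to the project board.
#
# Notes:
#
# - `pull_request` runs for pull requests opened from forks are not given repository secrets, so
#   `secrets.PAT_REPO` is empty in those runs and the add-item step fails there; issues and
#   same-repository pull requests are unaffected.
# - `project-url` is written as a folded scalar (`>-`) so the expression result does not carry the
#   trailing newline a literal block (`|`) keeps.
#
# References:
#
# - https://docs.github.com/actions/learn-github-actions/contexts
# - https://docs.github.com/actions/learn-github-actions/expressions
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#issues
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#pull_request
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#issues
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request
# - https://github.com/actions/add-to-project
---
name: add-to-project
on:
  issues:
    types:
      - opened
  pull_request:
    types:
      - opened
      - synchronize
jobs:
  add-to-project:
    runs-on: ubuntu-latest
    steps:
      - id: add-item
        name: Add ${{ format('#{0}', github.event.number) }} to project
        uses: actions/add-to-project@v0.5.0
        with:
          # NOTE(review): a personal access token is used instead of GITHUB_TOKEN, presumably
          # because the target is an organization project — confirm the token carries only the
          # scope the board needs.
          github-token: ${{ secrets.PAT_REPO }}
          # The project number lives in a secret; the URL is assembled from the server URL and the
          # repository owner so the workflow is not tied to one host or organization.
          project-url: >-
            ${{ format('{0}/orgs/{1}/projects/{2}', github.server_url, github.repository_owner, secrets.GH_PROJECT_ID) }}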
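# Approve Pull Request
#
# Automatically approve a pull request when a review is requested from @flexdevelopment by certain
# users.
#
# Notes:
#
# - Values taken from the event payload are passed to shell steps through `env:` rather than
#   interpolated into `run:` with `${{ }}`, so the shell never parses payload content.
# - The approval is issued with `PAT_BOT`, so the approving identity is the bot account, not the
#   actor who requested the review.
#
# References:
#
# - https://cli.github.com/manual/gh_pr_review
# - https://docs.github.com/actions/learn-github-actions/contexts
# - https://docs.github.com/actions/learn-github-actions/expressions
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#pull_request
# - https://docs.github.com/actions/using-workflows/using-github-cli-in-workflows
# - https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request
# - https://github.com/actions/checkout
# - https://github.com/hmarr/debug-action
---
name: approve-pr
on:
  pull_request:
    types:
      - review_requested
env:
  GITHUB_TOKEN: ${{ secrets.PAT_BOT }}
jobs:
  approve-pr:
    runs-on: ubuntu-latest
    steps:
      - id: debug
        name: Print environment variables and event payload
        # NOTE(review): this dumps the job environment, which includes the job-level GITHUB_TOKEN;
        # the runner's secret masking presumably redacts it — verify in the logs.
        uses: hmarr/debug-action@v2.1.0
      - id: checkout
        name: Checkout ${{ github.head_ref }}
        uses: actions/checkout@v3.5.2
        with:
          # The token must not be written into .git/config; `gh` reads GITHUB_TOKEN directly.
          persist-credentials: false
          ref: ${{ github.head_ref }}
      - id: requested-reviewers
        name: Get requested reviewers
        env:
          # Comma-separated logins of everyone currently requested to review.
          REQUESTED_REVIEWERS: ${{ join(github.event.pull_request.requested_reviewers.*.login, ',') }}
        run: echo "result=$REQUESTED_REVIEWERS" >>"$GITHUB_OUTPUT"
      - id: approve
        name: Approve pull request
        # `contains` is a substring test: any login that merely contains 'flexdevelopment' also
        # satisfies the first condition.
        if: |
          contains(steps.requested-reviewers.outputs.result, 'flexdevelopment')
          && (github.actor == 'dependabot[bot]' || github.actor == 'unicornware')
        env:
          PR_NUMBER: ${{ github.event.number }}
        run: gh pr review "$PR_NUMBER" --approve --body 'lgtm 👍🏾'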
# Pull request auto-merge
#
# Turn on auto-merge (squash) for a pull request as soon as it is opened or updated, so it merges
# once branch protection requirements pass.
#
# References:
#
# - https://cli.github.com/manual/gh_pr_merge
# - https://docs.github.com/actions/learn-github-actions/contexts
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#pull_request
# - https://docs.github.com/actions/using-workflows/using-github-cli-in-workflows
# - https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request
# - https://github.com/actions/checkout
# - https://github.com/hmarr/debug-action
---
name: auto-merge
on:
  pull_request:
    types: [opened, synchronize]
env:
  # `gh` authenticates with this token; it is a personal access token, not the workflow token.
  GITHUB_TOKEN: ${{ secrets.PAT_REPO }}
jobs:
  auto-merge:
    # Skip drafts and pull requests that already have auto-merge enabled.
    if: github.event.pull_request.auto_merge == null && github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    steps:
      - name: Print environment variables and event payload
        id: debug
        uses: hmarr/debug-action@v2.1.0
      - name: Checkout ${{ github.head_ref }}
        id: checkout
        uses: actions/checkout@v3.5.0
        with:
          # Keep the token out of .git/config; nothing here pushes.
          persist-credentials: false
          ref: ${{ github.head_ref }}
      - name: Enable auto-merge
        id: enable
        run: gh pr merge ${{ github.event.number }} --auto --squash
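# Cache Cleanup
#
# Delete caches when a pull request is closed or on workflow dispatch.
#
# Notes:
#
# - `env.BRANCH` is a folded scalar (`>-`) so the computed ref does not carry a trailing newline
#   into the step name or the `--branch` filter.
# - `permissions` grants only `actions: write`, which is what cache deletion needs.
#
# References:
#
# - https://docs.github.com/actions/learn-github-actions/contexts
# - https://docs.github.com/actions/learn-github-actions/expressions
# - https://docs.github.com/actions/using-workflows/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#pull_request
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch
# - https://docs.github.com/actions/using-workflows/using-github-cli-in-workflows
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_dispatch
# - https://github.com/actions/checkout
# - https://github.com/actions/gh-actions-cache
# - https://github.com/hmarr/debug-action
---
name: cache-cleanup
on:
  pull_request:
    types:
      - closed
  workflow_dispatch:
    inputs:
      all:
        default: false
        description: delete caches without filtering by branch
        type: boolean
permissions:
  actions: write
env:
  # Ref whose caches are targeted: the merge ref of the closed pull request, otherwise the ref the
  # workflow was dispatched on.
  BRANCH: >-
    ${{ github.event.number && format('refs/pull/{0}/merge', github.event.number) || github.ref }}
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
concurrency:
  cancel-in-progress: true
  group: ${{ github.workflow }}-${{ format('refs/heads/{0}', github.head_ref || github.ref_name) }}
jobs:
  cache-cleanup:
    runs-on: ubuntu-latest
    steps:
      - id: debug
        name: Print environment variables and event payload
        uses: hmarr/debug-action@v2.1.0
      - id: checkout
        name: Checkout main
        uses: actions/checkout@v3.5.0
        with:
          persist-credentials: false
          ref: main
      - id: gh-actions-cache
        name: Install actions/gh-actions-cache
        # NOTE(review): the extension is installed unpinned, so each run fetches whatever the
        # extension's default branch currently is — consider pinning if that matters here.
        run: gh extension install actions/gh-actions-cache
      - id: cleanup
        name: Delete caches${{ !inputs.all && format(' created by {0}', env.BRANCH) || '' }}
        env:
          # Empty when `all` is requested, otherwise `--branch <ref>`; it is deliberately left
          # unquoted in the shell below so it expands to two words.
          BRANCH_FILTER: ${{ !inputs.all && format('--branch {0}', env.BRANCH) || '' }}
        run: |
          # prevent workflow failure while deleting cache keys
          set +e
          # delete all caches or caches created by ${{ env.BRANCH }}
          # NOTE(review): `--limit 100` caps one run at 100 entries; keys are split on whitespace
          # by the unquoted command substitution — confirm keys never contain spaces.
          for key in $(gh actions-cache list $BRANCH_FILTER --limit 100 | cut -f 1); do
            gh actions-cache delete "$key" $BRANCH_FILTER --confirm
          done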
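# Continuous Integration
#
# Notes:
#
# - The workflow token is limited to `contents: read` and `packages: read`.
# - Values that originate in the checked-out repository (package.json fields, matrix entries
#   derived from them) or in the event payload are handed to shell steps through `env:` instead of
#   being interpolated into `run:` with `${{ }}`, so the shell never parses them.
# - The upload-artifact `name` is a folded scalar (`>-`) so the artifact name does not end with
#   the newline a literal block (`|`) keeps.
#
# References:
#
# - https://docs.github.com/actions/learn-github-actions/contexts
# - https://docs.github.com/actions/learn-github-actions/expressions
# - https://docs.github.com/actions/using-jobs/using-a-matrix-for-your-jobs
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#pull_request
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#push
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch
# - https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#push
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_dispatch
# - https://github.com/GitGuardian/ggshield-action
# - https://github.com/actions/cache
# - https://github.com/actions/cache/discussions/650
# - https://github.com/actions/checkout
# - https://github.com/actions/setup-node
# - https://github.com/actions/setup-node/blob/main/docs/advanced-usage.md#yarn2-configuration
# - https://github.com/actions/upload-artifact
# - https://github.com/andstor/file-existence-action
# - https://github.com/codecov/codecov-action
# - https://github.com/hmarr/debug-action
# - https://yarnpkg.com/cli/pack
---
name: ci
on:
  pull_request:
  push:
    branches:
      - feat/**
      - hotfix/**
      - main
      - release/**
  workflow_dispatch:
permissions:
  contents: read
  packages: read
env:
  CACHE_PATH: node_modules
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  HUSKY: 0
  # Head ref of the pull request, otherwise the pushed/dispatched ref.
  REF: ${{ github.head_ref || github.ref }}
  REF_NAME: ${{ github.head_ref || github.ref_name }}
  # Head commit of the pull request, otherwise the commit that triggered the run.
  SHA: ${{ github.event.pull_request.head.sha || github.sha }}
concurrency:
  cancel-in-progress: true
  group: ${{ github.workflow }}-${{ github.ref }}
jobs:
  preflight:
    # `head_commit` only exists on push payloads; on other events these comparisons are against
    # empty values and the job runs.
    if: |
      github.event.head_commit.author.name != 'dependabot[bot]'
      && github.event.head_commit.author.username != 'flexdevelopment'
      && !startsWith(github.event.head_commit.message, 'release:')
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.version.outputs.result }}
      version-typescript: ${{ steps.version-typescript.outputs.result }}
    steps:
      - id: debug
        name: Print environment variables and event payload
        uses: hmarr/debug-action@v2.1.0
      - id: checkout
        name: Checkout ${{ env.REF_NAME }}
        uses: actions/checkout@v3.5.0
        with:
          persist-credentials: false
          ref: ${{ env.REF }}
      - id: node
        name: Setup Node.js
        uses: actions/setup-node@v3.6.0
        with:
          cache: yarn
          cache-dependency-path: yarn.lock
          node-version-file: .nvmrc
      - id: yarn
        name: Install dependencies
        # Dependabot pull requests may ship a lockfile that needs regenerating, so only they are
        # allowed a non-immutable install.
        run: yarn ${{ github.actor == 'dependabot[bot]' && '--no-immutable' || '--immutable' }}
      - id: cache
        name: Cache dependencies
        # Keyed per run so downstream jobs restore exactly what this job installed.
        uses: actions/cache@v3.3.1
        with:
          key: ${{ runner.os }}-${{ github.run_id }}
          path: ${{ env.CACHE_PATH }}
      # NOTE(review): both values below come from the checked-out package.json, which a pull
      # request controls; GITHUB_OUTPUT is line-oriented, so a value containing a newline could
      # define additional outputs — consider validating the shape before exporting.
      - id: version
        name: Get package version
        run: echo "result=$(jq .version package.json -r)" >>"$GITHUB_OUTPUT"
      - id: version-typescript
        name: Get TypeScript version
        run: echo "result=$(jq .devDependencies.typescript package.json -r)" >>"$GITHUB_OUTPUT"
  commitlint:
    needs: preflight
    runs-on: ubuntu-latest
    steps:
      - id: checkout
        name: Checkout ${{ env.REF_NAME }}
        uses: actions/checkout@v3.5.0
        with:
          # Full history is required to walk back over the pull request's commits.
          fetch-depth: 0
          persist-credentials: false
          ref: ${{ env.REF }}
      - id: node
        name: Setup Node.js
        uses: actions/setup-node@v3.6.0
        with:
          cache: yarn
          cache-dependency-path: yarn.lock
          node-version-file: .nvmrc
      - id: cache
        name: Restore dependencies cache
        uses: actions/cache@v3.3.1
        with:
          key: ${{ runner.os }}-${{ github.run_id }}
          path: ${{ env.CACHE_PATH }}
      - id: lint
        name: Check commitlint status
        if: github.run_number != '1'
        env:
          # Number of commits to lint: the pull request's commit count, or just the head commit.
          COMMIT_COUNT: ${{ github.event.pull_request.commits || 1 }}
        run: yarn commitlint --from "$SHA~$COMMIT_COUNT" --to "$SHA"
  gitguardian:
    needs: commitlint
    runs-on: ubuntu-latest
    steps:
      - id: checkout
        name: Checkout ${{ env.REF_NAME }}
        uses: actions/checkout@v3.5.0
        with:
          fetch-depth: 0
          persist-credentials: false
          ref: ${{ env.REF }}
      - id: scan
        name: Scan commits for secrets and policy breaches
        # NOTE(review): `@master` is a mutable reference, so the code this step runs can change
        # between runs without any change here; every other action in this file is pinned to a
        # release tag — pin this one to a tag or commit SHA as well.
        uses: GitGuardian/ggshield-action@master
        with:
          args: --all-policies --show-secrets --verbose
        env:
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
  format:
    needs:
      - commitlint
      - gitguardian
    runs-on: ubuntu-latest
    steps:
      - id: checkout
        name: Checkout ${{ env.REF_NAME }}
        uses: actions/checkout@v3.5.0
        with:
          persist-credentials: false
          ref: ${{ env.REF }}
      - id: node
        name: Setup Node.js
        uses: actions/setup-node@v3.6.0
        with:
          cache: yarn
          cache-dependency-path: yarn.lock
          node-version-file: .nvmrc
      - id: cache
        name: Restore dependencies cache
        uses: actions/cache@v3.3.1
        with:
          key: ${{ runner.os }}-${{ github.run_id }}
          path: ${{ env.CACHE_PATH }}
      - id: format
        name: Check code formatting
        run: yarn check:format
  lint:
    needs:
      - commitlint
      - gitguardian
    runs-on: ubuntu-latest
    steps:
      - id: checkout
        name: Checkout ${{ env.REF_NAME }}
        uses: actions/checkout@v3.5.0
        with:
          persist-credentials: false
          ref: ${{ env.REF }}
      - id: node
        name: Setup Node.js
        uses: actions/setup-node@v3.6.0
        with:
          cache: yarn
          cache-dependency-path: yarn.lock
          node-version-file: .nvmrc
      - id: cache
        name: Restore dependencies cache
        uses: actions/cache@v3.3.1
        with:
          key: ${{ runner.os }}-${{ github.run_id }}
          path: ${{ env.CACHE_PATH }}
      - id: lint
        name: Check lint status
        run: yarn check:lint
  spelling:
    needs:
      - commitlint
      - gitguardian
    runs-on: ubuntu-latest
    steps:
      - id: checkout
        name: Checkout ${{ env.REF_NAME }}
        uses: actions/checkout@v3.5.0
        with:
          persist-credentials: false
          ref: ${{ env.REF }}
      - id: node
        name: Setup Node.js
        uses: actions/setup-node@v3.6.0
        with:
          cache: yarn
          cache-dependency-path: yarn.lock
          node-version-file: .nvmrc
      - id: cache
        name: Restore dependencies cache
        uses: actions/cache@v3.3.1
        with:
          key: ${{ runner.os }}-${{ github.run_id }}
          path: ${{ env.CACHE_PATH }}
      - id: spelling
        name: Check spelling
        run: yarn check:spelling
  typescript:
    needs:
      - commitlint
      - gitguardian
      - preflight
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        typescript-version:
          # The version declared in package.json, as exported by the preflight job.
          - ${{ needs.preflight.outputs.version-typescript }}
          - latest
          - ~4.9.0
          - ~4.8.0
    steps:
      - id: checkout
        name: Checkout ${{ env.REF_NAME }}
        uses: actions/checkout@v3.5.0
        with:
          persist-credentials: false
          ref: ${{ env.REF }}
      - id: test-files-check
        name: Check for typecheck files
        uses: andstor/file-existence-action@v2.0.0
        with:
          files: '**/__tests__/*.spec-d.ts'
      - id: node
        if: steps.test-files-check.outputs.files_exists == 'true'
        name: Setup Node.js
        uses: actions/setup-node@v3.6.0
        with:
          cache: yarn
          cache-dependency-path: yarn.lock
          node-version-file: .nvmrc
      - id: cache
        if: steps.test-files-check.outputs.files_exists == 'true'
        name: Restore dependencies cache
        uses: actions/cache@v3.3.1
        with:
          key: ${{ runner.os }}-${{ github.run_id }}
          path: ${{ env.CACHE_PATH }}
      - id: typescript
        if: steps.test-files-check.outputs.files_exists == 'true'
        name: Install typescript@${{ matrix.typescript-version }}
        env:
          # One matrix entry is derived from the checked-out package.json, so the value is passed
          # via the environment rather than interpolated into the command.
          TYPESCRIPT_VERSION_SPEC: ${{ matrix.typescript-version }}
        run: yarn add -D "typescript@$TYPESCRIPT_VERSION_SPEC"
      - id: set-typescript-version
        name: Set env.TYPESCRIPT_VERSION
        # NOTE(review): unlike its sibling steps this one has no files_exists guard — confirm
        # whether that is intended.
        run: |
          echo "TYPESCRIPT_VERSION=$(jq .devDependencies.typescript package.json -r)" >>"$GITHUB_ENV"
      - id: print-typescript-version
        if: steps.test-files-check.outputs.files_exists == 'true'
        name: Print TypeScript version
        run: echo "$TYPESCRIPT_VERSION"
      - id: typecheck
        if: steps.test-files-check.outputs.files_exists == 'true'
        name: Run typecheck
        run: yarn typecheck
  test:
    needs:
      - commitlint
      - gitguardian
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        node-version:
          - 19
          - 18
          - 16
    steps:
      - id: checkout
        name: Checkout ${{ env.REF_NAME }}
        uses: actions/checkout@v3.5.0
        with:
          persist-credentials: false
          ref: ${{ env.REF }}
      - id: test-files-check
        name: Check for test files
        uses: andstor/file-existence-action@v2.0.0
        with:
          files: '**/__tests__/*.spec.+(ts|tsx)'
      - id: node
        if: steps.test-files-check.outputs.files_exists == 'true'
        name: Setup Node.js v${{ matrix.node-version }}
        uses: actions/setup-node@v3.6.0
        with:
          cache: yarn
          cache-dependency-path: yarn.lock
          node-version: ${{ matrix.node-version }}
      - id: cache
        if: steps.test-files-check.outputs.files_exists == 'true'
        name: Restore dependencies cache
        uses: actions/cache@v3.3.1
        with:
          key: ${{ runner.os }}-${{ github.run_id }}
          path: ${{ env.CACHE_PATH }}
      - id: test
        if: steps.test-files-check.outputs.files_exists == 'true'
        name: Run tests
        run: yarn test:cov --segfault-retry=3
      - id: codecov
        name: Upload coverage report to Codecov
        if: steps.test-files-check.outputs.files_exists == 'true'
        uses: codecov/codecov-action@v3.1.1
        with:
          env_vars: GITHUB_JOB,GITHUB_REF,GITHUB_REF_TYPE,GITHUB_RUN_ID,GITHUB_SHA,GITHUB_WORKSPACE
          fail_ci_if_error: true
          file: ./coverage/lcov.info
          flags: ${{ format('node{0}', matrix.node-version) }}
          override_branch: ${{ env.REF }}
          override_build: ${{ github.run_id }}
          override_commit: ${{ env.SHA }}
          token: ${{ secrets.CODECOV_TOKEN }}
          verbose: true
        env:
          GITHUB_JOB: ${{ github.job }}
          GITHUB_REF: ${{ github.ref }}
          GITHUB_REF_TYPE: ${{ github.ref_type }}
          GITHUB_RUN_ID: ${{ github.run_id }}
          GITHUB_SHA: ${{ env.SHA }}
          GITHUB_WORKSPACE: ${{ github.workspace }}
  build:
    needs:
      - commitlint
      - gitguardian
      - preflight
    runs-on: ubuntu-latest
    steps:
      - id: checkout
        name: Checkout ${{ env.REF_NAME }}
        uses: actions/checkout@v3.5.0
        with:
          persist-credentials: false
          ref: ${{ env.REF }}
      - id: node
        name: Setup Node.js
        uses: actions/setup-node@v3.6.0
        with:
          cache: yarn
          cache-dependency-path: yarn.lock
          node-version-file: .nvmrc
      - id: cache
        name: Restore dependencies cache
        uses: actions/cache@v3.3.1
        with:
          key: ${{ runner.os }}-${{ github.run_id }}
          path: ${{ env.CACHE_PATH }}
      - id: pack
        name: Pack project
        run: yarn pack -o %s-%v.tgz
      - id: typecheck
        name: Run typecheck
        run: yarn check:types:build
      - id: pkg-size-report
        name: Package size report
        run: yarn pkg-size
      - id: archive
        name: Archive production artifacts
        uses: actions/upload-artifact@v3.1.2
        with:
          # Folded so the artifact name has no trailing newline.
          name: >-
            ${{ format('@{0}-{1}-{2}', github.repository_owner, github.event.repository.name, needs.preflight.outputs.version) }}
          path: '*.tgz'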
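# Dependabot Auto
#
# Enable auto-merge and approve pull requests authored by @dependabot.
#
# Note: @dependabot generates Yarn v1 lockfiles despite this project using a different Yarn version.
# This corrupts the project lockfile. A workaround has been implemented to autofix lockfile format
# and deduplicate dependencies. Check https://github.com/dependabot/dependabot-core/issues/1297 for
# details pertaining to the safe removal of this workflow.
#
# Notes:
#
# - The lockfile push only force-pushes when a fix commit was actually created; the previous
#   one-liner (`a || b && c`) ran `git push -f` whenever the tree was already clean because the
#   shell evaluates `||` and `&&` left to right with equal precedence.
# - Step outputs used by shell steps are passed through `env:` rather than interpolated into
#   `run:` with `${{ }}`.
#
# References:
#
# - https://cli.github.com/manual/gh_pr_merge
# - https://cli.github.com/manual/gh_pr_review
# - https://docs.github.com/actions/learn-github-actions/contexts
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#pull_request
# - https://docs.github.com/actions/using-workflows/using-github-cli-in-workflows
# - https://docs.github.com/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request
# - https://github.com/actions/checkout
# - https://github.com/crazy-max/ghaction-import-gpg
# - https://github.com/dependabot/fetch-metadata
# - https://github.com/hmarr/debug-action
---
name: dependabot-auto
on: pull_request
env:
  GITHUB_TOKEN: ${{ secrets.PAT_BOT }}
  # Quoted so the consumer receives the string "false" rather than a YAML boolean.
  YARN_ENABLE_IMMUTABLE_INSTALLS: 'false'
jobs:
  dependabot-auto:
    if: github.actor == 'dependabot[bot]' || github.actor == 'flexdevelopment'
    runs-on: ubuntu-latest
    steps:
      - id: debug
        name: Print environment variables and event payload
        uses: hmarr/debug-action@v2.1.0
      - id: metadata
        name: Fetch metadata
        uses: dependabot/fetch-metadata@v1.3.6
        with:
          skip-commit-verification: true
      - id: checkout
        name: Checkout ${{ github.head_ref }}
        uses: actions/checkout@v3.5.0
        with:
          # Credentials are kept in .git/config only for npm/yarn updates, where a lockfile fix
          # may need to be pushed back. NOTE(review): `yarn` then runs with that token on disk —
          # confirm `--mode=update-lockfile` executes no package scripts.
          persist-credentials: ${{ steps.metadata.outputs.package-ecosystem == 'npm_and_yarn' }}
          ref: ${{ github.head_ref }}
          token: ${{ env.GITHUB_TOKEN }}
      - id: gpg-import
        name: Import GPG key
        if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
        uses: crazy-max/ghaction-import-gpg@v5.2.0
        with:
          git_commit_gpgsign: true
          git_config_global: true
          git_user_signingkey: true
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
      # todo: remove when https://github.com/crazy-max/ghaction-import-gpg/issues/118 is resolved
      - id: gpg-trust
        name: Set trust on GPG key
        if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
        env:
          KEY_ID: ${{ steps.gpg-import.outputs.keyid }}
        # Answers gpg's interactive trust prompt: "trust" -> level 5 (ultimate) -> confirm -> quit.
        run: |
          gpg --no-tty --command-fd 0 --edit-key "$KEY_ID" << EOTRUST
          trust
          5
          y
          quit
          EOTRUST
      - id: lockfile-fix
        name: Fix yarn.lock
        if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
        run: yarn --mode=update-lockfile
      - id: dedupe
        name: Deduplicate dependencies
        if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
        run: yarn dedupe --mode=update-lockfile
      - id: lockfile-push
        name: Push yarn.lock
        if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
        env:
          GIT_AUTHOR_EMAIL: ${{ steps.gpg-import.outputs.email }}
          GIT_COMMITTER_EMAIL: ${{ steps.gpg-import.outputs.email }}
          COMMIT_MESSAGE: 'build(yarn): [dependabot skip] fix lockfile for @dependabot'
        # Commit and force-push only when the lockfile actually changed; a clean tree is a no-op.
        run: |
          git add yarn.lock
          git status
          if ! git diff-index --quiet HEAD; then
            git commit -s -m "$COMMIT_MESSAGE" && git push -f
          fi
      - id: approve-pr
        name: Approve pull request containing minor or patch updates
        # Major bumps are left for a human; everything else is approved by the bot account.
        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
        env:
          PR_NUMBER: ${{ github.event.number }}
        run: gh pr review "$PR_NUMBER" --approve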
# Repository Infrastructure Management
#
# Apply the repository infrastructure config on `push` (when the config file or this workflow
# changes) or on `workflow_dispatch`. The update step only runs if `github.actor` is a repository
# admin.
#
# Note: the permission check targets `github.actor` rather than `github.triggering_actor` because a
# re-run keeps the privileges of the original `github.actor` even when the person re-running it has
# different privileges.
#
# References:
#
# - https://docs.github.com/actions/learn-github-actions/contexts
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#push
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#push
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_dispatch
# - https://github.com/actions-cool/check-user-permission
# - https://github.com/actions/checkout
# - https://github.com/flex-development/rice-action
# - https://github.com/hmarr/debug-action
---
name: infrastructure
on:
  push:
    branches: [main, release/**]
    paths:
      - .github/infrastructure.yml
      - .github/workflows/infrastructure.yml
  workflow_dispatch:
concurrency:
  cancel-in-progress: true
  group: ${{ github.workflow }}-${{ github.ref }}
jobs:
  infrastructure:
    runs-on: ubuntu-latest
    steps:
      - name: Print environment variables and event payload
        id: debug
        uses: hmarr/debug-action@v2.1.0
      - name: Check @${{ github.actor }} permission level
        id: check-actor-permission
        uses: actions-cool/check-user-permission@v2.2.0
        with:
          require: admin
          username: ${{ github.actor }}
      - name: Checkout ${{ github.ref_name }}
        id: checkout
        uses: actions/checkout@v3.5.0
        with:
          persist-credentials: false
          ref: ${{ github.ref }}
      # Gated on the admin check above; the PAT is only handed to the action when the gate passes.
      - name: Update repository infrastructure
        id: update
        if: steps.check-actor-permission.outputs.require-result == 'true'
        uses: flex-development/rice-action@1.0.0
        with:
          token: ${{ secrets.PAT_REPO }}
# Integrity Check
#
# Fail when the lockfile contains dependencies that `yarn dedupe` could collapse. Runs when the
# lockfile, the Yarn config or this workflow changes, and on manual dispatch.
#
# References:
#
# - https://docs.github.com/actions/learn-github-actions/contexts
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#pull_request
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#push
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#push
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_dispatch
# - https://github.com/actions/checkout
# - https://yarnpkg.com/cli/dedupe
---
name: integrity
on:
  pull_request:
    paths:
      - .github/workflows/integrity.yml
      - .yarnrc.yml
      - yarn.lock
    types: [opened, reopened, synchronize]
  push:
    branches: [main]
    paths:
      - .github/workflows/integrity.yml
      - .yarnrc.yml
      - yarn.lock
  workflow_dispatch:
permissions:
  # Read access to packages only; nothing here writes to the repository.
  packages: read
env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
concurrency:
  cancel-in-progress: true
  group: ${{ github.workflow }}-${{ github.ref }}
jobs:
  integrity:
    # Dependabot lockfiles are handled by the dependabot workflow instead.
    if: github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout ${{ github.head_ref || github.ref_name }}
        id: checkout
        uses: actions/checkout@v3.5.0
        with:
          persist-credentials: false
          ref: ${{ github.head_ref || github.ref }}
      - name: Check for duplicate dependencies in lockfile
        id: dedupe-check
        run: yarn dedupe --check
# Label Linked Issues
#
# When a pull request is merged into `main` (or on manual dispatch with a pull request number),
# label each issue the pull request closes with `status:merged`, `status:prereleased`, or
# `status:released`.
#
# References:
#
# - https://docs.github.com/actions/learn-github-actions/contexts
# - https://docs.github.com/actions/learn-github-actions/expressions
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#pull_request
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch
# - https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions
# - https://docs.github.com/graphql/reference/objects#pullrequest
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_dispatch
# - https://github.com/actions/github-script
# - https://github.com/hmarr/debug-action
# - https://github.com/octokit/graphql-action
---
name: label-linked-issues
on:
  pull_request:
    branches: [main]
    types: [closed]
  workflow_dispatch:
    inputs:
      pr:
        description: pull request number
        required: true
        type: number
permissions:
  # Adding labels is the only write this workflow performs.
  issues: write
jobs:
  label-linked-issues:
    # A closed-but-unmerged pull request must not label anything.
    if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged
    runs-on: ubuntu-latest
    steps:
      - name: Print environment variables and event payload
        id: debug
        uses: hmarr/debug-action@v2.1.0
      - name: Checkout main
        id: checkout
        uses: actions/checkout@v3.5.0
        with:
          persist-credentials: false
          ref: main
      # The version on main decides between `released` and `prereleased` below.
      - name: Get project version
        id: version
        run: echo "result=$(jq .version package.json -r)" >>$GITHUB_OUTPUT
      # NOTE(review): only the first `$limit` (20) closing references are fetched; there is no
      # pagination — confirm that bound is acceptable.
      - name: Query linked issues
        id: query
        uses: octokit/graphql-action@v2.2.23
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          query: |
            query ($limit: Int = 20, $owner: String!, $pr: Int!, $repo: String!) {
              repository(name: $repo, owner: $owner) {
                pullRequest(number: $pr) {
                  closingIssuesReferences(
                    first: $limit
                    orderBy: { direction: ASC, field: CREATED_AT }
                  ) {
                    edges {
                      node {
                        number
                      }
                    }
                  }
                }
              }
            }
          owner: ${{ github.repository_owner }}
          pr: ${{ inputs.pr || github.event.number }}
          repo: ${{ github.event.repository.name }}
      - name: Label linked issues
        id: label
        uses: actions/github-script@v6.4.1
        env:
          DATA: ${{ steps.query.outputs.data }}
          # A `-` in the version marks a prerelease.
          PRERELEASE: ${{ contains(steps.version.outputs.result, '-') }}
          RELEASE_BRANCH: ${{ contains(github.head_ref || github.ref_name, 'release/') }}
        with:
          # NOTE(review): issue numbers are labelled in `context.repo`; a closing reference that
          # points at an issue in another repository would presumably hit the wrong issue — verify.
          script: |
            const { closingIssuesReferences } = JSON.parse(process.env.DATA).repository.pullRequest
            const issues = closingIssuesReferences.edges.map(edge => edge.node.number)
            const release = JSON.parse(process.env.RELEASE_BRANCH || 'false')
            const prerelease = JSON.parse(process.env.PRERELEASE || 'false')
            for (const issue_number of issues) {
              await github.rest.issues.addLabels({
                ...context.repo,
                issue_number,
                labels: [release ? `status:${prerelease ? 'pre' : ''}released` : 'status:merged']
              })
            }
# Lock Inactive Threads
#
# References:
#
# - https://github.com/dessant/lock-threads
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#schedule
---
# Lock closed issues and pull requests after 60 days without activity, leaving
# a comment that points people at a fresh issue instead.
name: lock-inactive-threads
on:
  schedule:
    # once a day at midnight (cron schedules run in UTC)
    - cron: '0 0 * * *'
# Locking needs write access to both thread types; nothing else is granted.
permissions:
  issues: write
  pull-requests: write
jobs:
  lock-inactive-threads:
    runs-on: ubuntu-latest
    steps:
      - id: lock
        name: Lock inactive issues and pull requests
        # NOTE(review): pinned to a tag, which can be moved; a full commit SHA
        # is the immutable pin for a third-party action that gets write tokens.
        uses: dessant/lock-threads@v4.0.0
        with:
          issue-inactive-days: 60
          issue-comment: |
            This issue has been automatically locked since there has not been any recent activity
            after it was closed. Please open a new issue for related bugs or features. Be sure to
            reference this issue.
          pr-inactive-days: 60
          pr-comment: |
            This pull request has been automatically locked since there has not been any recent
            activity after it was closed. Please open a new issue for related bugs or features. Be
            sure to reference this issue.
# No Response
#
# Closes issues that don't have enough information to be actionable.
#
# References:
#
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#issue_comment
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#schedule
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#issue_comment
# - https://github.com/lee-dohm/no-response
---
# Close issues whose author never answered a request for more information.
# Reacts to new comments (so an answer can clear the label) and polls hourly
# for issues that have waited long enough to be closed.
name: no-response
on:
  issue_comment:
    types:
      - created
  schedule:
    # every hour, five minutes past the hour
    - cron: '5 * * * *'
permissions:
  issues: write
jobs:
  no-response:
    runs-on: ubuntu-latest
    steps:
      - id: close-issues
        name: Closes issues missing actionable info
        uses: lee-dohm/no-response@v0.5.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # issues carrying this label are the ones waiting on their author
          responseRequiredLabel: 'status:awaiting-answers'
          daysUntilClose: 14
          closeComment: |
            This issue has been automatically closed because there has been no response to our
            request for more information from the original author. With only the information that is
            currently available, there isn't enough information to take action. Please reach out if
            you have or find the answers needed so next steps, if any, can be determined.
# Publish
#
# Cross-publish package to GitHub Package Registry and NPM when a GitHub release is published or on
# workflow dispatch.
#
# References:
#
# - https://docs.github.com/actions/learn-github-actions/contexts
# - https://docs.github.com/actions/learn-github-actions/expressions
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#release
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch
# - https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#release
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_dispatch
# - https://github.com/actions/checkout
# - https://github.com/actions/setup-node
# - https://github.com/actions/setup-node/blob/main/docs/advanced-usage.md#yarn2-configuration
# - https://github.com/hmarr/debug-action
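---
# Cross-publish the release tarball to GitHub Package Registry and then to npm.
# Each registry is a separate job with its own environment and its own
# credential; `preflight` works out what is published and with which command.
name: publish
on:
  release:
    types:
      - published
  workflow_dispatch:
    inputs:
      tag:
        description: release tag
        required: true
        type: string
env:
  # release event → the tag that was just published; manual run → the tag input
  REF: ${{ format('refs/tags/{0}', inputs.tag || github.event.release.tag_name) }}
  TAG: ${{ inputs.tag || github.event.release.tag_name }}
# NOTE(review): cancel-in-progress can stop a run between the gpr and npm
# jobs, leaving one registry published and the other not — confirm that an
# interrupted publish is acceptable for this package.
concurrency:
  cancel-in-progress: true
  group: ${{ github.workflow }}-${{ inputs.tag || github.event.release.tag_name }}
jobs:
  # Read-only job: resolves the version, the tarball URL and the dist tag.
  preflight:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    outputs:
      publish-command: ${{ steps.publish-command.outputs.result }}
      version: ${{ steps.version.outputs.result }}
    steps:
      - id: debug
        name: Print environment variables and event payload
        uses: hmarr/debug-action@v2.1.0
      - id: checkout
        name: Checkout ${{ env.TAG }}
        uses: actions/checkout@v3.5.0
        with:
          persist-credentials: false
          ref: ${{ env.REF }}
      - id: version
        name: Get package version
        run: echo "result=$(jq .version package.json -r)" >>$GITHUB_OUTPUT
      - id: artifact
        # Release events use the first asset attached to the release, which is
        # assumed to be the package tarball; manual runs rebuild that asset's
        # download URL from the package scope, name and version instead.
        name: Get release artifact download URL
        run: |
          echo "result=${{ github.event_name == 'release' && github.event.release.assets[0].browser_download_url || format('{0}/{1}/releases/download/{2}/%40{3}-{4}-{5}.tgz', github.server_url, github.repository, env.TAG, github.repository_owner, github.event.repository.name, steps.version.outputs.result) }}" >>$GITHUB_OUTPUT
      - id: dist-tag
        name: Get dist tag
        uses: flex-development/dist-tag-action@1.1.2
        with:
          target: ${{ steps.version.outputs.result }}
      - id: publish-command
        # The command is assembled only from this repository's own metadata
        # (release payload, package.json, dist-tag-action output) and is later
        # interpolated straight into a `run:` step by the publishing jobs, so
        # it must not pick up anything supplied by a third party.
        name: Get publish command
        env:
          ARTIFACT: ${{ steps.artifact.outputs.result }}
          FLAGS: ${{ steps.dist-tag.outputs.flag }}
        run: echo "result=npm publish $ARTIFACT $FLAGS" >>$GITHUB_OUTPUT
  # Publish to GitHub Package Registry, authenticated with the job's own
  # GITHUB_TOKEN.
  gpr:
    needs: preflight
    permissions:
      contents: read    # checkout on a private repository
      packages: write   # npm publish to npm.pkg.github.com
    runs-on: ubuntu-latest
    environment:
      name: gpr
      url: |
        ${{ format('{0}/{1}/pkgs/npm/{2}', github.server_url, github.repository,
        github.event.repository.name) }}
    steps:
      - id: checkout
        name: Checkout ${{ env.TAG }}
        uses: actions/checkout@v3.5.0
        with:
          persist-credentials: false
          ref: ${{ env.REF }}
      - id: npmrc-cleanup
        # The repository's own .npmrc would otherwise be read alongside the one
        # setup-node writes; -f makes the step a no-op instead of a failure if
        # the file is absent.
        name: Remove stale .npmrc file
        run: rm -f .npmrc
      - id: npmrc
        name: Setup .npmrc file
        uses: actions/setup-node@v3.6.0
        with:
          always-auth: true
          node-version-file: .nvmrc
          registry-url: https://npm.pkg.github.com
          scope: ${{ github.repository_owner }}
      - id: npmrc-print
        # setup-node writes the auth line as a reference to the NODE_AUTH_TOKEN
        # environment variable rather than the token value, so this should not
        # print a secret — TODO confirm against the generated file before
        # relying on that.
        name: Print contents of .npmrc file
        run: cat $NPM_CONFIG_USERCONFIG
      - id: publish
        name: Publish package
        run: ${{ needs.preflight.outputs.publish-command }}
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # Publish to npm, authenticated with NPM_TOKEN. GITHUB_TOKEN is only used by
  # the checkout here, so this job gets no package scope at all.
  npm:
    needs:
      - gpr
      - preflight
    permissions:
      contents: read
    runs-on: ubuntu-latest
    environment:
      name: npm
      url: |
        ${{ format('https://npmjs.com/package/@{0}/v/{1}', github.repository,
        needs.preflight.outputs.version) }}
    steps:
      - id: checkout
        name: Checkout ${{ env.TAG }}
        uses: actions/checkout@v3.5.0
        with:
          persist-credentials: false
          ref: ${{ env.REF }}
      - id: npmrc-cleanup
        name: Remove stale .npmrc file
        run: rm -f .npmrc
      - id: npmrc
        name: Setup .npmrc file
        uses: actions/setup-node@v3.6.0
        with:
          always-auth: true
          node-version-file: .nvmrc
          registry-url: https://registry.npmjs.org
          scope: ${{ github.repository_owner }}
      - id: npmrc-print
        # see the gpr job: expected to show a variable reference, not a token
        name: Print contents of .npmrc file
        run: cat $NPM_CONFIG_USERCONFIG
      - id: publish
        name: Publish package
        run: ${{ needs.preflight.outputs.publish-command }}
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}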
# Release
#
# Publish a GitHub release on release branch merge or workflow dispatch.
#
# References:
#
# - https://cli.github.com/manual/gh_release_create
# - https://docs.github.com/actions/learn-github-actions/contexts
# - https://docs.github.com/actions/learn-github-actions/expressions
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#pull_request
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch
# - https://docs.github.com/actions/using-workflows/using-github-cli-in-workflows
# - https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_dispatch
# - https://git-scm.com/book/en/v2/Git-Basics-Tagging
# - https://github.com/actions/checkout
# - https://github.com/bdougie/close-issues-based-on-label
# - https://github.com/crazy-max/ghaction-import-gpg
# - https://github.com/flex-development/dist-tag-action
# - https://github.com/hmarr/debug-action
# - https://yarnpkg.com/cli/pack
---
# Create a signed tag for the release commit, publish a GitHub release from it,
# and close the issues carrying the matching status label.
name: release
on:
  pull_request:
    branches:
      - main
    types:
      - closed
  workflow_dispatch:
    inputs:
      sha:
        description: release commit sha
        required: true
        type: string
env:
  # pull_request → merge commit of the closed pull request; manual → the sha input
  REF: ${{ inputs.sha || github.event.pull_request.merge_commit_sha }}
  REF_NAME: ${{ format('main@{0}', inputs.sha || github.event.pull_request.merge_commit_sha) }}
jobs:
  # Read-only job: resolves the version, tag and dist tag for the release.
  preflight:
    # Only a merged release/* pull request, or a manual run started from main,
    # may produce a release.
    if: |
      (github.event.pull_request.merged && startsWith(github.head_ref, 'release/')) ||
      (github.event_name == 'workflow_dispatch' && github.ref_name == 'main')
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      prerelease: ${{ steps.dist-tag.outputs.prerelease }}
      tag: ${{ steps.tag.outputs.result }}
      version: ${{ steps.version.outputs.result }}
    steps:
      - id: debug
        name: Print environment variables and event payload
        uses: hmarr/debug-action@v2.1.0
      - id: checkout
        name: Checkout ${{ env.REF_NAME }}
        uses: actions/checkout@v3.5.0
        with:
          ref: ${{ env.REF }}
      - id: version
        name: Get package version
        run: echo "result=$(jq .version package.json -r)" >>$GITHUB_OUTPUT
      - id: tag-prefix
        name: Get release tag prefix
        run: echo "result=$(jq .tagPrefix package.json -r)" >>$GITHUB_OUTPUT
      - id: tag
        # release tag = tagPrefix + version, both read from package.json
        name: Get release tag
        run: |
          echo "result=${{ format('{0}{1}', steps.tag-prefix.outputs.result, steps.version.outputs.result) }}" >>$GITHUB_OUTPUT
      - id: dist-tag
        name: Get dist tag
        uses: flex-development/dist-tag-action@1.1.2
        with:
          target: ${{ steps.version.outputs.result }}
  # Builds the tarball and release notes, pushes the signed tag and publishes
  # the release. This is the only job with a write token.
  publish:
    needs: preflight
    permissions:
      contents: write   # push the tag, create the release
      packages: read
    runs-on: ubuntu-latest
    environment:
      name: release
      url:
        ${{ format('{0}/{1}/releases/tag/{2}', github.server_url, github.repository,
        needs.preflight.outputs.tag) }}
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      HUSKY: 0
      NODE_ENV: production
      NODE_NO_WARNINGS: 1
      NOTES_FILE: ./RELEASE_NOTES.md
      PRERELEASE: ${{ needs.preflight.outputs.prerelease }}
      TAG: ${{ needs.preflight.outputs.tag }}
    steps:
      - id: checkout
        name: Checkout ${{ env.REF_NAME }}
        uses: actions/checkout@v3.5.0
        with:
          # full history (presumably for the changelog step), and the token is
          # left in the checkout so `git push origin $TAG` below can
          # authenticate
          fetch-depth: 0
          persist-credentials: true
          ref: ${{ env.REF }}
      - id: gpg-import
        # Imports the signing key from secrets and configures git to sign tags
        # with it.
        name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v5.2.0
        with:
          git_config_global: true
          git_tag_gpgsign: true
          git_user_signingkey: true
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
      # todo: remove when https://github.com/crazy-max/ghaction-import-gpg/issues/118 is resolved
      - id: gpg-trust
        # Answers gpg's interactive prompt for the key that was just imported:
        # `trust`, level 5 (ultimate), confirm, quit. The key id interpolated
        # into the command is the import step's own output, not an external
        # value.
        name: Set trust on GPG key
        run: |
          gpg --no-tty --command-fd 0 --edit-key ${{ steps.gpg-import.outputs.keyid }} << EOTRUST
          trust
          5
          y
          quit
          EOTRUST
      - id: yarn
        name: Install dependencies
        run: yarn
      - id: pack
        # %s / %v are yarn's placeholders for package name and version
        name: Pack project
        run: yarn pack -o %s-%v.tgz
      - id: release-notes
        name: Generate release notes
        run: yarn changelog --outfile $NOTES_FILE --write
      - id: tag
        name: Create annotated tag
        env:
          GIT_AUTHOR_EMAIL: ${{ steps.gpg-import.outputs.email }}
          GIT_COMMITTER_EMAIL: ${{ steps.gpg-import.outputs.email }}
        # --force replaces a local tag of the same name; the signature is
        # verified before anything is pushed
        run: |
          git tag --annotate --force --sign $TAG --message "release: $TAG"
          git tag --verify $TAG
          git push origin $TAG
      - id: publish
        name: Publish release
        env:
          # A personal access token instead of GITHUB_TOKEN — presumably so the
          # resulting `release: published` event triggers the publish workflow,
          # since events raised with GITHUB_TOKEN do not start other workflows;
          # confirm that is the reason.
          GITHUB_TOKEN: ${{ secrets.PAT_REPO }}
        run: gh release create $TAG *.tgz -t=$TAG -p=$PRERELEASE -F=$NOTES_FILE
      - id: close-issues
        name: Close released issues
        # NOTE(review): pinned to the `master` branch, a moving ref — whatever
        # lands on that branch runs here with this job's write token. Pin to a
        # full commit SHA (`@<full-commit-sha>`) and update it deliberately.
        uses: bdougie/close-issues-based-on-label@master
        env:
          LABEL: status:${{ needs.preflight.outputs.prerelease && 'prereleased' || 'released' }}
# TypeScript Canary Check
#
# Run type tests against the latest and next versions of TypeScript.
#
# References:
#
# - https://docs.github.com/actions/learn-github-actions/contexts
# - https://docs.github.com/actions/using-jobs/using-a-matrix-for-your-jobs
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#schedule
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch
# - https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_dispatch
# - https://github.com/actions/checkout
# - https://github.com/actions/setup-node
# - https://github.com/actions/setup-node/blob/main/docs/advanced-usage.md#yarn2-configuration
# - https://github.com/hmarr/debug-action
# - https://vitest.dev/guide/testing-types.html#run-typechecking
---
# Build and type-check the project against the `next` and `latest` TypeScript
# releases so compiler changes surface before they reach a normal build.
name: typescript-canary
on:
  schedule:
    # every day, 3 hours after typescript@next release
    # https://github.com/microsoft/TypeScript/blob/v4.9.5/.github/workflows/nightly.yaml
    - cron: '0 10 * * *'
  workflow_dispatch:
permissions:
  contents: read
  packages: read
env:
  # NOTE(review): a workflow-level token is visible to every step, including
  # the environment dump done by debug-action below; log masking hides the
  # value, but the dump is still exposure with no benefit. Scoping the token
  # to the install steps would be tighter, if the project's yarn configuration
  # tolerates its absence elsewhere — verify before changing.
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  HUSKY: 0
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  typescript-canary:
    runs-on: ubuntu-latest
    strategy:
      # a failure on one compiler version must not cancel the other
      fail-fast: false
      matrix:
        typescript-version:
          - next
          - latest
    steps:
      - id: debug
        name: Print environment variables and event payload
        uses: hmarr/debug-action@v2.1.0
      - id: checkout
        name: Checkout ${{ github.ref_name }}
        uses: actions/checkout@v3.5.0
        with:
          ref: ${{ github.ref }}
          persist-credentials: false
      - id: node
        name: Setup Node.js
        uses: actions/setup-node@v3.6.0
        with:
          node-version-file: .nvmrc
          cache: yarn
          cache-dependency-path: yarn.lock
      - id: yarn
        # Dependabot runs may rewrite the lockfile; every other run must match
        # yarn.lock exactly. Both interpolated values are fixed literal flags.
        name: Install dependencies
        run: yarn ${{ github.actor == 'dependabot[bot]' && '--no-immutable' || '--immutable' }}
      - id: typescript
        name: Install typescript@${{ matrix.typescript-version }}
        run: yarn add -D typescript@${{ matrix.typescript-version }}
      - id: set-typescript-version
        # record the concrete version that `next`/`latest` resolved to
        name: Set env.TYPESCRIPT_VERSION
        run: |
          echo "TYPESCRIPT_VERSION=$(jq .devDependencies.typescript package.json -r)" >>$GITHUB_ENV
      - id: print-typescript-version
        name: Print TypeScript version
        run: echo $TYPESCRIPT_VERSION
      - id: build
        name: Build project
        run: yarn build
      - id: typecheck
        name: Run typecheck
        run: yarn typecheck
      - id: typecheck-build
        name: Run typecheck-build
        run: yarn check:types:build