Updated GitHub workflows from https://github.com/briandfoy/github_wor…

…kflows

3710950391309839cb9d3e2ae960a6f65d563b71

* linux.yml upgraded: 20250101.001 -> 20250126.002
* macos.yml upgraded: 20250101.001 -> 20250125.002
* release.yml upgraded: 20241118.001 -> 20241125.002
* windows.yml upgraded: 20250101.001 -> 20250126.001

.github/workflows/linux.yml

@@ -1,5 +1,5 @@
 # brian's standard GitHub Actions Ubuntu config for Perl 5 modules
-# version 20250101.001
+# version 20250126.002
 # https://github.com/briandfoy/github_workflows
 # https://github.com/features/actions
 # This file is licensed under the Artistic License 2.0
@@ -8,6 +8,24 @@
 # in your repo settings. Or not. It still works if it isn't defined.
 # In that environment, add whatever environment variables or secrets
 # that you want.
+#
+# Variables that you can set in the "automated_testing" environment:
+#
+# EXTRA_CPAN_MODULES  - extra arguments to the first call to cpan.
+#                       Just use EXTRA_CPANM_MODULES though. This is
+#                       here for legacy
+#
+# EXTRA_CPANM_MODULES - extra arguments to the first call to cpanm.
+#                       this is useful to install very particular
+#                       modules, such as DBD::mysql@4.050
+#
+# UBUNTU_EXTRA_APT_GET - extra packages to install before we start
+#
+# UBUNTU_EXTRA_CPANM_MODULES - extra arguments to the first call to cpanm
+#                       but only on Ubuntu. Other workflows won't use this.
+#                       this is useful to install very particular
+#                       modules, such as DBD::mysql@4.050
+
 ---
 name: ubuntu
 
@@ -52,7 +70,7 @@ on:
     pull_request:
     # weekly build on the master branch just to see what CPAN is doing
     schedule:
-        - cron: "17 9 * * 0"
+        - cron: "37 3 * * 0"
 jobs:
     perl:
         environment: automated_testing
@@ -84,13 +102,17 @@ jobs:
             - uses: actions/checkout@v3
             - name: Platform check
               run: uname -a
+            - name: setup platform
+              run: |
+                apt-get upgrade
+                apt-get -y install curl ${{ vars.UBUNTU_EXTRA_APT_GET }}
             - name: Perl version check
               run: |
                 perl -V
                 perl -v | perl -0777 -ne 'm/(v5\.\d+)/ && print "PERL_VERSION=$1"' >> $GITHUB_ENV
 # Some older versions of Perl have trouble with hostnames in certs. I
 # haven't figured out why.
-            - name: Setup environment
+            - name: enhance environment
               run: |
                 echo "PERL_LWP_SSL_VERIFY_HOSTNAME=0" >> $GITHUB_ENV
 # HTML::Tagset bumped its minimum version to v5.10 for no good reason
@@ -105,13 +127,14 @@ jobs:
             - name: fix html-tagset for v5.8
               if: env.PERL_VERSION == 'v5.8'
               run: |
+                cpan App::Cpan
                 curl -L -O https://cpan.metacpan.org/authors/id/P/PE/PETDANCE/HTML-Tagset-3.24.tar.gz
                 tar -xzf HTML-Tagset-3.24.tar.gz
                 cd HTML-Tagset-3.24
                 rm META.*
                 mv Makefile.PL Makefile.PL.orig
                 perl -n -e 'next if /(^use 5)|(MIN_PERL)/; print' Makefile.PL.orig > Makefile.PL
-                cpan -T .
+                cpan -M http://www.cpan.org -T .
                 cd ..
                 pwd
                 ls
@@ -124,13 +147,14 @@ jobs:
             - name: Install cpanm and multiple modules
               run: |
                 curl -L https://cpanmin.us | perl - App::cpanminus
-                cpanm --notest IO::Socket::SSL LWP::Protocol::https App::Cpan HTTP::Tiny ExtUtils::MakeMaker Test::Manifest Test::More
+                cpanm --notest IO::Socket::SSL LWP::Protocol::https App::Cpan HTTP::Tiny ExtUtils::MakeMaker Test::Manifest Test::More ${{ vars.EXTRA_CPANM_MODULES }} ${{ vars.UBUNTU_EXTRA_CPANM_MODULES }}
+                cpan -M http://www.cpan.org -T Test::Manifest ${{ vars.EXTRA_CPAN_MODULES }}
 # Install the dependencies, again not testing them. This installs the
 # module in the current directory, so we end up installing the module,
 # but that's not a big deal.
             - name: Install dependencies
               run: |
-                cpanm --notest --installdeps --with-suggests --with-recommends . ${{ vars.EXTRA_CPAN_MODULES }}
+                cpanm --notest --installdeps --with-suggests --with-recommends .
             - name: Show cpanm failures
               if: ${{ failure() }}
               run: |
@@ -170,7 +194,7 @@ jobs:
             - name: Run coverage tests
               if: env.PERL_VERSION != 'v5.8' && env.PERL_VERSION != 'v5.10'
               env:
-                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
               run: |
                 cpanm --notest Devel::Cover Devel::Cover::Report::Coveralls
                 perl Makefile.PL

.github/workflows/macos.yml

@@ -1,10 +1,43 @@
 # brian's standard GitHub Actions macOS config for Perl 5 modules
-# version 20220902.001
+# version 20250125.002
 # https://github.com/briandfoy/github_workflows
 # https://github.com/features/actions
 # This file is licensed under the Artistic License 2.0
+#
+# This uses the AUTOMATED_TESTING environment that you can set up
+# in your repo settings. Or not. It still works if it isn't defined.
+# In that environment, add whatever environment variables or secrets
+# that you want.
+#
+# Variables that you can set in the "automated_testing" environment:
+#
+# EXTRA_CPAN_MODULES  - extra arguments to the first call to cpan.
+#                       Just use EXTRA_CPANM_MODULES though. This is
+#                       here for legacy
+#
+# EXTRA_CPANM_MODULES - extra arguments to the first call to cpanm.
+#                       this is useful to install very particular
+#                       modules, such as DBD::mysql@4.050
+#
+# MACOS_EXTRA_CPANM_MODULES - extra arguments to the first call to cpanm
+#                       but only on macOS. Other workflows won't use this.
+#                       this is useful to install very particular
+#                       modules, such as DBD::mysql@4.050
+
+
+
+---
 name: macos
 
+# https://github.com/actions/checkout/issues/1590
+env:
+    ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
+
+# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/using-concurrency
+concurrency:
+    group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref || github.run_id }}
+    cancel-in-progress: true
+
 on:
     push:
         branches:
@@ -32,10 +65,13 @@ on:
             - 'Changes'
             - 'LICENSE'
             - 'README.pod'
-        pull_request:
+            - 'README.md'
+            - 'SECURITY.md'
+    pull_request:
 
 jobs:
     perl:
+        environment: automated_testing
         runs-on: macOS-latest
         steps:
             - uses: actions/checkout@v3
@@ -44,7 +80,7 @@ jobs:
             - name: Set up Perl
               run: |
                 brew install perl
-                ls -d /usr/local/Cellar/perl/*/bin | head -1 >> $GITHUB_PATH
+                ls -d /opt/homebrew/Cellar/perl/*/bin | head -1 >> $GITHUB_PATH
                 perl -v | perl -0777 -ne 'm/(v5\.\d+)/ && print "PERL_VERSION=$1"' >> $GITHUB_ENV
             - name: Perl version check
               run: perl -V
@@ -60,8 +96,8 @@ jobs:
             - name: Prepare cpan
               run: |
                 openssl version
-                cpan -M http://www.cpan.org -T IO::Socket::SSL HTTP::Tiny
-                cpan -M https://www.cpan.org -T ExtUtils::MakeMaker Test::Manifest
+                cpan -M https://www.cpan.org -T App::cpanminus IO::Socket::SSL HTTP::Tiny ExtUtils::MakeMaker Test::Manifest ${{ vars.EXTRA_CPAN_MODULES }}
+                cpanm --notest Test::Manifest  ${{ vars.EXTRA_CPANM_MODULES }} ${{ vars.MACOS_EXTRA_CPANM_MODULES }}
 # Install the dependencies, again not testing them. This installs the
 # module in the current directory, so we end up installing the module,
 # but that's not a big deal.
@@ -102,7 +138,7 @@ jobs:
             - name: Run coverage tests
               if: env.PERL_VERSION != 'v5.8'
               env:
-                GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
               run: |
                 cpan -M https://www.cpan.org -T Devel::Cover Devel::Cover::Report::Coveralls
                 perl Makefile.PL

.github/workflows/release.yml

@@ -1,23 +1,72 @@
 # brian's standard GitHub Actions release config for Perl 5 modules
-# version 20220827.002
+# version 20241125.002
 # https://github.com/briandfoy/github_workflows
 # https://github.com/features/actions
 # This file is licensed under the Artistic License 2.0
+#
+# This action builds a Perl distribution and adds it as a release
+# on GitHub. This does not upload to PAUSE, but that wouldn't be
+# that hard, but that doesn't fit with my workflow since this part
+# happens after everything else has succeeded.
+#
+# This requires that you configure a repository secret named
+# RELEASE_ACTION_TOKEN with a GitHub Personal Access Token
+# that has "read and write" permissions on Repository/Contents
+#
+# Variables that you can set in the "automated_testing" environment:
+#
+# EXTRA_CPAN_MODULES  - extra arguments to the first call to cpan.
+#                       Just use EXTRA_CPANM_MODULES though. This is
+#                       here for legacy
+#
+# EXTRA_CPANM_MODULES - extra arguments to the first call to cpanm.
+#                       this is useful to install very particular
+#                       modules, such as DBD::mysql@4.050
+#
+# UBUNTU_EXTRA_CPANM_MODULES - extra arguments to the first call to cpanm
+#                       but only on Ubuntu. Other workflows won't use this.
+#                       this is useful to install very particular
+#                       modules, such as DBD::mysql@4.050
+---
 name: release
 
+# https://github.com/actions/checkout/issues/1590
+env:
+    ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
+
+permissions:
+    contents: write
+    id-token: write
+    attestations: write
+
 on:
     push:
+# tag a release commit with "release-....". This workflow then runs
+# whenever it sees that tag, and doesn't run for other commits.
         tags:
             - 'release-*'
+# With workflow_dispatch, you can trigger this manually. This is
+# especially handy when you want to re-run a job that failed because
+# the token had expired. Update the GitHub secret and re-run on the
+# same commit.
+    workflow_dispatch:
+
 jobs:
     perl:
+# We need a GitHub secret, so create an Environment named "release"
+# * Go to Settings > Environment (repo settings, not account settings)
+# * Make an environment named "release"
+# * Add a secret named "RELEASE_ACTION_TOKEN" with a GitHub token with repo permissions
+# If you use a different token name, update "RELEASE_ACTION_TOKEN" in the last
+# step in this job.
+        environment: release
         runs-on: ${{ matrix.os }}
         strategy:
-          matrix:
-            os:
-                - ubuntu-20.04
-            perl-version:
-                - 'latest'
+            matrix:
+                os:
+                    - ubuntu-20.04
+                perl-version:
+                    - 'latest'
         container:
             image: perl:${{ matrix.perl-version }}
         steps:
@@ -31,39 +80,58 @@ jobs:
 # cpanm first, which is easy. I can install IO::Socket::SSL with that,
 # then switch back to cpan. I didn't explore this further, but what you
 # see here hasn't caused problems for me.
-# Need HTTP::Tiny 0.055 or later.
+#
+# Need HTTP::Tiny 0.055 or later. Probably don't need it at all since I'm
+# not using cpan here.
+#
+# Test::Manifest is there because it's a thing I do. If you are writing
+# modules and don't know what it is, you don't need it.
             - name: Install cpanm and multiple modules
               run: |
                 curl -L https://cpanmin.us | perl - App::cpanminus
-                cpanm --notest IO::Socket::SSL App::Cpan HTTP::Tiny
-                cpan -M https://www.cpan.org -T ExtUtils::MakeMaker Test::Manifest
+                cpanm --notest IO::Socket::SSL HTTP::Tiny ExtUtils::MakeMaker Test::Manifest ${{ vars.EXTRA_CPANM_MODULES }} ${{ vars.UBUNTU_EXTRA_CPANM_MODULES }}
+                cpan -M http://www.cpan.org -T Test::Manifest ${{ vars.EXTRA_CPAN_MODULES }}
 # Install the dependencies, again not testing them. This installs the
 # module in the current directory, so we end up installing the module,
 # but that's not a big deal.
             - name: Install dependencies
               run: |
-                cpan -M https://www.cpan.org -T .
+                cpanm --notest --installdeps --with-suggests --with-recommends .
+# This makes the distribution and tests it, but assumes by the time we
+# got here, everything else was already tested.
             - name: Create distro
               run: |
                 perl Makefile.PL
                 make disttest
                 make dist 2>/dev/null | grep Created | awk '{ print "ASSET_NAME=" $2 }' >> $GITHUB_ENV
             - name: version
-              run: echo "::set-output name=version::$(perl -le 'print $ARGV[0] =~ m/(.*?).tar.gz/' *.tar.gz)"
+              run: |
+                perl -le '($name) = $ARGV[0] =~ m/(.*?).tar.gz/; print qq(name=$name)' *.tar.gz >> $GITHUB_OUTPUT
               id: version
-            - name: release
-              uses: actions/create-release@v1
-              id: create_release
-              env:
-                GITHUB_TOKEN: ${{ github.token }}
+            - name: Changes extract
+              run: |
+                perl -00 -lne 'next unless /\A\d+\.\d+(_\d+)?/; s/^\h+([*-])/$1/gm; s/^-/    -/gm; print; last' Changes > Changes-latest
+                cat Changes-latest
+              id: extract
+# https://cli.github.com/manual/gh_attestation_verify
+# DISTRO_FILE is the .tar.gz in the release
+# GITHUB_ACCOUNT is the github name of the releaser
+#  gh auth login
+#  gh attestation verify DISTRO_FILE --owner GITHUB_ACCOUNT
+            - name: Generate artifact attestation
+              id: attestation
+              uses: actions/attest-build-provenance@v1
               with:
-                draft: false
-                prerelease: false
-                release_name: ${{ steps.version.outputs.version }}
-                tag_name: ${{ github.ref }}
-                body_path: Changes
+                  subject-path: ${{ env.ASSET_NAME }}
             - name: upload
               uses: softprops/action-gh-release@v1
-              if: startsWith(github.ref, 'refs/tags/')
               with:
-                files: "*.tar.gz"
+                  body_path: Changes-latest
+                  draft: false
+                  prerelease: false
+                  name: ${{ steps.version.outputs.name }}
+                  files: |
+                    ${{ env.ASSET_NAME }}
+                    ${{ steps.attestation.outputs.bundle-path }}
+                    ${{ vars.EXTRA_RELEASE_PATHS }}
+                  token: ${{ secrets.RELEASE_ACTION_TOKEN }}