workflows

English | 日本語


Reusable GitHub Actions workflows shared across nozomiishii projects.

Available workflows

pull-request

Validates pull request titles against the Conventional Commits spec. Restricts types to feat / fix / chore and enforces a lowercase-ASCII subject pattern.

Scopes are forbidden by default: feat(api): ... will fail unless the caller opts in via the scopes input. Pass a newline-separated whitelist to allow only specific scopes:

```yaml
name: Pull Request title
on:
  pull_request:
    types: [opened, edited, synchronize]
permissions:
  pull-requests: read
jobs:
  pull-request:
    uses: nozomiishii/workflows/.github/workflows/pull-request.yaml@v2
    # Optional: allow specific scopes. Omit this block to forbid all scopes.
    # with:
    #   scopes: |
    #     api
    #     cli
```
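As an added illustration (not the reusable workflow's own code), the following Python check applies the title rules described above: type limited to feat / fix / chore, scopes rejected unless they appear in the newline-separated `scopes` input, and a lowercase-ASCII subject. The exact regular expressions are assumptions; the workflow's real patterns may differ.

```python
import re

# Types the README says are accepted.
ALLOWED_TYPES = ("feat", "fix", "chore")

# Assumed shape: "<type>: <subject>" with an optional "(scope)" after the type.
_TITLE_RE = re.compile(
    r"^(?P<type>[a-z]+)"            # conventional commit type
    r"(?:\((?P<scope>[^()]*)\))?"   # optional scope in parentheses
    r": (?P<subject>.+)$"           # colon, one space, subject
)

# Assumed lowercase-ASCII subject pattern (letters, digits, space, . _ / -).
_SUBJECT_RE = re.compile(r"^[a-z][a-z0-9 ._/-]*$")


def validate_title(title, scopes=None):
    """Return (ok, reason) for a PR title.

    `scopes` mirrors the README's `scopes` input: a newline-separated
    whitelist. None or an empty string means no scope is allowed at all.
    """
    allowed = {s.strip() for s in (scopes or "").splitlines() if s.strip()}

    m = _TITLE_RE.match(title)
    if not m:
        return False, "title does not match '<type>: <subject>'"

    if m["type"] not in ALLOWED_TYPES:
        return False, "type must be one of " + "/".join(ALLOWED_TYPES)

    scope = m["scope"]
    if scope is not None:
        if not allowed:
            return False, "scopes are forbidden (no 'scopes' input given)"
        if scope not in allowed:
            return False, "scope '%s' is not in the allowed list" % scope

    if not _SUBJECT_RE.match(m["subject"]):
        return False, "subject must be lowercase ASCII"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample titles exercising each rule.
    for t in ["feat: add login", "feat(api): add login", "docs: add readme", "fix: Add Login"]:
        print(t, "->", validate_title(t, "api\ncli"))
```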

github-actions

Audits GitHub Actions workflows with rhysd/actionlint and zizmorcore/zizmor. dorny/paths-filter gates the lint jobs on changes to .github/**/*.yaml; an aggregator required job always reports, making it safe to register as a single branch-protection required check (github-actions / required).

zizmor runs with persona: auditor and fails the job on findings of any severity (informational / low / medium / high). Any finding must be either fixed or explicitly suppressed via a .github/zizmor.yaml config or an inline # zizmor: ignore[<rule>] comment, so warnings can't silently pile up.

If the caller repo does not ship a .github/zizmor.yaml, the reusable workflow fetches this repo's .github/zizmor.yaml at the same SHA the caller pinned and writes it onto the runner; anonymous-definition is disabled and OP_SERVICE_ACCOUNT_TOKEN is allowlisted for secrets-outside-env, the baseline used across nozomiishii/* repos. Committing your own .github/zizmor.yaml in the caller repo replaces the default entirely.

Fork / mirror note: the default-injection path is hardcoded to fetch from nozomiishii/workflows. If you fork or mirror this repo (e.g. your-org/workflows) and call the fork from your own caller, the SHA resolver will not match and the job fails with Failed to resolve nozomiishii/workflows SHA from workflow run. In that case, commit a .github/zizmor.yaml in the caller repo; the workflow honors caller-provided configs and skips the fetch.

```yaml
name: GitHub Actions
on:
  pull_request:
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
permissions:
  contents: read
  pull-requests: read
  actions: read
jobs:
  github-actions:
    uses: nozomiishii/workflows/.github/workflows/github-actions.yaml@v3
```

Trigger must be pull_request only. The reusable workflow runs actions/checkout with persist-credentials: false, and dorny/paths-filter falls back to git fetch for any non-pull_request event (e.g. push, workflow_dispatch on a non-default branch); the fetch then fails with exit 128 because credentials were dropped. pull_request works because paths-filter takes the GitHub REST API path instead.

pull-requests: read is required because dorny/paths-filter uses the GitHub API to list PR files on pull_request events. Public repositories can access that endpoint without the scope, but private repositories will fail with "Resource not accessible by integration" unless the caller grants it. actions: read is required by zizmor's auditor persona to inspect referenced actions metadata.

secret-scan

Scans the repository tree for committed secrets via secretlint/secretlint.

```yaml
name: Secret scan
on:
  workflow_dispatch:
  push:
    branches: [main]
  pull_request:
permissions:
  contents: read
jobs:
  secret-scan:
    uses: nozomiishii/workflows/.github/workflows/secret-scan.yaml@v2
```

Versioning

Versions follow Conventional Commits + Release Please. Pin callers by SHA with the tag name in a trailing comment so Renovate can suggest upgrades:

```yaml
uses: nozomiishii/workflows/.github/workflows/pull-request.yaml@<sha>  # v2.0.0
```

License

MIT
