Scheduled jobs¶

opentemplate runs scheduled jobs weekly, typically on weekends.

Jobs¶

Most scheduled jobs focus on security (security-_ workflows) and are run periodically as vulnerabilities evolve, namely:

• Security posture analysis: ossf/scorecard ⧉
• Vulnerability scanning: google/osv-scanner ⧉
• Bug detection and code quality: semgrep/semgrep ⧉

Dependency automation¶

Automating dependency updates ensures security and stability.

Renovate¶

• Updates run on weekends.
• Dependencies are grouped by dev-<type>.
• Updates are handled by github-actions[bot].

Adjustments¶

New dev-<type> groups require:

• A corresponding entry in renovate.json.
• (Probably) a new .github/workflows/renovate-<type>.yml workflow.

pre-commit¶

Independent pre-commit hooks update weekly. All hooks run against the latest main branch state to ensure updates are correct.

Content generation¶

cog ⧉ automates content generation based on source code comments (DO NOT EDIT UNTIL end marker in pyproject.toml).

Additionally, opennudge/cogeol ⧉ integrates Python's end-of-life ⧉ data to simplify management.

Together with GitHub Actions, these ensure:

• Support for the latest three Python versions.
• CI/CD always runs appropriate versions.
• PRs are opened for new releases and scheduled deprecations.

Template updates¶

Code sources¶

• .github/renovate.json
• .github/workflows/pre-commit-update*.yml
• .github/workflows/security-osv-scanner-update*.yml
• .github/workflows/security-semgrep*.yml
• .github/workflows/*-renovate.yml
• .github/workflows/generation*.yml