joke2k
diff --git a/‎.github/dependabot.yml‎
Lines changed: 18 additions & 2 deletions b/‎.github/dependabot.yml‎
Lines changed: 18 additions & 2 deletions
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 12 additions & 15 deletions b/‎.github/workflows/build.yml‎
Lines changed: 12 additions & 15 deletions
diff --git a/‎.github/workflows/change-pr-target.yml‎
Lines changed: 20 additions & 0 deletions b/‎.github/workflows/change-pr-target.yml‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 23 additions & 12 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 23 additions & 12 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 60 additions & 0 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 60 additions & 0 deletions
diff --git a/‎.github/workflows/cs.yml‎
Lines changed: 12 additions & 8 deletions b/‎.github/workflows/cs.yml‎
Lines changed: 12 additions & 8 deletions
diff --git a/‎.github/workflows/docs.yml‎
Lines changed: 14 additions & 9 deletions b/‎.github/workflows/docs.yml‎
Lines changed: 14 additions & 9 deletions
@@ -5,16 +5,32 @@ updates:
   - package-ecosystem: pip
     # setup.py stored in repository root.
     directory: '/'
+    # Raise pull requests for version updates
+    # to pip against the `develop` branch
+    target-branch: develop
     schedule:
-      interval: daily
+      # Check for updates managed by pip once a week
+      interval: weekly
+    # Specify labels for npm pull requests
+    labels:
+      - pip
+      - dependencies
     assignees:
       - sergeyklay
 
   - package-ecosystem: github-actions
     # Workflow files stored in the
     # default location of `.github/workflows`
     directory: '/'
+    # Raise pull requests for version updates
+    # to pip against the `develop` branch
+    target-branch: develop
     schedule:
-      interval: daily
+      # Check for updates for GitHub actions once a week
+      interval: weekly
+    # Specify labels for npm pull requests
+    labels:
+      - github_actions
+      - dependencies
     assignees:
       - sergeyklay
@@ -2,15 +2,16 @@ name: Build
 
 on:
   push:
-    branches:
-      - develop
-      - main
-      - 'feature/**'
-      - 'release/**'
-      - 'fix/**'
+    branches-ignore:
+      # These should always correspond to pull requests, so ignore them for
+      # the push trigger and let them be triggered by the pull_request
+      # trigger, avoiding running the workflow twice.  This is a minor
+      # optimization so there's no need to ensure this is comprehensive.
+      - 'dependabot/**'
     tags:
       - 'v[0-9]+.[0-9]+.[0-9]+'
 
+  # The branches below must be a subset of the branches above
   pull_request:
     branches:
       - develop
@@ -19,18 +20,14 @@ on:
 jobs:
   build:
     name: Build and test package distribution
-    runs-on: ${{ matrix.os }}
-
-    strategy:
-      matrix:
-        os: [ ubuntu-latest, macos-latest, windows-latest ]
+    runs-on: ubuntu-latest
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3.0.2
+        uses: actions/checkout@v3.3.0
 
       - name: Set up Python 3.10
-        uses: actions/setup-python@v4.0.0
+        uses: actions/setup-python@v4.5.0
         with:
           python-version: '3.10'
 
@@ -67,10 +64,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3.0.2
+        uses: actions/checkout@v3.3.0
 
       - name: Set up Python 3.10
-        uses: actions/setup-python@v4.0.0
+        uses: actions/setup-python@v4.5.0
         with:
           python-version: '3.10'
 
 
@@ -0,0 +1,20 @@
+name: Make sure new PRs are sent to develop
+
+on:
+  pull_request_target:
+    types: [opened, edited]
+
+jobs:
+  check-branch:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: Vankka/pr-target-branch-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          target: main
+          exclude: develop # Don't prevent going from develop -> main
+          change-to: develop
+          comment: |
+            Your PR was set to target `main`, PRs should be target `develop`
+            The base branch of this PR has been automatically changed to `develop`, please check that there are no merge conflicts.
@@ -2,13 +2,14 @@ name: CI
 
 on:
   push:
-    branches:
-      - develop
-      - main
-      - 'feature/**'
-      - 'release/**'
-      - 'fix/**'
-
+    branches-ignore:
+      # These should always correspond to pull requests, so ignore them for
+      # the push trigger and let them be triggered by the pull_request
+      # trigger, avoiding running the workflow twice.  This is a minor
+      # optimization so there's no need to ensure this is comprehensive.
+      - 'dependabot/**'
+
+  # The branches below must be a subset of the branches above
   pull_request:
     branches:
       - develop
@@ -46,23 +47,33 @@ jobs:
 
       matrix:
         python:
-          - '3.5'
-          - '3.6'
-          - '3.7'
           - '3.8'
           - '3.9'
           - '3.10'
+          - '3.11'
           - 'pypy-3.7'
         os: [ ubuntu-latest, macos-latest, windows-latest ]
 
+        # These versions are no longer supported by Python team, and may
+        # eventually be dropped from GitHub Actions.  The support of these
+        # versions by django-environ will continue for as long as possible,
+        # and may be discontinued at any time.
+        include:
+          - python: '3.5'
+            os: ubuntu-20.04
+          - python: '3.6'
+            os: ubuntu-20.04
+          - python: '3.7'
+            os: ubuntu-20.04
+
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3.0.2
+        uses: actions/checkout@v3.3.0
         with:
           fetch-depth: 5
 
       - name: Set up Python ${{ matrix.python }}
-        uses: actions/setup-python@v4.0.0
+        uses: actions/setup-python@v4.5.0
         with:
           python-version: ${{ matrix.python }}
 
 
@@ -0,0 +1,60 @@
+name: CodeQL
+
+on:
+  push:
+    branches:
+      - develop
+      - main
+
+  # The branches below must be a subset of the branches above
+  pull_request:
+    branches:
+      - develop
+      - main
+
+  schedule:
+    - cron: '40 22 * * 5'
+      #       |  | | | |
+      #       |  | | | |____ day of the week (0 - 6 or SUN-SAT)
+      #       |  | | |____ month (1 - 12 or JAN-DEC)
+      #       |  | |____ day of the month (1 - 31)
+      #       |  |____ hour (0 - 23)
+      #       |____ minute (0 - 59)
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    # The maximum number of minutes to let a workflow run
+    # before GitHub automatically cancels it. Default: 360
+    timeout-minutes: 30
+
+    strategy:
+      # When set to true, GitHub cancels
+      # all in-progress jobs if any matrix job fails.
+      fail-fast: false
+
+      matrix:
+        language:
+          - python
+
+    steps:
+    - name: Checkout repository
+      uses: actions/[email protected]
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
@@ -2,12 +2,12 @@ name: CS
 
 on:
   push:
-    branches:
-      - develop
-      - main
-      - 'feature/**'
-      - 'release/**'
-      - 'fix/**'
+    branches-ignore:
+      # These should always correspond to pull requests, so ignore them for
+      # the push trigger and let them be triggered by the pull_request
+      # trigger, avoiding running the workflow twice.  This is a minor
+      # optimization so there's no need to ensure this is comprehensive.
+      - 'dependabot/**'
 
   pull_request:
     branches:
@@ -19,12 +19,16 @@ jobs:
     runs-on: ubuntu-latest
     name: Code linting
 
+    # The maximum number of minutes to let a workflow run
+    # before GitHub automatically cancels it. Default: 360
+    timeout-minutes: 30
+
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3.0.2
+        uses: actions/checkout@v3.3.0
 
       - name: Set up Python 3.10
-        uses: actions/setup-python@v4.0.0
+        uses: actions/setup-python@v4.5.0
         with:
           python-version: '3.10'
 
 
@@ -2,13 +2,14 @@ name: Docs
 
 on:
   push:
-    branches:
-      - develop
-      - main
-      - 'feature/**'
-      - 'release/**'
-      - 'fix/**'
-
+    branches-ignore:
+      # These should always correspond to pull requests, so ignore them for
+      # the push trigger and let them be triggered by the pull_request
+      # trigger, avoiding running the workflow twice.  This is a minor
+      # optimization so there's no need to ensure this is comprehensive.
+      - 'dependabot/**'
+
+  # The branches below must be a subset of the branches above
   pull_request:
     branches:
       - develop
@@ -19,12 +20,16 @@ jobs:
     runs-on: ubuntu-latest
     name: Build and test package documentation
 
+    # The maximum number of minutes to let a workflow run
+    # before GitHub automatically cancels it. Default: 360
+    timeout-minutes: 30
+
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3.0.2
+        uses: actions/checkout@v3.3.0
 
       - name: Set up Python 3.10
-        uses: actions/setup-python@v4.0.0
+        uses: actions/setup-python@v4.5.0
         with:
           python-version: '3.10'