bevyengine
diff --git a/‎.github/actions/install-linux-deps/action.yml‎
Lines changed: 5 additions & 0 deletions b/‎.github/actions/install-linux-deps/action.yml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 8 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎.github/workflows/action-on-PR-labeled.yml‎
Lines changed: 12 additions & 7 deletions b/‎.github/workflows/action-on-PR-labeled.yml‎
Lines changed: 12 additions & 7 deletions
diff --git a/‎.github/workflows/ci-comment-failures.yml‎
Lines changed: 17 additions & 16 deletions b/‎.github/workflows/ci-comment-failures.yml‎
Lines changed: 17 additions & 16 deletions
@@ -33,6 +33,10 @@ inputs:
     description: Install xkb (libxkbcommon-dev)
     required: false
     default: "false"
+  x264:
+    description: Install x264 (libx264-dev)
+    required: false
+    default: "false"
 runs:
   using: composite
   steps:
@@ -47,3 +51,4 @@ runs:
         ${{ fromJSON(inputs.udev) && 'libudev-dev' || '' }}
         ${{ fromJSON(inputs.wayland) && 'libwayland-dev' || '' }}
         ${{ fromJSON(inputs.xkb) && 'libxkbcommon-dev' || '' }}
+        ${{ fromJSON(inputs.x264) && 'libx264-164 libx264-dev' || '' }}
@@ -6,6 +6,14 @@ updates:
       interval: weekly
     labels:
       - "C-Dependencies"
+    groups:
+      wgpu:
+        patterns:
+          - "*wgpu*"
+          - "naga*"
+      accesskit:
+        patterns:
+          - "accesskit*"
   - package-ecosystem: github-actions
     directory: /
     schedule:
 
@@ -7,19 +7,21 @@ on:
   pull_request_target:
     types:
       - labeled
-
-permissions:
-  pull-requests: 'write'
+    branches:
+      - "main"
 
 jobs:
   comment-on-migration-guide-label:
+    permissions:
+      pull-requests: "write"
     runs-on: ubuntu-latest
     if: github.event.label.name == 'M-Migration-Guide'
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 2
+          persist-credentials: false
       - name: Get changes
         id: get_changes
         shell: bash {0}
@@ -30,7 +32,7 @@ jobs:
         env:
           BASE_SHA: ${{ github.event.pull_request.base.sha }}
           HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/github-script@v8
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         if: steps.get_changes.outputs.found_changes == '0'
         with:
           script: |
@@ -43,13 +45,16 @@ jobs:
               Please review the [instructions for writing migration guides](https://github.com/bevyengine/bevy/tree/main/release-content/migration_guides.md), then expand or revise the content in the [migration guides directory](https://github.com/bevyengine/bevy/tree/main/release-content/migration-guides) to reflect your changes.`
             })
   comment-on-release-note-label:
+    permissions:
+      pull-requests: "write"
     runs-on: ubuntu-latest
     if: github.event.label.name == 'M-Release-Note'
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 2
+          persist-credentials: false
       - name: Get changes
         id: get_changes
         shell: bash {0}
@@ -60,7 +65,7 @@ jobs:
         env:
           BASE_SHA: ${{ github.event.pull_request.base.sha }}
           HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/github-script@v8
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         if: steps.get_changes.outputs.found_changes == '0'
         with:
           script: |
 
@@ -1,11 +1,7 @@
 name: CI - PR Comments
 
- # This workflow has write permissions on the repo
- # It must not checkout a PR and run untrusted code
-
-# Also requesting write permissions on PR to be able to comment
-permissions:
-  pull-requests: 'write'
+# This workflow has write permissions on the repo
+# It must not checkout a PR and run untrusted code
 
 on:
   workflow_run:
@@ -14,16 +10,17 @@ on:
       - completed
 
 jobs:
-
   missing-examples:
+    permissions:
+      pull-requests: "write"
     runs-on: ubuntu-latest
     if: >
       github.event.workflow_run.event == 'pull_request' &&
       github.event.workflow_run.conclusion == 'failure'
     steps:
-      - name: 'Download artifact'
+      - name: "Download artifact"
         id: find-artifact
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           result-encoding: string
           script: |
@@ -63,7 +60,7 @@ jobs:
           fi
       - name: "Comment on PR"
         if: ${{ steps.find-artifact.outputs.result == 'true' && steps.check-last-comment.outputs.result == 'false' }}
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -87,14 +84,16 @@ jobs:
             }
 
   missing-features:
+    permissions:
+      pull-requests: "write"
     runs-on: ubuntu-latest
     if: >
       github.event.workflow_run.event == 'pull_request' &&
       github.event.workflow_run.conclusion == 'failure'
     steps:
-      - name: 'Download artifact'
+      - name: "Download artifact"
         id: find-artifact
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           result-encoding: string
           script: |
@@ -134,7 +133,7 @@ jobs:
           fi
       - name: "Comment on PR"
         if: ${{ steps.find-artifact.outputs.result == 'true' && steps.check-last-comment.outputs.result == 'false' }}
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -158,14 +157,16 @@ jobs:
             }
 
   msrv:
+    permissions:
+      pull-requests: "write"
     runs-on: ubuntu-latest
     if: >
       github.event.workflow_run.event == 'pull_request' &&
       github.event.workflow_run.conclusion == 'failure'
     steps:
-      - name: 'Download artifact'
+      - name: "Download artifact"
         id: find-artifact
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           result-encoding: string
           script: |
@@ -205,7 +206,7 @@ jobs:
           fi
       - name: "Comment on PR"
         if: ${{ steps.find-artifact.outputs.result == 'true' && steps.check-last-comment.outputs.result == 'false' }}
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |