authorMehmet Samet Duman <yongdohyun@projecttick.org>2026-04-02 21:10:55 +0300
committerMehmet Samet Duman <yongdohyun@projecttick.org>2026-04-02 21:10:55 +0300
commitad3e782536599445e9ed066987f26b09981ed063 (patch)
tree6acf258709c67419169d65af564098ccade20df9 /.github
parent25a9943d68a7dc31eeefeb17913dbe37d87e5302 (diff)
NOISSUE Update GitHub workflows for fuzzing, dependency review, labeling, and stale issue management
Signed-off-by: Mehmet Samet Duman <yongdohyun@projecttick.org>
Diffstat (limited to '.github')
-rw-r--r--.github/workflows/cmark-fuzz.yml23
-rw-r--r--.github/workflows/json4cpp-fuzz.yml18
-rw-r--r--.github/workflows/neozip-fuzz.yml21
-rw-r--r--.github/workflows/repo-dependency-review.yml (renamed from .github/workflows/json4cpp-dependency-review.yml)7
-rw-r--r--.github/workflows/repo-labeler.yml (renamed from .github/workflows/json4cpp-labeler.yml)13
-rw-r--r--.github/workflows/repo-scorecards.yml (renamed from .github/workflows/json4cpp-scorecards.yml)6
-rw-r--r--.github/workflows/repo-stale.yml (renamed from .github/workflows/json4cpp-stale.yml)2
-rw-r--r--.github/workflows/tomlplusplus-fuzz.yml20
-rw-r--r--.github/workflows/uvim-label.yml15
9 files changed, 73 insertions, 52 deletions
diff --git a/.github/workflows/cmark-fuzz.yml b/.github/workflows/cmark-fuzz.yml
index fd999ca929..28f14b8244 100644
--- a/.github/workflows/cmark-fuzz.yml
+++ b/.github/workflows/cmark-fuzz.yml
@@ -1,17 +1,32 @@
name: "cmark: Fuzz"
on:
+ push:
+ branches: [master]
+ paths:
+ - 'cmark/**'
+ - '.github/workflows/cmark-fuzz.yml'
pull_request:
paths:
- 'cmark/**'
- '.github/workflows/cmark-fuzz.yml'
+ workflow_dispatch:
+
+concurrency:
+ group: cmark-fuzz-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
jobs:
- Fuzzing:
+ fuzzing:
+ name: Fuzzing
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Build Fuzzers
+ id: build
uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
with:
oss-fuzz-project-name: 'cmark'
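Review bot: The build step that gains `id: build` still resolves `google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master`, and the checkout above it uses the tag `actions/checkout@v6`, so the code this job runs can change without any commit in this repository. json4cpp-fuzz.yml and repo-dependency-review.yml in this same commit pin actions to a full commit SHA with a version comment; following that form here would look like `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` and `uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@<full-commit-sha> # master`. The same `@master` reference is in the build step of neozip-fuzz.yml. The step list continues outside this hunk.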
@@ -23,8 +38,8 @@ jobs:
fuzz-seconds: 600
dry-run: false
- name: Upload Crash
- uses: actions/upload-artifact@v7
- if: failure()
+ uses: actions/upload-artifact@v4
+ if: failure() && steps.build.outcome == 'success'
with:
- name: artifacts
+ name: cmark-fuzz-artifacts
path: ./out/artifacts
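Review bot: The `uses:` line moves `actions/upload-artifact` from `v7` back to `v4` and keeps it on a mutable tag, while json4cpp-fuzz.yml in this commit stays on `actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0`. If the downgrade is not intentional, reusing that pinned line here keeps all fuzz workflows on one reviewed version; if it is intentional, a short comment stating why v4 is required would stop it being "fixed" later. The identical change is made in the second hunk of neozip-fuzz.yml.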
diff --git a/.github/workflows/json4cpp-fuzz.yml b/.github/workflows/json4cpp-fuzz.yml
index 78805aa597..893435c953 100644
--- a/.github/workflows/json4cpp-fuzz.yml
+++ b/.github/workflows/json4cpp-fuzz.yml
@@ -1,15 +1,27 @@
-name: "json4cpp: CIFuzz"
+name: "json4cpp: Fuzz"
on:
+ push:
+ branches: [master, develop]
+ paths:
+ - 'json4cpp/**'
+ - '.github/workflows/json4cpp-fuzz.yml'
pull_request:
paths:
- 'json4cpp/**'
+ - '.github/workflows/json4cpp-fuzz.yml'
+ workflow_dispatch:
+
+concurrency:
+ group: json4cpp-fuzz-${{ github.ref }}
+ cancel-in-progress: true
permissions:
contents: read
jobs:
- Fuzzing:
+ fuzzing:
+ name: Fuzzing
runs-on: ubuntu-22.04
steps:
- name: Harden Runner
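Review bot: `cancel-in-progress: true` in the new `concurrency` block also covers the `push` trigger added above it, so a second push to `master` or `develop` cancels the fuzz run of the previous commit and that commit ends up with no result of its own, which makes a later crash harder to attribute. Restricting cancellation to pull requests keeps superseded PR runs cheap and lets branch runs finish: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The same block is added in cmark-fuzz.yml and tomlplusplus-fuzz.yml. The job's steps continue outside this hunk.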
@@ -35,5 +47,5 @@ jobs:
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: failure() && steps.build.outcome == 'success'
with:
- name: artifacts
+ name: json4cpp-fuzz-artifacts
path: ./out/artifacts
diff --git a/.github/workflows/neozip-fuzz.yml b/.github/workflows/neozip-fuzz.yml
index 3e63443cea..59b74debab 100644
--- a/.github/workflows/neozip-fuzz.yml
+++ b/.github/workflows/neozip-fuzz.yml
@@ -1,28 +1,31 @@
name: "neozip: Fuzz"
on:
- pull_request:
+ push:
+ branches: [master, develop]
paths:
- 'neozip/**'
- '.github/workflows/neozip-fuzz.yml'
- workflow_dispatch:
- push:
- branches:
- - master
- - develop
+ pull_request:
paths:
- 'neozip/**'
+ - '.github/workflows/neozip-fuzz.yml'
+ workflow_dispatch:
concurrency:
group: neozip-fuzz-${{ github.ref }}
cancel-in-progress: true
+permissions:
+ contents: read
+
jobs:
fuzzing:
name: Fuzzing
runs-on: ubuntu-latest
steps:
- name: Build Fuzzers
+ id: build
uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
with:
oss-fuzz-project-name: 'zlib-ng'
@@ -36,8 +39,8 @@ jobs:
dry-run: false
- name: Upload Crash
- uses: actions/upload-artifact@v7
- if: failure()
+ uses: actions/upload-artifact@v4
+ if: failure() && steps.build.outcome == 'success'
with:
- name: artifacts
+ name: neozip-fuzz-artifacts
path: ./out/artifacts
diff --git a/.github/workflows/json4cpp-dependency-review.yml b/.github/workflows/repo-dependency-review.yml
index 42b6cc2b8c..469ecfbdfb 100644
--- a/.github/workflows/json4cpp-dependency-review.yml
+++ b/.github/workflows/repo-dependency-review.yml
@@ -1,9 +1,9 @@
-name: "json4cpp: Dependency Review"
+name: "Dependency Review"
+# Scans dependency manifest changes in every pull request.
+# Blocks merging of PRs that introduce known-vulnerable packages.
on:
pull_request:
- paths:
- - 'json4cpp/**'
permissions:
contents: read
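Review bot: The added header comment states that the workflow "Blocks merging of PRs that introduce known-vulnerable packages", but nothing in the visible file enforces that: a failed job only blocks a merge when the check is marked as required in branch protection, which cannot be seen from here. Wording that matches what the file does would be `# Fails the check when a PR introduces a known-vulnerable package; mark the check as required to block merging.` The job definition is outside this hunk.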
@@ -19,5 +19,6 @@ jobs:
- name: Checkout Repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
- name: Dependency Review
uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
diff --git a/.github/workflows/json4cpp-labeler.yml b/.github/workflows/repo-labeler.yml
index 2448a6a1ae..3d5e84a94a 100644
--- a/.github/workflows/json4cpp-labeler.yml
+++ b/.github/workflows/repo-labeler.yml
@@ -1,26 +1,25 @@
-name: "json4cpp: Pull Request Labeler"
+name: "Labeler"
on:
pull_request_target:
- types: [opened, synchronize]
+ types: [opened, synchronize, reopened]
permissions:
contents: read
jobs:
label:
+ runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
- runs-on: ubuntu-latest
-
steps:
- name: Harden Runner
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- - uses: srvaroa/labeler@e8fbb2561481ef6e711a770f0234e9379dc76892 # master
- env:
- GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ - uses: actions/labeler@v6
+ with:
+ repo-token: "${{ secrets.GITHUB_TOKEN }}"
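Review bot: The labeler step replaces a SHA-pinned action with `actions/labeler@v6`, a mutable tag, in the one workflow here that runs on `pull_request_target` with `pull-requests: write`. Harden Runner in the step above is still pinned by commit, so the new line is the only unpinned code that receives the write token; `uses: actions/labeler@<full-commit-sha> # v6` would keep the two consistent. It is also worth a comment above `steps:` noting that this job must not check out or execute pull-request code, since the trigger runs in the base repository's context for forked PRs.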
diff --git a/.github/workflows/json4cpp-scorecards.yml b/.github/workflows/repo-scorecards.yml
index f8a6a10f46..06291bb004 100644
--- a/.github/workflows/json4cpp-scorecards.yml
+++ b/.github/workflows/repo-scorecards.yml
@@ -1,13 +1,11 @@
-name: "json4cpp: Scorecard supply-chain security"
+name: "Scorecard supply-chain security"
on:
branch_protection_rule:
schedule:
- cron: '20 7 * * 2'
push:
- branches: ["develop"]
- paths:
- - 'json4cpp/**'
+ branches: [master, main, develop]
permissions:
contents: read
diff --git a/.github/workflows/json4cpp-stale.yml b/.github/workflows/repo-stale.yml
index 6a061eed3c..9919ce314a 100644
--- a/.github/workflows/json4cpp-stale.yml
+++ b/.github/workflows/repo-stale.yml
@@ -1,4 +1,4 @@
-name: "json4cpp: Comment and close stale issues and PR"
+name: "Stale: Comment and close stale issues and PRs"
on:
schedule:
diff --git a/.github/workflows/tomlplusplus-fuzz.yml b/.github/workflows/tomlplusplus-fuzz.yml
index 0ead0d2974..7d346a172c 100644
--- a/.github/workflows/tomlplusplus-fuzz.yml
+++ b/.github/workflows/tomlplusplus-fuzz.yml
@@ -1,19 +1,27 @@
-name: "tomlplusplus: CIFuzz"
+name: "tomlplusplus: Fuzz"
on:
push:
- branches:
- - master
+ branches: [master]
paths:
- 'tomlplusplus/**'
+ - '.github/workflows/tomlplusplus-fuzz.yml'
pull_request:
paths:
- 'tomlplusplus/**'
+ - '.github/workflows/tomlplusplus-fuzz.yml'
+ workflow_dispatch:
-permissions: {}
+concurrency:
+ group: tomlplusplus-fuzz-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
jobs:
- Fuzzing:
+ fuzzing:
+ name: Fuzzing
runs-on: ubuntu-latest
permissions:
security-events: write
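Review bot: The workflow-level `permissions:` changes from `{}` to `contents: read`, which widens the default token for any job that does not declare its own block. The `fuzzing` job already has a job-level `permissions:` mapping (only `security-events: write` is visible; the rest lies outside the hunk), and job-level permissions replace the workflow-level ones rather than adding to them. Keeping `permissions: {}` at the top and listing `contents: read` under the job if it is needed would preserve the deny-by-default setting the file had before.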
@@ -35,7 +43,7 @@ jobs:
uses: actions/upload-artifact@v4
if: failure() && steps.build.outcome == 'success'
with:
- name: artifacts
+ name: tomlplusplus-fuzz-artifacts
path: ./out/artifacts
- name: Upload Sarif
if: always() && steps.build.outcome == 'success'
diff --git a/.github/workflows/uvim-label.yml b/.github/workflows/uvim-label.yml
deleted file mode 100644
index 30dbfe5c2e..0000000000
--- a/.github/workflows/uvim-label.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-name: "uvim: Labeler"
-
-on: [pull_request_target]
-
-jobs:
- label:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- pull-requests: write
-
- steps:
- - uses: actions/labeler@v6
- with:
- repo-token: "${{ secrets.GITHUB_TOKEN }}"