mui/material-ui
Tools: github/codeql-action/analyze, github/codeql-action/init, github/codeql-action/upload-sarif, ossf/scorecard-action
Workflows (17)
check-if-pr-has-label perms .github/workflows/check-if-pr-has-label.yml
name: Check if PR has label
on:
  pull_request:
    types:
      - opened
      - reopened
      - labeled
      - unlabeled
# No token scopes at the workflow level; each job opts in to what it needs.
permissions: {}
jobs:
  test-label-applied:
    # Tests that at least one label is present on the PR
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Pinned to a full commit SHA so a moved tag cannot change what runs.
      - uses: mnajdova/github-action-required-labels@ca0df9249827e43aa4b4a0d25d9fe3e9b19b0705 # v2.1.0
        with:
          mode: minimum
          count: 1
          # NOTE(review): empty `labels` with `count: 1` presumably means "any label counts" — confirm against the action's docs
          labels: ''
ci matrix perms .github/workflows/ci.yml
# Main CI. Runs on pushes to the release branches and on PRs that touch anything outside docs/;
# ci-check.yml covers the complementary case so the required check names are always reported.
name: CI
on:
  push:
    branches:
      # should sync with ci-check.yml as a workaround to bypass github checks
      - master
      - next
      - v*.x
  pull_request:
    paths-ignore:
      # should sync with ci-check.yml as a workaround to bypass github checks
      - 'docs/**'
# Default token has no scopes; each job declares the ones it needs.
permissions: {}
jobs:
  continuous-releases:
    name: Continuous releases
    # Reusable workflow pinned to a full commit SHA in mui/mui-public.
    uses: mui/mui-public/.github/workflows/ci-base.yml@530ec94f97bfe64ae018a9fd8ff0c326cbd61298
  # Tests dev-only scripts across all supported dev environments
  test-dev:
    # l10nbot does not affect dev scripts.
    if: ${{ github.actor != 'l10nbot' }}
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [macos-latest, windows-latest, ubuntu-latest]
    permissions:
      contents: read
    steps:
      # github.actor is a GitHub username (alphanumerics and single hyphens), so expanding it inside the
      # shell command is low risk; passing it through `env:` would be the injection-proof habit.
      - run: echo '${{ github.actor }}'
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # fetch all tags which are required for `pnpm release:changelog`
          fetch-depth: 0
      - name: Set up pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - name: Use Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: '22.18.0'
          cache: 'pnpm' # https://github.com/actions/setup-node/blob/main/docs/advanced-usage.md#caching-packages-dependencies
      - run: pnpm install
      - name: Cache Next.js build
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: docs/.next/cache
          # Exact key covers the lockfile and the docs sources; restore-keys fall back to the closest older cache.
          key: ${{ runner.os }}-nextjs-${{ hashFiles('pnpm-lock.yaml') }}-${{ hashFiles('docs/**/*.js', 'docs/**/*.ts', 'docs/**/*.tsx', 'docs/**/*.jsx', 'docs/**/*.json', 'docs/**/*.md', 'docs/**/*.mdx') }}
          restore-keys: |
            ${{ runner.os }}-nextjs-${{ hashFiles('pnpm-lock.yaml') }}-
            ${{ runner.os }}-nextjs-
      - run: pnpm release:build
      - name: Build docs
        run: pnpm docs:build
        env:
          NODE_OPTIONS: --max_old_space_size=6144
          # macOS-latest has 3 CPUs, but we get "EMFILE: too many open files" errors with that parallelism
          # Limit Next.js to 2 CPUs to prevent file descriptor exhaustion. Empty string uses os.availableParallelism()
          NEXT_PARALLELISM: ${{ runner.os == 'macOS' && '2' || '' }}
          # Short-lived workflow token; limited to `contents: read` by the job permissions above.
          GITHUB_AUTH: Bearer ${{ secrets.GITHUB_TOKEN }}
      # - run: pnpm release:changelog
      #   env:
      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Debug export-detail.json on when pnpm docs:build fails with EMFILE error
        # Only runs after an earlier step failed; `|| true` keeps a missing file from masking the real failure.
        if: failure()
        run: cat ./docs/.next/export-detail.json || true
ci-check matrix perms .github/workflows/ci-check.yml
# This workflow is a workaround for ci.yml to bypass the github checks
#
# Ref: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks
name: CI Check
on:
  push:
    branches-ignore:
      # should sync with ci.yml as a workaround to bypass github checks
      - master
      - next
      - v*.x
  pull_request:
    paths:
      # should sync with ci.yml as a workaround to bypass github checks
      - 'docs/**'
permissions: {}
jobs:
  # Same job names as ci.yml so the required checks report as passed on docs-only changes.
  continuous-releases:
    name: Continuous releases
    uses: mui/mui-public/.github/workflows/ci-base.yml@530ec94f97bfe64ae018a9fd8ff0c326cbd61298
  test-dev:
    if: ${{ github.actor != 'l10nbot' }}
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os:
          - macos-latest
          - windows-latest
          - ubuntu-latest
    # Inherits the workflow-level `permissions: {}`; the single step needs no token.
    steps:
      - run: 'echo "No build required"'
closed-issue-message perms .github/workflows/closed-issue-message.yml
name: Add closing message to issue
on:
  issues:
    types: [closed]
permissions: {}
jobs:
  add-comment:
    name: Add closing message
    # Only issues closed as "completed" get the message; any other state_reason is skipped.
    if: github.event.issue.state_reason == 'completed'
    permissions:
      contents: read
      issues: write
    # Reusable workflow pinned to a full commit SHA in mui/mui-public.
    uses: mui/mui-public/.github/workflows/issues_add-closing-message.yml@530ec94f97bfe64ae018a9fd8ff0c326cbd61298
codeql perms security .github/workflows/codeql.yml
name: CodeQL
# Scheduled scan only: there is no push or pull_request trigger, so findings surface nightly rather than per PR.
on:
  schedule:
    - cron: '0 2 * * *'
# No default scopes; the job requests exactly what the CodeQL actions need.
permissions: {}
jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      # Needed to upload the SARIF results to code scanning.
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          languages: typescript
          # Repo-local CodeQL config (its contents are not shown here).
          config-file: ./.github/codeql/codeql-config.yml
          # If you wish to specify custom queries, you can do so here or in a config file.
          # By default, queries listed here will override any specified in a config file.
          # Prefix the list here with "+" to use these queries and those in the config file.
          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
          # queries: security-extended,security-and-quality
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
create-cherry-pick-pr perms .github/workflows/create-cherry-pick-pr.yml
name: Create cherry-pick PR
on:
  # pull_request_target runs in the base-branch context with the write scopes granted below, even for
  # fork PRs; the reusable workflow is therefore the trust boundary for anything taken from the PR.
  pull_request_target:
    types:
      - closed
    branches:
      - next
      - 'v*.x' # quoted: a bare `*` would be read as a YAML alias
      - master
permissions: {}
jobs:
  create_pr:
    name: Create cherry-pick PR
    permissions:
      contents: write
      pull-requests: write
    # Pinned to a full commit SHA in mui/mui-public.
    # NOTE(review): presumably it only acts on merged PRs — verify that check lives inside the reusable workflow.
    uses: mui/mui-public/.github/workflows/prs_create-cherry-pick-pr.yml@530ec94f97bfe64ae018a9fd8ff0c326cbd61298
ensure-triage-label perms .github/workflows/ensure-triage-label.yml
name: Ensure triage label is present
on:
  label:
    types:
      - deleted
  issues:
    types:
      - opened
permissions: {}
jobs:
  label_issues:
    runs-on: ubuntu-latest
    permissions:
      # Only scope needed: listing and adding labels on the issue.
      issues: write
    steps:
      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          # Adds the default triage label when the issue currently has no labels at all.
          # NOTE(review): the `label.deleted` payload carries no issue, so context.issue.number is
          # presumably undefined on that trigger — confirm what this run does in that case.
          script: |
            const { data: labels } = await github.rest.issues.listLabelsOnIssue({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
            });
            if (labels.length <= 0) {
              await github.rest.issues.addLabels({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
                labels: ['status: waiting for maintainer']
              })
            }
issue-cleanup perms .github/workflows/issue-cleanup.yml
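name: Cleanup issue comment
on:
  issues:
    types:
      - opened
permissions: {}
jobs:
  issue_cleanup:
    runs-on: ubuntu-latest
    permissions:
      # Reads and rewrites the body of the issue that was just opened.
      issues: write
    steps:
      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        with:
          # Rewrites the issue-form body: drops the "Latest version", "Search keywords" and
          # "Order ID or Support key" sections and appends a compact summary of the last two.
          script: |
            const issue = await github.rest.issues.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
            })
            // The API returns `body: null` for an issue opened without a body; `.split` on null throws.
            const lines = (issue.data.body ?? '').split('\n')
            // The "Latest version" answer is removed from the body and not reused.
            extractInputSection(lines, 'Latest version')
            const searchKeywords = extractInputSection(lines, 'Search keywords')
            const orderID = extractInputSection(lines, 'Order ID or Support key')
            lines.push('')
            lines.push('**Search keywords**: ' + searchKeywords)
            // '_No response_' is what the issue form emits for an empty optional field.
            if (orderID !== '' && orderID !== '_No response_') {
              lines.push('**Order ID**: ' + orderID)
            }
            const body = lines.join('\n')
            await github.rest.issues.update({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body,
            })
            // Removes the four-line form section (`### <title>`, blank, answer, blank) from `lines`
            // and returns the trimmed answer; '' when the section is absent or truncated.
            function extractInputSection(lines, title) {
              const index = lines.findIndex(line => line.startsWith('###') && line.includes(title))
              if (index === -1) {
                return ''
              }
              const section = lines.splice(index, 4)
              // A section cut off at the end of the body has no answer line to read.
              return (section[2] ?? '').trim()
            }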
maintenance perms .github/workflows/maintenance.yml
name: Maintenance
on:
  # So that PRs touching the same files as the push are updated
  push:
    branches:
      # #target-branch-reference
      # NOTE(review): ci.yml matches `v*.x`; confirm v6.x is still the intended maintenance branch here.
      - master
      - v6.x
  # So that the `dirtyLabel` is removed if conflicts are resolved
  # Could put too much strain on rate limit
  # If we hit the rate limit too often remove this event
  # pull_request_target runs in the base-branch context with the scopes granted below, even for fork
  # PRs; the steps below do no checkout, so no PR code runs in this job.
  pull_request_target:
    branches:
      # #target-branch-reference
      - master
      - v6.x
    types: [synchronize]
permissions: {}
jobs:
  main:
    # l10nbot creates a lot of commits at once which starves CI.
    # We rely on other pushes to mark these branches as outdated.
    if: ${{ github.actor != 'l10nbot' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      # github.actor is a GitHub username (alphanumerics and single hyphens), so expanding it inside the
      # shell command is low risk; passing it through `env:` would be the injection-proof habit.
      - run: echo '${{ github.actor }}'
      - name: Check if prs are dirty
        uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
        with:
          dirtyLabel: 'PR: out-of-date'
          removeOnDirtyLabel: 'PR: ready to ship'
          # The `pull-requests: write` scope above is what lets this token add and remove labels.
          repoToken: '${{ secrets.GITHUB_TOKEN }}'
          retryAfter: 130
          retryMax: 10
mark-duplicate perms .github/workflows/mark-duplicate.yml
name: Mark duplicate
on:
  issue_comment:
    types:
      - created
permissions: {}
jobs:
  mark-duplicate:
    # issue_comment also fires for comments on pull requests; skip those.
    if: ${{ !github.event.issue.pull_request }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
    steps:
      # NOTE(review): any commenter triggers this event; whether only maintainers can mark a
      # duplicate is decided inside the action — confirm its author/permission checks.
      - name: Mark duplicate
        uses: actions-cool/issues-helper@200c78641dbf33838311e5a1e0c31bbdb92d7cf0 # v3.8.0
        with:
          actions: 'mark-duplicate'
          token: ${{ secrets.GITHUB_TOKEN }}
          duplicate-labels: 'duplicate'
          remove-labels: 'status: incomplete,status: waiting for maintainer'
          close-issue: true
no-response perms .github/workflows/no-response.yml
name: No response
# `issues`.`closed`, `issue_comment`.`created`, and `scheduled` event types are required for this Action
# to work properly.
on:
  issues:
    types:
      - closed
  issue_comment:
    types:
      - created
  schedule:
    # These runs in our repos are spread evenly throughout the day to avoid hitting rate limits.
    # If you change this schedule, consider changing the remaining repositories as well.
    # Runs at 12 am, 12 pm
    - cron: '0 0,12 * * *'
permissions: {}
jobs:
  noResponse:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
    steps:
      # Pinned to a commit SHA; unlike the other workflows there is no version comment, so note the ref when bumping.
      - uses: MBilalShafi/no-response-add-label@8336c12292902f27b931154c34ba4670cb9899a2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # Number of days of inactivity before an Issue is closed for lack of response
          daysUntilClose: 7
          # Label requiring a response
          responseRequiredLabel: 'status: waiting for author'
          # Label to add back when required label is removed
          optionalFollowupLabel: 'status: waiting for maintainer'
          # Comment to post when closing an Issue for lack of response. Set to `false` to disable
          closeComment: >
            Since the issue is missing key information and has been inactive for 7 days, it has been automatically closed.
            If you wish to see the issue reopened, please provide the missing information.
priority-support-validation-prompt perms .github/workflows/priority-support-validation-prompt.yml
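name: Priority Support Validation Prompt
on:
  issues:
    types:
      - labeled
permissions: {}
jobs:
  comment:
    name: Create or update comment
    runs-on: ubuntu-latest
    permissions:
      issues: write
    steps:
      # Look for an earlier bot comment so the prompt is posted once and later updated in place.
      - name: Find Comment
        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4
        id: findComment
        with:
          issue-number: ${{ github.event.issue.number }}
          comment-author: 'github-actions[bot]'
          # Must be a substring of the comment posted below; the previous value ("...a priority support
          # request") never appeared in that text, so the comment was never found and the prompt
          # was re-created on every `unknown` label event. A hidden marker in both bodies would be sturdier.
          body-includes: You have created a support request
      # First time an `unknown` support label is applied: ask the reporter to validate their key out of band.
      # NOTE(review): the validation link carries `repo=mui-x` although this workflow lives in material-ui — confirm it is intended.
      - name: Create comment
        if: ${{ steps.findComment.outputs.comment-id == '' && contains(github.event.label.name, 'unknown') }}
        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
        with:
          issue-number: ${{ github.event.issue.number }}
          body: |
            You have created a support request under the ["Priority Support"](https://mui.com/legal/technical-support-sla/#priority-support) terms, which is a paid add-on to MUI X Premium ⏰. Please validate your support key using the link below:
            https://tools-public.mui.com/prod/pages/validateSupport?repo=mui-x&issueId=${{ github.event.issue.number }}
            Do not share your support key in this issue!
            Priority Support is only provided to verified customers. Once you have verified your support key, we will remove the `support: unknown` label and add the `support: priority` label to this issue. Only then the time for the SLA will start counting.
      # Once a `priority` label is applied and the prompt exists, replace it with the confirmation.
      - name: Update comment
        if: ${{ steps.findComment.outputs.comment-id != '' && contains(github.event.label.name, 'priority') }}
        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
        with:
          comment-id: ${{ steps.findComment.outputs.comment-id }}
          body: |
            Thank you for verifying your support key 🔑, your SLA starts now.
          edit-mode: replace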
publish perms .github/workflows/publish.yml
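name: Publish packages
on:
  workflow_dispatch:
    inputs:
      sha:
        # NOTE(review): accepted as any ref by checkout below; nothing here enforces a 40-hex SHA.
        description: 'Commit SHA to release from'
        required: true
        type: string
      dry-run:
        description: 'Run in dry-run mode without actually publishing packages'
        required: false
        type: boolean
        default: false
      github-release:
        description: 'Create a GitHub release after publishing'
        required: false
        type: boolean
        default: true
      dist-tag:
        description: 'npm dist tag to publish to'
        required: false
        type: string
        default: 'latest'
permissions: {}
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write # Required for pushing tags and creating releases
      id-token: write # Required for provenance
    # Environment gate: its protection rules and secrets apply to this job.
    environment:
      name: npm-publish
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Expression in `with:` is passed as data to the action, not through a shell.
          ref: ${{ inputs.sha }}
          fetch-depth: 0 # Fetch full history for proper git operations
      - name: Prepare for publishing
        uses: mui/mui-public/.github/actions/publish-prepare@530ec94f97bfe64ae018a9fd8ff0c326cbd61298
      - name: Publish packages
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Inputs reach the script as environment variables instead of being templated into its
          # source, so their values are shell data and cannot be evaluated as shell syntax.
          DRY_RUN: ${{ inputs.dry-run }}
          GITHUB_RELEASE: ${{ inputs.github-release }}
          DIST_TAG: ${{ inputs.dist-tag }}
        run: |
          # Build common flags as an array so each value stays a single argument
          ARGS=()
          if [ "$DRY_RUN" = "true" ]; then
            ARGS+=(--dry-run)
          fi
          if [ "$GITHUB_RELEASE" = "true" ]; then
            ARGS+=(--github-release)
          fi
          if [ -n "$DIST_TAG" ]; then
            ARGS+=(--tag "$DIST_TAG")
          fi
          pnpm code-infra publish --ci "${ARGS[@]}"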
publish-canaries perms .github/workflows/publish-canaries.yml
name: Publish canary packages to npm
on:
  workflow_dispatch:
permissions: {}
jobs:
  publish:
    runs-on: ubuntu-latest
    # No job-level `permissions:`, so the workflow token carries no scopes here; publishing relies on NPM_TOKEN.
    # NOTE(review): unlike publish.yml this job is not gated behind the `npm-publish` environment — confirm that is intended.
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
      - name: Set up pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - name: Use Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: '22.18.0'
          cache: 'pnpm' # https://github.com/actions/setup-node/blob/main/docs/advanced-usage.md#caching-packages-dependencies
      - run: pnpm install
      - run: pnpm canary:release --ignore @mui/icons-material --yes --skip-last-commit-comparison
        env:
          # Long-lived registry credential. NOTE(review): consider a granular token limited to the packages this job publishes.
          NPM_TOKEN: ${{secrets.NPM_TOKEN}}
scorecards perms security .github/workflows/scorecards.yml
name: Scorecards supply-chain security
on:
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    - cron: '0 2 * * *'
permissions: {}
jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      # Used to receive a badge.
      id-token: write
      # Needs for private repositories.
      contents: read
      actions: read
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Keep the workflow token out of .git/config; nothing in this job needs it from there.
          persist-credentials: false
      - name: Run analysis
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          results_file: results.sarif
          results_format: sarif
          # Read-only PAT, supplied here so the Branch-Protection check works on this public repository
          # (it is also what a private repository would need). To create the PAT, follow the steps in
          # https://github.com/ossf/scorecard-action#authentication-with-pat.
          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
          # Publish the results for public repositories to enable scorecard badges. For more details, see
          # https://github.com/ossf/scorecard-action#publishing-results.
          publish_results: true
      # Upload the results to GitHub's code scanning dashboard.
      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          sarif_file: results.sarif
support-stackoverflow perms .github/workflows/support-stackoverflow.yml
# Configuration for support-requests - https://github.com/dessant/support-requests
name: Support Stack Overflow
on:
  issues:
    types:
      - labeled
      - unlabeled
      - reopened
permissions: {}
jobs:
  mark-support:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
    steps:
      - uses: dessant/support-requests@47d5ea12f6c9e4a081637de9626b7319b415a3bf # v4.0.0
        with:
          # Workflow token; `issues: write` above is what allows commenting, closing and (un)locking.
          github-token: ${{ secrets.GITHUB_TOKEN }}
          # Label used to mark issues as support requests
          support-label: 'support: Stack Overflow'
          # Comment to post on issues marked as support requests. Add a link
          # to a support page, or set to `false` to disable
          issue-comment: |
            👋 Thanks for using this project!
            We use GitHub issues exclusively as a bug and feature requests tracker, however, this issue appears to be a support request.
            For support with Material UI please check out https://mui.com/material-ui/getting-started/support/. Thanks!
            If you have a question on Stack Overflow, you are welcome to link to it here, it might help others.
            If your issue is subsequently confirmed as a bug, and the report follows the issue template, it can be reopened.
          close-issue: true
          issue-close-reason: 'not planned'
          lock-issue: false
vale-action perms .github/workflows/vale-action.yml
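name: Vale action
on: [pull_request]
permissions: {}
jobs:
  vale:
    name: runner / vale
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Lets reviewdog post the check results on the PR.
      pull-requests: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      # Pin the Vale binary to the version the lockfile resolves for @vvago/vale.
      - name: Extract Vale version from pnpm-lock.yaml
        id: vale-version
        run: |
          # Extract version from lock file
          VERSION=$(awk -F"@|'" '/@vvago\/vale@/ {print $4}' pnpm-lock.yaml | head -n1)
          # Fail here rather than pass an empty version downstream, which would presumably fall back
          # to whatever default the action ships and silently lose the lockfile pin.
          if [ -z "$VERSION" ]; then
            echo "::error::Could not find @vvago/vale in pnpm-lock.yaml"
            exit 1
          fi
          echo "Extracted Vale version: $VERSION"
          echo "vale_version=$VERSION" >> "$GITHUB_OUTPUT"
      - uses: errata-ai/vale-action@d89dee975228ae261d22c15adcd03578634d429c # v2.1.1
        continue-on-error: true # GitHub Action flag needed until https://github.com/errata-ai/vale-action/issues/89 is fixed
        with:
          version: ${{ steps.vale-version.outputs.vale_version }}
          # Errors should be more visible
          fail_on_error: true
          # The other reports don't work, not really https://github.com/reviewdog/reviewdog#reporters
          reporter: github-pr-check
          # Required, set by GitHub actions automatically:
          # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret
          token: ${{secrets.GITHUB_TOKEN}}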