[CI] Workflow update and alignment (#2883)

- Work around python_safety failure regarding pip version
- Apply minimal permissions for the default GITHUB_TOKEN. "content: read" is required for checkout. If one is setup, all other permissions are set to "none": https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
- Always install latest Python 3 and check explicitly whether there is a newer version than what is cached on the runner.
- Always cancel concurrent workflows with the same reference, e.g. when multiple commits are pushed in high frequency.
- Remove doubled code in the Ubuntu test workflow by using a job matrix for available/supported distros, just as we do in the Python test workflow.

Signed-off-by: MichaIng <micha@dietpi.com>

.github/workflows/docker.yml

@@ -6,6 +6,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   docker:
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login != github.event.pull_request.base.repo.owner.login

.github/workflows/pre-commit-autoupdate.yml

@@ -23,8 +23,8 @@ jobs:
         token: ${{ secrets.GH_PAT }}
     - uses: actions/setup-python@v5
       with:
-        # https://github.com/actions/python-versions/releases
-        python-version: '3.12'
+        python-version: '3.x'
+        check-latest: true
     - env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |

.github/workflows/pre-commit.yml

@@ -8,6 +8,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   pre-commit:
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login != github.event.pull_request.base.repo.owner.login
@@ -16,8 +19,8 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-python@v5
       with:
-        # https://github.com/actions/python-versions/releases
-        python-version: '3.12'
+        python-version: '3.x'
+        check-latest: true
     - run: |
         pip install pre-commit
         pre-commit --version

.github/workflows/python_safety.yml

@@ -2,10 +2,17 @@ name: python_safety
 
 on: [pull_request, push]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
 jobs:
   python_safety:
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login != github.event.pull_request.base.repo.owner.login
-    runs-on: 'ubuntu-22.04'
+    runs-on: ubuntu-22.04
     steps:
       - run: sudo apt-get -q update
       - run: sudo DEBIAN_FRONTEND="noninteractive" apt-get -qq --no-install-recommends install
@@ -14,6 +21,8 @@ jobs:
       - uses: actions/setup-python@v5
         with:
           python-version: 3.x
+          check-latest: true
       - run: pip install --upgrade pip setuptools
       - run: pip install safety .
+      - run: rm -Rfv /opt/hostedtoolcache/Python/3.12.1/x64/lib/python3.12/site-packages/pip-23.2.1.dist-info  # Workaround: https://github.com/motioneye-project/motioneye/pull/2883
       - run: safety check

.github/workflows/shellcheck.yml

@@ -6,6 +6,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   shellcheck:
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login != github.event.pull_request.base.repo.owner.login

.github/workflows/test_python.yml

@@ -6,6 +6,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   test:
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login != github.event.pull_request.base.repo.owner.login

.github/workflows/ubuntu_build.yml

@@ -1,4 +1,3 @@
-# https://github.com/motioneye-project/motioneye/wiki/%28Install-On-Ubuntu-%2820.04-or-Newer%29
 name: ubuntu_build
 
 on: [pull_request, push]
@@ -7,30 +6,16 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
-  focal:
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login != github.event.pull_request.base.repo.owner.login
-    runs-on: ubuntu-20.04
-    steps:
-      - run: sudo apt-mark hold grub-efi-amd64-signed # GRUB does not always find the drive it was configured for
-      - run: sudo apt-get -q update
-      - run: sudo DEBIAN_FRONTEND=noninteractive apt-get -qq --no-install-recommends dist-upgrade
-      - run: sudo DEBIAN_FRONTEND=noninteractive apt-get -qq --no-install-recommends install
-                  ca-certificates curl gcc libcurl4-openssl-dev libssl-dev python3-dev
-      - run: curl -sSfO 'https://bootstrap.pypa.io/get-pip.py'
-      - run: sudo python3 get-pip.py
-      - run: sudo python3 -m pip install --upgrade pip setuptools wheel
-      - run: |
-          REPO=$GITHUB_REPOSITORY BRANCH=$GITHUB_REF_NAME
-          [ ${{ github.event_name }} = 'pull_request' ] && REPO=${{ github.event.pull_request.head.repo.full_name }} BRANCH=${{ github.event.pull_request.head.ref }}
-          sudo python3 -m pip install "https://github.com/$REPO/archive/$BRANCH.tar.gz"
-      - run: sudo motioneye_init --skip-apt-update
-      - run: i=0; until ss -tln | grep 8765; do [ $i -le 10 ] || exit 0; sleep 1; i=$(expr $i + 1); done
-      - run: sudo systemctl status motioneye
-      - run: sudo systemctl is-active motioneye
-  jammy:
+  build:
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login != github.event.pull_request.base.repo.owner.login
-    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        dist: ['ubuntu-20.04', 'ubuntu-22.04']
+    runs-on: ${{ matrix.dist }}
+    name: "Test on ${{ matrix.dist }}"
     steps:
       - run: sudo apt-mark hold grub-efi-amd64-signed # GRUB does not always find the drive it was configured for
       - run: sudo apt-get -q update

.github/workflows/update_locales.yml

@@ -6,14 +6,18 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
+defaults:
+  run:
+    shell: sh
+
 jobs:
   update_locales:
     # Skip for forks and dependabot which have no access to secrets (PAT)
     if: github.event.pull_request.head.repo.fork == false && github.actor != 'dependabot[bot]'
     runs-on: ubuntu-22.04
-    defaults:
-      run:
-        shell: sh
     steps:
 
     - uses: actions/setup-python@v5

motioneye/locale/motioneye.js.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-10-07 08:12+0000\n"
+"POT-Creation-Date: 2023-12-09 23:08+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

motioneye/locale/motioneye.pot

@@ -8,14 +8,14 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PROJECT VERSION\n"
 "Report-Msgid-Bugs-To: EMAIL@ADDRESS\n"
-"POT-Creation-Date: 2023-10-07 08:12+0000\n"
+"POT-Creation-Date: 2023-12-09 23:08+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Generated-By: Babel 2.13.0\n"
+"Generated-By: Babel 2.13.1\n"
 
 #: motioneye/server.py:232
 msgid "interrompa signalo ricevita, fermanta …"