Fix workflows

.github/workflows/Benchmark.yml

@@ -8,7 +8,7 @@ jobs:
     steps:
     - uses: actions/checkout@v6
       with:
-        submodules: 'recursive'
+        submodules: recursive
     - name: Setup .NET
       uses: actions/setup-dotnet@v5
       with:
@@ -18,7 +18,7 @@ jobs:
       uses: benchmark-action/github-action-benchmark@v1
       with:
         name: CSharpMath.Rendering.Benchmarks
-        tool: 'benchmarkdotnet'
+        tool: benchmarkdotnet
         output-file-path: .benchmarkresults/results/CSharpMath.Rendering.Benchmarks.Program-report-full-compressed.json
         github-token: ${{ github.token }}
         auto-push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} # Push and deploy GitHub pages branch automatically

.github/workflows/Format.yml

@@ -12,6 +12,6 @@ jobs:
         workloads: maui-ios, maui-maccatalyst, maui-android, wasm-tools
     - uses: actions/checkout@v6
       with:
-        submodules: 'recursive'
+        submodules: recursive
     - name: Check formatting (Fix with "dotnet format --exclude Typography" at repository root)
       run: dotnet format --exclude Typography --verify-no-changes --verbosity diagnostic

.github/workflows/Label.yml

@@ -1,18 +1,20 @@
 name: Label breaking changes for semantic versioning
 
-on: [pull_request]
+on: pull_request_target # Run on the merge target branch instead of the merge commit to grant pull-requests:write permission
 jobs:
   Label:
     runs-on: windows-latest
+    permissions:
+      pull-requests: write # Allow adding a label to this pull request
     steps:
     - uses: actions/checkout@v6
       with:
-        submodules: recursive
+        fetch-depth: 0 # Fetch all commit history and tags, instead of the default fetch of only one commit
+        ref: ${{ github.event.pull_request.head.sha }}  # Checkout the PR branch
     - name: If there are changes in PublicApi.Shipped.txt, fail the workflow
       if: github.head_ref != 'action/ship-publicapi' # Same branch name specified in Release.yml
       run: |
-        git fetch origin ${{ github.base_ref }}
-        $changes = git diff --numstat --shortstat origin/${{ github.base_ref }}...HEAD -- '**/PublicApi.Shipped.txt'
+        $changes = git diff --numstat --shortstat origin/${{ github.base_ref }}...HEAD -- '**/PublicApi.Shipped.txt' # Note that ** must expand to at least one folder here, this doesn't check root
         Write-Output "$changes"
         if ($changes) {
           Write-Error "Changes detected in PublicApi.Shipped.txt files. Public API changes must be shipped through the release process, not in regular pull requests."
@@ -21,12 +23,9 @@ jobs:
       shell: pwsh
     - name: Label based on PublicApi.Unshipped.txt
       run: |
-        git fetch origin ${{ github.base_ref }}
-
-        # Determine the appropriate label (Sync these labels with release-drafter.yml)
-        if ("${{ github.head_ref }}" -eq "action/ship-publicapi") { # Same branch name specified in Release.yml
+        if ("${{ github.head_ref }}" -eq "action/ship-publicapi") {
           $labels = @('Type/Housekeeping')
-          Write-Output "This is a ship-publicapi PR, labeling as Type/Maintenance"
+          Write-Output "This is a ship-publicapi PR, labeling as Type/Housekeeping"
         } else {
           # For regular PRs, check for API changes
           $changes = git diff origin/${{ github.base_ref }}...HEAD -- '**/PublicApi.Unshipped.txt'
@@ -44,8 +43,8 @@ jobs:
               Write-Output "Publicly facing API changes include only additions. Labelling as enhancement."
             }
           } else {
-            $labels = @('Type/Bug')
-            Write-Output "No publicly facing API changes. Labelling as bug."
+            Write-Output "No publicly facing API changes. Exiting the workflow."
+            Exit
           }
         }
 

.github/workflows/Nightly.yml

@@ -16,7 +16,7 @@ jobs:
         GITHUB_TOKEN: ${{ github.token }}
     - uses: actions/checkout@v6
       with:
-        submodules: 'recursive'
+        submodules: recursive
     - uses: actions/setup-dotnet@main
       with:
         dotnet-version: '10.x'
@@ -75,12 +75,6 @@ jobs:
       with:
         name: CSharpMath.Rendering.Tests results
         path: CSharpMath.Rendering.Tests/*/*.png
-    - name: Upload CSharpMath.Xaml.Tests.NuGet results as CI artifacts
-      uses: actions/upload-artifact@v4
-      if: always()
-      with:
-        name: CSharpMath.Xaml.Tests.NuGet results
-        path: CSharpMath.Xaml.Tests.NuGet/*.png
     - name: Upload NuGet packages as CI artifacts
       uses: actions/upload-artifact@v4
       if: always()
@@ -97,11 +91,12 @@ jobs:
         # By using *.* as the file path, this command will fail when .nupkgs folder contains any file that isn't a .nupkg or .snupkg file.
         # --skip-duplicate enables re-running this workflow even if some packages from the same commit are already uploaded.
         # --no-symbols omits uploading .snupkg files which is not supported by GitHub Packages: https://github.com/orgs/community/discussions/38678
-        dotnet nuget push '.nupkgs\*.*' -s 'https://nuget.pkg.github.com/verybadcat/index.json' -k ${{ github.token }} --skip-duplicate --no-symbols
+        dotnet nuget push '.nupkgs\*.*' -s 'https://nuget.pkg.github.com/${{ github.repository_owner }}/index.json' -k ${{ github.token }} --skip-duplicate --no-symbols
       shell: pwsh
     - name: Publish CSharpMath.Uno.Example
       run: |
         git fetch origin gh-pages
+        if (-not $?) { Exit } # For forks that didn't include the gh-pages branch, don't fail the workflow
         git worktree add website/wwwroot gh-pages
         Get-ChildItem -Path website/wwwroot/* -Exclude dev,.nojekyll | Remove-Item -Recurse -Force # dev is the output folder of Benchmark.yml and .nojekyll ensures _framework folder is served, keep them
         # TODO: why can't this publish use --no-build? For example, see https://github.com/verybadcat/CSharpMath/actions/runs/21600019106/job/62243168945

.github/workflows/Release.yml

@@ -7,13 +7,13 @@ jobs:
   CSharpMath:
     runs-on: windows-latest
     permissions:
-      # permissions requested by https://github.com/marketplace/actions/create-pull-request#token
+      # Permissions requested by https://github.com/marketplace/actions/create-pull-request#token
       contents: write
       pull-requests: write
     steps:
     - uses: actions/checkout@v6
       with:
-        submodules: 'recursive'
+        submodules: recursive
     - uses: actions/setup-dotnet@main
       with:
         dotnet-version: '10.x'
@@ -56,4 +56,5 @@ jobs:
         commit-message: 'Move PublicApi.Unshipped.txt to PublicApi.Shipped.txt for ${{ github.event.release.tag_name }}'
         title: 'Ship PublicApi for ${{ github.event.release.tag_name }}'
         body: 'This PR moves the contents of PublicApi.Unshipped.txt to PublicApi.Shipped.txt to mark the API as shipped for version ${{ github.event.release.tag_name }}.'
-        branch: action/ship-publicapi # Same branch name specified in Label.yml
+        branch: action/ship-publicapi # Same branch name specified in Label.yml
+        base: '${{ github.event.repository.default_branch }}' # Releases are checked out on the tag commit but we need a target branch for the pull request. Let's just always submit it against the default branch

.github/workflows/Test.yml

@@ -22,7 +22,7 @@ jobs:
         workloads: ${{ case(startsWith(matrix.os, 'ubuntu'), 'maui-android, wasm-tools', 'maui, wasm-tools') }}
     - uses: actions/checkout@v6
       with:
-        submodules: 'recursive'
+        submodules: recursive
     - name: Build Everything
       run: dotnet build
     - name: Run Tests