Brints · aniebietafia · Mar 13, 2026 · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026
diff --git a/.github/issue-labeler.yml b/.github/issue-labeler.yml
@@ -0,0 +1,49 @@
+# Issue Labeler - labels issues based on title/body content
+
+bug:
+  - '(bug|fix|issue|error|crash|fail|broken)'
+
+enhancement:
+  - '(feature|enhancement|improve|add|new)'
+
+documentation:
+  - '(doc|docs|documentation|readme|guide)'
+
+question:
+  - '(question|how to|help|support|\?)'
+
+ai-ml:
+  - '(stt|tts|speech|voice|translation|translate|whisper|deepgram|deepl|gpt)'
+
+audio-media:
+  - '(audio|webrtc|websocket|ws|stream|signaling)'
+
+event-driven:
+  - '(kafka|zookeeper|event|topic|stream)'
+
+real-time:
+  - '(latency|instant|real-time|glass-to-glass)'
+
+infrastructure:
+  - '(docker|redis|postgres|alembic|migration)'
+
+security:
+  - '(auth|jwt|token|security|vulnerability|private)'
+
+performance:
+  - '(perf|optimization|speed|throughput|latency)'
+
+api:
+  - '(api|endpoint|rest|controller)'
+
+payment:
+  - '(payment|stripe|subscription|billing|invoice)'
+
+email:
+  - '(email|mail|notification|template)'
+
+ci-cd:
+  - '(ci|cd|github action|workflow|pipeline|build|stale|labeler)'
+
+dependencies:
+  - '(dependency|dependencies|upgrade|update|version)'
diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -0,0 +1,30 @@
+backend:
+  - changed-files:
+    - any-glob-to-any-file: 'app/**/*'
+
+tests:
+  - changed-files:
+    - any-glob-to-any-file: 'tests/**/*'
+
+github-actions:
+  - changed-files:
+    - any-glob-to-any-file: '.github/**/*'
+
+migrations:
+  - changed-files:
+    - any-glob-to-any-file: 'alembic/**/*'
+
+config:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'pyproject.toml'
+      - 'requirements.txt'
+      - '.env.example'
+      - '.gitignore'
+
+devops:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'docker-compose.yml'
+      - 'Dockerfile'
+      - '.dockerignore'
diff --git a/.github/owasp-suppressions.xml b/.github/owasp-suppressions.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <!--
+        OWASP Dependency Check Suppressions File
+        Add false positive suppressions here.
+
+        Example:
+        <suppress>
+            <notes>False positive - not affected</notes>
+            <packageUrl regex="true">^pkg:maven/com\.example/.*$</packageUrl>
+            <cve>CVE-YYYY-XXXXX</cve>
+        </suppress>
+    -->
+</suppressions>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,34 @@
+name: CI
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main, develop ]
+
+jobs:
+  quality-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+          cache: 'pip'
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+      - name: Lint with Black
+        run: black --check .
+      - name: Check imports with isort
+        run: isort --check-only .
+      - name: Type check with Mypy
+        run: mypy app
+      - name: Run tests with Pytest
+        env:
+          DATABASE_URL: postgresql://postgres:postgres@localhost:5432/fluentmeet_test
+          REDIS_URL: redis://localhost:6379/1
+        run: |
+          pytest --cov=app --cov-fail-under=5 tests/
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
@@ -0,0 +1,31 @@
+name: Code Quality
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main, develop ]
+  workflow_dispatch:
+
+jobs:
+  lint-and-typecheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+          cache: 'pip'
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install ruff mypy
+          # Install project deps to help mypy find types
+          pip install -r requirements.txt
+      - name: Lint with Ruff
+        run: ruff check .
+      - name: Format check with Ruff
+        run: ruff format --check .
+      - name: Type check with Mypy
+        run: mypy app
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,62 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [ dev, main, develop ]
+  pull_request:
+    branches: [ main, develop ]
+  schedule:
+    - cron: '30 1 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+      issues: write
+      pull-requests: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python' ]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-extended,security-and-quality
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"
+
+      - name: Notify on failure
+        if: failure() && github.event.pull_request.head.repo.full_name == github.repository
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const issue = context.payload.pull_request 
+              ? context.payload.pull_request.number 
+              : (context.payload.issue ? context.payload.issue.number : null);
+
+            if (issue) {
+              github.rest.issues.createComment({
+                issue_number: issue,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: '⚠️ CodeQL security scan failed. Please check the workflow logs.'
+              });
+            } else {
+              console.log('No issue or PR number found, skipping comment creation');
+            }
diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
@@ -0,0 +1,35 @@
+name: OWASP Dependency Check
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main, develop ]
+  schedule:
+    - cron: '0 0 * * 1' # Weekly on Mondays at midnight
+  workflow_dispatch:
+
+jobs:
+  depcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Dependency Check
+        uses: dependency-check/Dependency-Check_Action@main
+        id: depcheck
+        with:
+          project: 'FluentMeet'
+          path: '.'
+          format: 'HTML'
+          out: 'reports' # Reports will be saved in the 'reports' directory
+          args: >
+            --failOnCVSS 7
+            --enableRetired
+
+      - name: Upload Test results
+        uses: actions/upload-artifact@v4
+        with:
+          name: DepCheck report
+          path: reports
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -0,0 +1,58 @@
+name: Auto Labeler
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, edited]
+  issues:
+    types: [opened, edited]
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
+jobs:
+  label-pr:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Label PR based on files changed
+        uses: actions/labeler@v5
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          configuration-path: .github/labeler.yml
+
+  label-pr-size:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Label PR by size
+        uses: codelytv/pr-size-labeler@v1
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          xs_label: 'size/XS'
+          xs_max_size: 10
+          s_label: 'size/S'
+          s_max_size: 100
+          m_label: 'size/M'
+          m_max_size: 500
+          l_label: 'size/L'
+          l_max_size: 1000
+          xl_label: 'size/XL'
+          fail_if_xl: false
+          message_if_xl: >
+            This PR is quite large! Consider breaking it into smaller PRs for easier review.
+
+  label-issue:
+    if: github.event_name == 'issues'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Label issues based on content
+        uses: github/issue-labeler@v3.4
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          configuration-path: .github/issue-labeler.yml
+          enable-versioned-regex: 0