diff --git a/.github/workflows/ci_checks.yml b/.github/workflows/ci_checks.yml new file mode 100644 index 0000000..89c96d8 --- /dev/null +++ b/.github/workflows/ci_checks.yml @@ -0,0 +1,23 @@ +--- +name: CI + +on: + push: + branches: + - main + pull_request: + branches: + - main + +permissions: + contents: read + issues: none + pull-requests: none + +jobs: + call_reusable_ci: + name: Standardized CI + uses: complytime/org-infra/.github/workflows/reusable_ci.yml@main + permissions: + contents: read + issues: read diff --git a/.github/workflows/ci_dependencies.yml b/.github/workflows/ci_dependencies.yml new file mode 100644 index 0000000..7c937c7 --- /dev/null +++ b/.github/workflows/ci_dependencies.yml 
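Review bot: The `uses: complytime/org-infra/.github/workflows/reusable_ci.yml@main` reference resolves a mutable branch at every run, so any change merged to `main` in org-infra (including a compromised or mistaken one) is picked up immediately by this caller, while the third-party actions elsewhere in this change are pinned to full commit SHAs. The same `@main` references appear in the ci_dependencies.yml, ci_scheduled.yml and ci_security.yml hunks. If org-infra is under the organization's own branch protection and review this may be the intended trust boundary; otherwise pinning the reusable workflows to a release tag or commit SHA, e.g. `uses: complytime/org-infra/.github/workflows/reusable_ci.yml@<pinned-sha-placeholder>`, keeps the supply-chain posture consistent across the files. A short comment above the `uses:` line stating why a branch ref is acceptable here would help the next reviewer.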
@@ -0,0 +1,87 @@ +--- +name: Dependencies + +on: + push: + branches: + - main + pull_request: + branches: + - main + +permissions: + contents: read + issues: none + pull-requests: none + +jobs: + call_deps_reviewer: + name: General + uses: complytime/org-infra/.github/workflows/reusable_deps_reviewer.yml@main + + call_dependabot_reviewer: + name: Dependabot + uses: complytime/org-infra/.github/workflows/reusable_dependabot_reviewer.yml@main + + comment_on_dependabot_prs: + name: Dependabot Comment + if: github.actor == 'dependabot[bot]' + runs-on: ubuntu-latest + needs: [call_deps_reviewer, call_dependabot_reviewer] + permissions: + issues: read + pull-requests: write + steps: + - name: Comment from Dependabot Reviewer + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 + env: + REVIEW_CONCLUSION: ${{ needs.call_deps_reviewer.outputs.review_conclusion }} + RISK_LEVEL: ${{ needs.call_dependabot_reviewer.outputs.risk_level }} + UPDATES_COUNT: ${{ needs.call_dependabot_reviewer.outputs.updates_count }} + with: + issue-number: ${{ github.event.pull_request.number }} + edit-mode: replace + body: | + 🤖 **Standardized Dependabot Review Summary** 🤖 + + This PR was processed by the organization's reusable CI pipeline. + + - **Dependencies Review:** **${{ env.REVIEW_CONCLUSION }}** + - [View detailed logs](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) + - **Calculated Risk:** **${{ env.RISK_LEVEL }}** + - **Dependency Usage:** At least **${{ env.UPDATES_COUNT }}** repositories are using this dependency version + + --- + + Maintainer check list: + 1. Ensure the PR passed all CI tests (required status checks). + 2. Investigate failures for Major updates or any manual review requirement. + 3. Don't overlook breaking changes and changelog information. + 4. If the scorecard value is low, consider to contribute to make it higher. Everybody wins! + 5. Be diligent. 
When in doubt, ask another maintainer for additional review. + + approve_dependabot_prs: + name: Dependabot Auto-approve + if: github.actor == 'dependabot[bot]' + runs-on: ubuntu-latest + needs: [call_deps_reviewer, call_dependabot_reviewer] + permissions: + pull-requests: write + steps: + - name: Auto-approve if Confident + if: ${{ env.RISK_LEVEL != 'high' && env.REVIEW_CONCLUSION == 'success' && env.UPDATES_COUNT > 10 }} + env: + REVIEW_CONCLUSION: ${{ needs.call_deps_reviewer.outputs.review_conclusion }} + RISK_LEVEL: ${{ needs.call_dependabot_reviewer.outputs.risk_level }} + UPDATES_COUNT: ${{ needs.call_dependabot_reviewer.outputs.updates_count }} + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + with: + script: | + github.rest.pulls.createReview({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: context.issue.number, + event: 'APPROVE', + body: 'Automatically approved by GitHub Action for Dependabot PRs.' + }); + console.log('Dependabot PR approved successfully.'); diff --git a/.github/workflows/ci_scheduled.yml b/.github/workflows/ci_scheduled.yml new file mode 100644 index 0000000..c6a0e70 --- /dev/null +++ b/.github/workflows/ci_scheduled.yml @@ -0,0 +1,22 @@ +--- +name: Scheduled Jobs + +on: + schedule: + - cron: '0 0 * * *' + +permissions: + contents: read + actions: none + id-token: none + security-events: none + +jobs: + call_reusable_scheduled: + name: OSV-Scanner and Scorecards + permissions: + contents: read + actions: read + security-events: write + id-token: write + uses: complytime/org-infra/.github/workflows/reusable_scheduled.yml@main diff --git a/.github/workflows/ci_security.yml b/.github/workflows/ci_security.yml new file mode 100644 index 0000000..3bdf560 --- /dev/null +++ b/.github/workflows/ci_security.yml 
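Review bot: The `Auto-approve if Confident` step gates a real approval on `env.RISK_LEVEL`, `env.REVIEW_CONCLUSION` and `env.UPDATES_COUNT`, but those three variables are only defined in that step's own `env` block, and it is not certain that a step-level env is populated when the same step's `if` is evaluated; if it is not, `env.RISK_LEVEL != 'high'` is true for an empty string and only the numeric count comparison protects the gate. Comparing the job outputs directly removes the question: `if: ${{ needs.call_dependabot_reviewer.outputs.risk_level != 'high' && needs.call_deps_reviewer.outputs.review_conclusion == 'success' && needs.call_dependabot_reviewer.outputs.updates_count > 10 }}`. Independently of that, a negative test against `'high'` fails open when the output is empty or renamed upstream; requiring the expected low-risk value positively would fail closed. The `comment_on_dependabot_prs` job also uses `github.event.pull_request.number`, which is undefined on the `push` trigger this workflow also declares, so the job-level `if` may need `github.event_name == 'pull_request'` as well.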
@@ -0,0 +1,36 @@ +--- +name: Security Checks + +on: + push: + branches: + - main + pull_request: + branches: + - main + +permissions: + contents: read + actions: none + id-token: none + security-events: none + packages: none + +jobs: + call_reusable_vuln_scan: + name: OSV-Scanner + permissions: + contents: read + actions: read + security-events: write + id-token: write + packages: write + uses: complytime/org-infra/.github/workflows/reusable_vuln_scan.yml@main + + call_reusable_security: + name: OpenSSF Scorecards + permissions: + contents: read + id-token: write + security-events: write + uses: complytime/org-infra/.github/workflows/reusable_security.yml@main diff --git a/.yamllint.yml b/.yamllint.yml new file mode 100644 index 0000000..d3b399d --- /dev/null +++ b/.yamllint.yml @@ -0,0 +1,12 @@ +--- +extends: default + +# https://yamllint.readthedocs.io/en/stable/rules.html +rules: + comments: disable + document-start: disable + empty-lines: + level: warning + indentation: + spaces: consistent + line-length: disable diff --git a/commitlint.config.js b/commitlint.config.js new file mode 100644 index 0000000..ddf41a3 --- /dev/null +++ b/commitlint.config.js @@ -0,0 +1,6 @@ +module.exports = { + extends: ['@commitlint/config-conventional'], + rules: { + 'subject-case': [0, 'always', 'lower-case'], + } +};
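Review bot: The `call_reusable_vuln_scan` job grants `packages: write` on a workflow triggered by `push` and `pull_request`, and nothing in the hunk shows a vulnerability scan needing to publish packages; if the reusable workflow only reads and uploads SARIF, `packages: read` or dropping the scope keeps the job at least privilege, and the workflow-level `packages: none` would then not need to be overridden. If the scanner does push an image or package, a comment next to `packages: write` naming that purpose would justify the elevated scope for the next reviewer. The call itself references `@main`, which is raised in the ci_checks.yml note.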
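Review bot: The yamllint configuration leaves the default `truthy` rule active with key checking, so the `on:` key in every workflow added in this change will be reported as a truthy value by yamllint (YAML 1.1 reads `on` as a boolean), which makes the lint noisy exactly on the files this config is meant to cover. Adding `truthy:` with `check-keys: false` under `rules:` (or an `ignore:` entry for `.github/workflows/`) keeps value checks like `yes`/`no` while allowing the GitHub Actions trigger key. A one-line comment above that entry explaining the `on:` special case would make the exception self-documenting, since `comments: disable` means comment formatting will not be enforced anyway.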
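Review bot: In `'subject-case': [0, 'always', 'lower-case']` the severity `0` disables the rule entirely, so the `'always'` and `'lower-case'` arguments are inert and suggest a lower-case requirement that is never enforced. Either reduce it to `'subject-case': [0]` or, if lower-case subjects are actually wanted, raise the level to `2`. A comment such as `// subject-case disabled: subjects may contain proper nouns and identifiers` would record the intent either way.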