From 017e9c79b0f15923b789e39078dfd47a91b036e5 Mon Sep 17 00:00:00 2001
From: Matthew Watkins
Date: Fri, 5 Jun 2026 11:16:08 +0100
Subject: [PATCH] Chore: remove redundant workflow copies

Remove workflow copies now maintained centrally in the .github repository. An organisation-level Ruleset will enforce the canonical versions, making these per-repository copies redundant.
Removed:
- autolabeler.yaml
- semantic-pull-request.yaml
- sha-pinned-actions.yaml
Co-Authored-By: Claude
Signed-off-by: Matthew Watkins
---
.github/workflows/autolabeler.yaml | 59 --------------------
.github/workflows/semantic-pull-request.yaml | 55 ------------------
.github/workflows/sha-pinned-actions.yaml | 29 ----------
3 files changed, 143 deletions(-)
delete mode 100644 .github/workflows/autolabeler.yaml
delete mode 100644 .github/workflows/semantic-pull-request.yaml
delete mode 100644 .github/workflows/sha-pinned-actions.yaml
diff --git a/.github/workflows/autolabeler.yaml b/.github/workflows/autolabeler.yaml
deleted file mode 100644
index 6697d82..0000000
--- a/.github/workflows/autolabeler.yaml
+++ /dev/null
@@ -1,59 +0,0 @@ ---- -# SPDX-FileCopyrightText: 2025 The Linux Foundation -# SPDX-License-Identifier: Apache-2.0 - -name: 'Autolabeler' - -# yamllint disable-line rule:truthy -on: - # pull_request is required for autolabeler - pull_request: - types: - - opened - - synchronize - - reopened - # pull_request_target is required for autolabeler on PRs from forks - pull_request_target: - types: - - opened - - synchronize - - reopened - -permissions: {} - -concurrency: - # yamllint disable-line rule:line-length - group: ${{ format('al-{0}-pr-{1}', github.event_name, github.event.pull_request.number) }} - cancel-in-progress: true - -jobs: - autolabel: - name: 'Autolabel PR' - # Run on pull_request_target for forks, or pull_request for same-repo PRs - # This prevents duplicate runs for same-repo PRs - # yamllint disable rule:line-length - if: > - (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.fork) || - (github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork) - # yamllint enable rule:line-length - # SECURITY: pull_request_target with write permissions is safe here because: - # 1. This workflow does NOT checkout any code from the PR - # 2. The workflow code itself runs from the base branch (not the fork) - # 3. release-drafter only makes GitHub API calls (no code execution) - # 4. pull_request_target is needed ONLY for autolabeling fork PRs - permissions: - # write permission is required for autolabeler - pull-requests: write - # read is sufficient; autolabeler does not create releases - contents: read - runs-on: 'ubuntu-latest' - timeout-minutes: 3 - steps: - # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 - with: - egress-policy: 'audit' - - # yamllint disable-line rule:line-length - - uses: release-drafter/release-drafter/autolabeler@693d20e7c1ce1a81d3a41962f85914253b518449 # v7.3.1 
diff --git a/.github/workflows/semantic-pull-request.yaml b/.github/workflows/semantic-pull-request.yaml deleted file mode 100644 index 9764b26..0000000 --- a/.github/workflows/semantic-pull-request.yaml +++ /dev/null @@ -1,55 +0,0 @@ ---- -# SPDX-License-Identifier: Apache-2.0 -# SPDX-FileCopyrightText: 2025 The Linux Foundation - -name: '🛠️ Semantic Pull Request' - -# yamllint disable-line rule:truthy -on: - # Not supported when workflow contains: amannn/action-semantic-pull-request - # workflow_dispatch: - pull_request: - types: [opened, reopened, edited, synchronize] - -permissions: {} - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - semantic-pull-request: - name: "Semantic Pull Request" - permissions: - contents: read - runs-on: ubuntu-24.04 - timeout-minutes: 3 - steps: - # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 - with: - egress-policy: audit - - - name: "Validate pull request title" - # yamllint disable-line rule:line-length - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - # Requires the type to be capitalised, - # but accept any of the standard types - types: | - Fix - Feat - Chore - Docs - Style - Refactor - Perf - Test - Revert - CI - Build - validateSingleCommit: true - validateSingleCommitMatchesPrTitle: true diff --git a/.github/workflows/sha-pinned-actions.yaml b/.github/workflows/sha-pinned-actions.yaml deleted file mode 100644 index fa2dc22..0000000 --- a/.github/workflows/sha-pinned-actions.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -# SPDX-License-Identifier: Apache-2.0 -# SPDX-FileCopyrightText: 2025 The Linux Foundation - -# Verifies action/workflow calls are pinned to SHA commit values -name: '📌 Audit GitHub Actions' - -# yamllint disable-line rule:truthy -on: - workflow_dispatch: - pull_request: - branches: - - main - - master - paths: ['.github/**'] - -permissions: {} - -concurrency: - group: "${{ github.workflow }}-${{ github.ref }}" - cancel-in-progress: true - -jobs: - verify: - name: 'Check SHA pinned actions' - # yamllint disable-line rule:line-length - uses: lfit/releng-reusable-workflows/.github/workflows/reuse-verify-github-actions.yaml@9b7880d03148ac73ba5f4e32d423b322db94ebc1 # v0.3.4 - permissions: - contents: read