mikepenz · mikepenz · Apr 6, 2026 · Apr 6, 2026 · Apr 6, 2026 · Apr 6, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -62,6 +62,9 @@ jobs:
   build:
     name: Build
     runs-on: macos-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -104,6 +107,7 @@ jobs:
           detailed_summary: true
 
       - name: Archive Test Report
+        if: always()
         uses: actions/upload-artifact@v7
         with:
           name: "Test-Artifacts"
@@ -114,23 +118,24 @@ jobs:
         run: ./gradlew apiCheck
 
       - name: Run Lint
-        if: github.event_name  == 'pull_request'
+        if: github.event_name == 'pull_request'
         run: ./gradlew lintDebug
 
-      - name: Setup Ruby
-        if: github.event_name  == 'pull_request'
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: '3.0'
-          bundler-cache: true
-
-      - name: Run Danger
-        if: github.event_name  == 'pull_request'
+      - name: Collect Lint SARIF reports
+        if: github.event_name == 'pull_request'
         run: |
-          gem install danger
-          bundle exec danger --dangerfile=Dangerfile --danger_id=danger-pr
-        env:
-          DANGER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          mkdir -p sarif-reports
+          find . -name "lint-results-debug.sarif" | while read f; do
+            module=$(echo "$f" | sed 's|^\./||' | sed 's|/build/reports/.*||' | sed 's|/|-|g')
+            cp "$f" "sarif-reports/${module}-lint.sarif"
+          done
+
+      - name: Upload Lint SARIF
+        if: always() && github.event_name == 'pull_request'
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: 'sarif-reports'
+          category: android-lint
 
       - name: Prepare Keystore and Local.
         if: startsWith(github.ref, 'refs/tags/')

diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
@@ -0,0 +1,29 @@
+name: PR Checks
+
+on:
+  pull_request:
+
+permissions:
+  pull-requests: read
+
+jobs:
+  quality-gates:
+    name: Quality Gates
+    runs-on: ubuntu-latest
+    steps:
+      - name: PR Quality Gates
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const { data: pr } = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.issue.number
+            });
+            const labels = pr.labels.map(l => l.name);
+            if (labels.some(l => l.includes('DO NOT MERGE')))
+              core.setFailed('PR specifies label DO NOT MERGE');
+            if (labels.some(l => l.includes('Engineers at work')) || pr.title.includes('[WIP]'))
+              core.warning('PR is marked as Work in Progress');
+            if (pr.additions + pr.deletions > 5000)
+              core.warning('Big PR');
diff --git a/Dangerfile b/Dangerfile
diff --git a/Gemfile b/Gemfile
diff --git a/Gemfile.lock b/Gemfile.lock
diff --git a/settings.gradle.kts b/settings.gradle.kts
@@ -28,7 +28,7 @@ dependencyResolutionManagement {
 
     versionCatalogs {
         create("baseLibs") {
-            from("com.mikepenz:version-catalog:0.14.1")
+            from("com.mikepenz:version-catalog:0.14.2")
         }
     }
 }