Skip to content

Commit d0686c4

Browse files
authored
Merge pull request #137 from kpj2006/workflow
Workflow
2 parents 3baea5f + 9976329 commit d0686c4

6 files changed

Lines changed: 1026 additions & 488 deletions

File tree

Lines changed: 153 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,153 @@
1+
# Automatically scans every PR for newly added dependencies
2+
# Blocks merges if a dependency license is NOT in the allow-list
3+
# Flags CVEs with moderate+ severity
4+
# Docs: https://github.com/actions/dependency-review-action
5+
6+
7+
name: Dependency Review
8+
9+
on:
10+
pull_request:
11+
branches:
12+
- main
13+
- master
14+
- develop
15+
# Only re-run when dependency manifests actually change
16+
paths:
17+
# JavaScript / TypeScript / Node
18+
- "**/package.json"
19+
- "**/package-lock.json"
20+
- "**/yarn.lock"
21+
- "**/pnpm-lock.yaml"
22+
# Python
23+
- "**/requirements*.txt"
24+
- "**/Pipfile.lock"
25+
- "**/pyproject.toml"
26+
- "**/poetry.lock"
27+
# Rust
28+
- "**/Cargo.toml"
29+
- "**/Cargo.lock"
30+
# Go
31+
- "**/go.mod"
32+
- "**/go.sum"
33+
# Java / Kotlin / Android
34+
- "**/pom.xml"
35+
- "**/build.gradle"
36+
- "**/build.gradle.kts"
37+
- "**/*.gradle"
38+
# Ruby
39+
- "**/Gemfile.lock"
40+
# Docker / Infrastructure
41+
- "**/Dockerfile"
42+
- "**/docker-compose*.yml"
43+
- "**/docker-compose*.yaml"
44+
# GitHub Actions themselves
45+
- ".github/workflows/*.yml"
46+
- ".github/workflows/*.yaml"
47+
48+
permissions:
49+
contents: read # Required to read the repo content
50+
# pull-requests: write # Required to post review comments on the PR
51+
52+
jobs:
53+
dependency-review:
54+
name: Dependency & License Review
55+
runs-on: ubuntu-latest
56+
57+
steps:
58+
- name: Run Dependency Review
59+
uses: actions/dependency-review-action@v4
60+
with:
61+
# ── VULNERABILITY SETTINGS ──────────────────────────
62+
# Fail if any newly added dependency has a CVE at this
63+
# severity level or above. Options: low | moderate | high | critical
64+
fail-on-severity: moderate
65+
66+
# Which dependency scopes to check for vulnerabilities
67+
# Options: runtime | development | unknown (comma-separated)
68+
fail-on-scopes: runtime
69+
70+
# ── LICENSE ENFORCEMENT ─────────────────────────────
71+
# ALLOW: Only these licenses are permitted in new dependencies.
72+
# PRs introducing any other license will fail automatically.
73+
# Full SPDX list: https://spdx.org/licenses/
74+
allow-licenses: >-
75+
MIT,
76+
Apache-2.0,
77+
BSD-2-Clause,
78+
BSD-3-Clause,
79+
ISC,
80+
CC0-1.0,
81+
Unlicense,
82+
GPL-2.0-only,
83+
GPL-2.0-or-later,
84+
GPL-3.0-only,
85+
GPL-3.0-or-later,
86+
LGPL-2.0-only,
87+
LGPL-2.0-or-later,
88+
LGPL-2.1-only,
89+
LGPL-2.1-or-later,
90+
LGPL-3.0-only,
91+
LGPL-3.0-or-later,
92+
AGPL-3.0-only,
93+
AGPL-3.0-or-later,
94+
MPL-2.0,
95+
EUPL-1.2,
96+
Python-2.0,
97+
PSF-2.0
98+
99+
# PER-PACKAGE EXCEPTIONS: Packages excluded from license checks entirely.
100+
# Use for packages with unrecognized/non-standard license declarations.
101+
# Format: "pkg:npm/name, pkg:pypi/name, pkg:githubactions/owner/repo@version"
102+
# ── Edit this list when adding approved exceptions ──
103+
# allow-dependencies-licenses: >-
104+
# pkg:npm/example-package,
105+
# pkg:pypi/example-package
106+
107+
# ── SCOPE FILTERING ─────────────────────────────────
108+
# Skip dev-only dependencies (test frameworks, linters, etc.)
109+
# They are not shipped to production so risk is lower.
110+
# Set to "all" to also scan devDependencies.
111+
# Options: runtime | development | all
112+
# Using "runtime" keeps noise low in template repos
113+
# where dev deps vary wildly by project type.
114+
# Uncomment the line below to enforce on devDeps too:
115+
# fail-on-scopes: runtime, development
116+
allow-ghsas: "" # Leave empty to block all known GHSAs
117+
118+
# ── OUTPUT & COMMENTS ────────────────────────────────
119+
# Post a detailed summary comment directly on the PR
120+
# comment-summary-in-pr: always
121+
122+
# Fail (don't just warn) on license violations.
123+
# Change to "true" to only warn without failing.
124+
warn-only: false
125+
126+
# ── VULNERABILITY DATABASE ───────────────────────────
127+
# Use the GitHub Advisory Database (GHSA) as the source.
128+
# This is the default; listed explicitly for clarity.
129+
# vulnerability-check: true # default
130+
# Add explicitly so teams know it's active
131+
show-openssf-scorecard: true
132+
warn-on-openssf-scorecard-level: 3
133+
134+
# Post a status summary badge to PR
135+
# summarize:
136+
# name: Post Review Summary
137+
# runs-on: ubuntu-latest
138+
# needs: dependency-review
139+
# if: always()
140+
141+
# steps:
142+
# - name: 📋 Summarize Result
143+
# run: |
144+
# if [ "${{ needs.dependency-review.result }}" == "success" ]; then
145+
# echo "✅ Dependency review passed — no license violations or CVEs found."
146+
# else
147+
# echo "❌ Dependency review failed — check the PR comment for details."
148+
# echo ""
149+
# echo "Common fixes:"
150+
# echo " • Replace dependencies using licenses not in allow-licenses"
151+
# echo " • Upgrade vulnerable packages to patched versions"
152+
# echo " • Add an explicit exception to allow-dependencies-licenses if intentional"
153+
# fi

.github/workflows/setup-labels.yml

Lines changed: 210 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,210 @@
1+
name: Setup Repository Labels
2+
3+
on:
4+
workflow_dispatch: # Manual trigger
5+
push:
6+
branches: [main, master]
7+
paths:
8+
- '.github/workflows/setup-labels.yml'
9+
10+
permissions:
11+
issues: write
12+
13+
jobs:
14+
create-labels:
15+
runs-on: ubuntu-latest
16+
steps:
17+
- name: Create all required labels
18+
uses: actions/github-script@v7
19+
with:
20+
github-token: ${{ secrets.GITHUB_TOKEN }}
21+
script: |
22+
// Define all labels with colors and descriptions
23+
const requiredLabels = [
24+
// ==================== CONTRIBUTOR LABELS ====================
25+
{
26+
name: 'org-member',
27+
color: '0E8A16',
28+
description: 'Member of the organization with admin/maintain permissions'
29+
},
30+
{
31+
name: 'first-time-contributor',
32+
color: '7057FF',
33+
description: 'First PR of an external contributor'
34+
},
35+
{
36+
name: 'repeat-contributor',
37+
color: '6F42C1',
38+
description: 'PR from an external contributor who already had PRs merged'
39+
},
40+
41+
// ==================== ISSUE TRACKING LABELS ====================
42+
{
43+
name: 'no-issue-linked',
44+
color: 'D73A4A',
45+
description: 'PR is not linked to any issue'
46+
},
47+
48+
// ==================== FILE TYPE LABELS ====================
49+
{
50+
name: 'documentation',
51+
color: '0075CA',
52+
description: 'Changes to documentation files'
53+
},
54+
{
55+
name: 'frontend',
56+
color: 'FEF2C0',
57+
description: 'Changes to frontend code'
58+
},
59+
{
60+
name: 'backend',
61+
color: 'BFD4F2',
62+
description: 'Changes to backend code'
63+
},
64+
{
65+
name: 'javascript',
66+
color: 'F1E05A',
67+
description: 'JavaScript/TypeScript code changes'
68+
},
69+
{
70+
name: 'python',
71+
color: '3572A5',
72+
description: 'Python code changes'
73+
},
74+
{
75+
name: 'configuration',
76+
color: 'EDEDED',
77+
description: 'Configuration file changes'
78+
},
79+
{
80+
name: 'github-actions',
81+
color: '2088FF',
82+
description: 'GitHub Actions workflow changes'
83+
},
84+
{
85+
name: 'dependencies',
86+
color: '0366D6',
87+
description: 'Dependency file changes'
88+
},
89+
{
90+
name: 'tests',
91+
color: 'C5DEF5',
92+
description: 'Test file changes'
93+
},
94+
{
95+
name: 'docker',
96+
color: '0DB7ED',
97+
description: 'Docker-related changes'
98+
},
99+
{
100+
name: 'ci-cd',
101+
color: '6E5494',
102+
description: 'CI/CD pipeline changes'
103+
},
104+
105+
// ==================== SIZE LABELS ====================
106+
{
107+
name: 'size/XS',
108+
color: '00FF00',
109+
description: 'Extra small PR (≤10 lines changed)'
110+
},
111+
{
112+
name: 'size/S',
113+
color: '77FF00',
114+
description: 'Small PR (11-50 lines changed)'
115+
},
116+
{
117+
name: 'size/M',
118+
color: 'FFFF00',
119+
description: 'Medium PR (51-200 lines changed)'
120+
},
121+
{
122+
name: 'size/L',
123+
color: 'FF9900',
124+
description: 'Large PR (201-500 lines changed)'
125+
},
126+
{
127+
name: 'size/XL',
128+
color: 'FF0000',
129+
description: 'Extra large PR (>500 lines changed)'
130+
}
131+
];
132+
133+
console.log('='.repeat(60));
134+
console.log('🏷️ REPOSITORY LABEL SETUP');
135+
console.log('='.repeat(60));
136+
console.log(`Total labels to create: ${requiredLabels.length}\n`);
137+
138+
// Get existing labels with pagination
139+
const existingLabels = await github.paginate(
140+
github.rest.issues.listLabelsForRepo,
141+
{
142+
owner: context.repo.owner,
143+
repo: context.repo.repo,
144+
per_page: 100
145+
}
146+
);
147+
148+
const existingLabelNames = existingLabels.map(label => label.name);
149+
150+
let created = 0;
151+
let updated = 0;
152+
let skipped = 0;
153+
let failed = 0;
154+
155+
// Process each label
156+
for (const label of requiredLabels) {
157+
try {
158+
if (!existingLabelNames.includes(label.name)) {
159+
// Create new label
160+
await github.rest.issues.createLabel({
161+
owner: context.repo.owner,
162+
repo: context.repo.repo,
163+
name: label.name,
164+
color: label.color,
165+
description: label.description
166+
});
167+
console.log(`✅ Created: ${label.name} (#${label.color})`);
168+
created++;
169+
} else {
170+
// Update existing label (in case color/description changed)
171+
const existingLabel = existingLabels.find(l => l.name === label.name);
172+
if (existingLabel.color !== label.color || existingLabel.description !== label.description) {
173+
await github.rest.issues.updateLabel({
174+
owner: context.repo.owner,
175+
repo: context.repo.repo,
176+
name: label.name,
177+
color: label.color,
178+
description: label.description
179+
});
180+
console.log(`🔄 Updated: ${label.name} (#${label.color})`);
181+
updated++;
182+
} else {
183+
console.log(`⏭️ Skipped: ${label.name} (already exists)`);
184+
skipped++;
185+
}
186+
}
187+
} catch (error) {
188+
console.log(`❌ Failed: ${label.name} - ${error.message}`);
189+
failed++;
190+
}
191+
}
192+
193+
// Summary
194+
console.log('\n' + '='.repeat(60));
195+
console.log('📊 SUMMARY');
196+
console.log('='.repeat(60));
197+
console.log(`✅ Created: ${created}`);
198+
console.log(`🔄 Updated: ${updated}`);
199+
console.log(`⏭️ Skipped: ${skipped}`);
200+
console.log(`❌ Failed: ${failed}`);
201+
console.log('='.repeat(60));
202+
203+
// Fail the step if any labels failed to create/update
204+
if (failed > 0) {
205+
core.setFailed(`Label setup failed! ${failed} label(s) could not be created or updated.`);
206+
} else if (created > 0 || updated > 0) {
207+
console.log('\n🎉 Label setup complete! Your repository is ready.');
208+
} else {
209+
console.log('\n✨ All labels are already up to date.');
210+
}

0 commit comments

Comments
 (0)