diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 00000000..d2a6d111 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,14 @@ +name: Dependency Review + +on: + pull_request: + branches: [main] + +permissions: {} + +jobs: + dependency-review: + uses: Mininglamp-OSS/.github/.github/workflows/reusable-dependency-review.yml@v1 + permissions: + contents: read + pull-requests: write diff --git a/.github/workflows/pr-title-lint.yml b/.github/workflows/pr-title-lint.yml new file mode 100644 index 00000000..856769ee --- /dev/null +++ b/.github/workflows/pr-title-lint.yml @@ -0,0 +1,21 @@ +name: PR Title Lint + +on: + # pull_request_target: metadata-only automation — the reusable checks out NO PR + # code and reads the PR title via env (never interpolated), so fork PRs cannot + # execute code or inject via the title. zizmor: ignore[dangerous-triggers] + pull_request_target: + types: [opened, edited, reopened, synchronize] + +permissions: {} + +jobs: + pr-title-lint: + uses: Mininglamp-OSS/.github/.github/workflows/reusable-pr-title-lint.yml@v1 + with: + pr_number: ${{ github.event.pull_request.number }} + pr_title: ${{ github.event.pull_request.title }} + repo_owner: ${{ github.event.repository.owner.login }} + repo_name: ${{ github.event.repository.name }} + permissions: + pull-requests: write diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml new file mode 100644 index 00000000..ab0c9346 --- /dev/null +++ b/.github/workflows/secret-scan.yml @@ -0,0 +1,15 @@ +name: Secret Scan + +on: + pull_request: + branches: [main] + push: + branches: [main] + +permissions: {} + +jobs: + secret-scan: + uses: Mininglamp-OSS/.github/.github/workflows/reusable-secret-scan.yml@v1 + permissions: + contents: read