diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml index f3873871d77..0c2cdff0ca1 100644 --- a/.github/codeql-config.yml +++ b/.github/codeql-config.yml @@ -4,10 +4,5 @@ paths: - openaev-front/src - openaev-framework/src - openaev-model/src - - openaev-injectors/openaev-http/src - - openaev-injectors/openaev-lade/src - - openaev-injectors/openaev-mastodon/src - - openaev-injectors/openaev-ovh/src - - openaev-injectors/openaev-ssh/src paths-ignore: - openaev-front/src/static diff --git a/.github/workflows/auto-close-add-solved.yml b/.github/workflows/auto-close-add-solved.yml index 5dfeb7dbb44..a81f53c41d2 100644 --- a/.github/workflows/auto-close-add-solved.yml +++ b/.github/workflows/auto-close-add-solved.yml @@ -2,7 +2,7 @@ name: Auto Close and Solve Issues on: pull_request: branches: - - release/* + - release/current - master types: - closed @@ -28,20 +28,20 @@ jobs: script: | const prTitle = context.payload.pull_request.title; core.info(`PR Title: ${prTitle}`); - + // Match only issue-containing groups at the end const endPattern = /(?:\((?:[^)]*#\d+[^)]*)\)|#\d+)(?:\s+(?:\((?:[^)]*#\d+[^)]*)\)|#\d+))*\s*$/; const endMatch = prTitle.match(endPattern); - + let issueNumbers = []; - + if (endMatch) { // Extract all #number patterns from the matched section const allMatches = endMatch[0].matchAll(/#(\d+)/g); issueNumbers = [...allMatches] .map(match => match[1]) .filter((value, index, self) => self.indexOf(value) === index); // Remove duplicates - + if (issueNumbers.length > 0) { core.info(`Found ${issueNumbers.length} issue number(s): ${issueNumbers.join(', ')}`); core.setOutput('issue_numbers', issueNumbers.join(' ')); 
@@ -70,17 +70,17 @@ jobs: const issueNumbers = "${{ needs.extract_issue_number.outputs.issue_numbers }}" .split(' ') .filter(num => num.trim() !== ''); - + core.info(`Processing ${issueNumbers.length} issue(s): ${issueNumbers.join(', ')}`); core.startGroup('Processing Issues'); - + let successCount = 0; let failureCount = 0; - + for (const issueNumber of issueNumbers) { try { core.startGroup(`Issue #${issueNumber}`); - + // Add "solved" label await github.rest.issues.addLabels({ owner: context.repo.owner, @@ -89,7 +89,7 @@ jobs: labels: ["solved"] }); core.info(`✓ Added "solved" label`); - + // Close the issue await github.rest.issues.update({ owner: context.repo.owner, @@ -98,21 +98,21 @@ jobs: state: "closed" }); core.info(`✓ Closed issue`); - + successCount++; core.endGroup(); - + } catch (error) { core.error(`✗ Failed to process issue #${issueNumber}: ${error.message}`); failureCount++; core.endGroup(); } } - + core.endGroup(); - + // Summary core.notice(`Successfully processed ${successCount} issue(s)`); if (failureCount > 0) { core.warning(`Failed to process ${failureCount} issue(s)`); - } \ No newline at end of file + } diff --git a/.github/workflows/auto-set-label.yml b/.github/workflows/auto-set-label.yml deleted file mode 100644 index 92eaff3f276..00000000000 --- a/.github/workflows/auto-set-label.yml +++ /dev/null @@ -1,17 +0,0 @@ -name: Assign PR team labels -on: - pull_request: - branches: - - master -permissions: - contents: read - pull-requests: write -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v6 - - name: Setting labels - uses: FiligranHQ/auto-label@1.0.0 - with: - labels_by_organization: "{\"FiligranHQ\":[\"filigran team\"]}" \ No newline at end of file diff --git a/.github/workflows/check-verified-commit.yml b/.github/workflows/check-verified-commit.yml deleted file mode 100644 index a583578e2cf..00000000000 --- a/.github/workflows/check-verified-commit.yml +++ /dev/null 
@@ -1,22 +0,0 @@
-name: Check signed commits in PR
-on: [pull_request,pull_request_target]
-permissions:
- contents: read
- pull-requests: write
-jobs:
- check-signed-commits:
- name: Check signed commits in PR
- runs-on: ubuntu-latest
- permissions:
- contents: read
- pull-requests: write
- steps:
- - name: Information about how to sign commits see https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits
- # "with comment" below does not work for forks.
- run: |
- echo "If you need to sign commits, Please see https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits"
- - name: Check signed commits in PR on fail see above information.
- uses: 1Password/check-signed-commits-action@v1
- with:
- comment: |
- Thank you for your contribution. This PR is but one step away from being ready for merging: all commits must be PGP-signed. To get started, please see docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits
diff --git a/.github/workflows/openaev-auto-label.yml b/.github/workflows/openaev-auto-label.yml
new file mode 100644
index 00000000000..ea9491d70b1
--- /dev/null
+++ b/.github/workflows/openaev-auto-label.yml
@@ -0,0 +1,14 @@
+name: "[OpenAEV] Auto Label"
+on:
+ pull_request_target:
+ branches: [master, release/current]
+ types: [opened, reopened]
+permissions:
+ contents: read
+ pull-requests: write
+jobs:
+ auto-label:
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Auto Label"
+ uses: FiligranHQ/filigran-ci-tools/actions/auto-label@main
diff --git a/.github/workflows/openaev-check-signed-commit.yml b/.github/workflows/openaev-check-signed-commit.yml
new file mode 100644
index 00000000000..a064648ae71
--- /dev/null
+++ b/.github/workflows/openaev-check-signed-commit.yml
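Review bot: The `uses: FiligranHQ/filigran-ci-tools/actions/auto-label@main` line in the new openaev-auto-label.yml references a mutable branch, while the workflow runs on `pull_request_target` with `pull-requests: write`, so whatever is on that branch at run time executes with a write-scoped token in the base repository's context. Pin the reference to a full commit SHA with the branch as a trailing comment, e.g. `uses: FiligranHQ/filigran-ci-tools/actions/auto-label@<full-commit-sha> # main`, and let the dependency updater move it. The same applies to the `@main` references in openaev-check-signed-commit.yml and openaev-validate-pr-title.yml; in the latter the action also receives the GitHub App token. What these actions do is not visible in this diff; if any of them checks out or runs PR head code under `pull_request_target`, that would need separate review.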
@@ -0,0 +1,13 @@
+name: "[OpenAEV] Check Signed Commits in PR"
+on:
+ pull_request_target:
+ branches: [master, release/current]
+permissions:
+ contents: read
+ pull-requests: write
+jobs:
+ check-signed-commits:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check signed commits in PR
+ uses: FiligranHQ/filigran-ci-tools/actions/check-signed-commit@main
diff --git a/.github/workflows/openaev-validate-pr-title.yml b/.github/workflows/openaev-validate-pr-title.yml
new file mode 100644
index 00000000000..d8a2e2ab092
--- /dev/null
+++ b/.github/workflows/openaev-validate-pr-title.yml
@@ -0,0 +1,24 @@
+name: "[OpenAEV] Validate PR title Worker"
+on:
+ pull_request:
+ branches: [master, release/current]
+ types: [opened, edited, reopened, ready_for_review, synchronize]
+permissions:
+ contents: read
+jobs:
+ validate-pr-title:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Generate a token"
+ id: generate-token
+ if: github.event.pull_request.head.repo.full_name == github.repository
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ secrets.OPENAEV_PR_CHECKS_APP_ID }}
+ private-key: ${{ secrets.OPENAEV_PR_CHECKS_PRIVATE_KEY }}
+ - name: "Validate PR title and create check"
+ uses: FiligranHQ/filigran-ci-tools/actions/pr-title-check@main
+ with:
+ token: ${{ steps.generate-token.outputs.token }}
diff --git a/.github/workflows/pr-title-check-worker.yml b/.github/workflows/pr-title-check-worker.yml
deleted file mode 100644
index 84c54182fe0..00000000000
--- a/.github/workflows/pr-title-check-worker.yml
+++ /dev/null
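Review bot: In openaev-validate-pr-title.yml the `token:` input of the last step is empty for fork PRs, because the `Generate a token` step is skipped by its `if:` condition, and nothing in the workflow says how the action is expected to behave in that case. The deleted worker guarded its check-run call with an explicit fork test, and its job had `continue-on-error: true` and `checks: write`; none of these appear in the new file. Whether a fork PR now fails, is skipped, or is validated without a check run therefore depends on the action, which is not visible here. I would add a comment above the step such as `# token is empty on fork PRs (generate-token is skipped); the action must handle that case`, and confirm the intended outcome for forks before merging.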
@@ -1,118 +0,0 @@ -name: "PR Title check worker" -on: - pull_request: - types: [opened, edited, reopened, ready_for_review, synchronize] -permissions: - contents: read - checks: write -jobs: - validate-pr-title: - runs-on: ubuntu-latest - continue-on-error: true - permissions: - contents: read - checks: write - steps: - - name: Generate a token - id: generate-token - if: github.event.pull_request.head.repo.full_name == github.repository - uses: actions/create-github-app-token@v2 - with: - app-id: ${{ secrets.OPENAEV_PR_CHECKS_APP_ID }} - private-key: ${{ secrets.OPENAEV_PR_CHECKS_PRIVATE_KEY }} - - name: Validate PR title and create check - shell: bash - env: - GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} - REPO: ${{ github.repository }} - SHA: ${{ github.event.pull_request.head.sha }} - run: | - set -euo pipefail - TITLE="${{ github.event.pull_request.title }}" - EXIT_CODE=0 - echo "PR title: $TITLE" - # Skip validation for renovate - if [[ "$TITLE" == *"chore(deps)"* ]]; then - echo "⚠️ Skipping validation for renovate PRs." - OUTPUT_TITLE="⚠️ Skipping validation for Renovate PRs." - OUTPUT_SUMMARY="⚠️ Skipping validation for Renovate PRs." - CONCLUSION="success" - else - # Full pattern: - # [category/subcategory] type(scope?): description (#123) - FULL_PATTERN='^\[([a-z]+(/[a-z]+)*)\] (feat|fix|chore|docs|style|refactor|perf|test|build|ci|revert)(\([a-z-]+\))?: [a-z].*( \(#[0-9]+\))$' - if [[ "$TITLE" =~ $FULL_PATTERN ]]; then - echo "✅ PR title is valid." - OUTPUT_TITLE="✅ PR title is valid." - OUTPUT_SUMMARY="✅ PR title is valid." - CONCLUSION="success" - else - EXIT_CODE=1 - # Diagnose common failures - # 1) Check category block: [category/category] - CATEGORY_PATTERN='^\[([a-z]+(/[a-z]+)*)\]' - if ! [[ "$TITLE" =~ $CATEGORY_PATTERN ]]; then - REASON="Bad [category] block. 
Expected: [category] or [category/category]" - fi - # 2) Check type + optional scope - TYPE_PATTERN='^\[([a-z]+(/[a-z]+)*)\] (feat|fix|chore|docs|style|refactor|perf|test|build|ci|revert)(\([a-z-]+\))?: ' - if [[ -z "${REASON:-}" ]] && ! [[ "$TITLE" =~ $TYPE_PATTERN ]]; then - REASON="Bad type(scope): block. Expected type: feat, fix, chore, docs, style, refactor, perf, test, build, ci, revert (optionally with scope: type(scope):)" - fi - # 3) Check description starts with lowercase letter - DESC_PATTERN='^\[([a-z]+(/[a-z]+)*)\] (feat|fix|chore|docs|style|refactor|perf|test|build|ci|revert)(\([a-z-]+\))?: [a-z]' - if [[ -z "${REASON:-}" ]] && ! [[ "$TITLE" =~ $DESC_PATTERN ]]; then - REASON="Bad description. Must start with a lowercase letter after ': '" - fi - # 4) Check issue reference at the end: (#XXX) - ISSUE_PATTERN='\(#[0-9]+\)$' - if [[ -z "${REASON:-}" ]] && ! [[ "$TITLE" =~ $ISSUE_PATTERN ]]; then - REASON="Bad (#XXX) ending block. Missing issue reference" - fi - if [[ -z "${REASON:-}" ]]; then - REASON="Bad title. Does not match the required pattern" - fi - echo "❌ Invalid PR title: $REASON" - echo "Required format:" - echo "[category] type(scope?): description (#123)" - OUTPUT_TITLE="$REASON" - OUTPUT_SUMMARY="❌ Invalid PR title: $REASON. \nRequired: [category] type(scope?): description (#XXX)" - CONCLUSION="failure" - fi - fi - # Create custom check run only if not from fork - if [[ "${{ github.event.pull_request.head.repo.full_name }}" == "${{ github.repository }}" ]]; then - CHECK_RUN=$( - curl -sS -X POST \ - -H "Authorization: Bearer $GITHUB_TOKEN" \ - -H "Accept: application/vnd.github+json" \ - https://api.github.com/repos/$REPO/check-runs \ - -d @- <