Add prompt rules for network/TLS diagnostics #203
| name: Repo Checks | |
| on: | |
| pull_request_target: | |
| branches: [main] | |
| types: [opened, synchronize, reopened] | |
| pull_request: | |
| branches: [main] | |
| push: | |
| branches: [main] | |
| permissions: | |
| contents: read | |
| jobs: | |
| pull-request-trust: | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request_target' | |
| steps: | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 | |
| with: | |
| node-version: 20 | |
| - name: Checkout trusted base checks | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| ref: ${{ github.event.pull_request.base.ref }} | |
| path: .trusted-base | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Check PR author account age | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| PR_AUTHOR: ${{ github.event.pull_request.user.login }} | |
| PR_AUTHOR_MINIMUM_AGE_DAYS: ${{ vars.PR_AUTHOR_MINIMUM_AGE_DAYS || '30' }} | |
| PR_AUTHOR_AGE_ALLOWLIST: ${{ vars.PR_AUTHOR_AGE_ALLOWLIST || 'PatrickJS,dependabot[bot],Copilot' }} | |
| run: | | |
| node .trusted-base/scripts/check-pr-author.mjs \ | |
| --username "$PR_AUTHOR" \ | |
| --minimum-age-days "$PR_AUTHOR_MINIMUM_AGE_DAYS" \ | |
| --allowlist "$PR_AUTHOR_AGE_ALLOWLIST" | |
| readme-hygiene: | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request_target' || github.event_name == 'push' | |
| steps: | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 | |
| with: | |
| node-version: 20 | |
| - name: Checkout trusted base checks | |
| if: github.event_name == 'pull_request_target' | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| ref: ${{ github.event.pull_request.base.ref }} | |
| path: .trusted-base | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Checkout pull request content | |
| if: github.event_name == 'pull_request_target' | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| repository: ${{ github.event.pull_request.head.repo.full_name }} | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| path: pr | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Determine pull request changed files | |
| if: github.event_name == 'pull_request_target' | |
| shell: bash | |
| env: | |
| BASE_REF: ${{ github.event.pull_request.base.ref }} | |
| run: | | |
| git -C pr remote add trusted-base "$GITHUB_SERVER_URL/${{ github.repository }}.git" | |
| git -C pr fetch --no-tags trusted-base "$BASE_REF" | |
| base="$(git -C pr rev-parse FETCH_HEAD)" | |
| git -C pr diff --name-only "$base"...HEAD > pr/.changed-files | |
| git -C pr diff --unified=0 "$base"...HEAD -- README.md > pr/.readme.diff || true | |
| - name: Run trusted README hygiene checks | |
| if: github.event_name == 'pull_request_target' | |
| run: node .trusted-base/scripts/check-readme-hygiene.mjs --root "$GITHUB_WORKSPACE/pr" --changed-files .changed-files --diff-file .readme.diff | |
| - name: Checkout push content | |
| if: github.event_name == 'push' | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Determine push changed files | |
| if: github.event_name == 'push' | |
| shell: bash | |
| run: | | |
| if [[ -n "${{ github.event.before }}" && "${{ github.event.before }}" != "0000000000000000000000000000000000000000" ]]; then | |
| base="${{ github.event.before }}" | |
| else | |
| base="$(git rev-list --max-parents=0 HEAD)" | |
| fi | |
| git diff --name-only "$base"...HEAD > .changed-files | |
| git diff --unified=0 "$base"...HEAD -- README.md > .readme.diff || true | |
| - name: Run README hygiene checks | |
| if: github.event_name == 'push' | |
| run: node scripts/check-readme-hygiene.mjs --changed-files .changed-files --diff-file .readme.diff | |
| rule-hygiene: | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request_target' || github.event_name == 'push' | |
| steps: | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 | |
| with: | |
| node-version: 20 | |
| - name: Checkout trusted base checks | |
| if: github.event_name == 'pull_request_target' | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| ref: ${{ github.event.pull_request.base.ref }} | |
| path: .trusted-base | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Checkout pull request content | |
| if: github.event_name == 'pull_request_target' | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| repository: ${{ github.event.pull_request.head.repo.full_name }} | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| path: pr | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Determine pull request changed files | |
| if: github.event_name == 'pull_request_target' | |
| shell: bash | |
| env: | |
| BASE_REF: ${{ github.event.pull_request.base.ref }} | |
| run: | | |
| git -C pr remote add trusted-base "$GITHUB_SERVER_URL/${{ github.repository }}.git" | |
| git -C pr fetch --no-tags trusted-base "$BASE_REF" | |
| base="$(git -C pr rev-parse FETCH_HEAD)" | |
| git -C pr diff --name-only "$base"...HEAD > pr/.changed-files | |
| - name: Run trusted rule hygiene checks | |
| if: github.event_name == 'pull_request_target' | |
| run: node .trusted-base/scripts/check-rule-hygiene.mjs --root "$GITHUB_WORKSPACE/pr" --changed-files .changed-files | |
| - name: Checkout push content | |
| if: github.event_name == 'push' | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Determine push changed files | |
| if: github.event_name == 'push' | |
| shell: bash | |
| run: | | |
| if [[ -n "${{ github.event.before }}" && "${{ github.event.before }}" != "0000000000000000000000000000000000000000" ]]; then | |
| base="${{ github.event.before }}" | |
| else | |
| base="$(git rev-list --max-parents=0 HEAD)" | |
| fi | |
| git diff --name-only "$base"...HEAD > .changed-files | |
| - name: Run rule hygiene checks | |
| if: github.event_name == 'push' | |
| run: node scripts/check-rule-hygiene.mjs --changed-files .changed-files | |
| issue-template-policy: | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request_target' || github.event_name == 'push' | |
| steps: | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 | |
| with: | |
| node-version: 20 | |
| - name: Checkout trusted base checks | |
| if: github.event_name == 'pull_request_target' | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| ref: ${{ github.event.pull_request.base.ref }} | |
| path: .trusted-base | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Checkout pull request content | |
| if: github.event_name == 'pull_request_target' | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| repository: ${{ github.event.pull_request.head.repo.full_name }} | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| path: pr | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Run trusted issue template policy checks | |
| if: github.event_name == 'pull_request_target' | |
| run: node .trusted-base/scripts/check-issue-template-policy.mjs --root "$GITHUB_WORKSPACE/pr" | |
| - name: Checkout push content | |
| if: github.event_name == 'push' | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Run issue template policy checks | |
| if: github.event_name == 'push' | |
| run: node scripts/check-issue-template-policy.mjs | |
| repo-security: | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request_target' || github.event_name == 'push' | |
| steps: | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 | |
| with: | |
| node-version: 20 | |
| - name: Checkout trusted base checks | |
| if: github.event_name == 'pull_request_target' | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| ref: ${{ github.event.pull_request.base.ref }} | |
| path: .trusted-base | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Checkout pull request content | |
| if: github.event_name == 'pull_request_target' | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| repository: ${{ github.event.pull_request.head.repo.full_name }} | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| path: pr | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Determine pull request changed files | |
| if: github.event_name == 'pull_request_target' | |
| shell: bash | |
| env: | |
| BASE_REF: ${{ github.event.pull_request.base.ref }} | |
| run: | | |
| git -C pr remote add trusted-base "$GITHUB_SERVER_URL/${{ github.repository }}.git" | |
| git -C pr fetch --no-tags trusted-base "$BASE_REF" | |
| base="$(git -C pr rev-parse FETCH_HEAD)" | |
| git -C pr diff --name-only "$base"...HEAD > pr/.changed-files | |
| - name: Run trusted repo security checks | |
| if: github.event_name == 'pull_request_target' | |
| run: node .trusted-base/scripts/check-repo-security.mjs --root "$GITHUB_WORKSPACE/pr" --changed-files .changed-files | |
| - name: Checkout push content | |
| if: github.event_name == 'push' | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Determine push changed files | |
| if: github.event_name == 'push' | |
| shell: bash | |
| run: | | |
| if [[ -n "${{ github.event.before }}" && "${{ github.event.before }}" != "0000000000000000000000000000000000000000" ]]; then | |
| base="${{ github.event.before }}" | |
| else | |
| base="$(git rev-list --max-parents=0 HEAD)" | |
| fi | |
| git diff --name-only "$base"...HEAD > .changed-files | |
| - name: Run repo security checks | |
| if: github.event_name == 'push' | |
| run: node scripts/check-repo-security.mjs --changed-files .changed-files | |
| test: | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request' || github.event_name == 'push' | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 | |
| with: | |
| node-version: 20 | |
| - name: Enable pnpm | |
| run: | | |
| corepack enable | |
| corepack prepare pnpm@10.20.0 --activate | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Run tests | |
| run: pnpm test | |
| awesome-lint: | |
| name: awesome-lint | |
| runs-on: ubuntu-latest | |
| if: github.event_name != 'pull_request_target' | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 | |
| with: | |
| node-version: 20 | |
| - name: Enable pnpm | |
| run: | | |
| corepack enable | |
| corepack prepare pnpm@10.20.0 --activate | |
| - name: Checkout trusted base checks | |
| if: github.event_name == 'pull_request' | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| ref: ${{ github.event.pull_request.base.sha }} | |
| path: .trusted-base | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - name: Run trusted awesome-list checks | |
| if: github.event_name == 'pull_request' | |
| run: | | |
| node .trusted-base/scripts/check-awesome-list.mjs --root "$GITHUB_WORKSPACE" | |
| (cd .trusted-base && pnpm dlx awesome-lint@2.3.0 "$GITHUB_WORKSPACE/README.md") | |
| - name: Install dependencies | |
| if: github.event_name != 'pull_request' | |
| run: pnpm install --frozen-lockfile | |
| - name: Run awesome-list checks | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| pnpm run check:awesome-list | |
| pnpm run check:awesome-list:upstream |
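Review bot: The three "Determine push changed files" steps interpolate `${{ github.event.before }}` straight into the `run:` body, and the three "Determine pull request changed files" steps do the same with `${{ github.repository }}` in the `git remote add` line, while the neighbouring step already passes `BASE_REF` through `env:`. On a push to main both values come from trusted context, so the practical injection risk here looks low, but expression-in-script is exactly the pattern that gets copied into a later step with an attacker-controlled field, and passing them as `env:` keeps the file consistent with its own convention: `env:`, `BEFORE_SHA: ${{ github.event.before }}` and then `if [[ -n "$BEFORE_SHA" && "$BEFORE_SHA" != "0000000000000000000000000000000000000000" ]]; then`. Separately, the fallback `git rev-list --max-parents=0 HEAD` prints one line per root commit, so on a repository with several roots `base` would contain a newline and the following `git diff` would fail; `git rev-list --max-parents=0 HEAD | tail -n 1` avoids that, though whether this repository has more than one root cannot be told from the workflow. The `awesome-lint` job checks out the trusted base at `github.event.pull_request.base.sha` whereas every `pull_request_target` job uses `base.ref`; `base.sha` is fixed when the PR is opened and can lag the branch, so the two should probably be aligned, with a comment stating which behaviour is intended.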