
Deploy centralized organization stale bot#48

Open
ChrisGe4 wants to merge 10 commits into google-github-actions:main from ChrisGe4:main

Conversation


@ChrisGe4 ChrisGe4 commented Apr 10, 2026

  • Deploy a centralized multi-repository stale bot utilizing GitHub's official actions/stale within a dynamic matrix workflow.

  • To prevent individual repositories from bypassing security standards, enforce
    Actionlint and Scorecard centrally using a GitHub Organization Ruleset.

@ChrisGe4 ChrisGe4 assigned verbanicm and unassigned verbanicm Apr 10, 2026

@@ -0,0 +1,101 @@
name: 'Centralized Organization Stale Bot'
Member

@ChrisGe4 can you add a default permissions block here? I don't think you're using the GitHub token, so permissions: {} should work, I think?

Author

Done


permissions:
contents: read
security-events: write
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
steps:
- uses: actions/checkout@v4
- name: 'Run actionlint with reviewdog'
uses: reviewdog/action-actionlint@v1.7.2
}

- name: 'Run official stale bot'
uses: actions/stale@v9
analyze:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: 'Run Scorecard'
uses: ossf/scorecard-action@v2.4.3
results_format: 'sarif'
publish_results: false
- name: 'Upload to GitHub Security Tab'
uses: github/codeql-action/upload-sarif@v4.35.1
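Review bot: the checkout step in the lint job (the actions/checkout@v4 line directly under lint: / steps:) does not set persist-credentials: false, while the checkout in the analyze job does; actionlint only needs to read the tree, so add with: persist-credentials: false there as well so the GITHUB_TOKEN is not left in the checked-out repository's git config. Separately, the top-level permissions: block grants security-events: write to every job in the file, but only the upload-sarif step in analyze needs it; keeping contents: read at the top level and moving security-events: write to a job-level permissions: block on analyze would follow least privilege.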
Member

Can you run https://github.com/sethvargo/ratchet over these files? It will pin the actions to a SHA for security, based on the current version.

Author

Done
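A check for the two review points above (every third-party uses: ref pinned to a full commit SHA, and an explicit top-level permissions: block), written as an added example for this thread rather than code from the PR or from ratchet; the sample workflow and its 40-hex SHA are constructed placeholders.

```python
import re

# A "uses:" step line: captures the action path and the ref after "@".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)@([^'\"\s#]+)")
# A full 40-hex commit SHA, the form ratchet pins actions to.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not from the PR); the scorecard SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: 'Scorecard'
on:
  schedule:
    - cron: '0 3 * * 1'
permissions:
  contents: read
  security-events: write
jobs:
  analyze:
    runs-on: 'ubuntu-latest'
    steps:
      - uses: 'actions/checkout@v4'
        with:
          persist-credentials: false
      - uses: 'ossf/scorecard-action@0123456789abcdef0123456789abcdef01234567'  # placeholder SHA
"""


def find_unpinned_actions(workflow_text):
    """Return (action, ref) pairs whose ref is a tag or branch rather than a full commit SHA.

    docker:// images are skipped: they are pinned with a digest, not a git SHA."""
    unpinned = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("docker://"):
            continue
        if not SHA_RE.match(m.group(2)):
            unpinned.append((m.group(1), m.group(2)))
    return unpinned


def has_top_level_permissions(workflow_text):
    """True if a column-0 permissions: key is declared, so GITHUB_TOKEN does not
    silently inherit the repository's default permissions."""
    return any(re.match(r"^permissions:", line) for line in workflow_text.splitlines())


def audit(workflow_text):
    """Combine both checks into a list of findings; an empty list means clean."""
    findings = [f"unpinned action: {a}@{r}" for a, r in find_unpinned_actions(workflow_text)]
    if not has_top_level_permissions(workflow_text):
        findings.append("no top-level permissions: block (GITHUB_TOKEN gets the repository default)")
    return findings
```

Run audit() over each file under .github/workflows before merging; a tag such as @v4 resolves to whatever commit the tag points at on the day the job runs, which is exactly what SHA pinning removes.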

Member

Also, as discussed offline, can you ensure all YAML values are quoted? See https://github.com/abcxyz/guardian/blob/main/.github/workflows/build.yml for an example.

Author

Done
