b5e1c3a8f5
* feat: Add GitHub Actions workflows for security audits, CodeQL analysis, contributor updates, performance benchmarks, integration tests, fuzz testing, and reusable Rust build jobs - Implemented `sec-audit.yml` for Rust package security audits using `rustsec/audit-check` and `cargo-deny-action`. - Created `sec-codeql.yml` for CodeQL analysis scheduled twice daily. - Added `sync-contributors.yml` to update the NOTICE file with new contributors automatically. - Introduced `test-benchmarks.yml` for performance benchmarks using Criterion. - Established `test-e2e.yml` for running integration and end-to-end tests. - Developed `test-fuzz.yml` for fuzz testing with configurable runtime. - Created `test-rust-build.yml` as a reusable job for executing Rust commands with customizable parameters. - Documented main branch delivery flows in `main-branch-flow.md` for clarity on CI/CD processes. * ci(workflows): update workflow scripts and rename for clarity; remove obsolete lint feedback script * chore(ci): externalize workflow scripts and relocate main flow doc * chore(ci): align workflow names with file naming style
74 lines
3.1 KiB
YAML
74 lines
3.1 KiB
YAML
name: PR Label Policy Check
|
|
|
|
on:
|
|
pull_request:
|
|
paths:
|
|
- ".github/label-policy.json"
|
|
- ".github/workflows/pr-labeler.yml"
|
|
- ".github/workflows/pr-auto-response.yml"
|
|
push:
|
|
paths:
|
|
- ".github/label-policy.json"
|
|
- ".github/workflows/pr-labeler.yml"
|
|
- ".github/workflows/pr-auto-response.yml"
|
|
|
|
concurrency:
|
|
group: pr-label-policy-check-${{ github.event.pull_request.number || github.sha }}
|
|
cancel-in-progress: true
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
contributor-tier-consistency:
|
|
runs-on: blacksmith-2vcpu-ubuntu-2404
|
|
timeout-minutes: 10
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
|
|
|
- name: Verify shared label policy and workflow wiring
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
python3 - <<'PY'
|
|
import json
|
|
import re
|
|
from pathlib import Path
|
|
|
|
policy_path = Path('.github/label-policy.json')
|
|
policy = json.loads(policy_path.read_text(encoding='utf-8'))
|
|
color = str(policy.get('contributor_tier_color', '')).upper()
|
|
rules = policy.get('contributor_tiers', [])
|
|
if not re.fullmatch(r'[0-9A-F]{6}', color):
|
|
raise SystemExit('invalid contributor_tier_color in .github/label-policy.json')
|
|
if not rules:
|
|
raise SystemExit('contributor_tiers must not be empty in .github/label-policy.json')
|
|
|
|
labels = set()
|
|
prev_min = None
|
|
for entry in rules:
|
|
label = str(entry.get('label', '')).strip().lower()
|
|
min_merged = int(entry.get('min_merged_prs', 0))
|
|
if not label.endswith('contributor'):
|
|
raise SystemExit(f'invalid contributor tier label: {label}')
|
|
if label in labels:
|
|
raise SystemExit(f'duplicate contributor tier label: {label}')
|
|
if prev_min is not None and min_merged > prev_min:
|
|
raise SystemExit('contributor_tiers must be sorted descending by min_merged_prs')
|
|
labels.add(label)
|
|
prev_min = min_merged
|
|
|
|
workflow_paths = [
|
|
Path('.github/workflows/pr-labeler.yml'),
|
|
Path('.github/workflows/pr-auto-response.yml'),
|
|
]
|
|
for workflow in workflow_paths:
|
|
text = workflow.read_text(encoding='utf-8')
|
|
if '.github/label-policy.json' not in text:
|
|
raise SystemExit(f'{workflow} must load .github/label-policy.json')
|
|
if re.search(r'contributorTierColor\s*=\s*"[0-9A-Fa-f]{6}"', text):
|
|
raise SystemExit(f'{workflow} contains hardcoded contributorTierColor')
|
|
|
|
print('label policy file is valid and workflow consumers are wired to shared policy')
|
|
PY
|