|
| 1 | +name: PR Compliance Checks |
| 2 | + |
| 3 | +on: |
| 4 | + pull_request: |
| 5 | + types: [opened, synchronize, reopened, ready_for_review] |
| 6 | + branches: [main] |
| 7 | + workflow_dispatch: |
| 8 | + |
| 9 | +concurrency: |
| 10 | + group: ${{ github.workflow }}-${{ github.ref }} |
| 11 | + cancel-in-progress: true |
| 12 | + |
| 13 | +jobs: |
| 14 | + conventional-commits: |
| 15 | + name: Validate Conventional Commits (Warning Only) |
| 16 | + runs-on: ubuntu-latest |
| 17 | + if: ${{ !github.event.pull_request.draft }} |
| 18 | + continue-on-error: true |
| 19 | + permissions: |
| 20 | + pull-requests: write |
| 21 | + issues: write |
| 22 | + contents: read |
| 23 | + steps: |
| 24 | + - name: Checkout code |
| 25 | + uses: actions/checkout@v4 |
| 26 | + with: |
| 27 | + fetch-depth: 0 |
| 28 | + |
| 29 | + - name: Validate conventional commits |
| 30 | + id: commitlint |
| 31 | + uses: wagoid/commitlint-github-action@v6 |
| 32 | + with: |
| 33 | + configFile: .commitlintrc.warning.json |
| 34 | + continue-on-error: true |
| 35 | + |
| 36 | + - name: Add commit message guidance comment |
| 37 | + if: steps.commitlint.outcome == 'failure' |
| 38 | + uses: actions/github-script@v7 |
| 39 | + with: |
| 40 | + script: | |
| 41 | + const { data: comments } = await github.rest.issues.listComments({ |
| 42 | + owner: context.repo.owner, |
| 43 | + repo: context.repo.repo, |
| 44 | + issue_number: context.issue.number, |
| 45 | + }); |
| 46 | +
|
| 47 | + const botComment = comments.find(comment => |
| 48 | + comment.user.type === 'Bot' && |
| 49 | + comment.body.includes('Conventional Commit Format') |
| 50 | + ); |
| 51 | +
|
| 52 | + if (!botComment) { |
| 53 | + await github.rest.issues.createComment({ |
| 54 | + owner: context.repo.owner, |
| 55 | + repo: context.repo.repo, |
| 56 | + issue_number: context.issue.number, |
| 57 | + body: [ |
| 58 | + "## ⚠️ Conventional Commit Format", |
| 59 | + "", |
| 60 | + "Your commit messages don't follow the conventional commit format, but **this won't block your PR from being merged**. We recommend downloading [this extension](https://marketplace.visualstudio.com/items?itemName=vivaxy.vscode-conventional-commits) if you are using VS Code.", |
| 61 | + "", |
| 62 | + "### Expected Format:", |
| 63 | + "```", |
| 64 | + "<type>[optional scope]: <description>", |
| 65 | + "", |
| 66 | + "[optional body]", |
| 67 | + "", |
| 68 | + "[optional footer(s)]", |
| 69 | + "```", |
| 70 | + "", |
| 71 | + "### Examples:", |
| 72 | + "- `feat: add changelog generation support`", |
| 73 | + "- `fix: resolve login redirect issue`", |
| 74 | + "- `docs: update README with new instructions`", |
| 75 | + "- `chore: update dependencies`", |
| 76 | + "", |
| 77 | + "### Valid Types:", |
| 78 | + "`feat`, `fix`, `docs`, `style`, `refactor`, `perf`, `test`, `build`, `ci`, `chore`, `revert`", |
| 79 | + "", |
| 80 | + "This helps with:", |
| 81 | + "- 📝 Automatic changelog generation", |
| 82 | + "- 🚀 Automated semantic versioning", |
| 83 | + "- 📊 Better project history tracking", |
| 84 | + "", |
| 85 | + "*This is a non-blocking warning - your PR can still be merged without fixing this.*" |
| 86 | + ].join('\n') |
| 87 | + }); |
| 88 | + } |
| 89 | +
|
| 90 | + security-audit: |
| 91 | + name: Security Audit |
| 92 | + runs-on: ubuntu-latest |
| 93 | + if: ${{ !github.event.pull_request.draft }} |
| 94 | + permissions: |
| 95 | + security-events: write |
| 96 | + contents: read |
| 97 | + steps: |
| 98 | + - name: Checkout code |
| 99 | + uses: actions/checkout@v4 |
| 100 | + |
| 101 | + - name: Setup Node.js |
| 102 | + uses: actions/setup-node@v4 |
| 103 | + with: |
| 104 | + node-version-file: ".nvmrc" |
| 105 | + cache: "npm" |
| 106 | + |
| 107 | + - name: Install dependencies |
| 108 | + run: npm ci |
| 109 | + |
| 110 | + - name: Fix vulnerabilities |
| 111 | + run: npm audit fix |
| 112 | + |
| 113 | + - name: Run npm audit |
| 114 | + run: npm audit --audit-level=moderate |
| 115 | + |
| 116 | + - name: Initialize CodeQL |
| 117 | + uses: github/codeql-action/init@v3 |
| 118 | + with: |
| 119 | + languages: javascript |
| 120 | + |
| 121 | + - name: Perform CodeQL Analysis |
| 122 | + uses: github/codeql-action/analyze@v3 |
| 123 | + |
| 124 | + # Use this for any files that we want to be certain exist |
| 125 | + # Basically creates a forcing function to discuss were anyone to want to remove them |
| 126 | + file-validation: |
| 127 | + name: Required Files Check |
| 128 | + runs-on: ubuntu-latest |
| 129 | + if: ${{ !github.event.pull_request.draft }} |
| 130 | + steps: |
| 131 | + - name: Checkout code |
| 132 | + uses: actions/checkout@v4 |
| 133 | + |
| 134 | + - name: Check required files |
| 135 | + run: | |
| 136 | + required_files=( |
| 137 | + "package.json" |
| 138 | + "package-lock.json" |
| 139 | + "README.md" |
| 140 | + "LICENSE" |
| 141 | + ".gitignore" |
| 142 | + "tsconfig.json" |
| 143 | + "SECURITY.md" |
| 144 | + "CONTRIBUTING.md" |
| 145 | + ".nvmrc" |
| 146 | + ".prettierrc" |
| 147 | + ".prettierignore" |
| 148 | + ) |
| 149 | +
|
| 150 | + missing_files=() |
| 151 | + for file in "${required_files[@]}"; do |
| 152 | + if [[ ! -f "$file" ]]; then |
| 153 | + missing_files+=("$file") |
| 154 | + fi |
| 155 | + done |
| 156 | +
|
| 157 | + if [[ ${#missing_files[@]} -gt 0 ]]; then |
| 158 | + echo "❌ Missing required files:" |
| 159 | + printf '%s\n' "${missing_files[@]}" |
| 160 | + exit 1 |
| 161 | + else |
| 162 | + echo "✅ All required files present" |
| 163 | + fi |
| 164 | +
|
| 165 | + compliance-summary: |
| 166 | + name: Compliance Summary |
| 167 | + runs-on: ubuntu-latest |
| 168 | + needs: [conventional-commits, security-audit, file-validation] |
| 169 | + if: always() && !github.event.pull_request.draft |
| 170 | + steps: |
| 171 | + - name: Check compliance status |
| 172 | + run: | |
| 173 | + echo "## 🔍 Compliance Check Results" >> $GITHUB_STEP_SUMMARY |
| 174 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 175 | +
|
| 176 | + if [[ "${{ needs.conventional-commits.result }}" == "success" ]]; then |
| 177 | + echo "✅ Conventional Commits: PASSED" >> $GITHUB_STEP_SUMMARY |
| 178 | + elif [[ "${{ needs.conventional-commits.result }}" == "failure" ]]; then |
| 179 | + echo "⚠️ Conventional Commits: WARNING (non-blocking)" >> $GITHUB_STEP_SUMMARY |
| 180 | + else |
| 181 | + echo "❌ Conventional Commits: SKIPPED" >> $GITHUB_STEP_SUMMARY |
| 182 | + fi |
| 183 | +
|
| 184 | + if [[ "${{ needs.security-audit.result }}" == "success" ]]; then |
| 185 | + echo "✅ Security Audit: PASSED" >> $GITHUB_STEP_SUMMARY |
| 186 | + else |
| 187 | + echo "❌ Security Audit: FAILED" >> $GITHUB_STEP_SUMMARY |
| 188 | + fi |
| 189 | +
|
| 190 | + if [[ "${{ needs.file-validation.result }}" == "success" ]]; then |
| 191 | + echo "✅ File Validation: PASSED" >> $GITHUB_STEP_SUMMARY |
| 192 | + else |
| 193 | + echo "❌ File Validation: FAILED" >> $GITHUB_STEP_SUMMARY |
| 194 | + fi |
| 195 | +
|
| 196 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 197 | + echo "📊 **Overall Status**: ${{ job.status }}" >> $GITHUB_STEP_SUMMARY |
0 commit comments