From 2f059f603962ebe5402414bac1958a242e4911fd Mon Sep 17 00:00:00 2001
From: Kegan Maher
Date: Fri, 6 Dec 2024 08:53:48 -0800
Subject: [PATCH 1/5] feat(github): enable dependabot for python, actions
---
 .github/dependabot.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..563c6a3
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,27 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/" # pyproject.toml
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    labels:
+      - "dependencies"
+  - package-ecosystem: "github-actions"
+    # Workflow files stored in the
+    # default location of `.github/workflows`
+    directory: "/"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    labels:
+      - "dependencies"
From 750bfcdb279a0c5a7d8e369f7e92aa625563ba89 Mon Sep 17 00:00:00 2001
From: Kegan Maher
Date: Fri, 6 Dec 2024 09:11:43 -0800
Subject: [PATCH 2/5] feat(ci): workflow adds dependabot PRs to project sets Effort=1, Status=In Review
---
 .github/workflows/dependency-triage.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 .github/workflows/dependency-triage.yml
diff --git a/.github/workflows/dependency-triage.yml b/.github/workflows/dependency-triage.yml
new file mode 100644
index 0000000..cf3f489
--- /dev/null
+++ b/.github/workflows/dependency-triage.yml
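Review bot: The `github-actions` entry only keeps actions current that are referenced by a version tag or a commit SHA; the workflows added later in this series use branch references (`actions/add-to-project@main`, `andymckay/labeler@master`), which this configuration gives Dependabot nothing to bump. Dependabot also maintains full-SHA pins (updating the SHA and its trailing version comment), so pinning the workflows to commit SHAs is compatible with this entry and is the form that actually protects the workflows' tokens from upstream tag moves. With `interval: "daily"` on both ecosystems and no `open-pull-requests-limit` or `groups`, each bump becomes its own PR that the triage workflow then files as "In review"; a `groups:` stanza per ecosystem would batch them. The four-line header comment is the stock template and its `help.github.com` link is the legacy address; pointing it at the current docs.github.com page for `dependabot.yml` options would save the next reader a redirect.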
@@ -0,0 +1,24 @@
+name: "Dependency PR triage"
+
+on:
+ pull_request:
+ types: [opened]
+
+jobs:
+ dependency-triage:
+ runs-on: ubuntu-latest
+ # see https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#responding-to-events
+ if: github.actor == 'dependabot[bot]' || github.actor == 'pre-commit-ci[bot]'
+ steps:
+ - uses: actions/add-to-project@main
+ with:
+ project-url: https://github.com/orgs/compiler/projects/${{ vars.GH_PROJECT }}
+ github-token: ${{ secrets.GH_PROJECTS_TOKEN }}
+
+ - uses: EndBug/project-fields@v2
+ with:
+ operation: set
+ fields: Effort,Status
+ values: 1,In review
+ project_url: https://github.com/orgs/compiler/projects/${{ vars.GH_PROJECT }}
+ github_token: ${{ secrets.GH_PROJECTS_TOKEN }}
From 08457837b8bbfac441376797db3ab669becad51c Mon Sep 17 00:00:00 2001
From: Kegan Maher
Date: Fri, 6 Dec 2024 09:19:26 -0800
Subject: [PATCH 3/5] feat(ci): label actions-related PRs
---
 .github/workflows/labeler-actions.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 .github/workflows/labeler-actions.yml
diff --git a/.github/workflows/labeler-actions.yml b/.github/workflows/labeler-actions.yml
new file mode 100644
index 0000000..ecc5cd7
--- /dev/null
+++ b/.github/workflows/labeler-actions.yml
@@ -0,0 +1,17 @@
+name: Label actions
+
+on:
+ pull_request:
+ types: [opened]
+ paths:
+ - ".github/dependabot.yml"
+ - ".github/workflows/**"
+
+jobs:
+ label-actions:
+ runs-on: ubuntu-latest
+ steps:
+ - name: add-label
+ uses: andymckay/labeler@master
+ with:
+ add-labels: "actions"
From c57b02c1bc55188982110e7b3198944bca2a0f02 Mon Sep 17 00:00:00 2001
From: Kegan Maher
Date: Fri, 6 Dec 2024 09:19:46 -0800
Subject: [PATCH 4/5] feat(ci): label docs-related PRs
---
 .github/workflows/labeler-docs.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 .github/workflows/labeler-docs.yml
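Review bot: Both steps read `secrets.GH_PROJECTS_TOKEN` inside a `pull_request` run that the `if:` restricts mostly to Dependabot-authored PRs, and for Dependabot-triggered `pull_request` runs the `secrets` context is populated from Dependabot secrets, not from the repository's Actions secrets (the docs page linked in the hunk's comment covers this); unless the token is also stored as a Dependabot secret, both steps authenticate with an empty value on exactly the PRs this workflow targets, so a comment such as `# GH_PROJECTS_TOKEN must exist as a Dependabot secret as well as an Actions secret` next to the `if:` would stop the next person from debugging that. `actions/add-to-project@main` tracks a branch, so the code that receives the project PAT can change without any review in this repository; pin it to a release tag or full commit SHA, e.g. `uses: actions/add-to-project@<full-sha-placeholder> # <version-placeholder>`. The value `In review` in `values: 1,In review` must match the project's Status option name exactly (the commit message spells it "In Review"); I cannot tell from here which casing the project uses, so worth confirming against the project board.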
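Review bot: The `label-actions` job declares no `permissions:` block, so it runs with the repository's default `GITHUB_TOKEN` grant although adding a label needs only `pull-requests: write`; the same applies to `labeler-docs.yml` in the next hunk. Add at job level `permissions:` / `  pull-requests: write` (and in both files pin `andymckay/labeler@master`, a branch ref, to a full commit SHA). Note also that a `pull_request` run triggered by a Dependabot PR gets a read-only `GITHUB_TOKEN`, and the `.github/workflows/**` path filter matches precisely the workflow-bump PRs Dependabot opens, so the label call is likely to be rejected there; for those PRs the `labels:` list under the `github-actions` entry in `.github/dependabot.yml` can add `actions` without a workflow at all.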
diff --git a/.github/workflows/labeler-docs.yml b/.github/workflows/labeler-docs.yml
new file mode 100644
index 0000000..8790501
--- /dev/null
+++ b/.github/workflows/labeler-docs.yml
@@ -0,0 +1,19 @@
+name: Label docs
+
+on:
+ pull_request:
+ branches: [main]
+ types: [opened]
+ paths:
+ - "docs/**"
+ - "mkdocs.yml"
+ - ".github/workflows/mkdocs.yml"
+
+jobs:
+ label-docs:
+ runs-on: ubuntu-latest
+ steps:
+ - name: add-label
+ uses: andymckay/labeler@master
+ with:
+ add-labels: "documentation"
From 8c5f85d2c0634601f32d762df984f5febcb12b0c Mon Sep 17 00:00:00 2001
From: Kegan Maher
Date: Fri, 6 Dec 2024 09:23:21 -0800
Subject: [PATCH 5/5] feat(ci): CodeQL workflow - runs on push, PR, schedule - checks JS and Python when included in changes
---
 .github/workflows/codeql.yml | 67 ++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..1eb315e
--- /dev/null
+++ b/.github/workflows/codeql.yml
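Review bot: The trigger here carries `branches: [main]` while the otherwise identical `labeler-actions.yml` does not, so docs PRs against other branches go unlabelled but actions PRs do not; if that asymmetry is deliberate, say so in a comment above `branches:`, otherwise make the two files agree by adding or dropping the line in one of them. A PR that touches `.github/workflows/mkdocs.yml` matches this file's path list and the `.github/workflows/**` glob in the actions labeler, so it receives both `documentation` and `actions`; that is probably intended, but a one-line comment on the `.github/workflows/mkdocs.yml` entry would make it explicit.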
@@ -0,0 +1,67 @@
+# https://codeql.github.com/
+name: CodeQL
+
+on:
+ push:
+ paths:
+ - "**.js"
+ - "**.py"
+ pull_request:
+ branches: [main]
+ paths:
+ - "**.js"
+ - "**.py"
+ schedule:
+ - cron: "24 9 * * 6"
+
+jobs:
+ setup:
+ name: Set up CodeQL analysis
+ runs-on: ubuntu-latest
+ # Required permissions
+ permissions:
+ pull-requests: read
+ outputs:
+ # changes is a JSON array with names of all filters matching any of the changed files
+ languages: ${{ steps.filter.outputs.changes }}
+ steps:
+ - uses: actions/checkout@v4
+ - uses: dorny/paths-filter@v3
+ id: filter
+ with:
+ filters: |
+ javascript: "**.js"
+ python: "**.py"
+
+ codeql:
+ name: CodeQL Analyze
+ runs-on: ubuntu-latest
+ needs: setup
+ if: ${{ needs.setup.outputs.languages != '[]' }}
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ # Parse JSON array containing names of all filters matching any of changed files
+ # e.g. ['javascript', 'python'] if both file types had changes
+ language: ${{ fromJSON(needs.setup.outputs.languages) }}
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ # https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-configuration-details-using-the-config-input
+ config: |
+ paths-ignore:
+ - tests
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
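Review bot: The weekly `schedule` run passes through the same `dorny/paths-filter` gate as pushes and PRs, but a scheduled run has no push or PR diff to filter, so `languages` is likely to be `[]` (or to reflect only whatever the action compares against its default `base`) and the `codeql` job is skipped by the `if:` — which defeats the point of the cron, rescanning unchanged code against updated queries. Bypass the filter on schedule with `if: ${{ github.event_name == 'schedule' || needs.setup.outputs.languages != '[]' }}` and `language: ${{ github.event_name == 'schedule' && fromJSON('["javascript", "python"]') || fromJSON(needs.setup.outputs.languages) }}`, keeping the literal list in step with the `filters:` block. Separately, the `setup` job's `permissions:` lists only `pull-requests: read`, which sets every other scope including `contents` to `none`; that is fine for a public repository, but on a private one `actions/checkout@v4` can no longer clone, so adding `contents: read` there is the safer form and the `# Required permissions` comment should say what each grant is for.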