ci: add pr labeler, security hardening

HumanSignal · Jul 25, 2022 · 3897c81 · 3897c81
1 parent ff2949b
commit 3897c81
Show file tree

Hide file tree

Showing 4 changed files with 104 additions and 3 deletions.
diff --git a/.github/autolabeler.yml b/.github/autolabeler.yml
@@ -0,0 +1,32 @@
+template: "Mandatory field" #https://github.com/release-drafter/release-drafter/blob/master/bin/generate-schema.js#L15
+autolabeler:
+  - label: 'breaking'
+    body:
+      - '/BREAKING CHANGE/i'
+  - label: 'fix'
+    title:
+      - '/^fix:/'
+  - label: 'feat'
+    title:
+      - '/^feat:/'
+  - label: 'docs'
+    title:
+      - '/^docs:/'
+  - label: 'chore'
+    title:
+      - '/^chore:/'
+  - label: 'ci'
+    title:
+      - '/^ci:/'
+  - label: 'perf'
+    title:
+      - '/^perf:/'
+  - label: 'refactor'
+    title:
+      - '/^refactor:/'
+  - label: 'style'
+    title:
+      - '/^style:/'
+  - label: 'test'
+    title:
+      - '/^test:/'
diff --git a/.github/pr-title-checker-config.json b/.github/pr-title-checker-config.json
@@ -0,0 +1,28 @@
+{
+  "LABEL": {
+    "name": "title needs formatting",
+    "color": "EEEEEE"
+  },
+  "CHECKS": {
+    "prefixes": [
+      "fix: ",
+      "feat: ",
+      "docs: ",
+      "chore: ",
+      "ci: ",
+      "perf: ",
+      "refactor: ",
+      "style: ",
+      "test: "
+    ],
+    "ignoreLabels": [
+      "skip-changelog",
+      "skip-ci"
+    ]
+  },
+  "MESSAGES": {
+    "success": "PR title is valid",
+    "failure": "PR title is invalid",
+    "notice": "Please read the doc: [Release versioning strategy](https://heartex.atlassian.net/l/c/brYSL9qf)"
+  }
+}
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
@@ -0,0 +1,35 @@
+name: "PR labeler"
+
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - reopened
+      - synchronize
+      - ready_for_review
+    branches:
+      - master
+      - 'release/**'
+
+jobs:
+  autolabel:
+    name: "PR label validator"
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: hmarr/[email protected]
+      - uses: thehanimo/[email protected]
+        name: "Validate PR's title"
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          pass_on_octokit_error: false
+          configuration_path: ".github/pr-title-checker-config.json"
+      - uses: release-drafter/[email protected]
+        name: "Set PR's label based on title"
+        with:
+          disable-releaser: true
+          config-name: autolabeler.yml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -8,9 +8,15 @@ on:
       - 'requirements**'
     tags-ignore:
       - '**'
-  pull_request_target:
-    types: [ opened, synchronize, reopened, ready_for_review ]
-    branches: [ '*', '*/*', master ]
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+    branches:
+      - master
+      - 'release/**'
 
 env:
   CACHE_NAME_PREFIX: v1