From ad3e782536599445e9ed066987f26b09981ed063 Mon Sep 17 00:00:00 2001 From: Mehmet Samet Duman Date: Thu, 2 Apr 2026 21:10:55 +0300 Subject: NOISSUE Update GitHub workflows for fuzzing, dependency review, labeling, and stale issue management Signed-off-by: Mehmet Samet Duman --- .github/workflows/cmark-fuzz.yml | 23 ++++++++-- .github/workflows/json4cpp-dependency-review.yml | 23 ---------- .github/workflows/json4cpp-fuzz.yml | 18 ++++++-- .github/workflows/json4cpp-labeler.yml | 26 ----------- .github/workflows/json4cpp-scorecards.yml | 56 ------------------------ .github/workflows/json4cpp-stale.yml | 35 --------------- .github/workflows/neozip-fuzz.yml | 21 +++++---- .github/workflows/repo-dependency-review.yml | 24 ++++++++++ .github/workflows/repo-labeler.yml | 25 +++++++++++ .github/workflows/repo-scorecards.yml | 54 +++++++++++++++++++++++ .github/workflows/repo-stale.yml | 35 +++++++++++++++ .github/workflows/tomlplusplus-fuzz.yml | 20 ++++++--- .github/workflows/uvim-label.yml | 15 ------- 13 files changed, 198 insertions(+), 177 deletions(-) delete mode 100644 .github/workflows/json4cpp-dependency-review.yml delete mode 100644 .github/workflows/json4cpp-labeler.yml delete mode 100644 .github/workflows/json4cpp-scorecards.yml delete mode 100644 .github/workflows/json4cpp-stale.yml create mode 100644 .github/workflows/repo-dependency-review.yml create mode 100644 .github/workflows/repo-labeler.yml create mode 100644 .github/workflows/repo-scorecards.yml create mode 100644 .github/workflows/repo-stale.yml delete mode 100644 .github/workflows/uvim-label.yml diff --git a/.github/workflows/cmark-fuzz.yml b/.github/workflows/cmark-fuzz.yml index fd999ca929..28f14b8244 100644 --- a/.github/workflows/cmark-fuzz.yml +++ b/.github/workflows/cmark-fuzz.yml 
@@ -1,17 +1,32 @@ name: "cmark: Fuzz" on: + push: + branches: [master] + paths: + - 'cmark/**' + - '.github/workflows/cmark-fuzz.yml' pull_request: paths: - 'cmark/**' - '.github/workflows/cmark-fuzz.yml' + workflow_dispatch: + +concurrency: + group: cmark-fuzz-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read jobs: - Fuzzing: + fuzzing: + name: Fuzzing runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 - name: Build Fuzzers + id: build uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master with: oss-fuzz-project-name: 'cmark' @@ -23,8 +38,8 @@ jobs: fuzz-seconds: 600 dry-run: false - name: Upload Crash - uses: actions/upload-artifact@v7 - if: failure() + uses: actions/upload-artifact@v4 + if: failure() && steps.build.outcome == 'success' with: - name: artifacts + name: cmark-fuzz-artifacts path: ./out/artifacts diff --git a/.github/workflows/json4cpp-dependency-review.yml b/.github/workflows/json4cpp-dependency-review.yml deleted file mode 100644 index 42b6cc2b8c..0000000000 --- a/.github/workflows/json4cpp-dependency-review.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: "json4cpp: Dependency Review" - -on: - pull_request: - paths: - - 'json4cpp/**' - -permissions: - contents: read - -jobs: - dependency-review: - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 - with: - egress-policy: audit - - - name: Checkout Repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Dependency Review - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 diff --git a/.github/workflows/json4cpp-fuzz.yml b/.github/workflows/json4cpp-fuzz.yml index 78805aa597..893435c953 100644 --- a/.github/workflows/json4cpp-fuzz.yml +++ b/.github/workflows/json4cpp-fuzz.yml 
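Review bot: `actions/checkout@v6` and `google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master` in the renamed `fuzzing` job are still referenced by a mutable tag and a branch, while `json4cpp-fuzz.yml` in this same commit pins its actions to a commit SHA with a version comment. The `repo-scorecards.yml` this commit adds will flag these under Pinned-Dependencies, so the inconsistency will surface on the first scheduled run. Pin the checkout to the SHA already used elsewhere in the commit, `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`; the CIFuzz `@master` reference is presumably following the OSS-Fuzz docs, and if it stays a one-line comment saying the branch reference is intentional would stop every future reviewer re-raising it. The steps between Build Fuzzers and Upload Crash are outside the hunk.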
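Review bot: The Upload Crash step is moved from `actions/upload-artifact@v7` down to `@v4` with no explanation, while `json4cpp-fuzz.yml` in the same commit keeps `actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0`. If v4 is required here for some compatibility reason, record it above the step, e.g. `# upload-artifact pinned to v4 deliberately: <reason>`; otherwise use the SHA-pinned v7.0.0 reference so the fuzz workflows upload crash artifacts the same way and the version is immutable. The added `steps.build.outcome == 'success'` guard is an improvement: it stops a build failure from running the upload against a `./out/artifacts` directory that was never produced.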
@@ -1,15 +1,27 @@ -name: "json4cpp: CIFuzz" +name: "json4cpp: Fuzz" on: + push: + branches: [master, develop] + paths: + - 'json4cpp/**' + - '.github/workflows/json4cpp-fuzz.yml' pull_request: paths: - 'json4cpp/**' + - '.github/workflows/json4cpp-fuzz.yml' + workflow_dispatch: + +concurrency: + group: json4cpp-fuzz-${{ github.ref }} + cancel-in-progress: true permissions: contents: read jobs: - Fuzzing: + fuzzing: + name: Fuzzing runs-on: ubuntu-22.04 steps: - name: Harden Runner @@ -35,5 +47,5 @@ jobs: uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 if: failure() && steps.build.outcome == 'success' with: - name: artifacts + name: json4cpp-fuzz-artifacts path: ./out/artifacts diff --git a/.github/workflows/json4cpp-labeler.yml b/.github/workflows/json4cpp-labeler.yml deleted file mode 100644 index 2448a6a1ae..0000000000 --- a/.github/workflows/json4cpp-labeler.yml +++ /dev/null @@ -1,26 +0,0 @@ -name: "json4cpp: Pull Request Labeler" - -on: - pull_request_target: - types: [opened, synchronize] - -permissions: - contents: read - -jobs: - label: - permissions: - contents: read - pull-requests: write - - runs-on: ubuntu-latest - - steps: - - name: Harden Runner - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 - with: - egress-policy: audit - - - uses: srvaroa/labeler@e8fbb2561481ef6e711a770f0234e9379dc76892 # master - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/json4cpp-scorecards.yml b/.github/workflows/json4cpp-scorecards.yml deleted file mode 100644 index f8a6a10f46..0000000000 --- a/.github/workflows/json4cpp-scorecards.yml +++ /dev/null 
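Review bot: `cancel-in-progress: true` in the new `concurrency` block also applies to the `push` runs on `master` and `develop` that this hunk adds, so two quick pushes to a protected branch cancel a fuzz run that might have been about to hit a crash, and the cancelled run leaves no artifact behind. Cancelling superseded runs is the right call for pull requests, but on branch pushes it silently drops fuzzing coverage; restrict it with `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The same block is repeated in `cmark-fuzz.yml`, `neozip-fuzz.yml` and `tomlplusplus-fuzz.yml` in this commit and would want the same change. The job's steps after Harden Runner are outside the hunk.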
@@ -1,56 +0,0 @@ -name: "json4cpp: Scorecard supply-chain security" - -on: - branch_protection_rule: - schedule: - - cron: '20 7 * * 2' - push: - branches: ["develop"] - paths: - - 'json4cpp/**' - -permissions: - contents: read - -jobs: - analysis: - name: Scorecard analysis - runs-on: ubuntu-latest - permissions: - security-events: write - id-token: write - contents: read - actions: read - issues: read - pull-requests: read - checks: read - - steps: - - name: Harden Runner - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 - with: - egress-policy: audit - - - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - - name: Run analysis - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 - with: - results_file: results.sarif - results_format: sarif - publish_results: true - - - name: Upload artifact - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 - with: - name: SARIF file - path: results.sarif - retention-days: 5 - - - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 - with: - sarif_file: results.sarif diff --git a/.github/workflows/json4cpp-stale.yml b/.github/workflows/json4cpp-stale.yml deleted file mode 100644 index 6a061eed3c..0000000000 --- a/.github/workflows/json4cpp-stale.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -name: "json4cpp: Comment and close stale issues and PR" - -on: - schedule: - - cron: '0 0 * * *' - -permissions: - contents: read - -jobs: - stale: - runs-on: ubuntu-latest - - permissions: - issues: write - pull-requests: write - - steps: - - name: Harden Runner - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 - with: - egress-policy: audit - - - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0 - with: - stale-issue-label: 'state: stale' - stale-pr-label: 'state: stale' - exempt-issue-labels: 'pinned,security' - stale-issue-message: 'This issue has been marked as stale because it has been open for 90 days without activity. If this issue is still relevant, please add a comment or remove the "stale" label. Otherwise, it will be closed in 10 days. Thank you for helping us prioritize our work!' - stale-pr-message: 'This pull request has been marked as stale because it has had no activity for 30 days. While we won''t close it automatically, we encourage you to update or comment if it is still relevant. Keeping pull requests active and up-to-date helps us review and merge changes more efficiently. Thank you for your contributions!' - close-issue-message: 'This issue has been closed after being marked as stale for 10 days without any further activity. If this was done in error or the issue is still relevant, please feel free to reopen it or create a new issue. We appreciate your understanding and contributions.' - days-before-stale: 90 - days-before-pr-stale: 30 - days-before-close: 10 - days-before-pr-close: -1 diff --git a/.github/workflows/neozip-fuzz.yml b/.github/workflows/neozip-fuzz.yml index 3e63443cea..59b74debab 100644 --- a/.github/workflows/neozip-fuzz.yml +++ b/.github/workflows/neozip-fuzz.yml 
@@ -1,28 +1,31 @@ name: "neozip: Fuzz" on: - pull_request: + push: + branches: [master, develop] paths: - 'neozip/**' - '.github/workflows/neozip-fuzz.yml' - workflow_dispatch: - push: - branches: - - master - - develop + pull_request: paths: - 'neozip/**' + - '.github/workflows/neozip-fuzz.yml' + workflow_dispatch: concurrency: group: neozip-fuzz-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: fuzzing: name: Fuzzing runs-on: ubuntu-latest steps: - name: Build Fuzzers + id: build uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master with: oss-fuzz-project-name: 'zlib-ng' @@ -36,8 +39,8 @@ jobs: dry-run: false - name: Upload Crash - uses: actions/upload-artifact@v7 - if: failure() + uses: actions/upload-artifact@v4 + if: failure() && steps.build.outcome == 'success' with: - name: artifacts + name: neozip-fuzz-artifacts path: ./out/artifacts diff --git a/.github/workflows/repo-dependency-review.yml b/.github/workflows/repo-dependency-review.yml new file mode 100644 index 0000000000..469ecfbdfb --- /dev/null +++ b/.github/workflows/repo-dependency-review.yml @@ -0,0 +1,24 @@ +name: "Dependency Review" + +# Scans dependency manifest changes in every pull request. +# Blocks merging of PRs that introduce known-vulnerable packages. +on: + pull_request: + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - name: Checkout Repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Dependency Review + uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 diff --git a/.github/workflows/repo-labeler.yml b/.github/workflows/repo-labeler.yml new file mode 100644 index 0000000000..3d5e84a94a --- /dev/null +++ b/.github/workflows/repo-labeler.yml 
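Review bot: `oss-fuzz-project-name: 'zlib-ng'` in a workflow that is triggered by `neozip/**` and uploads `neozip-fuzz-artifacts` is a pairing the file does not explain; presumably `neozip` tracks the zlib-ng OSS-Fuzz project, but a reader cannot tell, and the next person renaming this file may "fix" it. Add a comment above the `with:` block such as `# neozip is fuzzed against the upstream zlib-ng OSS-Fuzz project definition; keep the project name in sync with it`, adjusted to the actual relationship. Unlike `cmark-fuzz.yml`, no `actions/checkout` step is visible before Build Fuzzers here; if the CIFuzz build action fetches the source itself, saying so in a comment saves the same question next time. The steps between `id: build` and Upload Crash are outside the hunk.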
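Review bot: The header comment `# Blocks merging of PRs that introduce known-vulnerable packages.` overstates what this file does: `dependency-review-action` only fails this check, and merging is blocked only once the `dependency-review` check is made required in branch protection, which no workflow can configure. Reword it to `# Fails the check for PRs that introduce known-vulnerable packages; make this check required in branch protection to actually block merging.` so nobody assumes the gate exists. The action also runs with its default severity threshold; making the policy explicit, e.g. `with:` / `fail-on-severity: moderate`, keeps it reviewable in the file rather than dependent on the action's default. For consistency with `repo-scorecards.yml` in this commit the checkout step could set `persist-credentials: false`; the token here is read-only, so that is hygiene rather than a hole.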
@@ -0,0 +1,25 @@ +name: "Labeler" + +on: + pull_request_target: + types: [opened, synchronize, reopened] + +permissions: + contents: read + +jobs: + label: + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + + steps: + - name: Harden Runner + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - uses: actions/labeler@v6 + with: + repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/repo-scorecards.yml b/.github/workflows/repo-scorecards.yml new file mode 100644 index 0000000000..06291bb004 --- /dev/null +++ b/.github/workflows/repo-scorecards.yml @@ -0,0 +1,54 @@ +name: "Scorecard supply-chain security" + +on: + branch_protection_rule: + schedule: + - cron: '20 7 * * 2' + push: + branches: [master, main, develop] + +permissions: + contents: read + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + contents: read + actions: read + issues: read + pull-requests: read + checks: read + + steps: + - name: Harden Runner + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - name: Checkout code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run analysis + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + - name: Upload artifact + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + - name: Upload to code-scanning + uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + with: + sarif_file: results.sarif 
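Review bot: `actions/labeler@v6` is the only third-party action in this file referenced by a mutable tag, and this is the workflow where that matters most: `pull_request_target` runs in the base-repository context with `pull-requests: write`, so a compromised or force-moved `v6` tag executes with a token that can edit every pull request in the repo. Pin it to a commit SHA with a version comment, in the same `uses: owner/repo@<sha> # vX.Y.Z` form already used for `harden-runner` a few lines above. The workflow otherwise avoids the classic `pull_request_target` pitfall, since it never checks out the PR head and so runs no untrusted code. It replaces the `srvaroa/labeler` from the deleted `json4cpp-labeler.yml`; `actions/labeler` reads `.github/labeler.yml` by default with its own configuration format, which is not part of this diff, so confirm that file exists before the first PR hits it.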
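Review bot: The `develop` entry in `push: branches: [master, main, develop]` is worth a second look: `publish_results: true` is documented for default-branch runs, and as far as I recall the action refuses to publish from a non-default branch push, so the `develop` runs will at best upload SARIF and at worst fail on the publish step; verify on the first `develop` push before relying on it. If it turns out to be a no-op or a failing run, drop `develop` and rely on the weekly `schedule` plus `master` pushes, or gate publishing with `publish_results: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}`. `main` is harmless if the branch does not exist. The rest of the file (SHA-pinned actions, `persist-credentials: false`, scoped job permissions) is the shape Scorecard itself recommends.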
diff --git a/.github/workflows/repo-stale.yml b/.github/workflows/repo-stale.yml new file mode 100644 index 0000000000..9919ce314a --- /dev/null +++ b/.github/workflows/repo-stale.yml @@ -0,0 +1,35 @@ +name: "Stale: Comment and close stale issues and PRs" + +on: + schedule: + - cron: '0 0 * * *' + +permissions: + contents: read + +jobs: + stale: + runs-on: ubuntu-latest + + permissions: + issues: write + pull-requests: write + + steps: + - name: Harden Runner + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0 + with: + stale-issue-label: 'state: stale' + stale-pr-label: 'state: stale' + exempt-issue-labels: 'pinned,security' + stale-issue-message: 'This issue has been marked as stale because it has been open for 90 days without activity. If this issue is still relevant, please add a comment or remove the "stale" label. Otherwise, it will be closed in 10 days. Thank you for helping us prioritize our work!' + stale-pr-message: 'This pull request has been marked as stale because it has had no activity for 30 days. While we won''t close it automatically, we encourage you to update or comment if it is still relevant. Keeping pull requests active and up-to-date helps us review and merge changes more efficiently. Thank you for your contributions!' + close-issue-message: 'This issue has been closed after being marked as stale for 10 days without any further activity. If this was done in error or the issue is still relevant, please feel free to reopen it or create a new issue. We appreciate your understanding and contributions.' + days-before-stale: 90 + days-before-pr-stale: 30 + days-before-close: 10 + days-before-pr-close: -1 diff --git a/.github/workflows/tomlplusplus-fuzz.yml b/.github/workflows/tomlplusplus-fuzz.yml index 0ead0d2974..7d346a172c 100644 --- a/.github/workflows/tomlplusplus-fuzz.yml 
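Review bot: The workflow name `Stale: Comment and close stale issues and PRs` promises closing pull requests, but `days-before-pr-close: -1` means PRs are only labeled and never closed, which the `stale-pr-message` itself says; rename to `name: "Stale: Comment on stale issues and PRs, close stale issues"` so the Actions tab matches the behavior. `exempt-issue-labels: 'pinned,security'` has no PR counterpart, so a pull request carrying the `security` label is still marked stale after 30 days; add `exempt-pr-labels: 'pinned,security'` for symmetry. The file is otherwise the deleted `json4cpp-stale.yml` with the scope widened to the whole repository, which is fine given the per-project copies were identical.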
+++ b/.github/workflows/tomlplusplus-fuzz.yml @@ -1,19 +1,27 @@ -name: "tomlplusplus: CIFuzz" +name: "tomlplusplus: Fuzz" on: push: - branches: - - master + branches: [master] paths: - 'tomlplusplus/**' + - '.github/workflows/tomlplusplus-fuzz.yml' pull_request: paths: - 'tomlplusplus/**' + - '.github/workflows/tomlplusplus-fuzz.yml' + workflow_dispatch: -permissions: {} +concurrency: + group: tomlplusplus-fuzz-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read jobs: - Fuzzing: + fuzzing: + name: Fuzzing runs-on: ubuntu-latest permissions: security-events: write @@ -35,7 +43,7 @@ jobs: uses: actions/upload-artifact@v4 if: failure() && steps.build.outcome == 'success' with: - name: artifacts + name: tomlplusplus-fuzz-artifacts path: ./out/artifacts - name: Upload Sarif if: always() && steps.build.outcome == 'success' diff --git a/.github/workflows/uvim-label.yml b/.github/workflows/uvim-label.yml deleted file mode 100644 index 30dbfe5c2e..0000000000 --- a/.github/workflows/uvim-label.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: "uvim: Labeler" - -on: [pull_request_target] - -jobs: - label: - runs-on: ubuntu-latest - permissions: - contents: read - pull-requests: write - - steps: - - uses: actions/labeler@v6 - with: - repo-token: "${{ secrets.GITHUB_TOKEN }}" -- cgit 0.0.5-2-1-g0f52
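Review bot: Replacing the top-level `permissions: {}` with `permissions: contents: read` loosens rather than tightens this file: the `fuzzing` job already declares its own `permissions:` block (starting with `security-events: write` and continuing outside the hunk), and a job-level block fully replaces the workflow default, so the old `{}` cost nothing and guaranteed that any job added later starts with no token scopes at all. Keep `permissions: {}` at the top and make sure the job block lists `contents: read` if its checkout step needs it; matching the other fuzz workflows in this commit is not a reason to widen the default. The checkout and run steps of the job are outside the hunk.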