Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/CODEOWNERS
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
* @NITISH-R-G
24 changes: 24 additions & 0 deletions .github/ISSUE_TEMPLATE/bug_report.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
name: Bug Report
description: File a bug report
title: "[Bug]: "
labels: ["bug"]
body:
- type: markdown
attributes:
value: |
Thanks for taking the time to fill out this bug report!
- type: textarea
id: what-happened
attributes:
label: What happened?
description: Also tell us, what did you expect to happen?
placeholder: Tell us what you see!
value: "A bug happened!"
validations:
required: true
- type: textarea
id: logs
attributes:
label: Relevant log output
description: Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.
render: shell
Comment on lines +22 to +24

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Add a redaction warning before collecting logs.

This public field explicitly asks reporters to paste raw logs, which can easily expose tokens, emails, or internal hostnames. Add a short “please remove secrets/PII first” notice in Line 23 or as a preceding markdown block.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/ISSUE_TEMPLATE/bug_report.yml around lines 22 - 24, The bug report
template’s “Relevant log output” field invites raw logs without warning about
sensitive data, so add a short redaction notice before that prompt in the
ISSUE_TEMPLATE section. Update the YAML around the log output field to include a
brief “remove secrets/PII first” warning, keeping the existing label/description
structure intact and making sure the notice appears immediately before or with
the relevant log output prompt.

21 changes: 21 additions & 0 deletions .github/ISSUE_TEMPLATE/feature_request.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
name: Feature Request
description: Suggest an idea for this project
title: "[Feature]: "
labels: ["enhancement"]
body:
- type: markdown
attributes:
value: |
Thanks for taking the time to fill out this feature request!
- type: textarea
id: feature-description
attributes:
label: Description
description: A clear and concise description of what you want.
validations:
required: true
- type: textarea
id: use-cases
attributes:
label: Use Cases
description: What are the use cases for this feature?
22 changes: 22 additions & 0 deletions .github/PULL_REQUEST_TEMPLATE.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
## Description

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Use a top-level heading at the start of the template.

Line 1 begins with ##, so markdownlint will flag this file with MD041 if docs linting is enforced.

Suggested fix
-## Description
+# Pull Request
+
+## Description
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
## Description
# Pull Request
## Description
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 1-1: First line in a file should be a top-level heading

(MD041, first-line-heading, first-line-h1)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/PULL_REQUEST_TEMPLATE.md at line 1, The pull request template starts
with a second-level heading, which triggers markdownlint MD041. Update the
template content at the top of the file so it begins with a top-level heading,
keeping the rest of the PR description structure unchanged.

Source: Linters/SAST tools


Please include a summary of the change and which issue is fixed.

Fixes # (issue)

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] This change requires a documentation update

## Checklist:

- [ ] My code follows the style guidelines of this project
- [ ] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] My changes generate no new warnings
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
34 changes: 34 additions & 0 deletions .github/labeler.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
# Add 'python' label to any changes within 'ev_grid_oracle', 'server', 'training', 'tools', 'viz' or 'tests' folders
python:
- any:
- changed-files:
- any-glob-to-any-file:
- ev_grid_oracle/**/*
- server/**/*
- training/**/*
- tools/**/*
- viz/**/*
- tests/**/*
- '*.py'

# Add 'frontend' label to any changes within 'web' folder
frontend:
- any:
- changed-files:
- any-glob-to-any-file:
- web/**/*

# Add 'documentation' label to any changes to .md files
documentation:
- any:
- changed-files:
- any-glob-to-any-file:
- '**/*.md'
- docs/**/*

# Add 'github-actions' label to any changes within .github folder
github-actions:
- any:
- changed-files:
- any-glob-to-any-file:
- .github/**/*
Comment on lines +29 to +34

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Narrow the github-actions label to workflow files.

Lines 29-34 currently tag any .github/** change as github-actions, so edits to issue templates and other repository metadata will be mislabeled as workflow changes. Point this rule at .github/workflows/**/* and add a separate metadata label if you want broader routing.

Suggested fix
 # Add 'github-actions' label to any changes within .github folder
 github-actions:
   - any:
     - changed-files:
       - any-glob-to-any-file:
-        - .github/**/*
+        - .github/workflows/**/*
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Add 'github-actions' label to any changes within .github folder
github-actions:
- any:
- changed-files:
- any-glob-to-any-file:
- .github/**/*
# Add 'github-actions' label to any changes within .github folder
github-actions:
- any:
- changed-files:
- any-glob-to-any-file:
- .github/workflows/**/*
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/labeler.yml around lines 29 - 34, The github-actions label rule in
the labeler configuration is too broad because it matches all changes under the
.github directory; update the github-actions mapping in the labeler config to
target only workflow files via .github/workflows/**/*, and if broader .github
changes still need routing, add a separate rule for metadata/templates using a
distinct label.

27 changes: 0 additions & 27 deletions .github/workflows/ai-insights.yml

This file was deleted.

24 changes: 24 additions & 0 deletions .github/workflows/ai-review.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
name: AI PR Reviewer

on:
pull_request:
types: [opened, synchronize, reopened]
Comment on lines +3 to +5

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win

Add a concurrency group to cancel superseded runs.

Each synchronize push starts a new review run; without a concurrency guard, overlapping runs waste OpenAI credits and may post redundant reviews.

♻️ Proposed addition
 on:
   pull_request:
     types: [opened, synchronize, reopened]
+
+concurrency:
+  group: ai-review-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
on:
pull_request:
types: [opened, synchronize, reopened]
on:
pull_request:
types: [opened, synchronize, reopened]
concurrency:
group: ai-review-${{ github.event.pull_request.number }}
cancel-in-progress: true
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 3-5: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ai-review.yml around lines 3 - 5, Add a concurrency guard
to the ai-review workflow so newer pull_request runs cancel any in-progress
superseded run. Update the workflow around the existing on.pull_request trigger
by introducing a concurrency group keyed to the pull request and enabling
cancel-in-progress, using the workflow’s concurrency settings so overlapping
synchronize runs do not execute in parallel.

Source: Linters/SAST tools


permissions:
pull-requests: write
contents: read
Comment on lines +3 to +9

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

Fork PRs will fail: pull_request provides no secrets and a read-only token.

For pull requests opened from forks, the pull_request event runs with a read-only GITHUB_TOKEN (the pull-requests: write block is ignored) and repository secrets are not exposed, so OPENAI_API_KEY and GITHUB_TOKEN will be empty/insufficient and the reviewer cannot post comments. This is why the companion labeler.yml uses pull_request_target. Decide intentionally:

  • If reviews on external contributions are required, switch to pull_request_target (and be mindful of the associated checkout/security risks since untrusted code must not be executed with the elevated token).
  • If only same-repo PRs need review, keep pull_request but document that fork PRs are skipped.
🧰 Tools
🪛 zizmor (1.26.1)

[error] 8-8: overly broad permissions (excessive-permissions): pull-requests: write is overly broad at the workflow level

(excessive-permissions)


[warning] 8-8: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)


[warning] 3-5: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ai-review.yml around lines 3 - 9, The AI review workflow
is using pull_request, which prevents fork PRs from accessing secrets and from
getting a writable token. Update the workflow trigger in the ai-review job to
either use pull_request_target if external fork reviews should be supported, or
keep pull_request and explicitly document/skip fork PRs; make sure the ai-review
setup (including OPENAI_API_KEY/GITHUB_TOKEN usage and comment posting) matches
that choice and references the existing permissions block and workflow trigger.

Comment on lines +7 to +9

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

Scope pull-requests: write to the job, not the whole workflow.

With a single job, granting write at the workflow level is broader than needed. Move the permissions block under jobs.review (and add a brief comment explaining why write is required) to satisfy least-privilege.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 8-8: overly broad permissions (excessive-permissions): pull-requests: write is overly broad at the workflow level

(excessive-permissions)


[warning] 8-8: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ai-review.yml around lines 7 - 9, The workflow-level
permissions are broader than needed; move the write access into the review job
so only the job that posts PR feedback has it. Update the ai-review workflow by
placing the permissions block under the jobs.review definition, and add a short
comment there explaining why pull-requests: write is required. Keep contents:
read as needed, and ensure the top-level workflow no longer grants write
permissions globally.

Source: Linters/SAST tools


jobs:
review:
runs-on: ubuntu-latest
if: ${{ github.event.sender.type != 'Bot' }}
steps:
- name: AI PR Review
uses: coderabbitai/openai-pr-reviewer@latest

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

Does the coderabbitai/openai-pr-reviewer GitHub Action have a "latest" tag and what is its current release tag?

💡 Result:

Yes, the coderabbitai/openai-pr-reviewer GitHub Action (also known as coderabbitai/ai-pr-reviewer) supports the use of a "latest" tag [1][2]. The project documentation explicitly provides examples using @latest in GitHub workflow files [1][2]. As of June 2026, the repository has been archived and is read-only [1][3]. The final release tag for the project is 1.16.2 [1][4].

Citations:


Pin this action to a commit SHA instead of @latest. @latest is a floating ref, so a SHA keeps the workflow reproducible and avoids tag drift.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ai-review.yml at line 17, The workflow uses
coderabbitai/openai-pr-reviewer@latest, which is a floating ref; update the
action reference to a fixed commit SHA to make the ai-review workflow
reproducible and prevent tag drift.

Source: Linters/SAST tools

env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
with:
debug: false
review_simple_changes: false
review_comment_lgtm: false
38 changes: 38 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
name: "CodeQL Advanced"

on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
- cron: '30 2 * * 0'

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
security-events: write
packages: read
actions: read
contents: read

strategy:
fail-fast: false
matrix:
language: [ 'javascript-typescript', 'python' ]

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
Comment on lines +27 to +36

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,220p' .github/workflows/codeql.yml

Repository: NITISH-R-G/ev-grid-oracle

Length of output: 928


Pin these action references to immutable commit SHAs.
actions/checkout@v4 and the github/codeql-action refs are mutable tags, so the workflow can execute different code without a repo change.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 27-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 28-28: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 31-31: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 36-36: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql.yml around lines 27 - 36, The workflow steps in the
CodeQL job use mutable action tags, which should be replaced with immutable
commit SHAs. Update the `actions/checkout` reference and both
`github/codeql-action` references in the CodeQL workflow so the `Checkout
repository`, `Initialize CodeQL`, and `Perform CodeQL Analysis` steps all pin to
specific commits instead of version tags.

Source: Linters/SAST tools

with:
category: "/language:${{matrix.language}}"
20 changes: 20 additions & 0 deletions .github/workflows/greetings.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
name: Greetings

on:
pull_request_target:
types: [opened]
issues:
types: [opened]

jobs:
greeting:
runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
steps:
- uses: actions/first-interaction@v1
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
issue-message: 'Welcome to the repository! Thanks for opening your first issue. Our team will look into it shortly.'
pr-message: 'Welcome to the repository! Thanks for submitting your first pull request. Please make sure you have followed our contributing guidelines and all checks pass.'
Comment on lines +16 to +20

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

rg -n "actions/first-interaction@" -S .

Repository: NITISH-R-G/ev-grid-oracle

Length of output: 163


🏁 Script executed:

#!/bin/bash
set -euo pipefail

git ls-files .github/workflows/greetings.yml
wc -l .github/workflows/greetings.yml
cat -n .github/workflows/greetings.yml | sed -n '1,120p'

Repository: NITISH-R-G/ev-grid-oracle

Length of output: 991


Pin actions/first-interaction to a full commit SHA. Line 16 still uses the mutable @v1 tag in a pull_request_target workflow with write permissions, which leaves a supply-chain risk open.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/greetings.yml around lines 16 - 20, Update the
actions/first-interaction reference in the greetings workflow from the mutable
v1 tag to a full commit SHA, since this runs in a pull_request_target context
with write permissions. Keep the existing issue-message and pr-message inputs
intact, and only change the action identifier to the pinned commit so the
workflow is no longer exposed to tag-based supply-chain drift.

Source: Linters/SAST tools

16 changes: 16 additions & 0 deletions .github/workflows/labeler.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
name: "Pull Request Labeler"
on:
pull_request_target:
types: [opened, synchronize, reopened]

jobs:
labeler:
permissions:
contents: read
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v5
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
sync-labels: true
Comment on lines +13 to +16

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== search for other workflow action pinning patterns ==\n'
rg -n 'uses: .*`@v`[0-9]+' .github/workflows || true
printf '\n== search for pinned SHAs in workflows ==\n'
rg -n 'uses: .*@[0-9a-f]{40}' .github/workflows || true

Repository: NITISH-R-G/ev-grid-oracle

Length of output: 1949


🏁 Script executed:

#!/bin/bash
set -euo pipefail

cat -n .github/workflows/labeler.yml

Repository: NITISH-R-G/ev-grid-oracle

Length of output: 614


Pin actions/labeler to a full commit SHA. .github/workflows/labeler.yml:13 runs on pull_request_target with pull-requests: write, so actions/labeler@v5 should not use a mutable tag.

Suggested fix
-    - uses: actions/labeler@v5
+    - uses: actions/labeler@<full-length-commit-sha>
🧰 Tools
🪛 zizmor (1.26.1)

[error] 13-13: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/labeler.yml around lines 13 - 16, The labeler workflow
uses a mutable tag for actions/labeler in the job that runs on
pull_request_target with write permissions, so update the labeler step to pin
the action to a full commit SHA instead of v5. Keep the existing step structure
in the labeler job and replace the version reference in the actions/labeler
invocation with an immutable commit hash to ensure the workflow cannot drift.

Source: Linters/SAST tools

65 changes: 65 additions & 0 deletions .github/workflows/repo-maintenance.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
name: Repository Maintenance Automation

on:
push:
branches:
- main
pull_request:
branches:
- main
schedule:
- cron: '0 2 * * *' # Run daily at 2 AM

permissions:
contents: write
pull-requests: write
Comment on lines +13 to +15

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Scope write permissions to the job that needs them.

contents: write and pull-requests: write are granted at the workflow level, so every step (including dependency install of PR code via uv pip install -e) runs with a write-capable token. Move these to the maintenance job and keep the workflow default minimal. An explanatory comment on each elevated scope also addresses the linter hint.

🛠️ Proposed fix
-permissions:
-  contents: write
-  pull-requests: write
+permissions:
+  contents: read
 
 jobs:
   maintenance:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write       # auto-commit generated artifacts back to the branch
+      pull-requests: write  # update PR with maintenance changes
     if: github.repository == github.event.pull_request.head.repo.full_name || github.event_name != 'pull_request'
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
permissions:
contents: write
pull-requests: write
permissions:
contents: read
jobs:
maintenance:
runs-on: ubuntu-latest
permissions:
contents: write # auto-commit generated artifacts back to the branch
pull-requests: write # update PR with maintenance changes
🧰 Tools
🪛 zizmor (1.26.1)

[error] 14-14: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level

(excessive-permissions)


[error] 15-15: overly broad permissions (excessive-permissions): pull-requests: write is overly broad at the workflow level

(excessive-permissions)


[warning] 14-14: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/repo-maintenance.yml around lines 13 - 15, The
workflow-level permissions are too broad in the repo-maintenance workflow, so
scope the write access only to the maintenance job and keep the top-level
permissions minimal. Update the workflow around the maintenance job definition
so `contents` and `pull-requests` write scopes are set on that job instead of
globally, and add brief explanatory comments for each elevated permission to
satisfy the linter hint.

Source: Linters/SAST tools


jobs:
maintenance:
runs-on: ubuntu-latest
Comment on lines +3 to +19

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Add a concurrency group to prevent racing auto-commits.

This workflow can run on push, pull_request, and the daily schedule simultaneously. Two concurrent runs targeting the same branch (e.g. a scheduled run overlapping a push to main) can race on the auto-commit/push and fail or clobber each other. Add a concurrency group keyed on the ref.

🛠️ Proposed fix
 on:
   push:
     branches:
       - main
   pull_request:
     branches:
       - main
   schedule:
     - cron: '0 2 * * *' # Run daily at 2 AM
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
on:
push:
branches:
- main
pull_request:
branches:
- main
schedule:
- cron: '0 2 * * *' # Run daily at 2 AM
permissions:
contents: write
pull-requests: write
jobs:
maintenance:
runs-on: ubuntu-latest
on:
push:
branches:
- main
pull_request:
branches:
- main
schedule:
- cron: '0 2 * * *' # Run daily at 2 AM
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
cancel-in-progress: false
permissions:
contents: write
pull-requests: write
jobs:
maintenance:
runs-on: ubuntu-latest
🧰 Tools
🪛 zizmor (1.26.1)

[error] 14-14: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level

(excessive-permissions)


[error] 15-15: overly broad permissions (excessive-permissions): pull-requests: write is overly broad at the workflow level

(excessive-permissions)


[warning] 14-14: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)


[info] 18-18: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)


[warning] 3-11: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/repo-maintenance.yml around lines 3 - 19, Add a
workflow-level concurrency setting in repo-maintenance.yml so overlapping runs
of the maintenance job cannot auto-commit at the same time. Use a concurrency
group keyed on the ref for the workflow triggers, and configure cancellation of
in-progress runs if appropriate; place it alongside the existing
on/permissions/jobs sections so it applies to the maintenance job consistently.

Source: Linters/SAST tools

if: github.repository == github.event.pull_request.head.repo.full_name || github.event_name != 'pull_request'
steps:
- name: Checkout Repository
uses: actions/checkout@v4
with:
fetch-depth: 0
lfs: true
ref: ${{ github.head_ref || github.ref }}

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.12'
cache: 'pip'

- name: Install dependencies
run: |
python -m pip install --upgrade pip uv
uv pip install --system -e ".[dev]"
uv pip install --system pydeps cyclonedx-bom

- name: Install system dependencies
run: |
sudo apt-get update
sudo apt-get install -y xdg-utils graphviz

- name: Generate Architecture Diagrams
run: |
mkdir -p docs/architecture
pydeps ev_grid_oracle --output docs/architecture/ev_grid_oracle.svg --no-show || true
pydeps server --output docs/architecture/server.svg --no-show || true

- name: Generate SBOM
run: |
cyclonedx-py environment -o sbom.json

- name: Auto-fix linting and formatting
run: |
uv run --with ruff ruff check --fix . || true
uv run --with ruff ruff format . || true

- name: Commit and Push Changes
uses: stefanzweifel/git-auto-commit-action@v5
with:
commit_message: "Auto-generated repo maintenance artifacts [skip ci]"
branch: ${{ github.head_ref || github.ref }}
Comment on lines +61 to +65

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

git-auto-commit-action branch input expects branch name or full ref refs/heads

💡 Result:

The branch input for stefanzweifel/git-auto-commit-action expects a branch name rather than a full Git reference (e.g., refs/heads/branch-name) [1][2][3]. According to the official documentation and usage examples, you should provide the short name of the branch (e.g., branch: feature-123) [1][3]. If this input is omitted, the action defaults to the current branch [1][4]. If you intend to push to a branch that does not yet exist, you should also set the create_branch input to true [4][3].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow around the referenced lines and its triggers.
git ls-files .github/workflows/repo-maintenance.yml
wc -l .github/workflows/repo-maintenance.yml
sed -n '1,120p' .github/workflows/repo-maintenance.yml

Repository: NITISH-R-G/ev-grid-oracle

Length of output: 2087


Use a short branch name here

git-auto-commit-action expects a branch name, not refs/heads/.... On push and schedule, github.head_ref is empty, so this falls back to github.ref (refs/heads/main) and can misroute or fail the push. Use github.ref_name (or omit branch entirely).

Proposed fix
       - name: Commit and Push Changes
         uses: stefanzweifel/git-auto-commit-action@v5
         with:
           commit_message: "Auto-generated repo maintenance artifacts [skip ci]"
-          branch: ${{ github.head_ref || github.ref }}
+          branch: ${{ github.head_ref || github.ref_name }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Commit and Push Changes
uses: stefanzweifel/git-auto-commit-action@v5
with:
commit_message: "Auto-generated repo maintenance artifacts [skip ci]"
branch: ${{ github.head_ref || github.ref }}
- name: Commit and Push Changes
uses: stefanzweifel/git-auto-commit-action@v5
with:
commit_message: "Auto-generated repo maintenance artifacts [skip ci]"
branch: ${{ github.head_ref || github.ref_name }}
🧰 Tools
🪛 zizmor (1.26.1)

[error] 62-62: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[info] 62-62: action functionality is already included by the runner (superfluous-actions): use git add, git commit, and git push in a script step

(superfluous-actions)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/repo-maintenance.yml around lines 61 - 65, The Commit and
Push Changes step in repo-maintenance.yml is passing a ref string instead of a
branch name to git-auto-commit-action, which can break pushes on push and
schedule events. Update the branch input in that action to use a short branch
name source such as github.ref_name, or remove the branch override entirely, so
the action always targets the correct branch regardless of github.head_ref being
empty.

20 changes: 20 additions & 0 deletions .github/workflows/stale.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
name: Close Stale Issues

on:
schedule:
- cron: '0 0 * * *'

jobs:
stale:
runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
steps:
- uses: actions/stale@v9
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.'
stale-pr-message: 'This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.'
days-before-stale: 60
days-before-close: 7
44 changes: 44 additions & 0 deletions CODE_OF_CONDUCT.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
# Contributor Covenant Code of Conduct

## Our Pledge

We as members, contributors, and leaders pledge to make participation in our
community a harassment-free experience for everyone, regardless of age, body
size, visible or invisible disability, ethnicity, sex characteristics, gender
identity and expression, level of experience, education, socio-economic status,
nationality, personal appearance, race, caste, color, religion, or sexual
identity and orientation.

We pledge to act and interact in ways that contribute to an open, welcoming,
diverse, inclusive, and healthy community.

## Our Standards

Examples of behavior that contributes to a positive environment for our
community include:

* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes,
and learning from the experience
* Focusing on what is best not just for us as individuals, but for the
overall community

Examples of unacceptable behavior include:

* The use of sexualized language or imagery, and sexual attention or
advances of any kind
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or email
address, without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a
professional setting

## Enforcement Responsibilities

Community leaders are responsible for clarifying and enforcing our standards of
acceptable behavior and will take appropriate and fair corrective action in
response to any behavior that they deem inappropriate, threatening, offensive,
or harmful.
11 changes: 11 additions & 0 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# Contributing

When contributing to this repository, please first discuss the change you wish to make via issue, email, or any other method with the owners of this repository before making a change.

Please note we have a code of conduct, please follow it in all your interactions with the project.

## Pull Request Process

1. Ensure your code passes all linting and test rules by running `./validate-submission.sh`.
2. Update the README.md with details of changes to the interfaces or features.
3. Your Pull Request will be automatically analyzed by our AI Reviewer and other autonomous maintainer systems. Please address their feedback.
Loading