-
Notifications
You must be signed in to change notification settings - Fork 0
Autonomous Repository Management System #90
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| * @NITISH-R-G |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| name: Bug Report | ||
| description: File a bug report | ||
| title: "[Bug]: " | ||
| labels: ["bug", "triage"] | ||
| body: | ||
| - type: markdown | ||
| attributes: | ||
| value: | | ||
| Thanks for taking the time to fill out this bug report! | ||
| - type: input | ||
| id: version | ||
| attributes: | ||
| label: Version | ||
| description: What version of our software are you running? | ||
| validations: | ||
| required: true | ||
| - type: textarea | ||
| id: what-happened | ||
| attributes: | ||
| label: What happened? | ||
| description: Also tell us, what did you expect to happen? | ||
| validations: | ||
| required: true |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| name: Feature Request | ||
| description: Suggest an idea for this project | ||
| title: "[Feature]: " | ||
| labels: ["enhancement", "triage"] | ||
| body: | ||
| - type: textarea | ||
| id: feature-description | ||
| attributes: | ||
| label: Description | ||
| description: A clear and concise description of what the feature is. | ||
| validations: | ||
| required: true |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| frontend: | ||
| - changed-files: | ||
| - any-glob-to-any-file: 'web/**/*' | ||
| backend: | ||
| - changed-files: | ||
| - any-glob-to-any-file: 'server/**/*' | ||
| - any-glob-to-any-file: 'ev_grid_oracle/**/*' | ||
| docs: | ||
| - changed-files: | ||
| - any-glob-to-any-file: '**/*.md' | ||
| - any-glob-to-any-file: 'docs/**/*' | ||
| tests: | ||
| - changed-files: | ||
| - any-glob-to-any-file: 'tests/**/*' | ||
| ci: | ||
| - changed-files: | ||
| - any-glob-to-any-file: '.github/**/*' | ||
This file was deleted.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| name: AI PR Agent | ||
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, reopened] | ||
| pull_request_review_comment: | ||
| types: [created] | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
|
|
||
| jobs: | ||
| review: | ||
| runs-on: ubuntu-latest | ||
| if: ${{ github.event.sender.type != 'Bot' }} | ||
| steps: | ||
| - name: CodeRabbit AI PR Reviewer | ||
| uses: coderabbitai/openai-pr-reviewer@latest | ||
|
Comment on lines
+17
to
+18
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win Pin Line 18 uses 🧰 Tools🪛 zizmor (1.26.1)[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI Agents |
||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} | ||
|
Comment on lines
+3
to
+21
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🎯 Functional Correctness | 🟠 Major | 🏗️ Heavy lift 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
git ls-files .github/workflows
printf '\n--- ai-review workflow ---\n'
cat -n .github/workflows/ai-review.yml
printf '\n--- search for similar workflow patterns ---\n'
rg -n "pull_request_target|OPENAI_API_KEY|coderabbitai/openai-pr-reviewer|github.event.sender.type" .github/workflows -SRepository: NITISH-R-G/ev-grid-oracle Length of output: 1583 🌐 Web query:
💡 Result: In GitHub Actions, workflows triggered by pull requests from forks (including pull_request_review_comment) do not have access to repository secrets [1][2]. This is a security measure to prevent untrusted code from accessing sensitive credentials [3][4]. Key points regarding secrets and forked pull requests: 1. Access Restriction: Workflows triggered by the pull_request, pull_request_review, and pull_request_review_comment events for pull requests originating from a fork are intentionally restricted [3][2][5]. They receive a read-only GITHUB_TOKEN and have no access to environment, organization, or repository secrets [3][1][2]. 2. The Role of pull_request_target: If you require a workflow to access secrets while interacting with a pull request from a fork (e.g., to post a comment or status check), you must use the pull_request_target trigger instead of pull_request [3][2][6]. Unlike standard pull_request events, pull_request_target runs in the context of the base repository and has access to secrets [3][7][8]. 3. Critical Security Warning: Using pull_request_target creates a severe security risk if the workflow checks out and executes untrusted code from the pull request (a pattern known as a pwn request) [4][6][8]. To operate safely, workflows using pull_request_target should: - Never check out the head commit of the pull request [4][6][8]. - Only operate on code from the base repository's default branch [3][8]. - If you must use external code, ensure it is only used for non-executable tasks (like labeling or commenting), or implement strict validation and manual approval workflows before execution [3][7][6][9]. 4. Checkout Protection: As of June 2026, actions/checkout v7 includes built-in protections that refuse to fetch fork pull request code in pull_request_target workflows to prevent these common vulnerabilities [4]. If you have a legitimate, hardened use case that requires checking out fork code, you must explicitly opt out by setting allow-unsafe-pr-checkout: true on the actions/checkout step [3][4]. Citations:
Fork PRs won’t get AI review with this trigger/secret setup. 🧰 Tools🪛 zizmor (1.26.1)[error] 10-10: overly broad permissions (excessive-permissions): pull-requests: write is overly broad at the workflow level (excessive-permissions) [error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) [warning] 10-10: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment (undocumented-permissions) [info] 13-13: workflow or action definition without a name (anonymous-definition): this job (anonymous-definition) 🤖 Prompt for AI Agents |
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| name: CI | ||
| on: | ||
| push: | ||
| branches: [ "main" ] | ||
| pull_request: | ||
| branches: [ "main" ] | ||
|
|
||
| jobs: | ||
| test: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| lfs: true | ||
|
Comment on lines
+1
to
+14
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win Lock down the CI token. This workflow never writes back to the repo, but it currently inherits the repository default 🧰 Tools🪛 YAMLlint (1.37.1)[warning] 2-2: truthy value should be one of [false, true] (truthy) [error] 4-4: too many spaces inside brackets (brackets) [error] 4-4: too many spaces inside brackets (brackets) [error] 6-6: too many spaces inside brackets (brackets) [error] 6-6: too many spaces inside brackets (brackets) 🪛 zizmor (1.26.1)[warning] 12-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) [warning] 1-29: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block (excessive-permissions) [error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) [info] 9-9: workflow or action definition without a name (anonymous-definition): this job (anonymous-definition) [warning] 2-6: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting (concurrency-limits) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||
|
|
||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: '3.12' | ||
|
Comment on lines
+12
to
+19
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
printf '\n## .github/workflows/ci.yml\n'
nl -ba .github/workflows/ci.yml | sed -n '1,120p'
printf '\n## repo files mentioning zizmor or action pinning\n'
rg -n --hidden --glob '!.git' -e 'zizmor|immutable SHA|pin.*SHA|actions/checkout@|actions/setup-python@|uses:' .github README* . || true
printf '\n## workflow-related files\n'
git ls-files '.github/**' | sed -n '1,200p'Repository: NITISH-R-G/ev-grid-oracle Length of output: 232 🏁 Script executed: #!/bin/bash
set -euo pipefail
printf '\n## .github/workflows/ci.yml\n'
cat -n .github/workflows/ci.yml | sed -n '1,120p'
printf '\n## search for zizmor / pinning policy\n'
rg -n --hidden --glob '!.git' -e 'zizmor|immutable SHA|pin.*SHA|pinned to immutable|actions/checkout@v4|actions/setup-python@v5' .github README* . || true
printf '\n## workflow files\n'
git ls-files '.github/**' | sed -n '1,200p'Repository: NITISH-R-G/ev-grid-oracle Length of output: 3584 Pin these actions to immutable SHAs. 🧰 Tools🪛 zizmor (1.26.1)[warning] 12-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) [error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) [error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||
|
|
||
| - name: Install uv | ||
| run: pip install uv | ||
|
|
||
| - name: Install dependencies | ||
| run: uv pip install --system -e ".[dev,demo]" | ||
|
|
||
| - name: Run Python Tests | ||
| run: uv run pytest tests/ | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| name: Greetings | ||
| on: | ||
| pull_request_target: | ||
| types: [opened] | ||
| issues: | ||
| types: [opened] | ||
|
|
||
| permissions: | ||
| issues: write | ||
| pull-requests: write | ||
|
Comment on lines
+3
to
+10
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
# Inspect the workflow file and its exact action reference.
git ls-files .github/workflows/greetings.yml
echo '---'
wc -l .github/workflows/greetings.yml
echo '---'
cat -n .github/workflows/greetings.ymlRepository: NITISH-R-G/ev-grid-oracle Length of output: 977 Pin
🧰 Tools🪛 zizmor (1.26.1)[error] 9-9: overly broad permissions (excessive-permissions): issues: write is overly broad at the workflow level (excessive-permissions) [error] 10-10: overly broad permissions (excessive-permissions): pull-requests: write is overly broad at the workflow level (excessive-permissions) [warning] 9-9: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment (undocumented-permissions) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||
|
|
||
| jobs: | ||
| greeting: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/first-interaction@v1 | ||
| with: | ||
| repo-token: ${{ secrets.GITHUB_TOKEN }} | ||
| issue-message: "Welcome to the repository! Thank you for opening your first issue. A maintainer or our AI system will be with you shortly." | ||
| pr-message: "Welcome to the repository! Thank you for opening your first pull request. Our CI and AI reviewer will take a look." | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| name: "Pull Request Labeler" | ||
| on: | ||
| pull_request_target: | ||
| types: [opened, synchronize, reopened] | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
|
Comment on lines
+3
to
+8
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win Pin This workflow runs under Suggested change- - uses: actions/labeler@v5
+ - uses: actions/labeler@<full-length-commit-sha> # v5🧰 Tools🪛 zizmor (1.26.1)[error] 8-8: overly broad permissions (excessive-permissions): pull-requests: write is overly broad at the workflow level (excessive-permissions) [warning] 8-8: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment (undocumented-permissions) 🤖 Prompt for AI Agents |
||
|
|
||
| jobs: | ||
| triage: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/labeler@v5 | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| name: GitHub Pages | ||
| on: | ||
| push: | ||
| branches: [ "main" ] | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pages: write | ||
| id-token: write | ||
|
|
||
| jobs: | ||
| deploy: | ||
| environment: | ||
| name: github-pages | ||
| url: ${{ steps.deployment.outputs.page_url }} | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| lfs: true | ||
|
Comment on lines
+6
to
+20
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win Scope Pages permissions to the deploy job and disable checkout credential persistence. Lines 6-9 grant 🧰 Tools🪛 zizmor (1.26.1)[warning] 18-20: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) [error] 8-8: overly broad permissions (excessive-permissions): pages: write is overly broad at the workflow level (excessive-permissions) [error] 9-9: overly broad permissions (excessive-permissions): id-token: write is overly broad at the workflow level (excessive-permissions) [error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) [warning] 8-8: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment (undocumented-permissions) [info] 12-12: workflow or action definition without a name (anonymous-definition): this job (anonymous-definition) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||
| - name: Setup Pages | ||
| uses: actions/configure-pages@v4 | ||
| - name: Upload artifact | ||
| uses: actions/upload-pages-artifact@v3 | ||
| with: | ||
| path: './docs' | ||
| - name: Deploy to GitHub Pages | ||
| id: deployment | ||
| uses: actions/deploy-pages@v4 | ||
|
Comment on lines
+1
to
+29
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win Serialize Pages deployments. Without a 🧰 Tools🪛 YAMLlint (1.37.1)[warning] 2-2: truthy value should be one of [false, true] (truthy) [error] 4-4: too many spaces inside brackets (brackets) [error] 4-4: too many spaces inside brackets (brackets) 🪛 zizmor (1.26.1)[warning] 18-20: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) [error] 8-8: overly broad permissions (excessive-permissions): pages: write is overly broad at the workflow level (excessive-permissions) [error] 9-9: overly broad permissions (excessive-permissions): id-token: write is overly broad at the workflow level (excessive-permissions) [error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) [error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) [error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) [error] 29-29: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) [warning] 8-8: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment (undocumented-permissions) [info] 12-12: workflow or action definition without a name (anonymous-definition): this job (anonymous-definition) [warning] 2-4: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting (concurrency-limits) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,68 @@ | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| name: Repository Maintenance | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| on: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| push: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| branches: [ "main" ] | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| pull_request: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| branches: [ "main" ] | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| permissions: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| contents: write | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| jobs: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| maintain: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| if: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Comment on lines
+1
to
+13
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win Add per-ref concurrency before this job auto-pushes. This workflow mutates the same branch it runs on. Without a concurrency group, two runs on the same ref can both create maintenance commits, and the loser is silently dropped by 🔧 Suggested change name: Repository Maintenance
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
+
+concurrency:
+ group: repo-maintenance-${{ github.workflow }}-${{ github.event.pull_request.head.ref || github.ref }}
+ cancel-in-progress: true
permissions:
contents: write📝 Committable suggestion
Suggested change
🧰 Tools🪛 YAMLlint (1.37.1)[warning] 2-2: truthy value should be one of [false, true] (truthy) [error] 4-4: too many spaces inside brackets (brackets) [error] 4-4: too many spaces inside brackets (brackets) [error] 6-6: too many spaces inside brackets (brackets) [error] 6-6: too many spaces inside brackets (brackets) 🪛 zizmor (1.26.1)[error] 9-9: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level (excessive-permissions) [warning] 9-9: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment (undocumented-permissions) [info] 12-12: workflow or action definition without a name (anonymous-definition): this job (anonymous-definition) [warning] 2-6: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting (concurrency-limits) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| steps: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| - uses: actions/checkout@v4 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| ref: ${{ github.head_ref || github.ref }} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| fetch-depth: 0 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| lfs: true | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| - name: Set up Python | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| uses: actions/setup-python@v5 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Comment on lines
+16
to
+23
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win Pin these actions to commit SHAs. 🧰 Tools🪛 zizmor (1.26.1)[warning] 16-20: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) [error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) [error] 23-23: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI Agents |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| python-version: '3.12' | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| - name: Install dependencies | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| run: | | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| pip install uv | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| uv pip install --system -e ".[dev,demo]" | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| uv pip install --system cyclonedx-bom cyclonedx-py pydeps | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| sudo apt-get update && sudo apt-get install -y xdg-utils graphviz | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| - name: Autofix Code Quality | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| run: | | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| uv run --with ruff ruff check --fix . || true | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| uv run --with ruff ruff format . || true | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| - name: Generate Architecture Diagrams | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| run: | | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| mkdir -p docs/architecture | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| pydeps ev_grid_oracle --output docs/architecture/ev_grid_oracle.svg --no-show || true | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| - name: Generate Knowledge Graph | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| run: | | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| mkdir -p docs/knowledge | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| python tools/generate_knowledge_graph.py | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| - name: Docs Sync | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| run: | | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| python tools/docs_sync.py | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| mkdir -p docs | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| - name: Generate SBOM | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| run: | | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| cyclonedx-py environment -o bom.json || true | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| - name: Commit and Push Changes | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| run: | | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| git config --global user.name "github-actions[bot]" | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| git add . | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| git commit -m "chore: autonomous repository maintenance [skip ci]" || echo "No changes to commit" | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| # Avoid using the actual push command in testing script to not block session | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| # We'll write the script that GH Actions runs | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| git push origin ${{ github.head_ref || github.ref }} || true | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,19 @@ | ||||||||||||||||||||||||||||||||||||||
| name: Mark stale issues and pull requests | ||||||||||||||||||||||||||||||||||||||
| on: | ||||||||||||||||||||||||||||||||||||||
| schedule: | ||||||||||||||||||||||||||||||||||||||
| - cron: '30 1 * * *' | ||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||
| permissions: | ||||||||||||||||||||||||||||||||||||||
| issues: write | ||||||||||||||||||||||||||||||||||||||
| pull-requests: write | ||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||
| jobs: | ||||||||||||||||||||||||||||||||||||||
| stale: | ||||||||||||||||||||||||||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||||||||||||||||||||||||||
| steps: | ||||||||||||||||||||||||||||||||||||||
| - uses: actions/stale@v9 | ||||||||||||||||||||||||||||||||||||||
|
Comment on lines
+6
to
+14
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
git ls-files .github/workflows/stale.yml
wc -l .github/workflows/stale.yml
cat -n .github/workflows/stale.ymlRepository: NITISH-R-G/ev-grid-oracle Length of output: 855 🏁 Script executed: #!/bin/bash
set -euo pipefail
python3 - <<'PY'
import pathlib, re
p = pathlib.Path('.github/workflows/stale.yml')
text = p.read_text()
m = re.search(r'uses:\s*actions/stale@([^\s#]+)', text)
print("match:", m.group(1) if m else "none")
PYRepository: NITISH-R-G/ev-grid-oracle Length of output: 173 Pin This scheduled workflow runs with write permissions; using Suggested change- - uses: actions/stale@v9
+ - uses: actions/stale@<full-length-commit-sha> # v9📝 Committable suggestion
Suggested change
🧰 Tools🪛 zizmor (1.26.1)[error] 7-7: overly broad permissions (excessive-permissions): issues: write is overly broad at the workflow level (excessive-permissions) [error] 8-8: overly broad permissions (excessive-permissions): pull-requests: write is overly broad at the workflow level (excessive-permissions) [error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) [warning] 7-7: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment (undocumented-permissions) [info] 11-11: workflow or action definition without a name (anonymous-definition): this job (anonymous-definition) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||||||||||||||||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||||||||||||||||
| stale-issue-message: 'This issue is stale because it has been open 30 days with no activity.' | ||||||||||||||||||||||||||||||||||||||
| stale-pr-message: 'This PR is stale because it has been open 30 days with no activity.' | ||||||||||||||||||||||||||||||||||||||
| days-before-stale: 30 | ||||||||||||||||||||||||||||||||||||||
| days-before-close: 7 | ||||||||||||||||||||||||||||||||||||||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| # Contributor Covenant Code of Conduct | ||
|
|
||
| ## Our Pledge | ||
|
|
||
| We as members, contributors, and leaders pledge to make participation in our | ||
| community a harassment-free experience for everyone, regardless of age, body | ||
| size, visible or invisible disability, ethnicity, sex characteristics, gender | ||
| identity and expression, level of experience, education, socio-economic status, | ||
| nationality, personal appearance, race, religion, or sexual identity | ||
| and orientation. | ||
|
|
||
| We pledge to act and interact in ways that contribute to an open, welcoming, | ||
| diverse, inclusive, and healthy community. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| # Contributing | ||
|
|
||
| Thank you for investing your time in contributing to our project! | ||
|
|
||
| Read our [Code of Conduct](./CODE_OF_CONDUCT.md) to keep our community approachable and respectable. | ||
|
|
||
| ## Getting Started | ||
|
|
||
| 1. Fork the repository | ||
| 2. Create your feature branch (`git checkout -b feature/amazing-feature`) | ||
| 3. Commit your changes (`git commit -m 'Add some amazing feature'`) | ||
| 4. Push to the branch (`git push origin feature/amazing-feature`) | ||
| 5. Open a Pull Request |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Include the new Python tooling in the backend matcher.
The stack context for this PR adds
tools/generate_knowledge_graph.pyandtools/docs_sync.py, but this rule only matchesserver/**/*andev_grid_oracle/**/*. PRs that touch only repo tooling will miss the backend label, which weakens the automated triage this PR is introducing.Suggested change
backend: - changed-files: - any-glob-to-any-file: 'server/**/*' - any-glob-to-any-file: 'ev_grid_oracle/**/*' + - any-glob-to-any-file: 'tools/**/*'📝 Committable suggestion
🤖 Prompt for AI Agents