Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/CODEOWNERS
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
* @NITISH-R-G
23 changes: 23 additions & 0 deletions .github/ISSUE_TEMPLATE/bug_report.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
name: Bug Report
description: File a bug report
title: "[Bug]: "
labels: ["bug", "triage"]
body:
- type: markdown
attributes:
value: |
Thanks for taking the time to fill out this bug report!
- type: input
id: version
attributes:
label: Version
description: What version of our software are you running?
validations:
required: true
- type: textarea
id: what-happened
attributes:
label: What happened?
description: Also tell us, what did you expect to happen?
validations:
required: true
12 changes: 12 additions & 0 deletions .github/ISSUE_TEMPLATE/feature_request.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
name: Feature Request
description: Suggest an idea for this project
title: "[Feature]: "
labels: ["enhancement", "triage"]
body:
- type: textarea
id: feature-description
attributes:
label: Description
description: A clear and concise description of what the feature is.
validations:
required: true
17 changes: 17 additions & 0 deletions .github/labeler.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
frontend:
- changed-files:
- any-glob-to-any-file: 'web/**/*'
backend:
- changed-files:
- any-glob-to-any-file: 'server/**/*'
- any-glob-to-any-file: 'ev_grid_oracle/**/*'
Comment on lines +4 to +7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Include the new Python tooling in the backend matcher.

The stack context for this PR adds tools/generate_knowledge_graph.py and tools/docs_sync.py, but this rule only matches server/**/* and ev_grid_oracle/**/*. PRs that touch only repo tooling will miss the backend label, which weakens the automated triage this PR is introducing.

Suggested change
 backend:
   - changed-files:
     - any-glob-to-any-file: 'server/**/*'
     - any-glob-to-any-file: 'ev_grid_oracle/**/*'
+    - any-glob-to-any-file: 'tools/**/*'
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
backend:
- changed-files:
- any-glob-to-any-file: 'server/**/*'
- any-glob-to-any-file: 'ev_grid_oracle/**/*'
backend:
- changed-files:
- any-glob-to-any-file: 'server/**/*'
- any-glob-to-any-file: 'ev_grid_oracle/**/*'
- any-glob-to-any-file: 'tools/**/*'
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/labeler.yml around lines 4 - 7, The backend label rule in the
labeler config only matches the existing server and ev_grid_oracle paths, so
repo tooling changes are not getting classified. Update the backend matcher to
include the new Python tooling paths used by this PR, specifically the tools
scripts handled by the labeler rule, and keep the change within the backend
entry so PRs touching those files still receive the backend label.

docs:
- changed-files:
- any-glob-to-any-file: '**/*.md'
- any-glob-to-any-file: 'docs/**/*'
tests:
- changed-files:
- any-glob-to-any-file: 'tests/**/*'
ci:
- changed-files:
- any-glob-to-any-file: '.github/**/*'
27 changes: 0 additions & 27 deletions .github/workflows/ai-insights.yml

This file was deleted.

21 changes: 21 additions & 0 deletions .github/workflows/ai-review.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
name: AI PR Agent
on:
pull_request:
types: [opened, synchronize, reopened]
pull_request_review_comment:
types: [created]

permissions:
contents: read
pull-requests: write

jobs:
review:
runs-on: ubuntu-latest
if: ${{ github.event.sender.type != 'Bot' }}
steps:
- name: CodeRabbit AI PR Reviewer
uses: coderabbitai/openai-pr-reviewer@latest
Comment on lines +17 to +18

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin coderabbitai/openai-pr-reviewer to a commit SHA

Line 18 uses @latest, which is a mutable third-party reference in a PR workflow. Pin it to an immutable commit SHA before merging.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ai-review.yml around lines 17 - 18, The workflow step for
CodeRabbit AI PR Reviewer is using a mutable third-party reference via the
openai-pr-reviewer action. Update the uses entry in the ai-review workflow to
pin coderabbitai/openai-pr-reviewer to an immutable commit SHA instead of
`@latest` so the action version is fixed and reproducible.

env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
Comment on lines +3 to +21

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

git ls-files .github/workflows
printf '\n--- ai-review workflow ---\n'
cat -n .github/workflows/ai-review.yml

printf '\n--- search for similar workflow patterns ---\n'
rg -n "pull_request_target|OPENAI_API_KEY|coderabbitai/openai-pr-reviewer|github.event.sender.type" .github/workflows -S

Repository: NITISH-R-G/ev-grid-oracle

Length of output: 1583


🌐 Web query:

GitHub Actions workflow secrets from forked pull requests pull_request_review_comment docs

💡 Result:

In GitHub Actions, workflows triggered by pull requests from forks (including pull_request_review_comment) do not have access to repository secrets [1][2]. This is a security measure to prevent untrusted code from accessing sensitive credentials [3][4]. Key points regarding secrets and forked pull requests: 1. Access Restriction: Workflows triggered by the pull_request, pull_request_review, and pull_request_review_comment events for pull requests originating from a fork are intentionally restricted [3][2][5]. They receive a read-only GITHUB_TOKEN and have no access to environment, organization, or repository secrets [3][1][2]. 2. The Role of pull_request_target: If you require a workflow to access secrets while interacting with a pull request from a fork (e.g., to post a comment or status check), you must use the pull_request_target trigger instead of pull_request [3][2][6]. Unlike standard pull_request events, pull_request_target runs in the context of the base repository and has access to secrets [3][7][8]. 3. Critical Security Warning: Using pull_request_target creates a severe security risk if the workflow checks out and executes untrusted code from the pull request (a pattern known as a pwn request) [4][6][8]. To operate safely, workflows using pull_request_target should: - Never check out the head commit of the pull request [4][6][8]. - Only operate on code from the base repository's default branch [3][8]. - If you must use external code, ensure it is only used for non-executable tasks (like labeling or commenting), or implement strict validation and manual approval workflows before execution [3][7][6][9]. 4. Checkout Protection: As of June 2026, actions/checkout v7 includes built-in protections that refuse to fetch fork pull request code in pull_request_target workflows to prevent these common vulnerabilities [4]. If you have a legitimate, hardened use case that requires checking out fork code, you must explicitly opt out by setting allow-unsafe-pr-checkout: true on the actions/checkout step [3][4].

Citations:


Fork PRs won’t get AI review with this trigger/secret setup. pull_request and pull_request_review_comment workflows from forks don’t receive secrets.OPENAI_API_KEY, so the main OSS contribution path will miss this automation. Gate the job on the secret, or move to a hardened pull_request_target flow if fork coverage is required.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 10-10: overly broad permissions (excessive-permissions): pull-requests: write is overly broad at the workflow level

(excessive-permissions)


[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 10-10: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)


[info] 13-13: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ai-review.yml around lines 3 - 21, The AI review job in
the workflow currently relies on OPENAI_API_KEY under
pull_request/pull_request_review_comment, which means forked PRs will not have
the secret and the reviewer will not run. Update the review job in ai-review.yml
to either explicitly gate execution on the presence of OPENAI_API_KEY or switch
to a hardened pull_request_target-based approach if fork coverage is required,
and make sure the job condition and secret usage are aligned with the chosen
trigger.

28 changes: 28 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
name: CI
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]

jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
lfs: true
Comment on lines +1 to +14

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Lock down the CI token.

This workflow never writes back to the repo, but it currently inherits the repository default GITHUB_TOKEN scope and Line 12 persists that token into the checkout config. Add an explicit top-level permissions: { contents: read } and set persist-credentials: false on actions/checkout so test dependencies cannot reuse a write-scoped token.

🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 2-2: truthy value should be one of [false, true]

(truthy)


[error] 4-4: too many spaces inside brackets

(brackets)


[error] 4-4: too many spaces inside brackets

(brackets)


[error] 6-6: too many spaces inside brackets

(brackets)


[error] 6-6: too many spaces inside brackets

(brackets)

🪛 zizmor (1.26.1)

[warning] 12-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[warning] 1-29: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[info] 9-9: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)


[warning] 2-6: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 1 - 14, The CI workflow currently
leaves the default GITHUB_TOKEN permissions too broad and lets actions/checkout
persist credentials, which is unnecessary for the test job. Update the workflow
by adding a top-level permissions block that limits contents to read, and adjust
the actions/checkout step to disable credential persistence so no write-scoped
token is stored for later steps.

Source: Linters/SAST tools


- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.12'
Comment on lines +12 to +19

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n## .github/workflows/ci.yml\n'
nl -ba .github/workflows/ci.yml | sed -n '1,120p'

printf '\n## repo files mentioning zizmor or action pinning\n'
rg -n --hidden --glob '!.git' -e 'zizmor|immutable SHA|pin.*SHA|actions/checkout@|actions/setup-python@|uses:' .github README* . || true

printf '\n## workflow-related files\n'
git ls-files '.github/**' | sed -n '1,200p'

Repository: NITISH-R-G/ev-grid-oracle

Length of output: 232


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n## .github/workflows/ci.yml\n'
cat -n .github/workflows/ci.yml | sed -n '1,120p'

printf '\n## search for zizmor / pinning policy\n'
rg -n --hidden --glob '!.git' -e 'zizmor|immutable SHA|pin.*SHA|pinned to immutable|actions/checkout@v4|actions/setup-python@v5' .github README* . || true

printf '\n## workflow files\n'
git ls-files '.github/**' | sed -n '1,200p'

Repository: NITISH-R-G/ev-grid-oracle

Length of output: 3584


Pin these actions to immutable SHAs. actions/checkout@v4 and actions/setup-python@v5 are mutable tags, so this workflow can drift as upstream releases change.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 12-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 12 - 19, The workflow uses mutable
action tags for actions/checkout and actions/setup-python, so update the
checkout and Python setup steps to reference immutable commit SHAs instead of
version tags. Keep the existing step names and with settings intact, but replace
the tagged uses values in the CI workflow with pinned SHA references for those
two actions.

Source: Linters/SAST tools


- name: Install uv
run: pip install uv

- name: Install dependencies
run: uv pip install --system -e ".[dev,demo]"

- name: Run Python Tests
run: uv run pytest tests/
20 changes: 20 additions & 0 deletions .github/workflows/greetings.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
name: Greetings
on:
pull_request_target:
types: [opened]
issues:
types: [opened]

permissions:
issues: write
pull-requests: write
Comment on lines +3 to +10

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow file and its exact action reference.
git ls-files .github/workflows/greetings.yml
echo '---'
wc -l .github/workflows/greetings.yml
echo '---'
cat -n .github/workflows/greetings.yml

Repository: NITISH-R-G/ev-grid-oracle

Length of output: 977


Pin actions/first-interaction to a commit SHA.

pull_request_target runs with the repository token, and this workflow grants issues: write and pull-requests: write. Using the mutable @v1 tag here leaves a write-scoped workflow dependent on an upstream ref that can move.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 9-9: overly broad permissions (excessive-permissions): issues: write is overly broad at the workflow level

(excessive-permissions)


[error] 10-10: overly broad permissions (excessive-permissions): pull-requests: write is overly broad at the workflow level

(excessive-permissions)


[warning] 9-9: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/greetings.yml around lines 3 - 10, The greetings workflow
uses the mutable actions/first-interaction@v1 in a write-scoped
pull_request_target job, so update the first-interaction step in the greetings
workflow to reference a fixed commit SHA instead of the tag. Keep the existing
permissions and triggers unchanged, and verify the action reference is pinned
wherever actions/first-interaction is invoked.

Source: Linters/SAST tools


jobs:
greeting:
runs-on: ubuntu-latest
steps:
- uses: actions/first-interaction@v1
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
issue-message: "Welcome to the repository! Thank you for opening your first issue. A maintainer or our AI system will be with you shortly."
pr-message: "Welcome to the repository! Thank you for opening your first pull request. Our CI and AI reviewer will take a look."
14 changes: 14 additions & 0 deletions .github/workflows/labeler.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
name: "Pull Request Labeler"
on:
pull_request_target:
types: [opened, synchronize, reopened]

permissions:
contents: read
pull-requests: write
Comment on lines +3 to +8

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin actions/labeler to a full commit SHA

This workflow runs under pull_request_target with write permissions, so leaving a third-party action on the mutable v5 tag exposes it to upstream tag retargeting or compromise.

Suggested change
-      - uses: actions/labeler@v5
+      - uses: actions/labeler@<full-length-commit-sha> # v5
🧰 Tools
🪛 zizmor (1.26.1)

[error] 8-8: overly broad permissions (excessive-permissions): pull-requests: write is overly broad at the workflow level

(excessive-permissions)


[warning] 8-8: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/labeler.yml around lines 3 - 8, Pin the third-party action
used by the labeler workflow to an immutable full commit SHA instead of a
mutable version tag. Update the `actions/labeler` reference in the workflow so
the `pull_request_target` job with write permissions cannot be affected by
upstream tag retargeting; keep the rest of the workflow unchanged.


jobs:
triage:
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v5
29 changes: 29 additions & 0 deletions .github/workflows/pages.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
name: GitHub Pages
on:
push:
branches: [ "main" ]

permissions:
contents: read
pages: write
id-token: write

jobs:
deploy:
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
lfs: true
Comment on lines +6 to +20

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Scope Pages permissions to the deploy job and disable checkout credential persistence.

Lines 6-9 grant pages: write and id-token: write at workflow scope, and Line 18 keeps the token in the local git config. Move the write permissions under jobs.deploy.permissions and add persist-credentials: false on checkout so the only job that needs deployment credentials gets them, and the workspace does not retain them.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 18-20: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 8-8: overly broad permissions (excessive-permissions): pages: write is overly broad at the workflow level

(excessive-permissions)


[error] 9-9: overly broad permissions (excessive-permissions): id-token: write is overly broad at the workflow level

(excessive-permissions)


[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 8-8: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)


[info] 12-12: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pages.yml around lines 6 - 20, The Pages workflow
currently grants deployment permissions at the workflow level and keeps checkout
credentials persisted, which is broader than needed. Move the pages and id-token
permissions into the deploy job’s permissions block on deploy, and update the
actions/checkout step in that same job to disable credential persistence with
persist-credentials set to false. Use the deploy job and checkout step as the
targets for the change.

Source: Linters/SAST tools

- name: Setup Pages
uses: actions/configure-pages@v4
- name: Upload artifact
uses: actions/upload-pages-artifact@v3
with:
path: './docs'
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4
Comment on lines +1 to +29

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Serialize Pages deployments.

Without a concurrency group, two quick pushes to main can race and an older run can finish last, redeploying stale ./docs content. Add a workflow/job concurrency group with cancel-in-progress: true so only the newest documentation publish wins.

🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 2-2: truthy value should be one of [false, true]

(truthy)


[error] 4-4: too many spaces inside brackets

(brackets)


[error] 4-4: too many spaces inside brackets

(brackets)

🪛 zizmor (1.26.1)

[warning] 18-20: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 8-8: overly broad permissions (excessive-permissions): pages: write is overly broad at the workflow level

(excessive-permissions)


[error] 9-9: overly broad permissions (excessive-permissions): id-token: write is overly broad at the workflow level

(excessive-permissions)


[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 29-29: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 8-8: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)


[info] 12-12: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)


[warning] 2-4: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pages.yml around lines 1 - 29, Add concurrency control to
the GitHub Pages workflow so only the latest publish from main can deploy.
Update the GitHub Pages workflow by introducing a workflow or deploy-job
concurrency group for the deploy job, with cancel-in-progress enabled, so
overlapping runs from quick pushes cannot finish out of order and redeploy stale
./docs content.

Source: Linters/SAST tools

68 changes: 68 additions & 0 deletions .github/workflows/repo-maintenance.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
name: Repository Maintenance
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]

permissions:
contents: write

jobs:
maintain:
if: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }}
Comment on lines +1 to +13

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Add per-ref concurrency before this job auto-pushes.

This workflow mutates the same branch it runs on. Without a concurrency group, two runs on the same ref can both create maintenance commits, and the loser is silently dropped by git push ... || true, leaving generated artifacts stale.

🔧 Suggested change
 name: Repository Maintenance
 on:
   push:
     branches: [ "main" ]
   pull_request:
     branches: [ "main" ]
+
+concurrency:
+  group: repo-maintenance-${{ github.workflow }}-${{ github.event.pull_request.head.ref || github.ref }}
+  cancel-in-progress: true
 
 permissions:
   contents: write
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
name: Repository Maintenance
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
permissions:
contents: write
jobs:
maintain:
if: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }}
name: Repository Maintenance
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
concurrency:
group: repo-maintenance-${{ github.workflow }}-${{ github.event.pull_request.head.ref || github.ref }}
cancel-in-progress: true
permissions:
contents: write
jobs:
maintain:
if: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }}
🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 2-2: truthy value should be one of [false, true]

(truthy)


[error] 4-4: too many spaces inside brackets

(brackets)


[error] 4-4: too many spaces inside brackets

(brackets)


[error] 6-6: too many spaces inside brackets

(brackets)


[error] 6-6: too many spaces inside brackets

(brackets)

🪛 zizmor (1.26.1)

[error] 9-9: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level

(excessive-permissions)


[warning] 9-9: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)


[info] 12-12: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)


[warning] 2-6: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/repo-maintenance.yml around lines 1 - 13, Add a per-ref
concurrency group to the Repository Maintenance workflow before the maintain job
runs so only one run can mutate a given branch at a time. Use the maintain job
and the workflow trigger context to define concurrency keyed by the ref (for
example, the branch or PR ref), and make sure parallel runs on the same ref are
canceled or serialized before any auto-push happens.

Source: Linters/SAST tools

runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.head_ref || github.ref }}
fetch-depth: 0
lfs: true

- name: Set up Python
uses: actions/setup-python@v5
Comment on lines +16 to +23

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin these actions to commit SHAs. actions/checkout and actions/setup-python are mutable tags; use exact commit SHAs instead.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 16-20: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 23-23: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/repo-maintenance.yml around lines 16 - 23, Pin the GitHub
Actions used in the workflow to immutable commit SHAs instead of mutable version
tags. Update the uses entries for actions/checkout and actions/setup-python in
the repo maintenance workflow to reference their exact commit hashes, keeping
the existing checkout/setup configuration intact while only changing the action
identifiers.

with:
python-version: '3.12'

- name: Install dependencies
run: |
pip install uv
uv pip install --system -e ".[dev,demo]"
uv pip install --system cyclonedx-bom cyclonedx-py pydeps
sudo apt-get update && sudo apt-get install -y xdg-utils graphviz

- name: Autofix Code Quality
run: |
uv run --with ruff ruff check --fix . || true
uv run --with ruff ruff format . || true

- name: Generate Architecture Diagrams
run: |
mkdir -p docs/architecture
pydeps ev_grid_oracle --output docs/architecture/ev_grid_oracle.svg --no-show || true

- name: Generate Knowledge Graph
run: |
mkdir -p docs/knowledge
python tools/generate_knowledge_graph.py


- name: Docs Sync
run: |
python tools/docs_sync.py
mkdir -p docs


- name: Generate SBOM
run: |
cyclonedx-py environment -o bom.json || true

- name: Commit and Push Changes
run: |
git config --global user.name "github-actions[bot]"
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
git add .
git commit -m "chore: autonomous repository maintenance [skip ci]" || echo "No changes to commit"
# Avoid using the actual push command in testing script to not block session
# We'll write the script that GH Actions runs
git push origin ${{ github.head_ref || github.ref }} || true
19 changes: 19 additions & 0 deletions .github/workflows/stale.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
name: Mark stale issues and pull requests
on:
schedule:
- cron: '30 1 * * *'

permissions:
issues: write
pull-requests: write

jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v9
Comment on lines +6 to +14

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

git ls-files .github/workflows/stale.yml
wc -l .github/workflows/stale.yml
cat -n .github/workflows/stale.yml

Repository: NITISH-R-G/ev-grid-oracle

Length of output: 855


🏁 Script executed:

#!/bin/bash
set -euo pipefail

python3 - <<'PY'
import pathlib, re
p = pathlib.Path('.github/workflows/stale.yml')
text = p.read_text()
m = re.search(r'uses:\s*actions/stale@([^\s#]+)', text)
print("match:", m.group(1) if m else "none")
PY

Repository: NITISH-R-G/ev-grid-oracle

Length of output: 173


Pin actions/stale to an immutable SHA.

This scheduled workflow runs with write permissions; using actions/stale@v9 leaves it vulnerable to a tag retarget executing on the repo token.

Suggested change
-      - uses: actions/stale@v9
+      - uses: actions/stale@<full-length-commit-sha> # v9
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
permissions:
issues: write
pull-requests: write
jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v9
permissions:
issues: write
pull-requests: write
jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@<full-length-commit-sha> # v9
🧰 Tools
🪛 zizmor (1.26.1)

[error] 7-7: overly broad permissions (excessive-permissions): issues: write is overly broad at the workflow level

(excessive-permissions)


[error] 8-8: overly broad permissions (excessive-permissions): pull-requests: write is overly broad at the workflow level

(excessive-permissions)


[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 7-7: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)


[info] 11-11: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/stale.yml around lines 6 - 14, The stale workflow uses a
mutable actions tag with write permissions, so update the actions/stale
reference in the stale job to a pinned immutable commit SHA instead of v9. Keep
the existing stale job structure and permissions, and only replace the action
identifier in the uses step so the workflow remains functionally the same but is
locked to a specific revision.

Source: Linters/SAST tools

with:
stale-issue-message: 'This issue is stale because it has been open 30 days with no activity.'
stale-pr-message: 'This PR is stale because it has been open 30 days with no activity.'
days-before-stale: 30
days-before-close: 7
13 changes: 13 additions & 0 deletions CODE_OF_CONDUCT.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
# Contributor Covenant Code of Conduct

## Our Pledge

We as members, contributors, and leaders pledge to make participation in our
community a harassment-free experience for everyone, regardless of age, body
size, visible or invisible disability, ethnicity, sex characteristics, gender
identity and expression, level of experience, education, socio-economic status,
nationality, personal appearance, race, religion, or sexual identity
and orientation.

We pledge to act and interact in ways that contribute to an open, welcoming,
diverse, inclusive, and healthy community.
13 changes: 13 additions & 0 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
# Contributing

Thank you for investing your time in contributing to our project!

Read our [Code of Conduct](./CODE_OF_CONDUCT.md) to keep our community approachable and respectable.

## Getting Started

1. Fork the repository
2. Create your feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add some amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request
Loading