build(repo): Add Github Actions integrations #1
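name: "Branch Protection Enforcement"

on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
  # Runs for pushes to main are skipped by the job-level `if` below; the
  # trigger is kept so the workflow stays registered on the default branch.
  push:
    branches:
      - main

# Least privilege. `pull-requests: write` is needed for the quality comment
# (the original `read` grant made createComment fail with 403). On
# `pull_request` runs from forks GITHUB_TOKEN is read-only no matter what is
# requested here, so commenting is treated as best-effort below.
# NOTE(review): reading branch protection needs repository *administration*
# (read) access, which cannot be granted to GITHUB_TOKEN via `permissions:`;
# if the first step fails with 403, pass a dedicated token via `github-token:`.
permissions:
  contents: read
  pull-requests: write
  checks: read

jobs:
  # Validate that the required checks are configured on the protected branch
  # and that the PR carries basic review metadata. Nothing in this job reads
  # the workspace, so the repository is deliberately not checked out.
  validate-protection:
    name: Validate Branch Protection
    runs-on: ubuntu-latest
    timeout-minutes: 10
    if: github.event_name == 'pull_request'
    steps:
      - name: Check required status checks
        # NOTE(review): supply-chain hygiene — prefer pinning actions to a full
        # commit SHA instead of a mutable tag.
        uses: actions/github-script@v7
        with:
          script: |
            const { owner, repo } = context.repo;
            const branch = 'main';

            // Status checks that branch protection must require before merge.
            const expectedChecks = [
              'ci-success',
              'CodeQL',
              'Secret Scanning',
              'Go Vulnerability Scan',
              'Container Security Scan',
            ];

            // Fetch the protection rules; a 404 means no protection at all.
            let protection;
            try {
              ({ data: protection } = await github.rest.repos.getBranchProtection({ owner, repo, branch }));
            } catch (error) {
              if (error.status === 404) {
                core.setFailed('Branch protection is not configured for main branch');
              } else {
                core.setFailed(`Error checking branch protection: ${error.message}`);
              }
              return;
            }

            // Required checks may live in the legacy `contexts` list and/or the
            // newer `checks` list ({ context, app_id }); merge both.
            const statusChecks = protection.required_status_checks;
            const legacyContexts = statusChecks?.contexts ?? [];
            const checksV2 = statusChecks?.checks ?? [];
            const requiredContexts = new Set([
              ...legacyContexts,
              ...checksV2.map((c) => c.context),
            ]);
            console.log('Required status checks:', [...requiredContexts]);

            const missingChecks = expectedChecks.filter((check) => !requiredContexts.has(check));
            if (missingChecks.length > 0) {
              core.setFailed(`Missing required status checks: ${missingChecks.join(', ')}`);
              return;
            }

            // Without `strict`, a PR can merge with checks that ran against a
            // stale base. Non-blocking, surfaced as an annotation.
            if (statusChecks?.strict !== true) {
              core.warning('Required status checks are not strict (branch need not be up to date before merging)');
            }

            if (!protection.required_pull_request_reviews) {
              core.setFailed('Pull request reviews are not required');
              return;
            }

            // These settings are objects of the form { enabled: boolean }; a
            // truthiness test on the object itself never detects the disabled
            // state, so check `.enabled` explicitly.
            if (protection.enforce_admins?.enabled !== true) {
              core.warning('Admin enforcement is disabled');
            }
            if (protection.required_linear_history?.enabled !== true) {
              core.warning('Linear history is not enforced');
            }

            console.log('✅ Branch protection is properly configured');

      - name: Validate PR requirements
        uses: actions/github-script@v7
        with:
          script: |
            if (context.eventName !== 'pull_request') return;
            const { owner, repo } = context.repo;
            const pr = context.payload.pull_request;

            // `head.repo` is null when the source fork has since been deleted.
            const isFork = pr.head.repo?.full_name !== pr.base.repo.full_name;

            // Type label (optional) and a minimal description.
            const hasTypeLabel = pr.labels.some(({ name }) =>
              name.startsWith('type:') || name.startsWith('kind:')
            );
            const hasDescription = typeof pr.body === 'string' && pr.body.trim().length > 10;

            const warnings = [];
            if (isFork) {
              core.info('ℹ️ PR is from a fork - some checks may be limited');
            }
            if (!hasTypeLabel) {
              warnings.push('PR is missing a type label (type:bug, type:feature, etc.)');
            }
            if (!hasDescription) {
              warnings.push('PR has minimal or no description');
            }

            if (warnings.length > 0) {
              console.log('⚠️ PR Quality Warnings:');
              for (const warning of warnings) {
                core.warning(warning);
              }

              // Hidden marker so repeated `synchronize` runs update one comment
              // instead of posting a new one on every push.
              const marker = '<!-- branch-protection-enforcement:pr-quality -->';
              const body = `${marker}\n## PR Quality Check\n\n⚠️ **Warnings:**\n${warnings.map((w) => `- ${w}`).join('\n')}\n\nWhile these don't block the PR, addressing them improves code review quality.`;

              // Best-effort: the token is read-only for fork PRs and these
              // warnings are explicitly non-blocking, so a failed comment must
              // not fail the job.
              try {
                const { data: comments } = await github.rest.issues.listComments({
                  owner,
                  repo,
                  issue_number: pr.number,
                  per_page: 100,
                });
                const existing = comments.find((c) => c.body?.includes(marker));
                if (existing) {
                  await github.rest.issues.updateComment({ owner, repo, comment_id: existing.id, body });
                } else {
                  await github.rest.issues.createComment({ owner, repo, issue_number: pr.number, body });
                }
              } catch (error) {
                core.warning(`Could not post PR quality comment: ${error.message}`);
              }
            }

            console.log('✅ PR validation completed');

# NOTE: Merge gate logic removed - relying on GitHub's native branch protection
# GitHub branch protection rules handle status check enforcement natively
# This eliminates potential failure points and uses the platform's robust mechanism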