check.yaml
name: "PR health"
on:
  pull_request_target:
    # !!!! pull_request_target runs in the context of the base repository, with its
    # secrets and (below) pull-requests: write. Never check out or execute code from
    # the PR head in this workflow, and treat every field of the event payload
    # (title, body, branch name, ...) as untrusted input.
    # See: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
    types: [edited, opened, reopened, synchronize]
permissions:
  contents: read
jobs:
  pr-check:
    timeout-minutes: 10
    runs-on: ubuntu-24.04
    permissions:
      pull-requests: write
    steps:
      - name: Add checklist comment
        # The pull_request payload has no `author` field; the author's login is
        # `user.login`, and Dependabot's login is `dependabot[bot]`.
        if: github.event.pull_request.user.login != 'dependabot[bot]'
        uses: marocchino/sticky-pull-request-comment@daa4a82a0a3f6c162c02b83fa44b3ab83946f7cb # v2.9.0
        with:
          header: PR reviewer checklist
          only_create: true
          message: |
            ## Reviewer Checklist
            :mag: Each of these sections needs to be checked by the reviewer of the PR :mag::
            If something doesn't apply, please check the box and add a justification if the reason is not obvious.
            - [ ] Is the PR title satisfactory? Is this part of a larger feature and should be grouped using `> Changelog`?
            - [ ] PR description is clear and complete. It [links to the relevant issue][1] as well as docs and UI issues
            - [ ] This will not break child repos: it doesn't hardcode values (e.g. "kumahq" as an image registry)
            - [ ] IPv6 is taken into account (e.g. no string concatenation of host and port)
            - [ ] Tests (unit tests, E2E tests, manual test on universal and k8s)
              - Don't forget `ci/` labels to run additional/fewer tests
            - [ ] Does this contain a change that needs to be notified to users? In this case, [`UPGRADE.md`](../blob/master/UPGRADE.md) should be updated.
            - [ ] Does it need to be backported according to the [backporting policy](../blob/master/CONTRIBUTING.md#backporting)? ([this](https://github.com/kumahq/kuma/actions/workflows/auto-backport.yaml) GH action will add the "backport" label based on these [file globs](https://github.com/kumahq/kuma/blob/master/.github/workflows/auto-backport.yaml#L6); if you want to prevent it from adding the "backport" label, use the [no-backport-autolabel](https://github.com/kumahq/kuma/blob/master/.github/workflows/auto-backport.yaml#L8) label)

            [1]: https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword
      - name: Check PR title
        # Check the PR title against the Conventional Commits format using commitlint.
        # For more details, see: https://www.conventionalcommits.org/en/v1.0.0/
        # This ensures the PR title matches the conventional commit title format,
        # as it will be used as the commit message after squashing.
        # See: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/about-pull-request-merges#merge-message-for-a-squash-merge.
        if: github.event.action != 'synchronize'
        env:
          # Pass the PR title through an environment variable instead of expanding
          # ${{ }} inside `run:`. Expressions are substituted into the script text
          # before the shell parses it, so a crafted title could inject commands. See:
          # https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          # Create a temporary commitlint configuration file. The heredoc delimiter is
          # quoted so the shell performs no expansion inside the config.
          cat <<'EOF' > commitlint.config.js
          module.exports = {
            extends: ["@commitlint/config-conventional"],
            helpUrl: "https://github.com/kumahq/kuma/blob/master/CONTRIBUTING.md#commit-message-format",
            rules: {
              "body-max-line-length": [0],
              "footer-max-line-length": [0],
              "footer-leading-blank": [0],
              "header-max-length": [0],
              // Level 2 (error) with "never": a title using one of these scopes is rejected.
              "scope-enum": [2, "never", [
                "kumacp", "kumadp", "kumacni", "kumainit", "*", "madr", "test", "ci", "perf", "policies", "tests"
              ]],
              // A scope is mandatory.
              "scope-empty": [2, "never"]
            },
          };
          EOF
          # Install commitlint CLI and configuration
          npm install -g @commitlint/[email protected] @commitlint/[email protected]
          # Validate the PR title, reading it from the environment variable.
          # Writing '${{ env.TITLE }}' here would reintroduce the injection: the expression
          # is expanded into the script text regardless of the quotes around it. "$TITLE"
          # is an ordinary shell variable and is never parsed as code.
          echo "$TITLE" | commitlint --config commitlint.config.js
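The following script is an added, offline model of the "Check PR title" step; it is not part of the kuma repository and does not call commitlint. It demonstrates two things from the step above: first, why the title must reach the shell through an environment variable rather than a `${{ }}` expression (the runner substitutes the expression into the script text before the shell parses it, which `unsafe_step` imitates with plain string interpolation), and second, a POSIX-shell approximation of the commitlint rules in the config (types from `@commitlint/config-conventional`, a mandatory scope, and the listed scopes rejected because the rule is set to `"never"`). The malicious title and the sample titles are constructed; the `subject-case` rules of the conventional preset are deliberately not modelled.

```shell
#!/bin/sh
# Added example, not kuma project code. Models the PR-title step offline.

# --- (a) ${{ }} substitution vs. environment variable --------------------

# GitHub pastes the value of a ${{ }} expression into the script text before
# the shell ever sees it. String interpolation here imitates that step.
unsafe_step() {
  # What   run: echo 'PR title: ${{ github.event.pull_request.title }}'
  # becomes once the runner has substituted the title into the script:
  script="echo 'PR title: $1'"
  sh -c "$script"
}

# Hardened form, as the workflow does it: the script text is constant and the
# title is only ever data in $TITLE, so quoting and parsing cannot be subverted.
safe_step() {
  TITLE="$1" sh -c 'echo "PR title: $TITLE"'
}

# Constructed malicious title: closes the single quote and runs a command.
EVIL_TITLE="'; echo INJECTED; echo '"

# --- (b) commitlint-like check of the title header ------------------------

# type-enum of @commitlint/config-conventional
is_allowed_type() {
  case $1 in
    build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test) return 0 ;;
    *) return 1 ;;
  esac
}

# scope-enum [2, "never", ...]: any of these scopes is an error. The literal
# '*' is quoted so it is not treated as a glob.
is_denied_scope() {
  case $1 in
    kumacp|kumadp|kumacni|kumainit|'*'|madr|test|ci|perf|policies|tests) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 and prints "ok" when the title passes, otherwise prints the
# failing rule and returns 1. Header form: type(scope)!: subject
check_title() {
  title=$1
  case $title in
    *": "*) ;;
    *) echo "header-format: expected 'type(scope): subject'"; return 1 ;;
  esac
  prefix=${title%%: *}      # e.g. "feat(kuma-cp)" or "feat(kuma-cp)!"
  subject=${title#*: }
  prefix=${prefix%!}        # breaking-change marker is permitted
  case $prefix in
    *'('*')') type=${prefix%%(*}; scope=${prefix#*(}; scope=${scope%)} ;;
    *'('*|*')'*) echo "header-format: unbalanced scope parentheses"; return 1 ;;
    *) type=$prefix; scope= ;;
  esac
  [ -n "$type" ] || { echo "type-empty: type is required"; return 1; }
  is_allowed_type "$type" || { echo "type-enum: '$type' is not an allowed type"; return 1; }
  [ -n "$scope" ] || { echo "scope-empty: a scope is required"; return 1; }
  if is_denied_scope "$scope"; then
    echo "scope-enum: scope '$scope' is rejected"; return 1
  fi
  [ -n "$subject" ] || { echo "subject-empty: subject is required"; return 1; }
  echo "ok"
  return 0
}

# Demonstration when run directly.
echo "unsafe step output:"; unsafe_step "$EVIL_TITLE"
echo "safe step output:";   safe_step "$EVIL_TITLE"
for t in "fix(kuma-cp): handle IPv6 hosts" "fix(kumacp): typo" \
         "fix: no scope" "chore(*): bump deps" "$EVIL_TITLE"; do
  printf '%-34s -> ' "$t"; check_title "$t" || true
done
```

Running it prints `INJECTED` on its own line only for `unsafe_step`; `safe_step` prints the hostile title verbatim as data. Note that the shell check is an approximation for experimenting with titles locally; the workflow's verdict comes from commitlint.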