diff --git a/.github/README.md b/.github/README.md
new file mode 100644
index 00000000..2d77ccbc
--- /dev/null
+++ b/.github/README.md
@@ -0,0 +1,23 @@
+# GitHub Actions Workflows
+
+## PR Labeler
+
+The PR Labeler workflow automatically applies labels to pull requests based on the files changed.
+
+### Security Considerations
+
+This implementation addresses security concerns identified in similar workflows:
+
+1. **Uses `pull_request` instead of `pull_request_target`**: The workflow uses the `pull_request` event to avoid security risks associated with running untrusted code from PRs with elevated permissions. This is the recommended approach for labeling workflows.
+
+2. **No checkout of untrusted code**: By using the `pull_request` event, the workflow automatically checks out the base branch, avoiding the security risk of executing potentially malicious code from PRs.
+
+3. **Fork compatibility**: Works correctly with PRs from forked repositories without requiring special configuration.
+
+### Configuration
+
+Labels are automatically applied based on file patterns defined in `.github/labeler.yml`. The configuration uses the actions/labeler@v5 schema with array matchers.
+
+Available labels:
+- Module labels: `api`, `bloom-filter`, `config`, `consensus`, `core`, `crypto`, `distributed-ledger`, `erasure-code`, `network`, `protocol`, `shared-resources`, `trie`, `util`
+- Functional labels: `documentation`, `ci`, `docker`, `build`, `tests`
diff --git a/.github/labeler.yml b/.github/labeler.yml
new file mode 100644
index 00000000..e6e7721a
--- /dev/null
+++ b/.github/labeler.yml
@@ -0,0 +1,92 @@
+# GitHub Actions Labeler configuration for actions/labeler@v5
+# This configuration uses the v5 schema with array matchers
+
+# Module-specific labels
+api:
+ - changed-files:
+ - any-glob-to-any-file: 'adrestus-api/**/*'
+
+bloom-filter:
+ - changed-files:
+ - any-glob-to-any-file: 'adrestus-bloom-filter/**/*'
+
+config:
+ - changed-files:
+ - any-glob-to-any-file: 'adrestus-config/**/*'
+
+consensus:
+ - changed-files:
+ - any-glob-to-any-file: 'adrestus-consensus/**/*'
+
+core:
+ - changed-files:
+ - any-glob-to-any-file: 'adrestus-core/**/*'
+
+crypto:
+ - changed-files:
+ - any-glob-to-any-file: 'adrestus-crypto/**/*'
+
+distributed-ledger:
+ - changed-files:
+ - any-glob-to-any-file: 'adrestus-distributed-ledger/**/*'
+
+erasure-code:
+ - changed-files:
+ - any-glob-to-any-file: 'adrestus-erasure-code/**/*'
+
+network:
+ - changed-files:
+ - any-glob-to-any-file: 'adrestus-network/**/*'
+
+protocol:
+ - changed-files:
+ - any-glob-to-any-file: 'adrestus-protocol/**/*'
+
+shared-resources:
+ - changed-files:
+ - any-glob-to-any-file: 'adrestus-shared-resources/**/*'
+
+trie:
+ - changed-files:
+ - any-glob-to-any-file: 'adrestus-trie/**/*'
+
+util:
+ - changed-files:
+ - any-glob-to-any-file: 'adrestus-util/**/*'
+
+# Documentation labels
+documentation:
+ - changed-files:
+ - any-glob-to-any-file:
+ - '**/*.md'
+ - 'docs/**/*'
+
+# CI/CD labels
+ci:
+ - changed-files:
+ - any-glob-to-any-file:
+ - '.github/**/*'
+ - '.circleci/**/*'
+ - 'appveyor.yml'
+
+# Docker labels
+docker:
+ - changed-files:
+ - any-glob-to-any-file:
+ - 'Dockerfile*'
+ - 'docker-compose.yml'
+ - '.dockerignore'
+
+# Build configuration labels
+build:
+ - changed-files:
+ - any-glob-to-any-file:
+ - 'pom.xml'
+ - '**/pom.xml'
+ - 'makefile'
+ - '*.sh'
+
+# Test labels
+tests:
+ - changed-files:
+ - any-glob-to-any-file: '**/src/test/**/*'
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
new file mode 100644
index 00000000..edcdd053
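Review bot: In `.github/labeler.yml`, the `build` and `docker` globs `'makefile'`, `'*.sh'`, `'Dockerfile*'` and `'docker-compose.yml'` have no `**/` form, so they match only files at the repository root, while `pom.xml` is listed both ways. If any module carries its own scripts or Dockerfiles, changes to them will go unlabeled; adding `'**/*.sh'` and `'**/Dockerfile*'` next to the root patterns would make the lists consistent. Glob matching is normally case-sensitive, so `'makefile'` presumably will not match a file named `Makefile`; confirm the actual file name. Since `ci` covers `.github/**/*`, a comment above it such as `# Changes under .github/ alter CI behaviour and token permissions; review closely` would help whoever triages on labels.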
--- /dev/null
+++ b/.github/workflows/pr-labeler.yml
@@ -0,0 +1,29 @@
+name: PR Labeler
+on:
+ pull_request:
+ types: [opened, synchronize, reopened, ready_for_review]
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ label:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+
+ - name: Print labeler config
+ run: |
+ echo "=== .github/labeler.yml ==="
+ # Print only the first 200 lines to avoid log overflow in CI output
+ sed -n '1,200p' .github/labeler.yml
+
+ - uses: actions/labeler@v5
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ configuration-path: .github/labeler.yml
+ sync-labels: true
+ dot: true
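Review bot: The `actions/checkout@v4` step on a `pull_request` trigger checks out the PR merge commit, not the base branch, so the `sed` step and `actions/labeler@v5` both read a `.github/labeler.yml` that the PR author can edit; the README added in this commit states the opposite. Nothing from the checkout is executed in this job, but the resulting labels should not be relied on for review routing or gating, and the checkout should at least set `persist-credentials: false` under its `with:`. For PRs from forks, `GITHUB_TOKEN` is read-only under `pull_request` regardless of the `permissions:` block, so the labeler step will likely fail to write labels there, which contradicts the README's fork-compatibility claim. Consider also pinning `actions/checkout` and `actions/labeler` to full commit SHAs instead of the mutable `v4`/`v5` tags.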