From 69c2518900f98ca523bc04b119c343165498dbf2 Mon Sep 17 00:00:00 2001
From: PavelSBorisov
Date: Tue, 27 Jan 2026 15:12:14 +0200
Subject: [PATCH 1/3] ci: add pr formatting checks
Signed-off-by: PavelSBorisov
---
.../000-flow-pull-request-formatting.yaml | 55 +++++++++++++++++++
1 file changed, 55 insertions(+)
create mode 100644 .github/workflows/000-flow-pull-request-formatting.yaml
diff --git a/.github/workflows/000-flow-pull-request-formatting.yaml b/.github/workflows/000-flow-pull-request-formatting.yaml
new file mode 100644
index 00000000..12fbafff
--- /dev/null
+++ b/.github/workflows/000-flow-pull-request-formatting.yaml
@@ -0,0 +1,55 @@
+name: "000: [FLOW] PR Formatting"
+on:
+ pull_request_target:
+ types:
+ - assigned
+ - unassigned
+ - labeled
+ - unlabeled
+ - opened
+ - reopened
+ - edited
+ - converted_to_draft
+ - ready_for_review
+ - review_requested
+ - review_request_removed
+ - locked
+ - unlocked
+ - synchronize
+
+defaults:
+ run:
+ shell: bash
+
+permissions:
+ statuses: write
+
+jobs:
+ title-check:
+ name: Title Check
+ runs-on: network-node-linux-medium
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ with:
+ egress-policy: audit
+
+ - name: Check PR Title
+ uses: step-security/action-semantic-pull-request@bc0cf74f5be4ce34accdec1ae908dff38dc5def1 # v6.1.1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ assignee-check:
+ name: Assignee Check
+ runs-on: network-node-linux-medium
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ with:
+ egress-policy: audit
+
+ - name: Check Assignee
+ if: ${{ github.event.pull_request.assignees == null || github.event.pull_request.assignees[0] == null }}
+ run: |
+ echo "Assignee is not set. Failing the workflow."
+ exit 1
From 5682141af399e32066b9ed3563b54d65e435372b Mon Sep 17 00:00:00 2001
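Review bot: The top-level `permissions: statuses: write` hands a write-scoped token to both jobs on every `pull_request_target` event, including those raised by fork PRs, although `assignee-check` only evaluates an `if:` and runs `echo`/`exit 1`. I would move the grant to job level: `permissions: {}` on `assignee-check`, and on `title-check` only what the title action needs (its documentation, as far as I recall, asks for `pull-requests: read`; whether `statuses: write` is needed without the WIP option should be confirmed). The workflow stays safe under `pull_request_target` only because no step checks out or executes PR head code, so a comment above the trigger such as `# pull_request_target: runs with the base repo's token; never check out or run PR head code in this workflow` is worth adding. `egress-policy: audit` records outbound traffic but does not block it, so once a baseline exists consider `egress-policy: block` with an allow-list.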
From: PavelSBorisov
Date: Tue, 27 Jan 2026 16:36:10 +0200
Subject: [PATCH 2/3] chore: add dependabot.yaml
Signed-off-by: PavelSBorisov
---
.github/dependabot.yaml | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 .github/dependabot.yaml
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 00000000..c37e7be2
--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: Apache-2.0
+version: 2
+updates:
+ # npm dependencies
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 10
+
+ # GitHub Actions
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 5
From 0edf8831c7f5e65ac6bd1a74274d3675168aae0a Mon Sep 17 00:00:00 2001
From: PavelSBorisov
Date: Tue, 27 Jan 2026 16:38:38 +0200
Subject: [PATCH 3/3] chore: replace action with step-security version
Signed-off-by: PavelSBorisov
---
.github/workflows/npm-publish.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 40233394..14c4eb41 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -36,7 +36,7 @@ jobs: node-version: '20' - name: Setup JQ - uses: dcarbone/install-jq-action@b7ef57d46ece78760b4019dbc4080a1ba2a40b45 # v3.2.0 + uses: step-security/install-jq-action@fd50feb4e8cd2b0e1e72df42db468e62c71d58f4 # v3.2.0 with: version: 1.7
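Review bot: Neither `updates` entry sets `assignees` or a `commit-message` prefix, so the PRs Dependabot opens from this config would arrive with no assignee and a generated title, and would presumably fail the Assignee Check (and possibly the Title Check) that patch 1/3 adds. Red checks on update PRs tend to leave them unmerged, which defeats the point of tracking the SHA-pinned actions. Consider adding to each entry `assignees: ["<maintainer-handle>"]` and `commit-message:` with `prefix: "chore"`, using whichever type the title check accepts.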
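Review bot: The trailing `# v3.2.0` comment is carried over unchanged while both the owner and the commit SHA change, and nothing in the patch shows that `fd50feb4e8cd2b0e1e72df42db468e62c71d58f4` is the v3.2.0 tag of `step-security/install-jq-action`. Since this step runs in the npm publish workflow, it is worth confirming the SHA against the fork's tag before merging and correcting the comment if the fork numbers its releases differently. The enclosing job starts and ends outside the hunk, so the token and secret scope available to this step can't be judged from here.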