Skip to content

🌱 ci: Use centralized reusable workflows from infra repo #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
clubanderson merged 1 commit into from
Jan 12, 2026
Merged

🌱 ci: Use centralized reusable workflows from infra repo #7

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 5 additions & 35 deletions .github/workflows/add-help-wanted.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,43 +1,13 @@
name: Add Help Wanted, Good First Issue, or Hacktober Fest Labels
name: Add Help Wanted Labels

on:
issue_comment:
types: [created]

permissions:
issues: write
contents: read

jobs:
label-on-comment:
if: github.event.comment.body == '/help-wanted' || github.event.comment.body == '/good-first-issue' || github.event.comment.body == '/hacktober-fest'
runs-on: ubuntu-latest
steps:
- name: Add label based on comment
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
with:
script: |
const comment = context.payload.comment.body.trim().toLowerCase();
const issue_number = context.payload.issue.number;
const owner = context.repo.owner;
const repo = context.repo.repo;

let label = null;
if (comment === '/help-wanted') {
label = 'help wanted';
} else if (comment === '/good-first-issue') {
label = 'good first issue';
} else if (comment === '/hacktober-fest') {
label = 'hacktober-fest';
}

if (label) {
await github.rest.issues.addLabels({
owner,
repo,
issue_number,
labels: [label],
});
console.log(`Added label: ${label}`);
} else {
console.log('No matching label to apply.');
}
label:
uses: kubestellar/infra/.github/workflows/reusable-add-help-wanted.yml@main
secrets: inherit
25 changes: 5 additions & 20 deletions .github/workflows/feedback.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,25 +4,10 @@ on:
pull_request:
types: [closed]

permissions:
contents: read

jobs:
feedback:
if: github.event.pull_request.merged == true
runs-on: ubuntu-latest
permissions:
pull-requests: write
issues: write
contents: read

steps:
- name: Comment feedback request
uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9
with:
token: ${{ secrets.GITHUB_TOKEN }}
issue-number: ${{ github.event.pull_request.number }}
body: |
🎉 Thank you for your contribution! Your PR has been successfully merged.

We’d love to hear your thoughts to help improve KubeStellar.
Please take a moment to fill out our short feedback survey:

https://kubestellar.io/survey
uses: kubestellar/infra/.github/workflows/reusable-feedback.yml@main
secrets: inherit
24 changes: 3 additions & 21 deletions .github/workflows/greetings.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,24 +10,6 @@ permissions:
contents: read

jobs:
greeting:
runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
steps:
- uses: actions/first-interaction@1c4688942c71f71d4f5502a26ea67c331730fa4d
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
issue-message: |
Thank you for contributing your first Issue to KubeStellar. We are delighted to have you in our Universe!
To assign yourself to this issue, please use the slash command:
```
/assign
```
This will automatically assign the issue to you via our Prow bot. You can also use `/unassign` to remove yourself from an issue.
Thank you for your interest in contributing to KubeStellar!
pr-message: "Thank you for submitting your first Pull Request to KubeStellar. We are delighted to have you in our Universe!"
greet:
uses: kubestellar/infra/.github/workflows/reusable-greetings.yml@main
secrets: inherit
17 changes: 3 additions & 14 deletions .github/workflows/pr-verifier.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,17 +5,6 @@
types: [opened, edited, reopened, synchronize]

jobs:
verify-pr:
name: verify PR contents
# Skip verification for dependabot PRs - they use different title conventions
if: github.actor != 'dependabot[bot]'
permissions:
checks: write
pull-requests: read
runs-on: ubuntu-latest
steps:
- name: Verifier action
id: verifier
uses: kubernetes-sigs/kubebuilder-release-tools@v0.4.3
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
verify:
uses: kubestellar/infra/.github/workflows/reusable-pr-verifier.yml@main
secrets: inherit
Comment on lines +9 to +10

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 3 months ago

In general, the fix is to add an explicit permissions section that restricts the GITHUB_TOKEN to the minimum necessary scopes. This can be done either at the top (root) of the workflow so it applies to all jobs, or within the verify job. Since this workflow only defines one job and calls a reusable workflow, the cleanest fix with minimal functional impact is to add a root-level permissions block granting only read access to repository contents (a safe baseline for most verification jobs). If the reusable verifier needs more, it can request additional scoped permissions within its own definition.

Concretely, in .github/workflows/pr-verifier.yml, insert a permissions: block between the on: section and the jobs: section. A conservative minimal configuration is contents: read, which allows the job to read the repository’s code but not write to it or perform privileged operations. No imports or additional methods are required; this is purely a YAML configuration change within the existing workflow file and does not alter the logical flow of the job.

Suggested changeset 1
.github/workflows/pr-verifier.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/pr-verifier.yml b/.github/workflows/pr-verifier.yml
--- a/.github/workflows/pr-verifier.yml
+++ b/.github/workflows/pr-verifier.yml
@@ -4,6 +4,9 @@
   pull_request_target:
     types: [opened, edited, reopened, synchronize]
 
+permissions:
+  contents: read
+
 jobs:
   verify:
     uses: kubestellar/infra/.github/workflows/reusable-pr-verifier.yml@main
EOF
@@ -4,6 +4,9 @@
pull_request_target:
types: [opened, edited, reopened, synchronize]

permissions:
contents: read

jobs:
verify:
uses: kubestellar/infra/.github/workflows/reusable-pr-verifier.yml@main
Copilot is powered by AI and may make mistakes. Always verify output.
13 changes: 13 additions & 0 deletions .github/workflows/pr-verify-title.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
name: "PR Title Verifier"

on:
pull_request:
types: [opened, edited, synchronize, reopened]

permissions:
contents: read

jobs:
verify:
uses: kubestellar/infra/.github/workflows/reusable-pr-verify-title.yml@main
secrets: inherit
14 changes: 14 additions & 0 deletions .github/workflows/scorecard.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
name: OpenSSF Scorecard

on:
branch_protection_rule:
schedule:
- cron: '0 6 * * 1'
push:
branches: [ "main" ]
workflow_dispatch:

jobs:
analysis:
uses: kubestellar/infra/.github/workflows/reusable-scorecard.yml@main
secrets: inherit
Comment on lines +13 to +14

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 3 months ago

Generally, the fix is to add an explicit permissions block to the workflow (either at the root level, applying to all jobs, or directly under the analysis job) that limits the GITHUB_TOKEN to the minimal privileges required. For the OpenSSF Scorecard analysis workflow, the recommended baseline is read-only access to repository contents, which is typically sufficient (contents: read) since the action only needs to inspect the repo and not modify it.

The best targeted fix without changing existing functionality is to add a root-level permissions block below the on: section, so it applies to the analysis job (which uses the reusable workflow) unless that reusable workflow overrides it. GitHub’s own Scorecard documentation recommends permissions: contents: read for the caller workflow. Concretely, in .github/workflows/scorecard.yml, add:

permissions:
  contents: read

between the on: block (line 3–9) and the jobs: block (line 11). No additional imports or methods are needed—this is pure GitHub Actions YAML configuration.

Suggested changeset 1
.github/workflows/scorecard.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -8,6 +8,9 @@
     branches: [ "main" ]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   analysis:
     uses: kubestellar/infra/.github/workflows/reusable-scorecard.yml@main
EOF
@@ -8,6 +8,9 @@
branches: [ "main" ]
workflow_dispatch:

permissions:
contents: read

jobs:
analysis:
uses: kubestellar/infra/.github/workflows/reusable-scorecard.yml@main
Copilot is powered by AI and may make mistakes. Always verify output.
28 changes: 2 additions & 26 deletions .github/workflows/stale.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,29 +7,5 @@

jobs:
stale:
runs-on: ubuntu-latest
permissions:
issues: write
steps:
- uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e
with:
days-before-issue-stale: 90
days-before-issue-close: 90
stale-issue-label: lifecycle/stale
stale-pr-label: lifecycle/stale
stale-issue-message: >-
This issue has been automatically marked as stale because it has not had recent activity.
It will be closed in 90 days if no further activity occurs. If this is still relevant,
please add a comment to keep it open.
close-issue-message: >-
Closing this issue due to prolonged inactivity after being marked as stale. If this remains
an active concern, feel free to reopen or create a new issue with updated details.
close-issue-label: lifecycle/auto-closed
days-before-pr-stale: -1
days-before-pr-close: -1
exempt-issue-labels: >-
security,bug,enhancement,good first issue,help wanted,hacktober-fest,
lifecycle/frozen
exempt-pr-labels: >-
security,lifecycle/frozen
exempt-all-assignees: true
uses: kubestellar/infra/.github/workflows/reusable-stale.yml@main
secrets: inherit
Comment on lines +10 to +11

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 3 months ago

In general, you should explicitly declare permissions in the workflow (either at the top level or per job) to restrict the GITHUB_TOKEN to the minimal scopes required. For a stale-issues workflow, typical needs are issues: write (to label/comment/close issues) and, if it also handles PRs, pull-requests: write. If the reusable workflow expects these scopes, granting them at the caller level is appropriate.

The minimal and least-disruptive fix here is to add a permissions block to the stale job, since that’s the job CodeQL flagged. We’ll keep the existing functionality by granting contents: read (safe default for most workflows) and issues: write (and optionally pull-requests: write if PR handling is expected). Because we only see a stale issues workflow name and not full behavior of the reusable workflow, a conservative but still minimal configuration is:

permissions:
  contents: read
  issues: write

This should be added directly under the stale job definition, before uses:. No imports or additional files are required; only .github/workflows/stale.yml is changed.

Suggested changeset 1
.github/workflows/stale.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -7,5 +7,8 @@
 
 jobs:
   stale:
+    permissions:
+      contents: read
+      issues: write
     uses: kubestellar/infra/.github/workflows/reusable-stale.yml@main
     secrets: inherit
EOF
@@ -7,5 +7,8 @@

jobs:
stale:
permissions:
contents: read
issues: write
uses: kubestellar/infra/.github/workflows/reusable-stale.yml@main
secrets: inherit
Copilot is powered by AI and may make mistakes. Always verify output.
Loading