feat: Add GitHub workflows for stale issues, label generation, dependency review, and semantic PR checks

Signed-off-by: Gabryel Nóbrega <gabryelster@gmail.com>

Author: see7e

.github/ci-scripts/labeler.js

@@ -0,0 +1,86 @@
+// module.exports = async ({ github, context }) => {
+/**
+ * GitHub Action to automatically label pull requests based on modified files.
+ *
+ * @param {Object} params - The parameters for the action.
+ * @param {Object} params.github - The GitHub API object.
+ * @param {Object} params.context - The context of the GitHub Action.
+ * @param {Object} params.context.repo - The repository context.
+ * @param {string} params.context.repo.owner - The owner of the repository.
+ * @param {string} params.context.repo.repo - The name of the repository.
+ * @param {Object} params.context.issue - The issue context.
+ * @param {number} params.context.issue.number - The pull request number.
+ *
+ * @returns {Promise<void>} A promise that resolves when the action is complete.
+ */
+export default async ({ github, context }) => {
+    let newCompLbls = new Set(); // Set of new label strings
+
+    // Fetch files modified in the PR
+    const pulledFiles = await github.rest.pulls.listFiles({
+        owner: context.repo.owner,
+        repo: context.repo.repo,
+        pull_number: context.issue.number,
+    });
+
+    // Identify labels based on file paths
+    for (const f of pulledFiles.data) {
+        switch (true) {
+            case /^ci-scripts\/.*/.test(f.filename):
+                console.log("CI-related file changed: " + f.filename);
+                newCompLbls.add("component: ci");
+                newCompLbls.add("component: ci-scripts");
+                break;
+
+            case /^\.github\/workflows\/.*/.test(f.filename):
+                console.log("CI-related file changed: " + f.filename);
+                newCompLbls.add("component: ci");
+                newCompLbls.add("component: workflows");
+                break;
+            
+            case /^third_party\/build\/.*/.test(f.filename):
+                console.log("Third party file changed: " + f.filename);
+                newCompLbls.add("component: orc8r");
+                break;
+
+            case /^docs\/.*/.test(f.filename):
+                console.log("Docs-related file changed: " + f.filename);
+                newCompLbls.add("component: docs");
+                break;
+        }
+    }
+
+    const curLblObjs = await github.rest.issues.listLabelsOnIssue({
+        issue_number: context.issue.number,
+        owner: context.repo.owner,
+        repo: context.repo.repo,
+    });
+
+    // Remove outdated labels and keep only new ones
+    for (const l of curLblObjs.data) {
+        if (l.name.startsWith("component: ")) {
+            if (newCompLbls.has(l.name)) {
+                newCompLbls.delete(l.name);
+            } else {
+                await github.rest.issues.removeLabel({
+                    issue_number: context.issue.number,
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    name: l.name,
+                });
+            }
+        }
+    }
+
+    if (newCompLbls.size > 0) {
+        let uniqLbls = Array.from(newCompLbls);
+        await github.rest.issues.addLabels({
+            issue_number: context.issue.number,
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            labels: uniqLbls,
+        });
+    } else {
+        console.log("No new component files changed in this PR.");
+    }
+};

.github/workflows/codeql.yml

@@ -0,0 +1,97 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '27 2 * * 6'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+      # Use `c-cpp` to analyze code written in C, C++ or both
+      # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+      # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+      # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+      # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+      # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+      # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+
+      # matrix:
+        # include:
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Add any setup steps before running the `github/codeql-action/init` action.
+    # This includes steps like installing compilers or runtimes (`actions/setup-node`
+    # or others). This is typically only required for manual builds.
+    # - name: Setup runtime (example)
+    #   uses: actions/setup-example@v1
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    # If the analyze step fails for one of the languages you are analyzing with
+    # "We were unable to automatically build your code", modify the matrix above
+    # to set the build mode to "manual" for that language. Then modify this step
+    # to build your code.
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+    - if: matrix.build-mode == 'manual'
+      shell: bash
+      run: |
+        echo 'If you are using a "manual" build mode for one or more of the' \
+          'languages you are analyzing, replace this with the commands to build' \
+          'your code, for example:'
+        echo '  make bootstrap'
+        echo '  make release'
+        exit 1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -0,0 +1,39 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable
+# packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: 'Dependency review'
+on:
+  pull_request:
+    branches: [ "main" ]
+
+# If using a dependency submission action in this workflow this permission will need to be set to:
+#
+# permissions:
+#   contents: write
+#
+# https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api
+permissions:
+  contents: read
+  # Write permissions for pull-requests are required for using the `comment-summary-in-pr` option, comment out if you aren't using this option
+  pull-requests: write
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout repository'
+        uses: actions/checkout@v4
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v4
+        # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options.
+        with:
+          comment-summary-in-pr: always
+        #   fail-on-severity: moderate
+        #   deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later
+        #   retry-on-snapshot-warnings: true

.github/workflows/label.yml

@@ -0,0 +1,28 @@
+name: PR Generate Labels
+
+on:
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  AutoLabelPR:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Apply Labels Based on File Paths
+        uses: actions/labeler@v4
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Apply Labels Dynamically with GitHub Script
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const labeler = require('./.github/ci-scripts/labeler.js');
+            await labeler({ github, context });

.github/workflows/semantic.yaml

@@ -0,0 +1,78 @@
+name: PR Check Title Or Commit Message
+
+on:
+  # Semantic PR module only works with pull_request_target
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - edited
+      - synchronize
+      - ready_for_review
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  check-semantic-pr:
+    runs-on: ubuntu-latest
+    steps:
+
+      - uses: amannn/action-semantic-pull-request@v5
+        id: semantic-pr
+        if: ${{ ! startsWith(github.event.pull_request.title, 'Revert ') }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          # Configure which types are allowed.
+          # Default: https://github.com/commitizen/conventional-commit-types
+          types: |
+            feat
+            fix
+            docs
+            style
+            refactor
+            perf
+            test
+            build
+            ci
+            chore
+            revert
+          # Configure which scopes are allowed.
+          scopes: |
+            api
+            cli
+            core
+            docs
+            infra
+            plugins
+            tests
+          # Configure that a scope must always be provided.
+          requireScope: false
+          # For work-in-progress PRs you can typically use draft pull requests
+          # from GitHub. However, private repositories on the free plan don't have
+          # this option and therefore this action allows you to opt in to using the
+          # special "[WIP]" prefix to indicate this state. This will avoid the
+          # validation of the PR title and the pull request checks remain pending.
+          # Note that a second check will be reported if this is enabled.
+          wip: true
+          # When using "Squash and merge" on a PR with only one commit, GitHub
+          # will suggest using that commit message instead of the PR title for the
+          # merge commit, and it's easy to commit this by mistake. Enable this option
+          # to also validate the commit message for one commit PRs.
+          validateSingleCommit: true
+
+      - uses: actions/checkout@v4
+        if: always()
+
+      - uses: ./.github/workflows/composite/comment-on-pr
+        if: always()
+        env:
+          check-type: Semantic PR check
+          check-documentation: |
+            See instructions on [development process](https://github.com/see7e/github-templates/wiki/03-Development-Process).
+        with:
+          check-type: ${{ env.check-type }}
+          check-documentation: ${{ env.check-documentation }}
+          job-status: ${{ steps.semantic-pr.outcome }}

.github/workflows/stale.yml

@@ -0,0 +1,27 @@
+# This workflow warns and then closes issues and PRs that have had no activity for a specified amount of time.
+#
+# You can adjust the behavior by modifying this file.
+# For more information, see:
+# https://github.com/actions/stale
+name: Mark stale issues and pull requests
+
+on:
+  schedule:
+  - cron: '25 6 * * *'
+
+jobs:
+  stale:
+
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+
+    steps:
+    - uses: actions/stale@v5
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        stale-issue-message: 'Stale issue message'
+        stale-pr-message: 'Stale pull request message'
+        stale-issue-label: 'no-issue-activity'
+        stale-pr-label: 'no-pr-activity'

README.md

@@ -1,6 +1,3 @@
-# TODO
-- [ ] Add Action Workflows
-
 # References
 > If I forgot to add any reference, please contact me so I can fix it.