Skip to content

ci(security): resolve security alerts from scorecard #17914

ci(security): resolve security alerts from scorecard

ci(security): resolve security alerts from scorecard #17914

Workflow file for this run

name: "PR health"
on:
pull_request:
types:
- edited
- opened
- reopened
- synchronize
permissions:
contents: read
pull-requests: write
jobs:
commit-lint:
timeout-minutes: 10
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Check PR title
# This job checks the PR title using
# https://github.com/conventional-changelog/commitlint
# for the conventional commit format at
# https://www.conventionalcommits.org/en/v1.0.0/
# See also /.github/commitlint.config.js for more details
# We only need to check the PR title because it will end up being the
# (default) commit title when doing squash merges with Github.
# See
# https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/about-pull-request-merges#merge-message-for-a-squash-merge
# for more info. We have "Default to PR title for squash merge commits" enabled.
if: github.event.action != 'synchronize'
# Inject as env variable to escape properly
env:
TITLE: ${{ github.event.pull_request.title }}
run: |
npm install -g @commitlint/[email protected] @commitlint/[email protected]
commitlint --config .github/commitlint.config.js --edit=<(echo "${TITLE}")
- name: Maybe add backport label
if: github.event.action == 'synchronize' && false # disable until https://github.com/kumahq/kuma/issues/9482
env:
GITHUB_TOKEN: ${{ github.token }}
PREDEFINED_GLOBS: ".github/**/*,Makefile,mk/**/*,tools/**/*,.golangci.yml,.kube-linter.yaml"
LABEL_TO_ADD: backport
NO_BACKPORT_AUTOLABEL: no-backport-autolabel
run: |
tools/ci/needs_backporting.sh "${{ github.repository }}" "${{ github.event.pull_request.number }}" "origin/${{ github.base_ref }}" "HEAD" "$PREDEFINED_GLOBS" "$LABEL_TO_ADD" "$NO_BACKPORT_AUTOLABEL"