Reza Rezvani dd6a6c24d7 feat(ci): implement comprehensive CI/CD workflows and quality gates
Phase 1: Core GitHub Workflows Implementation

Composite Actions (4):
- setup-python-deps: Cache Python dependencies for faster runs
- fork-safety: Detect fork PRs and prevent malicious write operations
- rate-limit-check: Circuit breaker pattern for GitHub API exhaustion
- quality-gates: Python syntax, Markdown lint, Bash validation, secret scanning

Workflows (5):
- bootstrap.yml: One-time repository setup (labels, milestones, settings)
- reusable-pr-checks.yml: DRY quality gate orchestrator
- pr-into-dev.yml: Feature PR validation (branch names, conventional commits, linked issues)
- dev-to-main.yml: Release gate validation (source branch, CHANGELOG, production readiness)
- release.yml: Manual release creation with GitHub releases and auto-generated notes

Branch Strategy: Standard (feature/* → dev → main)
Quality Gates: Python, Markdown, Bash, Secrets
Release Trigger: Manual via /release command or workflow_dispatch

Implements comprehensive CI/CD system adapted from blueprint:
- Fork safety and rate limiting for security
- Conventional commits enforcement
- Automated quality validation
- Production release gates
- GitHub release automation

Next: Phase 2 (templates, CODEOWNERS, dependabot)
2025-11-12 12:51:48 +01:00

94 lines
3.1 KiB
YAML

name: 'Fork Safety Check'
description: 'Detect fork PRs to skip write operations and maintain security'
author: 'ClaudeForge'
branding:
  icon: 'shield'
  color: 'blue'

inputs:
  github-token:
    description: 'GitHub token for API access (usually secrets.GITHUB_TOKEN)'
    required: false
    default: ${{ github.token }}

outputs:
  is-fork:
    description: 'Boolean indicating if the PR is from a fork (true/false)'
    value: ${{ steps.check-fork.outputs.is-fork }}
  should-skip-writes:
    description: 'Boolean indicating if write operations should be skipped (true/false)'
    value: ${{ steps.check-fork.outputs.should-skip-writes }}
  source-repo:
    description: 'Full name of the source repository (owner/repo)'
    value: ${{ steps.check-fork.outputs.source-repo }}
  base-repo:
    description: 'Full name of the base repository (owner/repo)'
    value: ${{ steps.check-fork.outputs.base-repo }}

runs:
  using: 'composite'
  steps:
    - name: Check if PR is from fork
      id: check-fork
      shell: bash
      # Event context is passed through env rather than interpolated with ${{ }}
      # inside the script body, so attacker-influenced values are never
      # evaluated as shell code (GitHub Actions expression injection).
      env:
        GITHUB_TOKEN: ${{ inputs.github-token }}
        EVENT_NAME: ${{ github.event_name }}
        HEAD_FORK: ${{ github.event.pull_request.head.repo.fork }}
        HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
        BASE_REPO_NAME: ${{ github.event.pull_request.base.repo.full_name }}
      run: |
        echo "::group::Fork Safety Check"
        # Initialize outputs
        IS_FORK="false"
        SHOULD_SKIP_WRITES="false"
        SOURCE_REPO="unknown"
        BASE_REPO="unknown"
        # Check if this is a pull request event (pull_request, pull_request_target,
        # pull_request_review, ...). All of them carry a pull_request payload.
        if [[ "$EVENT_NAME" == pull_request* ]]; then
          echo "📋 Event: Pull Request detected"
          SOURCE_REPO="${HEAD_REPO:-unknown}"
          BASE_REPO="${BASE_REPO_NAME:-unknown}"
          echo "🔍 Source Repository: $SOURCE_REPO"
          echo "🎯 Base Repository: $BASE_REPO"
          echo "🔎 head.repo.fork flag: ${HEAD_FORK:-<missing>}"
          # Decide by comparing head and base repository names, not by
          # head.repo.fork alone: that flag describes the head *repository*
          # (it is true for every PR when this repository is itself a fork),
          # and it is empty when the head repository has been deleted.
          # Fail closed: an empty head repository is treated as a fork.
          if [[ -z "$HEAD_REPO" || "$HEAD_REPO" != "$BASE_REPO_NAME" ]]; then
            IS_FORK="true"
            SHOULD_SKIP_WRITES="true"
            echo "⚠️ Fork PR detected - Write operations should be skipped"
            echo "🔒 Security: Preventing potential malicious actions from forked PR"
          else
            echo "✅ Same-repository PR - Write operations allowed"
          fi
        else
          echo "ℹ️ Not a pull request event - treating as safe (non-fork)"
          echo "📌 Event type: $EVENT_NAME"
        fi
        # Set outputs
        {
          echo "is-fork=$IS_FORK"
          echo "should-skip-writes=$SHOULD_SKIP_WRITES"
          echo "source-repo=$SOURCE_REPO"
          echo "base-repo=$BASE_REPO"
        } >> "$GITHUB_OUTPUT"
        # Summary
        echo ""
        echo "📊 Fork Safety Check Results:"
        echo "  - Is Fork: $IS_FORK"
        echo "  - Skip Writes: $SHOULD_SKIP_WRITES"
        echo "  - Source: $SOURCE_REPO"
        echo "  - Base: $BASE_REPO"
        echo "::endgroup::"

    - name: Log fork detection result
      shell: bash
      env:
        IS_FORK: ${{ steps.check-fork.outputs.is-fork }}
      run: |
        if [[ "$IS_FORK" == "true" ]]; then
          echo "::warning::This PR is from a fork. Write operations will be skipped for security."
        fi
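The action above only reports; the protection comes from how a workflow consumes `should-skip-writes`. The workflow below is an added example, not one of the repository's own workflows, showing the pattern that matters most for a `pull_request_target` trigger, where the token has write access and the PR author is untrusted. The action path `./.github/actions/fork-safety` and the `ready-for-review` label are assumptions for the example.

```yaml
name: PR into dev (fork-safe labelling)

on:
  pull_request_target:
    branches: [dev]

# Least privilege for the whole workflow; only the job that writes opts in.
permissions:
  contents: read

jobs:
  fork-check:
    runs-on: ubuntu-latest
    outputs:
      skip-writes: ${{ steps.fork.outputs.should-skip-writes }}
    steps:
      # On pull_request_target the default checkout is the BASE ref, which is
      # what we want: never check out and execute the PR head in a job that
      # holds a write-capable token.
      - uses: actions/checkout@v4
      - id: fork
        uses: ./.github/actions/fork-safety   # assumed path of the composite action

  label:
    needs: fork-check
    # Gate every write-capable step on the check's output.
    if: needs.fork-check.outputs.skip-writes != 'true'
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - name: Label same-repository PR
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        # PR number is passed via env, not interpolated into the command line.
        run: gh pr edit "$PR_NUMBER" --add-label "ready-for-review" --repo "$GITHUB_REPOSITORY"
```

Two caveats a practitioner should keep in mind. First, on a plain `pull_request` event from a fork, GitHub already hands the job a read-only `GITHUB_TOKEN` and withholds repository secrets, so the gate mostly matters for `pull_request_target` (and `workflow_run`) workflows. Second, the gate says nothing about what code runs: a `pull_request_target` job that checks out the PR head and executes it (`npm install`, a test suite, a linter with plugins) is exploitable regardless of the output of this check, so keep such steps in a separate `pull_request` workflow with no write permissions.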