chore: import upstream snapshot with attribution
This commit is contained in:
@@ -0,0 +1,7 @@
|
||||
* @aws/agent-toolkit-admins
|
||||
|
||||
## Alphabetical listing of Agent Plugins
|
||||
/plugins/aws-agents @aws/agent-toolkit-admins @aws/agentcore-devex-devs @aws/agentcore-devex-pms
|
||||
/plugins/aws-agents-for-devsecops @aws/agent-toolkit-admins @aws/aws-agentic-devsecops @coffeencoke @tipuq @HuiSF @ljainiaz @adthiru @AhmetAhunbayAWS
|
||||
/plugins/aws-core @aws/agent-toolkit-admins
|
||||
/plugins/aws-data-analytics @aws/agent-toolkit-admins @npmajisha @risears @mitczach @harshabattapady @shoukasg @sanjolia @dhruvyadav2007 @mukeshsahay
|
||||
@@ -0,0 +1,72 @@
|
||||
---
|
||||
name: "Bug Report"
|
||||
description: Report a bug
|
||||
title: "(plugin name): (short issue description)"
|
||||
labels: [bug, needs-triage]
|
||||
assignees: []
|
||||
body:
|
||||
- type: textarea
|
||||
id: description
|
||||
attributes:
|
||||
label: Describe the bug
|
||||
description: What is the problem? A clear and concise description of the bug.
|
||||
validations:
|
||||
required: true
|
||||
- type: textarea
|
||||
id: expected
|
||||
attributes:
|
||||
label: Expected Behavior
|
||||
description: What did you expect to happen?
|
||||
validations:
|
||||
required: true
|
||||
- type: textarea
|
||||
id: current
|
||||
attributes:
|
||||
label: Current Behavior
|
||||
description: |
|
||||
What actually happened?
|
||||
|
||||
Please include full errors, uncaught exceptions, stack traces, and relevant logs.
|
||||
validations:
|
||||
required: true
|
||||
- type: textarea
|
||||
id: reproduction
|
||||
attributes:
|
||||
label: Reproduction Steps
|
||||
description: |
|
||||
Provide a self-contained, concise snippet of code that can be used to reproduce the issue.
|
||||
validations:
|
||||
required: true
|
||||
- type: input
|
||||
id: plugin-version
|
||||
attributes:
|
||||
label: Plugin Version
|
||||
validations:
|
||||
required: true
|
||||
- type: input
|
||||
id: ai-assistant
|
||||
attributes:
|
||||
label: AI Assistant
|
||||
description: E.g. Claude Code | Codex | Kiro | Cursor
|
||||
validations:
|
||||
required: true
|
||||
- type: input
|
||||
id: ai-assistant-version
|
||||
attributes:
|
||||
label: AI Assistant Version
|
||||
validations:
|
||||
required: true
|
||||
- type: input
|
||||
id: operating-system
|
||||
attributes:
|
||||
label: OS
|
||||
validations:
|
||||
required: true
|
||||
- type: textarea
|
||||
id: other
|
||||
attributes:
|
||||
label: Other information
|
||||
description: |
|
||||
e.g. detailed explanation, related issues, suggestions how to fix, links for context
|
||||
validations:
|
||||
required: false
|
||||
@@ -0,0 +1,8 @@
|
||||
blank_issues_enabled: false
|
||||
contact_links:
|
||||
- name: Security vulnerability
|
||||
url: https://aws.amazon.com/security/vulnerability-reporting/
|
||||
about: Please report security vulnerabilities through AWS Security, not as a public GitHub issue.
|
||||
- name: Documentation
|
||||
url: https://docs.aws.amazon.com/agent-toolkit/latest/userguide/
|
||||
about: Setup, configuration, and reference documentation for the Agent Toolkit for AWS.
|
||||
@@ -0,0 +1,47 @@
|
||||
---
|
||||
name: Feature Request
|
||||
description: Suggest an idea for this project
|
||||
title: "(plugin name): (short issue description)"
|
||||
labels: [feature-request, needs-triage]
|
||||
assignees: []
|
||||
body:
|
||||
- type: textarea
|
||||
id: description
|
||||
attributes:
|
||||
label: Describe the feature
|
||||
description: A clear and concise description of the feature you are proposing.
|
||||
validations:
|
||||
required: true
|
||||
- type: textarea
|
||||
id: use-case
|
||||
attributes:
|
||||
label: Use Case
|
||||
description: |
|
||||
Why do you need this feature? For example: "I'm always frustrated when..."
|
||||
validations:
|
||||
required: true
|
||||
- type: textarea
|
||||
id: solution
|
||||
attributes:
|
||||
label: Proposed Solution
|
||||
description: |
|
||||
Suggest how to implement the addition or change.
|
||||
validations:
|
||||
required: false
|
||||
- type: textarea
|
||||
id: other
|
||||
attributes:
|
||||
label: Other Information
|
||||
description: |
|
||||
Any alternative solutions or features you considered, links for context, etc.
|
||||
validations:
|
||||
required: false
|
||||
- type: checkboxes
|
||||
id: ack
|
||||
attributes:
|
||||
label: Acknowledgements
|
||||
options:
|
||||
- label: I may be able to implement this feature request
|
||||
required: false
|
||||
- label: This feature might incur a breaking change
|
||||
required: false
|
||||
@@ -0,0 +1,28 @@
|
||||
# Dependabot configuration.
|
||||
#
|
||||
# Covers the only automated dependency surface in this repo: the pinned
|
||||
# action SHAs in .github/workflows/. Mise-managed tools (node, gitleaks,
|
||||
# markdownlint-cli2) are bumped manually via `mise upgrade`.
|
||||
#
|
||||
# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
|
||||
version: 2
|
||||
updates:
|
||||
- package-ecosystem: github-actions
|
||||
directory: /
|
||||
schedule:
|
||||
interval: weekly
|
||||
day: monday
|
||||
time: "09:00"
|
||||
timezone: Etc/UTC
|
||||
open-pull-requests-limit: 5
|
||||
commit-message:
|
||||
prefix: chore
|
||||
include: scope
|
||||
labels:
|
||||
- dependencies
|
||||
- github-actions
|
||||
groups:
|
||||
# Group all action SHA bumps into a single PR per week to reduce noise.
|
||||
actions:
|
||||
patterns:
|
||||
- "*"
|
||||
@@ -0,0 +1,20 @@
|
||||
## Description
|
||||
|
||||
<!-- Describe the changes in this PR -->
|
||||
|
||||
## Type of Change
|
||||
|
||||
- [ ] New plugin
|
||||
- [ ] New skill
|
||||
- [ ] Bug fix
|
||||
- [ ] Documentation update
|
||||
- [ ] CI/CD change
|
||||
- [ ] Other
|
||||
|
||||
## Checklist
|
||||
|
||||
- [ ] I have read the [CONTRIBUTING](../CONTRIBUTING.md) guide
|
||||
- [ ] My changes pass `python3 tools/validate.py`
|
||||
- [ ] I have updated relevant documentation
|
||||
|
||||
*By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.*
|
||||
@@ -0,0 +1,52 @@
|
||||
name: Build
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [main]
|
||||
pull_request:
|
||||
branches: [main]
|
||||
merge_group:
|
||||
workflow_dispatch:
|
||||
|
||||
# Cancel superseded PR runs; let push/merge_group runs complete.
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
|
||||
|
||||
# Default to no permissions; grant minimally at the job level.
|
||||
permissions:
|
||||
actions: none
|
||||
attestations: none
|
||||
checks: none
|
||||
contents: none
|
||||
deployments: none
|
||||
discussions: none
|
||||
id-token: none
|
||||
issues: none
|
||||
models: none
|
||||
packages: none
|
||||
pages: none
|
||||
pull-requests: none
|
||||
repository-projects: none
|
||||
security-events: none
|
||||
statuses: none
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 10
|
||||
permissions:
|
||||
contents: read
|
||||
steps:
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
|
||||
- uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d # v4.2.0
|
||||
|
||||
- name: Lint markdown
|
||||
run: mise run lint:md
|
||||
|
||||
- name: Validate manifests and skills
|
||||
run: mise run lint:manifests
|
||||
|
||||
- name: Security scan (gitleaks)
|
||||
run: mise run security
|
||||
@@ -0,0 +1,64 @@
|
||||
name: CodeQL
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [main]
|
||||
pull_request:
|
||||
branches: [main]
|
||||
schedule:
|
||||
# Weekly on Wednesday at 14:23 UTC (arbitrary off-peak time)
|
||||
- cron: "23 14 * * 3"
|
||||
workflow_dispatch: {}
|
||||
|
||||
# Default to no permissions; grant minimally at the job level.
|
||||
permissions:
|
||||
actions: none
|
||||
attestations: none
|
||||
checks: none
|
||||
contents: none
|
||||
deployments: none
|
||||
discussions: none
|
||||
id-token: none
|
||||
issues: none
|
||||
models: none
|
||||
packages: none
|
||||
pages: none
|
||||
pull-requests: none
|
||||
repository-projects: none
|
||||
security-events: none
|
||||
statuses: none
|
||||
|
||||
jobs:
|
||||
analyze:
|
||||
name: Analyze (${{ matrix.language }})
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 30
|
||||
permissions:
|
||||
security-events: write # upload SARIF to code scanning
|
||||
packages: read # fetch internal CodeQL packs (no-op for public repos)
|
||||
actions: read
|
||||
contents: read
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
include:
|
||||
# Scans workflow YAML for GitHub Actions security pitfalls
|
||||
# (script injection, untrusted checkout patterns, over-broad tokens).
|
||||
- language: actions
|
||||
build-mode: none
|
||||
# Scans Python helpers (e.g. tools/validate.py).
|
||||
- language: python
|
||||
build-mode: none
|
||||
steps:
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@5e7a52feb2a3dfb87f88be2af33b9e2275f48de6 # v4.32.2
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
build-mode: ${{ matrix.build-mode }}
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@5e7a52feb2a3dfb87f88be2af33b9e2275f48de6 # v4.32.2
|
||||
with:
|
||||
category: "/language:${{ matrix.language }}"
|
||||
@@ -0,0 +1,40 @@
|
||||
name: Dependency Review
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
branches: [main]
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
# Default to no permissions; grant minimally at the job level.
|
||||
permissions:
|
||||
actions: none
|
||||
attestations: none
|
||||
checks: none
|
||||
contents: none
|
||||
deployments: none
|
||||
discussions: none
|
||||
id-token: none
|
||||
issues: none
|
||||
models: none
|
||||
packages: none
|
||||
pages: none
|
||||
pull-requests: none
|
||||
repository-projects: none
|
||||
security-events: none
|
||||
statuses: none
|
||||
|
||||
jobs:
|
||||
dependency-review:
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 5
|
||||
permissions:
|
||||
contents: read
|
||||
steps:
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
- uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
|
||||
with:
|
||||
# Shared Amazon OSPO dependency-review config used across awslabs/aws repos.
|
||||
config-file: amazon-ospo/dependency-review-config/default/dependency-review-config.yml@8e4c9fdde54d2b7c6a3a28b97eddd26c4cd90a66 # main
|
||||
@@ -0,0 +1,124 @@
|
||||
---
|
||||
# Prevents unintentional merges beyond what branch rulesets can express.
|
||||
#
|
||||
# Two independent gates:
|
||||
# 1. Label gate — a PR labelled with `do-not-merge` (or `vars.DO_NOT_MERGE_LABEL`)
|
||||
# is blocked until the label is removed.
|
||||
# 2. Global gate — the `HALT_MERGES` repo variable blocks all merges when set:
|
||||
# HALT_MERGES=0 → gate disabled (default)
|
||||
# HALT_MERGES=<N> → only PR #N is allowed to merge
|
||||
# HALT_MERGES=-1 → all merges blocked
|
||||
#
|
||||
# Both gates are cheap escape hatches for incident response; they are not a
|
||||
# replacement for branch protection rules.
|
||||
name: Merge Prevention
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
types:
|
||||
- opened
|
||||
- reopened
|
||||
- synchronize
|
||||
- edited
|
||||
- labeled
|
||||
- unlabeled
|
||||
merge_group:
|
||||
types:
|
||||
- checks_requested
|
||||
|
||||
# Cancel superseded PR runs; never cancel merge_group runs (they gate a queued merge).
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
|
||||
|
||||
# Default to no permissions; grant minimally at the job level.
|
||||
permissions:
|
||||
actions: none
|
||||
attestations: none
|
||||
checks: none
|
||||
contents: none
|
||||
deployments: none
|
||||
discussions: none
|
||||
id-token: none
|
||||
issues: none
|
||||
models: none
|
||||
packages: none
|
||||
pages: none
|
||||
pull-requests: none
|
||||
repository-projects: none
|
||||
security-events: none
|
||||
statuses: none
|
||||
|
||||
env:
|
||||
DO_NOT_MERGE_LABEL: ${{ vars.DO_NOT_MERGE_LABEL || 'do-not-merge' }}
|
||||
HALT_MERGES: ${{ vars.HALT_MERGES || '0' }}
|
||||
|
||||
jobs:
|
||||
get-pr-info:
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 5
|
||||
permissions:
|
||||
contents: read
|
||||
pull-requests: read
|
||||
outputs:
|
||||
pr_number: ${{ steps.get-pr.outputs.pr-number }}
|
||||
pr_labels: ${{ steps.get-pr.outputs.pr-labels }}
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
PR_LABELS_JSON: ${{ toJson(github.event.pull_request.labels.*.name) }}
|
||||
steps:
|
||||
- name: Get PR info
|
||||
id: get-pr
|
||||
run: |
|
||||
if [ "${{ github.event_name }}" = "merge_group" ]; then
|
||||
PR_NUMBER=$(echo "${{ github.ref }}" | grep -oP '(?<=/pr-)\d+' || echo "")
|
||||
PR_LABELS=$(gh api "repos/${{ github.repository }}/pulls/$PR_NUMBER" | jq -c '[.labels[].name] // []')
|
||||
else
|
||||
PR_NUMBER="${{ github.event.pull_request.number }}"
|
||||
PR_LABELS=$(echo "$PR_LABELS_JSON" | jq -c '.')
|
||||
fi
|
||||
|
||||
echo "pr-number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
|
||||
echo "pr-labels=$PR_LABELS" >> "$GITHUB_OUTPUT"
|
||||
|
||||
check-halt-merges:
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 5
|
||||
needs: get-pr-info
|
||||
if: always()
|
||||
steps:
|
||||
- name: Enforce HALT_MERGES gate
|
||||
env:
|
||||
PR_NUMBER: ${{ needs.get-pr-info.outputs.pr_number }}
|
||||
run: |
|
||||
# Default to 0 (allow all) if not set
|
||||
if [ -z "$HALT_MERGES" ]; then
|
||||
HALT_MERGES=0
|
||||
fi
|
||||
|
||||
if [ "$HALT_MERGES" = "0" ]; then
|
||||
echo "::debug::All merges allowed (HALT_MERGES=0)"
|
||||
exit 0
|
||||
elif [ "$HALT_MERGES" = "$PR_NUMBER" ]; then
|
||||
echo "::debug::PR #$PR_NUMBER is explicitly allowed"
|
||||
exit 0
|
||||
else
|
||||
if [ "$HALT_MERGES" -lt 0 ] 2>/dev/null; then
|
||||
echo "::error::All merges are blocked (HALT_MERGES=$HALT_MERGES)"
|
||||
else
|
||||
echo "::warning::Only PR #$HALT_MERGES is allowed to merge"
|
||||
fi
|
||||
exit 1
|
||||
fi
|
||||
|
||||
check-do-not-merge-label:
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 5
|
||||
needs: get-pr-info
|
||||
if: always()
|
||||
steps:
|
||||
- name: Block when PR has the "${{ env.DO_NOT_MERGE_LABEL }}" label
|
||||
if: contains(needs.get-pr-info.outputs.pr_labels, env.DO_NOT_MERGE_LABEL)
|
||||
run: |
|
||||
echo "::error::The label \"${{ env.DO_NOT_MERGE_LABEL }}\" is used to prevent merging."
|
||||
exit 1
|
||||
@@ -0,0 +1,52 @@
|
||||
name: PR Lint
|
||||
|
||||
on:
|
||||
pull_request_target:
|
||||
types: [opened, edited, synchronize, reopened]
|
||||
branches: [main]
|
||||
|
||||
# Key on PR number because pull_request_target's github.ref is the base branch.
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
|
||||
cancel-in-progress: true
|
||||
|
||||
# Default to no permissions; grant minimally at the job level.
|
||||
permissions:
|
||||
actions: none
|
||||
attestations: none
|
||||
checks: none
|
||||
contents: none
|
||||
deployments: none
|
||||
discussions: none
|
||||
id-token: none
|
||||
issues: none
|
||||
models: none
|
||||
packages: none
|
||||
pages: none
|
||||
pull-requests: none
|
||||
repository-projects: none
|
||||
security-events: none
|
||||
statuses: none
|
||||
|
||||
jobs:
|
||||
pr-title:
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 5
|
||||
permissions:
|
||||
pull-requests: read
|
||||
steps:
|
||||
- uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
with:
|
||||
types: |
|
||||
feat
|
||||
fix
|
||||
docs
|
||||
style
|
||||
refactor
|
||||
perf
|
||||
test
|
||||
chore
|
||||
ci
|
||||
requireScope: false
|
||||
@@ -0,0 +1,50 @@
|
||||
name: Scorecard Analysis
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [main]
|
||||
schedule:
|
||||
# Weekly on Mondays at 11:00 UTC (03:00 Pacific)
|
||||
- cron: "0 11 * * 1"
|
||||
workflow_dispatch: {}
|
||||
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
analysis:
|
||||
name: Scorecard analysis
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 10
|
||||
permissions:
|
||||
contents: read
|
||||
security-events: write # upload SARIF to code scanning
|
||||
id-token: write # publish results to OSSF
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
|
||||
- name: Run analysis
|
||||
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
|
||||
with:
|
||||
results_file: scorecard-results.sarif
|
||||
results_format: sarif
|
||||
# Scorecard team runs a weekly scan of public GitHub repos
|
||||
# (https://github.com/ossf/scorecard#public-data). Setting
|
||||
# `publish_results: true` lets the OSSF reuse our workflow output
|
||||
# instead of scanning us independently.
|
||||
publish_results: true
|
||||
|
||||
- name: Upload SARIF artifact
|
||||
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
|
||||
with:
|
||||
name: SARIF file
|
||||
path: scorecard-results.sarif
|
||||
retention-days: 14
|
||||
|
||||
- name: Upload to code scanning
|
||||
uses: github/codeql-action/upload-sarif@5e7a52feb2a3dfb87f88be2af33b9e2275f48de6 # v4.32.2
|
||||
with:
|
||||
sarif_file: scorecard-results.sarif
|
||||
@@ -0,0 +1,111 @@
|
||||
name: Skill Frontmatter Check
|
||||
|
||||
on:
|
||||
pull_request_target:
|
||||
types: [opened, synchronize]
|
||||
branches: [main]
|
||||
paths:
|
||||
- "**/SKILL.md"
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
|
||||
cancel-in-progress: true
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
pull-requests: write
|
||||
|
||||
jobs:
|
||||
check-frontmatter:
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 5
|
||||
steps:
|
||||
- name: Check SKILL.md frontmatter via API
|
||||
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
|
||||
with:
|
||||
retries: 3
|
||||
script: |
|
||||
const DISALLOWED_FIELDS = new Set(['stages']);
|
||||
const DISALLOWED_PREFIXES = ['owner_'];
|
||||
|
||||
const files = await github.paginate(
|
||||
github.rest.pulls.listFiles,
|
||||
{
|
||||
owner: context.repo.owner,
|
||||
repo: context.repo.repo,
|
||||
pull_number: context.payload.pull_request.number,
|
||||
per_page: 100
|
||||
}
|
||||
);
|
||||
|
||||
const skillFiles = files
|
||||
.filter(f => f.filename.endsWith('SKILL.md') && f.status !== 'removed');
|
||||
|
||||
if (skillFiles.length === 0) {
|
||||
core.info('No SKILL.md files changed.');
|
||||
return;
|
||||
}
|
||||
|
||||
const violations = [];
|
||||
|
||||
for (const file of skillFiles) {
|
||||
const { data } = await github.rest.repos.getContent({
|
||||
owner: context.payload.pull_request.head.repo.owner.login,
|
||||
repo: context.payload.pull_request.head.repo.name,
|
||||
path: file.filename,
|
||||
ref: context.payload.pull_request.head.sha
|
||||
});
|
||||
|
||||
const content = Buffer.from(data.content, 'base64').toString('utf-8');
|
||||
const lines = content.split('\n');
|
||||
|
||||
if (lines[0] !== '---') continue;
|
||||
|
||||
const disallowed = [];
|
||||
for (let i = 1; i < lines.length; i++) {
|
||||
if (lines[i] === '---') break;
|
||||
const match = lines[i].match(/^([a-zA-Z_][a-zA-Z0-9_-]*):/);
|
||||
if (match && (DISALLOWED_FIELDS.has(match[1]) || DISALLOWED_PREFIXES.some(p => match[1].startsWith(p)))) {
|
||||
disallowed.push(match[1]);
|
||||
}
|
||||
}
|
||||
|
||||
if (disallowed.length > 0) {
|
||||
violations.push({ path: file.filename, fields: disallowed });
|
||||
}
|
||||
}
|
||||
|
||||
if (violations.length === 0) {
|
||||
core.info('All SKILL.md files pass frontmatter check.');
|
||||
return;
|
||||
}
|
||||
|
||||
const list = violations
|
||||
.map(v => `- \`${v.path}\`: ${v.fields.map(f => '`' + f + '`').join(', ')}`)
|
||||
.join('\n');
|
||||
|
||||
const body = [
|
||||
'⚠️ **PR closed automatically.**',
|
||||
'',
|
||||
'SKILL.md frontmatter contains fields that are not permitted in this public repository:',
|
||||
'',
|
||||
list,
|
||||
'',
|
||||
'Please remove these fields and reopen the PR.'
|
||||
].join('\n');
|
||||
|
||||
await github.rest.issues.createComment({
|
||||
owner: context.repo.owner,
|
||||
repo: context.repo.repo,
|
||||
issue_number: context.payload.pull_request.number,
|
||||
body
|
||||
});
|
||||
|
||||
await github.rest.pulls.update({
|
||||
owner: context.repo.owner,
|
||||
repo: context.repo.repo,
|
||||
pull_number: context.payload.pull_request.number,
|
||||
state: 'closed'
|
||||
});
|
||||
|
||||
core.setFailed('SKILL.md files contained disallowed frontmatter fields.');
|
||||
@@ -0,0 +1,43 @@
|
||||
name: Stale
|
||||
|
||||
on:
|
||||
schedule:
|
||||
- cron: "0 0 * * *"
|
||||
workflow_dispatch:
|
||||
|
||||
# Default to no permissions; grant minimally at the job level.
|
||||
permissions:
|
||||
actions: none
|
||||
attestations: none
|
||||
checks: none
|
||||
contents: none
|
||||
deployments: none
|
||||
discussions: none
|
||||
id-token: none
|
||||
issues: none
|
||||
models: none
|
||||
packages: none
|
||||
pages: none
|
||||
pull-requests: none
|
||||
repository-projects: none
|
||||
security-events: none
|
||||
statuses: none
|
||||
|
||||
jobs:
|
||||
stale:
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 10
|
||||
permissions:
|
||||
issues: write
|
||||
pull-requests: write
|
||||
steps:
|
||||
- uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0
|
||||
with:
|
||||
stale-pr-message: "This PR has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs."
|
||||
stale-issue-message: "This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs."
|
||||
days-before-pr-stale: 14
|
||||
days-before-pr-close: 7
|
||||
days-before-issue-stale: 60
|
||||
days-before-issue-close: 14
|
||||
stale-pr-label: stale
|
||||
stale-issue-label: stale
|
||||
Reference in New Issue
Block a user