75f3dd141c
CI and Release / e2e-verification-agent (push) Blocked by required conditions
CI and Release / test-backend (push) Blocked by required conditions
CI and Release / build-dev-image (push) Waiting to run
CI and Release / push-dev-image (push) Blocked by required conditions
CI and Release / build-image (push) Blocked by required conditions
CI and Release / build-verification-image (push) Blocked by required conditions
CI and Release / determine-version (push) Blocked by required conditions
CI and Release / push-image (push) Blocked by required conditions
CI and Release / push-verification-image (12) (push) Blocked by required conditions
CI and Release / push-verification-image (18) (push) Blocked by required conditions
CI and Release / release (push) Blocked by required conditions
CI and Release / publish-helm-chart (push) Blocked by required conditions
CI and Release / lint-backend (push) Waiting to run
CI and Release / lint-frontend (push) Waiting to run
CI and Release / dockerfile-scan (push) Waiting to run
CI and Release / test-frontend (push) Blocked by required conditions
CI and Release / lint-verification-agent (push) Waiting to run
CI and Release / test-verification-agent (push) Blocked by required conditions
CI and Release / push-verification-image (13) (push) Blocked by required conditions
CI and Release / push-verification-image (14) (push) Blocked by required conditions
CI and Release / push-verification-image (15) (push) Blocked by required conditions
CI and Release / push-verification-image (16) (push) Blocked by required conditions
CI and Release / push-verification-image (17) (push) Blocked by required conditions
CodeQL / Analyze (go) (push) Has been cancelled
CodeQL / Analyze (actions) (push) Has been cancelled
CodeQL / Analyze (javascript-typescript) (push) Has been cancelled
77 lines
2.4 KiB
YAML
77 lines
2.4 KiB
YAML
language: en-US
|
|
|
|
reviews:
|
|
profile: chill
|
|
request_changes_workflow: false
|
|
high_level_summary: false
|
|
poem: false
|
|
review_status: false
|
|
commit_status: false
|
|
collapse_walkthrough: true
|
|
changed_files_summary: false
|
|
sequence_diagrams: false
|
|
estimate_code_review_effort: false
|
|
assess_linked_issues: false
|
|
related_issues: false
|
|
related_prs: false
|
|
suggested_labels: false
|
|
auto_apply_labels: false
|
|
suggested_reviewers: false
|
|
auto_assign_reviewers: false
|
|
|
|
auto_review:
|
|
enabled: true
|
|
auto_incremental_review: true
|
|
drafts: false
|
|
|
|
finishing_touches:
|
|
docstrings:
|
|
enabled: false
|
|
|
|
path_filters:
|
|
- "!**/*.lock"
|
|
- "!**/node_modules/**"
|
|
- "!**/dist/**"
|
|
- "!**/build/**"
|
|
- "!**/*.pb.go"
|
|
- "!**/*_gen.go"
|
|
- "!backend/docs/**"
|
|
|
|
path_instructions:
|
|
- path: ".github/workflows/**"
|
|
instructions: |
|
|
Security-critical workflow review:
|
|
- All third-party actions must be pinned to a full commit SHA, with a "# vX.Y.Z" tag comment. Flag floating tags (@v4, @main, @master).
|
|
- Top-level "permissions:" must exist and default to least privilege (contents: read). Flag missing or overly broad top-level permissions.
|
|
- Jobs that don't write should not have write scope. Flag contents: write, packages: write, id-token: write that aren't justified by the job's purpose.
|
|
- Untrusted PR input (github.event.pull_request.title, body, head.ref) must not be substituted directly into "run:" scripts (workflow injection). Flag and recommend env-var indirection.
|
|
- "pull_request_target" with secrets exposed to fork PRs is a serious risk. Flag and require justification.
|
|
|
|
- path: "**/Dockerfile*"
|
|
instructions: |
|
|
Docker security:
|
|
- Pin base images to a specific version tag and ideally a digest. Flag floating tags like ":latest" or bare ":alpine" without a version.
|
|
- Avoid running as root in the final image; flag missing USER directive in production stages.
|
|
- Don't embed secrets in build args or COPY. Flag suspicious literal-looking secrets, keys, or tokens.
|
|
|
|
tools:
|
|
gitleaks:
|
|
enabled: true
|
|
semgrep:
|
|
enabled: true
|
|
ast-grep:
|
|
essential_rules: false
|
|
actionlint:
|
|
enabled: false
|
|
hadolint:
|
|
enabled: false
|
|
shellcheck:
|
|
enabled: false
|
|
languagetool:
|
|
enabled: false
|
|
markdownlint:
|
|
enabled: false
|
|
|
|
chat:
|
|
auto_reply: true
|