Files
wehub-resource-sync 75f3dd141c
CI and Release / e2e-verification-agent (push) Blocked by required conditions
CI and Release / test-backend (push) Blocked by required conditions
CI and Release / build-dev-image (push) Waiting to run
CI and Release / push-dev-image (push) Blocked by required conditions
CI and Release / build-image (push) Blocked by required conditions
CI and Release / build-verification-image (push) Blocked by required conditions
CI and Release / determine-version (push) Blocked by required conditions
CI and Release / push-image (push) Blocked by required conditions
CI and Release / push-verification-image (12) (push) Blocked by required conditions
CI and Release / push-verification-image (18) (push) Blocked by required conditions
CI and Release / release (push) Blocked by required conditions
CI and Release / publish-helm-chart (push) Blocked by required conditions
CI and Release / lint-backend (push) Waiting to run
CI and Release / lint-frontend (push) Waiting to run
CI and Release / dockerfile-scan (push) Waiting to run
CI and Release / test-frontend (push) Blocked by required conditions
CI and Release / lint-verification-agent (push) Waiting to run
CI and Release / test-verification-agent (push) Blocked by required conditions
CI and Release / push-verification-image (13) (push) Blocked by required conditions
CI and Release / push-verification-image (14) (push) Blocked by required conditions
CI and Release / push-verification-image (15) (push) Blocked by required conditions
CI and Release / push-verification-image (16) (push) Blocked by required conditions
CI and Release / push-verification-image (17) (push) Blocked by required conditions
CodeQL / Analyze (go) (push) Has been cancelled
CodeQL / Analyze (actions) (push) Has been cancelled
CodeQL / Analyze (javascript-typescript) (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:11:07 +08:00

77 lines
2.4 KiB
YAML

language: en-US
reviews:
profile: chill
request_changes_workflow: false
high_level_summary: false
poem: false
review_status: false
commit_status: false
collapse_walkthrough: true
changed_files_summary: false
sequence_diagrams: false
estimate_code_review_effort: false
assess_linked_issues: false
related_issues: false
related_prs: false
suggested_labels: false
auto_apply_labels: false
suggested_reviewers: false
auto_assign_reviewers: false
auto_review:
enabled: true
auto_incremental_review: true
drafts: false
finishing_touches:
docstrings:
enabled: false
path_filters:
- "!**/*.lock"
- "!**/node_modules/**"
- "!**/dist/**"
- "!**/build/**"
- "!**/*.pb.go"
- "!**/*_gen.go"
- "!backend/docs/**"
path_instructions:
- path: ".github/workflows/**"
instructions: |
Security-critical workflow review:
- All third-party actions must be pinned to a full commit SHA, with a "# vX.Y.Z" tag comment. Flag floating tags (@v4, @main, @master).
- Top-level "permissions:" must exist and default to least privilege (contents: read). Flag missing or overly broad top-level permissions.
- Jobs that don't write should not have write scope. Flag contents: write, packages: write, id-token: write that aren't justified by the job's purpose.
- Untrusted PR input (github.event.pull_request.title, body, head.ref) must not be substituted directly into "run:" scripts (workflow injection). Flag and recommend env-var indirection.
- "pull_request_target" with secrets exposed to fork PRs is a serious risk. Flag and require justification.
- path: "**/Dockerfile*"
instructions: |
Docker security:
- Pin base images to a specific version tag and ideally a digest. Flag floating tags like ":latest" or bare ":alpine" without a version.
- Avoid running as root in the final image; flag missing USER directive in production stages.
- Don't embed secrets in build args or COPY. Flag suspicious literal-looking secrets, keys, or tokens.
tools:
gitleaks:
enabled: true
semgrep:
enabled: true
ast-grep:
essential_rules: false
actionlint:
enabled: false
hadolint:
enabled: false
shellcheck:
enabled: false
languagetool:
enabled: false
markdownlint:
enabled: false
chat:
auto_reply: true