feat: add org-level commit-check.toml and dogfooding workflow #19
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| name: Commit Check | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: 'main' | ||
| types: [opened, synchronize, reopened, edited] | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| commit-check: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v7.0.0 | ||
| with: | ||
| fetch-depth: 0 # Required for merge-base checks | ||
| - uses: commit-check/commit-check-action@v2.10.0 | ||
| with: | ||
| message: true | ||
| branch: true | ||
| job-summary: true | ||
| pr-comments: true | ||
| pr-title: true | ||
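Review bot: `commit-check/commit-check-action@v2.10.0` on the last `uses:` line is a mutable tag, while `actions/checkout` two steps above is pinned to a full commit SHA with the version kept in a trailing comment; since the job holds `pull-requests: write`, a moved or recreated `v2.10.0` tag would run with that write token. Pin it the same way, `uses: commit-check/commit-check-action@<full 40-hex SHA> # v2.10.0` (placeholder, look up the SHA for the release), and keep zizmor's `unpinned-uses` check in CI as the regression test. Separately, `workflow_dispatch` runs carry no pull request in context, so confirm that `pr-comments: true` and `pr-title: true` degrade cleanly there, or add `if: github.event_name == 'pull_request'` to the step.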
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| # ============================================================================ | ||
| # commit-check — org-level base configuration | ||
| # | ||
| # Repos within the commit-check org can inherit this config by placing the | ||
| # following directive at the top of their own commit-check.toml: | ||
| # | ||
| # inherit_from = "github:commit-check/.github:commit-check.toml" | ||
| # | ||
| # Local settings override the inherited values (shallow merge per section). | ||
| # See https://github.com/commit-check/commit-check for full documentation. | ||
| # ============================================================================ | ||
|
|
||
| [commit] | ||
| # https://www.conventionalcommits.org | ||
| conventional_commits = true | ||
| subject_capitalized = false | ||
| subject_imperative = true | ||
| subject_max_length = 100 | ||
| subject_min_length = 5 | ||
| allow_commit_types = ["feat", "fix", "docs", "style", "refactor", "test", "chore", "ci"] | ||
| allow_merge_commits = true | ||
| allow_revert_commits = true | ||
| allow_empty_commits = false | ||
| allow_fixup_commits = true | ||
| allow_wip_commits = false | ||
| require_body = false | ||
| require_signed_off_by = false | ||
| ignore_authors = ["dependabot[bot]", "copilot[bot]", "pre-commit-ci[bot]", "coderabbitai[bot]"] | ||
|
|
||
| [branch] | ||
| # https://conventional-branch.github.io/ | ||
| conventional_branch = true | ||
| allow_branch_types = ["feature", "bugfix", "hotfix", "release", "chore", "feat", "fix", "ai", "claude", "codex", "copilot", "cursor"] | ||
| ignore_authors = ["dependabot[bot]", "copilot[bot]", "pre-commit-ci[bot]", "shenxianpeng"] | ||
|
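Review bot: the `[branch]` `ignore_authors` list on the last line of the file exempts a personal account, `shenxianpeng`, from the conventional-branch check, and diverges from the `[commit]` `ignore_authors` list earlier in the hunk, which exempts `coderabbitai[bot]` instead. Because the header comment presents this file as the org-wide base that other repos inherit, a personal exemption here propagates to every inheriting repo. Suggest keeping the two lists identical (bot accounts only) and moving the personal exemption into that one repo's local `commit-check.toml`, where the documented shallow merge per section will override the inherited value.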
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Restore Line 35 diverges from both Line 28 and the stated shared-policy objective:
🔒 Security & Privacy | 🟠 Major
Pin `commit-check-action` to a full commit SHA. Line 19 uses the mutable tag `v2.10.0`. Since this job has `pull-requests: write` permission (lines 12–14), using a mutable reference weakens supply-chain security. Pin `commit-check-action` to the specific commit SHA corresponding to `v2.10.0` to ensure reproducible and secure execution, matching the pattern used for `actions/checkout` on line 16.
🧰 Tools
🪛 zizmor (1.26.1)
[error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)