From 747326a2df6cc5d1e692484941b40a4a78b753e2 Mon Sep 17 00:00:00 2001 From: lichaoran Date: Sun, 17 May 2026 08:51:48 +0800 Subject: [PATCH 1/5] ci: migrate to reusable workflows Migrate from individual workflow definitions to organization reusable workflows: - build-and-coverage: go-reusable.yml (build + coverage with incremental analysis) - sast: sast-reusable.yml (static analysis) - gitleaks: gitleaks-reusable.yml (secret scanning) - trivy-vulnerability: trivy-vulnerability-reusable.yml (vulnerability + secret scan) - trivy-license: trivy-license-reusable.yml (license scanning) - check-branch-naming: branch naming validation (PR only) - check-label: PR label validation (PR only) - document-gate: documentation gate (PR only) Related: opensourceways/agent-development-specification#9 --- .github/workflows/build-and-coverage.yml | 15 +++++++++++++++ .github/workflows/check-branch-naming.yml | 12 ++++++++++++ .github/workflows/check-label.yml | 12 ++++++++++++ .github/workflows/document-gate.yml | 12 ++++++++++++ .github/workflows/gitleaks.yml | 14 ++++++++++++++ .github/workflows/sast.yml | 12 ++++++++++++ .github/workflows/trivy-license.yml | 13 +++++++++++++ .github/workflows/trivy-vulnerability.yml | 15 +++++++++++++++ 8 files changed, 105 insertions(+) create mode 100644 .github/workflows/build-and-coverage.yml create mode 100644 .github/workflows/check-branch-naming.yml create mode 100644 .github/workflows/check-label.yml create mode 100644 .github/workflows/document-gate.yml create mode 100644 .github/workflows/gitleaks.yml create mode 100644 .github/workflows/sast.yml create mode 100644 .github/workflows/trivy-license.yml create mode 100644 .github/workflows/trivy-vulnerability.yml diff --git a/.github/workflows/build-and-coverage.yml b/.github/workflows/build-and-coverage.yml new file mode 100644 index 00000000..6b575af1 --- /dev/null +++ b/.github/workflows/build-and-coverage.yml @@ -0,0 +1,15 @@ +name: build-and-coverage + +on: + push: + branches: [review] + workflow_dispatch: + +jobs: + build: + uses: opensourceways/agent-development-specification/.github/workflows/go-reusable.yml@main + env: + GOPROXY: https://goproxy.cn,direct + with: + runs-on: ubuntu-latest + go-version: '1.23.0' diff --git a/.github/workflows/check-branch-naming.yml b/.github/workflows/check-branch-naming.yml new file mode 100644 index 00000000..133ff98b --- /dev/null +++ b/.github/workflows/check-branch-naming.yml @@ -0,0 +1,12 @@ +name: check-branch-naming + +on: + pull_request: + types: [opened, synchronize, reopened] + workflow_dispatch: + +jobs: + check-branch-naming: + uses: opensourceways/agent-development-specification/.github/workflows/check-branch-naming-reusable.yml@main + with: + runs-on: ubuntu-latest diff --git a/.github/workflows/check-label.yml b/.github/workflows/check-label.yml new file mode 100644 index 00000000..f03669cf --- /dev/null +++ b/.github/workflows/check-label.yml @@ -0,0 +1,12 @@ +name: check-label + +on: + pull_request: + types: [opened, synchronize, reopened, edited, labeled, unlabeled] + workflow_dispatch: + +jobs: + check-label: + uses: opensourceways/agent-development-specification/.github/workflows/check-label-reusable.yml@main + with: + runs-on: ubuntu-latest diff --git a/.github/workflows/document-gate.yml b/.github/workflows/document-gate.yml new file mode 100644 index 00000000..fa0a6850 --- /dev/null +++ b/.github/workflows/document-gate.yml @@ -0,0 +1,12 @@ +name: document-gate + +on: + pull_request: + types: [opened, synchronize, reopened, edited, labeled, unlabeled] + workflow_dispatch: + +jobs: + document-gate: + uses: opensourceways/agent-development-specification/.github/workflows/document-gate-reusable.yml@main + with: + runs-on: ubuntu-latest diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml new file mode 100644 index 00000000..b82a3266 --- /dev/null +++ b/.github/workflows/gitleaks.yml @@ -0,0 +1,14 @@ +name: gitleaks + +on: + pull_request: + types: [opened, synchronize, reopened] + workflow_dispatch: + +jobs: + gitleaks: + uses: opensourceways/agent-development-specification/.github/workflows/gitleaks-reusable.yml@main + with: + runs-on: ubuntu-latest + secrets: + github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml new file mode 100644 index 00000000..3a014130 --- /dev/null +++ b/.github/workflows/sast.yml @@ -0,0 +1,12 @@ +name: sast + +on: + pull_request: + types: [opened, synchronize, reopened] + workflow_dispatch: + +jobs: + sast: + uses: opensourceways/agent-development-specification/.github/workflows/sast-reusable.yml@main + with: + runs-on: ubuntu-latest diff --git a/.github/workflows/trivy-license.yml b/.github/workflows/trivy-license.yml new file mode 100644 index 00000000..66caa115 --- /dev/null +++ b/.github/workflows/trivy-license.yml @@ -0,0 +1,13 @@ +name: trivy-license + +on: + pull_request: + types: [opened, synchronize, reopened] + workflow_dispatch: + +jobs: + trivy-license: + uses: opensourceways/agent-development-specification/.github/workflows/trivy-license-reusable.yml@main + with: + runs-on: ubuntu-latest + exit-code: '0' diff --git a/.github/workflows/trivy-vulnerability.yml b/.github/workflows/trivy-vulnerability.yml new file mode 100644 index 00000000..b5d2a873 --- /dev/null +++ b/.github/workflows/trivy-vulnerability.yml @@ -0,0 +1,15 @@ +name: trivy-vulnerability + +on: + pull_request: + types: [opened, synchronize, reopened] + workflow_dispatch: + +jobs: + trivy-vulnerability: + uses: opensourceways/agent-development-specification/.github/workflows/trivy-vulnerability-reusable.yml@main + with: + runs-on: ubuntu-latest + scanners: vuln,secret + severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL + exit-code: '1' From 6d2447fa8dcc6192dec7992eaec0688e0c6c8e93 Mon Sep 17 00:00:00 2001 From: lichaoran Date: Sun, 17 May 2026 09:38:29 +0800 Subject: [PATCH 2/5] fix: remove gitleaks and sast workflows from public repo --- .github/workflows/gitleaks.yml | 14 -------------- .github/workflows/sast.yml | 12 ------------ 2 files changed, 26 deletions(-) delete mode 100644 .github/workflows/gitleaks.yml delete mode 100644 .github/workflows/sast.yml diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml deleted file mode 100644 index b82a3266..00000000 --- a/.github/workflows/gitleaks.yml +++ /dev/null @@ -1,14 +0,0 @@ -name: gitleaks - -on: - pull_request: - types: [opened, synchronize, reopened] - workflow_dispatch: - -jobs: - gitleaks: - uses: opensourceways/agent-development-specification/.github/workflows/gitleaks-reusable.yml@main - with: - runs-on: ubuntu-latest - secrets: - github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml deleted file mode 100644 index 3a014130..00000000 --- a/.github/workflows/sast.yml +++ /dev/null @@ -1,12 +0,0 @@ -name: sast - -on: - pull_request: - types: [opened, synchronize, reopened] - workflow_dispatch: - -jobs: - sast: - uses: opensourceways/agent-development-specification/.github/workflows/sast-reusable.yml@main - with: - runs-on: ubuntu-latest From 478e72859cb12e8dbca940bd38d2fc293e8e5877 Mon Sep 17 00:00:00 2001 From: lichaoran Date: Sun, 17 May 2026 09:42:50 +0800 Subject: [PATCH 3/5] fix: add pull_request trigger to build-and-coverage workflow --- .github/workflows/build-and-coverage.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-and-coverage.yml b/.github/workflows/build-and-coverage.yml index 6b575af1..3764e75c 100644 --- a/.github/workflows/build-and-coverage.yml +++ b/.github/workflows/build-and-coverage.yml @@ -3,6 +3,8 @@ name: build-and-coverage on: push: branches: [review] + pull_request: + branches: [review] workflow_dispatch: jobs: @@ -12,4 +14,6 @@ jobs: GOPROXY: https://goproxy.cn,direct with: runs-on: ubuntu-latest - go-version: '1.23.0' + go-version: '1.24.1' + secrets: + gh-token: ${{ secrets.GH_TOKEN }} From 6257fb27b82deacd4c2308fa29d3ae94b938ea6a Mon Sep 17 00:00:00 2001 From: lichaoran Date: Sun, 17 May 2026 13:11:11 +0800 Subject: [PATCH 4/5] ci: re-trigger workflows after trivy curl fix From 0e11374a8ad6d6e1ebdeacb94a8f763f0fbc670c Mon Sep 17 00:00:00 2001 From: lichaoran Date: Sun, 17 May 2026 16:08:27 +0800 Subject: [PATCH 5/5] ci: remove old workflow files replaced by reusable workflows Removed: check-label-owner.yml,label-check.yml,pr-branch-check.yml,gate-check.yml --- .github/workflows/check-label-owner.yml | 40 ----------------------- .github/workflows/gate-check.yml | 43 ------------------------- .github/workflows/label-check.yml | 19 ----------- .github/workflows/pr-branch-check.yml | 36 --------------------- 4 files changed, 138 deletions(-) delete mode 100644 .github/workflows/check-label-owner.yml delete mode 100644 .github/workflows/gate-check.yml delete mode 100644 .github/workflows/label-check.yml delete mode 100644 .github/workflows/pr-branch-check.yml diff --git a/.github/workflows/check-label-owner.yml b/.github/workflows/check-label-owner.yml deleted file mode 100644 index efa3f972..00000000 --- a/.github/workflows/check-label-owner.yml +++ /dev/null @@ -1,40 +0,0 @@ -name: Check PR Label Owner - -on: - pull_request: - types: - - labeled # 当 PR 被添加标签时触发 -jobs: - verify-label-owner: - runs-on: self-hosted - - steps: - - name: Check if the label was added by the bot - env: - LABEL_NAME: "gate_check_pass" # 替换为需要检查的标签名称 - GITHUB_TOKEN: ${{ secrets.OWNER_TOKEN }} - TARGET_LABEL: "gate_check_pass" # 替换为需要检查的标签名称 - AUTHORIZED_USER: "opensourceways-robot" # 替换为允许添加标签的 bot 用户名 - run: | - - LABEL_NAME=${{ github.event.label.name }} - LABEL_USER=${{ github.event.sender.login }} - - # 检查是否有相关事件 - if [[ "$LABEL_NAME" != "$TARGET_LABEL" ]]; then - echo "No labeled event found for the label '$TARGET_LABEL'. Exiting." - exit 0 - fi - - # 检查最近的标签操作者是否为授权用户 - if [[ "$LABEL_USER" != "$AUTHORIZED_USER" ]]; then - echo "Label '$LABEL_NAME' was added by '$LABEL_USER', not '$AUTHORIZED_USER'. Removing it." - - # 删除标签 - curl -X DELETE \ - -H "Authorization: token ${{ secrets.OWNER_TOKEN }}" \ - -H "Accept: application/vnd.github.v3+json" \ - https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/$TARGET_LABEL - else - echo "Label '$TARGET_LABEL' was added by the authorized user '$AUTHORIZED_USER'. No action needed." - fi \ No newline at end of file diff --git a/.github/workflows/gate-check.yml b/.github/workflows/gate-check.yml deleted file mode 100644 index efa3f810..00000000 --- a/.github/workflows/gate-check.yml +++ /dev/null @@ -1,43 +0,0 @@ -name: Gate Check - -on: - pull_request: - types: [opened, synchronize, reopened] - # 在PR打开、同步、重新打开时触发 - branches: - - main - - master - - release/* - -jobs: - codearts-check: - runs-on: self-hosted - steps: - - name: Check and Remove Label - run: | - # 定义需要移除的标签 - TARGET_LABEL="gate_check_pass" - - # 调用 GitHub API 删除标签 - curl -X DELETE \ - -H "Authorization: token ${{ secrets.OWNER_TOKEN }}" \ - -H "Accept: application/vnd.github.v3+json" \ - https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/$TARGET_LABEL - - name: Checkout repository - uses: actions/checkout@v2 - - - name: Make script executable - run: chmod +x ./.github/script/codearts_check.sh - - - name: Post a comment to the PR - run: | - curl -X POST \ - -H "Authorization: token ${{ secrets.OWNER_TOKEN }}" \ - -H "Accept: application/vnd.github.v3+json" \ - https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments \ - -d '{"body": "开始门禁检查,等门禁检查通过后可以合入"}' - - - name: RUN CodeArts Pipeline - env: - GIT_URL: ${{ github.server_url }}/${{ github.repository }}.git - run: ./.github/script/codearts_check.sh $GITHUB_HEAD_REF ${{ github.event.pull_request.number }} ${{ secrets.CODEARTS_PASSWORD }} ${{ secrets.CODEARTS_PIPELINE }} ${{ secrets.CODEARTS_ENDPOINT_ID }} $GIT_URL ${GITHUB_REPOSITORY%/*} ${GITHUB_REPOSITORY##*/} \ No newline at end of file diff --git a/.github/workflows/label-check.yml b/.github/workflows/label-check.yml deleted file mode 100644 index 9dc6a8f9..00000000 --- a/.github/workflows/label-check.yml +++ /dev/null @@ -1,19 +0,0 @@ -name: PR Label Check - -on: - pull_request: - types: [labeled,unlabeled, opened, reopened, edited] - -jobs: - check-label: - runs-on: self-hosted - steps: - - name: Check PR Labels - uses: actions/github-script@v6 - with: - script: | - const requiredLabel = 'gate_check_pass'; // 替换为你的标签名称 - const labels = context.payload.pull_request.labels.map(label => label.name); - if (!labels.includes(requiredLabel)) { - throw new Error(`PR 必须包含标签: ${requiredLabel}`); - } diff --git a/.github/workflows/pr-branch-check.yml b/.github/workflows/pr-branch-check.yml deleted file mode 100644 index 0f144eb2..00000000 --- a/.github/workflows/pr-branch-check.yml +++ /dev/null @@ -1,36 +0,0 @@ -name: Check Branch Naming for PRs - -on: - pull_request: - types: [opened, synchronize, reopened] - -jobs: - check-branch-naming: - runs-on: self-hosted - - steps: - - name: Checkout code - uses: actions/checkout@v2 - - - name: Check PR source branch against target branch - run: | - # 获取目标分支和源分支 - TARGET_BRANCH="${{ github.base_ref }}" - SOURCE_BRANCH="${{ github.head_ref }}" - - echo "Target branch: $TARGET_BRANCH" - echo "Source branch: $SOURCE_BRANCH" - - # 检查目标分支是否是 default 分支 (main/master) - if [[ "$TARGET_BRANCH" == "${{ github.event.repository.default_branch }}" ]]; then - if [[ ! "$SOURCE_BRANCH" =~ ^release/.* ]]; then - echo "Error: The source branch must be of the form 'release/*' when merging into the default branch." - exit 1 - fi - # 检查目标分支是否是 release/* - elif [[ "$TARGET_BRANCH" =~ ^release/.* ]]; then - if [[ ! "$SOURCE_BRANCH" =~ ^(feature|bugfix)/.* ]]; then - echo "Error: The source branch must be of the form 'feature/*' or 'bugfix/*' when merging into 'release/*'." - exit 1 - fi - fi