From ad6dc9f98c74b8aab49fb11844ef2465950557c9 Mon Sep 17 00:00:00 2001 From: lichaoran Date: Sun, 17 May 2026 16:14:24 +0800 Subject: [PATCH] ci: migrate to reusable workflows Migrate from individual workflow definitions to organization reusable workflows. Added: build-and-coverage.yml, sast.yml, gitleaks.yml, trivy-vulnerability.yml, trivy-license.yml, check-branch-naming.yml, check-label.yml, document-gate.yml Removed: old check-label-owner.yml, label-check.yml, pr-branch-check.yml, gate-check.yml, go.yml Resolves https://github.com/opensourceways/backlog/issues/367 Related: opensourceways/agent-development-specification#9 --- .github/workflows/build-and-coverage.yml | 19 ++++++++++ .github/workflows/check-branch-naming.yml | 12 +++++++ .github/workflows/check-label-owner.yml | 40 --------------------- .github/workflows/check-label.yml | 12 +++++++ .github/workflows/document-gate.yml | 12 +++++++ .github/workflows/gate-check.yml | 43 ----------------------- .github/workflows/label-check.yml | 19 ---------- .github/workflows/pr-branch-check.yml | 36 ------------------- .github/workflows/trivy-license.yml | 13 +++++++ .github/workflows/trivy-vulnerability.yml | 15 ++++++++ 10 files changed, 83 insertions(+), 138 deletions(-) create mode 100644 .github/workflows/build-and-coverage.yml create mode 100644 .github/workflows/check-branch-naming.yml delete mode 100644 .github/workflows/check-label-owner.yml create mode 100644 .github/workflows/check-label.yml create mode 100644 .github/workflows/document-gate.yml delete mode 100644 .github/workflows/gate-check.yml delete mode 100644 .github/workflows/label-check.yml delete mode 100644 .github/workflows/pr-branch-check.yml create mode 100644 .github/workflows/trivy-license.yml create mode 100644 .github/workflows/trivy-vulnerability.yml diff --git a/.github/workflows/build-and-coverage.yml b/.github/workflows/build-and-coverage.yml new file mode 100644 index 00000000..c0ea855a --- /dev/null +++ b/.github/workflows/build-and-coverage.yml @@ -0,0 +1,19 @@ +name: build-and-coverage + +on: + push: + branches: [review] + pull_request: + branches: [review] + workflow_dispatch: + +jobs: + build: + uses: opensourceways/agent-development-specification/.github/workflows/go-reusable.yml@main + env: + GOPROXY: https://goproxy.cn,direct + with: + runs-on: linux-amd64-cpu-4 + go-version: '1.24.1' + secrets: + gh-token: ${{ secrets.GH_TOKEN }} diff --git a/.github/workflows/check-branch-naming.yml b/.github/workflows/check-branch-naming.yml new file mode 100644 index 00000000..5373d9cc --- /dev/null +++ b/.github/workflows/check-branch-naming.yml @@ -0,0 +1,12 @@ +name: check-branch-naming + +on: + pull_request: + types: [opened, synchronize, reopened] + workflow_dispatch: + +jobs: + check-branch-naming: + uses: opensourceways/agent-development-specification/.github/workflows/check-branch-naming-reusable.yml@main + with: + runs-on: linux-amd64-cpu-1 diff --git a/.github/workflows/check-label-owner.yml b/.github/workflows/check-label-owner.yml deleted file mode 100644 index efa3f972..00000000 --- a/.github/workflows/check-label-owner.yml +++ /dev/null @@ -1,40 +0,0 @@ -name: Check PR Label Owner - -on: - pull_request: - types: - - labeled # 当 PR 被添加标签时触发 -jobs: - verify-label-owner: - runs-on: self-hosted - - steps: - - name: Check if the label was added by the bot - env: - LABEL_NAME: "gate_check_pass" # 替换为需要检查的标签名称 - GITHUB_TOKEN: ${{ secrets.OWNER_TOKEN }} - TARGET_LABEL: "gate_check_pass" # 替换为需要检查的标签名称 - AUTHORIZED_USER: "opensourceways-robot" # 替换为允许添加标签的 bot 用户名 - run: | - - LABEL_NAME=${{ github.event.label.name }} - LABEL_USER=${{ github.event.sender.login }} - - # 检查是否有相关事件 - if [[ "$LABEL_NAME" != "$TARGET_LABEL" ]]; then - echo "No labeled event found for the label '$TARGET_LABEL'. Exiting." - exit 0 - fi - - # 检查最近的标签操作者是否为授权用户 - if [[ "$LABEL_USER" != "$AUTHORIZED_USER" ]]; then - echo "Label '$LABEL_NAME' was added by '$LABEL_USER', not '$AUTHORIZED_USER'. Removing it." - - # 删除标签 - curl -X DELETE \ - -H "Authorization: token ${{ secrets.OWNER_TOKEN }}" \ - -H "Accept: application/vnd.github.v3+json" \ - https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/$TARGET_LABEL - else - echo "Label '$TARGET_LABEL' was added by the authorized user '$AUTHORIZED_USER'. No action needed." - fi \ No newline at end of file diff --git a/.github/workflows/check-label.yml b/.github/workflows/check-label.yml new file mode 100644 index 00000000..433a1dee --- /dev/null +++ b/.github/workflows/check-label.yml @@ -0,0 +1,12 @@ +name: check-label + +on: + pull_request: + types: [opened, synchronize, reopened, edited, labeled, unlabeled] + workflow_dispatch: + +jobs: + check-label: + uses: opensourceways/agent-development-specification/.github/workflows/check-label-reusable.yml@main + with: + runs-on: linux-amd64-cpu-1 diff --git a/.github/workflows/document-gate.yml b/.github/workflows/document-gate.yml new file mode 100644 index 00000000..2fa61dc2 --- /dev/null +++ b/.github/workflows/document-gate.yml @@ -0,0 +1,12 @@ +name: document-gate + +on: + pull_request: + types: [opened, synchronize, reopened, edited, labeled, unlabeled] + workflow_dispatch: + +jobs: + document-gate: + uses: opensourceways/agent-development-specification/.github/workflows/document-gate-reusable.yml@main + with: + runs-on: linux-amd64-cpu-1 diff --git a/.github/workflows/gate-check.yml b/.github/workflows/gate-check.yml deleted file mode 100644 index efa3f810..00000000 --- a/.github/workflows/gate-check.yml +++ /dev/null @@ -1,43 +0,0 @@ -name: Gate Check - -on: - pull_request: - types: [opened, synchronize, reopened] - # 在PR打开、同步、重新打开时触发 - branches: - - main - - master - - release/* - -jobs: - codearts-check: - runs-on: self-hosted - steps: - - name: Check and Remove Label - run: | - # 定义需要移除的标签 - TARGET_LABEL="gate_check_pass" - - # 调用 GitHub API 删除标签 - curl -X DELETE \ - -H "Authorization: token ${{ secrets.OWNER_TOKEN }}" \ - -H "Accept: application/vnd.github.v3+json" \ - https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/$TARGET_LABEL - - name: Checkout repository - uses: actions/checkout@v2 - - - name: Make script executable - run: chmod +x ./.github/script/codearts_check.sh - - - name: Post a comment to the PR - run: | - curl -X POST \ - -H "Authorization: token ${{ secrets.OWNER_TOKEN }}" \ - -H "Accept: application/vnd.github.v3+json" \ - https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments \ - -d '{"body": "开始门禁检查,等门禁检查通过后可以合入"}' - - - name: RUN CodeArts Pipeline - env: - GIT_URL: ${{ github.server_url }}/${{ github.repository }}.git - run: ./.github/script/codearts_check.sh $GITHUB_HEAD_REF ${{ github.event.pull_request.number }} ${{ secrets.CODEARTS_PASSWORD }} ${{ secrets.CODEARTS_PIPELINE }} ${{ secrets.CODEARTS_ENDPOINT_ID }} $GIT_URL ${GITHUB_REPOSITORY%/*} ${GITHUB_REPOSITORY##*/} \ No newline at end of file diff --git a/.github/workflows/label-check.yml b/.github/workflows/label-check.yml deleted file mode 100644 index 9dc6a8f9..00000000 --- a/.github/workflows/label-check.yml +++ /dev/null @@ -1,19 +0,0 @@ -name: PR Label Check - -on: - pull_request: - types: [labeled,unlabeled, opened, reopened, edited] - -jobs: - check-label: - runs-on: self-hosted - steps: - - name: Check PR Labels - uses: actions/github-script@v6 - with: - script: | - const requiredLabel = 'gate_check_pass'; // 替换为你的标签名称 - const labels = context.payload.pull_request.labels.map(label => label.name); - if (!labels.includes(requiredLabel)) { - throw new Error(`PR 必须包含标签: ${requiredLabel}`); - } diff --git a/.github/workflows/pr-branch-check.yml b/.github/workflows/pr-branch-check.yml deleted file mode 100644 index 0f144eb2..00000000 --- a/.github/workflows/pr-branch-check.yml +++ /dev/null @@ -1,36 +0,0 @@ -name: Check Branch Naming for PRs - -on: - pull_request: - types: [opened, synchronize, reopened] - -jobs: - check-branch-naming: - runs-on: self-hosted - - steps: - - name: Checkout code - uses: actions/checkout@v2 - - - name: Check PR source branch against target branch - run: | - # 获取目标分支和源分支 - TARGET_BRANCH="${{ github.base_ref }}" - SOURCE_BRANCH="${{ github.head_ref }}" - - echo "Target branch: $TARGET_BRANCH" - echo "Source branch: $SOURCE_BRANCH" - - # 检查目标分支是否是 default 分支 (main/master) - if [[ "$TARGET_BRANCH" == "${{ github.event.repository.default_branch }}" ]]; then - if [[ ! "$SOURCE_BRANCH" =~ ^release/.* ]]; then - echo "Error: The source branch must be of the form 'release/*' when merging into the default branch." - exit 1 - fi - # 检查目标分支是否是 release/* - elif [[ "$TARGET_BRANCH" =~ ^release/.* ]]; then - if [[ ! "$SOURCE_BRANCH" =~ ^(feature|bugfix)/.* ]]; then - echo "Error: The source branch must be of the form 'feature/*' or 'bugfix/*' when merging into 'release/*'." - exit 1 - fi - fi diff --git a/.github/workflows/trivy-license.yml b/.github/workflows/trivy-license.yml new file mode 100644 index 00000000..66caa115 --- /dev/null +++ b/.github/workflows/trivy-license.yml @@ -0,0 +1,13 @@ +name: trivy-license + +on: + pull_request: + types: [opened, synchronize, reopened] + workflow_dispatch: + +jobs: + trivy-license: + uses: opensourceways/agent-development-specification/.github/workflows/trivy-license-reusable.yml@main + with: + runs-on: ubuntu-latest + exit-code: '0' diff --git a/.github/workflows/trivy-vulnerability.yml b/.github/workflows/trivy-vulnerability.yml new file mode 100644 index 00000000..b5d2a873 --- /dev/null +++ b/.github/workflows/trivy-vulnerability.yml @@ -0,0 +1,15 @@ +name: trivy-vulnerability + +on: + pull_request: + types: [opened, synchronize, reopened] + workflow_dispatch: + +jobs: + trivy-vulnerability: + uses: opensourceways/agent-development-specification/.github/workflows/trivy-vulnerability-reusable.yml@main + with: + runs-on: ubuntu-latest + scanners: vuln,secret + severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL + exit-code: '1'