From d0de5a3ef2f9c9b4995acb75d26acf6c9b0ced14 Mon Sep 17 00:00:00 2001 From: lichaoran Date: Sun, 17 May 2026 08:51:35 +0800 Subject: [PATCH 1/4] ci: migrate to reusable workflows Migrate from individual workflow definitions to organization reusable workflows: - build-and-coverage: go-reusable.yml (build + coverage with incremental analysis) - sast: sast-reusable.yml (static analysis) - gitleaks: gitleaks-reusable.yml (secret scanning) - trivy-vulnerability: trivy-vulnerability-reusable.yml (vulnerability + secret scan) - trivy-license: trivy-license-reusable.yml (license scanning) - check-branch-naming: branch naming validation (PR only) - check-label: PR label validation (PR only) - document-gate: documentation gate (PR only) Related: opensourceways/agent-development-specification#9 --- .github/workflows/build-and-coverage.yml | 15 +++++++++++++++ .github/workflows/check-branch-naming.yml | 12 ++++++++++++ .github/workflows/check-label.yml | 12 ++++++++++++ .github/workflows/document-gate.yml | 12 ++++++++++++ .github/workflows/gitleaks.yml | 14 ++++++++++++++ .github/workflows/sast.yml | 12 ++++++++++++ .github/workflows/trivy-license.yml | 13 +++++++++++++ .github/workflows/trivy-vulnerability.yml | 15 +++++++++++++++ 8 files changed, 105 insertions(+) create mode 100644 .github/workflows/build-and-coverage.yml create mode 100644 .github/workflows/check-branch-naming.yml create mode 100644 .github/workflows/check-label.yml create mode 100644 .github/workflows/document-gate.yml create mode 100644 .github/workflows/gitleaks.yml create mode 100644 .github/workflows/sast.yml create mode 100644 .github/workflows/trivy-license.yml create mode 100644 .github/workflows/trivy-vulnerability.yml diff --git a/.github/workflows/build-and-coverage.yml b/.github/workflows/build-and-coverage.yml new file mode 100644 index 00000000..1d69a916 --- /dev/null +++ b/.github/workflows/build-and-coverage.yml @@ -0,0 +1,15 @@ +name: build-and-coverage + +on: + push: + branches: [master] + workflow_dispatch: + +jobs: + build: + uses: opensourceways/agent-development-specification/.github/workflows/go-reusable.yml@main + env: + GOPROXY: https://goproxy.cn,direct + with: + runs-on: ubuntu-latest + go-version: '1.21' diff --git a/.github/workflows/check-branch-naming.yml b/.github/workflows/check-branch-naming.yml new file mode 100644 index 00000000..133ff98b --- /dev/null +++ b/.github/workflows/check-branch-naming.yml @@ -0,0 +1,12 @@ +name: check-branch-naming + +on: + pull_request: + types: [opened, synchronize, reopened] + workflow_dispatch: + +jobs: + check-branch-naming: + uses: opensourceways/agent-development-specification/.github/workflows/check-branch-naming-reusable.yml@main + with: + runs-on: ubuntu-latest diff --git a/.github/workflows/check-label.yml b/.github/workflows/check-label.yml new file mode 100644 index 00000000..f03669cf --- /dev/null +++ b/.github/workflows/check-label.yml @@ -0,0 +1,12 @@ +name: check-label + +on: + pull_request: + types: [opened, synchronize, reopened, edited, labeled, unlabeled] + workflow_dispatch: + +jobs: + check-label: + uses: opensourceways/agent-development-specification/.github/workflows/check-label-reusable.yml@main + with: + runs-on: ubuntu-latest diff --git a/.github/workflows/document-gate.yml b/.github/workflows/document-gate.yml new file mode 100644 index 00000000..fa0a6850 --- /dev/null +++ b/.github/workflows/document-gate.yml @@ -0,0 +1,12 @@ +name: document-gate + +on: + pull_request: + types: [opened, synchronize, reopened, edited, labeled, unlabeled] + workflow_dispatch: + +jobs: + document-gate: + uses: opensourceways/agent-development-specification/.github/workflows/document-gate-reusable.yml@main + with: + runs-on: ubuntu-latest diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml new file mode 100644 index 00000000..b82a3266 --- /dev/null +++ b/.github/workflows/gitleaks.yml @@ -0,0 +1,14 @@ +name: gitleaks + +on: + pull_request: + types: [opened, synchronize, reopened] + workflow_dispatch: + +jobs: + gitleaks: + uses: opensourceways/agent-development-specification/.github/workflows/gitleaks-reusable.yml@main + with: + runs-on: ubuntu-latest + secrets: + github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml new file mode 100644 index 00000000..3a014130 --- /dev/null +++ b/.github/workflows/sast.yml @@ -0,0 +1,12 @@ +name: sast + +on: + pull_request: + types: [opened, synchronize, reopened] + workflow_dispatch: + +jobs: + sast: + uses: opensourceways/agent-development-specification/.github/workflows/sast-reusable.yml@main + with: + runs-on: ubuntu-latest diff --git a/.github/workflows/trivy-license.yml b/.github/workflows/trivy-license.yml new file mode 100644 index 00000000..66caa115 --- /dev/null +++ b/.github/workflows/trivy-license.yml @@ -0,0 +1,13 @@ +name: trivy-license + +on: + pull_request: + types: [opened, synchronize, reopened] + workflow_dispatch: + +jobs: + trivy-license: + uses: opensourceways/agent-development-specification/.github/workflows/trivy-license-reusable.yml@main + with: + runs-on: ubuntu-latest + exit-code: '0' diff --git a/.github/workflows/trivy-vulnerability.yml b/.github/workflows/trivy-vulnerability.yml new file mode 100644 index 00000000..b5d2a873 --- /dev/null +++ b/.github/workflows/trivy-vulnerability.yml @@ -0,0 +1,15 @@ +name: trivy-vulnerability + +on: + pull_request: + types: [opened, synchronize, reopened] + workflow_dispatch: + +jobs: + trivy-vulnerability: + uses: opensourceways/agent-development-specification/.github/workflows/trivy-vulnerability-reusable.yml@main + with: + runs-on: ubuntu-latest + scanners: vuln,secret + severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL + exit-code: '1' From 5f62463baacc7a09ea40b5cb3f929c08fcff1c2b Mon Sep 17 00:00:00 2001 From: lichaoran Date: Sun, 17 May 2026 09:38:25 +0800 Subject: [PATCH 2/4] fix: remove gitleaks and sast workflows from public repo --- .github/workflows/gitleaks.yml | 14 -------------- .github/workflows/sast.yml | 12 ------------ 2 files changed, 26 deletions(-) delete mode 100644 .github/workflows/gitleaks.yml delete mode 100644 .github/workflows/sast.yml diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml deleted file mode 100644 index b82a3266..00000000 --- a/.github/workflows/gitleaks.yml +++ /dev/null @@ -1,14 +0,0 @@ -name: gitleaks - -on: - pull_request: - types: [opened, synchronize, reopened] - workflow_dispatch: - -jobs: - gitleaks: - uses: opensourceways/agent-development-specification/.github/workflows/gitleaks-reusable.yml@main - with: - runs-on: ubuntu-latest - secrets: - github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml deleted file mode 100644 index 3a014130..00000000 --- a/.github/workflows/sast.yml +++ /dev/null @@ -1,12 +0,0 @@ -name: sast - -on: - pull_request: - types: [opened, synchronize, reopened] - workflow_dispatch: - -jobs: - sast: - uses: opensourceways/agent-development-specification/.github/workflows/sast-reusable.yml@main - with: - runs-on: ubuntu-latest From 20a47d7be88d55aefad4063789eadc5ebbb7a613 Mon Sep 17 00:00:00 2001 From: lichaoran Date: Sun, 17 May 2026 09:42:45 +0800 Subject: [PATCH 3/4] fix: add pull_request trigger to build-and-coverage workflow --- .github/workflows/build-and-coverage.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-and-coverage.yml b/.github/workflows/build-and-coverage.yml index 1d69a916..e4f0a625 100644 --- a/.github/workflows/build-and-coverage.yml +++ b/.github/workflows/build-and-coverage.yml @@ -3,6 +3,8 @@ name: build-and-coverage on: push: branches: [master] + pull_request: + branches: [master] workflow_dispatch: jobs: @@ -12,4 +14,6 @@ jobs: GOPROXY: https://goproxy.cn,direct with: runs-on: ubuntu-latest - go-version: '1.21' + go-version: '1.20' + secrets: + gh-token: ${{ secrets.GH_TOKEN }} From 4d4986b287d62b195607d972c53a34aca1d8c643 Mon Sep 17 00:00:00 2001 From: lichaoran Date: Sun, 17 May 2026 13:11:29 +0800 Subject: [PATCH 4/4] ci: re-trigger workflows after trivy curl fix