diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..2ba36cb --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,72 @@ +# This file is managed by the repo-content-updater project. Manual changes here will result in a PR to bring back +# inline with the upstream template, unless you remove the dependabot managed file property from the repo + +version: 2 +updates: + - package-ecosystem: "gomod" + directory: / + schedule: + interval: "weekly" + day: "tuesday" + open-pull-requests-limit: 10 + rebase-strategy: auto + labels: + - dependencies + - go + - "Changed" + reviewers: ["cmmarslender", "starttoaster"] + groups: + global: + patterns: + - "*" + + - package-ecosystem: "pip" + directory: / + schedule: + interval: "weekly" + day: "tuesday" + open-pull-requests-limit: 10 + rebase-strategy: auto + labels: + - dependencies + - python + - "Changed" + reviewers: ["emlowe", "altendky"] + + - package-ecosystem: "github-actions" + directories: ["/", ".github/actions/*"] + schedule: + interval: "weekly" + day: "tuesday" + open-pull-requests-limit: 10 + rebase-strategy: auto + labels: + - dependencies + - github_actions + - "Changed" + reviewers: ["cmmarslender", "Starttoaster", "pmaslana"] + + - package-ecosystem: "npm" + directory: / + schedule: + interval: "weekly" + day: "tuesday" + open-pull-requests-limit: 10 + rebase-strategy: auto + labels: + - dependencies + - javascript + - "Changed" + reviewers: ["cmmarslender", "ChiaMineJP"] + + - package-ecosystem: cargo + directory: / + schedule: + interval: "weekly" + day: "tuesday" + open-pull-requests-limit: 10 + rebase-strategy: auto + labels: + - dependencies + - rust + - "Changed" diff --git a/.github/workflows/check-commit-signing.yml b/.github/workflows/check-commit-signing.yml new file mode 100644 index 0000000..fa34811 --- /dev/null +++ b/.github/workflows/check-commit-signing.yml @@ -0,0 +1,29 @@ +name: 🚨 Check commit signing + +on: + push: + branches: + - long_lived/** + - main + - release/** + pull_request: + branches: + - "**" + +concurrency: + group: ${{ github.event_name == 'pull_request' && format('{0}-{1}', github.workflow_ref, github.event.pull_request.number) || github.run_id }} + cancel-in-progress: true + +jobs: + check-commit-signing: + name: Check commit signing + runs-on: [ubuntu-latest] + timeout-minutes: 5 + + steps: + - name: Checkout Code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - uses: chia-network/actions/check-commit-signing@main diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..53b8c12 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,25 @@ +# Managed by repo-content-updater +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement +name: "🚨 Dependency Review" +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: "Checkout Repository" + uses: actions/checkout@v4 + + - name: "Dependency Review" + uses: actions/dependency-review-action@v4 + with: + allow-dependencies-licenses: pkg:pypi/pyinstaller + deny-licenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-1.0-or-later, AGPL-3.0-or-later, GPL-1.0-only, GPL-1.0-or-later, GPL-2.0-only, GPL-2.0-or-later, GPL-3.0-only, GPL-3.0-or-later