feat(core): Add must aliasing for better cleaner application #70
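# Validates every pull request in two independent jobs:
#   * pr-title         - the title must have the form "type(scope): Subject".
#   * scope-path-check - every changed file must match the path pattern
#                        registered for the scope named in the title.
#
# Security notes for maintainers:
#   * The trigger is pull_request_target, so the workflow definition comes from
#     the base branch and the job token is the base repository's, including for
#     PRs opened from forks. Everything taken from the PR (title, number,
#     changed file names) is untrusted input.
#   * Each job declares the minimum token permissions it needs. Keep them
#     read-only unless a step provably requires more.
#   * No step may check out or execute code from the PR head in this workflow.
#   * The scope/path check is a hygiene gate, not an access-control boundary:
#     branch protection and CODEOWNERS remain the enforcement points.
name: Validate PR

on:
  pull_request_target:
    types:
      - opened
      - reopened
      - synchronize
      - edited

# One run per PR; a newer event for the same PR cancels the older run.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  pr-title:
    runs-on: ubuntu-latest
    # NOTE(review): "latest" is a mutable tag; pinning the image by digest
    # makes the job environment reproducible.
    container: ubuntu:latest
    name: Title
    permissions:
      pull-requests: read
      # Presumably needed because `wip: true` reports a commit status - confirm
      # against the action's documentation before widening or removing it.
      statuses: write
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      # NOTE(review): third-party action referenced by a mutable tag. Pinning to
      # a full commit SHA prevents a moved tag from running with this job's token.
      - uses: amannn/action-semantic-pull-request@v5
        with:
          types: |
            chore
            feat
            fix
            refactor
            revert
            style
            test
          scopes: |
            cli
            rules
            github
            gitlab
            analyzer
            autobuilder
            core
            infra
            ci
            docs
          requireScope: true
          subjectPattern: ^[A-Z].+$
          subjectPatternError: |
            The subject "{subject}" found in the pull request title "{title}"
            didn't match the configured pattern. Please ensure that the subject
            starts with an uppercase character.
          wip: true

  scope-path-check:
    runs-on: ubuntu-latest
    name: Scope-Path Check
    permissions:
      contents: read
      pull-requests: read
    steps:
      # No `ref:` is given, so the PR head is not what gets checked out here.
      # Keep it that way: a pull_request_target job must not fetch PR code.
      # The script below reads the change list through the API only, so the
      # token does not need to stay in the local git configuration.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Validate scope matches changed paths
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Untrusted values are handed over as environment variables and are
          # never interpolated into the script text, which would allow a PR
          # title to inject shell syntax.
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          set -euo pipefail

          # Extract "scope" from "type(scope): ...". The result is untrusted and
          # is only used as a lookup key and in log messages.
          SCOPE=$(printf '%s\n' "$PR_TITLE" | sed -n 's/^[a-z]*(\([^)]*\)).*/\1/p')
          if [ -z "$SCOPE" ]; then
            echo "Could not extract scope from PR title: $PR_TITLE"
            exit 1
          fi

          # scope -> extended regex that every changed path must match.
          declare -A SCOPE_PATHS
          SCOPE_PATHS[cli]="^(cli/|\.github/workflows/(ci|release)-cli\.)"
          SCOPE_PATHS[rules]="^(rules/|\.github/workflows/(ci|release)-rules\.)"
          SCOPE_PATHS[github]="^(github/|\.github/workflows/(ci|release)-github\.)"
          SCOPE_PATHS[gitlab]="^(gitlab/|\.github/workflows/release-gitlab\.)"

          AUTOBUILDER_MODULES=(
            "opentaint-jvm-autobuilder/"
            "opentaint-project-model/"
            "opentaint-common-build/"
            "opentaint-utils/cli-util/"
            "opentaint-utils/build\.gradle\.kts"
            "opentaint-utils/settings\.gradle\.kts"
            "opentaint-utils/buildSrc/"
            "build\.gradle\.kts"
            "settings\.gradle\.kts"
            "buildSrc/"
          )
          # Join the module list with "|" to form a regex alternation.
          AUTOBUILDER_PATTERN=$(IFS="|"; echo "${AUTOBUILDER_MODULES[*]}")
          SCOPE_PATHS[autobuilder]="^(core/(${AUTOBUILDER_PATTERN})|\.github/workflows/(ci|publish)-autobuilder\.)"

          SCOPE_PATHS[infra]="^(infra/|\.github/workflows/publish-infra)"
          # The ci scope covers everything under .github/, including this
          # workflow; changes made under it deserve a careful human review.
          SCOPE_PATHS[ci]="^(\.github/|release-notes-transform\.cjs|[^/]+/\.releaserc\.cjs)"

          ANALYZER_MODULES=(
            "opentaint-jvm-sast-dataflow/"
            "opentaint-jvm-sast-project/"
            "opentaint-jvm-sast-se-api/"
            "opentaint-java-querylang/"
            "opentaint-config/"
            "opentaint-configuration-rules/"
            "opentaint-ir/"
            "opentaint-dataflow-core/"
            "opentaint-utils/common-util/"
            "opentaint-utils/opentaint-jvm-util/"
            "opentaint-utils/build\.gradle\.kts"
            "opentaint-utils/settings\.gradle\.kts"
            "opentaint-utils/buildSrc/"
            "build\.gradle\.kts"
            "settings\.gradle\.kts"
            "buildSrc/"
            "src/"
            "opentaint-sast-test-util/"
          )
          ANALYZER_PATTERN=$(IFS="|"; echo "${ANALYZER_MODULES[*]}")
          SCOPE_PATHS[analyzer]="^(core/(${ANALYZER_PATTERN})|\.github/workflows/((ci|publish)-analyzer|ci-analyzer-owasp|ci-(dataflow|ir))\.)"
          SCOPE_PATHS[core]="^(core/|\.github/workflows/(pr-title|((ci|publish)-analyzer)|ci-analyzer-owasp|((ci|publish)-autobuilder)|ci-(dataflow|ir))\.)"

          DOCS_PATTERNS=(
            "docs/"
            "(.*/)?README\.md"
            "(.*/)?CHANGELOG\.md"
            "logos/"
            "(.*/)?LICENSE(\.md)?"
            ".*\.svg"
            ".*\.png"
          )
          DOCS_PATTERN=$(IFS="|"; echo "${DOCS_PATTERNS[*]}")
          SCOPE_PATHS[docs]="^(${DOCS_PATTERN})"

          # An unregistered scope yields an empty pattern and fails the job.
          ALLOWED="${SCOPE_PATHS[$SCOPE]:-}"
          if [ -z "$ALLOWED" ]; then
            echo "Unknown scope: $SCOPE"
            exit 1
          fi

          CHANGED=$(gh pr diff "$PR_NUMBER" --name-only --repo "$GITHUB_REPOSITORY")

          # Collect offending paths in an array and print them with printf:
          # file names come from the PR, and `echo -e` would expand any
          # backslash escapes they contain instead of showing them literally.
          VIOLATIONS=()
          while IFS= read -r file; do
            [ -z "$file" ] && continue
            # A here-string avoids a pipeline, so `pipefail` cannot turn an
            # early grep exit into a spurious mismatch.
            if ! grep -qE -- "$ALLOWED" <<< "$file"; then
              VIOLATIONS+=("$file")
            fi
          done <<< "$CHANGED"

          if [ "${#VIOLATIONS[@]}" -gt 0 ]; then
            echo "ERROR: PR scope ($SCOPE) does not match these changed files:"
            printf '  %s\n' "${VIOLATIONS[@]}"
            echo ""
            echo "Each PR must only touch files belonging to its scope."
            echo "Allowed pattern for scope '$SCOPE': $ALLOWED"
            exit 1
          fi
          echo "All changed files match scope '$SCOPE'"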