fixed multiple security vulnerabilities #73
| name: GitMesh Steward Bot | |
| # ⚠️ LOOP PREVENTION: | |
| # This workflow has multiple safeguards to prevent infinite PR loops: | |
| # 1. paths-ignore on push events excludes 'governance/**' | |
| # 2. Job-level 'if' condition filters out commits by github-actions[bot] | |
| # 3. Job-level 'if' condition filters out PRs with title matching bot's pattern | |
| # 4. Commit message includes [skip ci] marker as additional safety | |
| # 5. Workflow checks for existing open PRs before creating new ones | |
| on: | |
| schedule: | |
| - cron: '0 0 * * *' | |
| pull_request: | |
| types: [closed] | |
| paths: | |
| - 'governance/contributors.yaml' | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - 'governance/**' | |
| - '.github/workflows/gov-sync.yml' | |
| workflow_dispatch: # Allow manual trigger | |
| jobs: | |
| sync-engine: | |
| # Run on schedule, manual trigger, push to main, or merged PR | |
| # IMPORTANT: Skip if triggered by the bot's own commits or PRs to prevent infinite loops | |
| if: | | |
| (github.event_name == 'schedule' || | |
| github.event_name == 'workflow_dispatch' || | |
| github.event_name == 'push' || | |
| (github.event_name == 'pull_request' && github.event.pull_request.merged == true)) && | |
| (github.event.head_commit.author.email != '41898282+github-actions[bot]@users.noreply.github.com' || | |
| github.event.head_commit.author.email == null) && | |
| (github.event.pull_request.title != 'chore(gov): automated governance registry & history sync' || | |
| github.event.pull_request.title == null) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| token: ${{ secrets.GH_PAT || secrets.GITHUB_TOKEN }} | |
| - name: Setup Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.10' | |
| - name: Install Dependencies | |
| run: pip install PyYAML requests | |
| - name: Execute Governance Logic | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GH_PAT || secrets.GITHUB_TOKEN }} | |
| run: python .github/scripts/governance_engine.py | |
| # Create a PR with updates instead of pushing directly to main | |
| - name: Commit and Create/Update PR | |
| env: | |
| GH_TOKEN: ${{ secrets.GH_PAT || secrets.GITHUB_TOKEN }} | |
| run: | | |
| git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| git config --local user.name "github-actions[bot]" | |
| # Explicitly set remote with token to ensure write access | |
| git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git" | |
| git add governance/ | |
| # Check if there are changes | |
| if git diff --quiet && git diff --staged --quiet; then | |
| echo "No changes to governance files" | |
| exit 0 | |
| fi | |
| # Export GITHUB_TOKEN for gh cli | |
| export GITHUB_TOKEN=$GH_TOKEN | |
| # Check if an open governance sync PR already exists (search by title pattern) | |
| EXISTING_PR=$(gh pr list --base main --state open --json number,title --jq '.[] | select(.title | startswith("chore(gov): auto-sync")) | .number' | head -1 || echo "") | |
| if [ -n "$EXISTING_PR" ]; then | |
| echo "An open governance sync PR already exists (PR #$EXISTING_PR). Skipping PR creation." | |
| exit 0 | |
| fi | |
| # Create a unique branch for governance updates | |
| BRANCH_NAME="governance-sync-$(date +%Y%m%d-%H%M%S)" | |
| git checkout -b "$BRANCH_NAME" | |
| git commit -s -m "chore(gov): auto-sync activity and history logs [skip ci]" \ | |
| -m "Auto-generated governance update triggered by workflow run." \ | |
| -m "Automated by: github-actions[bot]" | |
| git push origin "$BRANCH_NAME" | |
| # Extract Code Owners from .github/CODEOWNERS for notification | |
| CODE_OWNERS="" | |
| if [ -f ".github/CODEOWNERS" ]; then | |
| # Find line matching governance/contributors.yaml and extract @usernames | |
| CODE_OWNERS=$(grep "governance/contributors.yaml" .github/CODEOWNERS | grep -o "@[a-zA-Z0-9-]*" | tr '\n' ' ') | |
| fi | |
| # Create PR using GitHub CLI | |
| PR_TITLE="chore(gov): automated governance registry & history sync" | |
| PR_BODY="## 🤖 GitMesh Steward Bot Report | |
| **Automated Governance Sync** | |
| This PR contains automated updates to the **GitMesh Community Edition** governance registry and history logs. | |
| ### 🔄 Updates Included | |
| - **Activity Sync**: Updated contributor activity status based on recent GitHub events. | |
| - **History Log**: Synced recent contributions (PRs, reviews, comments) to the immutable ledger. | |
| - **Role Management**: Processed any pending role changes or promotions. | |
| - **Audit Trail**: Maintained historical records in \`governance/history/\`. | |
| ### 🔔 Attention Code Owners | |
| cc: $CODE_OWNERS | |
| Please review the changes to ensure accuracy. This system is designed to support transparent and auditable governance. | |
| _Generated automatically by the GitMesh Steward Bot._" | |
| # Create PR without labels to avoid permission issues | |
| gh pr create \ | |
| --title "$PR_TITLE" \ | |
| --body "$PR_BODY" \ | |
| --base main \ | |
| --head "$BRANCH_NAME" |