Pull request overview
This PR adds a set of GitHub Actions workflows and configs to automate CI quality/security checks (linting, dependency review, security scanning), plus a Django “integrity” check pipeline that also updates README badges based on supported Python versions.
Changes:
- Added Django integrity CI with a reusable “extract Python versions” workflow and a script to update README integrity badges.
- Added CI workflows for super-linting, OWASP Noir analysis (with PR commenting), dependency review, and AI-generated PR detection.
- Added commitlint configuration intended to enforce conventional commits.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| .github/workflows/check_integrity.yml | Runs Django checks across a Python matrix; auto-updates README integrity badges. |
| .github/workflows/extract_python_versions.yml | Reusable workflow to parse supported Python versions from pyproject.toml. |
| .github/workflows/update_integrity_badges.py | Updates README between markers with Python version badges. |
| .github/workflows/super-linter.yml | Runs Super-Linter on pushes/PRs. |
| .github/workflows/owasp-noir.yml | Runs OWASP Noir analysis and comments results on PRs. |
| .github/workflows/check_dependencies.yml | Runs GitHub dependency review on PRs. |
| .github/workflows/detect_ai.yml | Uses pr406 to detect AI-generated PRs on pull_request_target. |
| .github/pr406.yml | Configuration for the AI-detection action (threshold/label/dry-run). |
| .commitlintrc.js | Commitlint rules for conventional commit messages. |
.github/workflows/detect_ai.yml
| issues: write | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| with: | ||
| ref: ${{ github.event.pull_request.base.ref }} | ||
| - uses: lu-zhengda/pr406@v0.1.1 |
Using pull_request_target with a third-party action and a write-scoped GITHUB_TOKEN can be a supply-chain risk (the workflow runs with base-repo permissions on PRs from forks). Mitigations: pin lu-zhengda/pr406 to a commit SHA (not just a tag), restrict permissions to only what the action needs (likely pull-requests: write), and consider running on pull_request instead if you don’t need base-repo token access.
| issues: write | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ github.event.pull_request.base.ref }} | |
| - uses: lu-zhengda/pr406@v0.1.1 | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ github.event.pull_request.base.ref }} | |
| - uses: lu-zhengda/pr406@2b6c0c0d3b5e9d0d9f7b1f75e1b2c7a1f3e4d5c # TODO: replace with the actual commit SHA for v0.1.1 |
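Review bot: the `uses:` line in this suggestion pins lu-zhengda/pr406 to a placeholder SHA (the trailing `# TODO: replace with the actual commit SHA for v0.1.1` says as much), so accepting the suggestion as-is would point the job at a commit that may not exist and the step would fail to resolve the action. Before applying it, look up the commit the v0.1.1 tag resolves to, use that full SHA, and keep a trailing `# v0.1.1` comment so the intended version stays readable next to the hash.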
I am not sure if this is an issue, but I will remove the unneeded permission in a force push of an altered version of the original commit
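As an added example, not code from this PR or from the pr406 project, the following Python script applies the three points raised in the review comment above to a workflow file: it flags a `pull_request_target` trigger combined with write-scoped permissions, and it flags every `uses:` reference that is not pinned to a full 40-hex commit SHA. It is a line-based heuristic rather than a YAML parser, so it is meant as a quick pre-merge check, not a replacement for a proper policy tool. The two workflows it runs on are constructed samples modelled on the fragment quoted above; the 40-digit SHAs in the hardened sample are all-zero and all-one placeholders, not real commits.

```python
"""Heuristic audit of a GitHub Actions workflow for the risks raised in the review:
pull_request_target plus write permissions, and actions not pinned to a commit SHA."""
import re
from typing import List

# Constructed sample mirroring the quoted job: privileged trigger, write-scoped
# permissions, and a third-party action pinned only to a movable tag.
WEAK_WORKFLOW = """\
name: detect-ai
on:
  pull_request_target:
jobs:
  detect:
    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.base.ref }}
      - uses: lu-zhengda/pr406@v0.1.1
"""

# Constructed hardened version: pull_request trigger, only the permission the
# action is expected to need, and every action pinned to a full commit SHA.
# The SHAs are PLACEHOLDERS (all zeros / all ones), not real commits; in a real
# repository resolve them from the tags and keep the tag name in the comment.
HARDENED_WORKFLOW = """\
name: detect-ai
on:
  pull_request:
jobs:
  detect:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # PLACEHOLDER for v6
      - uses: lu-zhengda/pr406@1111111111111111111111111111111111111111 # PLACEHOLDER for v0.1.1
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")      # "- uses: owner/repo@ref"
PERM_RE = re.compile(r"^\s*([a-z-]+):\s*write\s*$")  # "scope: write" under permissions
SHA_RE = re.compile(r"^[0-9a-f]{40}$")               # a full git commit SHA


def audit_workflow(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the heuristics found nothing."""
    findings: List[str] = []
    lines = text.splitlines()

    # 1) pull_request_target runs with a base-repo token even for PRs from forks,
    #    so combining it with write scopes is the risky pattern from the review.
    privileged_trigger = re.search(r"\bpull_request_target\b", text) is not None
    write_scopes = []
    for line in lines:
        m = PERM_RE.match(line)
        if m:
            write_scopes.append(m.group(1))
    if privileged_trigger and write_scopes:
        findings.append(
            "pull_request_target with write permissions (%s): forked PRs run with a "
            "base-repo token; use pull_request unless base-repo access is required"
            % ", ".join(write_scopes)
        )

    # 2) Every action reference should be a 40-hex commit SHA; a tag or branch can
    #    be moved by the action's owner, silently changing what the job executes.
    for line in lines:
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local or container actions have no git ref to pin
        name, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(
                "%s is pinned to %r, not a 40-hex commit SHA; a moved tag changes what runs"
                % (name, version or "<no ref>")
            )
    return findings


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print("== %s ==" % label)
        for finding in audit_workflow(wf) or ["no findings"]:
            print(" -", finding)
```

Run it on a real `.github/workflows/*.yml` by reading the file into `audit_workflow`; the weak sample above yields three findings (the trigger/permission combination and two unpinned actions), while the hardened sample yields none. The script deliberately still accepts `pull-requests: write` without `pull_request_target`, matching the review's suggestion that this is likely the one scope the action needs.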
| "", | ||
| }; | ||
|
|
||
| export default Configuration; |
This file uses ESM syntax (export default) but the repo has no package.json indicating type: module. In a default Node/commitlint setup, this will be parsed as CommonJS and fail to load. Consider switching to CommonJS (module.exports = …) or renaming to .commitlintrc.cjs (or adding the necessary Node module configuration).
| export default Configuration; | |
| module.exports = Configuration; |
I honestly don't understand this. The docs for the commitlint config were honestly pretty bad.
Checks whether PRs will change dependencies to introduce vulnerabilities or use licenses not allowed in this project.
OWASP Noir is an advanced security analysis tool, capable of scanning, analyzing and annotating a codebase.
f6024f0 to 647f9df
This pull request introduces several new GitHub Actions workflows and related configuration files to automate quality, security, and compliance checks for the project. The main focus is on improving CI/CD processes, enforcing commit message standards, automating integrity and dependency checks, and enhancing security analysis. Below are the most significant changes:
CI/CD Automation and Quality Checks:
- .github/workflows/check_integrity.yml to automatically build the project, run Django integrity checks across supported Python versions, and update integrity badges in the README.md. This workflow uses a new helper script .github/workflows/update_integrity_badges.py and a shared workflow .github/workflows/extract_python_versions.yml to dynamically extract supported Python versions from pyproject.toml.
- .github/workflows/super-linter.yml to run a wide range of classic and advanced linters (including Trivy, GitLeaks, codespell, and more) on every push and pull request, helping to catch code quality and security issues early.

Security and Dependency Management:
- .github/workflows/owasp-noir.yml to perform automated OWASP Noir security analysis on the codebase, upload results as artifacts, and comment reports on pull requests.
- .github/workflows/check_dependencies.yml to automatically review dependencies on pull requests using GitHub's dependency review action, helping to identify vulnerable or unwanted packages.

AI-generated Content Detection:
- .github/workflows/detect_ai.yml and its configuration file .github/pr406.yml to detect AI-generated pull requests using the pr406 action, labeling suspicious PRs and running in dry-run mode as suggested by its developer (for now).

Commit Message Enforcement:
- .commitlintrc.js to enforce conventional commit message standards, ensuring more consistent and meaningful commit history.