Skip to content

ci(gha): update codeql workflow to set checks during scheduled runs #17963

ci(gha): update codeql workflow to set checks during scheduled runs

ci(gha): update codeql workflow to set checks during scheduled runs #17963

Workflow file for this run

name: "PR health"
on:
pull_request:
types: [edited, opened, reopened, synchronize]
permissions:
contents: read
jobs:
pr-check:
timeout-minutes: 10
runs-on: ubuntu-24.04
permissions:
pull-requests: write
steps:
- name: Check PR title
# Check PR title against the Conventional Commits format using commitlint.
# For more details, see: https://www.conventionalcommits.org/en/v1.0.0/
# This ensures the PR title matches the conventonal commit title format
# as it will be usead as a commit name after squashing.
# See: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/about-pull-request-merges#merge-message-for-a-squash-merge.
if: github.event.action != 'synchronize'
env:
# Use an intermediate environment variable to safely handle the PR title
# and avoid potential injection risks. See:
# https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
TITLE: ${{ github.event.pull_request.title }}
run: |
# Create a temporary commitlint configuration file
cat <<EOF > commitlint.config.js
module.exports = {
extends: ["@commitlint/config-conventional"],
helpUrl: "https://github.com/kumahq/kuma/blob/master/CONTRIBUTING.md#commit-message-format",
rules: {
"body-max-line-length": [0],
"footer-max-line-length": [0],
"footer-leading-blank": [0],
"header-max-length": [0],
"scope-enum": [2, "never", [
"kumacp", "kumadp", "kumacni", "kumainit", "*", "madr", "test", "ci", "perf", "policies", "tests"
]],
"scope-empty": [2, "never"]
},
};
EOF
# Install commitlint CLI and configuration
npm install -g @commitlint/[email protected] @commitlint/[email protected]
# Validate the PR title. Use the intermediate variable to safely handle the title.
# '${{ env.TITLE }}' doesn't protect against injection, so "$TITLE" must be used instead.
echo "$TITLE" | commitlint --config commitlint.config.js