From f78454543293bc04a32a59bc7b87120254d742d2 Mon Sep 17 00:00:00 2001 From: linwenxiang Date: Fri, 5 Jun 2026 13:49:10 +0800 Subject: [PATCH] ci: add github ai handoff checks --- .github/copilot-instructions.md | 21 ++++++++++ .github/dependabot.yml | 14 +++++++ .github/workflows/codeql.yml | 42 +++++++++++++++++++ .github/workflows/scorecard.yml | 38 +++++++++++++++++ .../github-ai-handoff-2026-06-05.zh-CN.md | 25 +++++++++++ 5 files changed, 140 insertions(+) create mode 100644 .github/copilot-instructions.md create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/scorecard.yml create mode 100644 aigc/prompts/github-ai-handoff-2026-06-05.zh-CN.md diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md new file mode 100644 index 0000000..5369de6 --- /dev/null +++ b/.github/copilot-instructions.md @@ -0,0 +1,21 @@ +# mss-boot-io GitHub Operations Instructions + +This repository hosts organization-wide community health files, reusable +workflow guidance, and governance notes for `mss-boot-io`. + +When working here: + +- Keep changes small, reviewable, and suitable for public open source + collaboration. +- Prefer GitHub-native automation before adding external bots or services. +- Do not store secrets, account credentials, private endpoints, or personal + data in repository files, issue templates, workflows, or examples. +- Treat Copilot code review, issue drafting, Dependabot, CodeQL, Scorecard, + PR Guard, Docs Drift, and weekly digest workflows as advisory automation. + Maintainers still decide scope, security risk, release timing, and merges. +- Frontend Cloudflare alpha, beta, and prod deployments must stay manual. + Do not convert Cloudflare workflows into automatic PR or push deploys. +- Durable organization memory belongs in `mss-boot-docs/aigc` or the local + repository `aigc/prompts/` directory. Use lowercase kebab-case filenames. +- Use neutral, verifiable language and include reproducible validation steps + when changing governance, workflow, or release process files. diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..9a441a2 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,14 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + groups: + github-actions: + patterns: + - "*" + labels: + - "area/devops" + - "type/security" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..f3b6585 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,42 @@ +name: CodeQL + +on: + push: + branches: + - main + - "codex/**" + pull_request: + branches: + - main + schedule: + - cron: "17 20 * * 0" + workflow_dispatch: + +permissions: + actions: read + contents: read + packages: read + security-events: write + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + include: + - language: actions + build-mode: none + steps: + - name: Checkout + uses: actions/checkout@v6 + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 + with: + category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..abd8e18 --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,38 @@ +name: OpenSSF Scorecard + +on: + branch_protection_rule: + push: + branches: + - main + schedule: + - cron: "23 20 * * 0" + workflow_dispatch: + +permissions: read-all + +jobs: + scorecard: + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + id-token: write + security-events: write + steps: + - name: Checkout + uses: actions/checkout@v6 + with: + persist-credentials: false + + - name: Run Scorecard + uses: ossf/scorecard-action@v2.4.3 + with: + results_file: scorecard-results.sarif + results_format: sarif + publish_results: true + + - name: Upload SARIF + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: scorecard-results.sarif diff --git a/aigc/prompts/github-ai-handoff-2026-06-05.zh-CN.md b/aigc/prompts/github-ai-handoff-2026-06-05.zh-CN.md new file mode 100644 index 0000000..a817561 --- /dev/null +++ b/aigc/prompts/github-ai-handoff-2026-06-05.zh-CN.md @@ -0,0 +1,25 @@ +# GitHub AI Handoff + +日期:2026-06-05 + +## 背景 + +组织希望尽量把可自动化的开源运营、代码审查、依赖更新、问题整理和 +流水线检查交给 GitHub 原生能力承接,降低个人维护者成本。 + +## 已落地 + +- 在组织 `.github` 仓库新增 `.github/copilot-instructions.md`,让 GitHub + Copilot Code Review、Copilot Chat 和 Copilot coding agent 在处理组织治理 + 文件时优先遵守开源、低成本、低噪音和手动发布边界。 +- 在组织 `.github` 仓库新增 Dependabot、CodeQL 和 OpenSSF Scorecard 自检, + 让 reusable workflows、issue templates 和组织社区健康文件也进入 GitHub + 原生安全/供应链检查。 + +## 约束 + +- 前端 Cloudflare alpha/beta/prod 发布必须保持人工触发。 +- Copilot、CodeQL、Dependabot、Scorecard、PR Guard、Docs Drift 和周报类 + 自动化只提供建议与检查,最终合并、发布和安全判断仍由维护者确认。 +- 任何涉及外部账号、付费计划、组织权限和安全策略的配置先记录,等待维护者 + 在 GitHub 后台启用。