Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions .github/copilot-instructions.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# mss-boot-io GitHub Operations Instructions

This repository hosts organization-wide community health files, reusable
workflow guidance, and governance notes for `mss-boot-io`.

When working here:

- Keep changes small, reviewable, and suitable for public open source
collaboration.
- Prefer GitHub-native automation before adding external bots or services.
- Do not store secrets, account credentials, private endpoints, or personal
data in repository files, issue templates, workflows, or examples.
- Treat Copilot code review, issue drafting, Dependabot, CodeQL, Scorecard,
PR Guard, Docs Drift, and weekly digest workflows as advisory automation.
Maintainers still decide scope, security risk, release timing, and merges.
- Frontend Cloudflare alpha, beta, and prod deployments must stay manual.
Do not convert Cloudflare workflows into automatic PR or push deploys.
- Durable organization memory belongs in `mss-boot-docs/aigc` or the local
repository `aigc/prompts/` directory. Use lowercase kebab-case filenames.
- Use neutral, verifiable language and include reproducible validation steps
when changing governance, workflow, or release process files.
14 changes: 14 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 5
groups:
github-actions:
patterns:
- "*"
labels:
- "area/devops"
- "type/security"
42 changes: 42 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
name: CodeQL

on:
push:
branches:
- main
- "codex/**"
pull_request:
branches:
- main
schedule:
- cron: "17 20 * * 0"
workflow_dispatch:

permissions:
actions: read
contents: read
packages: read
security-events: write

jobs:
analyze:
name: Analyze (${{ matrix.language }})
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- language: actions
build-mode: none
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
category: "/language:${{ matrix.language }}"
38 changes: 38 additions & 0 deletions .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
name: OpenSSF Scorecard

on:
branch_protection_rule:
push:
branches:
- main
schedule:
- cron: "23 20 * * 0"
workflow_dispatch:

permissions: read-all

jobs:
scorecard:
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
id-token: write
security-events: write
Comment on lines +12 to +21
steps:
- name: Checkout
uses: actions/checkout@v6
with:
persist-credentials: false

- name: Run Scorecard
uses: ossf/scorecard-action@v2.4.3
with:
results_file: scorecard-results.sarif
results_format: sarif
publish_results: true

- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: scorecard-results.sarif
25 changes: 25 additions & 0 deletions aigc/prompts/github-ai-handoff-2026-06-05.zh-CN.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
# GitHub AI Handoff

日期:2026-06-05

## 背景

组织希望尽量把可自动化的开源运营、代码审查、依赖更新、问题整理和
流水线检查交给 GitHub 原生能力承接,降低个人维护者成本。

## 已落地

- 在组织 `.github` 仓库新增 `.github/copilot-instructions.md`,让 GitHub
Copilot Code Review、Copilot Chat 和 Copilot coding agent 在处理组织治理
文件时优先遵守开源、低成本、低噪音和手动发布边界。
- 在组织 `.github` 仓库新增 Dependabot、CodeQL 和 OpenSSF Scorecard 自检,
让 reusable workflows、issue templates 和组织社区健康文件也进入 GitHub
原生安全/供应链检查。

## 约束

- 前端 Cloudflare alpha/beta/prod 发布必须保持人工触发。
- Copilot、CodeQL、Dependabot、Scorecard、PR Guard、Docs Drift 和周报类
自动化只提供建议与检查,最终合并、发布和安全判断仍由维护者确认。
- 任何涉及外部账号、付费计划、组织权限和安全策略的配置先记录,等待维护者
在 GitHub 后台启用。