diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..383e82a
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,12 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+indent_style = tab
+indent_size = 4
+
+[*.{md,yml,yaml,json,toml}]
+indent_style = space
+indent_size = 2
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..7bde2fb
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,6 @@
+* text=auto
+*.go text eol=lf
+*.md text eol=lf
+*.toml text eol=lf
+*.yml text eol=lf
+*.yaml text eol=lf
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..fc19136
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,11 @@
+# Protect ownership and automation rules.
+/.github/CODEOWNERS @openclaw/openclaw-secops
+/.github/dependabot.yml @openclaw/openclaw-secops
+/.github/workflows/ @openclaw/openclaw-secops
+
+# Release and package integrity surfaces.
+/.goreleaser.yaml @openclaw/openclaw-secops
+/go.mod @openclaw/openclaw-secops
+/go.sum @openclaw/openclaw-secops
+/scripts/*release* @openclaw/openclaw-secops
+/scripts/*publish* @openclaw/openclaw-secops
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..e1b6fae
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+version: 2
+updates:
+ - package-ecosystem: gomod
+ directory: /
+ schedule:
+ interval: weekly
+ open-pull-requests-limit: 10
+
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ open-pull-requests-limit: 10
diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
new file mode 100644
index 0000000..835e307
--- /dev/null
+++ b/.github/workflows/secret-scan.yml
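Review bot: The `/scripts/*release*` and `/scripts/*publish*` patterns in the CODEOWNERS hunk match only files directly under `/scripts/`, because `*` does not cross a path separator, so a release or publish helper placed in a subdirectory would escape the integrity rules this section is meant to enforce; `/scripts/**/*release*` and `/scripts/**/*publish*` (or owning `/scripts/` outright) close that gap. A leading comment such as `# Only enforced when the branch ruleset requires code-owner review.` would also help, since CODEOWNERS on its own does not block a merge. If local composite actions are ever added under `/.github/actions/`, they are not covered by the `/.github/workflows/` rule even though workflows can `uses:` them; presumably nothing lives there yet, but the rule is easy to add now.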
@@ -0,0 +1,63 @@
+name: "Security Gate: Secret Scanning"
+
+on:
+ push:
+ branches: ["**"]
+ pull_request:
+ branches: [main, master]
+
+permissions: {}
+
+jobs:
+ trufflehog:
+ name: Scan for Verified Secrets
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+
+ - name: Resolve scan range
+ id: scan_range
+ env:
+ EVENT_NAME: ${{ github.event_name }}
+ PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+ PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+ PUSH_BASE_SHA: ${{ github.event.before }}
+ PUSH_HEAD_SHA: ${{ github.sha }}
+ DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+ run: |
+ set -euo pipefail
+ zero_sha="0000000000000000000000000000000000000000"
+
+ if [[ "$EVENT_NAME" == "pull_request" ]]; then
+ base="$PR_BASE_SHA"
+ head="$PR_HEAD_SHA"
+ else
+ base="$PUSH_BASE_SHA"
+ head="$PUSH_HEAD_SHA"
+ if [[ -z "$base" || "$base" == "$zero_sha" ]]; then
+ base="origin/$DEFAULT_BRANCH"
+ fi
+ fi
+
+ echo "base=$base" >> "$GITHUB_OUTPUT"
+ echo "head=$head" >> "$GITHUB_OUTPUT"
+
+ - name: TruffleHog OSS
+ id: trufflehog
+ uses: trufflesecurity/trufflehog@v3.95.2
+ with:
+ path: ./
+ base: ${{ steps.scan_range.outputs.base }}
+ head: ${{ steps.scan_range.outputs.head }}
+ extra_args: --only-verified --debug
+
+ - name: Notify on failure
+ if: steps.trufflehog.outcome == 'failure'
+ run: |
+ echo "::error::Verified secrets found. Rotate the credential before merging."
+ exit 1
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
new file mode 100644
index 0000000..74ad25c
--- /dev/null
+++ b/.github/workflows/stale.yml
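Review bot: The `Notify on failure` step at the end of the hunk is unreachable: the TruffleHog step has no `continue-on-error`, so when it exits non-zero the job stops there, and a step `if:` that contains no status function implicitly requires every earlier step to have succeeded, so `steps.trufflehog.outcome == 'failure'` can never be evaluated true; `if: failure() && steps.trufflehog.outcome == 'failure'` makes it run, and its trailing `exit 1` still fails the job. For a workflow named as a security gate, `actions/checkout@v6` and `trufflesecurity/trufflehog@v3.95.2` should be pinned to full commit SHAs with the version kept in a trailing comment, since tags are mutable references and the `github-actions` Dependabot entry added in this same commit will keep SHA pins current. `--debug` in `extra_args` makes the scanner's log output verbose; confirm it does not echo detected values into the job log before leaving it on for every push to every branch. On a force-push, `github.event.before` can name a commit that is no longer reachable and therefore not fetched even with `fetch-depth: 0`, which would make the scan error out rather than run; a fallback to `origin/$DEFAULT_BRANCH` when `git cat-file -e "$base^{commit}"` fails would cover that, though this is inferred rather than visible here.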
@@ -0,0 +1,86 @@
+name: Stale
+
+on:
+ schedule:
+ - cron: "21 4 * * *"
+ workflow_dispatch:
+
+permissions: {}
+
+jobs:
+ stale:
+ permissions:
+ issues: write
+ pull-requests: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Mark stale unassigned issues and pull requests
+ uses: actions/stale@v10
+ with:
+ days-before-issue-stale: 14
+ days-before-issue-close: 7
+ days-before-pr-stale: 14
+ days-before-pr-close: 7
+ stale-issue-label: stale
+ stale-pr-label: stale
+ exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale
+ exempt-pr-labels: maintainer,no-stale
+ operations-per-run: 1000
+ ascending: true
+ exempt-all-assignees: true
+ remove-stale-when-updated: true
+ stale-issue-message: |
+ This issue has been automatically marked as stale due to inactivity.
+ Please add updated gitcrawl details or it will be closed.
+ stale-pr-message: |
+ This pull request has been automatically marked as stale due to inactivity.
+ Please update it or it will be closed.
+ close-issue-message: |
+ Closing due to inactivity.
+ If this still affects gitcrawl, open a new issue with current reproduction details.
+ close-issue-reason: not_planned
+ close-pr-message: |
+ Closing due to inactivity.
+ If this PR should be revived, reopen it with current context and validation.
+
+ - name: Mark stale assigned issues
+ uses: actions/stale@v10
+ with:
+ days-before-issue-stale: 30
+ days-before-issue-close: 10
+ days-before-pr-stale: -1
+ days-before-pr-close: -1
+ stale-issue-label: stale
+ exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale
+ operations-per-run: 1000
+ ascending: true
+ include-only-assigned: true
+ remove-stale-when-updated: true
+ stale-issue-message: |
+ This assigned issue has been automatically marked as stale after 30 days of inactivity.
+ Please add an update or it will be closed.
+ close-issue-message: |
+ Closing due to inactivity.
+ If this still affects gitcrawl, reopen or file a new issue with current evidence.
+ close-issue-reason: not_planned
+
+ - name: Mark stale assigned pull requests
+ uses: actions/stale@v10
+ with:
+ days-before-issue-stale: -1
+ days-before-issue-close: -1
+ days-before-pr-stale: 27
+ days-before-pr-close: 7
+ stale-pr-label: stale
+ exempt-pr-labels: maintainer,no-stale
+ operations-per-run: 1000
+ ascending: true
+ include-only-assigned: true
+ ignore-pr-updates: true
+ remove-stale-when-updated: true
+ stale-pr-message: |
+ This assigned pull request has been automatically marked as stale after being open for 27 days.
+ Please add an update or it will be closed.
+ close-pr-message: |
+ Closing due to inactivity.
+ If this PR should be revived, reopen it with current context and validation.
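Review bot: `exempt-issue-labels` includes `security`, but `exempt-pr-labels` in all three steps is only `maintainer,no-stale`, so a pull request labelled `security` (say, a fix for a reported vulnerability) is still marked stale after 14 or 27 days and closed a week later; `exempt-pr-labels: maintainer,security,no-stale` brings the PR side in line with the issue side. In the third step `ignore-pr-updates: true` stops activity from resetting the 27-day clock, yet its `stale-pr-message` asks the author to "add an update or it will be closed"; if an age-based cutoff is the intent, the message should point to the `no-stale` label instead, and it is worth confirming how `remove-stale-when-updated` behaves when updates are ignored before relying on that combination. Running three `actions/stale` steps with `operations-per-run: 1000` each in one job can draw up to 3000 API operations per night on the same token; fine for a small repository, but lower the per-step limit if rate limiting starts to show.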