Skip to content

Commit 1fac512

Browse files
author
Адель
committed
docs: prepare public beta GitHub workflow
1 parent ce0cc37 commit 1fac512

22 files changed

Lines changed: 5959 additions & 4682 deletions

.github/CODEOWNERS

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
# Replace @OWNER with the GitHub username or team that maintains DirectPilot before publishing.
2+
# Example:
3+
# * @OWNER
4+
# /app/yandex_*.py @OWNER
5+
# /app/config.py @OWNER
6+
# /.github/ @OWNER
7+
# /skills/ @OWNER
Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,47 @@
1+
name: Bug report
2+
description: Report a reproducible DirectPilot bug
3+
title: "bug: "
4+
labels: [bug, needs-triage]
5+
body:
6+
- type: markdown
7+
attributes:
8+
value: |
9+
Do not paste secrets, OAuth tokens, `.env` files, real customer data, or private campaign exports.
10+
- type: textarea
11+
id: summary
12+
attributes:
13+
label: Summary
14+
description: What happened?
15+
validations:
16+
required: true
17+
- type: textarea
18+
id: reproduce
19+
attributes:
20+
label: Steps to reproduce
21+
description: Use redacted sample data.
22+
validations:
23+
required: true
24+
- type: dropdown
25+
id: mode
26+
attributes:
27+
label: Runtime mode
28+
options:
29+
- mock
30+
- sandbox
31+
- live_readonly
32+
- live_write
33+
- unknown
34+
validations:
35+
required: true
36+
- type: textarea
37+
id: expected
38+
attributes:
39+
label: Expected behavior
40+
validations:
41+
required: true
42+
- type: textarea
43+
id: logs
44+
attributes:
45+
label: Relevant logs or output
46+
description: Redact all secrets before posting.
47+
render: text

.github/ISSUE_TEMPLATE/config.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
blank_issues_enabled: false
2+
contact_links:
3+
- name: Security policy
4+
url: https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities
5+
about: Do not post secrets in public issues. Use private vulnerability reporting if enabled after publishing.
Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,35 @@
1+
name: Feature request
2+
description: Suggest a DirectPilot improvement
3+
title: "feat: "
4+
labels: [enhancement, needs-triage]
5+
body:
6+
- type: textarea
7+
id: problem
8+
attributes:
9+
label: Problem
10+
description: What user problem does this solve?
11+
validations:
12+
required: true
13+
- type: textarea
14+
id: proposal
15+
attributes:
16+
label: Proposal
17+
description: Describe the proposed behavior.
18+
validations:
19+
required: true
20+
- type: dropdown
21+
id: risk
22+
attributes:
23+
label: Safety impact
24+
options:
25+
- docs only
26+
- read-only API behavior
27+
- write-path behavior
28+
- budget/campaign-impacting behavior
29+
- unsure
30+
validations:
31+
required: true
32+
- type: textarea
33+
id: alternatives
34+
attributes:
35+
label: Alternatives considered
Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
name: Security issue
2+
description: Request private handling for a security concern
3+
title: "security: "
4+
labels: [security, needs-private-review]
5+
body:
6+
- type: markdown
7+
attributes:
8+
value: |
9+
Do not include secrets or exploit details in public issues. If private vulnerability reporting is enabled, use it instead.
10+
- type: textarea
11+
id: summary
12+
attributes:
13+
label: Redacted summary
14+
description: Keep this high-level and do not include secrets.
15+
validations:
16+
required: true
17+
- type: dropdown
18+
id: impact
19+
attributes:
20+
label: Potential impact
21+
options:
22+
- credential exposure
23+
- unauthorized read
24+
- unauthorized write
25+
- budget/campaign impact
26+
- dependency/supply-chain
27+
- other
28+
validations:
29+
required: true

.github/PULL_REQUEST_TEMPLATE.md

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
## Summary
2+
3+
<!-- What changed and why? -->
4+
5+
## Type of change
6+
7+
- [ ] Docs only
8+
- [ ] Read-only API behavior
9+
- [ ] Write-path behavior
10+
- [ ] Tests
11+
- [ ] CI / security / repository governance
12+
- [ ] Dependency change
13+
14+
## Safety impact
15+
16+
- [ ] Default `live_readonly` behavior is preserved
17+
- [ ] No write gate was weakened or removed
18+
- [ ] `dry_run=true` remains non-mutating
19+
- [ ] No secrets, tokens, raw `.env`, or private customer data are included
20+
- [ ] OpenAPI was updated or verified unchanged
21+
22+
## Checks run
23+
24+
```text
25+
paste real command output here
26+
```
27+
28+
## Notes for reviewers
29+
30+
<!-- Mention high-risk files, Yandex API behavior, or migration concerns. -->

.github/dependabot.yml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
version: 2
2+
updates:
3+
- package-ecosystem: "github-actions"
4+
directory: "/"
5+
schedule:
6+
interval: "weekly"
7+
8+
# Python dependency updates are intentionally not automated through Dependabot
9+
# during beta: this project uses uv.lock and CI runs `uv sync --frozen`.
10+
# Update Python packages manually with `uv lock --upgrade-package <name>` so
11+
# pyproject.toml and uv.lock stay synchronized in the same PR.

.github/workflows/ci.yml

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
name: CI
2+
3+
on:
4+
pull_request:
5+
push:
6+
branches: [master, main]
7+
8+
permissions:
9+
contents: read
10+
11+
jobs:
12+
test:
13+
runs-on: ubuntu-latest
14+
steps:
15+
- uses: actions/checkout@v4
16+
- uses: astral-sh/setup-uv@v5
17+
- uses: actions/setup-python@v5
18+
with:
19+
python-version: "3.11"
20+
- name: Install dependencies
21+
run: uv sync --frozen
22+
- name: Compile Python files
23+
run: uv run python -m compileall app tests scripts
24+
- name: Run tests
25+
run: uv run pytest -q
26+
- name: Check OpenAPI snapshot
27+
run: uv run python scripts/check_openapi_sync.py
28+
- name: Check repository for obvious secrets
29+
run: uv run python scripts/check_no_secrets_in_git.py

.github/workflows/security.yml

Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,34 @@
1+
name: Security
2+
3+
on:
4+
pull_request:
5+
push:
6+
branches: [master, main]
7+
schedule:
8+
- cron: "17 3 * * 1"
9+
10+
permissions:
11+
contents: read
12+
security-events: write
13+
14+
jobs:
15+
secret-scan:
16+
runs-on: ubuntu-latest
17+
steps:
18+
- uses: actions/checkout@v4
19+
with:
20+
fetch-depth: 0
21+
- uses: gitleaks/gitleaks-action@v2
22+
env:
23+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
24+
25+
dependency-audit:
26+
runs-on: ubuntu-latest
27+
steps:
28+
- uses: actions/checkout@v4
29+
- uses: astral-sh/setup-uv@v5
30+
- uses: actions/setup-python@v5
31+
with:
32+
python-version: "3.11"
33+
- name: Audit Python dependencies
34+
run: uvx pip-audit

.gitignore

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,5 +5,6 @@
55
__pycache__/
66
.pytest_cache/
77
.ruff_cache/
8+
.hermes/
89
*.pyc
910
.DS_Store

0 commit comments

Comments
 (0)