ci: add CI, security workflows and VERSION file #1
Merged
Introduce a root VERSION file (1.0.0, matching the latest v1.0.0 tag and src/pg-sync SCRIPT_VERSION) as the semver source of truth, since this repo has no package manifest.

Add standardized GitHub workflows:
- ci.yml: ShellCheck + make check/test on push/PR to main
- version-check.yml: enforce VERSION bump on every PR
- scorecard.yml: OpenSSF Scorecard supply-chain analysis
- stale.yml: auto-mark/close inactive issues and PRs
- labeler.yml + .github/labeler.yml: path-based PR auto-labels

Kept the existing tag-triggered release.yml (builds artifacts and publishes GitHub releases); did not add versionfile-release.yml to avoid two competing release workflows. Skipped dependency-review (no dep manifest).

The CI ShellCheck step ran at the action's default severity, which surfaces note-level style suggestions (SC2012, SC2015) and fails the build. The repo's own `make lint` runs `shellcheck -S warning`, so align CI with that established convention rather than rewriting the scripts. At warning level the tree is clean.

Adds standardized GitHub workflows and a root VERSION file.

What's added
- 1.0.0), matching the latest v1.0.0 tag and src/pg-sync SCRIPT_VERSION. Acts as the manifest-less source of truth.
- make check / make test on push/PR to main.
- VERSION bump on every PR (treats a missing base VERSION as 0.0.0).

Release workflow
Kept the existing tag-triggered release.yml (builds artifacts, publishes GitHub releases via softprops/action-gh-release). Did not add versionfile-release.yml to avoid two competing release workflows. Skipped dependency-review (no dependency manifest in a shell repo).

🤖 Generated with Claude Code
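
The version-bump gate described above (the head VERSION must exceed the base, with a missing base VERSION treated as 0.0.0), as an added example that is not the PR's version-check.yml. The function names and the file-path arguments are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the repository.

# Accept only strict MAJOR.MINOR.PATCH. VERSION on a PR head is untrusted
# input, so validate it before any numeric comparison.
is_semver() {
  printf '%s\n' "$1" | grep -Eq '^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$'
}

# semver_gt A B: succeed when A > B. Runs in a subshell so IFS stays local.
semver_gt() (
  IFS=.
  set -f         # no globbing while the fields are split
  # shellcheck disable=SC2086
  set -- $1 $2   # $1..$3 = A fields, $4..$6 = B fields
  if   [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]
  elif [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]
  else [ "$3" -gt "$6" ]
  fi
)

# check_version_bump HEAD_FILE [BASE_FILE]: print a verdict, return 0 on a valid bump.
check_version_bump() {
  [ -r "$1" ] || { echo "FAIL: VERSION missing on PR head"; return 1; }
  head=$(tr -d '[:space:]' < "$1")
  base=0.0.0     # a missing base VERSION is treated as 0.0.0, as the PR states
  if [ -n "${2:-}" ] && [ -r "$2" ]; then base=$(tr -d '[:space:]' < "$2"); fi
  is_semver "$head" || { echo "FAIL: head is not MAJOR.MINOR.PATCH"; return 1; }
  is_semver "$base" || { echo "FAIL: base is not MAJOR.MINOR.PATCH"; return 1; }
  if semver_gt "$head" "$base"; then
    echo "OK: $base -> $head"
  else
    echo "FAIL: VERSION not bumped ($base -> $head)"; return 1
  fi
}

# Constructed sample inputs standing in for the base and head checkouts.
demo() {
  d=$(mktemp -d)
  printf '1.0.0\n' > "$d/base"; printf '1.0.1\n' > "$d/bumped"
  printf '1.0.x\n' > "$d/malformed"
  check_version_bump "$d/bumped" "$d/base"
  check_version_bump "$d/base" "$d/base" || true       # unchanged: fails
  check_version_bump "$d/base" "$d/absent" || true     # no base file: passes
  check_version_bump "$d/malformed" "$d/base" || true  # rejected before compare
  rm -rf "$d"
}
demo
```

Fields are compared numerically, so 1.10.0 correctly ranks above 1.9.0, which a plain string comparison would get wrong.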