diff --git a/scripts/apply-repo-settings.sh b/scripts/apply-repo-settings.sh
index 6b19e30..2352f70 100644
--- a/scripts/apply-repo-settings.sh
+++ b/scripts/apply-repo-settings.sh
@@ -38,6 +38,40 @@ usage() {
 exit 1
 }
+# Label specs: "name:color:description" (color without leading #)
+REQUIRED_LABEL_SPECS=(
+ "security:d93f0b:Security-related PRs and issues"
+ "dependencies:0075ca:Dependency update PRs"
+ "scorecard:d93f0b:OpenSSF Scorecard findings"
+ "bug:d73a4a:Bug reports"
+ "enhancement:a2eeef:Feature requests"
+ "documentation:0075ca:Documentation changes"
+)
+
+apply_labels() {
+ local repo="$1"
+ info "Ensuring required labels exist on $ORG/$repo ..."
+
+ for spec in "${REQUIRED_LABEL_SPECS[@]}"; do
+ IFS=':' read -r label color description <<< "$spec"
+
+ if [ "$DRY_RUN" = "true" ]; then
+ skip "DRY_RUN=true — would ensure label \`$label\` (color: #$color) exists in $repo"
+ continue
+ fi
+
+ if gh label create "$label" \
+ --repo "$ORG/$repo" \
+ --color "$color" \
+ --description "$description" \
+ --force 2>/dev/null; then
+ ok " label \`$label\` ensured in $repo"
+ else
+ err " Failed to create/update label \`$label\` in $repo"
+ fi
+ done
+}
+
 apply_settings() {
 local repo="$1"
 info "Applying standard settings to $ORG/$repo ..."
@@ -146,6 +180,7 @@ if [ "$1" = "--all" ]; then
 failed=0
 for repo in $repos; do
 apply_settings "$repo" || failed=$((failed + 1))
+ apply_labels "$repo" || true
 done
 if [ "$failed" -gt 0 ]; then
@@ -156,4 +191,5 @@ if [ "$1" = "--all" ]; then
 ok "All repos processed successfully"
 else
 apply_settings "$1"
+ apply_labels "$1"
 fi
diff --git a/scripts/compliance-audit.sh b/scripts/compliance-audit.sh
index 60288d0..9f53241 100755
--- a/scripts/compliance-audit.sh
+++ b/scripts/compliance-audit.sh
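Review bot: apply_labels never reports failure — the `err` branch is not counted and the function's status is simply that of the last `ok`/`err` call — and both callers in the second and third hunks discard it anyway (`apply_labels "$repo" || true`), so a repo whose labels could not be created still ends in "All repos processed successfully". Track it with `local rc=0`, set `rc=1` in the `else` branch and end the function with `return "$rc"`, then count it in the `--all` loop with `apply_labels "$repo" || failed=$((failed + 1))` in place of the `|| true`. Discarding gh's stderr with `2>/dev/null` also hides the actual reason (missing token scope, permission denied, rate limit) from the `err` line; capturing it into the message would make the failure actionable. The dry-run message only says the label would be "ensured", but `--force` also overwrites the color and description of a label that already exists, so the `skip` text should say "would create/overwrite" to match what the real run does.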
@@ -34,7 +34,15 @@ SUMMARY_FILE="$REPORT_DIR/summary.md"
 REQUIRED_WORKFLOWS=(ci.yml codeql.yml sonarcloud.yml claude.yml dependabot-automerge.yml dependency-audit.yml agent-shield.yml)
-REQUIRED_LABELS=(security dependencies scorecard bug enhancement documentation)
+# Label specs: "name:color:description" (color without leading #)
+REQUIRED_LABEL_SPECS=(
+ "security:d93f0b:Security-related PRs and issues"
+ "dependencies:0075ca:Dependency update PRs"
+ "scorecard:d93f0b:OpenSSF Scorecard findings"
+ "bug:d73a4a:Bug reports"
+ "enhancement:a2eeef:Feature requests"
+ "documentation:0075ca:Documentation changes"
+)
 REQUIRED_SETTINGS_BOOL=(
 "allow_auto_merge:true:warning:Allow auto-merge must be enabled for Dependabot workflow"
@@ -292,7 +300,7 @@ check_repo_settings() {
 }
 # ---------------------------------------------------------------------------
-# Check: Required labels
+# Check: Required labels (auto-creates missing ones)
 # ---------------------------------------------------------------------------
 check_labels() {
 local repo="$1"
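Review bot: REQUIRED_LABEL_SPECS in the first hunk is a verbatim copy of the array this same commit adds to scripts/apply-repo-settings.sh, so the audit and the apply script will silently disagree the first time one list is edited; keeping the specs in one shared file that both scripts source would prevent that drift. The array comment should also state the parsing constraint the consumers rely on: since each spec is split with `IFS=':' read -r label color description`, only the last field may contain a colon, e.g. `# name and color must not contain ':'; description may (it is read as the remainder)`.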
@@ -300,11 +308,29 @@ check_labels() {
 local existing_labels
 existing_labels=$(gh_api "repos/$ORG/$repo/labels" --jq '.[].name' --paginate 2>/dev/null || echo "")
- for label in "${REQUIRED_LABELS[@]}"; do
+ for spec in "${REQUIRED_LABEL_SPECS[@]}"; do
+ IFS=':' read -r label color description <<< "$spec"
+
 if ! echo "$existing_labels" | grep -qx "$label"; then
- add_finding "$repo" "labels" "missing-label-$label" "warning" \
- "Required label \`$label\` is missing" \
- "standards/github-settings.md#labels--standard-set"
+ if [ "$DRY_RUN" = "true" ]; then
+ add_finding "$repo" "labels" "missing-label-$label" "warning" \
+ "Required label \`$label\` is missing (dry run — skipping auto-create)" \
+ "standards/github-settings.md#labels--standard-set"
+ continue
+ fi
+ info "Label \`$label\` missing from $repo — attempting to create it"
+ if gh label create "$label" \
+ --repo "$ORG/$repo" \
+ --color "$color" \
+ --description "$description" \
+ --force 2>/dev/null; then
+ info "Created label \`$label\` in $repo"
+ else
+ warn "Failed to create label \`$label\` in $repo — filing finding for manual remediation"
+ add_finding "$repo" "labels" "missing-label-$label" "warning" \
+ "Required label \`$label\` is missing and could not be auto-created" \
+ "standards/github-settings.md#labels--standard-set"
+ fi
 fi
 done
 }
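Review bot: The listing failure path now mutates repositories — the context line `existing_labels=$(gh_api ... || echo "")` turns any API or auth error into an empty list, so every required label looks missing and the new branch runs `gh label create --force` for all six, overwriting the color and description of labels that actually exist. Because this branch is only reached when grep did not find the label, `--force` is not needed here; dropping it lets a stale or empty listing fail closed (gh refuses to create a label that already exists, and the `else` branch files the finding for manual review). Separately, a label that is auto-created successfully leaves no trace in the report — only `info` is logged — so the audit loses the evidence that the repo was out of compliance; keep an `add_finding` call in the success branch (at `warning`, or a lower severity if add_finding supports one) with a message such as `"Required label \`$label\` was missing and was auto-created"`. An audit script that writes labels presumably also needs a token with write access to the repos, which widens what a leaked audit credential can do; that trade-off deserves a sentence in the script header. check_labels starts outside the hunk.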