From ae78f92a8f2597943603823ac39a00cf7990988f Mon Sep 17 00:00:00 2001
From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com>
Date: Mon, 6 Apr 2026 03:44:06 +0000
Subject: [PATCH 1/2] fix: auto-create missing required labels during compliance audit
- Add REQUIRED_LABEL_SPECS array with name, color, and description for each standard label
- Modify check_labels() in compliance-audit.sh to auto-create missing labels via `gh label create`, falling back to filing a finding only if creation fails
- Add apply_labels() to apply-repo-settings.sh so the remediation script also ensures all standard labels exist
- Remove now-unused REQUIRED_LABELS array from compliance-audit.sh
Closes #47
Co-authored-by: don-petry
---
 scripts/apply-repo-settings.sh | 36 ++++++++++++++++++++++++++++++++++
 scripts/compliance-audit.sh | 32 ++++++++++++++++++++++++------
 2 files changed, 62 insertions(+), 6 deletions(-)
diff --git a/scripts/apply-repo-settings.sh b/scripts/apply-repo-settings.sh
index 6b19e30..2352f70 100644
--- a/scripts/apply-repo-settings.sh
+++ b/scripts/apply-repo-settings.sh
@@ -38,6 +38,40 @@ usage() {
 exit 1
 }
+# Label specs: "name:color:description" (color without leading #)
+REQUIRED_LABEL_SPECS=(
+ "security:d93f0b:Security-related PRs and issues"
+ "dependencies:0075ca:Dependency update PRs"
+ "scorecard:d93f0b:OpenSSF Scorecard findings"
+ "bug:d73a4a:Bug reports"
+ "enhancement:a2eeef:Feature requests"
+ "documentation:0075ca:Documentation changes"
+)
+
+apply_labels() {
+ local repo="$1"
+ info "Ensuring required labels exist on $ORG/$repo ..."
+
+ for spec in "${REQUIRED_LABEL_SPECS[@]}"; do
+ IFS=':' read -r label color description <<< "$spec"
+
+ if [ "$DRY_RUN" = "true" ]; then
+ skip "DRY_RUN=true — would ensure label \`$label\` (color: #$color) exists in $repo"
+ continue
+ fi
+
+ if gh label create "$label" \
+ --repo "$ORG/$repo" \
+ --color "$color" \
+ --description "$description" \
+ --force 2>/dev/null; then
+ ok " label \`$label\` ensured in $repo"
+ else
+ err " Failed to create/update label \`$label\` in $repo"
+ fi
+ done
+}
+
 apply_settings() {
 local repo="$1"
 info "Applying standard settings to $ORG/$repo ..."
@@ -146,6 +180,7 @@ if [ "$1" = "--all" ]; then
 failed=0
 for repo in $repos; do
 apply_settings "$repo" || failed=$((failed + 1))
+ apply_labels "$repo" || true
 done
 if [ "$failed" -gt 0 ]; then
@@ -156,4 +191,5 @@ if [ "$1" = "--all" ]; then
 ok "All repos processed successfully"
 else
 apply_settings "$1"
+ apply_labels "$1"
 fi
diff --git a/scripts/compliance-audit.sh b/scripts/compliance-audit.sh
index 60288d0..5c65f78 100755
--- a/scripts/compliance-audit.sh
+++ b/scripts/compliance-audit.sh
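Review bot: A failed `gh label create` is never surfaced to the caller: apply_labels returns the status of whichever `ok`/`err` call happened to run last, and the `--all` loop in the second hunk discards even that with `apply_labels "$repo" || true`, so a repo whose labels could not be created is still reported under "All repos processed successfully". Track the failure in a local, return it, and count it in the loop the way apply_settings already is: `apply_labels "$repo" || failed=$((failed + 1))`. The `2>/dev/null` on the gh call also throws away the only explanation GitHub gives for a refusal (typically a token without label/issue write scope), so the err line should carry gh's stderr. `--force` silently overwrites the colour and description of any label a repo has customised; that may be intended for a remediation script, but the function header should say so.
```bash
apply_labels() {
  local repo="$1"
  local rc=0 out
  # … unchanged: info line, spec loop header, IFS read, DRY_RUN skip …
    if out=$(gh label create "$label" --repo "$ORG/$repo" \
        --color "$color" --description "$description" --force 2>&1); then
      ok "  label \`$label\` ensured in $repo"
    else
      err "  Failed to create/update label \`$label\` in $repo: $out"
      rc=1
    fi
  done
  return "$rc"
}
```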
@@ -34,7 +34,15 @@ SUMMARY_FILE="$REPORT_DIR/summary.md"
 REQUIRED_WORKFLOWS=(ci.yml codeql.yml sonarcloud.yml claude.yml dependabot-automerge.yml dependency-audit.yml agent-shield.yml)
-REQUIRED_LABELS=(security dependencies scorecard bug enhancement documentation)
+# Label specs: "name:color:description" (color without leading #)
+REQUIRED_LABEL_SPECS=(
+ "security:d93f0b:Security-related PRs and issues"
+ "dependencies:0075ca:Dependency update PRs"
+ "scorecard:d93f0b:OpenSSF Scorecard findings"
+ "bug:d73a4a:Bug reports"
+ "enhancement:a2eeef:Feature requests"
+ "documentation:0075ca:Documentation changes"
+)
 REQUIRED_SETTINGS_BOOL=(
 "allow_auto_merge:true:warning:Allow auto-merge must be enabled for Dependabot workflow"
@@ -292,7 +300,7 @@ check_repo_settings() {
 }
 # ---------------------------------------------------------------------------
-# Check: Required labels
+# Check: Required labels (auto-creates missing ones)
 # ---------------------------------------------------------------------------
 check_labels() {
 local repo="$1"
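Review bot: REQUIRED_LABEL_SPECS in this hunk is a verbatim copy of the array the same commit adds to scripts/apply-repo-settings.sh, so the audit and the remediation script will drift the next time a label is added or recoloured and the audit will start "fixing" repos to a different standard than the remediation script applies. Keep the list in one file that both scripts `source` (path of the maintainers' choosing) rather than two literal copies. The format comment should also state what the parser tolerates: `read -r label color description` puts the entire remainder into the last variable, so `# Label specs: "name:color:description" (6-hex colour without #; description may itself contain ':')` documents the contract the specs actually rely on.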
@@ -300,11 +308,23 @@ check_labels() {
 local existing_labels
 existing_labels=$(gh_api "repos/$ORG/$repo/labels" --jq '.[].name' --paginate 2>/dev/null || echo "")
- for label in "${REQUIRED_LABELS[@]}"; do
+ for spec in "${REQUIRED_LABEL_SPECS[@]}"; do
+ IFS=':' read -r label color description <<< "$spec"
+
 if ! echo "$existing_labels" | grep -qx "$label"; then
- add_finding "$repo" "labels" "missing-label-$label" "warning" \
- "Required label \`$label\` is missing" \
- "standards/github-settings.md#labels--standard-set"
+ info "Label \`$label\` missing from $repo — attempting to create it"
+ if gh label create "$label" \
+ --repo "$ORG/$repo" \
+ --color "$color" \
+ --description "$description" \
+ --force 2>/dev/null; then
+ info "Created label \`$label\` in $repo"
+ else
+ warn "Failed to create label \`$label\` in $repo — filing finding for manual remediation"
+ add_finding "$repo" "labels" "missing-label-$label" "warning" \
+ "Required label \`$label\` is missing and could not be auto-created" \
+ "standards/github-settings.md#labels--standard-set"
+ fi
 fi
 done
 }
From e8503cc9c6175521262f0732055630248a88c4e6 Mon Sep 17 00:00:00 2001
From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com>
Date: Mon, 6 Apr 2026 03:44:57 +0000
Subject: [PATCH 2/2] fix: skip label auto-create during dry run in compliance-audit.sh
When DRY_RUN=true, check_labels() should not modify the repository. Instead, file a finding (as before) so dry run output still shows what would be changed.
Co-authored-by: don-petry
---
 scripts/compliance-audit.sh | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/scripts/compliance-audit.sh b/scripts/compliance-audit.sh
index 5c65f78..9f53241 100755
--- a/scripts/compliance-audit.sh
+++ b/scripts/compliance-audit.sh
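Review bot: When the label listing fails, the context line `existing_labels=$(... || echo "")` leaves the list empty, and the new loop then runs `gh label create --force` for every spec, overwriting the colour and description of labels the repo already has; before this change a fetch failure only produced spurious findings, now it produces writes to every audited repo. Fail closed instead: `if ! existing_labels=$(gh_api "repos/$ORG/$repo/labels" --jq '.[].name' --paginate 2>/dev/null); then` file a finding such as `labels-unreadable` and `return`, and only enter the create loop when the list was actually read. Two smaller points: a label that is auto-created leaves no trace in the report (only an `info` line on stdout), so a reader of summary.md cannot tell that the audit changed the repo — an informational finding for each created label would keep the audit trail, and `2>/dev/null` on the create hides gh's reason for failure, which is exactly what the "manual remediation" finding needs to carry. This also turns a read-only audit into a writer, so the token it runs under now needs label write access; that is worth recording in the script header so it is not granted more broadly than needed.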
@@ -312,6 +312,12 @@ check_labels() {
 IFS=':' read -r label color description <<< "$spec"
 if ! echo "$existing_labels" | grep -qx "$label"; then
+ if [ "$DRY_RUN" = "true" ]; then
+ add_finding "$repo" "labels" "missing-label-$label" "warning" \
+ "Required label \`$label\` is missing (dry run — skipping auto-create)" \
+ "standards/github-settings.md#labels--standard-set"
+ continue
+ fi
 info "Label \`$label\` missing from $repo — attempting to create it"
 if gh label create "$label" \
 --repo "$ORG/$repo" \
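Review bot: The guard on the first added line is fail-open: any value of DRY_RUN other than the literal `true`, including the variable being unset or set to `1`/`yes`, takes the branch that writes to the repository, and if the script runs under `set -u` an unset DRY_RUN aborts the audit instead. Unless DRY_RUN is defaulted earlier in the file (outside this hunk), give it an explicit default here, `if [ "${DRY_RUN:-false}" = "true" ]; then`, and consider whether an audit should default to the non-mutating path (`${DRY_RUN:-true}`) so that a missing variable means "report only" rather than "create labels". The dry-run finding reuses the id `missing-label-$label` with a different message; that is fine for readers but a consumer that keys on ids cannot distinguish "skipped in dry run" from "creation failed". check_labels continues outside the hunk.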