Skip to content

fix: auto-create missing required labels during compliance audit #64

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
claude wants to merge 2 commits into from
Closed

fix: auto-create missing required labels during compliance audit #64

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ae78f92
fix: auto-create missing required labels during compliance audit
github-actions[bot] Apr 6, 2026
e8503cc
fix: skip label auto-create during dry run in compliance-audit.sh
github-actions[bot] Apr 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 36 additions & 0 deletions scripts/apply-repo-settings.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,40 @@ usage() {
exit 1
}

# Label specs: "name:color:description" (color without leading #)
REQUIRED_LABEL_SPECS=(
"security:d93f0b:Security-related PRs and issues"
"dependencies:0075ca:Dependency update PRs"
"scorecard:d93f0b:OpenSSF Scorecard findings"
"bug:d73a4a:Bug reports"
"enhancement:a2eeef:Feature requests"
"documentation:0075ca:Documentation changes"
)

apply_labels() {
local repo="$1"
info "Ensuring required labels exist on $ORG/$repo ..."

for spec in "${REQUIRED_LABEL_SPECS[@]}"; do
IFS=':' read -r label color description <<< "$spec"

if [ "$DRY_RUN" = "true" ]; then
skip "DRY_RUN=true — would ensure label \`$label\` (color: #$color) exists in $repo"
continue
fi

if gh label create "$label" \
--repo "$ORG/$repo" \
--color "$color" \
--description "$description" \
--force 2>/dev/null; then
ok " label \`$label\` ensured in $repo"
else
err " Failed to create/update label \`$label\` in $repo"
fi
done
}

apply_settings() {
local repo="$1"
info "Applying standard settings to $ORG/$repo ..."
Expand Down Expand Up @@ -146,6 +180,7 @@ if [ "$1" = "--all" ]; then
failed=0
for repo in $repos; do
apply_settings "$repo" || failed=$((failed + 1))
apply_labels "$repo" || true
done

if [ "$failed" -gt 0 ]; then
Expand All @@ -156,4 +191,5 @@ if [ "$1" = "--all" ]; then
ok "All repos processed successfully"
else
apply_settings "$1"
apply_labels "$1"
fi
38 changes: 32 additions & 6 deletions scripts/compliance-audit.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,15 @@ SUMMARY_FILE="$REPORT_DIR/summary.md"

REQUIRED_WORKFLOWS=(ci.yml codeql.yml sonarcloud.yml claude.yml dependabot-automerge.yml dependency-audit.yml agent-shield.yml)

REQUIRED_LABELS=(security dependencies scorecard bug enhancement documentation)
# Label specs: "name:color:description" (color without leading #)
REQUIRED_LABEL_SPECS=(
"security:d93f0b:Security-related PRs and issues"
"dependencies:0075ca:Dependency update PRs"
"scorecard:d93f0b:OpenSSF Scorecard findings"
"bug:d73a4a:Bug reports"
"enhancement:a2eeef:Feature requests"
"documentation:0075ca:Documentation changes"
)

REQUIRED_SETTINGS_BOOL=(
"allow_auto_merge:true:warning:Allow auto-merge must be enabled for Dependabot workflow"
Expand Down Expand Up @@ -292,19 +300,37 @@ check_repo_settings() {
}

# ---------------------------------------------------------------------------
# Check: Required labels
# Check: Required labels (auto-creates missing ones)
# ---------------------------------------------------------------------------
check_labels() {
local repo="$1"

local existing_labels
existing_labels=$(gh_api "repos/$ORG/$repo/labels" --jq '.[].name' --paginate 2>/dev/null || echo "")

for label in "${REQUIRED_LABELS[@]}"; do
for spec in "${REQUIRED_LABEL_SPECS[@]}"; do
IFS=':' read -r label color description <<< "$spec"

if ! echo "$existing_labels" | grep -qx "$label"; then
add_finding "$repo" "labels" "missing-label-$label" "warning" \
"Required label \`$label\` is missing" \
"standards/github-settings.md#labels--standard-set"
if [ "$DRY_RUN" = "true" ]; then
add_finding "$repo" "labels" "missing-label-$label" "warning" \
"Required label \`$label\` is missing (dry run — skipping auto-create)" \
"standards/github-settings.md#labels--standard-set"
continue
fi
info "Label \`$label\` missing from $repo — attempting to create it"
if gh label create "$label" \
--repo "$ORG/$repo" \
--color "$color" \
--description "$description" \
--force 2>/dev/null; then
info "Created label \`$label\` in $repo"
else
warn "Failed to create label \`$label\` in $repo — filing finding for manual remediation"
add_finding "$repo" "labels" "missing-label-$label" "warning" \
"Required label \`$label\` is missing and could not be auto-created" \
"standards/github-settings.md#labels--standard-set"
fi
fi
done
}
Expand Down
Loading