Merged
36 changes: 31 additions & 5 deletions scripts/compliance-audit.sh
Expand Up @@ -35,7 +35,16 @@ ISSUES_FILE="$REPORT_DIR/issues.json"

REQUIRED_WORKFLOWS=(ci.yml codeql.yml sonarcloud.yml claude.yml dependabot-automerge.yml dependency-audit.yml agent-shield.yml)

REQUIRED_LABELS=(security dependencies scorecard bug enhancement documentation in-progress)
# name:hex-color:description (color without leading #)
REQUIRED_LABEL_SPECS=(
"security:d93f0b:Security-related PRs and issues"
"dependencies:0075ca:Dependency update PRs"
"scorecard:d93f0b:OpenSSF Scorecard findings (auto-created)"
"bug:d73a4a:Bug reports"
"enhancement:a2eeef:Feature requests"
"documentation:0075ca:Documentation changes"
"in-progress:fbca04:An agent is actively working this issue"
)
Comment on lines +38 to +47
⚠️ Potential issue | 🟠 Major

Unify required-label metadata to a single source of truth.

REQUIRED_LABEL_SPECS is standards-aligned, but ensure_required_labels() still hardcodes a second label list with different metadata (notably scorecard description). Since ensure_required_labels() runs with --force, it can overwrite the new spec and cause drift.

Proposed refactor
 # Create all required labels (idempotent — uses --force to update if present)
 ensure_required_labels() {
   local repo="$1"
-  # Format: "name|color|description" (pipe-delimited to avoid colon conflicts)
-  local label_configs=(
-    "security|d93f0b|Security-related PRs and issues"
-    "dependencies|0075ca|Dependency update PRs"
-    "scorecard|d93f0b|OpenSSF Scorecard findings"
-    "bug|d73a4a|Bug reports"
-    "enhancement|a2eeef|Feature requests"
-    "documentation|0075ca|Documentation changes"
-    "in-progress|fbca04|An agent is actively working this issue"
-  )
-
-  for config in "${label_configs[@]}"; do
-    IFS='|' read -r name color description <<< "$config"
+  for spec in "${REQUIRED_LABEL_SPECS[@]}"; do
+    IFS=':' read -r name color description <<< "$spec"
     gh label create "$name" \
       --repo "$ORG/$repo" \
       --description "$description" \
       --color "$color" \
       --force 2>/dev/null || true
   done
 }
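Review bot: the proposed loop keeps `--force 2>/dev/null || true`, so a failed `gh label create` inside `ensure_required_labels()` produces neither a log line nor a finding, whereas `check_labels()` in the same change calls `warn` and files a `missing-label-$label` finding when creation fails. Suggest dropping `|| true` and using the same warn-plus-finding handling (or at least letting stderr through), so that a drift this function exists to correct cannot fail silently.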
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@scripts/compliance-audit.sh` around lines 38 - 47, the script defines REQUIRED_LABEL_SPECS but ensure_required_labels() uses a separate hardcoded label list causing metadata drift (e.g., scorecard description) and --force can overwrite the canonical spec; update ensure_required_labels() to read and parse REQUIRED_LABEL_SPECS (not a second array) when creating/updating labels, remove the duplicated/hardcoded label definitions inside ensure_required_labels(), and ensure creation/update logic for label names, colors and descriptions uses the parsed REQUIRED_LABEL_SPECS values so the spec remains the single source of truth.


REQUIRED_SETTINGS_BOOL=(
"allow_auto_merge:true:warning:Allow auto-merge must be enabled for Dependabot workflow"
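Review bot: the header comment `# name:hex-color:description (color without leading #)` should also state that the name and color fields must not contain a colon. `IFS=':' read -r label color description` hands everything after the second colon to `description`, so a description with a colon survives, but a label named in the common `area: security` style would be split into a wrong name and color. The `ensure_required_labels()` list shown in the review comment above used `|` precisely "to avoid colon conflicts"; either document the constraint next to REQUIRED_LABEL_SPECS or keep that delimiter.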
Expand Down Expand Up @@ -301,11 +310,28 @@ check_labels() {
local existing_labels
existing_labels=$(gh_api "repos/$ORG/$repo/labels" --jq '.[].name' --paginate 2>/dev/null || echo "")

Copilot AI Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If gh_api fails (rate limit/transient error/permission), existing_labels becomes empty and the script will attempt to create (and --force update) all required labels. That can unintentionally overwrite existing label colors/descriptions based solely on a list failure. Consider treating “unable to list labels” as its own finding and skipping auto-create in that case, and/or only using --force when you’ve positively confirmed absence. Also, redirecting stderr to /dev/null removes useful diagnostics for audit logs; it would be more actionable to preserve or capture the error output when creation fails.


for label in "${REQUIRED_LABELS[@]}"; do
for spec in "${REQUIRED_LABEL_SPECS[@]}"; do
IFS=':' read -r label color description <<< "$spec"
Comment on lines +313 to +314
Copilot AI Apr 6, 2026
Using : as the field delimiter makes descriptions unable to contain colons (they’ll be split and truncated). Since label descriptions are freeform text, this is a brittle encoding. Consider switching to a delimiter that’s less likely to appear in descriptions (or storing specs in a more structured way, e.g., separate arrays / JSON and parsing with jq) to avoid subtle parsing bugs later.
if ! echo "$existing_labels" | grep -qx "$label"; then
Copilot AI Apr 6, 2026
grep -qx interprets $label as a regex pattern. Even though current required labels are simple, this becomes fragile if a future required label contains regex metacharacters (e.g., . or []). Use fixed-string matching (e.g., grep -F) to ensure label names are treated literally.
add_finding "$repo" "labels" "missing-label-$label" "warning" \
"Required label \`$label\` is missing" \
"standards/github-settings.md#labels--standard-set"
if [ "$DRY_RUN" = "true" ]; then
add_finding "$repo" "labels" "missing-label-$label" "warning" \
"Required label \`$label\` is missing" \
"standards/github-settings.md#labels--standard-set"
else
info "Auto-creating missing label '$label' on $repo"
if gh label create "$label" \
--repo "$ORG/$repo" \
--color "$color" \
--description "$description" \
--force 2>/dev/null; then
info "Label '$label' created successfully on $repo"
else
warn "Failed to create label '$label' on $repo — filing finding for manual remediation"
add_finding "$repo" "labels" "missing-label-$label" "warning" \
"Required label \`$label\` is missing and could not be auto-created" \
"standards/github-settings.md#labels--standard-set"
fi
fi
fi
done
}
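Review bot: `check_labels()` now parses `color` and `description` from each spec but uses them only in the create branch; an existing label whose color or description differs from the spec passes the `grep -qx` presence check and no finding is filed, so the spec is the source of truth only for labels that happen to be missing. Suggest listing `.[] | [.name, .color, .description]` instead of `.[].name` and comparing each spec against the matching entry, filing a drift finding (for example `label-drift-$label`) when they differ. Separately, `--force 2>/dev/null` in the create branch discards gh's error text, so the `warn` on failure cannot say why creation failed; capturing stderr into the finding message would make the "manual remediation" it asks for actionable.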
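The three Copilot comments above (a failed label listing treated as "no labels exist", colon-delimited specs, and regex matching in `grep -qx`) and CodeRabbit's single-source-of-truth point can be exercised together in a small bash script. This is an added example, not code from the PR or the repository: `list_labels` is a stand-in for the script's `gh_api "repos/$ORG/$repo/labels" --jq '.[].name' --paginate` call, driven by the constructed environment variables FAKE_LABELS and FAKE_LIST_FAILS so it runs offline, and LABEL_SPECS is a constructed three-entry copy of the REQUIRED_LABEL_SPECS encoding whose last description deliberately contains colons. It shows that bash's `read` assigns everything after the second colon to the last variable (so colons in a description survive, while a colon in a name would not), that `grep -Fxq` matches names literally, and that a failed listing yields its own finding and a non-zero return rather than an empty list that would trigger `--force` creation of every label.

```bash
#!/usr/bin/env bash
# Added example, not part of the PR: how check_labels() could parse the
# "name:color:description" specs, match label names literally, and refuse to
# auto-create anything when the label listing itself failed.
set -eu

# Constructed copy of the spec encoding. The last entry has colons in its
# description on purpose.
LABEL_SPECS=(
  "security:d93f0b:Security-related PRs and issues"
  "bug:d73a4a:Bug reports"
  "needs-triage:ededed:Untriaged: owner not yet assigned"
)

# spec_field SPEC FIELD -> prints name, color or description from SPEC.
# `read` puts everything after the second colon into the last variable, so a
# description may contain colons; a name or color must not.
spec_field() {
  local name color description
  IFS=':' read -r name color description <<< "$1"
  case "$2" in
    name)        printf '%s\n' "$name" ;;
    color)       printf '%s\n' "$color" ;;
    description) printf '%s\n' "$description" ;;
    *)           return 1 ;;
  esac
}

# label_present NAME LIST -> exit 0 if NAME is one whole line of LIST.
# -F: fixed string (a "." or "[" in a name is literal); -x: whole line only.
label_present() {
  printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# Stand-in for `gh_api "repos/$ORG/$repo/labels" --jq '.[].name' --paginate`.
# FAKE_LABELS supplies the newline-separated names; FAKE_LIST_FAILS=1 simulates
# an API error (rate limit, permission) the way the real call could fail.
list_labels() {
  if [ "${FAKE_LIST_FAILS:-0}" = "1" ]; then
    echo "gh: HTTP 403 (simulated)" >&2
    return 1
  fi
  printf '%s\n' "${FAKE_LABELS:-}"
}

# audit_labels REPO -> prints one "ok:NAME" or "missing:NAME" line per spec.
# If the listing fails, prints a single error finding carrying the captured
# stderr and returns 2, so a caller never runs `gh label create --force` on
# the strength of an empty list.
audit_labels() {
  local repo="$1" existing errfile spec name
  errfile=$(mktemp)
  if ! existing=$(list_labels "$repo" 2>"$errfile"); then
    printf 'error:unable-to-list-labels:%s\n' "$(tr '\n' ' ' < "$errfile")"
    rm -f "$errfile"
    return 2
  fi
  rm -f "$errfile"
  for spec in "${LABEL_SPECS[@]}"; do
    name=$(spec_field "$spec" name)
    if label_present "$name" "$existing"; then
      printf 'ok:%s\n' "$name"
    else
      printf 'missing:%s\n' "$name"
    fi
  done
}

# Demo run: two labels exist and one is missing, then the listing "fails".
FAKE_LABELS=$'bug\nsecurity' audit_labels demo-repo
FAKE_LIST_FAILS=1 audit_labels demo-repo || echo "listing failed (rc=$?); nothing auto-created"
```

Wiring this into the real script would mean keeping `--force` only on the path where absence was positively confirmed, and turning the `error:unable-to-list-labels` line into an `add_finding` call so a transient API failure shows up in the audit report instead of as a batch of rewritten labels.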