ci: add PR size and title checks, configure commitizen#4638
#4638: greysonlalonde wants to merge 1 commit into main from
Conversation
Add two new GitHub Actions workflows:
- pr-size.yml: auto-labels PRs by size and fails CI on PRs over 500 lines
- pr-title.yml: enforces conventional commit format on PR titles

Configure commitizen in pyproject.toml with strict schema pattern matching for conventional commits.
Excerpt of .github/workflows/pr-title.yml as shown with the code scanning alert:

```yaml
    runs-on: ubuntu-latest
    steps:
      - uses: amannn/action-semantic-pull-request@v5
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          types: |
            feat
            fix
            refactor
            perf
            test
            docs
            chore
            ci
            style
            revert
          requireScope: false
          subjectPattern: ^[a-z].+[^.]$
          subjectPatternError: >
            The PR title "{title}" does not follow conventional commit format.

            Expected: <type>(<scope>): <lowercase description without trailing period>

            Examples:
            feat(memory): add lancedb storage backend
            fix(agents): resolve deadlock in concurrent execution
            chore(deps): bump pydantic to 2.11.9

            See RELEASE_PROCESS.md for the full commit message convention.
```
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Copilot Autofix (AI, about 22 hours ago):
To fix the problem, explicitly declare a minimal permissions block in the workflow so that the GITHUB_TOKEN has only the rights needed. This job reads pull request information to validate the title and does not need to write to the repo, so contents: read and pull-requests: read are sufficient and follow the principle of least privilege.
The best fix without changing existing functionality is to add a permissions section at the workflow root (top level), so it applies to all jobs, right below the name: or on: block. Concretely, edit .github/workflows/pr-title.yml to insert:

permissions:
  contents: read
  pull-requests: read

between the on: block (ending at line 5) and the jobs: block (line 7), or directly after name: if you prefer. No imports or other definitions are needed; GitHub Actions interprets this permissions key natively.
| @@ -4,6 +4,10 @@ | ||
| pull_request: | ||
| types: [opened, edited, synchronize, reopened] | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
|
|
||
| jobs: | ||
| pr-title: | ||
| runs-on: ubuntu-latest |
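Review bot: the workflow-level `permissions:` block in this hunk is the right scope for pr-title, which only reads the PR, but the same CodeQL finding applies to pr-size.yml, which this autofix does not touch: that workflow applies labels, so it needs its own explicit block with `pull-requests: write` rather than relying on the repository default token permissions. Also note that once a top-level `permissions:` key is present, every scope not listed drops to none, so any future step in pr-title.yml that writes to the PR would need the matching write scope added here.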
Summary
- pr-size.yml workflow that auto-labels PRs by size and blocks merging PRs over 500 lines
- pr-title.yml workflow that enforces conventional commit format on PR titles
- pyproject.toml with strict schema pattern for conventional commits

Details
These enforce the conventions defined in RELEASE_PROCESS.md: <type>(<scope>): <description> with allowed types: feat, fix, refactor, perf, test, docs, chore, ci, style, revert. Lowercase description, no trailing period.

Both pr-size and pr-title should be added as required status checks on main once they run for the first time.

Test plan
- pr-title check fails
- pr-size check fails and labels as size/XL
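A local re-implementation of the title rule the pr-title workflow enforces, added here as an example (it is not code from this PR or from amannn/action-semantic-pull-request; the header regex is my approximation of how the action splits a title, and the type list and subject pattern are copied from the workflow above). It lets a contributor check a title before opening a PR and shows one quirk of the configured pattern:

```python
import re

# Allowed types, copied from the `types:` list in pr-title.yml.
ALLOWED_TYPES = {"feat", "fix", "refactor", "perf", "test",
                 "docs", "chore", "ci", "style", "revert"}

# Header split into <type>(<scope>)!?: <subject>. Assumed approximation of the
# action's parsing (constructed here, not copied from the action).
HEADER_RE = re.compile(
    r"^(?P<type>\w+)(?:\((?P<scope>[^)]*)\))?(?P<breaking>!)?: (?P<subject>.*)$"
)

# subjectPattern from the workflow: lowercase start, no trailing period.
# Note: `^[a-z].+[^.]$` also implies a minimum subject length of three
# characters, because `.+` and `[^.]` each consume at least one.
SUBJECT_RE = re.compile(r"^[a-z].+[^.]$")


def validate_pr_title(title: str, require_scope: bool = False) -> list[str]:
    """Return the list of problems with a PR title; an empty list means it passes.

    `require_scope` mirrors the workflow's `requireScope` option (false there).
    """
    problems: list[str] = []
    m = HEADER_RE.match(title)
    if not m:
        return [f'"{title}" is not of the form <type>(<scope>): <description>']
    if m["type"] not in ALLOWED_TYPES:
        problems.append(f'type "{m["type"]}" is not one of {sorted(ALLOWED_TYPES)}')
    if require_scope and not m["scope"]:
        problems.append("scope is required")
    if not SUBJECT_RE.match(m["subject"]):
        problems.append(
            f'subject "{m["subject"]}" must start lowercase and not end with a period'
        )
    return problems


if __name__ == "__main__":
    # The three examples from subjectPatternError plus this PR's own title.
    for t in ("feat(memory): add lancedb storage backend",
              "fix(agents): resolve deadlock in concurrent execution",
              "chore(deps): bump pydantic to 2.11.9",
              "ci: add PR size and title checks, configure commitizen",
              "Feat: Add thing."):
        print(t, "->", validate_pr_title(t) or "ok")
```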