Skip to content

Prince/Add shiftai workflows #25

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 16 commits into from
Closed

Prince/Add shiftai workflows #25

wants to merge 16 commits into from

Conversation

prince-deriv
Copy link
Collaborator

No description provided.

@prince-deriv
Add ShiftAI workflows: AI code analysis and dashboard tracker
77c58f9 
- AI Code Analysis: Analyzes AI-generated code in PRs with workflow_call support
- AI Dashboard: Tracks merged PRs and maintains AI usage dashboard
- Self-contained with included generate-dashboard.js script
- Comprehensive security validations and reusable inputs
@prince-deriv
Fix workflow structure: Move to top-level workflows directory
17cd338 
- Move ai-code-analysis.yml to .github/workflows/ (required by GitHub)
- Move ai-dashboard.yml to .github/workflows/ (required by GitHub)
- Move scripts to .github/scripts/ (correct path)
- Fixes: workflows must be defined at the top level of .github/workflows/
@prince-deriv
fix: workflow issues
4d85a30
@prince-deriv
Fix workflows: Use proper secrets architecture
b83fd69 
- Move tokens from inputs to secrets section (GitHub requirement)
- PERSONAL_ACCESS_TOKEN now properly handled as secret
- GITHUB_TOKEN and SHIFTAI_TOKEN use secrets context
- Simplified inputs to only essential customizations
- Follows GitHub's security best practices
@prince-deriv
Fix reserved secret name collision
3fa96a9 
- Rename GITHUB_TOKEN to GH_TOKEN (GitHub reserves GITHUB_TOKEN)
- Fixes error: secret name GITHUB_TOKEN within workflow_call collides with system reserved name
- Maintains same functionality with non-reserved secret name
@prince-deriv
Optimize for secrets: inherit pattern
d1d309c 
- Remove explicit secret definitions that aren't needed with inherit
- Use original GITHUB_TOKEN name (works with inherit)
- Cleaner calling syntax: just 'secrets: inherit'
- Maintains compatibility with explicit secret passing
@prince-deriv
Final fix: Use github.token directly for inherited secrets
56816be 
- Remove undefined secrets.GITHUB_TOKEN references
- Use github.token which is always available
- Add test file with AI code blocks for testing
- Ready for production use with 'secrets: inherit'
@prince-deriv
DEBUG: Temporarily disable workflow_call to isolate error
15524bb 
- Remove workflow_call section entirely
- Let's see what the actual error is now
- Will add back with proper fix once we identify root cause
@prince-deriv
FIXED: Restore workflow_call with proper GITHUB_TOKEN handling
b57464c 
- Restore workflow_call section after debugging
- Only define PERSONAL_ACCESS_TOKEN in secrets
- Use github.token directly, no secrets.GITHUB_TOKEN reference
- Should fix Invalid secret GITHUB_TOKEN is not defined error
@prince-deriv
Add GITHUB_TOKEN as optional secret for inherit compatibility
c4bd4f4 
- Define GITHUB_TOKEN as optional secret to support secrets: inherit
- Required when caller uses secrets: inherit with GITHUB_TOKEN
- Should fix persistent Invalid secret GITHUB_TOKEN not defined error
@prince-deriv
FINAL FIX: Remove GITHUB_TOKEN from secrets to avoid reserved name co…
75ef8d6 
…llision

- Remove GITHUB_TOKEN from workflow_call secrets (GitHub reserved name)
- Keep only PERSONAL_ACCESS_TOKEN as required secret
- Use github.token directly in workflow (always available)
- Breaks the catch-22 loop - ready for production
@prince-deriv
BREAKTHROUGH: Make GITHUB_TOKEN an input instead of secret
0e65572 
- Add github_token as optional input to avoid reserved name collision
- Use inputs.github_token || github.token pattern
- Should finally resolve the persistent GITHUB_TOKEN validation error
- Avoids GitHub's secret reserved name restrictions
@prince-deriv
Add simple test workflow for debugging
1278e54 
- Minimal reusable workflow to test basic functionality
- No complex logic, just echo statements
- Will help isolate if issue is workflow complexity or basic setup
@prince-deriv
Remove test workflow - debugging complete
c330c07 
- Simple test workflow worked, confirming basic setup is fine
- Issue was specific to our complex AI workflow
- Ready to test actual AI workflow now
@github-actions GitHub Actions
Copy link

github-actions bot commented Aug 1, 2025
edited
Loading

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

.github/workflows/ai-code-analysis.yml

PackageVersionLicenseIssue Type
deriv-com/shared-actions/.github/actions/verify_user_in_organization3.*.*NullUnknown License

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/checkout 11bd71901bbe5b1630ceea73d27597364c9af683 🟢 5.3
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained⚠️ 12 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Packaging⚠️ -1packaging workflow not detected
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ -1internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration
SAST🟢 8SAST tool detected but not run on all commits
Vulnerabilities⚠️ 010 existing vulnerabilities detected
actions/actions/github-script 60a0d83039c74a4aee543508d2ffcb1c3799cdea 🟢 6.9
Details
CheckScoreReason
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review🟢 10all changesets reviewed
Maintained🟢 45 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4
Token-Permissions🟢 9detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 1dependency not pinned by hash detected -- score normalized to 1
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ -1internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration
SAST🟢 10SAST tool is run on all commits
Vulnerabilities🟢 46 existing vulnerabilities detected
actions/actions/setup-node 1e60f620b9541d16bece96c5465dc8ee9832be0b 🟢 5.3
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained⚠️ 23 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 9binaries present in source code
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ 1branch protection is not maximal on development and all release branches
SAST🟢 9SAST tool is not run on all commits -- score normalized to 9
Vulnerabilities🟢 64 existing vulnerabilities detected
actions/deriv-com/shared-actions/.github/actions/verify_user_in_organization 3.*.* UnknownUnknown
actions/actions/checkout 11bd71901bbe5b1630ceea73d27597364c9af683 🟢 5.3
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained⚠️ 12 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Packaging⚠️ -1packaging workflow not detected
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ -1internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration
SAST🟢 8SAST tool detected but not run on all commits
Vulnerabilities⚠️ 010 existing vulnerabilities detected
actions/actions/github-script 60a0d83039c74a4aee543508d2ffcb1c3799cdea 🟢 6.9
Details
CheckScoreReason
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review🟢 10all changesets reviewed
Maintained🟢 45 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4
Token-Permissions🟢 9detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 1dependency not pinned by hash detected -- score normalized to 1
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ -1internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration
SAST🟢 10SAST tool is run on all commits
Vulnerabilities🟢 46 existing vulnerabilities detected
actions/actions/setup-node 1e60f620b9541d16bece96c5465dc8ee9832be0b 🟢 5.3
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained⚠️ 23 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 9binaries present in source code
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ 1branch protection is not maximal on development and all release branches
SAST🟢 9SAST tool is not run on all commits -- score normalized to 9
Vulnerabilities🟢 64 existing vulnerabilities detected

Scanned Manifest Files

.github/workflows/ai-code-analysis.yml
.github/workflows/ai-dashboard.yml

prince-deriv and others added 2 commits August 1, 2025 11:34
@prince-deriv
Fix: Embed dashboard script inline to solve 404 error
1f47c06 
- Replace external script download with inline script creation
- Fixes 404 error when workflow tries to download from non-existent repo
- Remove separate .github/scripts/generate-dashboard.js file (no longer needed)
- Now works correctly in reusable workflow context
@prince-deriv
Merge pull request #27 from prince-deriv/add-shiftai-workflows
d15dd02 
Fix: Embed dashboard script inline to solve 404 error
@prince-deriv prince-deriv deleted the add-shiftai-workflows branch August 1, 2025 11:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@prince-deriv