fspiers/ENT-3334/incremental-sync-batch-1 (#33)

Author: ixxeL2097

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -56,6 +56,7 @@ body:
         - universal
         - clusterpirate
         - common
+        - etcd
         - ghost
         - keycloak
         - mariadb
@@ -68,6 +69,7 @@ body:
         - redis
         - timescaledb
         - valkey
+        - wordpress
         - zookeeper
     validations:
       required: true

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -45,6 +45,7 @@ body:
         - universal
         - clusterpirate
         - common
+        - etcd
         - ghost
         - keycloak
         - mariadb
@@ -57,4 +58,5 @@ body:
         - redis
         - timescaledb
         - valkey
+        - wordpress
         - zookeeper

.github/PULL_REQUEST_TEMPLATE.md

@@ -4,6 +4,9 @@
  - Describe the scope of your change - i.e. what the change does.
  - Describe any known limitations with your change.
  - Please run any tests or examples that can exercise your modified code.
+ - Labels are automatically applied when they are inside the square brackets of your PR title on opening. Examples:
+   - [redis]: adds `redis` label
+   - [redis, valkey] Adds `redis` and `valkey` labels
 
  Thank you for contributing! We will try to test and integrate the change as soon as we can.
  -->
@@ -23,6 +26,7 @@
 ### Applicable issues
 
 <!-- Enter any applicable Issues here (You can reference an issue using #) -->
+
 - fixes #
 
 ### Additional information
@@ -33,6 +37,6 @@
 
 <!-- [Place an '[X]' (no spaces) in all applicable fields. Please remove unrelated fields.] -->
 
-- [ ] Chart version bumped in `Chart.yaml` according to [semver](http://semver.org/). This is *not necessary* when the changes only affect README.md files.
+- [ ] Chart version bumped in `Chart.yaml` according to [semver](http://semver.org/). This is _not necessary_ when the changes only affect README.md files.
 - [ ] Variables are documented in the values.yaml and added to the `README.md`
 - [ ] Title of the pull request follows this pattern [<name_of_the_chart>] Descriptive title

.github/dependabot.yml

@@ -0,0 +1,22 @@
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"
+    open-pull-requests-limit: 10
+    assignees:
+      - "CloudPirates-io/maintainers"
+    # Group all GitHub Actions updates into a single PR
+    groups:
+      github-actions:
+        patterns:
+          - "*"

.github/workflows/auto-label.yaml

@@ -2,23 +2,44 @@ name: Auto-label issues
 on:
   issues:
     types: [opened]
+  pull_request:
+    types: [opened]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.issue.number }}
+  cancel-in-progress: true
 
 jobs:
   label:
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     permissions:
       issues: write
+      pull-requests: write
     steps:
       - name: Apply labels
-        uses: actions/github-script@v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
-            const labels = (context.payload.issue.body.split(/### Affected Helm charts/)[1] || "")
+            let content = "";
+            if (context.payload.pull_request) {
+              const parsedTitle = context.payload.pull_request.title.match(/^\[([a-z_-]+(?:, [a-z_-]+)*)\].+$/);
+              content = parsedTitle ? parsedTitle[1] : "";
+            } else {
+              content = context.payload.issue.body.split(/### Affected Helm charts/)[1] || "";
+            }
+            const { data } = await github.rest.issues.listLabelsForRepo({
+              ...context.repo,
+              per_page: 100,
+            });
+            const existingLabels = new Set(data.map((label) => label.name));
+            const labels = content
               .trim()
               .split(",")
               .map((s) => s.trim())
-              .filter((s) => s && s !== "_No response_");
+              .filter((s) => s && existingLabels.has(s));
             if (labels.length) {
+              console.log(`Adding ${labels.length} labels: ${labels.join(', ')}`)
               await github.rest.issues.addLabels({
                 ...context.repo,
                 issue_number: context.issue.number,

.github/workflows/check-signed-commits.yaml

@@ -0,0 +1,75 @@
+name: Check signed commits in PR
+on: pull_request_target
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  check-signed-commits:
+    name: Check signed commits in PR
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+
+      - name: Check for bot commits
+        id: check-bots
+        run: |
+          # Get all commits in the PR
+          git fetch origin ${{ github.event.pull_request.base.ref }}
+          COMMITS=$(git log origin/${{ github.event.pull_request.base.ref }}..HEAD --format="%an")
+
+          echo "Commits in PR:"
+          echo "$COMMITS"
+
+          # Check if any commits are NOT from bots
+          # grep -v returns 0 (true) if it finds lines NOT matching the pattern
+          # grep -v returns 1 (false) if all lines match the pattern (all are bots)
+          if echo "$COMMITS" | grep -qv '\[bot\]'; then
+            echo "Found human commits"
+            echo "has_human_commits=true" >> $GITHUB_OUTPUT
+          else
+            echo "All commits are from bots"
+            echo "has_human_commits=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Check signed commits in PR
+        if: steps.check-bots.outputs.has_human_commits == 'true'
+        continue-on-error: true
+        uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # v1.2.0
+        with:
+          comment: |
+            ## ⚠️ Unsigned Commits Detected
+
+            This pull request contains unsigned commits.
+
+            ### What does this mean?
+
+            Signed commits help ensure the authenticity and traceability of contributions. They allow us to verify that commits actually came from the stated author, even if GitHub accounts are deleted or modified in the future.
+
+            ### Current Policy (Grace Period)
+
+            **This is currently a warning only.** We are in a transition period to give all contributors time to set up commit signing.
+
+            After this grace period, **all commits will be required to be signed** before PRs can be merged.
+
+            ### How to sign your commits
+
+            Please see our [Contributing Guide](../blob/main/CONTRIBUTING.md#setting-up-your-development-environment) for detailed instructions on setting up commit signing.
+
+            ### Resources
+
+            - [Contributing Guide: Development Setup](../blob/main/CONTRIBUTING.md#setting-up-your-development-environment)
+            - [GitHub Docs: About Commit Signature Verification](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)
+
+            ---
+
+            _This check will become mandatory in the future. Please start signing your commits now to avoid issues later._