HumanSignal
diff --git a/‎.github/autolabeler.yml
Lines changed: 32 additions & 0 deletions b/‎.github/autolabeler.yml
Lines changed: 32 additions & 0 deletions
diff --git a/‎.github/pr-title-checker-config.json
Lines changed: 28 additions & 0 deletions b/‎.github/pr-title-checker-config.json
Lines changed: 28 additions & 0 deletions
diff --git a/‎.github/workflows/bandit.yml
Lines changed: 57 additions & 0 deletions b/‎.github/workflows/bandit.yml
Lines changed: 57 additions & 0 deletions
diff --git a/‎.github/workflows/cancel_cicd_pipeline.yml
Lines changed: 21 additions & 0 deletions b/‎.github/workflows/cancel_cicd_pipeline.yml
Lines changed: 21 additions & 0 deletions
diff --git a/‎.github/workflows/cicd_pipeline.yml
Lines changed: 152 additions & 0 deletions b/‎.github/workflows/cicd_pipeline.yml
Lines changed: 152 additions & 0 deletions
@@ -0,0 +1,32 @@
+template: "Mandatory field" #https://github.com/release-drafter/release-drafter/blob/master/bin/generate-schema.js#L15
+autolabeler:
+  - label: 'breaking'
+    body:
+      - '/BREAKING CHANGE/i'
+  - label: 'fix'
+    title:
+      - '/^fix:/'
+  - label: 'feat'
+    title:
+      - '/^feat:/'
+  - label: 'docs'
+    title:
+      - '/^docs:/'
+  - label: 'chore'
+    title:
+      - '/^chore:/'
+  - label: 'ci'
+    title:
+      - '/^ci:/'
+  - label: 'perf'
+    title:
+      - '/^perf:/'
+  - label: 'refactor'
+    title:
+      - '/^refactor:/'
+  - label: 'style'
+    title:
+      - '/^style:/'
+  - label: 'test'
+    title:
+      - '/^test:/'
@@ -0,0 +1,28 @@
+{
+  "LABEL": {
+    "name": "title needs formatting",
+    "color": "EEEEEE"
+  },
+  "CHECKS": {
+    "prefixes": [
+      "fix: ",
+      "feat: ",
+      "docs: ",
+      "chore: ",
+      "ci: ",
+      "perf: ",
+      "refactor: ",
+      "style: ",
+      "test: "
+    ],
+    "ignoreLabels": [
+      "skip-changelog",
+      "skip-ci"
+    ]
+  },
+  "MESSAGES": {
+    "success": "PR title is valid",
+    "failure": "PR title is invalid",
+    "notice": "Valid prefixes are: fix, feat, docs, chore, ci, perf, refactor, style, test."
+  }
+}
@@ -0,0 +1,57 @@
+name: "Bandit"
+
+on:
+  workflow_call:
+    inputs:
+      head_sha:
+        required: true
+        type: string
+      repo:
+        required: true
+        type: string
+        default: heartexlabs/label-studio
+
+env:
+  BANDIT_VERSION: 1.7.4
+  PROJECT_PATH: 'label_studio/'
+  REPORT_PATH: 'bandit_results/bandit_security_report.txt'
+  ACTIONS_STEP_DEBUG: '${{ secrets.ACTIONS_STEP_DEBUG }}'
+
+jobs:
+  bandit:
+    name: "Bandit"
+    timeout-minutes: 2
+    runs-on: ubuntu-latest
+    steps:
+      - uses: hmarr/[email protected]
+
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          repository: ${{ inputs.repo }}
+          ref: ${{ inputs.head_sha }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.7'
+
+      - name: Install Bandit
+        run: |
+          pip install bandit==$BANDIT_VERSION
+
+      - name: Run Bandit
+        run: |
+          mkdir -p bandit_results
+          touch ${{ env.REPORT_PATH }}
+          bandit -r $PROJECT_PATH -o ${{ env.REPORT_PATH }} -f 'txt' -ll
+
+      - name: Print scan results
+        if: always()
+        run: cat ${{ env.REPORT_PATH }}
+
+      - uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: Security check results
+          path: ${{ env.REPORT_PATH }}
@@ -0,0 +1,21 @@
+name: "Cancel PR CI/CD pipeline"
+
+on:
+  pull_request_target:
+    types:
+      - closed
+      - converted_to_draft
+      - locked
+    branches:
+      - develop
+
+concurrency:
+  group: CI/CD Pipeline-${{ github.event.pull_request.number || github.event.pull_request.head.ref || github.ref_name }}
+  cancel-in-progress: true
+
+jobs:
+  cancel:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: hmarr/[email protected]
+      - run: echo CI/CD Pipeline-${{ github.event.pull_request.number || github.event.pull_request.head.ref || github.ref_name }}
@@ -0,0 +1,152 @@
+name: "CI/CD Pipeline"
+
+on:
+  push:
+    branches:
+      - develop
+      - 'ls-release/**'
+    paths:
+      - deploy/**
+      - label_studio/**
+      - setup.py
+      - .github/workflows/cicd_pipeline.yml
+      - .github/workflows/pr-labeler.yml
+      - .github/workflows/submodules-validator.yml
+      - .github/workflows/gitleaks.yml
+      - .github/workflows/bandit.yml
+      - .github/workflows/docker-build.yml
+      - .github/workflows/tests.yml
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+    branches:
+      - develop
+      - 'ls-release/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.pull_request.head.ref || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  changed_files:
+    name: "Changed files"
+    runs-on: ubuntu-latest
+    outputs:
+      src: ${{ steps.changes.outputs.src }}
+      frontend: ${{ steps.changes.outputs.frontend }}
+      docker: ${{ steps.changes.outputs.docker }}
+      commit-message: ${{ steps.commit-details.outputs.message }}
+    timeout-minutes: 5
+    steps:
+      - uses: hmarr/[email protected]
+
+      - name: Checkout
+        if: github.event_name == 'push'
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.ref }}
+
+      - uses: dorny/paths-filter@v2
+        id: changes
+        with:
+          filters: |
+            src:
+              - 'label_studio/!(frontend)/**'
+              - 'deploy/requirements**'
+              - 'setup.py'
+            frontend:
+              - 'label_studio/frontend/**'
+            docker:
+              - 'label_studio/**'
+              - 'deploy/**'
+              - 'Dockerfile**'
+              - 'setup.py'
+              - '.github/workflows/cicd_pipeline.yml'
+              - '.github/workflows/docker-build.yml'
+
+      - uses: actions/github-script@v6
+        id: commit-details
+        with:
+          github-token: ${{ secrets.GIT_PAT }}
+          script: |
+            const { repo, owner } = context.repo;
+            const { data: commit } = await github.rest.repos.getCommit({
+                owner,
+                repo,
+                ref: '${{ github.event.pull_request.head.sha || github.event.after }}'
+            });
+            core.setOutput("message", commit.commit.message);
+
+  pr_labeler:
+    name: "Validate"
+    if: github.event_name == 'pull_request_target'
+    uses: heartexlabs/label-studio/.github/workflows/pr-labeler.yml@develop
+    secrets: inherit
+
+  validate_submodules:
+    name: "Validate"
+    uses: heartexlabs/label-studio/.github/workflows/submodules-validator.yml@develop
+    with:
+      repo: ${{ github.event.pull_request.head.repo.full_name || github.event.repo.name || github.repository }}
+      head_sha: ${{ github.event.pull_request.head.sha || github.event.after }}
+      base_sha: ${{ github.event.pull_request.base.sha || github.event.before }}
+      target_branch: ${{ github.event.pull_request.base.ref || github.event.ref }}
+    secrets: inherit
+
+  gitleaks:
+    name: "Linter"
+    if: github.event_name == 'pull_request_target'
+    uses: heartexlabs/label-studio/.github/workflows/gitleaks.yml@develop
+    with:
+      repo: ${{ github.event.pull_request.head.repo.full_name || github.event.repo.name || github.repository }}
+      head_sha: ${{ github.event.pull_request.head.sha || github.event.after }}
+      base_sha: ${{ github.event.pull_request.base.sha || github.event.before }}
+    secrets: inherit
+
+  bandit:
+    name: "Linter"
+    needs:
+      - changed_files
+    if: needs.changed_files.outputs.src == 'true'
+    uses: heartexlabs/label-studio/.github/workflows/bandit.yml@develop
+    with:
+      repo: ${{ github.event.pull_request.head.repo.full_name || github.event.repo.name || github.repository }}
+      head_sha: ${{ github.event.pull_request.head.sha || github.event.after }}
+    secrets: inherit
+
+  frontend-build:
+    name: "Build"
+    needs:
+      - changed_files
+    if: |
+      github.event_name == 'pull_request_target' &&
+      needs.changed_files.outputs.frontend == 'true' &&
+      needs.changed_files.outputs.commit-message != 'Build frontend'
+    uses: heartexlabs/label-studio/.github/workflows/frontend-build.yml@develop
+    with:
+      ref: ${{ github.event.pull_request.head.ref || github.ref }}
+    secrets: inherit
+
+  build:
+    name: "Build"
+    needs:
+      - changed_files
+    if: github.event_name == 'push' && github.ref == 'refs/heads/develop' && needs.changed_files.outputs.docker == 'true'
+    uses: heartexlabs/label-studio/.github/workflows/docker-build.yml@develop
+    with:
+      ref: ${{ github.event.pull_request.head.ref || github.ref }}
+    secrets: inherit
+
+  pytest:
+    name: "Tests"
+    needs:
+      - changed_files
+    if: needs.changed_files.outputs.src == 'true'
+    uses: heartexlabs/label-studio/.github/workflows/tests.yml@develop
+    with:
+      repo: ${{ github.event.pull_request.head.repo.full_name || github.event.repo.name || github.repository }}
+      ref: ${{ github.event.pull_request.head.ref || github.ref }}
+    secrets: inherit