branchbrief.yml
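# Builds a Markdown summary ("branchbrief") of the checked-out branch against
# its base branch and uploads it as a workflow artifact.
name: branchbrief

on:
  pull_request:
  workflow_dispatch:

# Least privilege: the job token can only read repository contents. Nothing in
# this workflow writes to the repository or to the pull request.
permissions:
  contents: read

jobs:
  branchbrief:
    name: Generate branchbrief
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        # NOTE(review): actions are referenced by mutable tag. Pinning each
        # `uses:` to a full commit SHA keeps a retagged release from changing
        # what runs here.
        # NOTE(review): checkout keeps the job token in the local git config
        # by default. The `git fetch` in the next step may rely on that for
        # private repositories; if it does not, set persist-credentials: false.
        uses: actions/checkout@v6
        with:
          # Full history, so the merge base with the base branch is available.
          fetch-depth: 0

      - name: Build branchbrief summary
        # Branch names reach the script through the runner's environment
        # variables (GITHUB_BASE_REF, GITHUB_HEAD_REF, GITHUB_REF_NAME) and are
        # always expanded inside double quotes. Keep it that way: a head branch
        # name is chosen by the contributor, and pasting it into the script
        # text with workflow expression syntax would let it be parsed as shell.
        run: |
          set -euo pipefail

          # On pull_request the base/head refs are set by the runner; on
          # workflow_dispatch they are empty, so fall back to `main` and to the
          # ref the workflow was started on.
          base_ref="${GITHUB_BASE_REF:-main}"
          head_ref="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
          # Three dots: diff from the merge base. Two dots: commits on HEAD
          # that are not on the base branch.
          base_range="origin/$base_ref...HEAD"
          commit_range="origin/$base_ref..HEAD"

          git fetch --no-tags origin "$base_ref:refs/remotes/origin/$base_ref"

          # File names come from the branch under review, so they are read
          # NUL-delimited (-z). Without -z git C-quotes unusual names (non-ASCII
          # bytes, quotes, control characters), and a quoted name neither
          # matches the path patterns below nor names a real file for git grep.
          # Both arrays start with one empty element, which every loop skips;
          # presumably this avoids unbound-variable errors on an empty array
          # under `set -u` - confirm before removing.
          changed_files=("")
          changed_file_count=0
          while IFS= read -r -d '' file; do
            [[ -z "$file" ]] && continue
            changed_files+=("$file")
            changed_file_count=$((changed_file_count + 1))
          done < <(git diff --name-only -z "$base_range" || true)

          # Same list restricted to files that still exist at HEAD
          # (added, copied, modified, renamed, type-changed).
          review_files=("")
          review_file_count=0
          while IFS= read -r -d '' file; do
            [[ -z "$file" ]] && continue
            review_files+=("$file")
            review_file_count=$((review_file_count + 1))
          done < <(git diff --name-only -z --diff-filter=ACMRT "$base_range" || true)

          # Succeeds if any changed file matches the extended regex in $1.
          has_path() {
            local pattern="$1"
            local file

            for file in "${changed_files[@]}"; do
              [[ -z "$file" ]] && continue
              if [[ "$file" =~ $pattern ]]; then
                return 0
              fi
            done

            return 1
          }

          # Prints "- <label>" when at least one changed file matches $2.
          print_review_area() {
            local label="$1"
            local pattern="$2"

            if has_path "$pattern"; then
              echo "- $label"
            fi
          }

          # Everything in this group is written to branchbrief.md.
          # The head branch name, commit subjects, file names and matched
          # source lines are copied in as plain text and are controlled by
          # whoever authored the branch. Treat the report as untrusted input
          # wherever it is rendered, posted or handed to other tooling.
          {
            echo "# branchbrief"
            echo
            echo "- Base: \`$base_ref\`"
            echo "- Head: \`$head_ref\`"
            echo "- Commit: \`$GITHUB_SHA\`"
            echo
            echo "## Recent Commits"
            echo
            recent_commits="$(git log --oneline "$commit_range" || true)"
            if [[ -n "$recent_commits" ]]; then
              echo "$recent_commits"
            else
              echo "No commits found against \`$base_ref\`."
            fi
            echo
            echo "## Changed Files"
            echo
            if ((changed_file_count == 0)); then
              echo "No changed files found."
            else
              git diff --name-status "$base_range" || true
            fi
            echo
            echo "## Diff Stat"
            echo
            if ((changed_file_count == 0)); then
              echo "No diff stat available."
            else
              git diff --stat "$base_range" || true
            fi
            echo
            echo "## Likely Review Areas"
            echo
            # The trailing `true` keeps the group's exit status zero when the
            # last pattern matches nothing.
            review_areas="$(
              {
                print_review_area "CI and workflow behavior" '^\.github/workflows/|^templates/github/workflows/'
                print_review_area "Documentation accuracy" '(^|/)README\.md$|^docs/'
                print_review_area "Template scaffolding" '^templates/'
                print_review_area "Application or library code" '^(src|app|lib|packages)/'
                print_review_area "Tests and fixtures" '(^|/)(test|tests|spec|specs|__tests__|fixtures)(/|$)|\.(test|spec)\.'
                print_review_area "Build, package, or dependency metadata" '(^|/)(package\.json|package-lock\.json|pnpm-lock\.yaml|yarn\.lock|bun\.lockb|Cargo\.toml|Cargo\.lock|pyproject\.toml|requirements.*\.txt|go\.mod|go\.sum)$'
                print_review_area "Database migrations or schema changes" '(^|/)(migrations?|schema)(/|$)'
                true
              }
            )"
            if [[ -n "$review_areas" ]]; then
              echo "$review_areas"
            else
              echo "- General code review"
            fi
            echo
            echo "## Risk Keywords"
            echo
            if ((review_file_count == 0)); then
              echo "No reviewable files to scan."
            else
              risk_matches=""
              for file in "${review_files[@]}"; do
                [[ -z "$file" ]] && continue
                # --literal-pathspecs: the file name is data from the branch,
                # not a pattern. Without it a name containing glob characters
                # or a leading ":" would be read as a pathspec and could pull
                # lines from files that were not changed.
                # Matched lines are copied verbatim, so a line holding a
                # committed credential ends up in the artifact as well.
                file_matches="$(git --literal-pathspecs grep -n -I -i -E 'auth|security|billing|secrets?|migrations?|telemetry|licen[cs](e|ing)' HEAD -- "$file" || true)"
                if [[ -n "$file_matches" ]]; then
                  risk_matches="${risk_matches}${file_matches}"$'\n'
                fi
              done

              if [[ -n "$risk_matches" ]]; then
                echo "$risk_matches" | sed -E '/^$/d; s/^/- /'
              else
                echo "No configured risk keywords found in changed files."
              fi
            fi
          } > branchbrief.md

      - name: Upload branchbrief artifact
        uses: actions/upload-artifact@v7
        with:
          name: branchbrief
          path: branchbrief.md
          # Fail the job rather than upload nothing if the report is missing.
          if-no-files-found: error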