feat: automate and standardize repository setup#54
Merged
- Exclude issue and template docs from .github_data
- Autofix shellcheck
- Autofix pymarkdown
- Add license compliance check

- Added pre-commit hook for enforcing branch naming convention
- Updated pre-commit configuration in the repository and workspace
- Included integration tests for branch name validation
- Documented cursor rules for branch naming and issue workflow
…trategy-enforcement Standardize and enforce branch names
- Introduced a comprehensive document outlining the commit message format for the repository.
- Defined structure, approved types, and compliance requirements to ensure consistency and traceability.
- Included guidelines for enforcing the standard in development environments and CI.
Refs: #36

- Introduced a new script to validate commit messages against the project's standard.
- Added a corresponding test suite to ensure the validation logic works correctly.
- Added test recipe to justfile
- Updated documentation to include the new validation command in the available recipes.
Refs: #36

- Modified init.sh to install git template locally during project setup
Refs: #36

- Introduced a detailed guide for the Git commit workflow, outlining steps for analyzing staged changes and writing accurate commit messages.
- Added rules for commit message formatting, including mandatory structure and compliance requirements to ensure consistency.
Refs: #36

- Introduced a new commit-msg hook script to enforce commit message standards when committing within the development container.
- Updated init.sh to ensure the new hook is executable during setup.
Refs: #36

- Updated commit message guidelines to eliminate the requirement for a trailing newline at the end of the message.
- Adjusted validation logic and corresponding tests to reflect this change, ensuring commit messages can be valid without a trailing newline.
Refs: #36

- Added a new hook to validate commit messages during the commit-msg stage, ensuring adherence to the project's standards.
- The hook executes a Python script to perform the validation.
Refs: #36
…ages feat: add commit message standardization (#36)
- Introduced a new test to verify that the .venv/bin/activate script does not contain 'template-project' and is correctly renamed to 'test_project' during container initialization.
- Updated the test placeholders to include the post-create.sh script in the devcontainer configuration.
Refs: #34
- Added a line to replace 'template-project' with '{{SHORT_NAME}}' in the .venv/bin/activate script during container initialization.
Refs: #34
- Added 'norecursedirs' entry to prevent tests from being collected from the 'tmp' directory, which is used for integration-test workspace directories with template tests.
Refs: #34
…reation feat: rename venv prompt to project name on container creation (#34)
- Install just-lsp via cargo-binstall for justfile language support
- Replace promptexecution.justlang-lsp with nefrob.vscode-just-syntax
- Add test for just-lsp binary
Refs: #44

- Git commit sometimes requires an editor for interactive operations.
- Install nano package in Containerfile
- Add test to verify nano installation
Refs: #37

- Updated the expected versions for 'uv' from 0.9. to 0.10. and 'ruff' from 0.14. to 0.15. to reflect the latest releases.
Refs: #37

- Introduced a new test to verify that pip-licenses is installed and checks its version against the expected value.
- Updated the expected versions dictionary to include pip-licenses.
Refs: #43

- Call copy-host-user-conf.sh after workspace initialization
- Add run_user_conf() helper for host-side setup (git, ssh, gh)
- Add integration tests for .devcontainer/.conf/ directory creation
- Verify expected config files and gh/ subdirectory
Refs: #35

- Add setup_git_repo function to initialize git if missing
- Create initial commit "chore: initial project scaffold" for new repos
- Create main and dev branches automatically
- Add test-install justfile recipe for running install tests
- Add tests for git repo initialization, branches, and initial commit
- Update README.md and CONTRIBUTE.md with new test-install recipe
Refs: #35

- Implement conditional execution of BATS tests using GNU parallel for improved performance
- Update justfile to check for parallel availability and run tests accordingly
- Add parallel installation instructions to requirements.yaml for user convenience
- Remove old QEMU requirement for multi-arch builds
Refs: #35

- Consolidated Podman installation with other apt commands
- Updated git initialization to set the default branch to 'main'
Refs: #35

Add comprehensive BATS test suites for build, clean, init, install, and prepare-build scripts. Tests verify script structure, argument parsing, function definitions, error handling, and OS/runtime detection patterns using static analysis.
Refs: #35

Add BATS (Bash Automated Testing System) support to CI workflows:
- setup-env action: new install-bats input with bats-core/bats-action
- test-project action: enable BATS installation and run BATS tests
- test_helper.bash: support both local (node_modules) and CI (BATS_LIB_PATH) library resolution
Refs: #35
Refs: #35
The bats-action installs libraries to /usr/lib but never exports BATS_LIB_PATH, causing all 216 BATS tests to fail with "Could not find library 'bats-support'".
Refs: #35

copy-host-user-conf.sh only creates .gh_token, SSH key, allowed-signers, and gh/ when the corresponding tools are configured on the host. In CI these preconditions are not met, causing a hard assertion failure. Split expected files into required (git config, always created) and optional (warn instead of fail when missing).
Refs: #35

Allow GHSA-wvrr-2x4r-394v (bats-file false positive) via a new exceptions file that mirrors .trivyignore conventions. A validation step parses expiration dates and fails CI when exceptions expire, forcing periodic review.
Refs: #37
Refs: #37
The bats-core/bats-action step output was not being correctly captured, causing all 216 BATS tests to fail with "Could not find library 'bats-support'". Manually construct BATS_LIB_PATH pointing to standard installation directories since the libraries are consistently installed to /usr/lib paths.
Refs: #37

Added exception for GHSA-fjxv-7rqg-78g4 (CVE-2025-7783) affecting form-data@2.3.3. This is a transitive dependency through unmaintained legacy packages (verbose, reconnect, request). Risk is limited to CI/test environment; exploit requires active MITM + attacker control of request field. Expiration set to 2026-05-17 to force periodic review and investigation of BATS alternatives.
Refs: #37

Added entry documenting the GHSA-fjxv-7rqg-78g4 (CVE-2025-7783) exception with risk assessment, dependency chain, and expiration details.
Refs: #37

…encies Add GHSA-h4j5-c7cj-74xg (xmlhttprequest@1.5.0 arbitrary code injection) to dependency review exceptions. This vulnerability appears only in unmaintained legacy test dependencies (bats-assert → verbose → engine.io-client@0.7.12 → xmlhttprequest@1.5.0) and is isolated to CI-only usage with no execution of untrusted code. Part of ongoing BATS framework modernization efforts.
Refs: #37
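The commits above describe an exceptions file with per-entry expiration dates and a CI step that fails once an exception has expired. The script below is an added, stand-alone illustration of that check; it is not the repository's own validation step. It assumes a line format mirroring .trivyignore, `ID exp:YYYY-MM-DD # reason`, and that every entry must carry a date; the sample file it writes is constructed here, reusing only the GHSA-fjxv-7rqg-78g4 / 2026-05-17 pair recorded above, with the other two IDs being placeholders.

```bash
#!/usr/bin/env bash
# Added example, not the repository's own CI step. Validates a dependency
# review exceptions file in the assumed form "ID exp:YYYY-MM-DD # reason".
set -euo pipefail

# check_exceptions <file> <today as YYYY-MM-DD>
# Prints one line per problem and returns 1 if any entry is expired or has
# no well-formed expiration, so a CI job fails and the exception is
# re-reviewed. An entry stays valid through its expiration date and is
# expired from the following day. ISO dates order correctly as plain
# strings, so no date(1) parsing is required.
check_exceptions() {
  local file="$1" today="$2" line id exp _rest problems=0
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                           # drop trailing comment
    [ -n "${line//[[:space:]]/}" ] || continue    # skip blank/comment lines
    read -r id exp _rest <<< "$line"
    if [[ "$exp" != exp:[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] ]]; then
      printf '%s: missing or malformed expiration (exp:YYYY-MM-DD)\n' "$id"
      problems=$((problems + 1))
      continue
    fi
    exp="${exp#exp:}"
    if [[ "$exp" < "$today" ]]; then
      printf '%s: exception expired on %s\n' "$id" "$exp"
      problems=$((problems + 1))
    fi
  done < "$file"
  [ "$problems" -eq 0 ]
}

# Constructed sample in the assumed format. The first ID/date pair is the
# one the commits above record; the other two IDs are placeholders.
write_sample_exceptions() {
  cat > "$1" <<'EOF'
# Dependency review exceptions, one per line: ID exp:YYYY-MM-DD # reason
GHSA-fjxv-7rqg-78g4 exp:2026-05-17 # form-data@2.3.3, CI-only, see SECURITY.md
GHSA-xxxx-xxxx-0001 exp:2025-01-01 # placeholder: already expired
GHSA-xxxx-xxxx-0002 # placeholder: no expiration recorded
EOF
}

# Stand-alone run: validate the sample against today's date.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  sample="$(mktemp)"
  write_sample_exceptions "$sample"
  check_exceptions "$sample" "$(date +%F)" || echo "exceptions need review"
  rm -f "$sample"
fi
```

Passing the current date as an argument rather than reading it inside the function is what makes the expiry boundary testable; in a workflow step the call would be `check_exceptions .dependency-review-exceptions "$(date +%F)"` or similar, with the file name being whatever the repository actually uses.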
The test helper was failing to load BATS support libraries in GitHub Actions because it relied on bats_load_library, which requires BATS internal functions to be fully initialized. These functions may not be available when the test helper loads during the setup phase.

Changed the library resolution to use absolute paths for system-installed libraries (/usr/lib/bats-*) before falling back to bats_load_library. This ensures libraries are found in CI environments where bats-core/bats-action installs them to standard system paths.

Library resolution order:
1. Local node_modules (development mode)
2. System /usr/lib paths (CI mode via bats-core/bats-action)
3. bats_load_library (fallback using BATS_LIB_PATH)

Fixes: All 216 BATS tests failing with "Could not find library 'bats-support'"
Refs: #37

- Update CHANGELOG
- Documented risk assessments and mitigations in SECURITY.md
Refs: #37
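The three-step lookup described in the commit above, written out as an added stand-alone function; this is not the repository's test_helper.bash. The node_modules and system roots are parameters here so the order can be exercised against temporary directories, and the third step re-implements the `<root>/<lib>/load.bash` search over `BATS_LIB_PATH` directly rather than calling bats_load_library, so the script runs without BATS being loaded.

```bash
#!/usr/bin/env bash
# Added example, not the repository's test_helper.bash. Resolves a BATS
# helper library in the order the commit describes.
set -euo pipefail

# resolve_bats_lib <lib> <node_root> <system_root>
# Prints the directory holding <lib>/load.bash, trying in order:
#   1. <node_root>/<lib>      (local development, npm-installed)
#   2. <system_root>/<lib>    (CI, where bats-core/bats-action installs)
#   3. each entry of BATS_LIB_PATH (what bats_load_library would search)
# Returns 1 with a message on stderr when nothing matches, so the caller can
# fail early instead of surfacing an obscure error later in the test run.
resolve_bats_lib() {
  local lib="$1" node_root="$2" system_root="$3" dir
  for dir in "$node_root/$lib" "$system_root/$lib"; do
    if [ -f "$dir/load.bash" ]; then
      printf '%s\n' "$dir"
      return 0
    fi
  done
  # BATS_LIB_PATH is colon-separated like PATH and may be unset in CI.
  local IFS=':'
  for dir in ${BATS_LIB_PATH:-}; do
    [ -n "$dir" ] || continue
    if [ -f "$dir/$lib/load.bash" ]; then
      printf '%s\n' "$dir/$lib"
      return 0
    fi
  done
  printf "Could not find library '%s'\n" "$lib" >&2
  return 1
}

# load_bats_lib <lib> <node_root> <system_root>
# Sources the library once resolved; this is what a helper's load step does.
load_bats_lib() {
  local path
  path="$(resolve_bats_lib "$@")" || return 1
  # shellcheck disable=SC1091
  . "$path/load.bash"
}

# Stand-alone run with the roots the commit names.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  resolve_bats_lib bats-support ./node_modules /usr/lib || true
fi
```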
Pull request overview
This PR implements comprehensive repository setup automation for medical-device compliance, consolidating work from issues #36, #38, #48, #50, and #52. It establishes commit message standardization, branch naming enforcement, automated release cycles, CI/CD infrastructure, security hardening, and code coverage measurement.
Changes:
- Commit message standardization with validation hooks and documentation
- Branch naming enforcement via pre-commit hooks and Cursor integration
- Automated release workflow with CHANGELOG management and GitHub Actions
- Reusable composite GitHub Actions for CI/CD (setup-env, build-image, test-image, test-integration, test-project)
- Security hardening: SHA-pinned actions, digest-pinned Containerfile, Dependabot, SECURITY.md, CODEOWNERS
- Code coverage integration with 50% threshold and expanded unit tests
- Additional tooling: nano, just-lsp, pip-licenses, vig-utils package, BATS shell tests
Reviewed changes
Copilot reviewed 90 out of 93 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| justfile | Updated release commands, fixed TEST_REGISTRY usage (CRITICAL BUG) |
| justfile.podman | Standardized output formatting (minor text duplication bugs) |
| Containerfile | Digest-pinned base image, SHA256 checksums, minisign verification |
| .github/workflows/* | New workflows: ci.yml, security-scan.yml, scorecard.yml, codeql.yml, post-release.yml |
| .github/actions/* | Composite actions for CI reusability |
| scripts/* | New: prepare-changelog.py, check_action_pins.py; Updated: prepare-build.sh, build.sh |
| packages/vig-utils/* | New Python package with CLI tools (validate-commit-msg, check-action-pins, prepare-changelog) |
| tests/* | Expanded pytest tests, new BATS shell tests |
| docs/* | New: COMMIT_MESSAGE_STANDARD.md, CONTAINER_SECURITY.md, SECURITY.md |
| .pre-commit-config.yaml | SHA-pinned repos, branch naming enforcement, commit-msg validation |
| pyproject.toml | Coverage config, vig-utils dependency |
| install.sh | --org flag, git repo setup, host user config |
Eliminated shell injection vulnerability in install.sh by:
1. Sanitizing ORG_NAME using the existing sanitize_name function to strip shell metacharacters
2. Refactoring command construction from string interpolation to bash array
3. Replacing eval execution with safe array expansion "${CMD[@]}"
This prevents attackers from injecting arbitrary shell commands via crafted --org argument values.
Refs: #37
- Change FORCE flag comparison from equality to existence check (better for string vars)
- Replace multi-line array printing with explicit full command output in dry-run mode
- Ensure --force flag is properly appended only when present
Refs: #37
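An added stand-alone illustration of the two commits above; it is not the repository's install.sh. It shows the string-plus-eval pattern that was removed beside the hardened form: the value is passed through an allow-list `sanitize_name`, the command is built as a bash array, `--force` is appended only when `FORCE` is non-empty, the dry-run output is the full command on one line, and execution would be `"${CMD[@]}"` with no eval. The names `sanitize_name`, `ORG_NAME`, `CMD` and `FORCE` come from the commit messages; the exact character allow-list and the `./setup.sh` command are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not the project's install.sh: before/after of the --org
# handling described in the commits above.
set -euo pipefail

# Allow-list filter (assumed character set): keep letters, digits, '.', '_'
# and '-'; drop everything else (';', '$', backticks, quotes, spaces, '/')
# rather than trying to escape it.
sanitize_name() {
  printf '%s' "$1" | tr -cd 'A-Za-z0-9._-'
}

# BEFORE (string interpolation, the pattern the fix removed). Returned only
# so it can be inspected; nothing in this file passes it to eval.
build_cmd_unsafe() {
  printf '%s' "./setup.sh --org $1"
}

# Count the words the shell would see if that string were re-parsed. For a
# value such as 'acme; echo injected' the result is five, and the ';' would
# be shell syntax rather than part of the name. Globbing is switched off so
# the deliberate unquoted expansion cannot match filenames.
unsafe_word_count() {
  local cmd
  cmd="$(build_cmd_unsafe "$1")"
  set -f
  # shellcheck disable=SC2086  # intentional word splitting for the count
  set -- $cmd
  set +f
  printf '%s' "$#"
}

# AFTER: sanitized value, array construction, optional --force, no eval.
# Fills the global array CMD; the real script would then run "${CMD[@]}".
build_cmd_safe() {
  local org
  org="$(sanitize_name "$1")"
  CMD=(./setup.sh --org "$org")
  # Existence check rather than equality: any non-empty FORCE appends the flag.
  if [ -n "${FORCE:-}" ]; then
    CMD+=(--force)
  fi
}

# Dry-run output: the full command, each argument shell-quoted, on one line.
print_cmd() {
  printf '%q ' "${CMD[@]}"
  printf '\n'
}

# Stand-alone run: show what a crafted value becomes after hardening.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  build_cmd_safe "${1:-acme; echo injected}"
  print_cmd
fi
```

Because each array element stays one argument no matter what it contains, the hardened form always yields exactly three words plus the optional `--force`; the sanitizer is defence in depth on top of that, so a value that survives it is also a name that the downstream tooling will accept.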
Description
Fully automate and standardize the repository setup for the devcontainer template. This PR delivers the complete infrastructure for commit message validation, branch naming enforcement, automated release cycles, CI/CD pipelines, security hardening, and code coverage — establishing a reproducible, audit-ready starting point for all projects.
Related Issue(s)
Closes #37
Related to #36, #38, #48, #50, #52
Type of Change
Changes Made
Commit Message Standardization (#36)
- Message format (`type(scope)!: subject`) with mandatory `Refs: #<issue>` line
- `docs/COMMIT_MESSAGE_STANDARD.md` defining format, approved types, and traceability requirements
- `scripts/validate_commit_msg.py` validation script with `.githooks/commit-msg` hook, `.gitmessage` template, and Cursor rules/commands
- `chore` commits may omit `Refs:` when no issue is directly related
- `assets/workspace/`
Branch Naming Enforcement (#38)
- `<type>/<issue>-<summary>` naming convention
- Cursor rule (`.cursor/rules/branch-naming.mdc`) for branch naming workflow and `gh issue develop` integration
Automated Release Cycle (#48)
- `prepare-release` and `finalize-release` justfile commands triggering GitHub Actions workflows
- `prepare-changelog.py` with prepare, validate, reset, and finalize commands
- `prepare-release.yml` workflow: validates semantic version, creates release branch, prepares CHANGELOG
- `release.yml` pipeline: validate → finalize → build/test → publish → rollback
- `post-release.yml` workflow for post-merge cleanup
- `docs/RELEASE_CYCLE.md` documentation
CI/CD Infrastructure (#48)
- `ci.yml` workflow replacing `test.yml` with streamlined project checks
- `setup-env`, `build-image`, `test-image`, `test-integration`, `test-project` composite actions
- `setup-python-uv` replaced with flexible `setup-env` composite action
Security Hardening (#50)
- `scripts/check_action_pins.py` enforcement script with pre-commit hook and CI check
- `SECURITY.md` with vulnerability reporting procedures
- `CODEOWNERS` for automated review assignment
- `dependabot.yml` for automated dependency update PRs
- Scorecard (`scorecard.yml`) and CodeQL analysis (`codeql.yml`) workflows
Code Coverage (#52)
- Expanded unit tests for `utils.py`, `validate_commit_msg.py`, and `prepare_changelog.py`
Additional Improvements
- `--org` flag for install script ([FEATURE] Add option to set ORG name when executing the curl install.sh pipeline #33)
- `nano`, `just-lsp`, `pip-licenses` added to devcontainer image
- `prepare-build.sh` into `build.sh`
- `sync-prs-issues.sh` script
- `actions/create-github-app-token` updated to v2, pinned `@devcontainers/cli` to 0.81.1
Testing
- `just test`
Checklist
- CHANGELOG `[Unreleased]` section updated
Additional Notes
This is a large feature branch (70 files changed, ~10,300 insertions, ~1,800 deletions) that consolidates work from multiple sub-issues (#36, #38, #48, #50, #52) into the umbrella issue #37. The branch includes all infrastructure needed to make the devcontainer template self-enforcing and audit-ready from day one, targeting medical-device compliance (IEC 62304 / ISO 13485).
Key files added/changed
- `docs/COMMIT_MESSAGE_STANDARD.md`, `scripts/validate_commit_msg.py`, `.githooks/commit-msg`
- `.cursor/rules/branch-naming.mdc`, `.pre-commit-config.yaml`
- `docs/RELEASE_CYCLE.md`, `scripts/prepare-changelog.py`, `.github/workflows/release.yml`, `prepare-release.yml`, `post-release.yml`
- `.github/workflows/ci.yml`, `.github/actions/{setup-env,build-image,test-image,test-integration,test-project}/action.yml`
- `SECURITY.md`, `.github/CODEOWNERS`, `.github/dependabot.yml`, `scripts/check_action_pins.py`, `.github/workflows/{codeql,scorecard}.yml`
- `tests/test_validate_commit_msg.py`, `tests/test_check_action_pins.py`, `tests/test_prepare_changelog.py`, `tests/test_utils.py`, `tests/test_integration.py`