Dependency Dashboard #972
```yaml
name: Fro Bot

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  discussion_comment:
    types: [created]
  issues:
    types: [opened, edited]
  pull_request:
    types: [synchronize, ready_for_review, reopened, review_requested]
  schedule:
    - cron: '0 0 * * *'
  workflow_dispatch:
    inputs:
      prompt:
        description: Custom prompt for the Fro Bot agent
        required: true
  workflow_call:
    inputs:
      prompt:
        description: Prompt passed by reusable caller workflow
        required: true
        type: string

permissions:
  contents: read

concurrency:
  group: >-
    fro-bot-${{
      github.event.issue.number ||
      github.event.pull_request.number ||
      github.event.discussion.number ||
      github.run_id
    }}
  cancel-in-progress: false

env:
  PR_REVIEW_PROMPT: |
    You are a skeptical reviewer for fro-bot/.github (org control center).
    Focus on correctness, security, and automation safety. Prefer false positives
    over false negatives for security issues.
    Scope:
    - Workflow/CI changes: pin actions to full commit SHA where possible; avoid
      pull_request_target unless explicitly justified; prevent workflow injection
      (untrusted input in run: blocks or shell eval); minimal permissions; no
      secrets in logs.
    - Repo rules: no `any`; no `@ts-ignore`/`@ts-expect-error`; avoid ES6 classes;
      explicit function return types; use `consola` instead of `console`.
    - Dependencies: identify direct additions/updates; flag known advisories;
      avoid unnecessary or duplicate deps; ensure license compatibility.
    - Tests: verify new/changed behavior has tests covering happy path, errors,
      and boundaries. If tests aren't needed, explain why.
    Hard boundaries:
    - Review only. Do NOT push commits, modify files, create branches, or open PRs.
    - Do NOT use labels, assignments, or milestone changes.
    - Use inline comments for file-specific findings. Use review body for summary only.
    - Do NOT speculate. If uncertain, state what evidence is missing.
    Do NOT comment on formatting, lint, or style nits handled by CI.
    Output:
    ## Verdict: PASS / CONDITIONAL / REJECT
    ### Blocking issues
    ### Non-blocking concerns
    ### Missing tests
    ### Risk assessment (LOW/MED/HIGH) + rationale
    Requirements:
    - Include every heading exactly once and in the order above.
    - Write "None" under headings with no findings.
    - Keep findings actionable: file path, impact, and concrete remediation.
  SCHEDULE_PROMPT: |
    Create a single issue titled "Daily Org Oversight Report — YYYY-MM-DD (UTC)"
    in this repository.
    Scope: all repositories in the fro-bot GitHub organization.
    Do NOT comment on or modify individual issues/PRs. Do NOT apply labels.
    Do NOT open PRs. This run must produce ONE summary issue only.
    Summarize with links only (no full content duplication). Keep it concise
    and actionable.
    Include sections:
    - Summary metrics (new issues, open PRs, stale issues/PRs, failing main
      checks, security alerts)
    - Critical items (security alerts, main branch failing, broken release
      pipelines) with repo, link, and recommended action
    - Aging PRs (no activity >7 days; stale >14 days)
    - Stale issues (no activity >30 days; recommend next step)
    - Unassigned bugs or high-signal issues (label bug, no assignee)
    - Repo hotspots (top 3 repos by open PRs or stale items)
    - Recommended actions (bulleted checklist)
    If any data source is unavailable, note "data unavailable" in that section.

jobs:
  fro-bot:
    name: Fro Bot
    runs-on: ubuntu-latest
    if: >-
      (
        github.event.pull_request == null ||
        (
          !github.event.pull_request.head.repo.fork &&
          !endsWith(github.event.pull_request.user.login || '', '[bot]')
        )
      ) && (
        (
          github.event_name == 'issues' &&
          !endsWith(github.event.issue.user.login || '', '[bot]') &&
          (github.event.issue.user.login || '') != 'fro-bot'
        ) ||
        (
          github.event_name == 'pull_request' &&
          !endsWith(github.event.pull_request.user.login || '', '[bot]') &&
          (github.event.pull_request.user.login || '') != 'fro-bot'
        ) ||
        github.event_name == 'schedule' ||
        github.event_name == 'workflow_dispatch' ||
        inputs.prompt != '' ||
        (
          (github.event_name == 'issue_comment' ||
           github.event_name == 'pull_request_review_comment' ||
           github.event_name == 'discussion_comment') &&
          contains(github.event.comment.body || '', '@fro-bot') &&
          (github.event.comment.user.login || '') != 'fro-bot' &&
          contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association || '')
        )
      )
    steps:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          token: ${{ secrets.FRO_BOT_PAT }}

      - name: 📦 Setup
        uses: ./.github/actions/setup

      - name: Run Fro Bot
        uses: fro-bot/agent@1d4ad4841cab3a8bbeb3f72e335ddc5b36b15072 # v0.30.6
        env:
          OPENCODE_PROMPT_ARTIFACT: 'true'
          PROMPT: >-
            ${{
              (github.event_name == 'workflow_dispatch' && (github.event.inputs.prompt || ''))
              || inputs.prompt
              || (github.event_name == 'schedule' && env.SCHEDULE_PROMPT)
              || (github.event_name == 'pull_request' && env.PR_REVIEW_PROMPT)
              || ''
            }}
        with:
          github-token: ${{ secrets.FRO_BOT_PAT }}
          auth-json: ${{ secrets.OPENCODE_AUTH_JSON }}
          model: ${{ vars.FRO_BOT_MODEL }}
          omo-providers: ${{ secrets.OMO_PROVIDERS }}
          prompt: ${{ env.PROMPT }}
```