From a3489cb3dae1410b3a1033f058e29b0157dc853c Mon Sep 17 00:00:00 2001 From: Michael Szotkowski Date: Thu, 28 Aug 2025 14:32:39 +0200 Subject: [PATCH 1/6] sync (#2) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit # Pull Request ## Description Please describe what this PR does and why. ## Related Issues Closes # ## Checklist - [ ] Tests added - [ ] Docs updated - [ ] Follows contribution guidelines Thank you for contributing to **Selecro**! 🧶 --------- Signed-off-by: Michael Szotkowski --- profile/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/profile/README.md b/profile/README.md index 08fb398..a000256 100644 --- a/profile/README.md +++ b/profile/README.md @@ -21,7 +21,7 @@ From beginners to pros, Selecro shares patterns, tutorials, and open-source tool --- ## 💬 Connect with Us -- Website: [https://selecro.org](https://selecro.cz) +- Website: [https://selecro.cz](https://selecro.cz) - Email: info@selecro.cz - Instagram: [@_selecro_](https://www.instagram.com/_selecro_) - Pinterest: [@selecro](https://www.pinterest.com/selecro) From 80937c1b83f752d87edd4b2b013485ccc8aa46dc Mon Sep 17 00:00:00 2001 From: Michael Szotkowski Date: Thu, 28 Aug 2025 20:29:18 +0200 Subject: [PATCH 2/6] Update LICENSE Signed-off-by: Michael Szotkowski --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index 261eeb9..35f7cce 100644 --- a/LICENSE +++ b/LICENSE @@ -186,7 +186,7 @@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright [yyyy] [name of copyright owner] + Copyright 2025 Seleco Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. From ead0a480e2ef5affd7dc9860afa6b1ae6dee31d9 Mon Sep 17 00:00:00 2001 
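Review bot: the copyright holder in the LICENSE hunk reads `Copyright 2025 Seleco`, while the organisation is spelled `Selecro` everywhere else in this series (the README hunk, the PR template, the GitHub org in PATCH 6's link); confirm the legal entity's name and correct the line if this is a typo, since it is the one line of the file that identifies who is licensing the work. Note also that the line being edited is the appendix boilerplate that Apache 2.0 says to copy into each source file; filling it in here is harmless, but the same `Copyright 2025 <holder>` line (correctly spelled) is what should appear in a NOTICE file or file headers if the project wants the notice to be effective.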
From: Michael Szotkowski Date: Tue, 16 Sep 2025 14:14:19 +0200 Subject: [PATCH 3/6] Create branch-name-check.yml (#4) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit # Pull Request ## Description Please describe what this PR does and why. ## Related Issues Closes # ## Checklist - [ ] Tests added - [ ] Docs updated - [ ] Follows contribution guidelines Thank you for contributing to **Selecro**! 🧶 Signed-off-by: Michael Szotkowski --- workflows/branch-name-check.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 workflows/branch-name-check.yml diff --git a/workflows/branch-name-check.yml b/workflows/branch-name-check.yml new file mode 100644 index 0000000..e534a9e --- /dev/null +++ b/workflows/branch-name-check.yml @@ -0,0 +1,20 @@ +name: Branch Name Check + +on: + pull_request: + branches: + - dev + - main + +jobs: + check-branch-name: + runs-on: ubuntu-latest + steps: + - name: Check branch name + run: | + echo "PR branch: $GITHUB_HEAD_REF" + if [[ ! "$GITHUB_HEAD_REF" =~ ^(feature|fix|dependabot)/[a-z0-9._-]+$ ]]; then + echo "❌ Invalid branch name. Use 'feature/*' or 'fix/*'." + exit 1 + fi + echo "✅ Branch name is valid" From f21885f1fccefaa065262ab7f0cbc7eb4b758592 Mon Sep 17 00:00:00 2001 From: Michael Szotkowski Date: Tue, 16 Sep 2025 14:24:21 +0200 Subject: [PATCH 4/6] Branch Name Check (#6) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit # Pull Request ## Description Please describe what this PR does and why. ## Related Issues Closes # ## Checklist - [ ] Tests added - [ ] Docs updated - [ ] Follows contribution guidelines Thank you for contributing to **Selecro**! 🧶 --- .github/workflows/branch-name-check.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .github/workflows/branch-name-check.yml 
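Review bot: the workflow is created at `workflows/branch-name-check.yml`, but GitHub Actions only loads workflow files from `.github/workflows/`, so as committed in PATCH 3 this check never runs on any pull request; it needs to live at `.github/workflows/branch-name-check.yml`. Two smaller issues in the same hunk: the failure message says `Use 'feature/*' or 'fix/*'.` although the regex also accepts `dependabot/`, and the character class `[a-z0-9._-]+` does not allow `/`, so real Dependabot branches, which always carry a further path segment after `dependabot/` (ecosystem, then dependency and version), fail the check even though the prefix was added for them. On the positive side, the branch name is read through the `$GITHUB_HEAD_REF` environment variable rather than interpolated into `run:` with a `${{ github.head_ref }}` expression, so a crafted branch name on a fork PR cannot inject shell into this step.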
diff --git a/.github/workflows/branch-name-check.yml b/.github/workflows/branch-name-check.yml new file mode 100644 index 0000000..e534a9e --- /dev/null +++ b/.github/workflows/branch-name-check.yml @@ -0,0 +1,20 @@ +name: Branch Name Check + +on: + pull_request: + branches: + - dev + - main + +jobs: + check-branch-name: + runs-on: ubuntu-latest + steps: + - name: Check branch name + run: | + echo "PR branch: $GITHUB_HEAD_REF" + if [[ ! "$GITHUB_HEAD_REF" =~ ^(feature|fix|dependabot)/[a-z0-9._-]+$ ]]; then + echo "❌ Invalid branch name. Use 'feature/*' or 'fix/*'." + exit 1 + fi + echo "✅ Branch name is valid" From fbce3715796f87c8635c16000b0de9d071e8ca41 Mon Sep 17 00:00:00 2001 From: Michael Szotkowski Date: Tue, 16 Sep 2025 14:35:46 +0200 Subject: [PATCH 5/6] Update branch-name-check.yml Signed-off-by: Michael Szotkowski --- .github/workflows/branch-name-check.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/branch-name-check.yml b/.github/workflows/branch-name-check.yml index e534a9e..fc66a5a 100644 --- a/.github/workflows/branch-name-check.yml +++ b/.github/workflows/branch-name-check.yml @@ -12,9 +12,17 @@ jobs: steps: - name: Check branch name run: | - echo "PR branch: $GITHUB_HEAD_REF" + echo "PR head: $GITHUB_HEAD_REF" + echo "PR base: $GITHUB_BASE_REF" + + if [[ "$GITHUB_HEAD_REF" == "dev" && "$GITHUB_BASE_REF" == "main" ]]; then + echo "✅ Dev to main PR — skipping branch name check." + exit 0 + fi + if [[ ! "$GITHUB_HEAD_REF" =~ ^(feature|fix|dependabot)/[a-z0-9._-]+$ ]]; then - echo "❌ Invalid branch name. Use 'feature/*' or 'fix/*'." + echo "❌ Invalid branch name. Use 'feature/*', 'fix/*', or 'dependabot/*'." exit 1 fi + echo "✅ Branch name is valid" From 6aa9d0d8c1491d65e7d1a7a49646e75774c53333 Mon Sep 17 00:00:00 2001 
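Review bot: PATCH 4 creates the workflow at the correct path (same blob `e534a9e` as before), but it does not remove the misplaced copy at `workflows/branch-name-check.yml` introduced by PATCH 3, so the repository now carries two identical files of which only one is ever executed; add `git rm workflows/branch-name-check.yml` to this commit so the dead copy does not drift from the live one. The message/regex mismatch is carried over unchanged: `[a-z0-9._-]+` still forbids `/`, so `dependabot/...` branches are matched by the prefix group and then rejected by the tail.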
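Review bot: the new early exit in PATCH 5, `[[ "$GITHUB_HEAD_REF" == "dev" && "$GITHUB_BASE_REF" == "main" ]]`, keys only on branch names, and `GITHUB_HEAD_REF` is populated for fork pull requests too, so any fork whose head branch happens to be named `dev` is exempted from the check when it targets `main`. If the exemption is meant for the in-repo promotion branch only, also require the head repository to equal this repository, for example by exporting `${{ github.event.pull_request.head.repo.full_name }}` and `${{ github.repository }}` through `env:` and comparing the two variables in the script (as environment variables, not inline in `run:`, to keep the injection-safe pattern the step already uses). The updated message now advertises `'dependabot/*'`, but the regex on the following line is unchanged and still rejects the `/` that every Dependabot branch contains after the prefix, so the message promises a form that cannot pass; either extend the class to allow `/` for that prefix or drop `dependabot` from both.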
From: Michael Szotkowski Date: Wed, 4 Feb 2026 15:31:09 +0100 Subject: [PATCH 6/6] Potential fix for code scanning alert no. 1: Workflow does not contain permissions (#8) Potential fix for [https://github.com/Selecro/.github/security/code-scanning/1](https://github.com/Selecro/.github/security/code-scanning/1) In general, fix this by adding an explicit `permissions:` block to the workflow (or to the specific job) that grants only the minimal required scopes. For this branch-name check, no API access is needed: it just inspects environment variables. The safest, least-privilege configuration is to disable all default token permissions with `permissions: {}` at the job (or workflow) level. Concretely, in `.github/workflows/branch-name-check.yml`, add a `permissions: {}` block under the `check-branch-name` job (indented to align with `runs-on:`). This tells GitHub Actions to provide a `GITHUB_TOKEN` with no permissions at all, which preserves existing behavior of the script while tightening security. No imports or additional methods are needed, since this is pure YAML configuration. _Suggested fixes powered by Copilot Autofix. Review carefully before merging._ --------- Signed-off-by: Michael Szotkowski Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/branch-name-check.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/branch-name-check.yml b/.github/workflows/branch-name-check.yml index fc66a5a..c64adf9 100644 --- a/.github/workflows/branch-name-check.yml +++ b/.github/workflows/branch-name-check.yml @@ -9,6 +9,7 @@ on: jobs: check-branch-name: runs-on: ubuntu-latest + permissions: {} steps: - name: Check branch name run: |
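Review bot: `permissions: {}` on `check-branch-name` is the right fix for this job, which has no `actions/checkout` step and never calls the API, so a token with no scopes changes nothing observable while removing whatever the repository's default `GITHUB_TOKEN` grant would otherwise have been; consider placing the block at the workflow top level instead of (or in addition to) the job, so any job added to this file later starts from zero permissions rather than the default. With the token neutralised, the remaining trust boundary in this workflow is the `pull_request` trigger itself, which is already handled safely here because untrusted branch names reach the shell only via `$GITHUB_HEAD_REF` and `$GITHUB_BASE_REF` environment variables.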