AOSSIE-Org · kpj2006 · Mar 30, 2026 · Mar 30, 2026 · Mar 30, 2026 · coderabbitai
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,60 @@
+# EditorConfig helps maintain consistent coding styles across different editors and IDEs
+# Documentation: https://editorconfig.org/
+
+# Top-most EditorConfig file
+root = true
+
+# Universal settings for all files
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = space
+indent_size = 4
+
+# Markdown files
+[*.md]
+# Trailing whitespace is significant in Markdown (two spaces = line break)
+trim_trailing_whitespace = false
+
+# JavaScript / TypeScript / Web / Config files (2-space indentation)
+[*.{js,jsx,ts,tsx,json,yml,yaml}]
+indent_size = 2
+
+# Shell scripts (2 spaces common practice)
+[*.sh]
+indent_size = 2
+
+# Makefiles (must use tabs)
+[{Makefile,*.mk}]
+indent_style = tab
+tab_width = 4
+
+
+
+# For full list of Supported Editors: https://editorconfig.org/#pre-installed
+#
+# Common Properties:
+# ------------------
+# - indent_style: "space" or "tab"
+# - indent_size: number of columns for each indentation level
+# - end_of_line: "lf", "cr", or "crlf"
+# - charset: "utf-8", "utf-16be", "utf-16le", "latin1"
+# - trim_trailing_whitespace: true or false
+# - insert_final_newline: true or false
+# - max_line_length: number (not supported by all editors)
+#
+# File Pattern Matching:
+# ----------------------
+# - *              : matches any string of characters (except path separator)
+# - **             : matches any string of characters
+# - ?              : matches any single character
+# - [name]         : matches any single character in name
+# - [!name]        : matches any single character not in name
+# - {s1,s2,s3}     : matches any of the strings given (comma-separated)
+#
+# For more information and queries:
+# - Official Documentation: https://editorconfig.org/
+# - Specification: https://github.com/editorconfig/editorconfig/wiki/EditorConfig-Properties
+# - Plugin Downloads: https://editorconfig.org/#download
diff --git a/.github/workflow/dependency-review-action.yml b/.github/workflow/dependency-review-action.yml
@@ -0,0 +1,153 @@
+# Automatically scans every PR for newly added dependencies
+# Blocks merges if a dependency license is NOT in the allow-list
+# Flags CVEs with moderate+ severity
+# Docs: https://github.com/actions/dependency-review-action
+
+
+name: Dependency Review
+
+on:
+  pull_request:
+    branches:
+      - main
+      - master
+      - develop
+    # Only re-run when dependency manifests actually change
+    paths:
+      # JavaScript / TypeScript / Node
+      - "**/package.json"
+      - "**/package-lock.json"
+      - "**/yarn.lock"
+      - "**/pnpm-lock.yaml"
+      # Python
+      - "**/requirements*.txt"
+      - "**/Pipfile.lock"
+      - "**/pyproject.toml"
+      - "**/poetry.lock"
+      # Rust
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+      # Go
+      - "**/go.mod"
+      - "**/go.sum"
+      # Java / Kotlin / Android
+      - "**/pom.xml"
+      - "**/build.gradle"
+      - "**/build.gradle.kts"
+      - "**/*.gradle"
+      # Ruby
+      - "**/Gemfile.lock"
+      # Docker / Infrastructure
+      - "**/Dockerfile"
+      - "**/docker-compose*.yml"
+      - "**/docker-compose*.yaml"
+      # GitHub Actions themselves
+      - ".github/workflows/*.yml"
+      - ".github/workflows/*.yaml"
+
+permissions:
+  contents: read          # Required to read the repo content
+# pull-requests: write    # Required to post review comments on the PR
+
+jobs:
+  dependency-review:
+    name: Dependency & License Review
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Run Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          # ── VULNERABILITY SETTINGS ──────────────────────────
+          # Fail if any newly added dependency has a CVE at this
+          # severity level or above. Options: low | moderate | high | critical
+          fail-on-severity: moderate
+
+          # Which dependency scopes to check for vulnerabilities
+          # Options: runtime | development | unknown (comma-separated)
+          fail-on-scopes: runtime
+
+          # ── LICENSE ENFORCEMENT ─────────────────────────────
+          # ALLOW: Only these licenses are permitted in new dependencies.
+          # PRs introducing any other license will fail automatically.
+          # Full SPDX list: https://spdx.org/licenses/
+          allow-licenses: >-
+            MIT,
+            Apache-2.0,
+            BSD-2-Clause,
+            BSD-3-Clause,
+            ISC,
+            CC0-1.0,
+            Unlicense,
+            GPL-2.0-only,
+            GPL-2.0-or-later,
+            GPL-3.0-only,
+            GPL-3.0-or-later,
+            LGPL-2.0-only,
+            LGPL-2.0-or-later,
+            LGPL-2.1-only,
+            LGPL-2.1-or-later,
+            LGPL-3.0-only,
+            LGPL-3.0-or-later,
+            AGPL-3.0-only,
+            AGPL-3.0-or-later,
+            MPL-2.0,
+            EUPL-1.2,
+            Python-2.0,
+            PSF-2.0
+
+          # PER-PACKAGE EXCEPTIONS: Packages excluded from license checks entirely.
+          # Use for packages with unrecognized/non-standard license declarations.
+          # Format: "pkg:npm/name, pkg:pypi/name, pkg:githubactions/owner/repo@version"
+          # ── Edit this list when adding approved exceptions ──
+          # allow-dependencies-licenses: >-
+          #   pkg:npm/example-package,
+          #   pkg:pypi/example-package
+
+          # ── SCOPE FILTERING ─────────────────────────────────
+          # Skip dev-only dependencies (test frameworks, linters, etc.)
+          # They are not shipped to production so risk is lower.
+          # Set to "all" to also scan devDependencies.
+          # Options: runtime | development | all
+          # Using "runtime" keeps noise low in template repos
+          # where dev deps vary wildly by project type.
+          # Uncomment the line below to enforce on devDeps too:
+          # fail-on-scopes: runtime, development
+          allow-ghsas: ""   # Leave empty to block all known GHSAs
+
+          # ── OUTPUT & COMMENTS ────────────────────────────────
+          # Post a detailed summary comment directly on the PR
+          # comment-summary-in-pr: always
+
+          # Fail (don't just warn) on license violations.
+          # Change to "true" to only warn without failing.
+          warn-only: false
+
+          # ── VULNERABILITY DATABASE ───────────────────────────
+          # Use the GitHub Advisory Database (GHSA) as the source.
+          # This is the default; listed explicitly for clarity.
+          # vulnerability-check: true   # default
+          # Add explicitly so teams know it's active
+          show-openssf-scorecard: true
+          warn-on-openssf-scorecard-level: 3
+
+  #  Post a status summary badge to PR 
+  # summarize:
+  #   name: Post Review Summary
+  #   runs-on: ubuntu-latest
+  #   needs: dependency-review
+  #   if: always()
+
+  #   steps:
+  #     - name: 📋 Summarize Result
+  #       run: |
+  #         if [ "${{ needs.dependency-review.result }}" == "success" ]; then
+  #           echo "✅ Dependency review passed — no license violations or CVEs found."
+  #         else
+  #           echo "❌ Dependency review failed — check the PR comment for details."
+  #           echo ""
+  #           echo "Common fixes:"
+  #           echo "  • Replace dependencies using licenses not in allow-licenses"
+  #           echo "  • Upgrade vulnerable packages to patched versions"
+  #           echo "  • Add an explicit exception to allow-dependencies-licenses if intentional"
+  #         fi
diff --git a/.github/workflow/label-merge-conflicts.yml b/.github/workflow/label-merge-conflicts.yml
@@ -0,0 +1,29 @@
+name: Label Merge Conflicts
+
+on:
+  push:
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  label-conflicts:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Label PRs with merge conflicts
+        uses: eps1lon/actions-label-merge-conflict@v3
+        with:
+          dirtyLabel: "PR has merge conflicts"
+          repoToken: "${{ secrets.GITHUB_TOKEN }}"
+          commentOnDirty: |
+            ⚠️ **This PR has merge conflicts.**
+
+            Please resolve the merge conflicts before review.
+
+            Your PR will only be reviewed by a maintainer after all conflicts have been resolved.
+
+            📺 Watch this video to understand why conflicts occur and how to resolve them:
+            https://www.youtube.com/watch?v=Sqsz1-o7nXk
diff --git a/.github/workflow/release-drafter.yml b/.github/workflow/release-drafter.yml