Skip to content

RFC: Centralized community files and automated OWNERS sync#5

Open
fishman wants to merge 6 commits into
Project-HAMi:mainfrom
fishman:community-file-sync
Open

RFC: Centralized community files and automated OWNERS sync#5
fishman wants to merge 6 commits into
Project-HAMi:mainfrom
fishman:community-file-sync

Conversation

@fishman

@fishman fishman commented Jul 7, 2026

Copy link
Copy Markdown

Title: RFC: Centralized community files and automated OWNERS, and CONTRIBUTING sync

Summary:

This PR introduces a centralized workflow to manage community files (LICENSE, CODE_OF_CONDUCT, CONTRIBUTING, SECURITY) and OWNERS files across all active Project-HAMi repositories. Instead of maintaining copies in each repo and relying on manual PRs to update them, we define them once in .project and sync them automatically. Given that we currently are adjusting the CONTRIBUTING.md and will probably be tuning it this makes sense.

Changes:

  1. .github/repo-file-sync.yml – Configuration for repo-file-sync-action that mirrors LICENSE, CODE_OF_CONDUCT.md, CONTRIBUTING.md, and SECURITY.md to 15 repositories.

  2. .github/workflows/sync-community.yml – GitHub Actions workflow triggered on pushes to main (when any of the source files change) or manually. Contains two jobs:

    • sync-static – runs the file sync action to push the four community files.
    • sync-owners – runs a Python script (sync-owners.py) that reads maintainers.yaml, generates per-repo OWNERS files, and pushes them via the GitHub API.
  3. sync-owners.py – Generates OWNERS files under generated/<project_id>/OWNERS with approvers and reviewers lists extracted from maintainers.yaml. The workflow then pushes each one to the corresponding repo.

  4. maintainers.yaml – Expanded to cover all repos (HAMi, HAMi-core, volcano-vgpu-device-plugin, ascend-device-plugin, k8s-dra-driver, etc.) with per-repo maintainer and reviewer teams.

  5. Standard community files – LICENSE (Apache 2.0), CODE_OF_CONDUCT.md, CONTRIBUTING.md, SECURITY.md added to this repository as the single source of truth.

  6. .gitignore – Added generated/ to ignore locally generated OWNERS files.

What this accomplishes:

  • No more manual PRs to each repo for policy updates (e.g., the AI assistance disclosure policy in CONTRIBUTING.md). Update it here, and it propagates.
  • OWNERS files become synchronised from a single maintainers.yaml. Add/remove a maintainer or reviewer here, and the workflow updates the corresponding repo’s OWNERS automatically.
  • Visibility – The workflow runs on push, so a change to maintainers.yaml will trigger a sync within minutes.

Next stage: making files read-only:

Once the sync is proven, we can flag these files as read-only in each repository’s settings (branch protection rules or .github/CODEOWNERS). This ensures no one can bypass the centralised workflow by editing a community file directly in a downstream repo. The sync action will overwrite any local changes, effectively enforcing the singleton source of truth.

Usage:

To add a new repo to the sync:

  1. Add the repo name to repos: in .github/repo-file-sync.yml.
  2. Add a project_id entry in maintainers.yaml.
  3. The workflow will handle the rest.

Open questions:

  • Should the sync also push to repos that are currently private? (Currently only public repos are listed.)
  • When making files read-only, we need to ensure the workflow’s PAT has bypass permissions.
  • I noticed that the maintainers.yaml is different from the project-hami/hami/owners file, was that intentional?

Summary by CodeRabbit

  • New Features
    • Added automation to sync shared community documents across active repositories.
    • Added automated generation and updating of per-repository OWNERS and CONTRIBUTING.md based on the expanded maintainer roster.
  • Documentation
    • Updated LICENSE, CODE_OF_CONDUCT.md, CONTRIBUTING.md, and SECURITY.md with clearer community, security, and contribution guidance (including AI assistance disclosure requirements).
  • Chores
    • Added repository sync workflows (manual trigger) and a generator script; ignored generated outputs in version control.
  • Bug Fixes
    • Ensured ownership and contributing updates can be created or updated reliably across repositories.

@hami-robot

hami-robot Bot commented Jul 7, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: fishman

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@hami-robot hami-robot Bot added the size/XL label Jul 7, 2026
@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Adds workflow automation for syncing community files and generating per-repository OWNERS files from maintainer data, along with new governance documents and a maintained repository roster.

Changes

Community file and OWNERS sync automation

Layer / File(s) Summary
Static file sync configuration
.github/repo-file-sync.yml, .gitignore, .github/workflows/sync-community.yml
Adds repo-file-sync mappings for community documents, ignores generated output, and defines the workflow trigger plus static sync job.
Maintainer roster data
maintainers.yaml
Restructures the maintainer roster into per-project entries with project-maintainers and reviewers teams across multiple Project-HAMi repositories.
OWNERS generation script
sync-owners.py
Reads maintainers.yaml, builds OWNERS content per project, and writes files under generated/<project_id>/.
OWNERS generation and push workflow job
.github/workflows/sync-community.yml
Sets up Python, runs sync-owners.py, and pushes generated OWNERS files to each repo through the GitHub API.

Community governance documents

Layer / File(s) Summary
Governance and contribution documents
LICENSE, CODE_OF_CONDUCT.md, CONTRIBUTING.md, SECURITY.md
Adds Apache 2.0 license text, a Code of Conduct pointer, a contribution guide, and a security reporting policy.

Estimated code review effort: 2 (Simple) | ~15 minutes

Poem

A rabbit hopped through YAML fields so neat,
Syncing community files with a brisk little beat.
LICENSE, CONTRIBUTING, and SECURITY too,
Then OWNERS files sprang up in a tidy new queue. 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: centralizing community files and automating OWNERS synchronization.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

🧹 Nitpick comments (4)
.github/workflows/sync-community.yml (3)

20-20: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Third-party action pinned to a mutable tag.

BetaHuhn/repo-file-sync-action@v1 is pinned to a floating tag rather than a commit SHA. Since it runs with secrets.ORG_PAT (broad write access across many repos), pinning to a full commit SHA reduces supply-chain risk if the tag is ever repointed.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sync-community.yml at line 20, The workflow step using
BetaHuhn/repo-file-sync-action@v1 is pinned to a mutable tag; update that action
reference to a full commit SHA in the sync-community workflow so the third-party
action is locked to an immutable version, especially since it runs with
secrets.ORG_PAT.

3-13: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Trigger paths miss the sync config itself.

Path filters list maintainers.yaml, sync-owners.py, and the community docs, but not .github/repo-file-sync.yml. Editing the sync config alone (e.g., adding/removing a target repo) won't trigger this workflow on push; contributors would need to remember workflow_dispatch.

♻️ Suggested addition
     paths:
+      - '.github/repo-file-sync.yml'
       - 'maintainers.yaml'
       - 'sync-owners.py'
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sync-community.yml around lines 3 - 13, The push trigger
in the sync workflow is missing the sync configuration file itself, so edits to
the repo-file sync setup will not automatically run the job. Update the path
filter in the workflow’s on.push.paths list to include the sync config used by
the repository sync process, alongside maintainers.yaml and sync-owners.py, so
changes to that configuration also trigger the workflow on push.

19-19: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Checkout doesn't disable credential persistence.

Neither actions/checkout@v4 step sets persist-credentials: false. Since the checked-out git credentials aren't needed after checkout (writes happen via GH_TOKEN/GH_PAT), disable persistence to reduce blast radius per zizmor's artipacked finding.

🔒 Suggested fix (apply to both steps)
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false

Also applies to: 28-28

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sync-community.yml at line 19, The workflow’s two
actions/checkout uses still persist git credentials unnecessarily. Update both
checkout steps in the sync-community workflow to set persist-credentials to
false so the temporary checkout token is not retained after cloning, and keep
using GH_TOKEN/GH_PAT for any later write operations.

Source: Linters/SAST tools

sync-owners.py (1)

41-41: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Log summary uses index-based team access instead of name-based lookup.

gen_owners correctly resolves teams by name (project-maintainers/reviewers) regardless of order. This log line instead assumes teams[0] is maintainers and teams[1] is reviewers — it'll misreport counts (or raise IndexError if teams are ever missing/reordered) even though the generated OWNERS file itself stays correct.

♻️ Suggested fix
-        print(f"  {repo}: maintainers={len(entry['teams'][0].get('members',[]))}, reviewers={len(entry['teams'][1].get('members',[])) if len(entry['teams'])>1 else 0}")
+        teams = {t["name"]: t.get("members", []) for t in entry.get("teams", [])}
+        print(f"  {repo}: maintainers={len(teams.get('project-maintainers', []))}, reviewers={len(teams.get('reviewers', []))}")
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@sync-owners.py` at line 41, The summary print in gen_owners is still using
positional access on entry['teams'], which can misreport maintainers/reviewers
or fail if the order changes. Update that log line to resolve the
project-maintainers and project-reviewers teams by name, matching the lookup
logic already used in gen_owners, and then count members from those named team
objects instead of relying on teams[0] and teams[1].
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/repo-file-sync.yml:
- Around line 6-14: The repo-file sync mapping is using the wrong governance
filename for the code of conduct, so the sync action will not find the source
file. Update the file mapping in the repo-file sync configuration to use the
same underscore-based name as the workflow trigger and generated doc, and verify
the affected entries in the sync config stay consistent with the actual source
filenames used by BetaHuhn/repo-file-sync-action.

In @.github/workflows/sync-community.yml:
- Around line 44-47: The push/update command in the sync loop is swallowing
failures because the fallback echo after the gh api call does not fail the step,
so broken updates can still report success. Update the logic around the OWNERS
push in the workflow so failures from the repository update path are surfaced as
a non-zero exit for the step/job, and keep the error handling tied to the
existing sync loop and gh api/branch=main command so any auth, 404, or sha
conflict stops the workflow instead of only printing a message.
- Around line 16-23: Add an explicit least-privilege permissions block to the
workflow jobs so the default GITHUB_TOKEN is not granted broad access. Update
the sync jobs in sync-community.yml, including the sync-static job and the other
affected job(s) in the workflow, to declare only the permissions needed for
actions/checkout and the repo-file-sync action; keep using secrets.ORG_PAT for
actual write operations. Use the job definitions and
BetaHuhn/repo-file-sync-action configuration as the anchor points when updating
the workflow.
- Around line 38-46: The OWNERS sync step always passes a sha to gh api in the
update/create request, which breaks file creation when OWNERS does not exist.
Update the generated/* loop in sync-community.yml so the gh api call only
includes the sha field when the existing file lookup for
repos/Project-HAMi/$repo/contents/OWNERS succeeds; keep the PUT path and
branch/message/content handling in the same block, and use the existing repo/dir
flow to detect whether to omit sha for new files.

In `@CONTRIBUTING.md`:
- Around line 124-129: The contributor workflow example still references the old
base branch name, so update the branch example in the workflow section to use
the repository’s current main branch instead of master. Adjust the wording in
the contributor guidance so it aligns with the main-based workflow and keeps new
contributors from following the wrong starting branch.
- Around line 22-24: The Code of Conduct link in the CONTRIBUTING content points
to a repo-local path that may break in mirrored copies if the synced filename
differs. Update the markdown link in the Code of Conduct section to use the
canonical community URL, or otherwise align the synced filename and link target
so the reference remains valid across replicas; use the existing Code of Conduct
section anchor in CONTRIBUTING.md as the place to make this change.

---

Nitpick comments:
In @.github/workflows/sync-community.yml:
- Line 20: The workflow step using BetaHuhn/repo-file-sync-action@v1 is pinned
to a mutable tag; update that action reference to a full commit SHA in the
sync-community workflow so the third-party action is locked to an immutable
version, especially since it runs with secrets.ORG_PAT.
- Around line 3-13: The push trigger in the sync workflow is missing the sync
configuration file itself, so edits to the repo-file sync setup will not
automatically run the job. Update the path filter in the workflow’s
on.push.paths list to include the sync config used by the repository sync
process, alongside maintainers.yaml and sync-owners.py, so changes to that
configuration also trigger the workflow on push.
- Line 19: The workflow’s two actions/checkout uses still persist git
credentials unnecessarily. Update both checkout steps in the sync-community
workflow to set persist-credentials to false so the temporary checkout token is
not retained after cloning, and keep using GH_TOKEN/GH_PAT for any later write
operations.

In `@sync-owners.py`:
- Line 41: The summary print in gen_owners is still using positional access on
entry['teams'], which can misreport maintainers/reviewers or fail if the order
changes. Update that log line to resolve the project-maintainers and
project-reviewers teams by name, matching the lookup logic already used in
gen_owners, and then count members from those named team objects instead of
relying on teams[0] and teams[1].
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 3060a656-5b0a-40a3-bd7b-5c8b0fda3ff3

📥 Commits

Reviewing files that changed from the base of the PR and between 586b315 and 04fba1e.

📒 Files selected for processing (9)
  • .github/repo-file-sync.yml
  • .github/workflows/sync-community.yml
  • .gitignore
  • CODE_OF_CONDUCT.md
  • CONTRIBUTING.md
  • LICENSE
  • SECURITY.md
  • maintainers.yaml
  • sync-owners.py

Comment thread .github/repo-file-sync.yml
Comment thread .github/workflows/sync-community.yml
Comment thread .github/workflows/sync-community.yml Outdated
Comment thread .github/workflows/sync-community.yml Outdated
Comment thread CONTRIBUTING.md
Comment thread CONTRIBUTING.md Outdated
@fishman fishman force-pushed the community-file-sync branch 2 times, most recently from 5e1e109 to a126f51 Compare July 7, 2026 07:39

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
sync-owners.py (1)

29-31: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

project_id used unvalidated as a path component.

Static analysis flags open(MAINTAINERS_FILE) for path traversal; the more relevant instance is repo_dir = GENERATED_DIR / repo where repo = entry["project_id"] comes straight from maintainers.yaml. Since the workflow only triggers on pushes to main (already reviewed/merged content), risk is low, but a stray .. in project_id would still let it write outside generated/.

Also applies to: 36-39

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@sync-owners.py` around lines 29 - 31, `main` and the `repo_dir =
GENERATED_DIR / repo` path construction use `entry["project_id"]` directly as a
filesystem component, so sanitize or validate `project_id` before using it to
build paths. Update the logic around `main` and the per-entry processing near
the `repo_dir` assignment to reject absolute paths, `..`, and path separators,
or normalize to a safe slug, then only allow writes inside `GENERATED_DIR`.

Source: Linters/SAST tools

.github/workflows/sync-community.yml (1)

19-19: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Set persist-credentials: false on checkout steps.

Neither job needs the checked-out credential to persist (pushes go through gh api/GH_PAT), so leaving the default risks credential leakage via workspace/artifacts.

🔒 Suggested fix
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false

Also applies to: 28-28

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sync-community.yml at line 19, The checkout steps in the
sync-community workflow are leaving Git credentials persisted by default, which
should be disabled. Update the `actions/checkout` usages in the workflow jobs to
set `persist-credentials: false`, since the pushes are handled separately
through `gh api`/`GH_PAT`; make the change on each checkout step referenced by
the workflow.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@sync-owners.py`:
- Around line 35-41: The logging in sync-owners.py is using fragile positional
access on entry['teams'], which can crash or report wrong counts when team order
or length differs. Update the print logic to use the same name-based lookup
approach as gen_owners, retrieving project-maintainers and reviewers from a dict
(or equivalent safe lookup) before counting members, and fall back to 0 when a
team is missing.

---

Nitpick comments:
In @.github/workflows/sync-community.yml:
- Line 19: The checkout steps in the sync-community workflow are leaving Git
credentials persisted by default, which should be disabled. Update the
`actions/checkout` usages in the workflow jobs to set `persist-credentials:
false`, since the pushes are handled separately through `gh api`/`GH_PAT`; make
the change on each checkout step referenced by the workflow.

In `@sync-owners.py`:
- Around line 29-31: `main` and the `repo_dir = GENERATED_DIR / repo` path
construction use `entry["project_id"]` directly as a filesystem component, so
sanitize or validate `project_id` before using it to build paths. Update the
logic around `main` and the per-entry processing near the `repo_dir` assignment
to reject absolute paths, `..`, and path separators, or normalize to a safe
slug, then only allow writes inside `GENERATED_DIR`.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 1ca8d5b4-84dd-4743-bbda-163c5d45cccb

📥 Commits

Reviewing files that changed from the base of the PR and between 04fba1e and a126f51.

📒 Files selected for processing (10)
  • .github/repo-file-sync.yml
  • .github/workflows/sync-community.yml
  • .gitignore
  • CODE_OF_CONDUCT.md
  • CONTRIBUTING.md
  • LICENSE
  • SECURITY.md
  • maintainers.yaml
  • project.yaml
  • sync-owners.py
✅ Files skipped from review due to trivial changes (6)
  • SECURITY.md
  • LICENSE
  • .github/repo-file-sync.yml
  • CODE_OF_CONDUCT.md
  • .gitignore
  • maintainers.yaml

Comment thread sync-owners.py Outdated
@fishman

fishman commented Jul 7, 2026

Copy link
Copy Markdown
Author

I removed the fix for the validate-metadata from this PR. It's handled by #6

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
sync-owners.py (2)

14-22: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Minor: empty OWNERS content when no members present.

If both approvers and reviewers lists are empty for a project, gen_owners returns just "\n", writing a near-empty OWNERS file that GitHub may reject or treat as invalid. Consider skipping the write (or logging a warning) when no roles are populated.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@sync-owners.py` around lines 14 - 22, The gen_owners function currently
returns a near-empty OWNERS body when both approvers and reviewers are absent,
so update the sync flow to detect that case before writing the file. Use
gen_owners and the teams/ROLE_MAP data to check whether any role entries were
added, and if none were, skip creating/updating OWNERS (or emit a warning)
instead of writing just a newline.

31-37: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

No validation of project_id before use as a path/repo name.

entry["project_id"] is used directly to build repo_dir and (per the workflow) the target repo path for the GitHub API push. A malformed or unexpected project_id (e.g., containing / or ..) would silently write into an unintended nested/parent directory. Since maintainers.yaml is repo-controlled, this is low risk today, but a simple sanity check would harden against future misconfiguration.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@sync-owners.py` around lines 31 - 37, The sync-owners flow uses
entry["project_id"] directly as both the repository identifier and the directory
name, so add a sanity check in the loop in sync-owners.py before creating
repo_dir or writing OWNERS. Validate that project_id is a safe single path/repo
segment (for example, reject values containing separators or traversal-like
components) and skip or fail fast on invalid entries, keeping the existing logic
in the maintainer processing block and gen_owners path unchanged for valid
repos.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@sync-owners.py`:
- Around line 14-22: The gen_owners function currently returns a near-empty
OWNERS body when both approvers and reviewers are absent, so update the sync
flow to detect that case before writing the file. Use gen_owners and the
teams/ROLE_MAP data to check whether any role entries were added, and if none
were, skip creating/updating OWNERS (or emit a warning) instead of writing just
a newline.
- Around line 31-37: The sync-owners flow uses entry["project_id"] directly as
both the repository identifier and the directory name, so add a sanity check in
the loop in sync-owners.py before creating repo_dir or writing OWNERS. Validate
that project_id is a safe single path/repo segment (for example, reject values
containing separators or traversal-like components) and skip or fail fast on
invalid entries, keeping the existing logic in the maintainer processing block
and gen_owners path unchanged for valid repos.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 6bf88443-03b3-42a2-b1df-cc796672cac8

📥 Commits

Reviewing files that changed from the base of the PR and between a126f51 and af34111.

📒 Files selected for processing (1)
  • sync-owners.py

Comment thread maintainers.yaml
- project_id: "HAMi"
org: "Project-HAMi"
teams:
- name: "project-maintainers"

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please change that to 'approvers'

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The current way this works currently is that project-maintainers are translated to approvers in the OWNERS file. I wonder if the incorrect project_id is why the landscape is not updated. But should we separate project-maintainers from approvers and reviewers across the board? I'll check the .project CNCF spec again

fishman and others added 6 commits July 8, 2026 17:50
…ration

Signed-off-by: Reza Jelveh <fishmangit@dynamia.ai>
Signed-off-by: Reza Jelveh <fishmangit@dynamia.ai>
- Set `contents: read` at workflow and job levels for security
- Refactor `sync-owners` to onditionally create or update OWNERS files

Signed-off-by: Reza Jelveh <fishmangit@dynamia.ai>
…t URLs

Replace the static sync of `CONTRIBUTING.md` via repo-file-sync with
per-repo generation from a template using `sync-owners.py`. The template
references `Project-HAMi/.project` and gets injected with the correct
org and repo for each project. Update the workflow to push both `OWNERS`
and `CONTRIBUTING.md` files to each target repository.

Signed-off-by: Reza Jelveh <fishmangit@dynamia.ai>
…files

- Add `persist-credentials: false` to checkout steps in workflows.
- Skip writing OWNERS file when no approvers or reviewers are present.

Signed-off-by: Reza Jelveh <fishmangit@dynamia.ai>
Replace the version tag `@v1` with its resolved commit hash to
prevent the action from silently updating and reduce blast radius
per zizmor's unpinned-action finding.

Signed-off-by: Reza Jelveh <fishmangit@dynamia.ai>
@fishman fishman force-pushed the community-file-sync branch from f4223fc to 4d8b062 Compare July 8, 2026 09:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants