@gemini-cli /review

.github/dependabot.yml

@@ -1,4 +1,6 @@
-version: 2
+'daily'
+
+: 2
 updates:
   - package-ecosystem: 'npm'
     directory: '/'
@@ -16,3 +18,5 @@ updates:
     rebase-strategy: 'disabled'
     schedule:
       interval: 'daily'
+- name: Run Gemini CLI
+  uses: google-github-actions/[email protected]

.github/workflows/blank.yml

@@ -0,0 +1,166 @@
+# Copyright The Conforma Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+name: Release
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 9 * * 3' # every Wednesday
+
+permissions:
+  contents: read
+
+env:
+  TRACKED_PATHS: "acceptance/ policy/"
+
+jobs:
+
+  get_info:
+
+    runs-on: ubuntu-latest
+    outputs:
+      latest_tag: ${{ steps.get_info.outputs.latest_tag }}
+      latest_tag_sha: ${{ steps.get_info.outputs.latest_tag_sha }}
+      changed: ${{ steps.get_info.outputs.changed }}
+      next_version: ${{ steps.get_info.outputs.next_version }}
+
+    steps:
+
+      - name: Harden Runner
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+          disable-telemetry: true
+
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+
+      - name: Get info
+        id: get_info
+        run: |
+          set -e
+          git fetch --tags
+          source hack/derive-version.sh $TRACKED_PATHS
+
+          echo latest_tag=$LATEST_TAG | tee -a "$GITHUB_OUTPUT"
+          echo latest_tag_sha=$LATEST_TAG_SHA | tee -a "$GITHUB_OUTPUT"
+          echo changed=$HAVE_CHANGED | tee -a "$GITHUB_OUTPUT"
+          echo next_version=$NEXT_VERSION | tee -a "$GITHUB_OUTPUT"
+
+  generate_release_notes:
+
+    needs: get_info
+    if: needs.get_info.outputs.changed == 'true'
+    timeout-minutes: 15
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+
+      - name: Harden Runner
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+          disable-telemetry: true
+
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+
+      - name: Fetch tags
+        id: fetch_tags
+        run: |
+          git fetch --tags
+
+      - name: Generate release notes
+        uses: google-github-actions/run-gemini-cli@v0
+        with:
+          gemini_api_key: ${{ secrets.GEMINI_API_KEY }}
+          settings: |-
+            {
+              "sandbox": true,
+              "autoAccept": true
+            }
+          prompt: |
+            Make a release notes based on all notable changes since the tag
+            ${{needs.get_info.outputs.latest_tag}}.
+            Categorize it nicely with emojis, output as Markdown.
+            For each change that you mention in the release notes:
+              - Summarize the change in one line
+              - Put jira link in the beginning of the line, if the change has a
+                jira link in the commit message
+            Include all changes that have jira link in the commit message.
+            Don't create a title for the release.
+            Preface the release notes with a brief summary of the release.
+            The summary should also refer to changes in policies and policy rules.
+            Also save the release notes in a file named "release-notes.md".
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: release-notes
+          path: release-notes.md
+          if-no-files-found: error
+
+
+  create_release:
+    needs: [get_info, generate_release_notes]
+    if: ${{ needs.get_info.outputs.changed == 'true' && needs.generate_release_notes.result == 'success'}}
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+
+    steps:
+
+      - name: Harden Runner
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+          disable-telemetry: true
+
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+
+      - name: Tag
+        run: |
+          set -e
+          git fetch --tags
+          git config --local user.email "[email protected]"
+          git config --local user.name "GitHub Action"          
+
+          source hack/add-auto-tag.sh
+          git push -f --tags
+
+      - name: Download artifact
+        uses: actions/download-artifact@v5
+        with:
+          name: release-notes
+
+      - name: Create a release
+        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
+        with:
+          name: ${{ needs.get_info.outputs.next_version }}
+          tag_name: ${{ needs.get_info.outputs.next_version }}
+          body_path: "release-notes.md"
+          make_latest: false
+          generate_release_notes: false

.gitignore

@@ -68,3 +68,8 @@ gha-creds-*.json
 
 # Ignore local secrets file for act
 .secrets
+# gemini-cli settings
+.gemini/
+
+# GitHub App credentials
+gha-creds-*.json