{"id":39818441,"url":"https://github.com/linear-b/gitstream-github-action","last_synced_at":"2026-04-13T10:01:35.895Z","repository":{"id":57764844,"uuid":"523764152","full_name":"linear-b/gitstream-github-action","owner":"linear-b","description":"/:\\ gitStream - Workflow GitHub Action","archived":false,"fork":false,"pushed_at":"2026-04-12T12:50:23.000Z","size":140142,"stargazers_count":6,"open_issues_count":12,"forks_count":11,"subscribers_count":4,"default_branch":"develop","last_synced_at":"2026-04-12T14:25:58.762Z","etag":null,"topics":["automation","ci-cd","cm-ci-cd","github","githubaction-workflow","productivity"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/linear-b.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-08-11T14:56:26.000Z","updated_at":"2026-04-04T09:26:01.000Z","dependencies_parsed_at":"2025-11-28T03:08:57.449Z","dependency_job_id":null,"html_url":"https://github.com/linear-b/gitstream-github-action","commit_stats":{"total_commits":73,"total_committers":7,"mean_commits":"10.428571428571429","dds":0.410958904109589,"last_synced_commit":"36f5cacaa6f5abdb33f637672867d117cc7a455f"},"previous_names":[],"tags_count":283,"template":false,"template_full_name":null,"purl":"pkg:github/linear-b/gitstream-github-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/linear-b%2Fgitstream-githu
b-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/linear-b%2Fgitstream-github-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/linear-b%2Fgitstream-github-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/linear-b%2Fgitstream-github-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/linear-b","download_url":"https://codeload.github.com/linear-b/gitstream-github-action/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/linear-b%2Fgitstream-github-action/sbom","scorecard":{"id":351085,"data":{"date":"2025-08-11","repo":{"name":"github.com/linear-b/gitstream-github-action","commit":"38537bbd23182763b82152a48ecce1173ba76636"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":6.2,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":8,"reason":"Found 4/5 approved changesets -- score normalized to 8","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively 
maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/bump-gitstream-core.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/check-dist.yml:12","Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:12","Warn: topLevel 'checks' permission set to 'write': .github/workflows/codeql-analysis.yml:15","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:16","Warn: topLevel 'security-events' permission set to 'write': .github/workflows/codeql-analysis.yml:17","Info: topLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:14","Warn: no topLevel permission defined: .github/workflows/create-tag-on-merge.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least 
privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Pinned-Dependencies","score":1,"reason":"dependency not pinned by hash detected -- score normalized to 1","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/bump-gitstream-core.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/linear-b/gitstream-github-action/bump-gitstream-core.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/check-dist.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/linear-b/gitstream-github-action/check-dist.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/check-dist.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/linear-b/gitstream-github-action/check-dist.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/check-dist.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/linear-b/gitstream-github-action/check-dist.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/linear-b/gitstream-github-action/ci.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/linear-b/gitstream-github-action/ci.yml/develop?enable=pin","Warn: GitHub-owned 
GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/linear-b/gitstream-github-action/codeql-analysis.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/linear-b/gitstream-github-action/codeql-analysis.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/linear-b/gitstream-github-action/codeql-analysis.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/linear-b/gitstream-github-action/codeql-analysis.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/create-tag-on-merge.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/linear-b/gitstream-github-action/create-tag-on-merge.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/create-tag-on-merge.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/linear-b/gitstream-github-action/create-tag-on-merge.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/create-tag-on-merge.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/linear-b/gitstream-github-action/create-tag-on-merge.yml/develop?enable=pin","Warn: npmCommand not pinned by hash: .github/workflows/bump-gitstream-core.yml:58","Info:   0 out of  13 GitHub-owned GitHubAction dependencies pinned","Info:   2 out of   3 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build 
process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses 
fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 10 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-18T08:19:21.689Z","repository_id":57764844,"created_at":"2025-08-18T08:19:21.689Z","updated_at":"2025-08-18T08:19:21.689Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31747178,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-13T09:16:15.125Z","status":"ssl_error","status_checked_at":"2026-04-13T09:16:05.023Z","response_time":93,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","ci-cd","cm-ci-cd","github","githubaction-workflow","productivity"],"created_at":"2026-01-18T12:53:36.441Z","updated_at":"2026-04-13T10:01:35.889Z","avatar_url":"https://github.com/linear-b.png","language":"JavaScript","readme":"# gitStream GitHub Action\n\nThis GitHub Action enables you to use the gitStream Continuous Merge (CM) script\nin your repositories to automate code review workflows. The gitStream CM script\nallows you to define custom automations that run whenever someone opens a new\npull request (PR) or makes changes to an existing PR.\n\n## How gitStream Works\n\ngitStream can be configured through one or more CM files inside your git\nrepository or GitHub/GitLab organization. These CM files, ending with a `.cm`\nextension, contain YAML and Jinja2 code that outlines the rules for triggering\nand executing automations. The \"if this, then that\" approach combined with\ntemplating and gitStream-specific functions offers a highly flexible framework\nfor building custom CM automations.\n\n## Next Steps\n\nIf you're ready to start writing automations, check out our guide:\n[Write Your First Automation](https://docs.gitstream.cm/quick-start/).\n\n## Reporting Issues\n\nIf you encounter any issues with gitStream or this documentation, please check\nthe [gitStream issues page](https://github.com/linear-b/gitstream/issues) and\ncreate a new issue if it doesn't already exist. 
We appreciate your feedback and\nhelp in improving gitStream!\n\n## Syntax Highlighting\n\nTo add support for `.cm` files in your code editor, see our\n[FAQ](https://docs.gitstream.cm/faq/#is-there-cm-syntax-highlighting).\n\n## Managing Dependencies\n\n### Action dependencies (`package.json` → `dependencies`)\n\nImported by the action's source code. Must be listed in `package.json` for build time.\n\nTo add:\n\n1. `npm install \u003cpackage\u003e` and import it in `src/`\n2. If it can't be bundled by ncc (WASM, native addons), add `--external \u003cpackage\u003e` to the `package` script and add it to `vendor-plugins` as well\n\n### Plugin dependencies (`vendor-plugins` script in `package.json`)\n\nPackages that user plugins can `require()` at runtime. Installed into `dist/node_modules/` at build time and committed to the repo.\n\nTo add:\n\n1. Add with a pinned version to the `vendor-plugins` script in `package.json`\n2. Run `npm run package` and commit the updated `dist/node_modules/`\n\n## License\n\nThe gitStream GitHub Action is licensed under the Apache License. See\n[LICENSE](LICENSE) for more details.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flinear-b%2Fgitstream-github-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flinear-b%2Fgitstream-github-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flinear-b%2Fgitstream-github-action/lists"}