{"id":34610106,"url":"https://github.com/qualcomm/qcom-actions","last_synced_at":"2025-12-24T14:06:57.249Z","repository":{"id":300079647,"uuid":"1004218966","full_name":"qualcomm/qcom-actions","owner":"qualcomm","description":"GitHub Actions information and workflows for Qualcomm","archived":false,"fork":false,"pushed_at":"2025-12-11T01:51:37.000Z","size":24,"stargazers_count":1,"open_issues_count":1,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-12-11T17:18:42.730Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/qualcomm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE-OF-CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-06-18T09:45:38.000Z","updated_at":"2025-12-11T01:51:37.000Z","dependencies_parsed_at":"2025-06-19T19:42:19.690Z","dependency_job_id":"5ca3d94d-990f-40a8-8ea5-2d82b98b8d57","html_url":"https://github.com/qualcomm/qcom-actions","commit_stats":null,"previous_names":["qualcomm/qcom-actions"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/qualcomm/qcom-actions","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qualcomm%2Fqcom-actions","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qualcomm%2Fqcom-actions/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qualcomm%2Fqcom-actions/releases","manif
ests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qualcomm%2Fqcom-actions/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/qualcomm","download_url":"https://codeload.github.com/qualcomm/qcom-actions/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qualcomm%2Fqcom-actions/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28003724,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-24T02:00:07.193Z","response_time":83,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-12-24T14:05:45.282Z","updated_at":"2025-12-24T14:06:57.239Z","avatar_url":"https://github.com/qualcomm.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Qualcomm Actions and Workflows\n\nCommon actions and workflows for Qualcomm repositories.\n\n## Workflows\n\n### Qualcomm Preflight Checks\n\n`qcom-preflight-checks` calls a [reusable-workflow](https://github.com/qualcomm/qcom-reusable-workflows/blob/main/.github/workflows/qcom-preflight-checks-reusable-workflow.yml) that runs a series of preflight checks on your proposed contribution. 
The checks include:\n\n| Action/Workflow | Description | POC |\n| ------------- | ------------- | ------------- |\n| [todogroup/repolinter](https://github.com/todogroup/repolinter) | GitHub action for checking the repository for consistency and adherence to coding standards | @mynameistechno |\n| [semgrep/semgrep](https://github.com/semgrep/semgrep) | GitHub action for running the Semgrep static analysis tool | @njjetha and @igibek |\n| [qualcomm/commit-emails-check-action](https://github.com/qualcomm/commit-emails-check-action) | GitHub action for checking email addresses in PR/Push commits | @quic-nasserg |\n| [qualcomm/copyright-license-checker-action](https://github.com/qualcomm/copyright-license-checker-action) | GitHub action for checking copyright and license issues in PR/Push commits | @targoy-qti |\n| [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | Detects vulnerable dependencies and invalid licenses in PRs | @igibek |\n\nEach check can be individually disabled when it is not applicable to your project; in general, however, they should not be disabled. Create an [Issue](https://github.com/qualcomm/qcom-actions/issues) if you run into any problems.\n\n#### How To Install\n\nTo start using `qcom-preflight-checks`, use one of the options below to create the workflow file in your repository:\n\n1. Copy the file [.github/workflows/qcom-preflight-checks.yml](https://github.com/qualcomm/qcom-actions/blob/main/.github/workflows/qcom-preflight-checks.yml) to your repository's `.github/workflows` directory.\n1. Repositories created using [qualcomm/qualcomm-repository-template](https://github.com/qualcomm/qualcomm-repository-template) will include the file at `.github/workflows/qcom-preflight-checks.yml`.\n1. Create the file via the **Actions** tab in the UI:\n    1. Click on Actions\n    1. If you have existing actions in the repo, click \"New workflow\", else skip to the next step\n    1. 
Scroll to the `By Qualcomm Technologies, Inc.` section and click `Configure` under `Qualcomm Preflight Checker Workflow`\n    1. Click \"Commit changes...\", select \"Commit directly to the main branch\" (or feel free to create a new branch and start a PR), ensure your Qualcomm email is selected under \"Commit Email\", and then click \"Sign off and commit changes\"\n    1. This will create a GitHub Action config file in your repo under the path `.github/workflows/qcom-preflight-checks.yml`\n    1. Adjust it as needed, e.g. the qcom-preflight-checks workflow is configured to run on Push and Pull Requests into the default branch (typically main), but you may want to further adjust when it runs.\n\n#### How to Configure\n\nIf you need to disable individual checks, open `.github/workflows/qcom-preflight-checks.yml` in your repository and set the check to `false`. For example, to disable `semgrep`, set `semgrep: false` in the `with` section of the workflow. The default value is `true` for all checkers.\n\n## Versioning Workflows and Actions\n\nAfter updating your workflow or action, ensure you tag it following [SemVer](https://semver.org/):\n\n```\nGiven a version number MAJOR.MINOR.PATCH, increment the:\n\nMAJOR version when you make incompatible API changes\nMINOR version when you add functionality in a backward compatible manner\nPATCH version when you make backward compatible bug fixes\n```\n\nUse GitHub's \"Create a new release\" in the Releases section. Click \"Generate release notes\" to pre-populate a list of merged PRs in the diff, updating it as needed.\n\n### Why you should not use main or a moving branch\n\nUsing main (or any branch) to reference an action or a reusable workflow seems convenient, but it introduces three classes of risk:\n\n#### Supply‑chain risk\n\nThe upstream maintainer can force‑push unreviewed code or accidentally merge code that adds a malicious step. 
Your workflow will pick it up automatically on the next run.\n\n#### Breaking changes \u0026 reproducibility loss\n\nA minor upstream change (inputs/outputs, environment assumptions) can silently change behavior and break builds.\n\n#### Incident blast radius\n\nWhen many repositories reference main, a single upstream change can fail all pipelines at once.\n\n### Alternatives to using a branch\n\nBelow are some alternatives that still ensure callers of workflow files and actions have the latest version.\n\n#### Dependabot\n\n* Dependabot can automatically open PRs when a new version of a referenced workflow or action is published.\n* [qualcomm-repository-template](https://github.com/qualcomm/qualcomm-repository-template) already includes the [dependabot config](https://github.com/qualcomm/qualcomm-repository-template/blob/main/.github/dependabots.yaml) required for this to work for GitHub Actions/Workflow files. If you didn't use the template repo when creating your project, you can manually create it.\n* Maintainers who want to strictly control dependency upgrades may prefer this approach.\n\n#### Floating tags, e.g. @v1\n\n* Some projects create a major version tag (e.g., v1) and then move that tag forward as they release new minor or patch versions (v1.1.0, v1.2.3, etc.).\n* This allows consumers to get updates without changing their workflow file every time.\n* This approach has similar risks to using a branch. However, some maintainers prefer this approach and are OK with the potential reproducibility loss and other issues related to tag mutation.\n* Some projects leverage workflows to automate moving major version tags forward whenever a minor or patch release is made, e.g. [actions/update-major-version-tag](https://github.com/marketplace/actions/update-major-version-tag) or a [simple gist example](https://gist.github.com/cicirello/ade1d559a89104140557389365154bc1).\n\n## GitHub Rulesets\n\nRulesets can be used to require workflows to pass prior to merge. 
Some workflows are required for all repos and managed at an organization level. Individual repositories can also require workflows and checks to pass prior to merge. See [About Rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) for more information.\n\n## Contributing to qcom-actions\n\n### Branches\n\n**main**: Primary development branch. Contributors should develop submissions based on this branch, and submit pull requests to this branch.\n\n### Getting in Contact\n\n* [Report an Issue on GitHub](../../issues)\n\n## License\n\n**qcom-actions** is licensed under the [BSD-3-clause License](https://spdx.org/licenses/BSD-3-Clause.html). See [LICENSE.txt](LICENSE.txt) for the full license text.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqualcomm%2Fqcom-actions","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fqualcomm%2Fqcom-actions","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqualcomm%2Fqcom-actions/lists"}