ci: create a new action to update custom properties in a repo (#8)

Signed-off-by: Andrew Brandt <andrew.brandt@hashgraph.com>
Co-authored-by: Roger Barker <roger.barker@swirldslabs.com>

Author: andrewb1269hg

.github/SECURITY.md

@@ -0,0 +1,36 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+We take the security of update-custom-properties seriously. If you believe you have found a security vulnerability, please report it to us as described below.
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them via email to:
+
+```
+maintainers@pandaswhocode.com
+```
+
+You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
+
+Please include the following information in your report:
+
+- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+- Full paths of source file(s) related to the manifestation of the issue
+- The location of the affected source code (tag/branch/commit or direct URL)
+- Any special configuration required to reproduce the issue
+- Step-by-step instructions to reproduce the issue
+- Proof-of-concept or exploit code (if possible)
+- Impact of the issue, including how an attacker might exploit it
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+- We will respond to your report within 48 hours with our evaluation and expected resolution time
+- If you have followed the instructions above, we will not take legal action against you in regard to your report
+- We will keep you informed of the progress towards resolving the issue
+- Once the issue is resolved, we will publicly acknowledge your responsible disclosure, if you wish

action.yaml

@@ -0,0 +1,90 @@
+name: 'Custom Properties Update Action'
+description: 'Updates the custom properties for all repos in an org to values in org/governance/repo-properties.yaml'
+author: 'Andrew Brandt <andrew.brandt@hashgraph.com>'
+organization: 'PandasWhoCode'
+branding:
+  icon: 'check-circle'
+  color: 'purple'
+
+inputs:
+  token:
+    description: 'Personal Access Token'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install yq (mikefarah's version)
+      shell: bash
+      run: |
+        sudo wget --quiet https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
+        sudo chmod +x /usr/bin/yq
+        yq --version  # confirm installed
+
+    - name: Convert from JSON to YAML
+      shell: bash
+      run: |
+        REPO_NAME=${{ github.event.repository.name }}
+        YAML_FILE="repo-properties.yaml"
+        
+        # Convert the YAML file to JSON for parsing
+        yq eval -o=json repo-properties.yaml > repo-properties.json
+
+    - name: Create list of repo names
+      shell: bash
+      run: jq -r '.repositories[].name' repo-properties.json > repo-names.txt
+
+    - name: Set custom properties in repos
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.token }}
+      run: |
+        # Input files
+        REPO_NAMES_FILE="repo-names.txt"
+        JSON_FILE="repo-properties.json"
+        
+        # Extract the org name once
+        ORG_NAME=$(jq -r '.org' "$JSON_FILE")
+        echo "Org Name: ${ORG_NAME}"
+        
+        # Loop over each repo name
+        while IFS= read -r REPO_NAME; do
+          echo "Processing repo: ${REPO_NAME}"
+          
+          # Check if the repo exists
+          if ! gh api "/repos/${ORG_NAME}/${REPO_NAME}" --silent > /dev/null 2>&1; then
+            echo "  Repository '${ORG_NAME}/${REPO_NAME}' does not exist. Skipping..."
+            continue
+          fi
+          
+          # Extract matching repository object without the 'name' field
+          repo_props=$(jq -r --arg name "${REPO_NAME}" '
+            .repositories[]
+            | select(.name == $name)
+            | del(.name)
+            ' "$JSON_FILE")
+          
+          # Check if a match was found
+          if [[ "$repo_props" == "null" || -z "$repo_props" ]]; then
+            echo "No matching data found for ${REPO_NAME}, skipping..."
+            continue
+          fi
+          
+          # Iterate over key-value pairs and set custom properties
+          echo "$repo_props" | jq -r 'to_entries[] | "\(.key)=\(.value)"' | while IFS="=" read -r key value; do
+            echo "    Setting property '${key}' = '${value}' on ${ORG_NAME}/${REPO_NAME}"
+            # check to see if date here
+            if [[ "${key}" == *"-date"* || "${key}" == "date-"* ]]; then
+              if [[ ! "${value}" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ && -n "${value}" ]]; then
+                echo "Repo name is: ${REPO_NAME}"
+                echo "Property name is: ${key}"
+                echo "Date Value is: ${value}"
+                echo "Invalid date format: Date needs to be formatted [YYYY-MM-DD]"
+                exit 1
+              fi
+            fi
+            # API Call here
+            gh api --method PATCH -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/${ORG_NAME}/${REPO_NAME}/properties/values -f "properties[][property_name]=${key}" -f "properties[][value]=${value}"
+          done
+        done < "${REPO_NAMES_FILE}"
+        echo "Successfully set custom properties!"

repo-properties.yaml

@@ -0,0 +1,15 @@
+# Place this file in the governance repo at the root level to run on the whole organization
+org: PandasWhoCode
+teams:
+  - pandas
+  - reviewers
+  - admins
+repositories:
+  - name: my-example-repo
+    last-date-modified: ""
+    initial-ci-review-by-team: "pandas"
+    initial-ci-review-date: "2025-04-07"
+    initial-security-review-by-team: "admins"
+    initial-security-review-date: "2025-04-15"
+    last-security-review-by-team: "reviewers"
+    last-security-review-date: "2025-05-01"