Netcracker · LightlessOne · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026
@@ -7,41 +7,52 @@
 # https://github.com/Netcracker/.github/blob/main/config/examples/auto-labeler-config.yaml
 
 name: Automatic PR Labeler
-
+run-name: PR #${{ github.event.pull_request.number }} - Automatic Labeler
 on:
   pull_request:
     branches: [main]
     types:
       [opened, reopened, synchronize]
 
 permissions:
-  pull-requests: write
   contents: read
-  issues: write
 
 jobs:
   assign-labels:
+    name: "Assign Labels to PR #${{ github.event.pull_request.number }}"
     if: (github.event.pull_request.merged == false) && (github.event.pull_request.user.login != 'dependabot[bot]') && (github.event.pull_request.user.login != 'github-actions[bot]')
+    permissions:
+      pull-requests: write
+      contents: read
+      issues: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: "Checkout Repository"
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
       - name: "Execute assign labels"
         id: action-assign-labels
-        uses: mauroalderete/action-assign-labels@v1
+        uses: mauroalderete/action-assign-labels@671a4ca2da0f900464c58b8b5540a1e07133e915 # v1.5.1
         with:
           pull-request-number: ${{ github.event.pull_request.number }}
           github-token: ${{ github.token }}
           conventional-commits: "./.github/auto-labeler-config.yaml"
           maintain-labels-not-matched: true
           apply-changes: ${{ github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }}
+
+      - name: "Set labels-next safely for PR from fork"
+        if: ${{ github.event.pull_request.base.repo.id != github.event.pull_request.head.repo.id }}
+        run: |
+          echo "LABELS_NEXT=$(echo ${STEPS_ACTION_ASSIGN_LABELS_OUTPUTS_LABELS_NEXT} | tr -dc 'a-zA-Z0-9-,')" >> $GITHUB_ENV
+        env:
+          STEPS_ACTION_ASSIGN_LABELS_OUTPUTS_LABELS_NEXT: ${{ steps.action-assign-labels.outputs.labels-next }}
       - name: "Drop warning if PR from fork"
         if: ${{ github.event.pull_request.base.repo.id != github.event.pull_request.head.repo.id }}
         run: |
           {
             echo "⚠️ Pull request from fork! ⚠️";
             echo "Labels will not be applied to PR. Assign them manually please.";
-            echo "Labels to assign: ${{ steps.action-assign-labels.outputs.labels-next }}";
+            echo "Labels to assign: '${LABELS_NEXT}'";
           } >> "$GITHUB_STEP_SUMMARY"
@@ -1,33 +1,35 @@
 ---
-name: Link Checker
+name: "Link Checker"
 
 on:
   push: null
   repository_dispatch: null
   workflow_dispatch: null
   pull_request:
     branches: [main]
-    types:
-      [opened, reopened, synchronize]
 permissions:
   contents: read
 jobs:
   linkChecker:
+    name: "Run Link Checker"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: "Checkout code"
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
-      - name: Restore lychee cache
-        uses: actions/cache@v4
+      - name: "Restore lychee cache"
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         id: restore-cache
         with:
           path: .lycheecache
           key: cache-lychee-${{ github.sha }}
           restore-keys: cache-lychee-
 
-      - name: Link Checker
+      - name: "Link Checker"
         id: lychee
-        uses: lycheeverse/lychee-action@v2
+        uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 #v2.8.0
         with:
           args: >-
             './**/*.md'

@@ -7,25 +7,29 @@ on:
       - main
 
 permissions:
-  pull-requests: write
   contents: read
 
 jobs:
   pr-auto-assign:
+    name: "Auto-assign Reviewers to PR #${{ github.event.pull_request.number }}"
     runs-on: ubuntu-latest
-
+    permissions:
+      pull-requests: write
+      contents: read
     steps:
-      - name: Check if PR is from a fork
+      - name: "Check if PR is from a fork"
         run: |
           if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.event.pull_request.base.repo.full_name }}" ]; then
             echo "⚠️ Pull request is from a fork — skipping assignee assignment (no write permissions)."
             exit 0
           fi
 
-      - uses: actions/checkout@v5
+      - name: "Checkout Repository"
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
         with:
           persist-credentials: false
 
-      - uses: netcracker/qubership-workflow-hub/actions/pr-assigner@b575bad3a0959c4e883bc34f9d055ff07fde2dbd #2.0.1
+      - name: "Assign Reviewers"
+        uses: netcracker/qubership-workflow-hub/actions/pr-assigner@5a557213e92e3d22d0292330c4817c82af6704d2 #2.1.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -18,6 +18,7 @@ jobs:
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v6
+      - name: "Semantic PR Title Lint"
+        uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
         env:
           GITHUB_TOKEN: ${{ github.token }}
@@ -15,12 +15,13 @@ permissions:
 
 jobs:
   apply-filter:
+    name: "Apply Profanity Filter"
     runs-on: ubuntu-latest
     steps:
     - name: Scan issue or pull request for profanity
       # Conditionally run the step if the actor isn't a bot
       if: ${{ github.actor != 'dependabot[bot]' && github.actor != 'github-actions[bot]' }}
-      uses: IEvangelist/profanity-filter@9.07
+      uses: IEvangelist/profanity-filter@7d6e0c79ee3d33ae09b5ed0c6e2fa04b9c512e08 #10.0
       id: profanity-filter
       with:
         token: ${{ secrets.GITHUB_TOKEN }}

@@ -29,49 +29,38 @@ permissions:
   contents: read
 
 jobs:
-  prepare-configs:
+  super-linter:
+    name: "Lint Code Base"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+      statuses: write
     steps:
     - name: "Get the common linters configuration"
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         ref: main # fix/superlinter-config
         repository: netcracker/.github
         persist-credentials: false
+        path: common-configs
         sparse-checkout: |
           config/linters
-    - name: "Upload the common linters configuration"
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-      with:
-        name: linter-config
-        path: "${{ github.workspace }}/config"
-        include-hidden-files: true
-  run-lint:
-    needs: [prepare-configs]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: read
+    - name: "Move configs"
+      run: |
+        cp --update=none -vRT ./common-configs/config/linters /tmp/linters
+        rm -rf ./common-configs
       # To report GitHub Actions status checks
-      statuses: write
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - name: "Checkout code"
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         # Full git history is needed to get a proper list of changed files within `super-linter`
         fetch-depth: 0
         persist-credentials: false
-    - name: "Get the common linters configuration"
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
-      id: download
-      with:
-        name: linter-config
-        path: /tmp/linter-config
     - name: "Apply the common linters configuration"
-      if: ${{ steps.download.outputs.download-path != '' }}
       run: |
         mkdir -p ./.github/linters
-        cp --update=none -vRT /tmp/linter-config/linters ./.github/linters
+        cp --update=none -vRT /tmp/linters ./.github/linters
 
     - name: "Load super-linter environment file"
       shell: bash
@@ -81,18 +70,17 @@ jobs:
           echo "Applying local linter environment:"
           grep "\S" ${GITHUB_WORKSPACE}/.github/super-linter.env | grep -v "^#"
           grep "\S" ${GITHUB_WORKSPACE}/.github/super-linter.env | grep -v "^#" >> $GITHUB_ENV
-        elif [ -f "/tmp/linter-config/linters/super-linter.env" ]; then
+        elif [ -f "/tmp/linters/super-linter.env" ]; then
           echo "::warning:: Local linter environment file .github/super-linter.env is not found"
           echo "Applying common linter environment:"
-          grep "\S" /tmp/linter-config/linters/super-linter.env | grep -v "^#"
-          grep "\S" /tmp/linter-config/linters/super-linter.env | grep -v "^#" >> $GITHUB_ENV
+          grep "\S" /tmp/linters/super-linter.env | grep -v "^#"
+          grep "\S" /tmp/linters/super-linter.env | grep -v "^#" >> $GITHUB_ENV
         fi
 
-    - name: Lint Code Base
-      uses: super-linter/super-linter/slim@ffde3b2b33b745cb612d787f669ef9442b1339a6 # v8.1.0
+    - name: "Lint Code Base"
+      uses: super-linter/super-linter/slim@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
       env:
         VALIDATE_ALL_CODEBASE: ${{ inputs.full_scan || false }}
         # To report GitHub Actions status checks
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         DEFAULT_BRANCH: ${{ github.event.pull_request.base.ref || github.event.push.ref }}
-