From 50cdb5721617afa595b61be826a1aac96ba4f243 Mon Sep 17 00:00:00 2001
From: Ashish Bhatia
Date: Wed, 8 Jan 2025 22:18:32 -0800
Subject: [PATCH] ci: add GitHub Actions linter
---
 .github/workflows/lint-github-actions.yaml | 74 ++++++++++++++++++++++
 .github/workflows/lint-markdown.yaml | 2 +
 .github/workflows/lint-shell-script.yaml | 2 +
 .github/workflows/lint-yaml.yaml | 3 +
 .github/workflows/validate-links.yml | 2 +
 5 files changed, 83 insertions(+)
 create mode 100644 .github/workflows/lint-github-actions.yaml
diff --git a/.github/workflows/lint-github-actions.yaml b/.github/workflows/lint-github-actions.yaml
new file mode 100644
index 0000000..4f91395
--- /dev/null
+++ b/.github/workflows/lint-github-actions.yaml
@@ -0,0 +1,74 @@
+# Generated by Gabo (https://github.com/ashishb/gabo)
+---
+# Run this locally with act - https://github.com/nektos/act
+# act -j lintGitHubActions
+name: Lint GitHub Actions
+
+on: # yamllint disable-line rule:truthy
+ push:
+ branches: [master, main]
+ paths:
+ - ".github/workflows/**.yml"
+ - ".github/workflows/**.yaml"
+ pull_request:
+ branches: [master, main]
+ paths:
+ - ".github/workflows/**.yml"
+ - ".github/workflows/**.yaml"
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ lintGitHubActionsWithActionLint:
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ sparse-checkout: |
+ .github/workflows
+ sparse-checkout-cone-mode: false
+
+ - name: Lint GitHub Actions
+ uses: reviewdog/action-actionlint@v1
+
+ - name: Check GitHub Actions with 'actionlint'
+ # Ref: https://github.com/rhysd/actionlint/blob/main/docs/usage.md#use-actionlint-on-github-actions
+ # shellcheck is too noisy and disabled
+ run: |
+ bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+ ./actionlint -color -shellcheck=
+ shell: bash
+
+
+ lintGitHubActionsForSecurity:
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ sparse-checkout: |
+ .github/workflows
+ sparse-checkout-cone-mode: false
+
+ - name: Setup Rust
+ uses: actions-rust-lang/setup-rust-toolchain@v1
+
+ - name: Install zizmor
+ run: cargo install zizmor
+
+ - name: Run zizmor on GitHub Actions
+ run: zizmor .github/workflows/*
diff --git a/.github/workflows/lint-markdown.yaml b/.github/workflows/lint-markdown.yaml
index fc267e3..1940a4d 100644
--- a/.github/workflows/lint-markdown.yaml
+++ b/.github/workflows/lint-markdown.yaml
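Review bot: The step "Check GitHub Actions with 'actionlint'" runs `bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)`, which executes an unpinned script from the `main` branch on every run with no tag, commit or checksum pin and no `-f`/`-S` on curl, so a failed or tampered download is fed straight to bash — the kind of supply-chain weakness this workflow exists to lint for — and it duplicates the `reviewdog/action-actionlint@v1` step directly above it, which already runs actionlint. Either drop the duplicate step or pin it, e.g. `curl -fsSL https://raw.githubusercontent.com/rhysd/actionlint/<pinned-tag>/scripts/download-actionlint.bash | bash`. The same gap applies to `run: cargo install zizmor` in lintGitHubActionsForSecurity, which builds whatever crates.io serves at run time; `run: cargo install --locked zizmor@<pinned-version>` makes the run reproducible. That job also requests `security-events: write` but never produces or uploads SARIF (zizmor is invoked with plain output and there is no upload step), so either drop the permission or add `--format sarif` plus an upload step, and lintGitHubActionsWithActionLint declares no `permissions:` block at all, so it inherits the repository's default token scope instead of an explicit least-privilege one (at least `contents: read`, plus whatever the reviewdog reporter needs).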
@@ -27,6 +27,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Ruby
 # See https://github.com/ruby/setup-ruby#versioning
diff --git a/.github/workflows/lint-shell-script.yaml b/.github/workflows/lint-shell-script.yaml
index 9d4992a..db8f292 100644
--- a/.github/workflows/lint-shell-script.yaml
+++ b/.github/workflows/lint-shell-script.yaml
@@ -30,6 +30,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Run ShellCheck
 uses: ludeeus/action-shellcheck@2.0.0
diff --git a/.github/workflows/lint-yaml.yaml b/.github/workflows/lint-yaml.yaml
index e140120..14b7cab 100644
--- a/.github/workflows/lint-yaml.yaml
+++ b/.github/workflows/lint-yaml.yaml
@@ -31,6 +31,9 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
 - name: Check YAML files with linter
 uses: ibiqlik/action-yamllint@v3
 with:
diff --git a/.github/workflows/validate-links.yml b/.github/workflows/validate-links.yml
index b7de400..89f75fa 100644
--- a/.github/workflows/validate-links.yml
+++ b/.github/workflows/validate-links.yml
@@ -30,6 +30,8 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/cache@v4
 with: