From 1e7b107eceb4960e9823fc566d3331ea8469e281 Mon Sep 17 00:00:00 2001 From: Ismo Vuorinen Date: Wed, 29 Jan 2025 14:27:54 +0200 Subject: [PATCH] fix(ci): linting, permissions and configuration --- .cspell.json | 7 + .github/renovate.json | 4 +- .github/workflows/composer-install.yml | 7 +- .github/workflows/compress-images.yml | 9 +- .github/workflows/dependency-review.yml | 3 - .github/workflows/laravel-phpunit.yml | 7 +- .github/workflows/pr-compress-images.yml | 9 +- .github/workflows/pr-lint.yml | 252 +++++++++++++----- .github/workflows/release-drafter.yml | 7 +- .github/workflows/release-monthly.yaml | 5 +- .github/workflows/reviewdog-linters.yml | 5 +- .github/workflows/stale.yml | 12 +- .../workflows/sync-labels-to-own-projects.yml | 7 +- .github/workflows/sync-labels.yml | 5 +- .gitignore | 4 +- .mega-linter.yml | 46 ++++ .pre-commit-config.yaml | 5 +- .prettierrc.json | 1 + README.md | 2 +- package-lock.json | 6 +- package.json | 3 +- 21 files changed, 275 insertions(+), 131 deletions(-) create mode 100644 .cspell.json create mode 100644 .mega-linter.yml create mode 100644 .prettierrc.json diff --git a/.cspell.json b/.cspell.json new file mode 100644 index 0000000..2a4908b --- /dev/null +++ b/.cspell.json @@ -0,0 +1,7 @@ +{ + "ignorePaths": ["**/node_modules/**", "**/vscode-extension/**", "**/.git/**", "**/.pnpm-lock.json", ".vscode", "megalinter", "package-lock.json", "report"], + "language": "en", + "noConfigSearch": true, + "words": ["megalinter", "oxsecurity"], + "version": "0.2" +} diff --git a/.github/renovate.json b/.github/renovate.json index f02f654..66f4a27 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -1,6 +1,4 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", - "extends": [ - "github>ivuorinen/renovate-config" - ] + "extends": ["github>ivuorinen/renovate-config"] } diff --git a/.github/workflows/composer-install.yml b/.github/workflows/composer-install.yml index 2e475d6..5374e2d 100644 
--- a/.github/workflows/composer-install.yml +++ b/.github/workflows/composer-install.yml @@ -1,9 +1,6 @@ --- name: Run Composer Install -env: - ACTIONS_ALLOW_UNSECURE_COMMAND: false - on: workflow_dispatch: pull_request: @@ -12,9 +9,9 @@ on: - "composer.lock" permissions: - contents: write + contents: read packages: read - statuses: write + statuses: read jobs: ComposerInstall: diff --git a/.github/workflows/compress-images.yml b/.github/workflows/compress-images.yml index 8d0ce4c..ab41970 100644 --- a/.github/workflows/compress-images.yml +++ b/.github/workflows/compress-images.yml @@ -3,18 +3,15 @@ # Open a Pull Request if any images can be compressed. name: Compress Images on Demand -env: - ACTIONS_ALLOW_UNSECURE_COMMAND: false - on: workflow_dispatch: schedule: - cron: "00 23 * * 0" permissions: - contents: write - statuses: write - pull-requests: write + contents: read + statuses: read + pull-requests: read jobs: CompressOnDemandOrSchedule: diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 7404979..2545ba3 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -10,9 +10,6 @@ # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement name: "Dependency Review" -env: - ACTIONS_ALLOW_UNSECURE_COMMAND: false - on: [pull_request] permissions: diff --git a/.github/workflows/laravel-phpunit.yml b/.github/workflows/laravel-phpunit.yml index ff4b686..ba9b096 100644 --- a/.github/workflows/laravel-phpunit.yml +++ b/.github/workflows/laravel-phpunit.yml @@ -1,9 +1,6 @@ --- name: Laravel Setup and Composer test -env: - ACTIONS_ALLOW_UNSECURE_COMMAND: false - on: push: branches: [main] @@ -11,9 +8,9 @@ on: branches: [main] permissions: - contents: write + contents: read packages: read - statuses: write + statuses: read jobs: laravel-tests: 
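Review bot: The new `contents: read` and `statuses: read` lines remove the only write scopes this workflow had, but the `ComposerInstall` job that would use them lies outside the hunk and the hunk adds no job-level `permissions:` to replace them; once a `permissions:` block exists every unlisted scope is `none`, so any step that posts a commit status or pushes will now fail with "Resource not accessible by integration". The same reduction is applied in compress-images.yml, laravel-phpunit.yml, pr-compress-images.yml, release-drafter.yml, release-monthly.yaml, reviewdog-linters.yml, stale.yml, sync-labels-to-own-projects.yml and sync-labels.yml, and two of those carry visible evidence that write was needed: the compress-images.yml header says it opens a Pull Request, which requires `contents: write` and `pull-requests: write`, and the stale.yml line being dropped ties `contents: write` to the delete-branch option. Please confirm each job body, and where a job really writes, grant the scope on that job only, e.g. for `CompressOnDemandOrSchedule`: `permissions:` / `  contents: write` / `  pull-requests: write`, leaving the workflow-level block read-only as this commit intends.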
diff --git a/.github/workflows/pr-compress-images.yml b/.github/workflows/pr-compress-images.yml index 3337752..cea93b5 100644 --- a/.github/workflows/pr-compress-images.yml +++ b/.github/workflows/pr-compress-images.yml @@ -1,9 +1,6 @@ --- name: Compress Images -env: - ACTIONS_ALLOW_UNSECURE_COMMAND: false - on: pull_request: # Run Image Actions when JPG, JPEG, PNG or WebP files are added or changed. @@ -15,10 +12,10 @@ on: - "**.webp" permissions: - contents: write + contents: read packages: read - statuses: write - pull-requests: write + statuses: read + pull-requests: read jobs: CompressInPR: diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml index 8f68e5f..641805a 100644 --- a/.github/workflows/pr-lint.yml +++ b/.github/workflows/pr-lint.yml 
@@ -1,85 +1,209 @@ +# MegaLinter GitHub Action configuration file +# More info at https://megalinter.io --- -################################# -################################# -## Super Linter GitHub Actions ## -################################# -################################# -name: Lint Code Base +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json +name: MegaLinter (Cupcake) -# -# Documentation: -# https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions -# - -env: - MAIN_BRANCH: main - ACTIONS_ALLOW_UNSECURE_COMMAND: false - -############################# -# Start the job on all push # -############################# on: - push: - branches-ignore: [master, main] - # Remove the line above to run when pushing to master pull_request: - branches: [master, main] + branches: + - main + - master permissions: contents: read - packages: read - statuses: write + issues: read + pull-requests: read + statuses: read + +env: + APPLY_FIXES: all + APPLY_FIXES_EVENT: pull_request + APPLY_FIXES_MODE: commit + FILEIO_REPORTER: false # Generate file.io report + GITHUB_STATUS_REPORTER: true # Generate GitHub status report + IGNORE_GENERATED_FILES: true # Ignore generated files + JAVASCRIPT_DEFAULT_STYLE: prettier # Default style for JavaScript + PRINT_ALPACA: false # Print Alpaca logo in console + SARIF_REPORTER: true # Generate SARIF report + SHOW_ELAPSED_TIME: false # Show elapsed time at the end of MegaLinter run + SHOW_SKIPPED_LINTERS: false # Show skipped linters in MegaLinter log + # Tooling configuration + REPOSITORY_KICS_DISABLE_ERRORS: true # Show errors as warnings in KICS + # Linters that are run, but not reported on + DISABLE_ERRORS_LINTERS: REPOSITORY_DEVSKIM + # List of linters to disable. These are not typical in my repos, + # except for spelling errors and copypasta. I'm handling those + # with other tools. 
+ DISABLE: ARM, C, CLOJURE, COFFEE, COPYPASTE, DART, GROOVY, JAVA, KOTLIN, R, SALESFORCE, SCALA, SNAKEMAKE, SPELL, SWIFT, TEKTON, VBDOTNET + DISABLE_LINTERS: REPOSITORY_DEVSKIM + +concurrency: + group: ${{ github.ref }}-${{ github.workflow }} + cancel-in-progress: true -############### -# Set the Job # -############### jobs: - build: - # Name the Job - name: Lint Code Base - # Set the agent to run on + megalinter: + name: MegaLinter runs-on: ubuntu-latest - ############################################ - # Grant status permission for MULTI_STATUS # - ############################################ + # Give the default GITHUB_TOKEN write permission to commit and push, comment + # issues, and post new Pull Requests; remove the ones you do not need permissions: - contents: read - packages: read - statuses: write + contents: write # Required for PR creation + issues: write # Required for PR creation + pull-requests: write # Required for PR creation + statuses: write # Required for GitHub Security tab upload - ################## - # Load all steps # - ################## steps: - ########################## - # Checkout the code base # - ########################## + # Git Checkout - name: Checkout Code uses: actions/checkout@v4 with: - # Full git history is needed to get a proper - # list of changed files within `super-linter` + token: ${{ secrets.FIXIMUS_TOKEN || secrets.PAT || secrets.GITHUB_TOKEN }} + + # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to + # improve performance fetch-depth: 0 - ################################ - # Run Linter against code base # - ################################ - - name: Lint Code Base - uses: super-linter/super-linter/slim@v7 + # MegaLinter + - name: MegaLinter + + # You can override MegaLinter flavor used to have faster performances + # More info at https://megalinter.io/latest/flavors/ + uses: oxsecurity/megalinter/flavors/cupcake@v8.4.0 + + id: ml + + # All available variables are described in documentation + # 
https://megalinter.io/latest/config-file/ env: - VALIDATE_ALL_CODEBASE: false - LINTER_RULES_PATH: "${DEFAULT_WORKSPACE}" - FIX_ANSIBLE: true - FIX_ENV: true - FIX_JSON: true - FIX_JSONC_PRETTIER: true - FIX_MARKDOWN: true - FIX_SHELL_SHFMT: true - FIX_TERRAFORM_FMT: true - FIX_TYPESCRIPT_PRETTIER: true - FIX_VUE_PRETTIER: true - FIX_YAML_PRETTIER: true - # Change to 'master' if your main branch differs - DEFAULT_BRANCH: ${{ env.MAIN_BRANCH }} + # Validates all source when push on main, else just the git diff with + # main. Override with true if you always want to lint all sources + # + # To validate the entire codebase, set to: + # VALIDATE_ALL_CODEBASE: true + # + # To validate only diff with main, set to: + # VALIDATE_ALL_CODEBASE: >- + # ${{ + # github.event_name == 'push' && + # github.ref == 'refs/heads/main' + # }} + VALIDATE_ALL_CODEBASE: true + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # Uncomment to use ApiReporter (Grafana) + # API_REPORTER: true + # API_REPORTER_URL: ${{ secrets.API_REPORTER_URL }} + # API_REPORTER_BASIC_AUTH_USERNAME: ${{ secrets.API_REPORTER_BASIC_AUTH_USERNAME }} + # API_REPORTER_BASIC_AUTH_PASSWORD: ${{ secrets.API_REPORTER_BASIC_AUTH_PASSWORD }} + # API_REPORTER_METRICS_URL: ${{ secrets.API_REPORTER_METRICS_URL }} + # API_REPORTER_METRICS_BASIC_AUTH_USERNAME: ${{ secrets.API_REPORTER_METRICS_BASIC_AUTH_USERNAME }} + # API_REPORTER_METRICS_BASIC_AUTH_PASSWORD: ${{ secrets.API_REPORTER_METRICS_BASIC_AUTH_PASSWORD }} + # API_REPORTER_DEBUG: false + + # ADD YOUR CUSTOM ENV VARIABLES HERE TO OVERRIDE VALUES OF + # .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY + + # Upload MegaLinter artifacts + - name: Archive production artifacts + uses: actions/upload-artifact@v4 + if: success() || failure() + with: + name: MegaLinter reports + include-hidden-files: "true" + path: | + megalinter-reports + mega-linter.log + + # Create pull request if applicable + # (for now works only on PR from same repository, not from forks) + - name: Create 
Pull Request with applied fixes + uses: peter-evans/create-pull-request@v6 + id: cpr + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'pull_request' && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) && + !contains(github.event.head_commit.message, 'skip fix') + with: + token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} + commit-message: "[MegaLinter] Apply linters automatic fixes" + title: "[MegaLinter] Apply linters automatic fixes" + labels: bot + + - name: Create PR output + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'pull_request' && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) && + !contains(github.event.head_commit.message, 'skip fix') + run: | + echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}" + echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}" + + # Push new commit if applicable + # (for now works only on PR from same repository, not from forks) + - name: Prepare commit + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'commit' && + github.ref != 'refs/heads/main' && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) && + !contains(github.event.head_commit.message, 'skip fix') + run: sudo chown -Rc $UID .git/ + + - name: Commit and push applied linter fixes + uses: stefanzweifel/git-auto-commit-action@v5 + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 
'commit' && + github.ref != 'refs/heads/main' && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) && + !contains(github.event.head_commit.message, 'skip fix') + with: + branch: >- + ${{ + github.event.pull_request.head.ref || + github.head_ref || + github.ref + }} + commit_message: "[MegaLinter] Apply linters fixes" + commit_user_name: fiximus + commit_user_email: github-bot@ivuorinen.net + + - name: Upload MegaLinter scan results to GitHub Security tab + if: success() || failure() + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "megalinter-reports/megalinter-report.sarif" diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index e4539ce..ca8de7d 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -1,15 +1,12 @@ --- name: Release Drafter -env: - ACTIONS_ALLOW_UNSECURE_COMMAND=false - on: workflow_call: permissions: - contents: write - statuses: write + contents: read + statuses: read packages: read jobs: diff --git a/.github/workflows/release-monthly.yaml b/.github/workflows/release-monthly.yaml index 4e31299..465bf10 100644 --- a/.github/workflows/release-monthly.yaml +++ b/.github/workflows/release-monthly.yaml @@ -2,16 +2,13 @@ # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: "Release" -env: - ACTIONS_ALLOW_UNSECURE_COMMAND=false - on: workflow_dispatch: schedule: - cron: "0 0 1 * *" # 1st of every month at midnight permissions: - contents: write + contents: read packages: read statuses: read diff --git a/.github/workflows/reviewdog-linters.yml b/.github/workflows/reviewdog-linters.yml index 8916585..8124a22 100644 --- a/.github/workflows/reviewdog-linters.yml +++ b/.github/workflows/reviewdog-linters.yml 
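Review bot: The last step, `github/codeql-action/upload-sarif@v2`, requires `security-events: write`, which the job's `permissions:` block does not grant; the comment on `statuses: write` ("Required for GitHub Security tab upload") attributes that need to the wrong scope, so the upload will be rejected even on same-repository PRs. Add `security-events: write # Required for upload-sarif` to the job permissions and reword the `statuses` comment to refer to the status reporter only. The `@v2` major of codeql-action is deprecated in favour of `@v3`, so the reference should move at the same time. Because the step runs under `if: success() || failure()`, it also executes for fork PRs where the token is read-only; gate it on `github.event.pull_request.head.repo.full_name == github.repository` as the commit step already does, or mark it `continue-on-error: true` so a failed upload does not mask the lint result.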
@@ -3,13 +3,10 @@ name: Reviewdog Linters on: [pull_request] -env: - ACTIONS_ALLOW_UNSECURE_COMMAND: false - permissions: contents: read packages: read - statuses: write + statuses: read jobs: linters: diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index e423ea5..882d1a2 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -1,9 +1,7 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: Stale -env: - ACTIONS_ALLOW_UNSECURE_COMMAND: false - on: schedule: - cron: "0 8 * * *" @@ -11,11 +9,9 @@ on: workflow_dispatch: permissions: - contents: write # only for delete-branch option - issues: write - pull-requests: write - statuses: read - packages: read + contents: read + issues: read + pull-requests: read jobs: stale: diff --git a/.github/workflows/sync-labels-to-own-projects.yml b/.github/workflows/sync-labels-to-own-projects.yml index 25c3ad2..617d181 100644 --- a/.github/workflows/sync-labels-to-own-projects.yml +++ b/.github/workflows/sync-labels-to-own-projects.yml @@ -1,9 +1,6 @@ --- name: Sync labels to other repositories -env: - ACTIONS_ALLOW_UNSECURE_COMMAND: false - on: push: branches: @@ -16,8 +13,8 @@ on: - cron: "0 0 * * *" # Every day at midnight permissions: - contents: write - statuses: write + contents: read + statuses: read jobs: sync-labels: diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 5552daf..873ae8d 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -2,9 +2,6 @@ # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: Sync labels -env: - ACTIONS_ALLOW_UNSECURE_COMMAND: false - on: push: branches: @@ -17,7 +14,7 @@ on: workflow_dispatch: permissions: - issues: write + issues: read contents: read statuses: read packages: read diff --git a/.gitignore b/.gitignore index 3c3629e..b366d43 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1 +1,3 @@ -node_modules +.idea/ +node_modules/ +megalinter-reports/ diff --git a/.mega-linter.yml b/.mega-linter.yml new file mode 100644 index 0000000..2715690 --- /dev/null +++ b/.mega-linter.yml @@ -0,0 +1,46 @@ +# Configuration file for MegaLinter +# +# See all available variables at https://megalinter.io/latest/config-file/ and in +# linters documentation + +APPLY_FIXES: all # Apply fixes automatically +FILEIO_REPORTER: false # Generate file.io report +GITHUB_STATUS_REPORTER: true # Generate GitHub status report +IGNORE_GENERATED_FILES: true # Ignore generated files +JAVASCRIPT_DEFAULT_STYLE: prettier # Default style for JavaScript +PRINT_ALPACA: false # Print Alpaca logo in console +SARIF_REPORTER: true # Generate SARIF report +SHOW_ELAPSED_TIME: false # Show elapsed time at the end of MegaLinter run +SHOW_SKIPPED_LINTERS: false # Show skipped linters in MegaLinter log + +# Tooling configuration +REPOSITORY_KICS_DISABLE_ERRORS: true # Show errors as warnings in KICS + +# Linters that are run, but not reported on +DISABLE_ERRORS_LINTERS: + - REPOSITORY_DEVSKIM + +# List of linters to disable. These are not typical in my repos, +# except for spelling errors and copypasta. I'm handling those +# with other tools. +DISABLE: + - ARM + - C + - CLOJURE + - COFFEE + - COPYPASTE + - DART + - GROOVY + - JAVA + - KOTLIN + - R + - SALESFORCE + - SCALA + - SNAKEMAKE + - SPELL + - SWIFT + - TEKTON + - VBDOTNET + +DISABLE_LINTERS: + - REPOSITORY_DEVSKIM diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2bd0206..9bef48e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -53,8 +53,7 @@ repos: - id: renovate-config-validator - repo: https://github.com/bridgecrewio/checkov.git - rev: '3.2.354' + rev: 3.2.354 hooks: - id: checkov - args: - - '--quiet' + args: [--quiet] diff --git a/.prettierrc.json b/.prettierrc.json new file mode 100644 index 0000000..0967ef4 --- /dev/null +++ b/.prettierrc.json @@ -0,0 +1 @@ +{} 
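Review bot: In the new .mega-linter.yml, `REPOSITORY_DEVSKIM` appears under both `DISABLE_LINTERS` and `DISABLE_ERRORS_LINTERS`; a disabled linter never runs, so the `DISABLE_ERRORS_LINTERS` entry is dead and implies a "run but do not fail" intent the file does not implement — keep one of the two. `REPOSITORY_KICS_DISABLE_ERRORS: true` downgrades every KICS infrastructure-security finding to a warning, so such findings can never fail the run; that is a reasonable choice when results are tracked through the SARIF upload, but it deserves a comment stating so, e.g. `# KICS findings are surfaced via SARIF_REPORTER, not as gating errors`. The same settings, including the DevSkim duplication, are repeated verbatim in the pr-lint.yml `env:` block, whose own comment says that block exists to override this file; keeping both copies means every future change must be made twice, so the workflow copy could be reduced to the values that genuinely differ.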
diff --git a/README.md b/README.md index c5321be..4032966 100644 --- a/README.md +++ b/README.md @@ -37,5 +37,5 @@ the following snippet as `.github/renovate.json`. ``` [reusable]: https://docs.github.com/en/actions/using-workflows/reusing-workflows#calling-a-reusable-workflow -[jobs]: https://docs.github.com/en/actions/using-workflows/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsuses +[jobs]: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsuses [onboarding]: https://docs.renovatebot.com/getting-started/installing-onboarding diff --git a/package-lock.json b/package-lock.json index 28071f1..a1a7f93 100644 --- a/package-lock.json +++ b/package-lock.json @@ -13,9 +13,9 @@ } }, "node_modules/prettier": { - "version": "3.3.3", - "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.3.3.tgz", - "integrity": "sha512-i2tDNA0O5IrMO757lfrdQZCc2jPNDVntV0m/+4whiDfWaTKfMNgR7Qz0NAeGz/nRqF4m5/6CLzbP4/liHt12Ew==", + "version": "3.4.2", + "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.4.2.tgz", + "integrity": "sha512-e9MewbtFo+Fevyuxn/4rrcDAaq0IYxPGLvObpQjiZBMAzB9IGmzlnG9RZy3FFas+eBMu2vA0CszMeduow5dIuQ==", "dev": true, "license": "MIT", "bin": { diff --git a/package.json b/package.json index b7e0b31..1b3bb2f 100644 --- a/package.json +++ b/package.json @@ -4,7 +4,8 @@ "private": true, "description": "My Shared GitHub Actions & Configurations.", "scripts": { - "test": "echo \"Error: no test specified\" && exit 1" + "lint": "npx mega-linter-runner --flavor cupcake", + "test": "echo \"Error: no test specified\" && exit 0" }, "author": "Ismo Vuorinen ", "license": "MIT",
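Review bot: The `test` script still prints "Error: no test specified" but now ends with `exit 0`, so `npm test` succeeds while telling the reader that nothing was tested; any CI step that calls it will go green without running anything. Either keep the non-zero exit so the placeholder fails loudly, or make the no-op explicit: `"test": "echo \"No tests defined\" && exit 0"`. The new `lint` script runs `npx mega-linter-runner` without a version, so the runner floats independently of the `@v8.4.0` pinned in pr-lint.yml; pinning it (`npx mega-linter-runner@<version>`, placeholder) keeps local and CI linting on the same release.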