fix(ci): linting, permissions and configuration

Ismo Vuorinen
2025-01-29 14:27:54 +02:00
parent f3438ac285
commit 1e7b107ece
21 changed files with 275 additions and 131 deletions


@@ -1,6 +1,4 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"github>ivuorinen/renovate-config"
]
"extends": ["github>ivuorinen/renovate-config"]
}


@@ -1,9 +1,6 @@
---
name: Run Composer Install
env:
ACTIONS_ALLOW_UNSECURE_COMMAND: false
on:
workflow_dispatch:
pull_request:
@@ -12,9 +9,9 @@ on:
- "composer.lock"
permissions:
contents: write
contents: read
packages: read
statuses: write
statuses: read
jobs:
ComposerInstall:


@@ -3,18 +3,15 @@
# Open a Pull Request if any images can be compressed.
name: Compress Images on Demand
env:
ACTIONS_ALLOW_UNSECURE_COMMAND: false
on:
workflow_dispatch:
schedule:
- cron: "00 23 * * 0"
permissions:
contents: write
statuses: write
pull-requests: write
contents: read
statuses: read
pull-requests: read
jobs:
CompressOnDemandOrSchedule:
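Review bot: The header comment on L45 says this workflow opens a pull request, yet the permissions block now grants only `contents: read`, `statuses: read` and `pull-requests: read`, so with the default `GITHUB_TOKEN` neither the compressed-image commit nor the PR can be created and the job will fail with 403. If the job really uses `GITHUB_TOKEN` rather than a PAT (the job body is outside the hunk), keep the workflow-level block read-only as this commit intends and scope the writes to the job: `permissions: { contents: write, pull-requests: write }` under `CompressOnDemandOrSchedule`. `statuses: read` is not used by a PR-creating flow and can be dropped; `packages: read` is not needed either unless the action pulls a GHCR image.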


@@ -10,9 +10,6 @@
# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
name: "Dependency Review"
env:
ACTIONS_ALLOW_UNSECURE_COMMAND: false
on: [pull_request]
permissions:


@@ -1,9 +1,6 @@
---
name: Laravel Setup and Composer test
env:
ACTIONS_ALLOW_UNSECURE_COMMAND: false
on:
push:
branches: [main]
@@ -11,9 +8,9 @@ on:
branches: [main]
permissions:
contents: write
contents: read
packages: read
statuses: write
statuses: read
jobs:
laravel-tests:


@@ -1,9 +1,6 @@
---
name: Compress Images
env:
ACTIONS_ALLOW_UNSECURE_COMMAND: false
on:
pull_request:
# Run Image Actions when JPG, JPEG, PNG or WebP files are added or changed.
@@ -15,10 +12,10 @@ on:
- "**.webp"
permissions:
contents: write
contents: read
packages: read
statuses: write
pull-requests: write
statuses: read
pull-requests: read
jobs:
CompressInPR:
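Review bot: The job name `CompressInPR` implies compressed images are committed back to the pull-request branch, which needs `contents: write` (and `pull-requests: write` if the action also comments on the PR); the new `contents: read` / `pull-requests: read` at L108 and L113 make that impossible with `GITHUB_TOKEN`. If the job does commit back (body not visible in the hunk), grant the write scopes on the job itself rather than restoring them workflow-wide, e.g. `permissions: { contents: write, pull-requests: write }` under `CompressInPR`. Note that on `pull_request` from a fork the token is read-only regardless, so a guard such as `if: github.event.pull_request.head.repo.full_name == github.repository` avoids a guaranteed failure there.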


@@ -1,85 +1,209 @@
# MegaLinter GitHub Action configuration file
# More info at https://megalinter.io
---
#################################
#################################
## Super Linter GitHub Actions ##
#################################
#################################
name: Lint Code Base
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: MegaLinter (Cupcake)
#
# Documentation:
# https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
#
env:
MAIN_BRANCH: main
ACTIONS_ALLOW_UNSECURE_COMMAND: false
#############################
# Start the job on all push #
#############################
on:
push:
branches-ignore: [master, main]
# Remove the line above to run when pushing to master
pull_request:
branches: [master, main]
branches:
- main
- master
permissions:
contents: read
packages: read
statuses: write
issues: read
pull-requests: read
statuses: read
env:
APPLY_FIXES: all
APPLY_FIXES_EVENT: pull_request
APPLY_FIXES_MODE: commit
FILEIO_REPORTER: false # Generate file.io report
GITHUB_STATUS_REPORTER: true # Generate GitHub status report
IGNORE_GENERATED_FILES: true # Ignore generated files
JAVASCRIPT_DEFAULT_STYLE: prettier # Default style for JavaScript
PRINT_ALPACA: false # Print Alpaca logo in console
SARIF_REPORTER: true # Generate SARIF report
SHOW_ELAPSED_TIME: false # Show elapsed time at the end of MegaLinter run
SHOW_SKIPPED_LINTERS: false # Show skipped linters in MegaLinter log
# Tooling configuration
REPOSITORY_KICS_DISABLE_ERRORS: true # Show errors as warnings in KICS
# Linters that are run, but not reported on
DISABLE_ERRORS_LINTERS: REPOSITORY_DEVSKIM
# List of linters to disable. These are not typical in my repos,
# except for spelling errors and copypasta. I'm handling those
# with other tools.
DISABLE: ARM, C, CLOJURE, COFFEE, COPYPASTE, DART, GROOVY, JAVA, KOTLIN, R, SALESFORCE, SCALA, SNAKEMAKE, SPELL, SWIFT, TEKTON, VBDOTNET
DISABLE_LINTERS: REPOSITORY_DEVSKIM
concurrency:
group: ${{ github.ref }}-${{ github.workflow }}
cancel-in-progress: true
###############
# Set the Job #
###############
jobs:
build:
# Name the Job
name: Lint Code Base
# Set the agent to run on
megalinter:
name: MegaLinter
runs-on: ubuntu-latest
############################################
# Grant status permission for MULTI_STATUS #
############################################
# Give the default GITHUB_TOKEN write permission to commit and push, comment
# issues, and post new Pull Requests; remove the ones you do not need
permissions:
contents: read
packages: read
statuses: write
contents: write # Required for PR creation
issues: write # Required for PR creation
pull-requests: write # Required for PR creation
statuses: write # Required for GitHub Security tab upload
##################
# Load all steps #
##################
steps:
##########################
# Checkout the code base #
##########################
# Git Checkout
- name: Checkout Code
uses: actions/checkout@v4
with:
# Full git history is needed to get a proper
# list of changed files within `super-linter`
token: ${{ secrets.FIXIMUS_TOKEN || secrets.PAT || secrets.GITHUB_TOKEN }}
# If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to
# improve performance
fetch-depth: 0
################################
# Run Linter against code base #
################################
- name: Lint Code Base
uses: super-linter/super-linter/slim@v7
# MegaLinter
- name: MegaLinter
# You can override MegaLinter flavor used to have faster performances
# More info at https://megalinter.io/latest/flavors/
uses: oxsecurity/megalinter/flavors/cupcake@v8.4.0
id: ml
# All available variables are described in documentation
# https://megalinter.io/latest/config-file/
env:
VALIDATE_ALL_CODEBASE: false
LINTER_RULES_PATH: "${DEFAULT_WORKSPACE}"
FIX_ANSIBLE: true
FIX_ENV: true
FIX_JSON: true
FIX_JSONC_PRETTIER: true
FIX_MARKDOWN: true
FIX_SHELL_SHFMT: true
FIX_TERRAFORM_FMT: true
FIX_TYPESCRIPT_PRETTIER: true
FIX_VUE_PRETTIER: true
FIX_YAML_PRETTIER: true
# Change to 'master' if your main branch differs
DEFAULT_BRANCH: ${{ env.MAIN_BRANCH }}
# Validates all source when push on main, else just the git diff with
# main. Override with true if you always want to lint all sources
#
# To validate the entire codebase, set to:
# VALIDATE_ALL_CODEBASE: true
#
# To validate only diff with main, set to:
# VALIDATE_ALL_CODEBASE: >-
# ${{
# github.event_name == 'push' &&
# github.ref == 'refs/heads/main'
# }}
VALIDATE_ALL_CODEBASE: true
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Uncomment to use ApiReporter (Grafana)
# API_REPORTER: true
# API_REPORTER_URL: ${{ secrets.API_REPORTER_URL }}
# API_REPORTER_BASIC_AUTH_USERNAME: ${{ secrets.API_REPORTER_BASIC_AUTH_USERNAME }}
# API_REPORTER_BASIC_AUTH_PASSWORD: ${{ secrets.API_REPORTER_BASIC_AUTH_PASSWORD }}
# API_REPORTER_METRICS_URL: ${{ secrets.API_REPORTER_METRICS_URL }}
# API_REPORTER_METRICS_BASIC_AUTH_USERNAME: ${{ secrets.API_REPORTER_METRICS_BASIC_AUTH_USERNAME }}
# API_REPORTER_METRICS_BASIC_AUTH_PASSWORD: ${{ secrets.API_REPORTER_METRICS_BASIC_AUTH_PASSWORD }}
# API_REPORTER_DEBUG: false
# ADD YOUR CUSTOM ENV VARIABLES HERE TO OVERRIDE VALUES OF
# .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY
# Upload MegaLinter artifacts
- name: Archive production artifacts
uses: actions/upload-artifact@v4
if: success() || failure()
with:
name: MegaLinter reports
include-hidden-files: "true"
path: |
megalinter-reports
mega-linter.log
# Create pull request if applicable
# (for now works only on PR from same repository, not from forks)
- name: Create Pull Request with applied fixes
uses: peter-evans/create-pull-request@v6
id: cpr
if: >-
steps.ml.outputs.has_updated_sources == 1 &&
(
env.APPLY_FIXES_EVENT == 'all' ||
env.APPLY_FIXES_EVENT == github.event_name
) &&
env.APPLY_FIXES_MODE == 'pull_request' &&
(
github.event_name == 'push' ||
github.event.pull_request.head.repo.full_name == github.repository
) &&
!contains(github.event.head_commit.message, 'skip fix')
with:
token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
commit-message: "[MegaLinter] Apply linters automatic fixes"
title: "[MegaLinter] Apply linters automatic fixes"
labels: bot
- name: Create PR output
if: >-
steps.ml.outputs.has_updated_sources == 1 &&
(
env.APPLY_FIXES_EVENT == 'all' ||
env.APPLY_FIXES_EVENT == github.event_name
) &&
env.APPLY_FIXES_MODE == 'pull_request' &&
(
github.event_name == 'push' ||
github.event.pull_request.head.repo.full_name == github.repository
) &&
!contains(github.event.head_commit.message, 'skip fix')
run: |
echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}"
echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}"
# Push new commit if applicable
# (for now works only on PR from same repository, not from forks)
- name: Prepare commit
if: >-
steps.ml.outputs.has_updated_sources == 1 &&
(
env.APPLY_FIXES_EVENT == 'all' ||
env.APPLY_FIXES_EVENT == github.event_name
) &&
env.APPLY_FIXES_MODE == 'commit' &&
github.ref != 'refs/heads/main' &&
(
github.event_name == 'push' ||
github.event.pull_request.head.repo.full_name == github.repository
) &&
!contains(github.event.head_commit.message, 'skip fix')
run: sudo chown -Rc $UID .git/
- name: Commit and push applied linter fixes
uses: stefanzweifel/git-auto-commit-action@v5
if: >-
steps.ml.outputs.has_updated_sources == 1 &&
(
env.APPLY_FIXES_EVENT == 'all' ||
env.APPLY_FIXES_EVENT == github.event_name
) &&
env.APPLY_FIXES_MODE == 'commit' &&
github.ref != 'refs/heads/main' &&
(
github.event_name == 'push' ||
github.event.pull_request.head.repo.full_name == github.repository
) &&
!contains(github.event.head_commit.message, 'skip fix')
with:
branch: >-
${{
github.event.pull_request.head.ref ||
github.head_ref ||
github.ref
}}
commit_message: "[MegaLinter] Apply linters fixes"
commit_user_name: fiximus
commit_user_email: github-bot@ivuorinen.net
- name: Upload MegaLinter scan results to GitHub Security tab
if: success() || failure()
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "megalinter-reports/megalinter-report.sarif"
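Review bot: The `upload-sarif` step needs `security-events: write`, but the job-level block grants only `contents`/`issues`/`pull-requests`/`statuses: write`, and the inline comment `statuses: write # Required for GitHub Security tab upload` attributes the SARIF upload to the wrong scope — the upload will be rejected with the default token. Add `security-events: write # Required for upload-sarif` to `jobs.megalinter.permissions` and reword the `statuses: write` comment to `# Required for GITHUB_STATUS_REPORTER`. `github/codeql-action/upload-sarif@v2` is also the one action here on a deprecated major line while the others are on current tags; move it to `@v3` and preferably pin by commit SHA, as the exact `megalinter@v8.4.0` tag already gestures toward. Separately, checking out with `secrets.FIXIMUS_TOKEN || secrets.PAT` leaves that PAT in `.git/config` for every later step (`persist-credentials` defaults to true), including the MegaLinter container that executes linter configuration taken from the PR branch; consider `persist-credentials: false` on the checkout and passing the token only to the commit and create-pull-request steps.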


@@ -1,15 +1,12 @@
---
name: Release Drafter
env:
ACTIONS_ALLOW_UNSECURE_COMMAND=false
on:
workflow_call:
permissions:
contents: write
statuses: write
contents: read
statuses: read
packages: read
jobs:
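Review bot: A release-drafter job needs `contents: write` to create or update the draft release, so `contents: read` at L383 will make the drafter call fail with 403; because this is a `workflow_call` workflow, the caller must grant at least that scope as well. Suggest keeping the workflow-level block read-only and adding `permissions: { contents: write }` on the job (plus `pull-requests: write` only if the autolabeler is configured). `packages: read` appears to be newly added here and has no role in release drafting; the job body is outside the hunk, so confirm which action it runs before dropping it.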


@@ -2,16 +2,13 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: "Release"
env:
ACTIONS_ALLOW_UNSECURE_COMMAND=false
on:
workflow_dispatch:
schedule:
- cron: "0 0 1 * *" # 1st of every month at midnight
permissions:
contents: write
contents: read
packages: read
statuses: read
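Review bot: A scheduled "Release" workflow that tags or publishes a release needs `contents: write`; the change to `contents: read` at L401 means `GITHUB_TOKEN` can no longer create the tag or release and the monthly run will fail. If the job does publish (its body is outside the hunk) and does not use a PAT, add `permissions: { contents: write }` on the job while keeping the workflow-level block read-only. `packages: read` and `statuses: read` are newly listed but have no obvious consumer here; drop them unless the job pulls a GHCR image or posts commit statuses.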


@@ -3,13 +3,10 @@ name: Reviewdog Linters
on: [pull_request]
env:
ACTIONS_ALLOW_UNSECURE_COMMAND: false
permissions:
contents: read
packages: read
statuses: write
statuses: read
jobs:
linters:


@@ -1,9 +1,7 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: Stale
env:
ACTIONS_ALLOW_UNSECURE_COMMAND: false
on:
schedule:
- cron: "0 8 * * *"
@@ -11,11 +9,9 @@ on:
workflow_dispatch:
permissions:
contents: write # only for delete-branch option
issues: write
pull-requests: write
statuses: read
packages: read
contents: read
issues: read
pull-requests: read
jobs:
stale:
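Review bot: `issues: read` and `pull-requests: read` at L439–L440 leave the stale job unable to label, comment on or close anything; `actions/stale` (which the name suggests, body not in the hunk) performs those writes with `GITHUB_TOKEN` and fails with 403 on read-only scopes. Keep the workflow-level block read-only as the commit intends but grant the writes on the job: `permissions: { issues: write, pull-requests: write }` under `jobs.stale`, adding `contents: write` only if `delete-branch` is enabled, as the removed comment noted. `statuses: read` and `packages: read` are unused by stale and can be dropped.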


@@ -1,9 +1,6 @@
---
name: Sync labels to other repositories
env:
ACTIONS_ALLOW_UNSECURE_COMMAND: false
on:
push:
branches:
@@ -16,8 +13,8 @@ on:
- cron: "0 0 * * *" # Every day at midnight
permissions:
contents: write
statuses: write
contents: read
statuses: read
jobs:
sync-labels:


@@ -2,9 +2,6 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: Sync labels
env:
ACTIONS_ALLOW_UNSECURE_COMMAND: false
on:
push:
branches:
@@ -17,7 +14,7 @@ on:
workflow_dispatch:
permissions:
issues: write
issues: read
contents: read
statuses: read
packages: read
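Review bot: Creating, renaming or deleting labels goes through the Issues API, so `issues: read` at L478 blocks the label sync this workflow exists for; the first differing label will produce a 403 from `GITHUB_TOKEN`. Assuming the sync job uses the default token rather than a PAT (job not visible in the hunk), keep the workflow-level block read-only and add `permissions: { issues: write }` on the job. `statuses: read` and `packages: read` have no consumer in a label sync and can be removed.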