ivuorinen/.github
1
0
Fork 0
mirror of https://github.com/ivuorinen/.github.git synced 2026-02-14 22:47:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(ci): linting, permissions and configuration

Browse Source
This commit is contained in:
Ismo Vuorinen
2025-01-29 14:27:54 +02:00
parent f3438ac285
commit 1e7b107ece
21 changed files with 275 additions and 131 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
.cspell.json Normal file
View File

@@ -0,0 +1,7 @@
{
"ignorePaths": ["**/node_modules/**", "**/vscode-extension/**", "**/.git/**", "**/.pnpm-lock.json", ".vscode", "megalinter", "package-lock.json", "report"],
"language": "en",
"noConfigSearch": true,
"words": ["megalinter", "oxsecurity"],
"version": "0.2"
}

4
.github/renovate.json vendored
View File

@@ -1,6 +1,4 @@
{ {
"$schema": "https://docs.renovatebot.com/renovate-schema.json", "$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [ "extends": ["github>ivuorinen/renovate-config"]
"github>ivuorinen/renovate-config"
]
} }

7
.github/workflows/composer-install.yml vendored
View File

@@ -1,9 +1,6 @@
--- ---
name: Run Composer Install name: Run Composer Install
env:
ACTIONS_ALLOW_UNSECURE_COMMAND: false
on: on:
workflow_dispatch: workflow_dispatch:
pull_request: pull_request:
@@ -12,9 +9,9 @@ on:
- "composer.lock" - "composer.lock"
permissions: permissions:
contents: write contents: read
packages: read packages: read
statuses: write statuses: read
jobs: jobs:
ComposerInstall: ComposerInstall:

9
.github/workflows/compress-images.yml vendored
View File

@@ -3,18 +3,15 @@
# Open a Pull Request if any images can be compressed. # Open a Pull Request if any images can be compressed.
name: Compress Images on Demand name: Compress Images on Demand
env:
ACTIONS_ALLOW_UNSECURE_COMMAND: false
on: on:
workflow_dispatch: workflow_dispatch:
schedule: schedule:
- cron: "00 23 * * 0" - cron: "00 23 * * 0"
permissions: permissions:
contents: write contents: read
statuses: write statuses: read
pull-requests: write pull-requests: read
jobs: jobs:
CompressOnDemandOrSchedule: CompressOnDemandOrSchedule:

3
.github/workflows/dependency-review.yml vendored
View File

@@ -10,9 +10,6 @@
# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
name: "Dependency Review" name: "Dependency Review"
env:
ACTIONS_ALLOW_UNSECURE_COMMAND: false
on: [pull_request] on: [pull_request]
permissions: permissions:

7
.github/workflows/laravel-phpunit.yml vendored
View File

@@ -1,9 +1,6 @@
--- ---
name: Laravel Setup and Composer test name: Laravel Setup and Composer test
env:
ACTIONS_ALLOW_UNSECURE_COMMAND: false
on: on:
push: push:
branches: [main] branches: [main]
@@ -11,9 +8,9 @@ on:
branches: [main] branches: [main]
permissions: permissions:
contents: write contents: read
packages: read packages: read
statuses: write statuses: read
jobs: jobs:
laravel-tests: laravel-tests:

9
.github/workflows/pr-compress-images.yml vendored
View File

@@ -1,9 +1,6 @@
--- ---
name: Compress Images name: Compress Images
env:
ACTIONS_ALLOW_UNSECURE_COMMAND: false
on: on:
pull_request: pull_request:
# Run Image Actions when JPG, JPEG, PNG or WebP files are added or changed. # Run Image Actions when JPG, JPEG, PNG or WebP files are added or changed.
@@ -15,10 +12,10 @@ on:
- "**.webp" - "**.webp"
permissions: permissions:
contents: write contents: read
packages: read packages: read
statuses: write statuses: read
pull-requests: write pull-requests: read
jobs: jobs:
CompressInPR: CompressInPR:

252
.github/workflows/pr-lint.yml vendored
View File

@@ -1,85 +1,209 @@
# MegaLinter GitHub Action configuration file
# More info at https://megalinter.io
--- ---
################################# # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
################################# name: MegaLinter (Cupcake)
## Super Linter GitHub Actions ##
#################################
#################################
name: Lint Code Base
#
# Documentation:
# https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
#
env:
MAIN_BRANCH: main
ACTIONS_ALLOW_UNSECURE_COMMAND: false
#############################
# Start the job on all push #
#############################
on: on:
push:
branches-ignore: [master, main]
# Remove the line above to run when pushing to master
pull_request: pull_request:
branches: [master, main] branches:
- main
- master
permissions: permissions:
contents: read contents: read
packages: read issues: read
statuses: write pull-requests: read
statuses: read
env:
APPLY_FIXES: all
APPLY_FIXES_EVENT: pull_request
APPLY_FIXES_MODE: commit
FILEIO_REPORTER: false # Generate file.io report
GITHUB_STATUS_REPORTER: true # Generate GitHub status report
IGNORE_GENERATED_FILES: true # Ignore generated files
JAVASCRIPT_DEFAULT_STYLE: prettier # Default style for JavaScript
PRINT_ALPACA: false # Print Alpaca logo in console
SARIF_REPORTER: true # Generate SARIF report
SHOW_ELAPSED_TIME: false # Show elapsed time at the end of MegaLinter run
SHOW_SKIPPED_LINTERS: false # Show skipped linters in MegaLinter log
# Tooling configuration
REPOSITORY_KICS_DISABLE_ERRORS: true # Show errors as warnings in KICS
# Linters that are run, but not reported on
DISABLE_ERRORS_LINTERS: REPOSITORY_DEVSKIM
# List of linters to disable. These are not typical in my repos,
# except for spelling errors and copypasta. I'm handling those
# with other tools.
DISABLE: ARM, C, CLOJURE, COFFEE, COPYPASTE, DART, GROOVY, JAVA, KOTLIN, R, SALESFORCE, SCALA, SNAKEMAKE, SPELL, SWIFT, TEKTON, VBDOTNET
DISABLE_LINTERS: REPOSITORY_DEVSKIM
concurrency:
group: ${{ github.ref }}-${{ github.workflow }}
cancel-in-progress: true
###############
# Set the Job #
###############
jobs: jobs:
build: megalinter:
# Name the Job name: MegaLinter
name: Lint Code Base
# Set the agent to run on
runs-on: ubuntu-latest runs-on: ubuntu-latest
############################################ # Give the default GITHUB_TOKEN write permission to commit and push, comment
# Grant status permission for MULTI_STATUS # # issues, and post new Pull Requests; remove the ones you do not need
############################################
permissions: permissions:
contents: read contents: write # Required for PR creation
packages: read issues: write # Required for PR creation
statuses: write pull-requests: write # Required for PR creation
statuses: write # Required for GitHub Security tab upload
##################
# Load all steps #
##################
steps: steps:
########################## # Git Checkout
# Checkout the code base #
##########################
- name: Checkout Code - name: Checkout Code
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
# Full git history is needed to get a proper token: ${{ secrets.FIXIMUS_TOKEN || secrets.PAT || secrets.GITHUB_TOKEN }}
# list of changed files within `super-linter`
# If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to
# improve performance
fetch-depth: 0 fetch-depth: 0
################################ # MegaLinter
# Run Linter against code base # - name: MegaLinter
################################
- name: Lint Code Base # You can override MegaLinter flavor used to have faster performances
uses: super-linter/super-linter/slim@v7 # More info at https://megalinter.io/latest/flavors/
uses: oxsecurity/megalinter/flavors/cupcake@v8.4.0
id: ml
# All available variables are described in documentation
# https://megalinter.io/latest/config-file/
env: env:
VALIDATE_ALL_CODEBASE: false # Validates all source when push on main, else just the git diff with
LINTER_RULES_PATH: "${DEFAULT_WORKSPACE}" # main. Override with true if you always want to lint all sources
FIX_ANSIBLE: true #
FIX_ENV: true # To validate the entire codebase, set to:
FIX_JSON: true # VALIDATE_ALL_CODEBASE: true
FIX_JSONC_PRETTIER: true #
FIX_MARKDOWN: true # To validate only diff with main, set to:
FIX_SHELL_SHFMT: true # VALIDATE_ALL_CODEBASE: >-
FIX_TERRAFORM_FMT: true # ${{
FIX_TYPESCRIPT_PRETTIER: true # github.event_name == 'push' &&
FIX_VUE_PRETTIER: true # github.ref == 'refs/heads/main'
FIX_YAML_PRETTIER: true # }}
# Change to 'master' if your main branch differs VALIDATE_ALL_CODEBASE: true
DEFAULT_BRANCH: ${{ env.MAIN_BRANCH }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Uncomment to use ApiReporter (Grafana)
# API_REPORTER: true
# API_REPORTER_URL: ${{ secrets.API_REPORTER_URL }}
# API_REPORTER_BASIC_AUTH_USERNAME: ${{ secrets.API_REPORTER_BASIC_AUTH_USERNAME }}
# API_REPORTER_BASIC_AUTH_PASSWORD: ${{ secrets.API_REPORTER_BASIC_AUTH_PASSWORD }}
# API_REPORTER_METRICS_URL: ${{ secrets.API_REPORTER_METRICS_URL }}
# API_REPORTER_METRICS_BASIC_AUTH_USERNAME: ${{ secrets.API_REPORTER_METRICS_BASIC_AUTH_USERNAME }}
# API_REPORTER_METRICS_BASIC_AUTH_PASSWORD: ${{ secrets.API_REPORTER_METRICS_BASIC_AUTH_PASSWORD }}
# API_REPORTER_DEBUG: false
# ADD YOUR CUSTOM ENV VARIABLES HERE TO OVERRIDE VALUES OF
# .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY
# Upload MegaLinter artifacts
- name: Archive production artifacts
uses: actions/upload-artifact@v4
if: success() || failure()
with:
name: MegaLinter reports
include-hidden-files: "true"
path: |
megalinter-reports
mega-linter.log
# Create pull request if applicable
# (for now works only on PR from same repository, not from forks)
- name: Create Pull Request with applied fixes
uses: peter-evans/create-pull-request@v6
id: cpr
if: >-
steps.ml.outputs.has_updated_sources == 1 &&
(
env.APPLY_FIXES_EVENT == 'all' ||
env.APPLY_FIXES_EVENT == github.event_name
) &&
env.APPLY_FIXES_MODE == 'pull_request' &&
(
github.event_name == 'push' ||
github.event.pull_request.head.repo.full_name == github.repository
) &&
!contains(github.event.head_commit.message, 'skip fix')
with:
token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
commit-message: "[MegaLinter] Apply linters automatic fixes"
title: "[MegaLinter] Apply linters automatic fixes"
labels: bot
- name: Create PR output
if: >-
steps.ml.outputs.has_updated_sources == 1 &&
(
env.APPLY_FIXES_EVENT == 'all' ||
env.APPLY_FIXES_EVENT == github.event_name
) &&
env.APPLY_FIXES_MODE == 'pull_request' &&
(
github.event_name == 'push' ||
github.event.pull_request.head.repo.full_name == github.repository
) &&
!contains(github.event.head_commit.message, 'skip fix')
run: |
echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}"
echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}"
# Push new commit if applicable
# (for now works only on PR from same repository, not from forks)
- name: Prepare commit
if: >-
steps.ml.outputs.has_updated_sources == 1 &&
(
env.APPLY_FIXES_EVENT == 'all' ||
env.APPLY_FIXES_EVENT == github.event_name
) &&
env.APPLY_FIXES_MODE == 'commit' &&
github.ref != 'refs/heads/main' &&
(
github.event_name == 'push' ||
github.event.pull_request.head.repo.full_name == github.repository
) &&
!contains(github.event.head_commit.message, 'skip fix')
run: sudo chown -Rc $UID .git/
- name: Commit and push applied linter fixes
uses: stefanzweifel/git-auto-commit-action@v5
if: >-
steps.ml.outputs.has_updated_sources == 1 &&
(
env.APPLY_FIXES_EVENT == 'all' ||
env.APPLY_FIXES_EVENT == github.event_name
) &&
env.APPLY_FIXES_MODE == 'commit' &&
github.ref != 'refs/heads/main' &&
(
github.event_name == 'push' ||
github.event.pull_request.head.repo.full_name == github.repository
) &&
!contains(github.event.head_commit.message, 'skip fix')
with:
branch: >-
${{
github.event.pull_request.head.ref ||
github.head_ref ||
github.ref
}}
commit_message: "[MegaLinter] Apply linters fixes"
commit_user_name: fiximus
commit_user_email: github-bot@ivuorinen.net
- name: Upload MegaLinter scan results to GitHub Security tab
if: success() || failure()
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "megalinter-reports/megalinter-report.sarif"

7
.github/workflows/release-drafter.yml vendored
View File

@@ -1,15 +1,12 @@
--- ---
name: Release Drafter name: Release Drafter
env:
ACTIONS_ALLOW_UNSECURE_COMMAND=false
on: on:
workflow_call: workflow_call:
permissions: permissions:
contents: write contents: read
statuses: write statuses: read
packages: read packages: read
jobs: jobs:

5
.github/workflows/release-monthly.yaml vendored
View File

@@ -2,16 +2,13 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: "Release" name: "Release"
env:
ACTIONS_ALLOW_UNSECURE_COMMAND=false
on: on:
workflow_dispatch: workflow_dispatch:
schedule: schedule:
- cron: "0 0 1 * *" # 1st of every month at midnight - cron: "0 0 1 * *" # 1st of every month at midnight
permissions: permissions:
contents: write contents: read
packages: read packages: read
statuses: read statuses: read

5
.github/workflows/reviewdog-linters.yml vendored
View File

@@ -3,13 +3,10 @@ name: Reviewdog Linters
on: [pull_request] on: [pull_request]
env:
ACTIONS_ALLOW_UNSECURE_COMMAND: false
permissions: permissions:
contents: read contents: read
packages: read packages: read
statuses: write statuses: read
jobs: jobs:
linters: linters:

12
.github/workflows/stale.yml vendored
View File

@@ -1,9 +1,7 @@
--- ---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: Stale name: Stale
env:
ACTIONS_ALLOW_UNSECURE_COMMAND: false
on: on:
schedule: schedule:
- cron: "0 8 * * *" - cron: "0 8 * * *"
@@ -11,11 +9,9 @@ on:
workflow_dispatch: workflow_dispatch:
permissions: permissions:
contents: write # only for delete-branch option contents: read
issues: write issues: read
pull-requests: write pull-requests: read
statuses: read
packages: read
jobs: jobs:
stale: stale:

7
.github/workflows/sync-labels-to-own-projects.yml vendored
View File

@@ -1,9 +1,6 @@
--- ---
name: Sync labels to other repositories name: Sync labels to other repositories
env:
ACTIONS_ALLOW_UNSECURE_COMMAND: false
on: on:
push: push:
branches: branches:
@@ -16,8 +13,8 @@ on:
- cron: "0 0 * * *" # Every day at midnight - cron: "0 0 * * *" # Every day at midnight
permissions: permissions:
contents: write contents: read
statuses: write statuses: read
jobs: jobs:
sync-labels: sync-labels:

5
.github/workflows/sync-labels.yml vendored
View File

@@ -2,9 +2,6 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: Sync labels name: Sync labels
env:
ACTIONS_ALLOW_UNSECURE_COMMAND: false
on: on:
push: push:
branches: branches:
@@ -17,7 +14,7 @@ on:
workflow_dispatch: workflow_dispatch:
permissions: permissions:
issues: write issues: read
contents: read contents: read
statuses: read statuses: read
packages: read packages: read

4
.gitignore vendored
View File

@@ -1 +1,3 @@
node_modules .idea/
node_modules/
megalinter-reports/

46
.mega-linter.yml Normal file
View File

@@ -0,0 +1,46 @@
# Configuration file for MegaLinter
#
# See all available variables at https://megalinter.io/latest/config-file/ and in
# linters documentation
APPLY_FIXES: all # Apply fixes automatically
FILEIO_REPORTER: false # Generate file.io report
GITHUB_STATUS_REPORTER: true # Generate GitHub status report
IGNORE_GENERATED_FILES: true # Ignore generated files
JAVASCRIPT_DEFAULT_STYLE: prettier # Default style for JavaScript
PRINT_ALPACA: false # Print Alpaca logo in console
SARIF_REPORTER: true # Generate SARIF report
SHOW_ELAPSED_TIME: false # Show elapsed time at the end of MegaLinter run
SHOW_SKIPPED_LINTERS: false # Show skipped linters in MegaLinter log
# Tooling configuration
REPOSITORY_KICS_DISABLE_ERRORS: true # Show errors as warnings in KICS
# Linters that are run, but not reported on
DISABLE_ERRORS_LINTERS:
- REPOSITORY_DEVSKIM
# List of linters to disable. These are not typical in my repos,
# except for spelling errors and copypasta. I'm handling those
# with other tools.
DISABLE:
- ARM
- C
- CLOJURE
- COFFEE
- COPYPASTE
- DART
- GROOVY
- JAVA
- KOTLIN
- R
- SALESFORCE
- SCALA
- SNAKEMAKE
- SPELL
- SWIFT
- TEKTON
- VBDOTNET
DISABLE_LINTERS:
- REPOSITORY_DEVSKIM

5
.pre-commit-config.yaml
View File

@@ -53,8 +53,7 @@ repos:
- id: renovate-config-validator - id: renovate-config-validator
- repo: https://github.com/bridgecrewio/checkov.git - repo: https://github.com/bridgecrewio/checkov.git
rev: '3.2.354' rev: 3.2.354
hooks: hooks:
- id: checkov - id: checkov
args: args: [--quiet]
- '--quiet'

1
.prettierrc.json Normal file
View File

@@ -0,0 +1 @@
{}

2
README.md
View File

@@ -37,5 +37,5 @@ the following snippet as `.github/renovate.json`.
``` ```
[reusable]: https://docs.github.com/en/actions/using-workflows/reusing-workflows#calling-a-reusable-workflow [reusable]: https://docs.github.com/en/actions/using-workflows/reusing-workflows#calling-a-reusable-workflow
[jobs]: https://docs.github.com/en/actions/using-workflows/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsuses [jobs]: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsuses
[onboarding]: https://docs.renovatebot.com/getting-started/installing-onboarding [onboarding]: https://docs.renovatebot.com/getting-started/installing-onboarding

6
package-lock.json generated
View File

@@ -13,9 +13,9 @@
} }
}, },
"node_modules/prettier": { "node_modules/prettier": {
"version": "3.3.3", "version": "3.4.2",
"resolved": "https://registry.npmjs.org/prettier/-/prettier-3.3.3.tgz", "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.4.2.tgz",
"integrity": "sha512-i2tDNA0O5IrMO757lfrdQZCc2jPNDVntV0m/+4whiDfWaTKfMNgR7Qz0NAeGz/nRqF4m5/6CLzbP4/liHt12Ew==", "integrity": "sha512-e9MewbtFo+Fevyuxn/4rrcDAaq0IYxPGLvObpQjiZBMAzB9IGmzlnG9RZy3FFas+eBMu2vA0CszMeduow5dIuQ==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"bin": { "bin": {

3
package.json
View File

@@ -4,7 +4,8 @@
"private": true, "private": true,
"description": "My Shared GitHub Actions & Configurations.", "description": "My Shared GitHub Actions & Configurations.",
"scripts": { "scripts": {
"test": "echo \"Error: no test specified\" && exit 1" "lint": "npx mega-linter-runner --flavor cupcake",
"test": "echo \"Error: no test specified\" && exit 0"
}, },
"author": "Ismo Vuorinen <https://github.com/ivuorinen>", "author": "Ismo Vuorinen <https://github.com/ivuorinen>",
"license": "MIT", "license": "MIT",