feat(github-action): update oxsecurity/megalinter (v8.6.0 → v8.7.0) (#28)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.cspell.json

@@ -0,0 +1,7 @@
+{
+  "ignorePaths": ["**/node_modules/**", "**/vscode-extension/**", "**/.git/**", "**/.pnpm-lock.json", ".vscode", "megalinter", "package-lock.json", "report"],
+  "language": "en",
+  "noConfigSearch": true,
+  "words": ["megalinter", "oxsecurity"],
+  "version": "0.2"
+}

.envrc

@@ -0,0 +1 @@
+use asdf

.github/renovate.json

@@ -1,4 +1,4 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["github>ivuorinen/.github:renovate-config"]
+  "extends": ["github>ivuorinen/renovate-config"]
 }

.github/renovate/autoMerge.json5

@@ -1,21 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "packageRules": [
-    {
-      "description": ["Auto-merge container digests updates for trusted containers"],
-      "matchDatasources": ["docker"],
-      "automerge": true,
-      "automergeType": "branch",
-      "matchUpdateTypes": ["digest"],
-      "matchPackagePatterns": ["ghcr.io/bjw-s", "ghcr.io/onedr0p"]
-    },
-    {
-      "description": ["Auto-merge GitHub Actions for minor and patch"],
-      "matchManagers": ["github-actions"],
-      "matchDatasources": ["github-tags"],
-      "automerge": true,
-      "automergeType": "branch",
-      "matchUpdateTypes": ["minor", "patch"]
-    }
-  ]
-}

.github/renovate/commitMessage.json5

@@ -1,16 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "commitMessageTopic": "{{depName}}",
-  "commitMessageExtra": "to {{newVersion}}",
-  "commitMessageSuffix": "",
-  "packageRules": [
-    {
-      "matchDatasources": ["helm"],
-      "commitMessageTopic": "chart {{depName}}"
-    },
-    {
-      "matchDatasources": ["docker"],
-      "commitMessageTopic": "image {{depName}}"
-    }
-  ]
-}

.github/renovate/labels.json5

@@ -1,49 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "packageRules": [
-    {
-      "matchUpdateTypes": ["major"],
-      "labels": ["type/major"]
-    },
-    {
-      "matchUpdateTypes": ["minor"],
-      "labels": ["type/minor"]
-    },
-    {
-      "matchUpdateTypes": ["patch"],
-      "labels": ["type/patch"]
-    },
-    {
-      "matchUpdateTypes": ["digest"],
-      "labels": ["type/digest"]
-    },
-    {
-      "matchDatasources": ["docker"],
-      "addLabels": ["renovate/container"]
-    },
-    {
-      "matchDatasources": ["helm"],
-      "addLabels": ["renovate/helm"]
-    },
-    {
-      "matchDatasources": ["galaxy", "galaxy-collection"],
-      "addLabels": ["renovate/ansible"]
-    },
-    {
-      "matchDatasources": ["terraform-provider"],
-      "addLabels": ["renovate/terraform"]
-    },
-    {
-      "matchDatasources": ["github-releases", "github-tags"],
-      "addLabels": ["renovate/github-release"]
-    },
-    {
-      "matchManagers": ["github-actions"],
-      "addLabels": ["renovate/github-action"]
-    },
-    {
-      "matchDatasources": ["pypi"],
-      "addLabels": ["renovate/pip"]
-    }
-  ]
-}

.github/renovate/semanticCommits.json5

@@ -1,151 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "packageRules": [
-    {
-      "matchDatasources": ["docker"],
-      "matchUpdateTypes": ["major"],
-      "commitMessagePrefix": "feat(container)!: ",
-      "commitMessageTopic": "{{depName}}",
-      "commitMessageExtra": " ( {{currentVersion}} → {{newVersion}} )"
-    },
-    {
-      "matchDatasources": ["docker"],
-      "matchUpdateTypes": ["minor"],
-      "semanticCommitType": "feat",
-      "semanticCommitScope": "container",
-      "commitMessageTopic": "{{depName}}",
-      "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
-    },
-    {
-      "matchDatasources": ["docker"],
-      "matchUpdateTypes": ["patch"],
-      "semanticCommitType": "fix",
-      "semanticCommitScope": "container",
-      "commitMessageTopic": "{{depName}}",
-      "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
-    },
-    {
-      "matchDatasources": ["docker"],
-      "matchUpdateTypes": ["digest"],
-      "semanticCommitType": "chore",
-      "semanticCommitScope": "container",
-      "commitMessageTopic": "{{depName}}",
-      "commitMessageExtra": "( {{currentDigestShort}} → {{newDigestShort}} )"
-    },
-    {
-      "matchDatasources": ["helm"],
-      "matchUpdateTypes": ["major"],
-      "commitMessagePrefix": "feat(helm)!: ",
-      "commitMessageTopic": "{{depName}}",
-      "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
-    },
-    {
-      "matchDatasources": ["helm"],
-      "matchUpdateTypes": ["minor"],
-      "semanticCommitType": "feat",
-      "semanticCommitScope": "helm",
-      "commitMessageTopic": "{{depName}}",
-      "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
-    },
-    {
-      "matchDatasources": ["helm"],
-      "matchUpdateTypes": ["patch"],
-      "semanticCommitType": "fix",
-      "semanticCommitScope": "helm",
-      "commitMessageTopic": "{{depName}}",
-      "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
-    },
-    {
-      "matchDatasources": ["galaxy", "galaxy-collection"],
-      "matchUpdateTypes": ["major"],
-      "commitMessagePrefix": "feat(ansible)!: ",
-      "commitMessageTopic": "{{depName}}",
-      "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
-    },
-    {
-      "matchDatasources": ["galaxy", "galaxy-collection"],
-      "matchUpdateTypes": ["minor"],
-      "semanticCommitType": "feat",
-      "semanticCommitScope": "ansible",
-      "commitMessageTopic": "{{depName}}",
-      "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
-    },
-    {
-      "matchDatasources": ["galaxy", "galaxy-collection"],
-      "matchUpdateTypes": ["patch"],
-      "semanticCommitType": "fix",
-      "semanticCommitScope": "ansible",
-      "commitMessageTopic": "{{depName}}",
-      "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
-    },
-    {
-      "matchDatasources": ["terraform-provider"],
-      "matchUpdateTypes": ["major"],
-      "commitMessagePrefix": "feat(terraform)!: ",
-      "commitMessageTopic": "{{depName}}",
-      "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
-    },
-    {
-      "matchDatasources": ["terraform-provider"],
-      "matchUpdateTypes": ["minor"],
-      "semanticCommitType": "feat",
-      "semanticCommitScope": "terraform",
-      "commitMessageTopic": "{{depName}}",
-      "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
-    },
-    {
-      "matchDatasources": ["terraform-provider"],
-      "matchUpdateTypes": ["patch"],
-      "semanticCommitType": "fix",
-      "semanticCommitScope": "terraform",
-      "commitMessageTopic": "{{depName}}",
-      "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
-    },
-    {
-      "matchDatasources": ["github-releases", "github-tags"],
-      "matchUpdateTypes": ["major"],
-      "commitMessagePrefix": "feat(github-release)!: ",
-      "commitMessageTopic": "{{depName}}",
-      "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
-    },
-    {
-      "matchDatasources": ["github-releases", "github-tags"],
-      "matchUpdateTypes": ["minor"],
-      "semanticCommitType": "feat",
-      "semanticCommitScope": "github-release",
-      "commitMessageTopic": "{{depName}}",
-      "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
-    },
-    {
-      "matchDatasources": ["github-releases", "github-tags"],
-      "matchUpdateTypes": ["patch"],
-      "semanticCommitType": "fix",
-      "semanticCommitScope": "github-release",
-      "commitMessageTopic": "{{depName}}",
-      "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
-    },
-    {
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["major"],
-      "commitMessagePrefix": "feat(github-action)!: ",
-      "commitMessageTopic": "{{depName}}",
-      "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
-    },
-    {
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["minor"],
-      "semanticCommitType": "feat",
-      "semanticCommitScope": "github-action",
-      "commitMessageTopic": "{{depName}}",
-      "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
-    },
-    {
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["patch"],
-      "semanticCommitType": "fix",
-      "semanticCommitScope": "github-action",
-      "commitMessageTopic": "{{depName}}",
-      "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )"
-    }
-  ]
-}

.github/workflows/composer-install.yml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Run Composer Install
 
 on:
@@ -9,24 +10,30 @@ on:
       - "composer.lock"
 
 permissions:
-  contents: write
-  statuses: write
+  contents: read
+  packages: read
+  statuses: read
 
 jobs:
   ComposerInstall:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+      packages: read
+      statuses: write
+
     strategy:
       matrix:
         operating-system: ["ubuntu-latest"]
-        php: ["8.0", "8.1", "8.2"]
+        php: ["8.1", "8.2", "8.3", "8.4"]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Cache Composer packages
         id: composer-cache
-        uses: actions/cache@v4
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
         with:
           path: vendor
           key: ${{ runner.os }}-php-${{ matrix.php }}-${{ hashFiles('**/composer.json') }}
@@ -35,7 +42,7 @@ jobs:
             ${{ runner.os }}-php-
 
       - name: Composer (PHP ${{ matrix.php }})
-        uses: php-actions/composer@v6
+        uses: php-actions/composer@8a65f0d3c6a1d17ca4800491a40b5756a4c164f3 # v6
         with:
           php_version: ${{ matrix.php }}
           args: --no-progress --prefer-dist --optimize-autoloader

.github/workflows/compress-images.yml

@@ -1,4 +1,6 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+#
 # Compress images on demand (workflow_dispatch), and at 11pm every Sunday (schedule).
 # Open a Pull Request if any images can be compressed.
 name: Compress Images on Demand
@@ -9,17 +11,24 @@ on:
     - cron: "00 23 * * 0"
 
 permissions:
-  contents: write
-  statuses: write
-  pull-requests: write
+  contents: read
+  statuses: read
+  pull-requests: read
 
 jobs:
   CompressOnDemandOrSchedule:
     name: calibreapp/image-actions
+
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+      statuses: write
+      pull-requests: write
+
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Compress Images
         id: calibre
@@ -30,7 +39,7 @@ jobs:
 
       - name: Create New Pull Request If Needed
         if: steps.calibre.outputs.markdown != ''
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7
         with:
           title: Compressed Images Nightly
           branch-suffix: timestamp

.github/workflows/dependency-review.yml

@@ -1,4 +1,6 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+#
 # Dependency Review Action
 #
 # This Action will scan dependency manifest files that change as part of a Pull Request,
@@ -14,13 +16,19 @@ on: [pull_request]
 
 permissions:
   contents: read
+  packages: read
+  statuses: read
 
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+      statuses: read
     steps:
       - name: "Checkout Repository"
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: "Dependency Review"
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4

.github/workflows/laravel-phpunit.yml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Laravel Setup and Composer test
 
 on:
@@ -8,23 +9,29 @@ on:
     branches: [main]
 
 permissions:
-  contents: write
-  statuses: write
+  contents: read
+  packages: read
+  statuses: read
 
 jobs:
   laravel-tests:
     runs-on: ubuntu-latest
 
-    steps:
-      - uses: shivammathur/setup-php@v2
-        with:
-          php-version: "8.1"
+    permissions:
+      contents: write
+      packages: read
+      statuses: write
 
-      - uses: actions/checkout@v4
+    steps:
+      - uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # v2
+        with:
+          php-version: "8.3"
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: "Check file existence"
         id: check_files
-        uses: andstor/file-existence-action@v3
+        uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
         with:
           files: "package.json, artisan"
 

.github/workflows/pr-compress-images.yml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Compress Images
 
 on:
@@ -12,9 +13,10 @@ on:
       - "**.webp"
 
 permissions:
-  contents: write
-  statuses: write
-  pull-requests: write
+  contents: read
+  packages: read
+  statuses: read
+  pull-requests: read
 
 jobs:
   CompressInPR:
@@ -22,9 +24,16 @@ jobs:
     if: github.event.pull_request.head.repo.full_name == github.repository
     name: calibreapp/image-actions
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+      packages: read
+      statuses: write
+      pull-requests: write
+
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Compress Images
         uses: calibreapp/image-actions@main

.github/workflows/pr-lint.yml

@@ -1,68 +1,210 @@
+# MegaLinter GitHub Action configuration file
+# More info at https://megalinter.io
 ---
-#################################
-#################################
-## Super Linter GitHub Actions ##
-#################################
-#################################
-name: Lint Code Base
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: MegaLinter (Cupcake)
 
-#
-# Documentation:
-# https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
-#
-
-env:
-  MAIN_BRANCH: main
-
-#############################
-# Start the job on all push #
-#############################
 on:
-  push:
-    branches-ignore: [master, main]
-    # Remove the line above to run when pushing to master
   pull_request:
-    branches: [master, main]
+    branches:
+      - main
+      - master
 
-############################################
-# Grant status permission for MULTI_STATUS #
-############################################
 permissions:
   contents: read
-  packages: read
-  statuses: write
+  issues: read
+  pull-requests: read
+  statuses: read
+
+env:
+  APPLY_FIXES: all
+  APPLY_FIXES_EVENT: pull_request
+  APPLY_FIXES_MODE: commit
+  FILEIO_REPORTER: false # Generate file.io report
+  GITHUB_STATUS_REPORTER: true # Generate GitHub status report
+  IGNORE_GENERATED_FILES: true # Ignore generated files
+  JAVASCRIPT_DEFAULT_STYLE: prettier # Default style for JavaScript
+  PRINT_ALPACA: false # Print Alpaca logo in console
+  SARIF_REPORTER: true # Generate SARIF report
+  SHOW_ELAPSED_TIME: false # Show elapsed time at the end of MegaLinter run
+  SHOW_SKIPPED_LINTERS: false # Show skipped linters in MegaLinter log
+  # Tooling configuration
+  REPOSITORY_KICS_DISABLE_ERRORS: true # Show errors as warnings in KICS
+  SPELL_CSPELL_DISABLE_ERRORS: true
+  # Linters that are run, but not reported on
+  DISABLE_ERRORS_LINTERS: REPOSITORY_DEVSKIM
+  # List of linters to disable. These are not typical in my repos,
+  # except for spelling errors and copypasta. I'm handling those
+  # with other tools.
+  DISABLE: ARM, C, CLOJURE, COFFEE, COPYPASTE, DART, GROOVY, JAVA, KOTLIN, R, SALESFORCE, SCALA, SNAKEMAKE, SPELL, SWIFT, TEKTON, VBDOTNET
+  DISABLE_LINTERS: REPOSITORY_DEVSKIM, SPELL_CSPELL
+
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
 
-###############
-# Set the Job #
-###############
 jobs:
-  build:
-    # Name the Job
-    name: Lint Code Base
-    # Set the agent to run on
+  megalinter:
+    name: MegaLinter
     runs-on: ubuntu-latest
 
-    ##################
-    # Load all steps #
-    ##################
+    # Give the default GITHUB_TOKEN write permission to commit and push, comment
+    # issues, and post new Pull Requests; remove the ones you do not need
+    permissions:
+      contents: write # Required for PR creation
+      issues: write # Required for PR creation
+      pull-requests: write # Required for PR creation
+      statuses: write # Required for GitHub Security tab upload
+
     steps:
-      ##########################
-      # Checkout the code base #
-      ##########################
+      # Git Checkout
       - name: Checkout Code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
-          # Full git history is needed to get a proper
-          # list of changed files within `super-linter`
+          token: ${{ secrets.FIXIMUS_TOKEN || secrets.PAT || secrets.GITHUB_TOKEN }}
+
+          # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to
+          # improve performance
           fetch-depth: 0
 
-      ################################
-      # Run Linter against code base #
-      ################################
-      - name: Lint Code Base
-        uses: github/super-linter@v6
+      # MegaLinter
+      - name: MegaLinter
+
+        # You can override MegaLinter flavor used to have faster performances
+        # More info at https://megalinter.io/latest/flavors/
+        uses: oxsecurity/megalinter/flavors/cupcake@5a91fb06c83d0e69fbd23756d47438aa723b4a5a # v8.7.0
+
+        id: ml
+
+        # All available variables are described in documentation
+        # https://megalinter.io/latest/config-file/
         env:
-          VALIDATE_ALL_CODEBASE: false
-          # Change to 'master' if your main branch differs
-          DEFAULT_BRANCH: ${{ env.MAIN_BRANCH }}
+          # Validates all source when push on main, else just the git diff with
+          # main. Override with true if you always want to lint all sources
+          #
+          # To validate the entire codebase, set to:
+          # VALIDATE_ALL_CODEBASE: true
+          #
+          # To validate only diff with main, set to:
+          # VALIDATE_ALL_CODEBASE: >-
+          #   ${{
+          #     github.event_name == 'push' &&
+          #     github.ref == 'refs/heads/main'
+          #   }}
+          VALIDATE_ALL_CODEBASE: true
+
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+          # Uncomment to use ApiReporter (Grafana)
+          # API_REPORTER: true
+          # API_REPORTER_URL: ${{ secrets.API_REPORTER_URL }}
+          # API_REPORTER_BASIC_AUTH_USERNAME: ${{ secrets.API_REPORTER_BASIC_AUTH_USERNAME }}
+          # API_REPORTER_BASIC_AUTH_PASSWORD: ${{ secrets.API_REPORTER_BASIC_AUTH_PASSWORD }}
+          # API_REPORTER_METRICS_URL: ${{ secrets.API_REPORTER_METRICS_URL }}
+          # API_REPORTER_METRICS_BASIC_AUTH_USERNAME: ${{ secrets.API_REPORTER_METRICS_BASIC_AUTH_USERNAME }}
+          # API_REPORTER_METRICS_BASIC_AUTH_PASSWORD: ${{ secrets.API_REPORTER_METRICS_BASIC_AUTH_PASSWORD }}
+          # API_REPORTER_DEBUG: false
+
+          # ADD YOUR CUSTOM ENV VARIABLES HERE TO OVERRIDE VALUES OF
+          # .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY
+
+      # Upload MegaLinter artifacts
+      - name: Archive production artifacts
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
+        if: success() || failure()
+        with:
+          name: MegaLinter reports
+          include-hidden-files: "true"
+          path: |
+            megalinter-reports
+            mega-linter.log
+
+      # Create pull request if applicable
+      # (for now works only on PR from same repository, not from forks)
+      - name: Create Pull Request with applied fixes
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7
+        id: cpr
+        if: >-
+          steps.ml.outputs.has_updated_sources == 1 &&
+          (
+            env.APPLY_FIXES_EVENT == 'all' ||
+            env.APPLY_FIXES_EVENT == github.event_name
+          ) &&
+          env.APPLY_FIXES_MODE == 'pull_request' &&
+          (
+            github.event_name == 'push' ||
+            github.event.pull_request.head.repo.full_name == github.repository
+          ) &&
+          !contains(github.event.head_commit.message, 'skip fix')
+        with:
+          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          commit-message: "[MegaLinter] Apply linters automatic fixes"
+          title: "[MegaLinter] Apply linters automatic fixes"
+          labels: bot
+
+      - name: Create PR output
+        if: >-
+          steps.ml.outputs.has_updated_sources == 1 &&
+          (
+            env.APPLY_FIXES_EVENT == 'all' ||
+            env.APPLY_FIXES_EVENT == github.event_name
+          ) &&
+          env.APPLY_FIXES_MODE == 'pull_request' &&
+          (
+            github.event_name == 'push' ||
+            github.event.pull_request.head.repo.full_name == github.repository
+          ) &&
+          !contains(github.event.head_commit.message, 'skip fix')
+        run: |
+          echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}"
+          echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}"
+
+      # Push new commit if applicable
+      # (for now works only on PR from same repository, not from forks)
+      - name: Prepare commit
+        if: >-
+          steps.ml.outputs.has_updated_sources == 1 &&
+          (
+            env.APPLY_FIXES_EVENT == 'all' ||
+            env.APPLY_FIXES_EVENT == github.event_name
+          ) &&
+          env.APPLY_FIXES_MODE == 'commit' &&
+          github.ref != 'refs/heads/main' &&
+          (
+            github.event_name == 'push' ||
+            github.event.pull_request.head.repo.full_name == github.repository
+          ) &&
+          !contains(github.event.head_commit.message, 'skip fix')
+        run: sudo chown -Rc $UID .git/
+
+      - name: Commit and push applied linter fixes
+        uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5
+        if: >-
+          steps.ml.outputs.has_updated_sources == 1 &&
+          (
+            env.APPLY_FIXES_EVENT == 'all' ||
+            env.APPLY_FIXES_EVENT == github.event_name
+          ) &&
+          env.APPLY_FIXES_MODE == 'commit' &&
+          github.ref != 'refs/heads/main' &&
+          (
+            github.event_name == 'push' ||
+            github.event.pull_request.head.repo.full_name == github.repository
+          ) &&
+          !contains(github.event.head_commit.message, 'skip fix')
+        with:
+          branch: >-
+            ${{
+              github.event.pull_request.head.ref ||
+              github.head_ref ||
+              github.ref
+            }}
+          commit_message: "[MegaLinter] Apply linters fixes"
+          commit_user_name: fiximus
+          commit_user_email: github-bot@ivuorinen.net
+
+      - name: Upload MegaLinter scan results to GitHub Security tab
+        if: success() || failure()
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3
+        with:
+          sarif_file: "megalinter-reports/megalinter-report.sarif"

.github/workflows/release-drafter.yml

@@ -1,19 +1,25 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Release Drafter
 
 on:
   workflow_call:
 
 permissions:
-  contents: write
-  statuses: write
+  contents: read
+  statuses: read
+  packages: read
 
 jobs:
   update_release_draft:
     name: ✏️ Draft release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      statuses: write
+      packages: read
     steps:
       - name: 🚀 Run Release Drafter
-        uses: release-drafter/release-drafter@v6.0.0
+        uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release-monthly.yaml

@@ -8,15 +8,22 @@ on:
     - cron: "0 0 1 * *" # 1st of every month at midnight
 
 permissions:
-  contents: write
+  contents: read
+  packages: read
+  statuses: read
 
 jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: read
+      statuses: read
+
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Create Release
         shell: bash

.github/workflows/reviewdog-linters.yml

@@ -1,22 +1,29 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Reviewdog Linters
 
-on: [push]
+on: [pull_request]
 
 permissions:
   contents: read
   packages: read
-  statuses: write
+  statuses: read
 
 jobs:
   linters:
     name: Linters
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: read
+      statuses: write
+
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: GitHub Actions
-        uses: reviewdog/action-actionlint@v1
+        uses: reviewdog/action-actionlint@abd537417cf4991e1ba8e21a67b1119f4f53b8e0 # v1
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           reporter: github-pr-review
@@ -28,13 +35,13 @@ jobs:
           reporter: github-pr-review
 
       - name: markdownlint
-        uses: reviewdog/action-markdownlint@v0
+        uses: reviewdog/action-markdownlint@f901468edf9a3634dd39b35ba26cad0aad1a0bfd # v0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           reporter: github-pr-review
 
       - name: shfmt
-        uses: reviewdog/action-shfmt@v1
+        uses: reviewdog/action-shfmt@f59386f08bd9a24ac1a746e69f026ddc2ed06710 # v1
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           shfmt_flags: |
@@ -50,7 +57,7 @@ jobs:
             --func-next-line
 
       - name: yamllint
-        uses: reviewdog/action-yamllint@v1
+        uses: reviewdog/action-yamllint@1dca3ad811867be18fbe293a9818d715a6c2cd46 # v1
         with:
           github_token: ${{ secrets.github_token }}
           reporter: github-pr-review

.github/workflows/stale.yml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Stale
 
 on:
@@ -8,17 +9,27 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: write # only for delete-branch option
-  issues: write
-  pull-requests: write
+  contents: read
+  issues: read
+  pull-requests: read
+  statuses: read
+  packages: read
 
 jobs:
   stale:
     name: 🧹 Clean up stale issues and PRs
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: write # only for delete-branch option
+      issues: write
+      pull-requests: write
+      statuses: read
+      packages: read
+
     steps:
       - name: 🚀 Run stale
-        uses: actions/stale@v9.0.0
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           days-before-stale: 30

.github/workflows/sync-labels-to-own-projects.yml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Sync labels to other repositories
 
 on:
@@ -13,16 +14,19 @@ on:
     - cron: "0 0 * * *" # Every day at midnight
 
 permissions:
-  contents: write
-  statuses: write
+  contents: read
+  statuses: read
 
 jobs:
   sync-labels:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      statuses: write
     outputs:
       repos: ${{ steps.repos.outputs.REPOS }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Get Repositories
         id: repos
@@ -44,7 +48,7 @@ jobs:
             echo "$REPOS"
             echo "$EOF"
           } >> "$GITHUB_ENV"
-      - uses: micnncim/action-label-syncer@v1
+      - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1
         with:
           prune: true
           repository: ${{ steps.repos.outputs.REPOS }}

.github/workflows/sync-labels.yml

@@ -14,12 +14,20 @@ on:
   workflow_dispatch:
 
 permissions:
-  issues: write
+  issues: read
+  contents: read
+  statuses: read
+  packages: read
 
 jobs:
   labels:
     name: ♻️ Sync labels
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      contents: read
+      statuses: read
+      packages: read
     steps:
       - name: ⤵️ Download latest labels definitions
         run: |
@@ -27,7 +35,7 @@ jobs:
             "https://raw.githubusercontent.com/ivuorinen/.github/main/.github/labels.yml" \
             > labels.yml
       - name: 🚀 Run Label Syncer
-        uses: micnncim/action-label-syncer@v1.3.0
+        uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.gitignore

@@ -0,0 +1,3 @@
+.idea/
+node_modules/
+megalinter-reports/

.jscpd.json

@@ -0,0 +1,6 @@
+{
+  "threshold": 5,
+  "reporters": ["consoleFull"],
+  "ignore": ["**/__snapshots__/**", "**/node_modules/**"],
+  "absolute": true
+}

.mega-linter.yml

@@ -0,0 +1,46 @@
+# Configuration file for MegaLinter
+#
+# See all available variables at https://megalinter.io/latest/config-file/ and in
+# linters documentation
+
+APPLY_FIXES: all # Apply fixes automatically
+FILEIO_REPORTER: false # Generate file.io report
+GITHUB_STATUS_REPORTER: true # Generate GitHub status report
+IGNORE_GENERATED_FILES: true # Ignore generated files
+JAVASCRIPT_DEFAULT_STYLE: prettier # Default style for JavaScript
+PRINT_ALPACA: false # Print Alpaca logo in console
+SARIF_REPORTER: true # Generate SARIF report
+SHOW_ELAPSED_TIME: false # Show elapsed time at the end of MegaLinter run
+SHOW_SKIPPED_LINTERS: false # Show skipped linters in MegaLinter log
+
+# Tooling configuration
+REPOSITORY_KICS_DISABLE_ERRORS: true # Show errors as warnings in KICS
+
+# Linters that are run, but not reported on
+DISABLE_ERRORS_LINTERS:
+  - REPOSITORY_DEVSKIM
+
+# List of linters to disable. These are not typical in my repos,
+# except for spelling errors and copypasta. I'm handling those
+# with other tools.
+DISABLE:
+  - ARM
+  - C
+  - CLOJURE
+  - COFFEE
+  - COPYPASTE
+  - DART
+  - GROOVY
+  - JAVA
+  - KOTLIN
+  - R
+  - SALESFORCE
+  - SCALA
+  - SNAKEMAKE
+  - SPELL
+  - SWIFT
+  - TEKTON
+  - VBDOTNET
+
+DISABLE_LINTERS:
+  - REPOSITORY_DEVSKIM

.pre-commit-config.yaml

@@ -0,0 +1,59 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: requirements-txt-fixer
+      - id: detect-private-key
+      - id: trailing-whitespace
+        args: [--markdown-linebreak-ext=md]
+      - id: check-case-conflict
+      - id: check-merge-conflict
+      - id: check-executables-have-shebangs
+      - id: check-shebang-scripts-are-executable
+      - id: check-symlinks
+      - id: check-toml
+      - id: check-xml
+      - id: check-yaml
+        args: [--allow-multiple-documents]
+      - id: end-of-file-fixer
+      - id: mixed-line-ending
+        args: [--fix=auto]
+      - id: pretty-format-json
+        args: [--autofix, --no-sort-keys]
+
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: v0.43.0
+    hooks:
+      - id: markdownlint
+        args: [-c, .markdownlint.yaml, --fix]
+
+  - repo: https://github.com/adrienverge/yamllint
+    rev: v1.35.1
+    hooks:
+      - id: yamllint
+
+  - repo: https://github.com/koalaman/shellcheck-precommit
+    rev: v0.10.0
+    hooks:
+      - id: shellcheck
+
+  - repo: https://github.com/scop/pre-commit-shfmt
+    rev: v3.10.0-2
+    hooks:
+      - id: shfmt
+
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.7
+    hooks:
+      - id: actionlint
+
+  - repo: https://github.com/renovatebot/pre-commit-hooks
+    rev: 39.122.0
+    hooks:
+      - id: renovate-config-validator
+
+  - repo: https://github.com/bridgecrewio/checkov.git
+    rev: 3.2.354
+    hooks:
+      - id: checkov
+        args: [--quiet]

.prettierignore

@@ -0,0 +1,3 @@
+# Ignore artifacts:
+build
+coverage

.prettierrc

@@ -0,0 +1 @@
+{}

.prettierrc.json

@@ -0,0 +1 @@
+{}

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2022 Ismo Vuorinen
+Copyright (c) 2022-2024 Ismo Vuorinen
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -16,7 +16,7 @@ jobs:
   ReusableMatrixJobForComposerInstall:
     strategy:
       matrix:
-        target: ["8.0", "8.1", "8.2"]
+        target: ["8.0", "8.1", "8.2", "8.3"]
     uses: ivuorinen/.github/workflows/composer-install.yml@main
     with:
       php-versions: ${{ matrix.target }}
@@ -32,10 +32,10 @@ the following snippet as `.github/renovate.json`.
 ```json
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["github>ivuorinen/.github:renovate-config"]
+  "extends": ["github>ivuorinen/renovate-config"]
 }
 ```
 
 [reusable]: https://docs.github.com/en/actions/using-workflows/reusing-workflows#calling-a-reusable-workflow
-[jobs]: https://docs.github.com/en/actions/using-workflows/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsuses
+[jobs]: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsuses
 [onboarding]: https://docs.renovatebot.com/getting-started/installing-onboarding

package-lock.json

@@ -0,0 +1,32 @@
+{
+  "name": "@ivuorinen/dotgithub",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "@ivuorinen/dotgithub",
+      "version": "1.0.0",
+      "license": "MIT",
+      "devDependencies": {
+        "prettier": "^3.3.3"
+      }
+    },
+    "node_modules/prettier": {
+      "version": "3.4.2",
+      "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.4.2.tgz",
+      "integrity": "sha512-e9MewbtFo+Fevyuxn/4rrcDAaq0IYxPGLvObpQjiZBMAzB9IGmzlnG9RZy3FFas+eBMu2vA0CszMeduow5dIuQ==",
+      "dev": true,
+      "license": "MIT",
+      "bin": {
+        "prettier": "bin/prettier.cjs"
+      },
+      "engines": {
+        "node": ">=14"
+      },
+      "funding": {
+        "url": "https://github.com/prettier/prettier?sponsor=1"
+      }
+    }
+  }
+}

package.json

@@ -0,0 +1,15 @@
+{
+  "name": "@ivuorinen/dotgithub",
+  "version": "1.0.0",
+  "private": true,
+  "description": "My Shared GitHub Actions & Configurations.",
+  "scripts": {
+    "lint": "npx mega-linter-runner --flavor cupcake",
+    "test": "echo \"Error: no test specified\" && exit 0"
+  },
+  "author": "Ismo Vuorinen <https://github.com/ivuorinen>",
+  "license": "MIT",
+  "devDependencies": {
+    "prettier": "^3.3.3"
+  }
+}

renovate-config.json

@@ -1,61 +1,5 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "description": "Renovate config for projects ivuorinen manages",
-  "extends": [
-    "config:recommended",
-    ":enableVulnerabilityAlerts",
-    ":labels(dependencies)",
-    ":maintainLockFilesWeekly",
-    ":preserveSemverRanges",
-    ":semanticCommits",
-    ":timezone(Europe/Helsinki)",
-    "github>ivuorinen/.github//.github/renovate/autoMerge.json5",
-    "github>ivuorinen/.github//.github/renovate/commitMessage.json5",
-    "github>ivuorinen/.github//.github/renovate/labels.json5",
-    "github>ivuorinen/.github//.github/renovate/semanticCommits.json5",
-    "docker:enableMajor",
-    "group:recommended",
-    "npm:unpublishSafe",
-    "replacements:all",
-    "schedule:nonOfficeHours",
-    "workarounds:all"
-  ],
-  "dependencyDashboardLabels": [
-    "no-stale"
-  ],
-  "lockFileMaintenance": {
-    "extends": [
-      "group:all"
-    ],
-    "commitMessageAction": "Update"
-  },
-  "packageRules": [
-    {
-      "matchPackagePatterns": [
-        "eslint"
-      ],
-      "groupName": "eslint"
-    }
-  ],
-  "digest": {
-    "enabled": false
-  },
-  "assigneesFromCodeOwners": true,
-  "configMigration": true,
-  "dependencyDashboardTitle": "Renovate Dashboard 🤖",
-  "ignorePaths": [
-    "**/*.sops.*",
-    "**/.archive/**"
-  ],
-  "separateMajorMinor": true,
-  "separateMinorPatch": false,
-  "separateMultipleMajor": true,
-  "suppressNotifications": [
-    "prEditedNotification",
-    "prIgnoreNotification"
-  ],
-  "vulnerabilityAlerts": {
-    "enabled": true
-  },
-  "commitBody": "Signed-off-by: {{{gitAuthor}}}"
+  "extends": ["github>ivuorinen/renovate-config"]
 }