chore(deps): update pre-commit hook bridgecrewio/checkov (3.2.471 → 3.2.473) (#50)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.cspell.json

@@ -0,0 +1,7 @@
+{
+  "ignorePaths": ["**/node_modules/**", "**/vscode-extension/**", "**/.git/**", "**/.pnpm-lock.json", ".vscode", "megalinter", "package-lock.json", "report"],
+  "language": "en",
+  "noConfigSearch": true,
+  "words": ["megalinter", "oxsecurity"],
+  "version": "0.2"
+}

.envrc

@@ -0,0 +1 @@
+use asdf

.github/workflows/composer-install.yml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Run Composer Install
 
 on:
@@ -8,7 +9,10 @@ on:
       - "composer.json"
       - "composer.lock"
 
-permissions: read-all
+permissions:
+  contents: read
+  packages: read
+  statuses: read
 
 jobs:
   ComposerInstall:
@@ -16,19 +20,20 @@ jobs:
 
     permissions:
       contents: write
+      packages: read
       statuses: write
 
     strategy:
       matrix:
         operating-system: ["ubuntu-latest"]
-        php: ["8.0", "8.1", "8.2"]
+        php: ["8.1", "8.2", "8.3", "8.4"]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Cache Composer packages
         id: composer-cache
-        uses: actions/cache@v4
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
         with:
           path: vendor
           key: ${{ runner.os }}-php-${{ matrix.php }}-${{ hashFiles('**/composer.json') }}
@@ -37,7 +42,7 @@ jobs:
             ${{ runner.os }}-php-
 
       - name: Composer (PHP ${{ matrix.php }})
-        uses: php-actions/composer@v6
+        uses: php-actions/composer@8a65f0d3c6a1d17ca4800491a40b5756a4c164f3 # v6
         with:
           php_version: ${{ matrix.php }}
           args: --no-progress --prefer-dist --optimize-autoloader

.github/workflows/compress-images.yml

@@ -1,4 +1,6 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+#
 # Compress images on demand (workflow_dispatch), and at 11pm every Sunday (schedule).
 # Open a Pull Request if any images can be compressed.
 name: Compress Images on Demand
@@ -8,7 +10,10 @@ on:
   schedule:
     - cron: "00 23 * * 0"
 
-permissions: read-all
+permissions:
+  contents: read
+  statuses: read
+  pull-requests: read
 
 jobs:
   CompressOnDemandOrSchedule:
@@ -23,7 +28,7 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Compress Images
         id: calibre
@@ -34,7 +39,7 @@ jobs:
 
       - name: Create New Pull Request If Needed
         if: steps.calibre.outputs.markdown != ''
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7
         with:
           title: Compressed Images Nightly
           branch-suffix: timestamp

.github/workflows/dependency-review.yml

@@ -1,4 +1,6 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+#
 # Dependency Review Action
 #
 # This Action will scan dependency manifest files that change as part of a Pull Request,
@@ -12,16 +14,21 @@ name: "Dependency Review"
 
 on: [pull_request]
 
-permissions: read-all
+permissions:
+  contents: read
+  packages: read
+  statuses: read
 
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+      packages: read
+      statuses: read
     steps:
       - name: "Checkout Repository"
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: "Dependency Review"
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4

.github/workflows/laravel-phpunit.yml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Laravel Setup and Composer test
 
 on:
@@ -7,7 +8,10 @@ on:
   pull_request:
     branches: [main]
 
-permissions: read-all
+permissions:
+  contents: read
+  packages: read
+  statuses: read
 
 jobs:
   laravel-tests:
@@ -15,18 +19,19 @@ jobs:
 
     permissions:
       contents: write
+      packages: read
       statuses: write
 
     steps:
-      - uses: shivammathur/setup-php@v2
+      - uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # v2
         with:
           php-version: "8.3"
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: "Check file existence"
         id: check_files
-        uses: andstor/file-existence-action@v3
+        uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
         with:
           files: "package.json, artisan"
 

.github/workflows/pr-compress-images.yml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Compress Images
 
 on:
@@ -11,7 +12,11 @@ on:
       - "**.png"
       - "**.webp"
 
-permissions: read-all
+permissions:
+  contents: read
+  packages: read
+  statuses: read
+  pull-requests: read
 
 jobs:
   CompressInPR:
@@ -22,12 +27,13 @@ jobs:
 
     permissions:
       contents: write
+      packages: read
       statuses: write
       pull-requests: write
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Compress Images
         uses: calibreapp/image-actions@main

.github/workflows/pr-lint.yml

@@ -1,75 +1,210 @@
+# MegaLinter GitHub Action configuration file
+# More info at https://megalinter.io
 ---
-#################################
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
-#################################
+name: MegaLinter (Cupcake)
-## Super Linter GitHub Actions ##
-#################################
-#################################
-name: Lint Code Base
 
-#
-# Documentation:
-# https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
-#
-
-env:
-  MAIN_BRANCH: main
-
-#############################
-# Start the job on all push #
-#############################
 on:
-  push:
-    branches-ignore: [master, main]
-    # Remove the line above to run when pushing to master
   pull_request:
-    branches: [master, main]
+    branches:
+      - main
+      - master
 
-permissions: read-all
-
-###############
-# Set the Job #
-###############
-jobs:
-  build:
-    # Name the Job
-    name: Lint Code Base
-    # Set the agent to run on
-    runs-on: ubuntu-latest
-
-    ############################################
-    # Grant status permission for MULTI_STATUS #
-    ############################################
 permissions:
   contents: read
-      packages: read
+  issues: read
-      statuses: write
+  pull-requests: read
+  statuses: read
+
+env:
+  APPLY_FIXES: all
+  APPLY_FIXES_EVENT: pull_request
+  APPLY_FIXES_MODE: commit
+  FILEIO_REPORTER: false # Generate file.io report
+  GITHUB_STATUS_REPORTER: true # Generate GitHub status report
+  IGNORE_GENERATED_FILES: true # Ignore generated files
+  JAVASCRIPT_DEFAULT_STYLE: prettier # Default style for JavaScript
+  PRINT_ALPACA: false # Print Alpaca logo in console
+  SARIF_REPORTER: true # Generate SARIF report
+  SHOW_ELAPSED_TIME: false # Show elapsed time at the end of MegaLinter run
+  SHOW_SKIPPED_LINTERS: false # Show skipped linters in MegaLinter log
+  # Tooling configuration
+  REPOSITORY_KICS_DISABLE_ERRORS: true # Show errors as warnings in KICS
+  SPELL_CSPELL_DISABLE_ERRORS: true
+  # Linters that are run, but not reported on
+  DISABLE_ERRORS_LINTERS: REPOSITORY_DEVSKIM
+  # List of linters to disable. These are not typical in my repos,
+  # except for spelling errors and copypasta. I'm handling those
+  # with other tools.
+  DISABLE: ARM, C, CLOJURE, COFFEE, COPYPASTE, DART, GROOVY, JAVA, KOTLIN, R, SALESFORCE, SCALA, SNAKEMAKE, SPELL, SWIFT, TEKTON, VBDOTNET
+  DISABLE_LINTERS: REPOSITORY_DEVSKIM, SPELL_CSPELL
+
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  megalinter:
+    name: MegaLinter
+    runs-on: ubuntu-latest
+
+    # Give the default GITHUB_TOKEN write permission to commit and push, comment
+    # issues, and post new Pull Requests; remove the ones you do not need
+    permissions:
+      contents: write # Required for PR creation
+      issues: write # Required for PR creation
+      pull-requests: write # Required for PR creation
+      statuses: write # Required for GitHub Security tab upload
 
-    ##################
-    # Load all steps #
-    ##################
     steps:
-      ##########################
+      # Git Checkout
-      # Checkout the code base #
-      ##########################
       - name: Checkout Code
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
-          # Full git history is needed to get a proper
+          token: ${{ secrets.FIXIMUS_TOKEN || secrets.PAT || secrets.GITHUB_TOKEN }}
-          # list of changed files within `super-linter`
+
+          # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to
+          # improve performance
           fetch-depth: 0
 
-      ################################
+      # MegaLinter
-      # Run Linter against code base #
+      - name: MegaLinter
-      ################################
+
-      - name: Lint Code Base
+        # You can override MegaLinter flavor used to have faster performances
-        uses: github/super-linter@v7
+        # More info at https://megalinter.io/latest/flavors/
+        uses: oxsecurity/megalinter/flavors/cupcake@0dcbedd66ea456ba2d54fd350affaa15df8a0da3 # v9.0.1
+
+        id: ml
+
+        # All available variables are described in documentation
+        # https://megalinter.io/latest/config-file/
         env:
-          VALIDATE_ALL_CODEBASE: false
+          # Validates all source when push on main, else just the git diff with
-          FIX_ANSIBLE: true
+          # main. Override with true if you always want to lint all sources
-          FIX_ENV: true
+          #
-          FIX_JSON: true
+          # To validate the entire codebase, set to:
-          FIX_JSONC_PRETTIER: true
+          # VALIDATE_ALL_CODEBASE: true
-          FIX_MARKDOWN: true
+          #
-          # Change to 'master' if your main branch differs
+          # To validate only diff with main, set to:
-          DEFAULT_BRANCH: ${{ env.MAIN_BRANCH }}
+          # VALIDATE_ALL_CODEBASE: >-
+          #   ${{
+          #     github.event_name == 'push' &&
+          #     github.ref == 'refs/heads/main'
+          #   }}
+          VALIDATE_ALL_CODEBASE: true
+
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+          # Uncomment to use ApiReporter (Grafana)
+          # API_REPORTER: true
+          # API_REPORTER_URL: ${{ secrets.API_REPORTER_URL }}
+          # API_REPORTER_BASIC_AUTH_USERNAME: ${{ secrets.API_REPORTER_BASIC_AUTH_USERNAME }}
+          # API_REPORTER_BASIC_AUTH_PASSWORD: ${{ secrets.API_REPORTER_BASIC_AUTH_PASSWORD }}
+          # API_REPORTER_METRICS_URL: ${{ secrets.API_REPORTER_METRICS_URL }}
+          # API_REPORTER_METRICS_BASIC_AUTH_USERNAME: ${{ secrets.API_REPORTER_METRICS_BASIC_AUTH_USERNAME }}
+          # API_REPORTER_METRICS_BASIC_AUTH_PASSWORD: ${{ secrets.API_REPORTER_METRICS_BASIC_AUTH_PASSWORD }}
+          # API_REPORTER_DEBUG: false
+
+          # ADD YOUR CUSTOM ENV VARIABLES HERE TO OVERRIDE VALUES OF
+          # .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY
+
+      # Upload MegaLinter artifacts
+      - name: Archive production artifacts
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
+        if: success() || failure()
+        with:
+          name: MegaLinter reports
+          include-hidden-files: "true"
+          path: |
+            megalinter-reports
+            mega-linter.log
+
+      # Create pull request if applicable
+      # (for now works only on PR from same repository, not from forks)
+      - name: Create Pull Request with applied fixes
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7
+        id: cpr
+        if: >-
+          steps.ml.outputs.has_updated_sources == 1 &&
+          (
+            env.APPLY_FIXES_EVENT == 'all' ||
+            env.APPLY_FIXES_EVENT == github.event_name
+          ) &&
+          env.APPLY_FIXES_MODE == 'pull_request' &&
+          (
+            github.event_name == 'push' ||
+            github.event.pull_request.head.repo.full_name == github.repository
+          ) &&
+          !contains(github.event.head_commit.message, 'skip fix')
+        with:
+          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          commit-message: "[MegaLinter] Apply linters automatic fixes"
+          title: "[MegaLinter] Apply linters automatic fixes"
+          labels: bot
+
+      - name: Create PR output
+        if: >-
+          steps.ml.outputs.has_updated_sources == 1 &&
+          (
+            env.APPLY_FIXES_EVENT == 'all' ||
+            env.APPLY_FIXES_EVENT == github.event_name
+          ) &&
+          env.APPLY_FIXES_MODE == 'pull_request' &&
+          (
+            github.event_name == 'push' ||
+            github.event.pull_request.head.repo.full_name == github.repository
+          ) &&
+          !contains(github.event.head_commit.message, 'skip fix')
+        run: |
+          echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}"
+          echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}"
+
+      # Push new commit if applicable
+      # (for now works only on PR from same repository, not from forks)
+      - name: Prepare commit
+        if: >-
+          steps.ml.outputs.has_updated_sources == 1 &&
+          (
+            env.APPLY_FIXES_EVENT == 'all' ||
+            env.APPLY_FIXES_EVENT == github.event_name
+          ) &&
+          env.APPLY_FIXES_MODE == 'commit' &&
+          github.ref != 'refs/heads/main' &&
+          (
+            github.event_name == 'push' ||
+            github.event.pull_request.head.repo.full_name == github.repository
+          ) &&
+          !contains(github.event.head_commit.message, 'skip fix')
+        run: sudo chown -Rc $UID .git/
+
+      - name: Commit and push applied linter fixes
+        uses: stefanzweifel/git-auto-commit-action@3cc016cfc892e0844046da36fc68da4e525e081f # v6
+        if: >-
+          steps.ml.outputs.has_updated_sources == 1 &&
+          (
+            env.APPLY_FIXES_EVENT == 'all' ||
+            env.APPLY_FIXES_EVENT == github.event_name
+          ) &&
+          env.APPLY_FIXES_MODE == 'commit' &&
+          github.ref != 'refs/heads/main' &&
+          (
+            github.event_name == 'push' ||
+            github.event.pull_request.head.repo.full_name == github.repository
+          ) &&
+          !contains(github.event.head_commit.message, 'skip fix')
+        with:
+          branch: >-
+            ${{
+              github.event.pull_request.head.ref ||
+              github.head_ref ||
+              github.ref
+            }}
+          commit_message: "[MegaLinter] Apply linters fixes"
+          commit_user_name: fiximus
+          commit_user_email: github-bot@ivuorinen.net
+
+      - name: Upload MegaLinter scan results to GitHub Security tab
+        if: success() || failure()
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3
+        with:
+          sarif_file: "megalinter-reports/megalinter-report.sarif"

.github/workflows/release-drafter.yml

@@ -1,10 +1,14 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Release Drafter
 
 on:
   workflow_call:
 
-permissions: read-all
+permissions:
+  contents: read
+  statuses: read
+  packages: read
 
 jobs:
   update_release_draft:
@@ -13,8 +17,9 @@ jobs:
     permissions:
       contents: write
       statuses: write
+      packages: read
     steps:
       - name: 🚀 Run Release Drafter
-        uses: release-drafter/release-drafter@v6.0.0
+        uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release-monthly.yaml

@@ -7,7 +7,10 @@ on:
   schedule:
     - cron: "0 0 1 * *" # 1st of every month at midnight
 
-permissions: read-all
+permissions:
+  contents: read
+  packages: read
+  statuses: read
 
 jobs:
   release:
@@ -15,9 +18,12 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      packages: read
+      statuses: read
+
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Create Release
         shell: bash

.github/workflows/reviewdog-linters.yml

@@ -1,9 +1,13 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Reviewdog Linters
 
-on: [push]
+on: [pull_request]
 
-permissions: read-all
+permissions:
+  contents: read
+  packages: read
+  statuses: read
 
 jobs:
   linters:
@@ -16,10 +20,10 @@ jobs:
       statuses: write
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: GitHub Actions
-        uses: reviewdog/action-actionlint@v1
+        uses: reviewdog/action-actionlint@abd537417cf4991e1ba8e21a67b1119f4f53b8e0 # v1
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           reporter: github-pr-review
@@ -31,13 +35,13 @@ jobs:
           reporter: github-pr-review
 
       - name: markdownlint
-        uses: reviewdog/action-markdownlint@v0
+        uses: reviewdog/action-markdownlint@f901468edf9a3634dd39b35ba26cad0aad1a0bfd # v0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           reporter: github-pr-review
 
       - name: shfmt
-        uses: reviewdog/action-shfmt@v1
+        uses: reviewdog/action-shfmt@f59386f08bd9a24ac1a746e69f026ddc2ed06710 # v1
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           shfmt_flags: |
@@ -53,7 +57,7 @@ jobs:
             --func-next-line
 
       - name: yamllint
-        uses: reviewdog/action-yamllint@v1
+        uses: reviewdog/action-yamllint@1dca3ad811867be18fbe293a9818d715a6c2cd46 # v1
         with:
           github_token: ${{ secrets.github_token }}
           reporter: github-pr-review

.github/workflows/stale.yml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Stale
 
 on:
@@ -7,7 +8,12 @@ on:
   workflow_call:
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
+  issues: read
+  pull-requests: read
+  statuses: read
+  packages: read
 
 jobs:
   stale:
@@ -18,10 +24,12 @@ jobs:
       contents: write # only for delete-branch option
       issues: write
       pull-requests: write
+      statuses: read
+      packages: read
 
     steps:
       - name: 🚀 Run stale
-        uses: actions/stale@v9.0.0
+        uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           days-before-stale: 30

.github/workflows/sync-labels-to-own-projects.yml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Sync labels to other repositories
 
 on:
@@ -12,7 +13,9 @@ on:
   schedule:
     - cron: "0 0 * * *" # Every day at midnight
 
-permissions: read-all
+permissions:
+  contents: read
+  statuses: read
 
 jobs:
   sync-labels:
@@ -23,7 +26,7 @@ jobs:
     outputs:
       repos: ${{ steps.repos.outputs.REPOS }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Get Repositories
         id: repos
@@ -45,7 +48,7 @@ jobs:
             echo "$REPOS"
             echo "$EOF"
           } >> "$GITHUB_ENV"
-      - uses: micnncim/action-label-syncer@v1
+      - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1
         with:
           prune: true
           repository: ${{ steps.repos.outputs.REPOS }}

.github/workflows/sync-labels.yml

@@ -13,7 +13,11 @@ on:
   workflow_call:
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  issues: read
+  contents: read
+  statuses: read
+  packages: read
 
 jobs:
   labels:
@@ -21,6 +25,9 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       issues: write
+      contents: read
+      statuses: read
+      packages: read
     steps:
       - name: ⤵️ Download latest labels definitions
         run: |
@@ -28,7 +35,7 @@ jobs:
             "https://raw.githubusercontent.com/ivuorinen/.github/main/.github/labels.yml" \
             > labels.yml
       - name: 🚀 Run Label Syncer
-        uses: micnncim/action-label-syncer@v1.3.0
+        uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.gitignore

@@ -1 +1,3 @@
-node_modules
+.idea/
+node_modules/
+megalinter-reports/

.mega-linter.yml

@@ -0,0 +1,46 @@
+# Configuration file for MegaLinter
+#
+# See all available variables at https://megalinter.io/latest/config-file/ and in
+# linters documentation
+
+APPLY_FIXES: all # Apply fixes automatically
+FILEIO_REPORTER: false # Generate file.io report
+GITHUB_STATUS_REPORTER: true # Generate GitHub status report
+IGNORE_GENERATED_FILES: true # Ignore generated files
+JAVASCRIPT_DEFAULT_STYLE: prettier # Default style for JavaScript
+PRINT_ALPACA: false # Print Alpaca logo in console
+SARIF_REPORTER: true # Generate SARIF report
+SHOW_ELAPSED_TIME: false # Show elapsed time at the end of MegaLinter run
+SHOW_SKIPPED_LINTERS: false # Show skipped linters in MegaLinter log
+
+# Tooling configuration
+REPOSITORY_KICS_DISABLE_ERRORS: true # Show errors as warnings in KICS
+
+# Linters that are run, but not reported on
+DISABLE_ERRORS_LINTERS:
+  - REPOSITORY_DEVSKIM
+
+# List of linters to disable. These are not typical in my repos,
+# except for spelling errors and copypasta. I'm handling those
+# with other tools.
+DISABLE:
+  - ARM
+  - C
+  - CLOJURE
+  - COFFEE
+  - COPYPASTE
+  - DART
+  - GROOVY
+  - JAVA
+  - KOTLIN
+  - R
+  - SALESFORCE
+  - SCALA
+  - SNAKEMAKE
+  - SPELL
+  - SWIFT
+  - TEKTON
+  - VBDOTNET
+
+DISABLE_LINTERS:
+  - REPOSITORY_DEVSKIM

.pre-commit-config.yaml

@@ -0,0 +1,59 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: requirements-txt-fixer
+      - id: detect-private-key
+      - id: trailing-whitespace
+        args: [--markdown-linebreak-ext=md]
+      - id: check-case-conflict
+      - id: check-merge-conflict
+      - id: check-executables-have-shebangs
+      - id: check-shebang-scripts-are-executable
+      - id: check-symlinks
+      - id: check-toml
+      - id: check-xml
+      - id: check-yaml
+        args: [--allow-multiple-documents]
+      - id: end-of-file-fixer
+      - id: mixed-line-ending
+        args: [--fix=auto]
+      - id: pretty-format-json
+        args: [--autofix, --no-sort-keys]
+
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: v0.45.0
+    hooks:
+      - id: markdownlint
+        args: [-c, .markdownlint.yaml, --fix]
+
+  - repo: https://github.com/adrienverge/yamllint
+    rev: v1.37.1
+    hooks:
+      - id: yamllint
+
+  - repo: https://github.com/koalaman/shellcheck-precommit
+    rev: v0.11.0
+    hooks:
+      - id: shellcheck
+
+  - repo: https://github.com/scop/pre-commit-shfmt
+    rev: v3.10.0-2
+    hooks:
+      - id: shfmt
+
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.7
+    hooks:
+      - id: actionlint
+
+  - repo: https://github.com/renovatebot/pre-commit-hooks
+    rev: 41.97.10
+    hooks:
+      - id: renovate-config-validator
+
+  - repo: https://github.com/bridgecrewio/checkov.git
+    rev: 3.2.473
+    hooks:
+      - id: checkov
+        args: [--quiet]

.prettierrc.json

@@ -0,0 +1 @@
+{}

README.md

@@ -37,5 +37,5 @@ the following snippet as `.github/renovate.json`.
 ```
 
 [reusable]: https://docs.github.com/en/actions/using-workflows/reusing-workflows#calling-a-reusable-workflow
-[jobs]: https://docs.github.com/en/actions/using-workflows/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsuses
+[jobs]: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsuses
 [onboarding]: https://docs.renovatebot.com/getting-started/installing-onboarding

package-lock.json

@@ -13,9 +13,9 @@
       }
     },
     "node_modules/prettier": {
-      "version": "3.3.3",
+      "version": "3.4.2",
-      "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.3.3.tgz",
+      "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.4.2.tgz",
-      "integrity": "sha512-i2tDNA0O5IrMO757lfrdQZCc2jPNDVntV0m/+4whiDfWaTKfMNgR7Qz0NAeGz/nRqF4m5/6CLzbP4/liHt12Ew==",
+      "integrity": "sha512-e9MewbtFo+Fevyuxn/4rrcDAaq0IYxPGLvObpQjiZBMAzB9IGmzlnG9RZy3FFas+eBMu2vA0CszMeduow5dIuQ==",
       "dev": true,
       "license": "MIT",
       "bin": {

package.json

@@ -4,7 +4,8 @@
   "private": true,
   "description": "My Shared GitHub Actions & Configurations.",
   "scripts": {
-    "test": "echo \"Error: no test specified\" && exit 1"
+    "lint": "npx mega-linter-runner --flavor cupcake",
+    "test": "echo \"Error: no test specified\" && exit 0"
   },
   "author": "Ismo Vuorinen <https://github.com/ivuorinen>",
   "license": "MIT",