mirror of
https://github.com/ivuorinen/actions.git
synced 2026-03-20 14:01:03 +00:00
Ismo Vuorinen
900dd96797
* chore(pre-commit): update hooks and add action-validator Update uv-pre-commit 0.10.9→0.10.11 and checkov 3.2.508→3.2.510. Normalize single quotes to double quotes in hook args. Add action-validator v0.8.0 hook for GitHub Actions validation. * fix(ci): clean up workflow path filters Remove non-existent action.yaml paths from action-security workflow. Fix glob patterns (**.md → **/*.md) in pr-lint workflow. Remove unused trigger paths (yarn.lock, pnpm-lock.yaml, requirements.txt, .github/labels.yml, docs/**) from security-suite and sync-labels workflows. * feat(make): add lint-actions target for action-validator Add lint-actions target that runs action-validator via pre-commit. Include it in the lint dependency list and .PHONY declaration. * docs: add context-mode routing rules to CLAUDE.md Add mandatory routing rules section for context-mode MCP plugin, documenting blocked commands, redirected tools, tool selection hierarchy, and output constraints. * fix(lint): resolve action-validator failure on language-version-detect - Remove unsupported `deprecated: true` from language-version-detect/action.yml (deprecation already communicated via description field) - Scope action-validator pre-commit hook to workflow and action.yml files only - Make missing pre-commit a hard error in lint-actions target * fix(deps): update action pins and fix trivy-action version comment Update SHA-pinned action references to latest versions: - github/codeql-action v4.32.6 → v4.33.0 - nick-fields/retry v3.0.2 → v4.0.0 - actions/cache v5.0.3 → v5.0.4 - oven-sh/setup-bun v2.1.3 → v2.2.0 - softprops/action-gh-release v2.5.0 → v2.6.1 - github/issue-metrics v4.1.0 → v4.1.1 - shivammathur/setup-php 2.36.0 → 2.37.0 - astral-sh/setup-uv v7.5.0 → v7.6.0 - terraform-linters/setup-tflint v6.2.1 → v6.2.2 - aquasecurity/trivy-action: pin from master to v0.35.0 Fix pinact warning in docker-build by adding missing v prefix to trivy-action version comment (0.35.0 → v0.35.0).
59 lines
2.1 KiB
YAML
59 lines
2.1 KiB
YAML
---
|
|
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
|
|
name: Scorecard analysis workflow
|
|
on:
|
|
push:
|
|
# Only the default branch is supported.
|
|
branches:
|
|
- main
|
|
schedule:
|
|
# Weekly on Saturdays.
|
|
- cron: '30 1 * * 6'
|
|
|
|
permissions: read-all
|
|
|
|
jobs:
|
|
analysis:
|
|
name: Scorecard analysis
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
# Needed for Code scanning upload
|
|
security-events: write
|
|
# Needed for GitHub OIDC token if publish_results is true
|
|
id-token: write
|
|
|
|
steps:
|
|
- name: 'Checkout code'
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: 'Run analysis'
|
|
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
|
|
with:
|
|
results_file: results.sarif
|
|
results_format: sarif
|
|
# Scorecard team runs a weekly scan of public GitHub repos,
|
|
# see https://github.com/ossf/scorecard#public-data.
|
|
# Setting `publish_results: true` helps us scale by leveraging your workflow to
|
|
# extract the results instead of relying on our own infrastructure to run scans.
|
|
# And it's free for you!
|
|
publish_results: true
|
|
|
|
# Upload the results as artifacts (optional). Commenting out will disable
|
|
# uploads of run results in SARIF format to the repository Actions tab.
|
|
# https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
|
|
- name: 'Upload artifact'
|
|
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
|
|
with:
|
|
name: SARIF file
|
|
path: results.sarif
|
|
retention-days: 5
|
|
|
|
# Upload the results to GitHub's code scanning dashboard (optional).
|
|
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
|
|
- name: 'Upload to code-scanning'
|
|
uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
|
|
with:
|
|
sarif_file: results.sarif
|