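---
# Reusable code-quality workflow (`on: workflow_call`): every job runs one
# linter, formatter or scanner against the calling repository's checkout.
# No `secrets:` block is declared for the call, yet several jobs read
# `secrets.GH_TOKEN`, so callers have to invoke this workflow with
# `secrets: inherit` (or those jobs will see an empty token).
name: Lint

on:
  workflow_call:

# NOTE(review): these permissions are granted to every job below, including
# the read-only ones (yamllint, ty, ls-lint, ...). Only the auto-commit jobs
# need `contents: write` and only the SARIF uploads need
# `security-events: write`; they could be scoped per job — confirm each
# action's requirements before tightening.
permissions:
  contents: write
  pull-requests: write
  checks: write
  security-events: write
  actions: read

# NOTE(review): taplo/format, ruff/format and yamlfix each push a fix-up
# commit to the same branch from independent jobs. If more than one of them
# has changes in the same run, the later pushes may be rejected as
# non-fast-forward — verify whether the runs are expected to be serialised.
jobs:
  taplo:
    name: Taplo ${{ matrix.command }}
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    strategy:
      fail-fast: false
      matrix:
        command:
          - format
          - lint
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install taplo
        uses: baptiste0928/cargo-install@b687c656bda5733207e629b50a22bf68974a0305 # v3.3.2
        with:
          crate: taplo-cli
          locked: true
      - name: ${{ matrix.command }}
        # `matrix.command` is defined in this file, not derived from the
        # event, so expanding it inside `run:` is safe. The folded scalar
        # joins the lines into one command; the last expression is empty
        # for `format`.
        run: >-
          taplo ${{ matrix.command }}
          --config .github/lint/.taplo.toml
          ${{ matrix.command == 'lint' && '--default-schema-catalogs' || '' }}
      - name: Commit and push applied formatter fixes
        if: matrix.command == 'format'
        uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
        with:
          commit_message: '[Taplo] Apply formatter fixes'
          commit_options: --no-verify

  trufflehog:
    name: TruffleHog
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Install trufflehog
        # No `tag:` is given, so whatever trufflehog release is latest at run
        # time gets installed; the scanner version is therefore not pinned
        # the way the actions themselves are.
        uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
        with:
          repo: trufflesecurity/trufflehog
          cache: enable
      - name: Git Secret Scanning
        # `github.head_ref` is the pull-request head branch name, which is
        # chosen by whoever opened the PR. Expanding it directly inside
        # `run:` would let a crafted branch name alter the shell command, so
        # it is passed through an environment variable and quoted instead.
        env:
          REPO_URL: ${{ github.event.repository.html_url }}
          SCAN_BRANCH: ${{ github.head_ref || github.ref_name }}
        run: >-
          trufflehog git "$REPO_URL" --branch="$SCAN_BRANCH"
          --fail --github-actions --results=verified,unknown --log-level=4 --no-update

  pre-commit:
    name: pre-commit
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install uv
        uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
        with:
          enable-cache: true
          activate-environment: true
      - name: Restore pre-commit cache
        uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        id: cache-restore
        with:
          path: ~/.cache/pre-commit
          key: pre-commit-${{ hashFiles('**/.pre-commit-config.yaml') }}
          restore-keys: pre-commit-
      - name: Run pre-commit hooks
        run: uvx pre-commit run --show-diff-on-failure --color=always --all-files
      - name: Save pre-commit cache
        uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        # Save the cache even when the hooks failed, but skip it when the
        # restore step already found an exact match for the primary key.
        if: always() && steps.cache-restore.outputs.cache-hit != 'true'
        with:
          path: ~/.cache/pre-commit
          key: ${{ steps.cache-restore.outputs.cache-primary-key }}
      - name: Run pre-commit-ci-lite
        uses: pre-commit-ci/lite-action@5d6cc0eb514c891a40562a58a8e71576c5c7fb43 # v1.1.0
        if: always()

  uv_lock:
    name: UV Lock Check
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install uv
        uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
        with:
          enable-cache: true
          activate-environment: true
      - name: Check if the lockfile is up-to-date
        id: uv_lock_check
        run: uv lock --check
      - name: Job Summary
        uses: jazanne/job-summary-action@690eb386a0b86fe4da7c6f0e543e61330ff09f06 # v1.0.0
        # Runs on both outcomes so the summary always reports the result.
        if: success() || failure()
        with:
          summary: |
            ## UV Lock Check
            - **Status**: ${{ steps.uv_lock_check.outcome == 'success' && ':white_check_mark:' || ':x:' }}

  ls_lint:
    name: ls-lint
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Lint file names
        uses: ls-lint/action@02e380fe8733d499cbfc9e22276de5085508a5bd # v2.3.1
        with:
          config: .github/lint/.ls-lint.yaml

  ruff:
    name: Ruff ${{ matrix.command }}
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    strategy:
      fail-fast: false
      matrix:
        command:
          - check
          - format
        # `check` emits SARIF for the Security tab; `format` emits GitHub
        # annotations and has its changes committed back.
        include:
          - command: check
            output: sarif
          - command: format
            output: github
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # NOTE(review): a PAT is used for the checkout here (and in yamlfix)
          # but not in the taplo job — presumably so the pushed fix-up commit
          # re-triggers workflows; confirm that this is the intent.
          token: ${{ secrets.GH_TOKEN }}
      - name: ${{ matrix.command }}
        uses: astral-sh/ruff-action@57714a7c8a2e59f32539362ba31877a1957dded1 # v3.5.1
        with:
          args: >-
            ${{ matrix.command }} --config .github/lint/.ruff.toml
            --output-format ${{ matrix.output }}
            ${{ matrix.output == 'sarif' && '--output-file ruff.sarif' || '' }}
      - name: upload Ruff scan SARIF report
        if: matrix.output == 'sarif' && ( success() || failure() )
        uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          sarif_file: ruff.sarif
      - name: Commit and push applied Ruff fixes
        if: matrix.output == 'github'
        uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
        with:
          commit_message: '[Ruff] Apply format fixes'
          commit_options: --no-verify

  yamlfix:
    name: YamlFix
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ secrets.GH_TOKEN }}
      - name: Install uv
        uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
        with:
          enable-cache: true
          activate-environment: true
      - name: Format
        run: uvx yamlfix . --config-file .github/lint/.yamlfix.toml
      - name: Commit and push applied linter fixes
        uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
        with:
          commit_message: '[YamlFix] Apply linters fixes'
          commit_options: --no-verify

  yamllint:
    name: YamlLint
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install uv
        uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
        with:
          enable-cache: true
          activate-environment: true
      - name: Check
        run: uvx yamllint . --strict -c=.github/lint/.yamllint.yaml --format github

  syft:
    name: Syft
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: SBOM Generation
        uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0.22.1
        with:
          path: .
          dependency-snapshot: true
          output-file: ${{ github.event.repository.name }}-sbom.json
          format: syft-json

  grype:
    name: Grype
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Scan current project
        uses: anchore/scan-action@8d2fce09422cd6037e577f4130e9b925e9a37175 # v7.3.1
        id: scan
        with:
          path: .
          cache-db: true
      - name: upload Anchore scan SARIF report
        # Upload the findings even when the scan step itself failed the job.
        if: success() || failure()
        uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

  trivy:
    name: Trivy ${{ matrix.name }}
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    strategy:
      fail-fast: false
      matrix:
        scan-type:
          - repo
          - config
          - fs
        # `repo` and `config` produce SARIF for the Security tab; `fs`
        # produces a dependency SBOM that is kept as a build artifact.
        include:
          - scan-type: repo
            format: sarif
            output: trivy-results-repo.sarif
            name: Repo
          - scan-type: config
            format: sarif
            output: trivy-results-config.sarif
            name: IaC
          - scan-type: fs
            format: github
            output: dependency-results.sbom.json
            name: SBOM
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          scan-type: ${{ matrix.scan-type }}
          trivy-config: .github/lint/.trivy.yaml
          format: ${{ matrix.format }}
          output: ${{ matrix.output }}
          github-pat: ${{ secrets.GH_TOKEN }}
          # Quoted on purpose: the action expects a string, not the int 1.
          exit-code: '1'
          scanners: vuln,secret,misconfig
      - name: Upload Trivy scan results to GitHub Security tab
        if: matrix.scan-type != 'fs' && ( success() || failure() )
        uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          sarif_file: ${{ matrix.output }}
          category: ${{ matrix.scan-type }}
      - name: Upload trivy report as a Github artifact
        if: matrix.scan-type == 'fs' && ( success() || failure() )
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: trivy-sbom-report
          path: ${{ matrix.output }}

  dclint:
    name: DCLint
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Lint Docker Compose file
        uses: docker-compose-linter/dclint-github-action@18659f6a7956706cb67cf9c1ad5e55f4352cbc17 # v1.6.0
        with:
          # NOTE(review): `fix: true` rewrites files in the runner's
          # workspace, but unlike the taplo/ruff/yamlfix jobs there is no
          # commit step here, so the rewrites are discarded — confirm this
          # is intended.
          fix: true
          recursive: true

  ty:
    name: Ty
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install uv
        uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
        with:
          enable-cache: true
          activate-environment: true
      - name: Setup Venv
        run: uv sync
      - name: Check
        run: uv run ty check --output-format github

  markdownlint:
    name: MarkdownLint
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Lint Markdown files
        uses: DavidAnson/markdownlint-cli2-action@07035fd053f7be764496c0f8d8f9f41f98305101 # v22.0.0
        with:
          globs: '**/*.md'
          config: .github/lint/.markdownlint.yaml
          # NOTE(review): as in dclint, fixes are applied in the workspace
          # but no step commits them.
          fix: true

  hadolint:
    name: Hadolint
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Lint Dockerfile
        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
        with:
          config: .github/lint/.hadolint.yaml
          format: sarif
          output-file: hadolint.sarif
      - name: upload Hadolint scan SARIF report
        if: success() || failure()
        uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          sarif_file: hadolint.sarif

  actionlint:
    name: ActionLint
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install actionlint
        # As with trufflehog, no `tag:` means the latest release is used.
        uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
        with:
          repo: rhysd/actionlint
          cache: enable
      - name: Download actionlint-matcher.json
        # NOTE(review): the problem matcher is fetched from the `main` branch
        # at run time, so its content is not pinned the way the actions
        # above are. Vendoring the file into the repository, or fetching it
        # at a fixed ref, would make the job reproducible.
        run: >-
          curl -fsSL https://raw.githubusercontent.com/rhysd/actionlint/main/.github/actionlint-matcher.json
          -o .github/actionlint-matcher.json
      - name: Run actionlint
        # Register the matcher first so actionlint's output becomes
        # annotations on the workflow files.
        run: |-
          echo "::add-matcher::.github/actionlint-matcher.json"
          actionlint -color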