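---
# Reusable lint / scan workflow.
# The only trigger is `workflow_call`, so this file never runs on its own; a
# caller workflow invokes it with `uses:` and supplies the secrets it needs
# (`secrets.GH_TOKEN` is read by several jobs below).
name: Lint

on:
  workflow_call:

# NOTE(review): these permissions are granted to EVERY job below. Only the
# jobs that push formatter fixes need `contents: write`, and only the steps
# that call `upload-sarif` need `security-events: write`; the remaining jobs
# could run with `contents: read`. Consider per-job `permissions:` blocks.
permissions:
  contents: write
  pull-requests: write
  checks: write
  security-events: write
  actions: read

jobs:
  # Format / lint TOML files. The `format` leg pushes its fixes back.
  taplo:
    name: Taplo ${{ matrix.command }}
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    strategy:
      fail-fast: false
      matrix:
        command:
          - format
          - lint
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install taplo
        uses: baptiste0928/cargo-install@b687c656bda5733207e629b50a22bf68974a0305 # v3.3.2
        with:
          crate: taplo-cli
          locked: true
      - name: ${{ matrix.command }}
        # `matrix.command` is defined in this file, not by an external event,
        # so interpolating it into the command text is safe.
        run: >-
          taplo ${{matrix.command}} --config .github/lint/.taplo.toml
          ${{matrix.command == 'lint' && '--default-schema-catalogs' || ''}}
      - name: Commit and push applied formatter fixes
        if: matrix.command == 'format'
        uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
        with:
          commit_message: '[Taplo] Apply formatter fixes'
          commit_options: --no-verify

  # Secret scanning of git history. There is no checkout step: trufflehog
  # clones the repository itself from the URL passed on the command line.
  # NOTE(review): that clone carries no credentials — confirm it works if the
  # repository is private.
  trufflehog:
    name: TruffleHog
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Install trufflehog
        # No `tag:` is given, so the release the action resolves by default is
        # installed at run time; consider pinning a release for reproducibility.
        uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
        with:
          repo: trufflesecurity/trufflehog
          cache: enable
      - name: Git Secret Scanning
        # `github.head_ref` is the PR head branch name and is controlled by the
        # PR author; splicing it into the command text with `${{ }}` would let
        # a crafted branch name alter the shell command. Passing the values
        # through `env:` and expanding them as quoted shell variables keeps
        # them as data.
        env:
          REPO_URL: ${{ github.event.repository.html_url }}
          SCAN_BRANCH: ${{ github.head_ref || github.ref_name }}
        run: >-
          trufflehog git "$REPO_URL" --branch="$SCAN_BRANCH"
          --fail --github-actions --results=verified,unknown
          --log-level=4 --no-update

  # Runs every hook in .pre-commit-config.yaml, caching the hook environments
  # keyed on the config file's hash.
  pre-commit:
    name: pre-commit
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install uv
        uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
        with:
          enable-cache: true
          activate-environment: true
      - name: Restore pre-commit cache
        uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        id: cache-restore
        with:
          path: ~/.cache/pre-commit
          key: pre-commit-${{ hashFiles('**/.pre-commit-config.yaml') }}
          restore-keys: pre-commit-
      - name: Run pre-commit hooks
        run: uvx pre-commit run --show-diff-on-failure --color=always --all-files
      - name: Save pre-commit cache
        uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        # Save even when the hooks failed, but only if nothing was restored
        # under the exact key (avoids re-uploading an identical cache).
        if: always() && steps.cache-restore.outputs.cache-hit != 'true'
        with:
          path: ~/.cache/pre-commit
          key: ${{ steps.cache-restore.outputs.cache-primary-key }}
      - name: Run pre-commit-ci-lite
        uses: pre-commit-ci/lite-action@5d6cc0eb514c891a40562a58a8e71576c5c7fb43 # v1.1.0
        if: always()

  # Fails when uv.lock no longer matches the project metadata.
  uv_lock:
    name: UV Lock Check
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install uv
        uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
        with:
          enable-cache: true
          activate-environment: true
      - name: Check if the lockfile is up-to-date
        id: uv_lock_check
        run: uv lock --check
      - name: Job Summary
        uses: jazanne/job-summary-action@690eb386a0b86fe4da7c6f0e543e61330ff09f06 # v1.0.0
        # Always publish the summary, whether the check passed or failed.
        if: success() || failure()
        with:
          summary: |
            ## UV Lock Check
            - **Status**: ${{ steps.uv_lock_check.outcome == 'success' && ':white_check_mark:' || ':x:' }}

  # File / directory naming rules.
  ls_lint:
    name: ls-lint
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Lint file names
        uses: ls-lint/action@02e380fe8733d499cbfc9e22276de5085508a5bd # v2.3.1
        with:
          config: .github/lint/.ls-lint.yaml

  # Python lint (`check`, reported as SARIF) and formatting (`format`, whose
  # fixes are committed and pushed).
  ruff:
    name: Ruff ${{ matrix.command }}
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    strategy:
      fail-fast: false
      matrix:
        command:
          - check
          - format
        include:
          - command: check
            output: sarif
          - command: format
            output: github
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # NOTE(review): a non-default token is used for checkout here and in
          # `yamlfix`; presumably so the pushed fixes can trigger other
          # workflows — confirm. In a reusable workflow the caller must pass
          # this secret explicitly (or with `secrets: inherit`).
          token: ${{ secrets.GH_TOKEN }}
      - name: ${{ matrix.command }}
        uses: astral-sh/ruff-action@57714a7c8a2e59f32539362ba31877a1957dded1 # v3.5.1
        with:
          args: >-
            ${{ matrix.command }} --config .github/lint/.ruff.toml
            --output-format ${{matrix.output}}
            ${{matrix.output == 'sarif' && '--output-file ruff.sarif' || ''}}
      - name: upload Ruff scan SARIF report
        if: matrix.output == 'sarif' && ( success() || failure() )
        uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          sarif_file: ruff.sarif
      - name: Commit and push applied Ruff fixes
        if: matrix.output == 'github'
        uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
        with:
          commit_message: '[Ruff] Apply format fixes'
          commit_options: --no-verify

  # YAML auto-formatting; fixes are committed and pushed.
  yamlfix:
    name: YamlFix
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ secrets.GH_TOKEN }}
      - name: Install uv
        uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
        with:
          enable-cache: true
          activate-environment: true
      - name: Format
        run: uvx yamlfix . --config-file .github/lint/.yamlfix.toml
      - name: Commit and push applied linter fixes
        uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
        with:
          commit_message: '[YamlFix] Apply linters fixes'
          commit_options: --no-verify

  # YAML lint (read-only; `--strict` turns warnings into failures).
  yamllint:
    name: YamlLint
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install uv
        uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
        with:
          enable-cache: true
          activate-environment: true
      - name: Check
        run: uvx yamllint . --strict -c=.github/lint/.yamllint.yaml --format github

  # SBOM generation; `dependency-snapshot: true` also submits the dependency
  # graph to GitHub.
  syft:
    name: Syft
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: SBOM Generation
        uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0.22.1
        with:
          path: .
          dependency-snapshot: true
          output-file: ${{ github.event.repository.name }}-sbom.json
          format: syft-json

  # Vulnerability scan of the checked-out tree, uploaded as SARIF.
  grype:
    name: Grype
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Scan current project
        uses: anchore/scan-action@8d2fce09422cd6037e577f4130e9b925e9a37175 # v7.3.1
        id: scan
        with:
          path: .
          cache-db: true
      - name: upload Anchore scan SARIF report
        if: success() || failure()
        uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

  # Trivy in three modes: `repo` and `config` produce SARIF for the Security
  # tab; `fs` produces a GitHub dependency-graph report kept as an artifact.
  trivy:
    name: Trivy ${{ matrix.name }}
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    strategy:
      fail-fast: false
      matrix:
        scan-type:
          - repo
          - config
          - fs
        include:
          - scan-type: repo
            format: sarif
            output: trivy-results-repo.sarif
            name: Repo
          - scan-type: config
            format: sarif
            output: trivy-results-config.sarif
            name: IaC
          - scan-type: fs
            format: github
            output: dependency-results.sbom.json
            name: SBOM
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          scan-type: ${{ matrix.scan-type }}
          trivy-config: .github/lint/.trivy.yaml
          format: ${{ matrix.format }}
          output: ${{ matrix.output }}
          github-pat: ${{ secrets.GH_TOKEN }}
          # Fail the job when findings are present.
          exit-code: '1'
          scanners: vuln,secret,misconfig
      - name: Upload Trivy scan results to GitHub Security tab
        if: matrix.scan-type != 'fs' && ( success() || failure() )
        uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          sarif_file: ${{ matrix.output }}
          # Separate categories keep the repo and IaC results from
          # overwriting each other in code scanning.
          category: ${{ matrix.scan-type }}
      - name: Upload trivy report as a Github artifact
        if: matrix.scan-type == 'fs' && ( success() || failure() )
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: trivy-sbom-report
          path: ${{ matrix.output }}

  # Docker Compose lint.
  # NOTE(review): `fix: true` rewrites files in the runner workspace but no
  # commit step follows, so the fixes are discarded — confirm this is intended.
  dclint:
    name: DCLint
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Lint Docker Compose file
        uses: docker-compose-linter/dclint-github-action@18659f6a7956706cb67cf9c1ad5e55f4352cbc17 # v1.6.0
        with:
          fix: true
          recursive: true

  # Python type checking; `uv sync` installs the project environment first.
  ty:
    name: Ty
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install uv
        uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
        with:
          enable-cache: true
          activate-environment: true
      - name: Setup Venv
        run: uv sync
      - name: Check
        run: uv run ty check --output-format github

  # Markdown lint.
  # NOTE(review): as with `dclint`, `fix: true` has no commit step after it,
  # so applied fixes are not persisted — confirm this is intended.
  markdownlint:
    name: MarkdownLint
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Lint Markdown files
        uses: DavidAnson/markdownlint-cli2-action@07035fd053f7be764496c0f8d8f9f41f98305101 # v22.0.0
        with:
          globs: '**/*.md'
          config: .github/lint/.markdownlint.yaml
          fix: true

  # Dockerfile lint, uploaded as SARIF.
  hadolint:
    name: Hadolint
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Lint Dockerfile
        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
        with:
          config: .github/lint/.hadolint.yaml
          format: sarif
          output-file: hadolint.sarif
      - name: upload Hadolint scan SARIF report
        if: success() || failure()
        uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          sarif_file: hadolint.sarif

  # Lints the workflow files themselves.
  actionlint:
    name: ActionLint
    runs-on: ubuntu-latest
    environment:
      name: code_quality
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install actionlint
        # No `tag:` is given, so the release the action resolves by default is
        # installed at run time; consider pinning a release for reproducibility.
        uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
        with:
          repo: rhysd/actionlint
          cache: enable
      - name: Download actionlint-matcher.json
        # The problem matcher is fetched from the upstream `main` branch at run
        # time rather than from a pinned revision; it only drives annotation
        # formatting, but pinning it would make the job reproducible.
        run: >-
          curl -fsSL https://raw.githubusercontent.com/rhysd/actionlint/main/.github/actionlint-matcher.json
          -o .github/actionlint-matcher.json
      - name: Run actionlint
        run: |-
          echo "::add-matcher::.github/actionlint-matcher.json"
          actionlint -color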