Merge pull request instructlab#43 from bjhargrave/harden-workflows
Harden GitHub action workflows
bjhargrave authored May 7, 2024
2 parents f677fad + 00cce95 commit 937f808
Showing 8 changed files with 115 additions and 21 deletions.
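--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: Apache-2.0
+
+# GitHub Dependabot configuration file
+version: 2
+updates:
+
+# Maintain dependencies for GitHub Actions
+- package-ecosystem: "github-actions"
+directory: "/"
+schedule:
+interval: "daily"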
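Review bot: This entry keeps the `uses:` SHA pins fresh, but two pins introduced elsewhere in the same commit are outside Dependabot's reach: the commit SHA in the actionlint download URL in actionlint.yml and the markdownlint-cli2 image tag in the Makefile. Those will only move when someone remembers them, so a comment here naming them keeps the gap visible, e.g. `# Not covered by Dependabot: actionlint download-script pin (actionlint.yml), markdownlint-cli2 image (Makefile)`. The `daily` interval is fine for a repository this size.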
34 changes: 26 additions & 8 deletions .github/workflows/actionlint.yml
Expand Up @@ -6,25 +6,43 @@ on:
branches:
- "main"
paths:
- '.github/**'
- '.github/workflows/*.ya?ml'
pull_request:
branches:
- "main"
paths:
- '.github/**'
- '.github/workflows/*.ya?ml'

env:
LC_ALL: en_US.UTF-8

defaults:
run:
shell: bash

permissions:
contents: read

jobs:
actionlint:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Download actionlint
- name: "Harden Runner"
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: "Checkout"
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0

- name: "Download actionlint"
id: get_actionlint
run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) 1.6.27
- name: Check workflow files
run: PATH=".:$PATH" actionlint -color
run: |
bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/2d26fef7e97b8ab345791f5ade3252da47d083e3/scripts/download-actionlint.bash)
- name: "Check workflow files"
run: |
echo "::add-matcher::.github/workflows/matchers/actionlint.json"
${{ steps.get_actionlint.outputs.executable }} -color
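Review bot: The download step pipes `curl` straight into `bash` without `-f`, so an HTTP error body from raw.githubusercontent.com would be handed to bash instead of failing the step; the line should read `bash <(curl -fsSL https://raw.githubusercontent.com/rhysd/actionlint/2d26fef7e97b8ab345791f5ade3252da47d083e3/scripts/download-actionlint.bash)`. Pinning the script to a commit is the right move, but the explicit `1.6.27` argument was dropped, so the installed actionlint version now depends on whatever default that script revision carries — a comment on the step recording the version it is expected to install would make that auditable. `fetch-depth: 0` on the checkout fetches full history that linting the working tree does not need; the same applies to the checkout steps added to docs.yml and spellcheck.yml. The `${{ steps.get_actionlint.outputs.executable }}` expression is interpolated into the shell script; it comes from the pinned script so the risk is low, but passing it through `env:` and referencing `"$ACTIONLINT"` keeps the script free of inline expressions.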
35 changes: 29 additions & 6 deletions .github/workflows/docs.yml
@@ -1,23 +1,46 @@
name: docs
# SPDX-License-Identifier: Apache-2.0

name: Lint Markdown documents

on:
push:
branches: ["main"]
branches:
- "main"
paths:
- '**/*.md'
- '.markdownlint-cli2.yaml'
- '.github/workflows/docs.yml' # This workflow
pull_request:
branches: ["main"]
branches:
- "main"
paths:
- '**/*.md'
- '.markdownlint-cli2.yaml'
- '.github/workflows/docs.yml' # This workflow

env:
LC_ALL: en_US.UTF-8

defaults:
run:
shell: bash

permissions:
contents: read

jobs:
markdown-lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: markdownlint-cli2-action
uses: DavidAnson/markdownlint-cli2-action@v15
- name: "Harden Runner"
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: "Checkout"
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
- name: "Check Markdown documents"
uses: DavidAnson/markdownlint-cli2-action@b4c9feab76d8025d1e83c653fa3990936df0e6c8 # v16.0.0
with:
globs: '**/*.md'
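Review bot: The `globs: '**/*.md'` input on the markdownlint step duplicates the `globs` list that `.markdownlint-cli2.yaml` already carries (that file is changed in this same commit); as far as I recall markdownlint-cli2 only falls back to the config file's globs when none are passed, so the two can drift silently, and dropping the `with:` block here so the config file is the single source would be cleaner. The `# TODO: change to 'egress-policy: block' after couple of runs` comment is repeated verbatim in all three workflows; tracking the switch in one place so the audit results are actually reviewed would avoid it becoming a permanent `audit`.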
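--- a/.github/workflows/matchers/actionlint.json
+++ b/.github/workflows/matchers/actionlint.json
@@ -0,0 +1,17 @@
+{
+"problemMatcher": [
+{
+"owner": "actionlint",
+"pattern": [
+{
+"regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$",
+"file": 1,
+"line": 2,
+"column": 3,
+"message": 4,
+"code": 5
+}
+]
+}
+]
+}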
31 changes: 27 additions & 4 deletions .github/workflows/spellcheck.yml
Expand Up @@ -3,10 +3,25 @@
name: Spellcheck

on:
push:
branches:
- "main"
paths:
- '**.md'
- '.github/workflows/spellcheck.yml' # This workflow
pull_request:
branches: [main]
branches:
- "main"
paths:
- '**.md'
- '.github/workflows/spellcheck.yml' # This workflow

env:
LC_ALL: en_US.UTF-8

defaults:
run:
shell: bash

permissions:
contents: read
Expand All @@ -16,7 +31,15 @@ jobs:
name: Spellcheck (en_US)
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: "Harden Runner"
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: "Checkout"
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0

- name: Spellcheck
uses: rojopolis/spellcheck-github-actions@0.35.0
uses: rojopolis/spellcheck-github-actions@dbd2f1da869c05ad874fffeb6fe1ed50cd1a6e98 # v0.36.0
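Review bot: The path filters here use `'**.md'` while docs.yml in the same commit uses `'**/*.md'` for the same purpose; in GitHub's filter syntax `*` does not cross `/` but `**` does, so I believe the two forms do not select the same files (a root-level `README.md` being the obvious case), and the two workflows should settle on one spelling. The `- name: Spellcheck` step is the only one left unquoted next to the new `"Harden Runner"` and `"Checkout"` names — a minor style inconsistency worth aligning while the file is being touched.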
3 changes: 3 additions & 0 deletions .markdownlint-cli2.yaml
@@ -1,3 +1,5 @@
# SPDX-License-Identifier: Apache-2.0

config:
line-length: false
no-emphasis-as-header: false
Expand All @@ -8,6 +10,7 @@ config:
globs:
- "**/*.md"
ignores:
- ".github/**"
- ".tox/**"
- "venv/**"
- ".venv/**"
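Review bot: Adding `".github/**"` to `ignores` drops any Markdown under `.github/` (issue or PR templates, if the repository has them) from markdownlint, while the new `sources` entry in `.spellcheck.yml`, `"**/*.md|!.tox/**"`, still includes that directory. If the exclusion is deliberate, a comment above the entry stating why, e.g. `# .github/ Markdown is excluded from markdownlint: <reason>`, would help the next reader, and the spellcheck sources should probably mirror it. The first hunk of this file only adds the SPDX header.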
3 changes: 1 addition & 2 deletions .spellcheck.yml
@@ -1,4 +1,3 @@

# SPDX-License-Identifier: Apache-2.0

matrix:
Expand All @@ -9,7 +8,7 @@ matrix:
camel-case: true
mode: markdown
sources:
- "**/*.md|!REVIEWERS.md|!build/**|!.tox/**"
- "**/*.md|!.tox/**"
dictionary:
wordlists:
- .spellcheck-en-custom.txt
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -27,4 +27,4 @@ endif
.PHONY: md-lint
md-lint: ## Lint markdown files
$(ECHO_PREFIX) printf " %-12s ./...\n" "[MD LINT]"
$(CMD_PREFIX) podman run --rm -v $(CURDIR):/workdir --security-opt label=disable docker.io/davidanson/markdownlint-cli2:v0.12.1 > /dev/null
$(CMD_PREFIX) podman run --rm -v $(CURDIR):/workdir --security-opt label=disable docker.io/davidanson/markdownlint-cli2:latest > /dev/null
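Review bot: Replacing the pinned `markdownlint-cli2:v0.12.1` tag with `:latest` goes against the rest of this commit, which pins every action to a commit SHA: `latest` is a mutable tag, so local `make md-lint` runs become non-reproducible and can diverge from the CI result produced by the SHA-pinned `DavidAnson/markdownlint-cli2-action` in docs.yml. Pin it to a version tag, ideally with a digest, e.g. `docker.io/davidanson/markdownlint-cli2:<version>@sha256:<digest>` (placeholders to fill from the registry), and add a comment above the recipe asking that it be bumped together with the action in docs.yml. The rest of the `md-lint` recipe is unchanged.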
