diff --git a/.github/super-linter.env b/.github/super-linter.env index fcc611762..1b6896359 100644 --- a/.github/super-linter.env +++ b/.github/super-linter.env @@ -3,8 +3,8 @@ # name=value GITLEAKS_LOG_LEVEL=warn -# todo need to resolve all clones +VALIDATE_GITHUB_ACTIONS_ZIZMOR=false VALIDATE_JSCPD=false -# Turned off because requires changing lists from "*" to "-" VALIDATE_MARKDOWN_PRETTIER=false +VALIDATE_TRIVY=false VALIDATE_YAML_PRETTIER=false diff --git a/.github/workflows/automatic-pr-labeler.yaml b/.github/workflows/automatic-pr-labeler.yaml index abd15acd7..4256aa3c8 100644 --- a/.github/workflows/automatic-pr-labeler.yaml +++ b/.github/workflows/automatic-pr-labeler.yaml @@ -21,25 +21,34 @@ permissions: jobs: assign-labels: - if: github.event.pull_request.merged == false + if: (github.event.pull_request.merged == false) && (github.event.pull_request.user.login != 'dependabot[bot]') && (github.event.pull_request.user.login != 'github-actions[bot]') runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - - name: "Execute assign labels" - id: action-assign-labels - uses: mauroalderete/action-assign-labels@v1 - with: - pull-request-number: ${{ github.event.pull_request.number }} - github-token: ${{ github.token }} - conventional-commits: "./.github/auto-labeler-config.yaml" - maintain-labels-not-matched: true - apply-changes: ${{ github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }} - - name: "Drop warning if PR from fork" - if: ${{ github.event.pull_request.base.repo.id != github.event.pull_request.head.repo.id }} - run: | - { - echo "⚠️ Pull request from fork! ⚠️" - echo "Labels will not be applied to PR. Assign them manually please." - echo "Labels to assign: ${{ steps.action-assign-labels.outputs.labels-next }}" - } >> "$GITHUB_STEP_SUMMARY" + - name: "Execute assign labels" + id: action-assign-labels + uses: mauroalderete/action-assign-labels@671a4ca2da0f900464c58b8b5540a1e07133e915 # v1.5.1 + with: + pull-request-number: ${{ github.event.pull_request.number }} + github-token: ${{ github.token }} + conventional-commits: "./.github/auto-labeler-config.yaml" + maintain-labels-not-matched: true + apply-changes: ${{ github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }} + + - name: Set labels-next safely + if: ${{ github.event.pull_request.base.repo.id != github.event.pull_request.head.repo.id }} + run: | + echo "LABELS_NEXT=$(echo ${STEPS_ACTION_ASSIGN_LABELS_OUTPUTS_LABELS_NEXT} | tr -dc 'a-zA-Z0-9-,')" >> $GITHUB_ENV + env: + STEPS_ACTION_ASSIGN_LABELS_OUTPUTS_LABELS_NEXT: ${{ steps.action-assign-labels.outputs.labels-next }} + - name: "Drop warning if PR from fork" + if: ${{ github.event.pull_request.base.repo.id != github.event.pull_request.head.repo.id }} + run: | + { + echo "⚠️ Pull request from fork! ⚠️"; + echo "Labels will not be applied to PR. Assign them manually please."; + echo "Labels to assign: '${LABELS_NEXT}'"; + } >> "$GITHUB_STEP_SUMMARY" diff --git a/.github/workflows/pr-conventional-commits.yaml b/.github/workflows/pr-conventional-commits.yaml index 652d89968..889b68d6f 100644 --- a/.github/workflows/pr-conventional-commits.yaml +++ b/.github/workflows/pr-conventional-commits.yaml @@ -5,9 +5,9 @@ name: Conventional Commits PR Check on: pull_request: types: - - opened - - edited - - synchronize + - opened + - edited + - synchronize permissions: pull-requests: read @@ -16,5 +16,8 @@ jobs: name: Conventional Commits runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: webiny/action-conventional-commits@v1.3.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - uses: webiny/action-conventional-commits@8bc41ff4e7d423d56fa4905f6ff79209a78776c7 # v1.3.0 diff --git a/.github/workflows/pr-lint-title.yaml b/.github/workflows/pr-lint-title.yaml index 81c62b5b8..ce7e52b4e 100644 --- a/.github/workflows/pr-lint-title.yaml +++ b/.github/workflows/pr-lint-title.yaml @@ -5,8 +5,10 @@ name: "Lint PR Title" on: pull_request: types: - - opened - - edited + - opened + - edited + - synchronize + - reopened permissions: pull-requests: read @@ -16,6 +18,6 @@ jobs: name: Validate PR title runs-on: ubuntu-latest steps: - - uses: amannn/action-semantic-pull-request@v5 - env: - GITHUB_TOKEN: ${{ github.token }} + - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1 + env: + GITHUB_TOKEN: ${{ github.token }} diff --git a/.github/workflows/profanity-filter.yaml b/.github/workflows/profanity-filter.yaml index f7e0389d9..74926d3c3 100644 --- a/.github/workflows/profanity-filter.yaml +++ b/.github/workflows/profanity-filter.yaml @@ -14,16 +14,16 @@ permissions: pull-requests: write jobs: - call-apply-filter: - if: ${{ github.event_name == 'issue_comment' || github.event_name == 'issues' || (github.event_name == 'pull_request' && github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id) }} - uses: Netcracker/qubership-workflow-hub/.github/workflows/profanityFilter.yaml@main - warning: + apply-filter: runs-on: ubuntu-latest - if: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.repo.id != github.event.pull_request.head.repo.id }} steps: - - name: "Warning" - run: | - { - echo "⚠️ Pull request from fork! ⚠️" - echo "The action cannot be run over PRs from fork." - } >> "$GITHUB_STEP_SUMMARY" + - name: Scan issue or pull request for profanity + # Conditionally run the step if the actor isn't a bot + if: ${{ github.actor != 'dependabot[bot]' && github.actor != 'github-actions[bot]' }} + uses: IEvangelist/profanity-filter@9.07 + id: profanity-filter + with: + token: ${{ secrets.GITHUB_TOKEN }} + # See https://bit.ly/potty-mouth-replacement-strategies + replacement-strategy: middle-asterisk # See Replacement strategy + custom-profane-words-url: https://github.com/Hesham-Elbadawi/list-of-banned-words/raw/refs/heads/master/ru diff --git a/.github/workflows/super-linter.yaml b/.github/workflows/super-linter.yaml index 6d294c461..45c179b68 100644 --- a/.github/workflows/super-linter.yaml +++ b/.github/workflows/super-linter.yaml @@ -14,10 +14,10 @@ name: Lint Code Base on: push: branches: - - '**' + - '**' pull_request: branches: - - '**' + - '**' workflow_dispatch: inputs: full_scan: @@ -29,25 +29,70 @@ permissions: contents: read jobs: + prepare-configs: + runs-on: ubuntu-latest + steps: + - name: "Get the common linters configuration" + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + ref: main # fix/superlinter-config + repository: netcracker/.github + persist-credentials: false + sparse-checkout: | + config/linters + - name: "Upload the common linters configuration" + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: linter-config + path: "${{ github.workspace }}/config" + include-hidden-files: true run-lint: + needs: [prepare-configs] runs-on: ubuntu-latest + permissions: + contents: read + packages: read + # To report GitHub Actions status checks + statuses: write steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 + persist-credentials: false + - name: "Get the common linters configuration" + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 + id: download + with: + name: linter-config + path: /tmp/linter-config + - name: "Apply the common linters configuration" + if: ${{ steps.download.outputs.download-path != '' }} + run: | + mkdir -p ./.github/linters + cp --update=none -vRT /tmp/linter-config/linters ./.github/linters - name: "Load super-linter environment file" + shell: bash run: | # shellcheck disable=2086 - if [ -f "./.github/super-linter.env" ]; then - grep "\S" ./.github/super-linter.env | grep -v "^#" - grep "\S" ./.github/super-linter.env | grep -v "^#" >> $GITHUB_ENV + if [ -f "${GITHUB_WORKSPACE}/.github/super-linter.env" ]; then + echo "Applying local linter environment:" + grep "\S" ${GITHUB_WORKSPACE}/.github/super-linter.env | grep -v "^#" + grep "\S" ${GITHUB_WORKSPACE}/.github/super-linter.env | grep -v "^#" >> $GITHUB_ENV + elif [ -f "/tmp/linter-config/linters/super-linter.env" ]; then + echo "::warning:: Local linter environment file .github/super-linter.env is not found" + echo "Applying common linter environment:" + grep "\S" /tmp/linter-config/linters/super-linter.env | grep -v "^#" + grep "\S" /tmp/linter-config/linters/super-linter.env | grep -v "^#" >> $GITHUB_ENV fi - name: Lint Code Base - uses: super-linter/super-linter/slim@v7.3.0 + uses: super-linter/super-linter/slim@ffde3b2b33b745cb612d787f669ef9442b1339a6 # v8.1.0 env: VALIDATE_ALL_CODEBASE: ${{ inputs.full_scan || false }} + # To report GitHub Actions status checks GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + DEFAULT_BRANCH: ${{ github.event.pull_request.base.ref || github.event.push.ref }} +