From 9bc56ef4f6b96d0b56939e3cb86a38a2129dba90 Mon Sep 17 00:00:00 2001
From: borislavr
Date: Thu, 4 Sep 2025 07:28:31 +0000
Subject: [PATCH 1/4] chore: update of common workflows
---
.github/workflows/automatic-pr-labeler.yaml | 40 +++++++------
.../workflows/pr-conventional-commits.yaml | 13 ++--
.github/workflows/pr-lint-title.yaml | 12 ++--
.github/workflows/profanity-filter.yaml | 22 +++----
.github/workflows/super-linter.yaml | 59 ++++++++++++++++---
5 files changed, 99 insertions(+), 47 deletions(-)
diff --git a/.github/workflows/automatic-pr-labeler.yaml b/.github/workflows/automatic-pr-labeler.yaml
index abd15acd7..03ef48913 100644
--- a/.github/workflows/automatic-pr-labeler.yaml
+++ b/.github/workflows/automatic-pr-labeler.yaml
@@ -21,25 +21,27 @@ permissions: jobs: assign-labels: - if: github.event.pull_request.merged == false + if: (github.event.pull_request.merged == false) && (github.event.pull_request.user.login != 'dependabot[bot]') && (github.event.pull_request.user.login != 'github-actions[bot]') runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - - name: "Execute assign labels" - id: action-assign-labels - uses: mauroalderete/action-assign-labels@v1 - with: - pull-request-number: ${{ github.event.pull_request.number }} - github-token: ${{ github.token }} - conventional-commits: "./.github/auto-labeler-config.yaml" - maintain-labels-not-matched: true - apply-changes: ${{ github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }} - - name: "Drop warning if PR from fork" - if: ${{ github.event.pull_request.base.repo.id != github.event.pull_request.head.repo.id }} - run: | - { - echo "⚠️ Pull request from fork! ⚠️" - echo "Labels will not be applied to PR. Assign them manually please." - echo "Labels to assign: ${{ steps.action-assign-labels.outputs.labels-next }}" - } >> "$GITHUB_STEP_SUMMARY" + - name: "Execute assign labels" + id: action-assign-labels + uses: mauroalderete/action-assign-labels@v1 + with: + pull-request-number: ${{ github.event.pull_request.number }} + github-token: ${{ github.token }} + conventional-commits: "./.github/auto-labeler-config.yaml" + maintain-labels-not-matched: true + apply-changes: ${{ github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }} + - name: "Drop warning if PR from fork" + if: ${{ github.event.pull_request.base.repo.id != github.event.pull_request.head.repo.id }} + run: | + { + echo "⚠️ Pull request from fork! ⚠️"; + echo "Labels will not be applied to PR. 
Assign them manually please."; + echo "Labels to assign: ${{ steps.action-assign-labels.outputs.labels-next }}"; + } >> "$GITHUB_STEP_SUMMARY" diff --git a/.github/workflows/pr-conventional-commits.yaml b/.github/workflows/pr-conventional-commits.yaml index 652d89968..79dc9e084 100644 --- a/.github/workflows/pr-conventional-commits.yaml +++ b/.github/workflows/pr-conventional-commits.yaml @@ -5,9 +5,9 @@ name: Conventional Commits PR Check on: pull_request: types: - - opened - - edited - - synchronize + - opened + - edited + - synchronize permissions: pull-requests: read @@ -16,5 +16,8 @@ jobs: name: Conventional Commits runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: webiny/action-conventional-commits@v1.3.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - uses: webiny/action-conventional-commits@v1.3.0 diff --git a/.github/workflows/pr-lint-title.yaml b/.github/workflows/pr-lint-title.yaml index 81c62b5b8..64a586539 100644 --- a/.github/workflows/pr-lint-title.yaml +++ b/.github/workflows/pr-lint-title.yaml @@ -5,8 +5,10 @@ name: "Lint PR Title" on: pull_request: types: - - opened - - edited + - opened + - edited + - synchronize + - reopened permissions: pull-requests: read @@ -16,6 +18,6 @@ jobs: name: Validate PR title runs-on: ubuntu-latest steps: - - uses: amannn/action-semantic-pull-request@v5 - env: - GITHUB_TOKEN: ${{ github.token }} + - uses: amannn/action-semantic-pull-request@v6 + env: + GITHUB_TOKEN: ${{ github.token }} diff --git a/.github/workflows/profanity-filter.yaml b/.github/workflows/profanity-filter.yaml index f7e0389d9..74926d3c3 100644 --- a/.github/workflows/profanity-filter.yaml +++ b/.github/workflows/profanity-filter.yaml 
@@ -14,16 +14,16 @@ permissions: pull-requests: write jobs: - call-apply-filter: - if: ${{ github.event_name == 'issue_comment' || github.event_name == 'issues' || (github.event_name == 'pull_request' && github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id) }} - uses: Netcracker/qubership-workflow-hub/.github/workflows/profanityFilter.yaml@main - warning: + apply-filter: runs-on: ubuntu-latest - if: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.repo.id != github.event.pull_request.head.repo.id }} steps: - - name: "Warning" - run: | - { - echo "⚠️ Pull request from fork! ⚠️" - echo "The action cannot be run over PRs from fork." - } >> "$GITHUB_STEP_SUMMARY" + - name: Scan issue or pull request for profanity + # Conditionally run the step if the actor isn't a bot + if: ${{ github.actor != 'dependabot[bot]' && github.actor != 'github-actions[bot]' }} + uses: IEvangelist/profanity-filter@9.07 + id: profanity-filter + with: + token: ${{ secrets.GITHUB_TOKEN }} + # See https://bit.ly/potty-mouth-replacement-strategies + replacement-strategy: middle-asterisk # See Replacement strategy + custom-profane-words-url: https://github.com/Hesham-Elbadawi/list-of-banned-words/raw/refs/heads/master/ru diff --git a/.github/workflows/super-linter.yaml b/.github/workflows/super-linter.yaml index 6d294c461..45c179b68 100644 --- a/.github/workflows/super-linter.yaml +++ b/.github/workflows/super-linter.yaml @@ -14,10 +14,10 @@ name: Lint Code Base on: push: branches: - - '**' + - '**' pull_request: branches: - - '**' + - '**' workflow_dispatch: inputs: full_scan: 
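Review bot: The new `apply-filter` step references `IEvangelist/profanity-filter@9.07` by a mutable ref and hands it a token in a workflow whose visible permissions include `pull-requests: write`, while the other actions touched in this series are pinned to full commit SHAs. Pin it the same way, `uses: IEvangelist/profanity-filter@<full-commit-sha> # 9.07` (placeholder; resolve the SHA from the release). `custom-profane-words-url` also reads its list from the `master` branch head of a third-party repository at run time, so whoever controls that branch decides which text the action rewrites; a URL fixed to a commit, or a copy kept inside this organisation, would remove that dependency. The hunk also drops the previous fork check on the job, and the trigger block is outside the hunk, so how the step behaves for fork pull requests should be confirmed.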
@@ -29,25 +29,70 @@ permissions: contents: read jobs: + prepare-configs: + runs-on: ubuntu-latest + steps: + - name: "Get the common linters configuration" + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + ref: main # fix/superlinter-config + repository: netcracker/.github + persist-credentials: false + sparse-checkout: | + config/linters + - name: "Upload the common linters configuration" + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: linter-config + path: "${{ github.workspace }}/config" + include-hidden-files: true run-lint: + needs: [prepare-configs] runs-on: ubuntu-latest + permissions: + contents: read + packages: read + # To report GitHub Actions status checks + statuses: write steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 + persist-credentials: false + - name: "Get the common linters configuration" + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 + id: download + with: + name: linter-config + path: /tmp/linter-config + - name: "Apply the common linters configuration" + if: ${{ steps.download.outputs.download-path != '' }} + run: | + mkdir -p ./.github/linters + cp --update=none -vRT /tmp/linter-config/linters ./.github/linters - name: "Load super-linter environment file" + shell: bash run: | # shellcheck disable=2086 - if [ -f "./.github/super-linter.env" ]; then - grep "\S" ./.github/super-linter.env | grep -v "^#" - grep "\S" ./.github/super-linter.env | grep -v "^#" >> $GITHUB_ENV + if [ -f "${GITHUB_WORKSPACE}/.github/super-linter.env" ]; then + echo "Applying local linter environment:" + grep "\S" ${GITHUB_WORKSPACE}/.github/super-linter.env | grep -v "^#" + grep "\S" ${GITHUB_WORKSPACE}/.github/super-linter.env | grep -v "^#" >> $GITHUB_ENV 
+ elif [ -f "/tmp/linter-config/linters/super-linter.env" ]; then + echo "::warning:: Local linter environment file .github/super-linter.env is not found" + echo "Applying common linter environment:" + grep "\S" /tmp/linter-config/linters/super-linter.env | grep -v "^#" + grep "\S" /tmp/linter-config/linters/super-linter.env | grep -v "^#" >> $GITHUB_ENV fi - name: Lint Code Base - uses: super-linter/super-linter/slim@v7.3.0 + uses: super-linter/super-linter/slim@ffde3b2b33b745cb612d787f669ef9442b1339a6 # v8.1.0 env: VALIDATE_ALL_CODEBASE: ${{ inputs.full_scan || false }} + # To report GitHub Actions status checks GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + DEFAULT_BRANCH: ${{ github.event.pull_request.base.ref || github.event.push.ref }} + From ae148f561f19529b3f360d911171c8fd5767c89e Mon Sep 17 00:00:00 2001 From: borislavr Date: Thu, 4 Sep 2025 12:45:43 +0000 Subject: [PATCH 2/4] chore: update of common workflows --- .github/workflows/automatic-pr-labeler.yaml | 11 +++++++++-- .github/workflows/pr-conventional-commits.yaml | 2 +- .github/workflows/pr-lint-title.yaml | 2 +- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/workflows/automatic-pr-labeler.yaml b/.github/workflows/automatic-pr-labeler.yaml index 03ef48913..4256aa3c8 100644 --- a/.github/workflows/automatic-pr-labeler.yaml +++ b/.github/workflows/automatic-pr-labeler.yaml 
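Review bot: The "Load super-linter environment file" step still appends every non-comment line of `.github/super-linter.env` to `$GITHUB_ENV`, and that file comes from the checked-out revision, so a pull request can set arbitrary environment variables for the later `Lint Code Base` step, which receives `GITHUB_TOKEN` in a job granted `statuses: write`. Restricting the copy to expected names bounds this, for example `grep -E '^(VALIDATE_|GITLEAKS_)[A-Z0-9_]*=' "${GITHUB_WORKSPACE}/.github/super-linter.env" >> "$GITHUB_ENV"` (prefixes taken from the keys visible in this series; extend as needed), and the quoting lets the `# shellcheck disable=2086` go; how far the exposure reaches depends on the trigger and token scope for fork pull requests. Separately, `github.event.push.ref` in `DEFAULT_BRANCH` is not a field of the push payload (the ref is `github.event.ref`, and it is a full `refs/heads/…` name), so on push and `workflow_dispatch` runs the expression evaluates to an empty string. `${{ github.event.pull_request.base.ref || github.event.repository.default_branch }}` would yield a branch name in each case.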
@@ -30,18 +30,25 @@ jobs: - name: "Execute assign labels" id: action-assign-labels - uses: mauroalderete/action-assign-labels@v1 + uses: mauroalderete/action-assign-labels@671a4ca2da0f900464c58b8b5540a1e07133e915 # v1.5.1 with: pull-request-number: ${{ github.event.pull_request.number }} github-token: ${{ github.token }} conventional-commits: "./.github/auto-labeler-config.yaml" maintain-labels-not-matched: true apply-changes: ${{ github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }} + + - name: Set labels-next safely + if: ${{ github.event.pull_request.base.repo.id != github.event.pull_request.head.repo.id }} + run: | + echo "LABELS_NEXT=$(echo ${STEPS_ACTION_ASSIGN_LABELS_OUTPUTS_LABELS_NEXT} | tr -dc 'a-zA-Z0-9-,')" >> $GITHUB_ENV + env: + STEPS_ACTION_ASSIGN_LABELS_OUTPUTS_LABELS_NEXT: ${{ steps.action-assign-labels.outputs.labels-next }} - name: "Drop warning if PR from fork" if: ${{ github.event.pull_request.base.repo.id != github.event.pull_request.head.repo.id }} run: | { echo "⚠️ Pull request from fork! ⚠️"; echo "Labels will not be applied to PR. Assign them manually please."; - echo "Labels to assign: ${{ steps.action-assign-labels.outputs.labels-next }}"; + echo "Labels to assign: '${LABELS_NEXT}'"; } >> "$GITHUB_STEP_SUMMARY" diff --git a/.github/workflows/pr-conventional-commits.yaml b/.github/workflows/pr-conventional-commits.yaml index 79dc9e084..889b68d6f 100644 --- a/.github/workflows/pr-conventional-commits.yaml +++ b/.github/workflows/pr-conventional-commits.yaml @@ -20,4 +20,4 @@ jobs: with: persist-credentials: false - - uses: webiny/action-conventional-commits@v1.3.0 + - uses: webiny/action-conventional-commits@8bc41ff4e7d423d56fa4905f6ff79209a78776c7 # v1.3.0 diff --git a/.github/workflows/pr-lint-title.yaml b/.github/workflows/pr-lint-title.yaml index 64a586539..ce7e52b4e 100644 --- a/.github/workflows/pr-lint-title.yaml +++ b/.github/workflows/pr-lint-title.yaml 
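Review bot: In the new "Set labels-next safely" step, `${STEPS_ACTION_ASSIGN_LABELS_OUTPUTS_LABELS_NEXT}` is expanded unquoted inside `$(echo …)`, so the shell applies word splitting and pathname expansion to the action output before `tr` filters it, and `echo` may treat a leading `-n` or `-e` as an option. Passing the value through `env:` is the right direction; quoting completes it: `echo "LABELS_NEXT=$(printf '%s' "${STEPS_ACTION_ASSIGN_LABELS_OUTPUTS_LABELS_NEXT}" | tr -dc 'a-zA-Z0-9-,')" >> "$GITHUB_ENV"`. The filter also removes spaces, `:`, `/` and `_`, so label names containing them will appear altered in the step summary. The job's earlier steps are outside this hunk.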
@@ -18,6 +18,6 @@ jobs: name: Validate PR title runs-on: ubuntu-latest steps: - - uses: amannn/action-semantic-pull-request@v6 + - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1 env: GITHUB_TOKEN: ${{ github.token }} From f4863d4a0b908c6f48828b892aa3ef104d1164c2 Mon Sep 17 00:00:00 2001 From: Alexey Karasev Date: Tue, 4 Nov 2025 13:18:55 +0500 Subject: [PATCH 3/4] chore(ci): disable several linters --- .github/super-linter.env | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/super-linter.env b/.github/super-linter.env index fcc611762..b83b99a44 100644 --- a/.github/super-linter.env +++ b/.github/super-linter.env @@ -6,5 +6,7 @@ GITLEAKS_LOG_LEVEL=warn # todo need to resolve all clones VALIDATE_JSCPD=false # Turned off because requires changing lists from "*" to "-" +VALIDATE_GITHUB_ACTIONS_ZIZMORR=false VALIDATE_MARKDOWN_PRETTIER=false +VALIDATE_TRIVYR=false VALIDATE_YAML_PRETTIER=false From ccae341b80a53efa3810134575c407df5a586cd0 Mon Sep 17 00:00:00 2001 From: Alexey Karasev Date: Tue, 4 Nov 2025 16:19:39 +0500 Subject: [PATCH 4/4] chore(ci): fix order of keys and key names --- .github/super-linter.env | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/super-linter.env b/.github/super-linter.env index b83b99a44..1b6896359 100644 --- a/.github/super-linter.env +++ b/.github/super-linter.env @@ -3,10 +3,8 @@ # name=value GITLEAKS_LOG_LEVEL=warn -# todo need to resolve all clones +VALIDATE_GITHUB_ACTIONS_ZIZMOR=false VALIDATE_JSCPD=false -# Turned off because requires changing lists from "*" to "-" -VALIDATE_GITHUB_ACTIONS_ZIZMORR=false VALIDATE_MARKDOWN_PRETTIER=false -VALIDATE_TRIVYR=false +VALIDATE_TRIVY=false VALIDATE_YAML_PRETTIER=false
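Review bot: `VALIDATE_GITHUB_ACTIONS_ZIZMOR=false` and `VALIDATE_TRIVY=false` in the last `super-linter.env` hunk switch off the two security scanners in this file, and the same hunk deletes the comments that explained why the other linters are disabled, so nothing records the reason or when they come back. zizmor audits workflow files for the kind of issue PATCH 1/4 and 2/4 fix by hand (unpinned actions, expressions expanded inside `run:`), so disabling it removes the regression check for that work. I would keep a reason above each switch, for example `# TODO(<tracking-issue>): re-enable after existing zizmor findings are triaged`, or narrow the scanners through their own configuration instead of turning them off entirely.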