chore: update of common workflows

.github/super-linter.env

@@ -3,8 +3,8 @@
 # name=value
 
 GITLEAKS_LOG_LEVEL=warn
-# todo need to resolve all clones
+VALIDATE_GITHUB_ACTIONS_ZIZMOR=false
 VALIDATE_JSCPD=false
-# Turned off because requires changing lists from "*" to "-"
 VALIDATE_MARKDOWN_PRETTIER=false
+VALIDATE_TRIVY=false
 VALIDATE_YAML_PRETTIER=false

.github/workflows/automatic-pr-labeler.yaml

@@ -21,25 +21,34 @@ permissions:
 
 jobs:
   assign-labels:
-    if: github.event.pull_request.merged == false
+    if: (github.event.pull_request.merged == false) && (github.event.pull_request.user.login != 'dependabot[bot]') && (github.event.pull_request.user.login != 'github-actions[bot]')
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
-    - name: "Execute assign labels"
-      id: action-assign-labels
-      uses: mauroalderete/action-assign-labels@v1
-      with:
-        pull-request-number: ${{ github.event.pull_request.number }}
-        github-token: ${{ github.token }}
-        conventional-commits: "./.github/auto-labeler-config.yaml"
-        maintain-labels-not-matched: true
-        apply-changes: ${{ github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }}
-    - name: "Drop warning if PR from fork"
-      if: ${{ github.event.pull_request.base.repo.id != github.event.pull_request.head.repo.id }}
-      run: |
-        {
-          echo "⚠️ Pull request from fork! ⚠️"
-          echo "Labels will not be applied to PR. Assign them manually please."
-          echo "Labels to assign: ${{ steps.action-assign-labels.outputs.labels-next }}"
-        } >> "$GITHUB_STEP_SUMMARY"
+      - name: "Execute assign labels"
+        id: action-assign-labels
+        uses: mauroalderete/action-assign-labels@671a4ca2da0f900464c58b8b5540a1e07133e915 # v1.5.1
+        with:
+          pull-request-number: ${{ github.event.pull_request.number }}
+          github-token: ${{ github.token }}
+          conventional-commits: "./.github/auto-labeler-config.yaml"
+          maintain-labels-not-matched: true
+          apply-changes: ${{ github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }}
+
+      - name: Set labels-next safely
+        if: ${{ github.event.pull_request.base.repo.id != github.event.pull_request.head.repo.id }}
+        run: |
+          echo "LABELS_NEXT=$(echo ${STEPS_ACTION_ASSIGN_LABELS_OUTPUTS_LABELS_NEXT} | tr -dc 'a-zA-Z0-9-,')" >> $GITHUB_ENV
+        env:
+          STEPS_ACTION_ASSIGN_LABELS_OUTPUTS_LABELS_NEXT: ${{ steps.action-assign-labels.outputs.labels-next }}
+      - name: "Drop warning if PR from fork"
+        if: ${{ github.event.pull_request.base.repo.id != github.event.pull_request.head.repo.id }}
+        run: |
+          {
+            echo "⚠️ Pull request from fork! ⚠️";
+            echo "Labels will not be applied to PR. Assign them manually please.";
+            echo "Labels to assign: '${LABELS_NEXT}'";
+          } >> "$GITHUB_STEP_SUMMARY"

.github/workflows/pr-conventional-commits.yaml

@@ -5,9 +5,9 @@ name: Conventional Commits PR Check
 on:
   pull_request:
     types:
-    - opened
-    - edited
-    - synchronize
+      - opened
+      - edited
+      - synchronize
 
 permissions:
   pull-requests: read
@@ -16,5 +16,8 @@ jobs:
     name: Conventional Commits
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - uses: webiny/action-conventional-commits@v1.3.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - uses: webiny/action-conventional-commits@8bc41ff4e7d423d56fa4905f6ff79209a78776c7 # v1.3.0

.github/workflows/pr-lint-title.yaml

@@ -5,8 +5,10 @@ name: "Lint PR Title"
 on:
   pull_request:
     types:
-    - opened
-    - edited
+      - opened
+      - edited
+      - synchronize
+      - reopened
 
 permissions:
   pull-requests: read
@@ -16,6 +18,6 @@ jobs:
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
-    - uses: amannn/action-semantic-pull-request@v5
-      env:
-        GITHUB_TOKEN: ${{ github.token }}
+      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
+        env:
+          GITHUB_TOKEN: ${{ github.token }}

.github/workflows/profanity-filter.yaml

@@ -14,16 +14,16 @@ permissions:
   pull-requests: write
 
 jobs:
-  call-apply-filter:
-    if: ${{ github.event_name == 'issue_comment' || github.event_name == 'issues' || (github.event_name == 'pull_request' && github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id) }}
-    uses: Netcracker/qubership-workflow-hub/.github/workflows/profanityFilter.yaml@main
-  warning:
+  apply-filter:
     runs-on: ubuntu-latest
-    if: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.repo.id != github.event.pull_request.head.repo.id }}
     steps:
-    - name: "Warning"
-      run: |
-        {
-          echo "⚠️ Pull request from fork! ⚠️"
-          echo "The action cannot be run over PRs from fork."
-        } >> "$GITHUB_STEP_SUMMARY"
+    - name: Scan issue or pull request for profanity
+      # Conditionally run the step if the actor isn't a bot
+      if: ${{ github.actor != 'dependabot[bot]' && github.actor != 'github-actions[bot]' }}
+      uses: IEvangelist/profanity-filter@9.07
+      id: profanity-filter
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        # See https://bit.ly/potty-mouth-replacement-strategies
+        replacement-strategy: middle-asterisk # See Replacement strategy
+        custom-profane-words-url: https://github.com/Hesham-Elbadawi/list-of-banned-words/raw/refs/heads/master/ru

.github/workflows/super-linter.yaml

@@ -14,10 +14,10 @@ name: Lint Code Base
 on:
   push:
     branches:
-    - '**'
+      - '**'
   pull_request:
     branches:
-    - '**'
+      - '**'
   workflow_dispatch:
     inputs:
       full_scan:
@@ -29,25 +29,70 @@ permissions:
   contents: read
 
 jobs:
+  prepare-configs:
+    runs-on: ubuntu-latest
+    steps:
+    - name: "Get the common linters configuration"
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        ref: main # fix/superlinter-config
+        repository: netcracker/.github
+        persist-credentials: false
+        sparse-checkout: |
+          config/linters
+    - name: "Upload the common linters configuration"
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      with:
+        name: linter-config
+        path: "${{ github.workspace }}/config"
+        include-hidden-files: true
   run-lint:
+    needs: [prepare-configs]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+      # To report GitHub Actions status checks
+      statuses: write
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         # Full git history is needed to get a proper list of changed files within `super-linter`
         fetch-depth: 0
+        persist-credentials: false
+    - name: "Get the common linters configuration"
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      id: download
+      with:
+        name: linter-config
+        path: /tmp/linter-config
+    - name: "Apply the common linters configuration"
+      if: ${{ steps.download.outputs.download-path != '' }}
+      run: |
+        mkdir -p ./.github/linters
+        cp --update=none -vRT /tmp/linter-config/linters ./.github/linters
 
     - name: "Load super-linter environment file"
+      shell: bash
       run: |
         # shellcheck disable=2086
-        if [ -f "./.github/super-linter.env" ]; then
-          grep "\S" ./.github/super-linter.env | grep -v "^#"
-          grep "\S" ./.github/super-linter.env | grep -v "^#" >> $GITHUB_ENV
+        if [ -f "${GITHUB_WORKSPACE}/.github/super-linter.env" ]; then
+          echo "Applying local linter environment:"
+          grep "\S" ${GITHUB_WORKSPACE}/.github/super-linter.env | grep -v "^#"
+          grep "\S" ${GITHUB_WORKSPACE}/.github/super-linter.env | grep -v "^#" >> $GITHUB_ENV
+        elif [ -f "/tmp/linter-config/linters/super-linter.env" ]; then
+          echo "::warning:: Local linter environment file .github/super-linter.env is not found"
+          echo "Applying common linter environment:"
+          grep "\S" /tmp/linter-config/linters/super-linter.env | grep -v "^#"
+          grep "\S" /tmp/linter-config/linters/super-linter.env | grep -v "^#" >> $GITHUB_ENV
         fi
 
     - name: Lint Code Base
-      uses: super-linter/super-linter/slim@v7.3.0
+      uses: super-linter/super-linter/slim@ffde3b2b33b745cb612d787f669ef9442b1339a6 # v8.1.0
       env:
         VALIDATE_ALL_CODEBASE: ${{ inputs.full_scan || false }}
+        # To report GitHub Actions status checks
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        DEFAULT_BRANCH: ${{ github.event.pull_request.base.ref || github.event.push.ref }}
+