-
-
Notifications
You must be signed in to change notification settings - Fork 2
85 lines (71 loc) · 2.32 KB
/
actionlint.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
name: actionlint
on:
push:
branches:
- main
paths:
- '.github/workflows/*.ya?ml'
pull_request:
paths:
- '.github/workflows/*.ya?ml'
defaults:
run:
shell: bash -xeuo pipefail {0}
concurrency:
group: "actionlint-${{ github.ref }}"
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
env:
HOMEBREW_DEVELOPER: 1
HOMEBREW_NO_AUTO_UPDATE: 1
HOMEBREW_NO_ENV_HINTS: 1
permissions: {}
# FIXME: The `Install tools` step fails inside the Docker container for some reason.
jobs:
workflow_syntax:
if: github.repository_owner == 'Homebrew'
runs-on: ubuntu-latest
steps:
- name: Set up Homebrew
id: setup-homebrew
uses: Homebrew/actions/setup-homebrew@master
with:
core: false
cask: false
test-bot: false
- name: Install tools
run: brew install actionlint shellcheck zizmor
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- run: zizmor --format sarif . > results.sarif
- name: Upload SARIF file
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
with:
name: results.sarif
path: results.sarif
- name: Set up actionlint
run: |
# Setting `shell: /bin/bash` prevents shellcheck from running on
# those steps, so let's change them to `shell: bash` for linting.
sed -i 's|shell: /bin/bash -x|shell: bash -x|' .github/workflows/*.y*ml
# The JSON matcher needs to be accessible to the container host.
cp "$(brew --repository)/.github/actionlint-matcher.json" "$HOME"
echo "::add-matcher::$HOME/actionlint-matcher.json"
- run: actionlint
upload_sarif:
needs: workflow_syntax
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Download SARIF file
uses: actions/download-artifact@b14cf4c92620c250e1c074ab0a5800e37df86765 # v4.2.0
with:
name: results.sarif
path: results.sarif
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
with:
sarif_file: results.sarif
category: zizmor