diff --git a/.github/workflows/lint-github-actions.yaml b/.github/workflows/lint-github-actions.yaml index 8d6758b..157bb01 100644 --- a/.github/workflows/lint-github-actions.yaml +++ b/.github/workflows/lint-github-actions.yaml @@ -20,6 +20,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token +permissions: + contents: read + jobs: lintGitHubActionsWithActionLint: runs-on: ubuntu-latest @@ -35,7 +39,7 @@ jobs: sparse-checkout-cone-mode: false - name: Lint GitHub Actions - uses: reviewdog/action-actionlint@v1 + uses: reviewdog/action-actionlint@a5524e1c19e62881d79c1f1b9b6f09f16356e281 # v1.65.2 - name: Check GitHub Actions with 'actionlint' # Ref: https://github.com/rhysd/actionlint/blob/main/docs/usage.md#use-actionlint-on-github-actions @@ -64,11 +68,5 @@ jobs: .github/workflows sparse-checkout-cone-mode: false - - name: Setup Rust - uses: actions-rust-lang/setup-rust-toolchain@v1 - - - name: Install zizmor - run: cargo install zizmor - - name: Run zizmor on GitHub Actions - run: zizmor .github/workflows/* + run: docker run --rm --network none -v "$PWD":/work:ro ghcr.io/woodruffw/zizmor:latest --offline /work/.github/workflows diff --git a/.github/workflows/lint-markdown.yaml b/.github/workflows/lint-markdown.yaml index 6d0c90b..b31ddcb 100644 --- a/.github/workflows/lint-markdown.yaml +++ b/.github/workflows/lint-markdown.yaml @@ -1,3 +1,4 @@ +# Generated by Gabo (https://github.com/ashishb/gabo) --- # Run this locally with act - https://github.com/nektos/act # act -j lintMarkdown 
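Review bot: The workflow-level `permissions:` block added after `cancel-in-progress: true` in lint-github-actions.yaml is the right default, but the reviewdog/action-actionlint step pinned further down in this file (and the copy appended to lint-yaml.yaml) reports through reviewdog, whose GitHub check and pull-request reporters may need `checks: write` or `pull-requests: write`; confirm against the action's documentation and, if required, grant it on that job only rather than widening the workflow block. The same `contents: read` block is added to lint-markdown.yaml, lint-shell-script.yaml, lint-yaml.yaml and validate-links.yml; validate-links.yml alone omits the `# Ref:` comment the others carry, which is worth aligning. The lintGitHubActionsWithActionLint job continues past the hunk.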
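Review bot: The new `run:` line for the zizmor step pulls `ghcr.io/woodruffw/zizmor:latest`, a mutable tag, in the same commit that pins every `uses:` to a commit SHA; a moving tag reintroduces exactly the supply-chain drift the pins remove and makes the lint result non-reproducible. Pin the image by digest and record the version in a comment, e.g. `ghcr.io/woodruffw/zizmor:<version>@sha256:<image digest>` (placeholders), since `--network none` and `--offline` only constrain the container after the image has already been pulled. The read-only bind mount of `$PWD` is good; keep it.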
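Review bot: The `# Generated by Gabo (...)` header placed above `---` in lint-markdown.yaml declares the file generator output, yet the same commit hand-pins `ruby/setup-ruby` to a commit SHA with a version comment in the next hunk; if the generator is re-run and does not itself emit those pins and the `permissions:` block, they could be silently reverted. Either confirm Gabo reproduces them, or extend the header, e.g. `# Generated by Gabo (https://github.com/ashishb/gabo); action pins and permissions are maintained by hand`. The same header is added to lint-shell-script.yaml and lint-yaml.yaml.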
@@ -5,34 +6,38 @@ name: Lint Markdown on: # yamllint disable-line rule:truthy push: - branches: [master, main] + branches: [main, master] paths: - - '**.md' - - '.github/workflows/lint-markdown.yaml' + - "**.md" + - ".github/workflows/lint-markdown.yaml" pull_request: - branches: [master, main] + branches: [main, master] paths: - - '**.md' - - '.github/workflows/lint-markdown.yaml' + - "**.md" + - ".github/workflows/lint-markdown.yaml" concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token +permissions: + contents: read + jobs: lintMarkdown: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - name: Checkout code + - name: Checkout repository uses: actions/checkout@v6 with: persist-credentials: false - name: Set up Ruby # See https://github.com/ruby/setup-ruby#versioning - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@13e7a03dc3ac6c3798f4570bfead2aed4d96abfb # v1.244.0 with: ruby-version: 3.0 diff --git a/.github/workflows/lint-shell-script.yaml b/.github/workflows/lint-shell-script.yaml index c09792d..698fbf4 100644 --- a/.github/workflows/lint-shell-script.yaml +++ b/.github/workflows/lint-shell-script.yaml 
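Review bot: `uses: actions/checkout@v6` stays on a mutable tag in the same hunk where `ruby/setup-ruby` is pinned to a commit SHA; the same mix appears in lint-shell-script.yaml and lint-github-actions.yaml. If the project deliberately exempts `actions/*` from hash pinning, say so in a comment beside the checkout step; otherwise pin it the same way, `uses: actions/checkout@<commit SHA> # v6` (placeholder). Separately, `ruby-version: 3.0` is an unquoted YAML float; write `ruby-version: "3.0"` so the action receives the string as written, and note that Ruby 3.0 is past upstream end-of-life. The lintMarkdown job continues past the hunk.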
@@ -1,27 +1,31 @@ +# Generated by Gabo (https://github.com/ashishb/gabo) --- # Run this locally with act - https://github.com/nektos/act # act -j lintShellScript name: Lint Shell scripts on: # yamllint disable-line rule:truthy - workflow_dispatch: push: - branches: [master, main] + branches: [main, master] paths: - - '**.sh' - - '**.bash' - - '.github/workflows/lint-shell-script.yaml' + - "**.sh" + - "**.bash" + - ".github/workflows/lint-shell-script.yaml" pull_request: - branches: [master, main] + branches: [main, master] paths: - - '**.sh' - - '**.bash' - - '.github/workflows/lint-shell-script.yaml' + - "**.sh" + - "**.bash" + - ".github/workflows/lint-shell-script.yaml" concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token +permissions: + contents: read + jobs: lintShellScript: @@ -29,10 +33,10 @@ jobs: timeout-minutes: 15 steps: - - name: Checkout code + - name: Checkout repository uses: actions/checkout@v6 with: persist-credentials: false - name: Run ShellCheck - uses: ludeeus/action-shellcheck@2.0.0 + uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0 diff --git a/.github/workflows/lint-yaml.yaml b/.github/workflows/lint-yaml.yaml index 32ef228..6d60239 100644 --- a/.github/workflows/lint-yaml.yaml +++ b/.github/workflows/lint-yaml.yaml @@ -1,3 +1,4 @@ +# Generated by Gabo (https://github.com/ashishb/gabo) --- # Run this locally with act - https://github.com/nektos/act # act -j lintYaml 
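Review bot: The `workflow_dispatch:` trigger is removed from lint-shell-script.yaml in this hunk with no corresponding change in the other workflows, so ShellCheck can no longer be started by hand while everything else in the commit is pinning and permissions hardening; this reads like an artifact of regenerating the file rather than a deliberate choice. If manual runs are still wanted, restore `workflow_dispatch:` under `on:`; if not, a short comment saying why this workflow differs from the others would help. The `on:` block is otherwise unchanged apart from quoting and branch order.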
@@ -5,24 +6,28 @@ name: Lint YAML on: # yamllint disable-line rule:truthy push: - branches: [master, main] + branches: [main, master] paths: - '**.yml' - '**.yaml' - '.github/workflows/**.yml' - '.github/workflows/**.yaml' pull_request: - branches: [master, main] + branches: [main, master] paths: - - '**.yml' - - '**.yaml' - - '.github/workflows/**.yml' - - '.github/workflows/**.yaml' + - "**.yml" + - "**.yaml" + - ".github/workflows/**.yml" + - ".github/workflows/**.yaml" concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token +permissions: + contents: read + jobs: lintYaml: runs-on: ubuntu-latest @@ -35,7 +40,7 @@ jobs: persist-credentials: false - name: Check YAML files with linter - uses: ibiqlik/action-yamllint@v3 + uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1 with: # All files under base dir file_or_dir: "." @@ -53,3 +58,6 @@ jobs: level: warning trailing-spaces: level: warning + + - name: Lint GitHub Actions + uses: reviewdog/action-actionlint@a5524e1c19e62881d79c1f1b9b6f09f16356e281 # v1.65.2 diff --git a/.github/workflows/validate-links.yml b/.github/workflows/validate-links.yml index e9ef552..aa06dbd 100644 --- a/.github/workflows/validate-links.yml +++ b/.github/workflows/validate-links.yml @@ -20,6 +20,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: validateLinks:
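Review bot: In lint-yaml.yaml the `pull_request.paths` entries are switched to double quotes while the `push.paths` entries a few lines above keep single quotes, leaving one `on:` block with both styles for identical globs. Convert both lists or neither; single quotes are the simpler form here, e.g. `- '**.yaml'`, since none of the values need escape sequences. If the yamllint step in this same file enforces a quoting style, the mixed result may fail the project's own lint.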
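Review bot: The `Lint GitHub Actions` step appended to lintYaml in lint-yaml.yaml duplicates the reviewdog/action-actionlint step that lint-github-actions.yaml already runs at the same commit SHA, so any change under .github/workflows now runs actionlint twice and reports each finding twice. Keep it in one workflow, most naturally lint-github-actions.yaml, or drop it there if lintYaml is meant to absorb it. Whichever file keeps it, a one-line comment above the step naming the other workflow as the single owner would prevent the duplication from creeping back.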