added worfklow for zizmor scanning #1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright (c) Microsoft Corporation. | |
| # Licensed under the MIT License. | |
| --- | |
| name: Spec Linting | |
| on: | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| paths: | |
| - .github/workflows/lint-specs.yml | |
| - '**.spec' | |
| branches: [main, 3.0, 3.0-dev] | |
| permissions: read-all | |
| jobs: | |
| spec-lint: | |
| name: Spec Linting | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Checkout the branch of our repo that triggered this action | |
| - name: Workflow trigger checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Get base commit for PRs | |
| if: ${{ github.event_name == 'pull_request' }} | |
| run: | | |
| base_ref="${BASE_REF}" | |
| echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV" | |
| echo "Merging ${{ github.sha }} into $base_ref" | |
| env: | |
| BASE_REF: ${{ github.base_ref }} | |
| - name: Get base commit for Pushes | |
| if: ${{ github.event_name == 'push' }} | |
| run: | | |
| echo "base_sha=${{ github.event.before }}" >> "$GITHUB_ENV" | |
| echo "Merging ${{ github.sha }} into ${{ github.event.before }}" | |
| - name: Get the changed files | |
| run: | | |
| git config --global --add safe.directory '*' | |
| echo "Files changed: '$(git diff-tree --no-commit-id --name-only -r ${{ env.base_sha }} ${{ github.sha }})'" | |
| changed_specs=$(git diff-tree --no-commit-id --name-only -r ${{ env.base_sha }} ${{ github.sha }} | { grep "SPECS.*/.*\.spec$" || test $? = 1; } | awk '{printf "%s ", $0}') | |
| echo "Files to validate: '${changed_specs}'" | |
| echo "updated-specs=${changed_specs}" >> "$GITHUB_ENV" | |
| - name: Main branch checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: '3.0' | |
| path: '3.0-checkout' | |
| persist-credentials: false | |
| # Our linter is based on the spec-cleaner tool from the folks at openSUSE | |
| # We apply a patch to modify it for our needs | |
| - name: spec-cleaner checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: 'rpm-software-management/spec-cleaner' | |
| ref: 'spec-cleaner-1.2.0' | |
| path: 'spec-cleaner' | |
| persist-credentials: false | |
| # For consistency, we use the same major/minor version of Python that Azure Linux ships | |
| - name: Setup Python 3.12 | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: 3.12 | |
| # We take our version of the linting tool from the master branch to ensure rules | |
| # are consistent across all branches | |
| - name: Patch spec-cleaner with specific lints requirement | |
| run: | | |
| pushd spec-cleaner | |
| git apply ../3.0-checkout/.github/workflows/azurelinux-spec-cleaner.patch | |
| popd | |
| shell: bash | |
| - name: Install patched spec-cleaner | |
| run: | | |
| python -m pip install --upgrade pip | |
| python -m pip install -e ./spec-cleaner | |
| # Set continue-on-error to true if we're blocking too many PRs here | |
| # We don't want this tool to have a low signal-to-noise ratio | |
| - name: Lint changed spec files | |
| run: | | |
| touch linted_specs.diff | |
| spec-cleaner -d --diff-prog="git --no-pager diff" ${{ env.updated-specs }} | tee linted_specs.diff | |
| if [ -s linted_specs.diff ] | |
| then | |
| echo -e "\n====================== LINTING FAILED ======================" | |
| echo "Specs are not correctly formatted." | |
| echo "A diff of the changes required is printed above." | |
| echo "Linting output is available in the linted_specs artifact." | |
| echo "Please properly format your specs according to the output before merging." | |
| exit 1 | |
| fi | |
| exit 0 | |
| - uses: actions/upload-artifact@v4 | |
| if: ${{ always() }} | |
| with: | |
| name: linted_specs | |
| path: linted_specs.diff | |
| if-no-files-found: ignore |