chore(deps): bump tempoxyz/changelogs from de0250123a1d70a2b64a458bd5efcf313986df7a to 57e22cb5bd8367edc8cc1450b9eb0aea75d6e019 #81
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Workflow Validation | |
| permissions: {} | |
| on: | |
| push: | |
| branches: [main, master] | |
| paths: | |
| - .github/workflows/** | |
| pull_request: | |
| branches: [main, master] | |
| paths: | |
| - .github/workflows/** | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: ${{ github.event_name == 'pull_request' }} | |
| jobs: | |
| actionlint: | |
| name: actionlint | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Install actionlint | |
| run: | | |
| set -euo pipefail | |
| version=1.7.8 | |
| expected_sha256="be92c2652ab7b6d08425428797ceabeb16e31a781c07bc388456b4e592f3e36a" | |
| curl -fsSL "https://github.com/rhysd/actionlint/releases/download/v${version}/actionlint_${version}_linux_amd64.tar.gz" -o /tmp/actionlint.tgz | |
| actual_sha256=$(sha256sum /tmp/actionlint.tgz | cut -d' ' -f1) | |
| if [ "$actual_sha256" != "$expected_sha256" ]; then | |
| echo "::error::actionlint checksum mismatch: expected $expected_sha256, got $actual_sha256" | |
| exit 1 | |
| fi | |
| tar -xzf /tmp/actionlint.tgz -C /tmp | |
| sudo mv /tmp/actionlint /usr/local/bin/actionlint | |
| - name: Run actionlint | |
| run: actionlint -color | |
| workflow-policy: | |
| name: workflow policy | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Enforce workflow security and fork-safety invariants | |
| run: | | |
| set -euo pipefail | |
| echo "Checking for mutable action refs..." | |
| if grep -REn "uses:[[:space:]]+[^#]+@(main|master)$" .github/workflows; then | |
| echo "::error::Found mutable action ref (@main/@master). Pin to a commit SHA." | |
| exit 1 | |
| fi | |
| echo "Checking changelog fork behavior..." | |
| grep -n "if: github.event.pull_request.head.repo.full_name != github.repository" .github/workflows/changelog.yml >/dev/null | |
| grep -n "if: github.event.pull_request.head.repo.full_name == github.repository" .github/workflows/changelog.yml >/dev/null | |
| echo "Checking tempo-lints fork-safe mode..." | |
| grep -n "post-comment:[[:space:]]\+false" .github/workflows/lint.yml >/dev/null | |
| echo "Checking pr-audit pinning and trust gate..." | |
| if grep -n "tempoxyz/gh-actions/.github/workflows/pr-audit.yml@main" .github/workflows/pr-audit.yml; then | |
| echo "::error::pr-audit reusable workflow must be pinned to a commit SHA." | |
| exit 1 | |
| fi | |
| grep -n "contains(fromJson('\[\"OWNER\",\"MEMBER\",\"COLLABORATOR\"\]'), github.event.comment.author_association)" .github/workflows/pr-audit.yml >/dev/null | |
| echo "Checking pull_request_target hardening..." | |
| grep -n "pull_request_target:" .github/workflows/changelog-generate.yml >/dev/null | |
| grep -n "if: steps.source.outputs.same_repo == 'true'" .github/workflows/changelog-generate.yml >/dev/null | |
| # The push must go to the validated branch ref via an authenticated URL | |
| # (App-token), since persist-credentials=false on the checkout step. | |
| grep -n "git push \"https://x-access-token:\${APP_TOKEN}@github.com/\${GITHUB_REPOSITORY}.git\" \"HEAD:" .github/workflows/changelog-generate.yml >/dev/null | |
| if grep -n "git checkout -b \$\{\{ github.event.pull_request.head.ref \}\}" .github/workflows/changelog-generate.yml; then | |
| echo "::error::Unsafe branch checkout pattern detected in changelog generation workflow." | |
| exit 1 | |
| fi | |
| echo "Workflow policy checks passed." |