From de8cb2208c29289cedeca376eacaafd425c3179f Mon Sep 17 00:00:00 2001 From: Andrew Vaughan Date: Sat, 21 Oct 2023 10:34:20 -0400 Subject: [PATCH 01/17] Fix: Resolve Checkov CKV2_GHA_1 error by setting root permissions for workflows (closes #3026) --- .github/workflows/mega-linter-for-runner.yml | 2 ++ .github/workflows/mega-linter.yml | 2 ++ CHANGELOG.md | 1 + README.md | 4 +++- TEMPLATES/mega-linter.yml | 2 ++ docs/install-github.md | 2 ++ .../generators/mega-linter/templates/mega-linter.yml | 2 ++ 7 files changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/mega-linter-for-runner.yml b/.github/workflows/mega-linter-for-runner.yml index 8fdd35751c5..e9033d443be 100644 --- a/.github/workflows/mega-linter-for-runner.yml +++ b/.github/workflows/mega-linter-for-runner.yml @@ -32,6 +32,8 @@ env: # or posted in a PR (pull_request) APPLY_FIXES_MODE: commit +permissions: read-all # All jobs should have read-only access, unless explicitly given + concurrency: group: ${{ github.ref }}-${{ github.workflow }} cancel-in-progress: true diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index d7b2e1f9bdc..ca15a20d613 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml @@ -32,6 +32,8 @@ env: # or posted in a PR (pull_request) APPLY_FIXES_MODE: commit +permissions: read-all # All jobs should have read-only access, unless explicitly given + concurrency: group: ${{ github.ref }}-${{ github.workflow }} cancel-in-progress: true diff --git a/CHANGELOG.md b/CHANGELOG.md index 31a475c9199..60d73916177 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
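Review bot: `permissions: read-all` grants read on every scope of `GITHUB_TOKEN`, which is broader than this workflow needs; the least-privilege form that also satisfies CKV2_GHA_1 is an explicit map, `permissions:` followed by `  contents: read`, so every scope not listed is denied rather than granted. The same line is added to mega-linter.yml, TEMPLATES/mega-linter.yml and the generator template mega-linter.yml in this patch. A top-level default only applies to jobs that declare no `permissions` of their own, and the single MegaLinter job in these workflows appears to carry its own block with `contents`, `issues` and `pull-requests` set to `write` (visible as context in the following patch), so the effective privilege of that job is unchanged and this line is a safety net for jobs added later. Worth saying so in the inline comment, e.g. `# Default for any job without its own permissions block; the MegaLinter job grants write scopes below`.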
@@ -30,6 +30,7 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l - Fixes - build.py: Remove exclusivity between pip, gem & cargo packages - Salesforce linters: Switch sfdx-cli to @salesforce/cli + - Set default permissions to all workflows to `read-only` to increase security and prevent Checkov `CKV2_GHA_1` errors - Fixed issue with `actionlint` throwing an error on `if` statements in the generated workflow file - Added default `.devskim.json` to mitigate errors introduced when no config exists diff --git a/README.md b/README.md index 2e729c42ef1..7c99756c208 100644 --- a/README.md +++ b/README.md @@ -75,7 +75,7 @@ _Github PR reporter_ ## Table of Contents -- [MegaLinter, by](#megalinter-by-) +- [MegaLinter, by ](#megalinter-by-) - [Table of Contents](#table-of-contents) - [Why MegaLinter](#why-megalinter) - [Quick Start](#quick-start) @@ -439,6 +439,8 @@ env: # Comment env block if you don't want to apply fixes APPLY_FIXES_EVENT: pull_request # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all) APPLY_FIXES_MODE: commit # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request) +permissions: read-all # All jobs should have read-only access, unless explicitly given + concurrency: group: ${{ github.ref }}-${{ github.workflow }} cancel-in-progress: true diff --git a/TEMPLATES/mega-linter.yml b/TEMPLATES/mega-linter.yml index 633cf78d25a..0d7564e4f45 100644 --- a/TEMPLATES/mega-linter.yml +++ b/TEMPLATES/mega-linter.yml @@ -31,6 +31,8 @@ env: # or posted in a PR (pull_request) APPLY_FIXES_MODE: commit +permissions: read-all # All jobs should have read-only access, unless explicitly given + concurrency: group: ${{ github.ref }}-${{ github.workflow }} cancel-in-progress: true diff --git a/docs/install-github.md b/docs/install-github.md index 1c225e2413a..f9a0f37464c 100644 --- a/docs/install-github.md +++ b/docs/install-github.md 
@@ -38,6 +38,8 @@ on: pull_request: branches: [master, main] +permissions: read-all # All jobs should have read-only access, unless explicitly given + env: # Comment env block if you don't want to apply fixes # Apply linter fixes configuration APPLY_FIXES: all # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool) diff --git a/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml b/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml index 1b1376bd274..e459fa46aaf 100644 --- a/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml +++ b/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml @@ -31,6 +31,8 @@ env: # or posted in a PR (pull_request) APPLY_FIXES_MODE: commit +permissions: read-all # All jobs should have read-only access, unless explicitly given + concurrency: group: ${{ github.ref }}-${{ github.workflow }} cancel-in-progress: true From 19a44f68646dd291399713a33bd1a8e265d02e01 Mon Sep 17 00:00:00 2001 From: Andrew Vaughan Date: Sat, 21 Oct 2023 12:25:46 -0400 Subject: [PATCH 02/17] Docs: Enhanced .mega-linter.yml documentation and removed logical error --- .github/workflows/mega-linter-for-runner.yml | 352 +++++++++++++----- .github/workflows/mega-linter.yml | 351 ++++++++++++----- CHANGELOG.md | 1 + README.md | 342 +++++++++++++++-- TEMPLATES/mega-linter.yml | 324 ++++++++++++---- docs/install-github.md | 335 +++++++++++++++-- .../generators/mega-linter/index.js | 7 +- .../mega-linter/templates/mega-linter.yml | 241 ++++++++++-- 8 files changed, 1584 insertions(+), 369 deletions(-) diff --git a/.github/workflows/mega-linter-for-runner.yml b/.github/workflows/mega-linter-for-runner.yml index e9033d443be..570212f1681 100644 --- a/.github/workflows/mega-linter-for-runner.yml +++ b/.github/workflows/mega-linter-for-runner.yml 
@@ -1,39 +1,119 @@ -# MegaLinter GitHub Action configuration file -# More info at https://megalinter.io +## +# MegaLinter GitHub Action configuration file. +# +# MegaLinter is an Open-Source tool for CI/CD workflows that analyzes the +# consistency of your code, IAC, configuration, and scripts in your repository +# sources, to ensure all your projects sources are clean and formatted whatever +# IDE/toolbox is used by their developers, powered by OX Security. +# +# More info at: +# https://megalinter.io +# --- -name: MegaLinter for mega-linter-runner # ml workflow change +name: MegaLinter -# Trigger mega-linter at every push. Action will also be visible from Pull -# Requests to main +## +# By default, Megalinter runs whenever a Pull Request is opened with the default +# branch, or on any push. +# +# Later logic enforces a full code-wide test on only the `production` and +# `staging` Branches. The default Branch only has changed files linted for +# efficiency. +# on: - # Comment this line to trigger action only on pull-requests - # (not recommended if you don't pay for GH Actions) + + ## + # To only have MegaLinter run on Pull Requests, comment out the following line. + # It is not recommended to use `push` linting on all pushes (the default, + # here)if you do not pay for GitHub Actions. + # + # Some projects also prefer to limit push linting to specific branches, such + # as when a `production` branch is updated. This can be done by adding a + # `branches` filter, here, such as: + # + # push: + # branches: + # - production + # push: + ## + # Run whenever a Pull Request occurs on the `main`, `master`, and `alpha` + # branches. + # pull_request: branches: - main - master - - alpha # ml workflow addition + - alpha -# Comment env block if you do not want to apply fixes +## +# By default, Megalinter runs whenever a Pull Request is opened with the default +# branch, or on any push. 
+# +# Later logic enforces a full code-wide test on only the `production` and +# `staging` Branches. The default Branch only has changed files linted for +# efficiency. +# env: - # Apply linter fixes configuration + + ## + # Automatically applies formatting fixes during linting for linters that + # support fixes. This is set to `all` to apply fixes from all linters, or can + # be a list of comma-separated linter keys. # - # When active, APPLY_FIXES must also be defined as environment variable + # When active, `APPLY_FIXES` must also be defined as environment variable # (in github/workflows/mega-linter.yml or other CI tool) + # + # More info at: + # https://megalinter.io/latest/config-apply-fixes/ + # APPLY_FIXES: all - # Decide which event triggers application of fixes in a commit or a PR - # (pull_request, push, all) + ## + # Only applies if `APPLY_FIXES` is enabled. + # + # Defines which GitHub event triggers the application of fixes. Options + # include: + # + # - `all` - whenever any of the below events occur + # - `pull_request` - whenever a Pull Request occurs in GitHub (default) + # - `push` - whenever a push occurs to a branch + # APPLY_FIXES_EVENT: pull_request - - # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) - # or posted in a PR (pull_request) + + ## + # Only applies if `APPLY_FIXES` is enabled. + # + # Defines how fixes are applied to the repository. Options include: + # + # - `commit` - the fixes are directly committed to the repository (default) + # - `pull_request` - the fixes are posted in a separate Pull Request for review + # APPLY_FIXES_MODE: commit -permissions: read-all # All jobs should have read-only access, unless explicitly given +## +# Sets all jobs to have `read-all` permissions by default, instead of GitHub's +# insecure default of `write-all`. +# +# Do not change permissions here. Instead, update permissions per-job, below. 
+# +# More info at: +# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs +# +permissions: read-all +## +# When this workflow is triggered, if another MegaLinter workflow is already +# running on the target branch, the old workflow will be canceled to reduce +# unnecessary runner usage. +# +# There is usually no need to modify this area, unless you wish to change how +# concurrency is managed in your workflow. +# +# More info at: +# https://docs.github.com/en/actions/using-jobs/using-concurrency +# concurrency: group: ${{ github.ref }}-${{ github.workflow }} cancel-in-progress: true 
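Review bot: The header comment above `env:` is a copy of the comment above `on:` ("By default, Megalinter runs whenever a Pull Request is opened…") and says nothing about the fix-application variables it introduces; the sibling hunk in mega-linter.yml has the intended text ("This `env` section can be entirely removed or commented out if you do not wish for fixes to be applied…") and should be used here too. Both comments also state that "Later logic enforces a full code-wide test on only the `production` and `staging` Branches", but the `VALIDATE_ALL_CODEBASE` logic later in these files refers to `main` and `master` only, so the sentence misleads whoever reads the trigger block; the same text appears in the mega-linter.yml hunk at @@ -1,39 +1,118. Minor wording in the same places: "here)if" is missing a space, and the claim that GitHub's default is `write-all` depends on the repository or organisation token setting, so `# instead of the permissive default that some repositories still use` is safer than asserting it.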
@@ -43,70 +123,136 @@ jobs: name: MegaLinter runs-on: ubuntu-latest - # Give the default GITHUB_TOKEN write permission to commit and push, comment - # issues & post new PR; remove the ones you do not need + ## + # This job's `GITHUB_TOKEN` or your added `PAT` must have the following + # permissions enabled to `write` for MegaLinter to function. + # + # Always aim to provide as few permissions as possible for personal access + # tokens. By default, all permissions are set to read only. Write + # permissions must be set for the following scopes in the described + # circumstances: + # + # To have MegaLinter write and update a linting report comment on Pull + # Requests, the `pull-requests` and `issues` permissions must be `write`. + # + # To enable `APPLY_FIXES`, the `pull-requests` and `contents` permissions + # must be `write`. + # + # More info at: + # https://docs.github.com/en/actions/security-guides/automatic-token-authentication + # permissions: contents: write issues: write pull-requests: write - environment: # ml workflow addition - name: dev # ml workflow addition + + ## + # Sets the runner environment name to `dev`. Specific to this workflow. + # + environment: + name: dev steps: - # Git Checkout + ## + # Clone the Repository for linting. + # + # More info at: + # https://github.com/actions/checkout + # - name: Checkout Code uses: actions/checkout@v4 with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} - # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to - # improve performance + ## + # A fetch depth of `0` pulls the entire Repository's history, + # Branches, and Tags. Limiting this to `1` (or commenting out the + # line, as this is the default) increases efficiency, but is only + # applicable when `VALIDATE_ALL_CODE_BASE = true`. + # fetch-depth: 0 - # MegaLinter + ## + # Run MegaLinter. 
+ # + # More info at: + # https://github.com/oxsecurity/megalinter + # - name: MegaLinter - - # You can override MegaLinter flavor used to have faster performances - # More info at https://megalinter.io/flavors/ - uses: oxsecurity/megalinter/flavors/javascript@beta # ml workflow change - id: ml - # All available variables are described in documentation - # https://megalinter.io/configuration/ + ## + # The full MegaLinter project can be over 8GB in size! This is due to it including every linter available for + # the full MegaLinter project. It is highly recommended to select a more refined "flavor" that better-matches + # your project by changing the image used here. + # + # For example, a Python project may elect to use: + # + # oxsecurity/megalinter/flavors/python@v7 + # + # More info at: + # https://megalinter.io/flavors/ + # + uses: oxsecurity/megalinter/flavors/javascript@beta + + ## + # These variables will override project configurations, including those + # set in the `.mega-linter.yml` file. This is useful for creating + # conditional exceptions during GitHub workflows, for example, when + # linting a production deployment. + # + # https://megalinter.io/latest/config-file/ + # env: - DEFAULT_WORKSPACE: mega-linter-runner # ml workflow addition - # Validates all source when push on main, else just the git diff with - # main. Override with true if you always want to lint all sources + ## + # By default, this validates full codebase whenever a push to the + # default branch occurs. Otherwise, only the `git diff` files will + # be linted for better efficiency. 
# - # To validate the entire codebase, set to: - # VALIDATE_ALL_CODEBASE: true + # This can be overridden to always lint the codebase with: + # + # VALIDATE_ALL_CODEBASE: true + # + # To validate only `git diff`` with the default branch on push: # - # To validate only diff with main, set to: # VALIDATE_ALL_CODEBASE: >- # ${{ # github.event_name == 'push' && - # contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref) - # }} - VALIDATE_ALL_CODEBASE: true # ml workflow change - # >- - # ${{ - # github.event_name == 'push' && - # contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref) + # ( + # github.ref == 'refs/heads/main' || + # github.ref == 'refs/heads/master' + # ) # }} + # + VALIDATE_ALL_CODEBASE: true + ## + # This token is automatically created on the GitHub server and you + # should not modify this line. + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE - # .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY + ## + # Add any other variables you wish to override from `.mega-linter.yml` + # below this line. + # - # Uncomment to disable copy-paste and spell checks - # DISABLE: COPYPASTE,SPELL + DEFAULT_WORKSPACE: mega-linter-runner - # Upload MegaLinter artifacts + ## + # Upload MegaLinter artifacts. + # + # This stores each report and log from tests for your reference on the + # GitHub Action report. + # + # More info at: + # https://github.com/actions/upload-artifact + # https://megalinter.io/latest/reporters/ + # - name: Archive production artifacts + if: success() || failure() uses: actions/upload-artifact@v3 if: ${{ success() }} || ${{ failure() }} with: 
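Review bot: The "Archive production artifacts" step now carries two `if:` keys, the added `if: success() || failure()` and the original `if: ${{ success() }} || ${{ failure() }}` left in place as context; that is a duplicate mapping key, which yamllint flags and the workflow parser is likely to reject, so the old line should be deleted as the mega-linter.yml hunk does. The new comment on the job `permissions` block says the `GITHUB_TOKEN` "or your added `PAT`" must have these scopes, but the `permissions` key only scopes `GITHUB_TOKEN`; a PAT's access is fixed when it is created and is neither narrowed nor widened here, so the comment should instead say that `secrets.PAT`, if supplied, needs the equivalent scopes granted on the token itself — the same text is in the mega-linter.yml hunk at @@ -43,133 +122,231. The fetch-depth comment refers to `VALIDATE_ALL_CODE_BASE`, which is not the variable name used below (`VALIDATE_ALL_CODEBASE`), and the comment above the variable has a stray double backtick in "`git diff``"; both also appear in the mega-linter.yml hunk.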
@@ -115,61 +261,91 @@ jobs: megalinter-reports mega-linter.log - # Set APPLY_FIXES_IF var for use in future steps - - name: Set APPLY_FIXES_IF var - run: | - printf 'APPLY_FIXES_IF=%s\n' "${{ - steps.ml.outputs.has_updated_sources == 1 && - ( - env.APPLY_FIXES_EVENT == 'all' || - env.APPLY_FIXES_EVENT == github.event_name - ) && - ( - github.event_name == 'push' || - github.event.pull_request.head.repo.full_name == github.repository - ) - }}" >> "${GITHUB_ENV}" - - # Set APPLY_FIXES_IF_* vars for use in future steps - - name: Set APPLY_FIXES_IF_* vars - run: | - printf 'APPLY_FIXES_IF_PR=%s\n' "${{ - env.APPLY_FIXES_IF == 'true' && - env.APPLY_FIXES_MODE == 'pull_request' - }}" >> "${GITHUB_ENV}" - printf 'APPLY_FIXES_IF_COMMIT=%s\n' "${{ - env.APPLY_FIXES_IF == 'true' && - env.APPLY_FIXES_MODE == 'commit' && - (!contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)) - }}" >> "${GITHUB_ENV}" - - # Create pull request if applicable - # (for now works only on PR from same repository, not from forks) + ## + # Create a Pull Request with any automatic fixes from linters that support + # fixing, if configured to do so via `APPLY_FIXES` and if + # `APPLY_FIXES_MODE` is set to `pull_request`. + # + # This doesn't currently work for forks, only Pull Requests from the same + # repository will have a new Pull Request created. 
+ # - name: Create Pull Request with applied fixes uses: peter-evans/create-pull-request@v5 id: cpr - if: env.APPLY_FIXES_IF_PR == 'true' + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'pull_request' && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) && + !contains(github.event.head_commit.message, 'skip fix') with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} commit-message: "[MegaLinter] Apply linters automatic fixes" title: "[MegaLinter] Apply linters automatic fixes" labels: bot - - name: Create PR output - if: env.APPLY_FIXES_IF_PR == 'true' + - name: Create Pull Request output + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'pull_request' && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) && + !contains(github.event.head_commit.message, 'skip fix') run: | echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}" echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}" - # Push new commit if applicable - # (for now works only on PR from same repository, not from forks) + ## + # Create a commit with any automatic fixes from linters that support + # fixing, if configured to do so via `APPLY_FIXES` and if + # `APPLY_FIXES_MODE` is set to `commit`. + # + # This doesn't currently work for forks, only Pull Requests from the same + # repository will have a new Pull Request created. 
+ # - name: Prepare commit - if: env.APPLY_FIXES_IF_COMMIT == 'true' + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'commit' && + github.ref != 'refs/heads/main' && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) && + !contains(github.event.head_commit.message, 'skip fix') run: sudo chown -Rc $UID .git/ - name: Commit and push applied linter fixes - uses: stefanzweifel/git-auto-commit-action@v5 - if: env.APPLY_FIXES_IF_COMMIT == 'true' + uses: stefanzweifel/git-auto-commit-action@v4 + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'commit' && + github.ref != 'refs/heads/main' && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) && + !contains(github.event.head_commit.message, 'skip fix') with: branch: >- ${{ diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index ca15a20d613..48954f58ee4 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml 
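Review bot: `uses: stefanzweifel/git-auto-commit-action@v5` is changed to `@v4` in the "Commit and push applied linter fixes" step, which reads as an accidental downgrade of a pinned action rather than part of the documentation rewrite; keep `@v5` unless the move is intentional, in which case the commit message should say why. The rewritten commit-mode conditions also replace `!contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)` with `github.ref != 'refs/heads/main'`, so a push to `master` — still a trigger branch for these workflows — would now have fixes committed directly to it; `github.ref != 'refs/heads/main' && github.ref != 'refs/heads/master'` preserves the old guard. The new `!contains(github.event.head_commit.message, 'skip fix')` clause presumably only has an effect on `push` events, since `head_commit` is part of the push payload; on `pull_request` runs it likely evaluates to true and silently does nothing, which the step comment should mention. Finally, the same thirteen-line expression is now copied verbatim into four steps here (and four more in the mega-linter.yml hunk at @@ -43,133 +122,231); the `APPLY_FIXES_IF*` variables this commit removes kept it in one place, so if they are dropped deliberately a short comment explaining why would help the next editor.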
@@ -1,39 +1,118 @@ -# MegaLinter GitHub Action configuration file -# More info at https://megalinter.io +## +# MegaLinter GitHub Action configuration file. +# +# MegaLinter is an Open-Source tool for CI/CD workflows that analyzes the +# consistency of your code, IAC, configuration, and scripts in your repository +# sources, to ensure all your projects sources are clean and formatted whatever +# IDE/toolbox is used by their developers, powered by OX Security. +# +# More info at: +# https://megalinter.io +# --- name: MegaLinter -# Trigger mega-linter at every push. Action will also be visible from Pull -# Requests to main +## +# By default, Megalinter runs whenever a Pull Request is opened with the default +# branch, or on any push. +# +# Later logic enforces a full code-wide test on only the `production` and +# `staging` Branches. The default Branch only has changed files linted for +# efficiency. +# on: - # Comment this line to trigger action only on pull-requests - # (not recommended if you don't pay for GH Actions) + + ## + # To only have MegaLinter run on Pull Requests, comment out the following line. + # It is not recommended to use `push` linting on all pushes (the default, + # here)if you do not pay for GitHub Actions. + # + # Some projects also prefer to limit push linting to specific branches, such + # as when a `production` branch is updated. This can be done by adding a + # `branches` filter, here, such as: + # + # push: + # branches: + # - production + # push: + ## + # Run whenever a Pull Request occurs on the `main`, `master`, and `alpha` + # branches. + # pull_request: branches: - main - master - - alpha # ml workflow addition + - alpha -# Comment env block if you do not want to apply fixes +## +# This `env` section can be entirely removed or commented out if you do not wish +# for fixes to be applied during the MegaLinter run. 
+# +# More info at: +# https://docs.github.com/en/actions/learn-github-actions/contexts#env-context +# env: - # Apply linter fixes configuration + + ## + # Automatically applies formatting fixes during linting for linters that + # support fixes. This is set to `all` to apply fixes from all linters, or can + # be a list of comma-separated linter keys. # - # When active, APPLY_FIXES must also be defined as environment variable + # When active, `APPLY_FIXES` must also be defined as environment variable # (in github/workflows/mega-linter.yml or other CI tool) + # + # More info at: + # https://megalinter.io/latest/config-apply-fixes/ + # APPLY_FIXES: all - # Decide which event triggers application of fixes in a commit or a PR - # (pull_request, push, all) + ## + # Only applies if `APPLY_FIXES` is enabled. + # + # Defines which GitHub event triggers the application of fixes. Options + # include: + # + # - `all` - whenever any of the below events occur + # - `pull_request` - whenever a Pull Request occurs in GitHub (default) + # - `push` - whenever a push occurs to a branch + # APPLY_FIXES_EVENT: pull_request - # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) - # or posted in a PR (pull_request) + ## + # Only applies if `APPLY_FIXES` is enabled. + # + # Defines how fixes are applied to the repository. Options include: + # + # - `commit` - the fixes are directly committed to the repository (default) + # - `pull_request` - the fixes are posted in a separate Pull Request for review + # APPLY_FIXES_MODE: commit -permissions: read-all # All jobs should have read-only access, unless explicitly given +## +# Sets all jobs to have `read-all` permissions by default, instead of GitHub's +# insecure default of `write-all`. +# +# Do not change permissions here. Instead, update permissions per-job, below. 
+# +# More info at: +# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs +# +permissions: read-all +## +# When this workflow is triggered, if another MegaLinter workflow is already +# running on the target branch, the old workflow will be canceled to reduce +# unnecessary runner usage. +# +# There is usually no need to modify this area, unless you wish to change how +# concurrency is managed in your workflow. +# +# More info at: +# https://docs.github.com/en/actions/using-jobs/using-concurrency +# concurrency: group: ${{ github.ref }}-${{ github.workflow }} cancel-in-progress: true 
@@ -43,133 +122,231 @@ jobs: name: MegaLinter runs-on: ubuntu-latest - # Give the default GITHUB_TOKEN write permission to commit and push, comment - # issues & post new PR; remove the ones you do not need + ## + # This job's `GITHUB_TOKEN` or your added `PAT` must have the following + # permissions enabled to `write` for MegaLinter to function. + # + # Always aim to provide as few permissions as possible for personal access + # tokens. By default, all permissions are set to read only. Write + # permissions must be set for the following scopes in the described + # circumstances: + # + # To have MegaLinter write and update a linting report comment on Pull + # Requests, the `pull-requests` and `issues` permissions must be `write`. + # + # To enable `APPLY_FIXES`, the `pull-requests` and `contents` permissions + # must be `write`. + # + # More info at: + # https://docs.github.com/en/actions/security-guides/automatic-token-authentication + # permissions: contents: write issues: write pull-requests: write - environment: # ml workflow addition - name: dev # ml workflow addition + ## + # Sets the runner environment name to `dev`. Specific to this workflow. + # + environment: + name: dev + steps: - # Git Checkout + ## + # Clone the Repository for linting. + # + # More info at: + # https://github.com/actions/checkout + # - name: Checkout Code uses: actions/checkout@v4 with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} - # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to - # improve performance + ## + # A fetch depth of `0` pulls the entire Repository's history, + # Branches, and Tags. Limiting this to `1` (or commenting out the + # line, as this is the default) increases efficiency, but is only + # applicable when `VALIDATE_ALL_CODE_BASE = true`. 
+ # fetch-depth: 0 # MegaLinter - name: MegaLinter - - # You can override MegaLinter flavor used to have faster performances - # More info at https://megalinter.io/flavors/ - uses: oxsecurity/megalinter/flavors/python@beta # ml workflow change - id: ml - # All available variables are described in documentation - # https://megalinter.io/configuration/ - env: + ## + # The full MegaLinter project can be over 8GB in size! This is due to it + # including every linter available for the full MegaLinter project. It + # is highly recommended to select a more refined "flavor" that better + # matches your project by changing the image used here. + # + # For example, a Python project may elect to use: + # + # oxsecurity/megalinter/flavors/python@v7 + # + # More info at: + # https://megalinter.io/flavors/ + # + uses: oxsecurity/megalinter/flavors/python@beta - # Validates all source when push on main, else just the git diff with - # main. Override with true if you always want to lint all sources + ## + # These variables will override project configurations, including those + # set in the `.mega-linter.yml` file. This is useful for creating + # conditional exceptions during GitHub workflows, for example, when + # linting a production deployment. + # + # https://megalinter.io/latest/config-file/ + # + env: + + ## + # By default, this validates full codebase whenever a push to the + # default branch occurs. Otherwise, only the `git diff` files will + # be linted for better efficiency. 
# - # To validate the entire codebase, set to: - # VALIDATE_ALL_CODEBASE: true + # This can be overridden to always lint the codebase with: + # + # VALIDATE_ALL_CODEBASE: true + # + # To validate only `git diff`` with the default branch on push: # - # To validate only diff with main, set to: # VALIDATE_ALL_CODEBASE: >- # ${{ # github.event_name == 'push' && - # contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref) - # }} - VALIDATE_ALL_CODEBASE: true # ml workflow change - # >- - # ${{ - # github.event_name == 'push' && - # contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref) + # ( + # github.ref == 'refs/heads/main' || + # github.ref == 'refs/heads/master' + # ) # }} + # + VALIDATE_ALL_CODEBASE: >- + ${{ + github.event_name == 'push' && + ( + github.ref == 'refs/heads/main' || + github.ref == 'refs/heads/master' + ) + }} + ## + # This token is automatically created on the GitHub server and you + # should not modify this line. + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - EMAIL_REPORTER_SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }} # ml workflow addtion - # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE - # .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY + ## + # Add any other variables you wish to override from `.mega-linter.yml` + # below this line. + # - # Uncomment to disable copy-paste and spell checks - # DISABLE: COPYPASTE,SPELL + EMAIL_REPORTER_SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }} - # Upload MegaLinter artifacts + ## + # Upload MegaLinter artifacts. + # + # This stores each report and log from tests for your reference on the + # GitHub Action report. 
+ # + # More info at: + # https://github.com/actions/upload-artifact + # https://megalinter.io/latest/reporters/ + # - name: Archive production artifacts uses: actions/upload-artifact@v3 - if: ${{ success() }} || ${{ failure() }} + if: success() || failure() with: name: MegaLinter reports path: | megalinter-reports mega-linter.log - # Set APPLY_FIXES_IF var for use in future steps - - name: Set APPLY_FIXES_IF var - run: | - printf 'APPLY_FIXES_IF=%s\n' "${{ - steps.ml.outputs.has_updated_sources == 1 && - ( - env.APPLY_FIXES_EVENT == 'all' || - env.APPLY_FIXES_EVENT == github.event_name - ) && - ( - github.event_name == 'push' || - github.event.pull_request.head.repo.full_name == github.repository - ) - }}" >> "${GITHUB_ENV}" - - # Set APPLY_FIXES_IF_* vars for use in future steps - - name: Set APPLY_FIXES_IF_* vars - run: | - printf 'APPLY_FIXES_IF_PR=%s\n' "${{ - env.APPLY_FIXES_IF == 'true' && - env.APPLY_FIXES_MODE == 'pull_request' - }}" >> "${GITHUB_ENV}" - printf 'APPLY_FIXES_IF_COMMIT=%s\n' "${{ - env.APPLY_FIXES_IF == 'true' && - env.APPLY_FIXES_MODE == 'commit' && - (!contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)) - }}" >> "${GITHUB_ENV}" - - # Create pull request if applicable - # (for now works only on PR from same repository, not from forks) + ## + # Create a Pull Request with any automatic fixes from linters that support + # fixing, if configured to do so via `APPLY_FIXES` and if + # `APPLY_FIXES_MODE` is set to `pull_request`. + # + # This doesn't currently work for forks, only Pull Requests from the same + # repository will have a new Pull Request created. 
+ # - name: Create Pull Request with applied fixes uses: peter-evans/create-pull-request@v5 id: cpr - if: env.APPLY_FIXES_IF_PR == 'true' + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'pull_request' && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) && + !contains(github.event.head_commit.message, 'skip fix') with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} commit-message: "[MegaLinter] Apply linters automatic fixes" title: "[MegaLinter] Apply linters automatic fixes" labels: bot - - name: Create PR output - if: env.APPLY_FIXES_IF_PR == 'true' + - name: Create Pull Request output + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'pull_request' && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) && + !contains(github.event.head_commit.message, 'skip fix') run: | echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}" echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}" - # Push new commit if applicable - # (for now works only on PR from same repository, not from forks) + ## + # Create a commit with any automatic fixes from linters that support + # fixing, if configured to do so via `APPLY_FIXES` and if + # `APPLY_FIXES_MODE` is set to `commit`. + # + # This doesn't currently work for forks, only Pull Requests from the same + # repository will have a new Pull Request created. 
+ # - name: Prepare commit - if: env.APPLY_FIXES_IF_COMMIT == 'true' + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'commit' && + github.ref != 'refs/heads/main' && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) && + !contains(github.event.head_commit.message, 'skip fix') run: sudo chown -Rc $UID .git/ - name: Commit and push applied linter fixes - uses: stefanzweifel/git-auto-commit-action@v5 - if: env.APPLY_FIXES_IF_COMMIT == 'true' + uses: stefanzweifel/git-auto-commit-action@v4 + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'commit' && + github.ref != 'refs/heads/main' && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) && + !contains(github.event.head_commit.message, 'skip fix') with: branch: >- ${{ diff --git a/CHANGELOG.md b/CHANGELOG.md index 60d73916177..462602c2628 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -38,6 +38,7 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l - Display list of articles from newest to oldest - Fix incorrect environment variable in djlint docs - Improve lychee documentation to add an example of `.lycheeignore` + - Improved commenting in `.mega-linter.yml` file to help new users configure the GitHub workflow more effectively - CI - Add the other maintainers globally to the CODEOWNERS file ([#3008](https://github.com/oxsecurity/megalinter/pull/3008)) diff --git a/README.md b/README.md index 7c99756c208..12938489bd9 100644 --- a/README.md +++ b/README.md 
@@ -422,25 +422,119 @@ In your repository you should have a `.github/workflows` folder with **GitHub** This file should have this code ```yml +## +# MegaLinter GitHub Action configuration file. +# +# MegaLinter is an Open-Source tool for CI/CD workflows that analyzes the +# consistency of your code, IAC, configuration, and scripts in your repository +# sources, to ensure all your projects sources are clean and formatted whatever +# IDE/toolbox is used by their developers, powered by OX Security. +# +# More info at: +# https://megalinter.io +# --- -# MegaLinter GitHub Action configuration file -# More info at https://megalinter.io name: MegaLinter +## +# By default, Megalinter runs whenever a Pull Request is opened with the default +# branch, or on any push. +# +# Later logic enforces a full code-wide test on only the `production` and +# `staging` Branches. The default Branch only has changed files linted for +# efficiency. +# on: - # Trigger mega-linter at every push. Action will also be visible from Pull Requests to main - push: # Comment this line to trigger action only on pull-requests (not recommended if you don't pay for GH Actions) - pull_request: - branches: [master, main] - -env: # Comment env block if you don't want to apply fixes - # Apply linter fixes configuration - APPLY_FIXES: all # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool) - APPLY_FIXES_EVENT: pull_request # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all) - APPLY_FIXES_MODE: commit # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request) - -permissions: read-all # All jobs should have read-only access, unless explicitly given + ## + # To only have MegaLinter run on Pull Requests, comment out the following line. 
+ # It is not recommended to use `push` linting on all pushes (the default, + # here)if you do not pay for GitHub Actions. + # + # Some projects also prefer to limit push linting to specific branches, such + # as when a `production` branch is updated. This can be done by adding a + # `branches` filter, here, such as: + # + # push: + # branches: + # - production + # + push: + + ## + # Run whenever a Pull Request occurs on the configured, default branch. + # + pull_request: + branches: + - main + - master + +## +# This `env` section can be entirely removed or commented out if you do not wish +# for fixes to be applied during the MegaLinter run. +# +# More info at: +# https://docs.github.com/en/actions/learn-github-actions/contexts#env-context +# +env: + + ## + # Automatically applies formatting fixes during linting for linters that + # support fixes. This is set to `all` to apply fixes from all linters, or can + # be a list of comma-separated linter keys. + # + # When active, `APPLY_FIXES` must also be defined as environment variable + # (in github/workflows/mega-linter.yml or other CI tool) + # + # More info at: + # https://megalinter.io/latest/config-apply-fixes/ + # + APPLY_FIXES: all + + ## + # Only applies if `APPLY_FIXES` is enabled. + # + # Defines which GitHub event triggers the application of fixes. Options + # include: + # + # - `all` - whenever any of the below events occur + # - `pull_request` - whenever a Pull Request occurs in GitHub (default) + # - `push` - whenever a push occurs to a branch + # + APPLY_FIXES_EVENT: pull_request + + ## + # Only applies if `APPLY_FIXES` is enabled. + # + # Defines how fixes are applied to the repository. 
Options include: + # + # - `commit` - the fixes are directly committed to the repository (default) + # - `pull_request` - the fixes are posted in a separate Pull Request for review + # + APPLY_FIXES_MODE: commit + +## +# Sets all jobs to have `read-all` permissions by default, instead of GitHub's +# insecure default of `write-all`. +# +# Do not change permissions here. Instead, update permissions per-job, below. +# +# More info at: +# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs +# +permissions: read-all + +## +# When this workflow is triggered, if another MegaLinter workflow is already +# running on the target branch, the old workflow will be canceled to reduce +# unnecessary runner usage. +# +# There is usually no need to modify this area, unless you wish to change how +# concurrency is managed in your workflow. +# +# More info at: +# https://docs.github.com/en/actions/using-jobs/using-concurrency +# concurrency: group: ${{ github.ref }}-${{ github.workflow }} cancel-in-progress: true 
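Review bot: The new `on:` comment in the README sample, `Later logic enforces a full code-wide test on only the \`production\` and \`staging\` Branches`, does not describe the workflow it sits in: the `VALIDATE_ALL_CODEBASE` expression in the next hunk keys on `refs/heads/main` and `refs/heads/master`, and nothing else in the file mentions `production` or `staging`. Suggest replacing those two sentences with `# Later logic runs a full-codebase lint only on pushes to the default branch (main or master); every other run lints only the changed files.` The same comment is added in the `TEMPLATES/mega-linter.yml` hunk at `@@ -1,38 +1,116 @@` and the `docs/install-github.md` hunk at `@@ -27,25 +27,119 @@`. Minor, in all three copies: `here)if` in the `push:` comment is missing a space.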
@@ -449,69 +543,235 @@ jobs: megalinter: name: MegaLinter runs-on: ubuntu-latest + + ## + # This job's `GITHUB_TOKEN` or your added `PAT` must have the following + # permissions enabled to `write` for MegaLinter to function. + # + # Always aim to provide as few permissions as possible for personal access + # tokens. By default, all permissions are set to read only. Write + # permissions must be set for the following scopes in the described + # circumstances: + # + # To have MegaLinter write and update a linting report comment on Pull + # Requests, the `pull-requests` and `issues` permissions must be `write`. + # + # To enable `APPLY_FIXES`, the `pull-requests` and `contents` permissions + # must be `write`. + # + # More info at: + # https://docs.github.com/en/actions/security-guides/automatic-token-authentication + # permissions: - # Give the default GITHUB_TOKEN write permission to commit and push, comment issues & post new PR - # Remove the ones you do not need contents: write issues: write pull-requests: write + steps: - # Git Checkout + + ## + # Clone the Repository for linting. + # + # More info at: + # https://github.com/actions/checkout + # - name: Checkout Code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} - fetch-depth: 0 # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances - # MegaLinter + ## + # A fetch depth of `0` pulls the entire Repository's history, + # Branches, and Tags. Limiting this to `1` (or commenting out the + # line, as this is the default) increases efficiency, but is only + # applicable when `VALIDATE_ALL_CODE_BASE = true`. + # + fetch-depth: 0 + + ## + # Run MegaLinter. 
+ # + # More info at: + # https://github.com/oxsecurity/megalinter + # - name: MegaLinter id: ml - # You can override MegaLinter flavor used to have faster performances - # More info at https://megalinter.io/flavors/ + + ## + # The full MegaLinter project can be over 8GB in size! This is due to it + # including every linter available for the full MegaLinter project. It + # is highly recommended to select a more refined "flavor" that better + # matches your project by changing the image used here. + # + # For example, a Python project may elect to use: + # + # oxsecurity/megalinter/flavors/python@v7 + # + # More info at: + # https://megalinter.io/flavors/ + # uses: oxsecurity/megalinter@v7 + + ## + # These variables will override project configurations, including those + # set in the `.mega-linter.yml` file. This is useful for creating + # conditional exceptions during GitHub workflows, for example, when + # linting a production deployment. + # + # https://megalinter.io/latest/config-file/ + # env: - # All available variables are described in documentation - # https://megalinter.io/configuration/ - VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} # Validates all source when push on main, else just the git diff with main. Override with true if you always want to lint all sources + + ## + # By default, this validates full codebase whenever a push to the + # default branch occurs. Otherwise, only the `git diff` files will + # be linted for better efficiency. 
+ # + # This can be overridden to always lint the codebase with: + # + # VALIDATE_ALL_CODEBASE: true + # + # To validate only `git diff`` with the default branch on push: + # + # VALIDATE_ALL_CODEBASE: >- + # ${{ + # github.event_name == 'push' && + # ( + # github.ref == 'refs/heads/main' || + # github.ref == 'refs/heads/master' + # ) + # }} + # + VALIDATE_ALL_CODEBASE: >- + ${{ + github.event_name == 'push' && + ( + github.ref == 'refs/heads/main' || + github.ref == 'refs/heads/master' + ) + }} + + ## + # This token is automatically created on the GitHub server and you + # should not modify this line. + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY - # DISABLE: COPYPASTE,SPELL # Uncomment to disable copy-paste and spell checks - # Upload MegaLinter artifacts + ## + # Add any other variables you wish to override from `.mega-linter.yml` + # below this line. + # + + # Uncomment to disable copy-paste and spell checks + # DISABLE: COPYPASTE,SPELL + + ## + # Upload MegaLinter artifacts. + # + # This stores each report and log from tests for your reference on the + # GitHub Action report. + # + # More info at: + # https://github.com/actions/upload-artifact + # https://megalinter.io/latest/reporters/ + # - name: Archive production artifacts - if: ${{ success() }} || ${{ failure() }} uses: actions/upload-artifact@v3 + if: success() || failure() with: name: MegaLinter reports path: | megalinter-reports mega-linter.log - # Create pull request if applicable (for now works only on PR from same repository, not from forks) + ## + # Create a Pull Request with any automatic fixes from linters that support + # fixing, if configured to do so via `APPLY_FIXES` and if + # `APPLY_FIXES_MODE` is set to `pull_request`. + # + # This doesn't currently work for forks, only Pull Requests from the same + # repository will have a new Pull Request created. 
+ # - name: Create Pull Request with applied fixes - id: cpr - if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix') uses: peter-evans/create-pull-request@v5 + id: cpr + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'pull_request' && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} commit-message: "[MegaLinter] Apply linters automatic fixes" title: "[MegaLinter] Apply linters automatic fixes" labels: bot - - name: Create PR output - if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix') - run: | - echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}" - echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" - # Push new commit if applicable (for now works only on PR from same repository, not from forks) + - name: Create Pull Request output + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'pull_request' && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) + run: | + echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}" + echo "PR URL - ${{ 
steps.cpr.outputs.pull-request-url }}" + + ## + # Create a commit with any automatic fixes from linters that support + # fixing, if configured to do so via `APPLY_FIXES` and if + # `APPLY_FIXES_MODE` is set to `commit`. + # + # This doesn't currently work for forks, only Pull Requests from the same + # repository will have a new Pull Request created. + # - name: Prepare commit - if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix') + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'commit' && + (!contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)) && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) run: sudo chown -Rc $UID .git/ + - name: Commit and push applied linter fixes - if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix') uses: stefanzweifel/git-auto-commit-action@v4 + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'commit' && + (!contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)) && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) with: - 
branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
+ branch: >-
+ ${{
+ github.event.pull_request.head.ref ||
+ github.head_ref ||
+ github.ref
+ }}
commit_message: "[MegaLinter] Apply linters fixes"
commit_user_name: megalinter-bot
commit_user_email: nicolas.vuillamy@ox.security
diff --git a/TEMPLATES/mega-linter.yml b/TEMPLATES/mega-linter.yml
index 0d7564e4f45..2c69aa89dd0 100644
--- a/TEMPLATES/mega-linter.yml
+++ b/TEMPLATES/mega-linter.yml
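Review bot: The rewritten `if:` conditions on `Create Pull Request with applied fixes`, `Create Pull Request output`, `Prepare commit` and `Commit and push applied linter fixes` drop the `!contains(github.event.head_commit.message, 'skip fix')` clause that every removed line carried, so a commit message can no longer opt a run out of auto-fixing, and the commit description does not mention that. Unless the removal is intended, re-add `&& !contains(github.event.head_commit.message, 'skip fix')` as the last operand of each of the four expressions; the `TEMPLATES/mega-linter.yml` hunk at `@@ -51,120 +145,202 @@` ends up with the same clause-less shape, so the two files should be decided together. Separately, the new `fetch-depth` comment refers to `VALIDATE_ALL_CODE_BASE = true`, which is not the variable this file sets; it should read `VALIDATE_ALL_CODEBASE: true` (same typo in the `TEMPLATES` and `docs/install-github.md` hunks).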
@@ -1,38 +1,116 @@ -# MegaLinter GitHub Action configuration file -# More info at https://megalinter.io +## +# MegaLinter GitHub Action configuration file. +# +# MegaLinter is an Open-Source tool for CI/CD workflows that analyzes the +# consistency of your code, IAC, configuration, and scripts in your repository +# sources, to ensure all your projects sources are clean and formatted whatever +# IDE/toolbox is used by their developers, powered by OX Security. +# +# More info at: +# https://megalinter.io +# --- name: MegaLinter -# Trigger mega-linter at every push. Action will also be visible from Pull -# Requests to main +## +# By default, Megalinter runs whenever a Pull Request is opened with the default +# branch, or on any push. +# +# Later logic enforces a full code-wide test on only the `production` and +# `staging` Branches. The default Branch only has changed files linted for +# efficiency. +# on: - # Comment this line to trigger action only on pull-requests - # (not recommended if you don't pay for GH Actions) + + ## + # To only have MegaLinter run on Pull Requests, comment out the following line. + # It is not recommended to use `push` linting on all pushes (the default, + # here)if you do not pay for GitHub Actions. + # + # Some projects also prefer to limit push linting to specific branches, such + # as when a `production` branch is updated. This can be done by adding a + # `branches` filter, here, such as: + # + # push: + # branches: + # - production + # push: + ## + # Run whenever a Pull Request occurs on the configured, default branch. + # pull_request: branches: - main - master -# Comment env block if you do not want to apply fixes +## +# This `env` section can be entirely removed or commented out if you do not wish +# for fixes to be applied during the MegaLinter run. 
+# +# More info at: +# https://docs.github.com/en/actions/learn-github-actions/contexts#env-context +# env: - # Apply linter fixes configuration + + ## + # Automatically applies formatting fixes during linting for linters that + # support fixes. This is set to `all` to apply fixes from all linters, or can + # be a list of comma-separated linter keys. # - # When active, APPLY_FIXES must also be defined as environment variable + # When active, `APPLY_FIXES` must also be defined as environment variable # (in github/workflows/mega-linter.yml or other CI tool) + # + # More info at: + # https://megalinter.io/latest/config-apply-fixes/ + # APPLY_FIXES: all - # Decide which event triggers application of fixes in a commit or a PR - # (pull_request, push, all) + ## + # Only applies if `APPLY_FIXES` is enabled. + # + # Defines which GitHub event triggers the application of fixes. Options + # include: + # + # - `all` - whenever any of the below events occur + # - `pull_request` - whenever a Pull Request occurs in GitHub (default) + # - `push` - whenever a push occurs to a branch + # APPLY_FIXES_EVENT: pull_request - # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) - # or posted in a PR (pull_request) + ## + # Only applies if `APPLY_FIXES` is enabled. + # + # Defines how fixes are applied to the repository. Options include: + # + # - `commit` - the fixes are directly committed to the repository (default) + # - `pull_request` - the fixes are posted in a separate Pull Request for review + # APPLY_FIXES_MODE: commit -permissions: read-all # All jobs should have read-only access, unless explicitly given +## +# Sets all jobs to have `read-all` permissions by default, instead of GitHub's +# insecure default of `write-all`. +# +# Do not change permissions here. Instead, update permissions per-job, below. 
+#
+# More info at:
+# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
+#
+permissions: read-all
+##
+# When this workflow is triggered, if another MegaLinter workflow is already
+# running on the target branch, the old workflow will be canceled to reduce
+# unnecessary runner usage.
+#
+# There is usually no need to modify this area, unless you wish to change how
+# concurrency is managed in your workflow.
+#
+# More info at:
+# https://docs.github.com/en/actions/using-jobs/using-concurrency
+#
concurrency:
group: ${{ github.ref }}-${{ github.workflow }}
cancel-in-progress: true
@@ -42,8 +120,24 @@ jobs:
name: MegaLinter
runs-on: ubuntu-latest
- # Give the default GITHUB_TOKEN write permission to commit and push, comment
- # issues & post new PR; remove the ones you do not need
+ ##
+ # This job's `GITHUB_TOKEN` or your added `PAT` must have the following
+ # permissions enabled to `write` for MegaLinter to function.
+ #
+ # Always aim to provide as few permissions as possible for personal access
+ # tokens. By default, all permissions are set to read only. Write
+ # permissions must be set for the following scopes in the described
+ # circumstances:
+ #
+ # To have MegaLinter write and update a linting report comment on Pull
+ # Requests, the `pull-requests` and `issues` permissions must be `write`.
+ #
+ # To enable `APPLY_FIXES`, the `pull-requests` and `contents` permissions
+ # must be `write`.
+ #
+ # More info at:
+ # https://docs.github.com/en/actions/security-guides/automatic-token-authentication
+ #
permissions:
contents: write
issues: write
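Review bot: The new job-level `permissions` comment loses the one actionable instruction the removed lines had, `remove the ones you do not need`, while the block below still grants `contents`, `issues` and `pull-requests` as `write` unconditionally; a reader who follows the comment's own advice to grant as little as possible gets no cue that the three lines are a superset to trim. Suggest ending the comment with `# Remove any scope below that your setup does not use; for example, with APPLY_FIXES disabled, contents can stay at read.` The sentence `This job's \`GITHUB_TOKEN\` or your added \`PAT\` must have the following permissions` also conflates two mechanisms: the `permissions:` key scopes only the workflow's `GITHUB_TOKEN`, whereas a token passed through `secrets.PAT` carries the scopes chosen when it was created, so the comment should say the equivalent scopes must be set on the PAT itself. The same block is added in the `README.md` hunk at `@@ -449,69 +543,235 @@` and the `docs/install-github.md` hunk at `@@ -54,69 +148,236 @@`.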
@@ -51,120 +145,202 @@ jobs: steps: - # Git Checkout + ## + # Clone the Repository for linting. + # + # More info at: + # https://github.com/actions/checkout + # - name: Checkout Code uses: actions/checkout@v4 with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} - # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to - # improve performance + ## + # A fetch depth of `0` pulls the entire Repository's history, + # Branches, and Tags. Limiting this to `1` (or commenting out the + # line, as this is the default) increases efficiency, but is only + # applicable when `VALIDATE_ALL_CODE_BASE = true`. + # fetch-depth: 0 - # MegaLinter + ## + # Run MegaLinter. + # + # More info at: + # https://github.com/oxsecurity/megalinter + # - name: MegaLinter + id: ml - # You can override MegaLinter flavor used to have faster performances - # More info at https://megalinter.io/flavors/ + ## + # The full MegaLinter project can be over 8GB in size! This is due to it + # including every linter available for the full MegaLinter project. It + # is highly recommended to select a more refined "flavor" that better + # matches your project by changing the image used here. + # + # For example, a Python project may elect to use: + # + # oxsecurity/megalinter/flavors/python@v7 + # + # More info at: + # https://megalinter.io/flavors/ + # uses: oxsecurity/megalinter@v7 - id: ml - - # All available variables are described in documentation - # https://megalinter.io/configuration/ + ## + # These variables will override project configurations, including those + # set in the `.mega-linter.yml` file. This is useful for creating + # conditional exceptions during GitHub workflows, for example, when + # linting a production deployment. + # + # https://megalinter.io/latest/config-file/ + # env: - # Validates all source when push on main, else just the git diff with - # main. 
Override with true if you always want to lint all sources + ## + # By default, this validates full codebase whenever a push to the + # default branch occurs. Otherwise, only the `git diff` files will + # be linted for better efficiency. # - # To validate the entire codebase, set to: - # VALIDATE_ALL_CODEBASE: true + # This can be overridden to always lint the codebase with: + # + # VALIDATE_ALL_CODEBASE: true + # + # To validate only `git diff`` with the default branch on push: # - # To validate only diff with main, set to: # VALIDATE_ALL_CODEBASE: >- # ${{ # github.event_name == 'push' && - # contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref) + # ( + # github.ref == 'refs/heads/main' || + # github.ref == 'refs/heads/master' + # ) # }} + # VALIDATE_ALL_CODEBASE: >- ${{ github.event_name == 'push' && - contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref) + ( + github.ref == 'refs/heads/main' || + github.ref == 'refs/heads/master' + ) }} + ## + # This token is automatically created on the GitHub server and you + # should not modify this line. + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE - # .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY + ## + # Add any other variables you wish to override from `.mega-linter.yml` + # below this line. + # # Uncomment to disable copy-paste and spell checks # DISABLE: COPYPASTE,SPELL - # Upload MegaLinter artifacts + ## + # Upload MegaLinter artifacts. + # + # This stores each report and log from tests for your reference on the + # GitHub Action report. 
+ # + # More info at: + # https://github.com/actions/upload-artifact + # https://megalinter.io/latest/reporters/ + # - name: Archive production artifacts uses: actions/upload-artifact@v3 - if: ${{ success() }} || ${{ failure() }} + if: success() || failure() with: name: MegaLinter reports path: | megalinter-reports mega-linter.log - # Set APPLY_FIXES_IF var for use in future steps - - name: Set APPLY_FIXES_IF var - run: | - printf 'APPLY_FIXES_IF=%s\n' "${{ - steps.ml.outputs.has_updated_sources == 1 && - ( - env.APPLY_FIXES_EVENT == 'all' || - env.APPLY_FIXES_EVENT == github.event_name - ) && - ( - github.event_name == 'push' || - github.event.pull_request.head.repo.full_name == github.repository - ) - }}" >> "${GITHUB_ENV}" - - # Set APPLY_FIXES_IF_* vars for use in future steps - - name: Set APPLY_FIXES_IF_* vars - run: | - printf 'APPLY_FIXES_IF_PR=%s\n' "${{ - env.APPLY_FIXES_IF == 'true' && - env.APPLY_FIXES_MODE == 'pull_request' - }}" >> "${GITHUB_ENV}" - printf 'APPLY_FIXES_IF_COMMIT=%s\n' "${{ - env.APPLY_FIXES_IF == 'true' && - env.APPLY_FIXES_MODE == 'commit' && - (!contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)) - }}" >> "${GITHUB_ENV}" - - # Create pull request if applicable - # (for now works only on PR from same repository, not from forks) + ## + # Create a Pull Request with any automatic fixes from linters that support + # fixing, if configured to do so via `APPLY_FIXES` and if + # `APPLY_FIXES_MODE` is set to `pull_request`. + # + # This doesn't currently work for forks, only Pull Requests from the same + # repository will have a new Pull Request created. 
+ # - name: Create Pull Request with applied fixes uses: peter-evans/create-pull-request@v5 id: cpr - if: env.APPLY_FIXES_IF_PR == 'true' + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'pull_request' && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} commit-message: "[MegaLinter] Apply linters automatic fixes" title: "[MegaLinter] Apply linters automatic fixes" labels: bot - - name: Create PR output - if: env.APPLY_FIXES_IF_PR == 'true' + - name: Create Pull Request output + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'pull_request' && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) run: | echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}" echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}" - # Push new commit if applicable - # (for now works only on PR from same repository, not from forks) + ## + # Create a commit with any automatic fixes from linters that support + # fixing, if configured to do so via `APPLY_FIXES` and if + # `APPLY_FIXES_MODE` is set to `commit`. + # + # This doesn't currently work for forks, only Pull Requests from the same + # repository will have a new Pull Request created. 
+ # - name: Prepare commit - if: env.APPLY_FIXES_IF_COMMIT == 'true' + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'commit' && + (!contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)) && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) run: sudo chown -Rc $UID .git/ - name: Commit and push applied linter fixes uses: stefanzweifel/git-auto-commit-action@v4 - if: env.APPLY_FIXES_IF_COMMIT == 'true' + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'commit' && + (!contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)) && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) with: branch: >- ${{ diff --git a/docs/install-github.md b/docs/install-github.md index f9a0f37464c..8ad5a8016e5 100644 --- a/docs/install-github.md +++ b/docs/install-github.md 
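Review bot: The comment added above `Prepare commit` ends with `only Pull Requests from the same repository will have a new Pull Request created`, copied from the `pull_request`-mode block, but this step and `Commit and push applied linter fixes` push a commit and create no Pull Request; `only Pull Requests from the same repository will have the fixes committed and pushed` matches what the steps do. The second `VALIDATE_ALL_CODEBASE` example, introduced as `To validate only \`git diff\`\` with the default branch on push`, has a stray backtick and repeats the live expression below it verbatim, so it no longer shows an alternative the way the removed comment did; either drop it or make it differ from the default. Both comments are added in the same form in the `README.md` hunk at `@@ -449,69 +543,235 @@`.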
@@ -27,25 +27,119 @@ In your repository you should have a `.github/workflows` folder with **GitHub** This file should have this code ```yml +## +# MegaLinter GitHub Action configuration file. +# +# MegaLinter is an Open-Source tool for CI/CD workflows that analyzes the +# consistency of your code, IAC, configuration, and scripts in your repository +# sources, to ensure all your projects sources are clean and formatted whatever +# IDE/toolbox is used by their developers, powered by OX Security. +# +# More info at: +# https://megalinter.io +# --- -# MegaLinter GitHub Action configuration file -# More info at https://megalinter.io name: MegaLinter +## +# By default, Megalinter runs whenever a Pull Request is opened with the default +# branch, or on any push. +# +# Later logic enforces a full code-wide test on only the `production` and +# `staging` Branches. The default Branch only has changed files linted for +# efficiency. +# on: - # Trigger mega-linter at every push. Action will also be visible from Pull Requests to main - push: # Comment this line to trigger action only on pull-requests (not recommended if you don't pay for GH Actions) + + ## + # To only have MegaLinter run on Pull Requests, comment out the following line. + # It is not recommended to use `push` linting on all pushes (the default, + # here)if you do not pay for GitHub Actions. + # + # Some projects also prefer to limit push linting to specific branches, such + # as when a `production` branch is updated. This can be done by adding a + # `branches` filter, here, such as: + # + # push: + # branches: + # - production + # + push: + + ## + # Run whenever a Pull Request occurs on the configured, default branch. + # pull_request: - branches: [master, main] + branches: + - main + - master + +## +# This `env` section can be entirely removed or commented out if you do not wish +# for fixes to be applied during the MegaLinter run. 
+# +# More info at: +# https://docs.github.com/en/actions/learn-github-actions/contexts#env-context +# +env: + + ## + # Automatically applies formatting fixes during linting for linters that + # support fixes. This is set to `all` to apply fixes from all linters, or can + # be a list of comma-separated linter keys. + # + # When active, `APPLY_FIXES` must also be defined as environment variable + # (in github/workflows/mega-linter.yml or other CI tool) + # + # More info at: + # https://megalinter.io/latest/config-apply-fixes/ + # + APPLY_FIXES: all + + ## + # Only applies if `APPLY_FIXES` is enabled. + # + # Defines which GitHub event triggers the application of fixes. Options + # include: + # + # - `all` - whenever any of the below events occur + # - `pull_request` - whenever a Pull Request occurs in GitHub (default) + # - `push` - whenever a push occurs to a branch + # + APPLY_FIXES_EVENT: pull_request -permissions: read-all # All jobs should have read-only access, unless explicitly given + ## + # Only applies if `APPLY_FIXES` is enabled. + # + # Defines how fixes are applied to the repository. Options include: + # + # - `commit` - the fixes are directly committed to the repository (default) + # - `pull_request` - the fixes are posted in a separate Pull Request for review + # + APPLY_FIXES_MODE: commit -env: # Comment env block if you don't want to apply fixes - # Apply linter fixes configuration - APPLY_FIXES: all # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool) - APPLY_FIXES_EVENT: pull_request # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all) - APPLY_FIXES_MODE: commit # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request) +## +# Sets all jobs to have `read-all` permissions by default, instead of GitHub's +# insecure default of `write-all`. +# +# Do not change permissions here. 
Instead, update permissions per-job, below. +# +# More info at: +# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs +# +permissions: read-all +## +# When this workflow is triggered, if another MegaLinter workflow is already +# running on the target branch, the old workflow will be canceled to reduce +# unnecessary runner usage. +# +# There is usually no need to modify this area, unless you wish to change how +# concurrency is managed in your workflow. +# +# More info at: +# https://docs.github.com/en/actions/using-jobs/using-concurrency +# concurrency: group: ${{ github.ref }}-${{ github.workflow }} cancel-in-progress: true 
@@ -54,69 +148,236 @@ jobs: megalinter: name: MegaLinter runs-on: ubuntu-latest + + ## + # This job's `GITHUB_TOKEN` or your added `PAT` must have the following + # permissions enabled to `write` for MegaLinter to function. + # + # Always aim to provide as few permissions as possible for personal access + # tokens. By default, all permissions are set to read only. Write + # permissions must be set for the following scopes in the described + # circumstances: + # + # To have MegaLinter write and update a linting report comment on Pull + # Requests, the `pull-requests` and `issues` permissions must be `write`. + # + # To enable `APPLY_FIXES`, the `pull-requests` and `contents` permissions + # must be `write`. + # + # More info at: + # https://docs.github.com/en/actions/security-guides/automatic-token-authentication + # permissions: - # Give the default GITHUB_TOKEN write permission to commit and push, comment issues & post new PR - # Remove the ones you do not need contents: write issues: write pull-requests: write + + steps: - # Git Checkout + + ## + # Clone the Repository for linting. + # + # More info at: + # https://github.com/actions/checkout + # - name: Checkout Code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} - fetch-depth: 0 # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances - # MegaLinter + ## + # A fetch depth of `0` pulls the entire Repository's history, + # Branches, and Tags. Limiting this to `1` (or commenting out the + # line, as this is the default) increases efficiency, but is only + # applicable when `VALIDATE_ALL_CODE_BASE = true`. + # + fetch-depth: 0 + + ## + # Run MegaLinter. 
+ # + # More info at: + # https://github.com/oxsecurity/megalinter + # - name: MegaLinter id: ml - # You can override MegaLinter flavor used to have faster performances - # More info at https://megalinter.io/flavors/ + + ## + # The full MegaLinter project can be over 8GB in size! This is due to it + # including every linter available for the full MegaLinter project. It + # is highly recommended to select a more refined "flavor" that better + # matches your project by changing the image used here. + # + # For example, a Python project may elect to use: + # + # oxsecurity/megalinter/flavors/python@v7 + # + # More info at: + # https://megalinter.io/flavors/ + # uses: oxsecurity/megalinter@v7 + + ## + # These variables will override project configurations, including those + # set in the `.mega-linter.yml` file. This is useful for creating + # conditional exceptions during GitHub workflows, for example, when + # linting a production deployment. + # + # https://megalinter.io/latest/config-file/ + # env: - # All available variables are described in documentation - # https://megalinter.io/configuration/ - VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} # Validates all source when push on main, else just the git diff with main. Override with true if you always want to lint all sources + + ## + # By default, this validates full codebase whenever a push to the + # default branch occurs. Otherwise, only the `git diff` files will + # be linted for better efficiency. 
+ # + # This can be overridden to always lint the codebase with: + # + # VALIDATE_ALL_CODEBASE: true + # + # To validate only `git diff`` with the default branch on push: + # + # VALIDATE_ALL_CODEBASE: >- + # ${{ + # github.event_name == 'push' && + # ( + # github.ref == 'refs/heads/main' || + # github.ref == 'refs/heads/master' + # ) + # }} + # + VALIDATE_ALL_CODEBASE: >- + ${{ + github.event_name == 'push' && + ( + github.ref == 'refs/heads/main' || + github.ref == 'refs/heads/master' + ) + }} + + ## + # This token is automatically created on the GitHub server and you + # should not modify this line. + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY - # DISABLE: COPYPASTE,SPELL # Uncomment to disable copy-paste and spell checks - # Upload MegaLinter artifacts + ## + # Add any other variables you wish to override from `.mega-linter.yml` + # below this line. + # + + # Uncomment to disable copy-paste and spell checks + # DISABLE: COPYPASTE,SPELL + + ## + # Upload MegaLinter artifacts. + # + # This stores each report and log from tests for your reference on the + # GitHub Action report. + # + # More info at: + # https://github.com/actions/upload-artifact + # https://megalinter.io/latest/reporters/ + # - name: Archive production artifacts - if: ${{ success() }} || ${{ failure() }} uses: actions/upload-artifact@v3 + if: success() || failure() with: name: MegaLinter reports path: | megalinter-reports mega-linter.log - # Create pull request if applicable (for now works only on PR from same repository, not from forks) + ## + # Create a Pull Request with any automatic fixes from linters that support + # fixing, if configured to do so via `APPLY_FIXES` and if + # `APPLY_FIXES_MODE` is set to `pull_request`. + # + # This doesn't currently work for forks, only Pull Requests from the same + # repository will have a new Pull Request created. 
+ # - name: Create Pull Request with applied fixes - id: cpr - if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix') uses: peter-evans/create-pull-request@v5 + id: cpr + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'pull_request' && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} commit-message: "[MegaLinter] Apply linters automatic fixes" title: "[MegaLinter] Apply linters automatic fixes" labels: bot - - name: Create PR output - if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix') + + - name: Create Pull Request output + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'pull_request' && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) run: | - echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}" - echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" + echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}" + echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}" - # Push new commit if applicable (for now works only on PR from same repository, not 
from forks) + ## + # Create a commit with any automatic fixes from linters that support + # fixing, if configured to do so via `APPLY_FIXES` and if + # `APPLY_FIXES_MODE` is set to `commit`. + # + # This doesn't currently work for forks, only Pull Requests from the same + # repository will have a new Pull Request created. + # - name: Prepare commit - if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix') + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'commit' && + (!contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)) && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) run: sudo chown -Rc $UID .git/ + - name: Commit and push applied linter fixes - if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix') uses: stefanzweifel/git-auto-commit-action@v4 + if: >- + steps.ml.outputs.has_updated_sources == 1 && + ( + env.APPLY_FIXES_EVENT == 'all' || + env.APPLY_FIXES_EVENT == github.event_name + ) && + env.APPLY_FIXES_MODE == 'commit' && + (!contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)) && + ( + github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository + ) with: - branch: ${{ 
github.event.pull_request.head.ref || github.head_ref || github.ref }} + branch: >- + ${{ + github.event.pull_request.head.ref || + github.head_ref || + github.ref + }} commit_message: "[MegaLinter] Apply linters fixes" commit_user_name: megalinter-bot commit_user_email: nicolas.vuillamy@ox.security diff --git a/mega-linter-runner/generators/mega-linter/index.js b/mega-linter-runner/generators/mega-linter/index.js index d3dc5e8852d..cee374463de 100644 --- a/mega-linter-runner/generators/mega-linter/index.js +++ b/mega-linter-runner/generators/mega-linter/index.js @@ -196,8 +196,11 @@ When you don't know what option to select, please use default values` } else { this.validateAllCodeBaseGha = ">-\n" this.validateAllCodeBaseGha += " ${{"; - this.validateAllCodeBaseGha += " github.event_name == 'push' &&" - this.validateAllCodeBaseGha += " github.ref == 'refs/heads/main'" + this.validateAllCodeBaseGha += " github.event_name == 'push' &&"; + this.validateAllCodeBaseGha += " ("; + this.validateAllCodeBaseGha += " github.ref == 'refs/heads/main' ||"; + this.validateAllCodeBaseGha += " github.ref == 'refs/heads/master'"; + this.validateAllCodeBaseGha += " )"; this.validateAllCodeBaseGha += " }}"; } this.disable = false; diff --git a/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml b/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml index e459fa46aaf..7f888c770b5 100644 --- a/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml +++ b/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml 
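Review bot: The new `+=` fragments rely on their leading whitespace to lay out the `>-` block scalar that `templates/mega-linter.yml` renders via `<%- VALIDATE_ALL_CODE_BASE_GHA %>`; if the fragments really begin with the single space shown here, the continuation line after `>-\n` would be indented less than the `VALIDATE_ALL_CODEBASE` key it follows and the rendered YAML would be invalid, so the rendered workflow is worth checking (the indentation may simply have been lost in this view). Building the expression from six concatenations also hides that it is one folded line; a single statement such as `this.validateAllCodeBaseGha = ">-\n" + "  ${{ github.event_name == 'push' && " + "(github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master') }}";` reads as the expression it produces. The added lines end with `;` while the context line `this.validateAllCodeBaseGha = ">-\n"` does not; the enclosing function starts outside the hunk.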
@@ -1,38 +1,116 @@ -# MegaLinter GitHub Action configuration file -# More info at https://megalinter.io +## +# MegaLinter GitHub Action configuration file. +# +# MegaLinter is an Open-Source tool for CI/CD workflows that analyzes the +# consistency of your code, IAC, configuration, and scripts in your repository +# sources, to ensure all your projects sources are clean and formatted whatever +# IDE/toolbox is used by their developers, powered by OX Security. +# +# More info at: +# https://megalinter.io +# --- name: MegaLinter -# Trigger mega-linter at every push. Action will also be visible from -# Pull Requests to main +## +# By default, Megalinter runs whenever a Pull Request is opened with the default +# branch, or on any push. +# +# Later logic enforces a full code-wide test on only the `production` and +# `staging` Branches. The default Branch only has changed files linted for +# efficiency. +# on: - # Comment this line to trigger action only on pull-requests - # (not recommended if you don't pay for GH Actions) + + ## + # To only have MegaLinter run on Pull Requests, comment out the following line. + # It is not recommended to use `push` linting on all pushes (the default, + # here)if you do not pay for GitHub Actions. + # + # Some projects also prefer to limit push linting to specific branches, such + # as when a `production` branch is updated. This can be done by adding a + # `branches` filter, here, such as: + # + # push: + # branches: + # - production + # push: + ## + # Run whenever a Pull Request occurs on the configured, default branch. + # pull_request: branches: - main - master -# Comment env block if you do not want to apply fixes +## +# This `env` section can be entirely removed or commented out if you do not wish +# for fixes to be applied during the MegaLinter run. 
+# +# More info at: +# https://docs.github.com/en/actions/learn-github-actions/contexts#env-context +# env: - # Apply linter fixes configuration + + ## + # Automatically applies formatting fixes during linting for linters that + # support fixes. This is set to `all` to apply fixes from all linters, or can + # be a list of comma-separated linter keys. # - # When active, APPLY_FIXES must also be defined as environment variable + # When active, `APPLY_FIXES` must also be defined as environment variable # (in github/workflows/mega-linter.yml or other CI tool) + # + # More info at: + # https://megalinter.io/latest/config-apply-fixes/ + # APPLY_FIXES: <%= APPLY_FIXES %> - # Decide which event triggers application of fixes in a commit or a PR - # (pull_request, push, all) + ## + # Only applies if `APPLY_FIXES` is enabled. + # + # Defines which GitHub event triggers the application of fixes. Options + # include: + # + # - `all` - whenever any of the below events occur + # - `pull_request` - whenever a Pull Request occurs in GitHub (default) + # - `push` - whenever a push occurs to a branch + # APPLY_FIXES_EVENT: pull_request - # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) - # or posted in a PR (pull_request) + ## + # Only applies if `APPLY_FIXES` is enabled. + # + # Defines how fixes are applied to the repository. Options include: + # + # - `commit` - the fixes are directly committed to the repository (default) + # - `pull_request` - the fixes are posted in a separate Pull Request for review + # APPLY_FIXES_MODE: commit -permissions: read-all # All jobs should have read-only access, unless explicitly given +## +# Sets all jobs to have `read-all` permissions by default, instead of GitHub's +# insecure default of `write-all`. +# +# Do not change permissions here. Instead, update permissions per-job, below. 
+# +# More info at: +# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs +# +permissions: read-all +## +# When this workflow is triggered, if another MegaLinter workflow is already +# running on the target branch, the old workflow will be canceled to reduce +# unnecessary runner usage. +# +# There is usually no need to modify this area, unless you wish to change how +# concurrency is managed in your workflow. +# +# More info at: +# https://docs.github.com/en/actions/using-jobs/using-concurrency +# concurrency: group: ${{ github.ref }}-${{ github.workflow }} cancel-in-progress: true 
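Review bot: The new `on:` comment states that later logic enforces a full code-wide lint only on the `production` and `staging` branches, but the `VALIDATE_ALL_CODEBASE` expression documented further down this same file keys on `refs/heads/main` and `refs/heads/master`, so the comment contradicts the template it introduces. Suggested wording: `# Later logic enforces a full code-wide lint only on pushes to the default` / `# branch (main or master); other events lint only changed files for efficiency.` The `permissions` comment's claim that GitHub's default is an insecure `write-all` is also stronger than it should be: the default `GITHUB_TOKEN` scope is a repository/organization setting that may be permissive or restricted, so `instead of inheriting the repository's default token permissions, which may be permissive` describes the reason for the explicit `read-all` more accurately. A blank line between `permissions: read-all` and the following `##` block would match the spacing used before the other top-level keys.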
@@ -42,56 +120,127 @@ jobs: name: MegaLinter runs-on: ubuntu-latest - # Give the default GITHUB_TOKEN write permission to commit and push, comment - # issues, and post new Pull Requests; remove the ones you do not need + ## + # This job's `GITHUB_TOKEN` or your added `PAT` must have the following + # permissions enabled to `write` for MegaLinter to function. + # + # Always aim to provide as few permissions as possible for personal access + # tokens. By default, all permissions are set to read only. Write + # permissions must be set for the following scopes in the described + # circumstances: + # + # To have MegaLinter write and update a linting report comment on Pull + # Requests, the `pull-requests` and `issues` permissions must be `write`. + # + # To enable `APPLY_FIXES`, the `pull-requests` and `contents` permissions + # must be `write`. + # + # More info at: + # https://docs.github.com/en/actions/security-guides/automatic-token-authentication + # permissions: contents: write issues: write pull-requests: write steps: - # Git Checkout + + ## + # Clone the Repository for linting. + # + # More info at: + # https://github.com/actions/checkout + # - name: Checkout Code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} - # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to - # improve performance + ## + # A fetch depth of `0` pulls the entire Repository's history, + # Branches, and Tags. Limiting this to `1` (or commenting out the + # line, as this is the default) increases efficiency, but is only + # applicable when `VALIDATE_ALL_CODE_BASE = true`. + # fetch-depth: 0 - # MegaLinter + ## + # Run MegaLinter. + # + # More info at: + # https://github.com/oxsecurity/megalinter + # - name: MegaLinter + id: ml - # You can override MegaLinter flavor used to have faster performances - # More info at https://megalinter.io/latest/flavors/ + ## + # The full MegaLinter project can be over 8GB in size! 
This is due to it + # including every linter available for the full MegaLinter project. It + # is highly recommended to select a more refined "flavor" that better- + # matches your project by changing the image used here. + # + # For example, a Python project may elect to use: + # + # oxsecurity/megalinter/flavors/python@<%= GITHUB_ACTION_VERSION %> + # + # More info at: + # https://megalinter.io/flavors/ + # uses: <%= GITHUB_ACTION_NAME %>@<%= GITHUB_ACTION_VERSION %> - id: ml - - # All available variables are described in documentation + ## + # These variables will override project configurations, including those + # set in the `.mega-linter.yml` file. This is useful for creating + # conditional exceptions during GitHub workflows, for example, when + # linting a production deployment. + # # https://megalinter.io/latest/config-file/ + # env: - # Validates all source when push on main, else just the git diff with - # main. Override with true if you always want to lint all sources + + ## + # By default, this validates full codebase whenever a push to the + # default branch occurs. Otherwise, only the `git diff` files will + # be linted for better efficiency. # - # To validate the entire codebase, set to: - # VALIDATE_ALL_CODEBASE: true + # This can be overridden to always lint the codebase with: + # + # VALIDATE_ALL_CODEBASE: true + # + # To validate only `git diff`` with the default branch on push: # - # To validate only diff with main, set to: # VALIDATE_ALL_CODEBASE: >- # ${{ # github.event_name == 'push' && - # github.ref == 'refs/heads/main' + # ( + # github.ref == 'refs/heads/main' || + # github.ref == 'refs/heads/master' + # ) # }} + # VALIDATE_ALL_CODEBASE: <%- VALIDATE_ALL_CODE_BASE_GHA %> + ## + # This token is automatically created on the GitHub server and you + # should not modify this line. 
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # ADD YOUR CUSTOM ENV VARIABLES HERE TO OVERRIDE VALUES OF - # .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY + ## + # Add any other variables you wish to override from `.mega-linter.yml` + # below this line. + # - # Upload MegaLinter artifacts + ## + # Upload MegaLinter artifacts. + # + # This stores each report and log from tests for your reference on the + # GitHub Action report. + # + # More info at: + # https://github.com/actions/upload-artifact + # https://megalinter.io/latest/reporters/ + # - name: Archive production artifacts uses: actions/upload-artifact@v3 if: success() || failure() @@ -101,8 +250,14 @@ jobs: megalinter-reports mega-linter.log - # Create pull request if applicable - # (for now works only on PR from same repository, not from forks) + ## + # Create a Pull Request with any automatic fixes from linters that support + # fixing, if configured to do so via `APPLY_FIXES` and if + # `APPLY_FIXES_MODE` is set to `pull_request`. + # + # This doesn't currently work for forks, only Pull Requests from the same + # repository will have a new Pull Request created. + # - name: Create Pull Request with applied fixes uses: peter-evans/create-pull-request@v5 id: cpr @@ -124,7 +279,7 @@ jobs: title: "[MegaLinter] Apply linters automatic fixes" labels: bot - - name: Create PR output + - name: Create Pull Request output if: >- steps.ml.outputs.has_updated_sources == 1 && ( 
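Review bot: The new `fetch-depth` comment refers to `VALIDATE_ALL_CODE_BASE = true`, but the variable this job actually sets a few lines later is `VALIDATE_ALL_CODEBASE`, so a reader searching for the name will not find it; suggested: `# applicable when VALIDATE_ALL_CODEBASE is set to true.` The same misspelling is in the rewritten workflow example of the docs/install-github.md hunk above. Since this template is what users copy into their repositories, the action references the hunk touches (`actions/checkout@v4`, `actions/upload-artifact@v3`) would be more robust against a compromised or moved tag if pinned to a full commit SHA with the tag kept in a trailing comment; the v3 to v4 bump itself is fine. The `steps:` block continues past the end of the hunk.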
@@ -141,8 +296,14 @@ jobs: echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}" echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}" - # Push new commit if applicable - # (for now works only on PR from same repository, not from forks) + ## + # Create a commit with any automatic fixes from linters that support + # fixing, if configured to do so via `APPLY_FIXES` and if + # `APPLY_FIXES_MODE` is set to `commit`. + # + # This doesn't currently work for forks, only Pull Requests from the same + # repository will have a new Pull Request created. + # - name: Prepare commit if: >- steps.ml.outputs.has_updated_sources == 1 && From bdf41198fdcec4224b66f10b0349b76068c52c29 Mon Sep 17 00:00:00 2001 From: Andrew Vaughan Date: Sat, 21 Oct 2023 13:15:04 -0400 Subject: [PATCH 03/17] Update CHANGELOG.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Edouard Choinière <27212526+echoix@users.noreply.github.com> --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 462602c2628..45a1ba3cf81 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,7 +30,7 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l - Fixes - build.py: Remove exclusivity between pip, gem & cargo packages - Salesforce linters: Switch sfdx-cli to @salesforce/cli - - Set default permissions to all workflows to `read-only` to increase security and prevent Checkov `CKV2_GHA_1` errors + - Set default permissions to all workflows to `read-only` to increase security and prevent Checkov `CKV2_GHA_1` errors, by @andrewvaughan in [#3032](https://github.com/oxsecurity/megalinter/pull/3032) - Fixed issue with `actionlint` throwing an error on `if` statements in the generated workflow file - Added default `.devskim.json` to mitigate errors introduced when no config exists From 641ec953a5826c5d4bce4d4d0c3af80e601c9c3e Mon Sep 17 00:00:00 2001 
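Review bot: The new comment above `Prepare commit` ends with `only Pull Requests from the same repository will have a new Pull Request created`, which is copied from the `pull_request`-mode step; in `commit` mode the fixes are committed and pushed by the step that follows (shown in the docs/install-github.md rewrite above), and no Pull Request is opened. Suggested: `# This doesn't currently work for forks; only pushes and Pull Requests from the same repository will have fixes committed and pushed.` The same copied sentence appears in the docs/install-github.md rewrite of this step. The `if:` expression this comment introduces continues outside the hunk.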
From: Andrew Vaughan Date: Sat, 21 Oct 2023 13:15:47 -0400 Subject: [PATCH 04/17] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Edouard Choinière <27212526+echoix@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 12938489bd9..7f7e455ffaf 100644 --- a/README.md +++ b/README.md @@ -75,7 +75,7 @@ _Github PR reporter_ ## Table of Contents -- [MegaLinter, by ](#megalinter-by-) +- [MegaLinter, by](#megalinter-by-) - [Table of Contents](#table-of-contents) - [Why MegaLinter](#why-megalinter) - [Quick Start](#quick-start) From 5bdb7e4813c0bb9e9b9cd493a77af0f8dede901e Mon Sep 17 00:00:00 2001 From: Andrew Vaughan Date: Sat, 21 Oct 2023 16:44:44 -0400 Subject: [PATCH 05/17] Update TEMPLATES/mega-linter.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Edouard Choinière <27212526+echoix@users.noreply.github.com> --- TEMPLATES/mega-linter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TEMPLATES/mega-linter.yml b/TEMPLATES/mega-linter.yml index 2c69aa89dd0..3ddb18f1432 100644 --- a/TEMPLATES/mega-linter.yml +++ b/TEMPLATES/mega-linter.yml @@ -125,7 +125,7 @@ jobs: # permissions enabled to `write` for MegaLinter to function. # # Always aim to provide as few permissions as possible for personal access - # tokens. By default, all permissions are set to read only. Write + # tokens (PAT). By default, all permissions are set to read only. Write # permissions must be set for the following scopes in the described # circumstances: # From 4697ea9114150c5eaa1ea33d57ce48c6f5398915 Mon Sep 17 00:00:00 2001 
From: Andrew Vaughan Date: Sat, 21 Oct 2023 16:44:58 -0400 Subject: [PATCH 06/17] Update TEMPLATES/mega-linter.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Edouard Choinière <27212526+echoix@users.noreply.github.com> --- TEMPLATES/mega-linter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TEMPLATES/mega-linter.yml b/TEMPLATES/mega-linter.yml index 3ddb18f1432..15a16099025 100644 --- a/TEMPLATES/mega-linter.yml +++ b/TEMPLATES/mega-linter.yml @@ -25,7 +25,7 @@ on: ## # To only have MegaLinter run on Pull Requests, comment out the following line. # It is not recommended to use `push` linting on all pushes (the default, - # here)if you do not pay for GitHub Actions. + # here) if you do not pay for GitHub Actions. # # Some projects also prefer to limit push linting to specific branches, such # as when a `production` branch is updated. This can be done by adding a From 7ded8525fd1ef39ac71a9ed32aa4507839178006 Mon Sep 17 00:00:00 2001 From: Andrew Vaughan Date: Sat, 21 Oct 2023 16:45:15 -0400 Subject: [PATCH 07/17] Update TEMPLATES/mega-linter.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Edouard Choinière <27212526+echoix@users.noreply.github.com> --- TEMPLATES/mega-linter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TEMPLATES/mega-linter.yml b/TEMPLATES/mega-linter.yml index 15a16099025..dff8e4b7eb1 100644 --- a/TEMPLATES/mega-linter.yml +++ b/TEMPLATES/mega-linter.yml @@ -60,7 +60,7 @@ env: # be a list of comma-separated linter keys. # # When active, `APPLY_FIXES` must also be defined as environment variable - # (in github/workflows/mega-linter.yml or other CI tool) + # (in .github/workflows/mega-linter.yml or other CI tool) # # More info at: # https://megalinter.io/latest/config-apply-fixes/ From d4a22bb1503f3cadce0cd4562685b0182f6235f7 Mon Sep 17 00:00:00 2001 
From: Andrew Vaughan Date: Sat, 21 Oct 2023 16:45:26 -0400 Subject: [PATCH 08/17] Update TEMPLATES/mega-linter.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Edouard Choinière <27212526+echoix@users.noreply.github.com> --- TEMPLATES/mega-linter.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/TEMPLATES/mega-linter.yml b/TEMPLATES/mega-linter.yml index dff8e4b7eb1..71861c1a73f 100644 --- a/TEMPLATES/mega-linter.yml +++ b/TEMPLATES/mega-linter.yml @@ -70,8 +70,8 @@ env: ## # Only applies if `APPLY_FIXES` is enabled. # - # Defines which GitHub event triggers the application of fixes. Options - # include: + # Defines which GitHub event triggers the application of fixes. + # Options include: # # - `all` - whenever any of the below events occur # - `pull_request` - whenever a Pull Request occurs in GitHub (default) From 95d7bc265e8f2cce6da49541ebb86568160c46e0 Mon Sep 17 00:00:00 2001 From: Andrew Vaughan Date: Sat, 21 Oct 2023 20:50:51 -0400 Subject: [PATCH 09/17] Update mega-linter-runner/generators/mega-linter/templates/mega-linter.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Edouard Choinière <27212526+echoix@users.noreply.github.com> --- .../generators/mega-linter/templates/mega-linter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml b/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml index 7f888c770b5..64d99ba50e3 100644 --- a/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml +++ b/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml 
@@ -184,7 +184,7 @@ jobs: # oxsecurity/megalinter/flavors/python@<%= GITHUB_ACTION_VERSION %> # # More info at: - # https://megalinter.io/flavors/ + # https://megalinter.io/latest/flavors/ # uses: <%= GITHUB_ACTION_NAME %>@<%= GITHUB_ACTION_VERSION %> From e16e33c8381cd2a02e79abb21fc1eb57b835595a Mon Sep 17 00:00:00 2001 From: Andrew Vaughan Date: Sat, 21 Oct 2023 20:54:16 -0400 Subject: [PATCH 10/17] Update CHANGELOG.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Edouard Choinière <27212526+echoix@users.noreply.github.com> --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 45a1ba3cf81..6e7ca8cb709 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,7 +30,7 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l - Fixes - build.py: Remove exclusivity between pip, gem & cargo packages - Salesforce linters: Switch sfdx-cli to @salesforce/cli - - Set default permissions to all workflows to `read-only` to increase security and prevent Checkov `CKV2_GHA_1` errors, by @andrewvaughan in [#3032](https://github.com/oxsecurity/megalinter/pull/3032) + - Set default permissions to all workflows to `read-all` to increase security and prevent Checkov `CKV2_GHA_1` errors, by @andrewvaughan in [#3032](https://github.com/oxsecurity/megalinter/pull/3032) - Fixed issue with `actionlint` throwing an error on `if` statements in the generated workflow file - Added default `.devskim.json` to mitigate errors introduced when no config exists From c82b1054c5c9a7085087326e2c7479d2023b9c3b Mon Sep 17 00:00:00 2001 From: Andrew Vaughan Date: Sat, 21 Oct 2023 21:36:11 -0400 Subject: [PATCH 11/17] Update read only to read-only --- .../generators/mega-linter/templates/mega-linter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml b/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml index 64d99ba50e3..64be994ae96 100644 --- a/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml +++ b/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml @@ -125,7 +125,7 @@ jobs: # permissions enabled to `write` for MegaLinter to function. # # Always aim to provide as few permissions as possible for personal access - # tokens. By default, all permissions are set to read only. Write + # tokens. By default, all permissions are set to read-only. Write # permissions must be set for the following scopes in the described # circumstances: # From 6cf736483706a3e01e54554b66288981c01c34dc Mon Sep 17 00:00:00 2001 From: Andrew Vaughan Date: Mon, 23 Oct 2023 10:16:33 -0400 Subject: [PATCH 12/17] Added recommended flavor language and fixed andrewvaughan cspell flag --- .cspell.json | 1 + TEMPLATES/mega-linter.yml | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/.cspell.json b/.cspell.json index 79be1a3e99d..47960084266 100644 --- a/.cspell.json +++ b/.cspell.json @@ -35,6 +35,7 @@ "abefhkmnptuvx", "admiralawkbar", "alignat", + "andrewvaughan", "aproba", "arrify", "baprs", diff --git a/TEMPLATES/mega-linter.yml b/TEMPLATES/mega-linter.yml index 71861c1a73f..2b4996e42ff 100644 --- a/TEMPLATES/mega-linter.yml +++ b/TEMPLATES/mega-linter.yml @@ -183,6 +183,10 @@ jobs: # # oxsecurity/megalinter/flavors/python@v7 # + # By default, MegaLinter recommends a specific flavor for your project + # setup in its logs. It's shown after the summary table at the end of + # the run for your convenience. + # # More info at: # https://megalinter.io/flavors/ # From 9133abdcf733e81bb26724739eba5d9ce3b6dafd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Edouard=20Choini=C3=A8re?= <27212526+echoix@users.noreply.github.com> Date: Mon, 23 Oct 2023 22:28:03 -0400 Subject: [PATCH 13/17] Remove duplicated if in mega-linter-for-runner.yml --- .github/workflows/mega-linter-for-runner.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/mega-linter-for-runner.yml b/.github/workflows/mega-linter-for-runner.yml index 570212f1681..e32ffa35f5b 100644 --- a/.github/workflows/mega-linter-for-runner.yml +++ b/.github/workflows/mega-linter-for-runner.yml @@ -254,7 +254,6 @@ jobs: - name: Archive production artifacts if: success() || failure() uses: actions/upload-artifact@v3 - if: ${{ success() }} || ${{ failure() }} with: name: MegaLinter reports path: | From e3a56cd5eac21c68f31e0e1ce4899298abf1f3ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edouard=20Choini=C3=A8re?= <27212526+echoix@users.noreply.github.com> Date: Mon, 23 Oct 2023 22:33:53 -0400 Subject: [PATCH 14/17] Run ./build.sh --doc on PR --- docs/install-github.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/install-github.md b/docs/install-github.md index 8ad5a8016e5..de1c4a70526 100644 --- a/docs/install-github.md +++ b/docs/install-github.md @@ -172,7 +172,6 @@ jobs: issues: write pull-requests: write - steps: ## @@ -227,7 +226,7 @@ jobs: # https://megalinter.io/latest/config-file/ # env: - + ## # By default, this validates full codebase whenever a push to the # default branch occurs. Otherwise, only the `git diff` files will @@ -256,7 +255,7 @@ jobs: github.ref == 'refs/heads/master' ) }} - + ## # This token is automatically created on the GitHub server and you # should not modify this line. From aa96d1810b53551cda7a51700fa6ed36882e8247 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Edouard=20Choini=C3=A8re?= <27212526+echoix@users.noreply.github.com> Date: Mon, 23 Oct 2023 22:51:11 -0400 Subject: [PATCH 15/17] Apply suggestions from code review --- .github/workflows/mega-linter-for-runner.yml | 2 +- .github/workflows/mega-linter.yml | 2 +- README.md | 2 +- TEMPLATES/mega-linter.yml | 6 +++--- docs/install-github.md | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/mega-linter-for-runner.yml b/.github/workflows/mega-linter-for-runner.yml index e32ffa35f5b..a9aa8287860 100644 --- a/.github/workflows/mega-linter-for-runner.yml +++ b/.github/workflows/mega-linter-for-runner.yml @@ -192,7 +192,7 @@ jobs: # oxsecurity/megalinter/flavors/python@v7 # # More info at: - # https://megalinter.io/flavors/ + # https://megalinter.io/latest/flavors/ # uses: oxsecurity/megalinter/flavors/javascript@beta diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index 48954f58ee4..1edcf500b21 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml @@ -187,7 +187,7 @@ jobs: # oxsecurity/megalinter/flavors/python@v7 # # More info at: - # https://megalinter.io/flavors/ + # https://megalinter.io/latest/flavors/ # uses: oxsecurity/megalinter/flavors/python@beta diff --git a/README.md b/README.md index 7f7e455ffaf..395cd3f2edf 100644 --- a/README.md +++ b/README.md @@ -608,7 +608,7 @@ jobs: # oxsecurity/megalinter/flavors/python@v7 # # More info at: - # https://megalinter.io/flavors/ + # https://megalinter.io/latest/flavors/ # uses: oxsecurity/megalinter@v7 diff --git a/TEMPLATES/mega-linter.yml b/TEMPLATES/mega-linter.yml index 2b4996e42ff..a77d143448e 100644 --- a/TEMPLATES/mega-linter.yml +++ b/TEMPLATES/mega-linter.yml @@ -188,7 +188,7 @@ jobs: # the run for your convenience. # # More info at: - # https://megalinter.io/flavors/ + # https://megalinter.io/latest/flavors/ # uses: oxsecurity/megalinter@v7 
@@ -208,9 +208,9 @@ jobs: # be linted for better efficiency. # # This can be overridden to always lint the codebase with: - # + # # VALIDATE_ALL_CODEBASE: true - # + # # To validate only `git diff`` with the default branch on push: # # VALIDATE_ALL_CODEBASE: >- diff --git a/docs/install-github.md b/docs/install-github.md index de1c4a70526..e95e44ca7ca 100644 --- a/docs/install-github.md +++ b/docs/install-github.md @@ -213,7 +213,7 @@ jobs: # oxsecurity/megalinter/flavors/python@v7 # # More info at: - # https://megalinter.io/flavors/ + # https://megalinter.io/latest/flavors/ # uses: oxsecurity/megalinter@v7 From c281d8c2098ad0a1a792a19c503be88d3d2ac7a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edouard=20Choini=C3=A8re?= <27212526+echoix@users.noreply.github.com> Date: Tue, 31 Oct 2023 19:38:22 -0400 Subject: [PATCH 16/17] Apply suggestions from code review --- .github/workflows/mega-linter-for-runner.yml | 16 +++++++--------- .github/workflows/mega-linter.yml | 11 +++++++---- README.md | 3 --- docs/install-github.md | 3 +-- .../mega-linter/templates/mega-linter.yml | 2 +- 5 files changed, 16 insertions(+), 19 deletions(-) diff --git a/.github/workflows/mega-linter-for-runner.yml b/.github/workflows/mega-linter-for-runner.yml index a9aa8287860..95ec6755fb8 100644 --- a/.github/workflows/mega-linter-for-runner.yml +++ b/.github/workflows/mega-linter-for-runner.yml @@ -21,11 +21,10 @@ name: MegaLinter # efficiency. # on: - ## # To only have MegaLinter run on Pull Requests, comment out the following line. # It is not recommended to use `push` linting on all pushes (the default, - # here)if you do not pay for GitHub Actions. + # here) if you do not pay for GitHub Actions. # # Some projects also prefer to limit push linting to specific branches, such # as when a `production` branch is updated. This can be done by adding a 
@@ -56,7 +55,6 @@ on: # efficiency. # env: - ## # Automatically applies formatting fixes during linting for linters that # support fixes. This is set to `all` to apply fixes from all linters, or can @@ -81,7 +79,6 @@ env: # - `push` - whenever a push occurs to a branch # APPLY_FIXES_EVENT: pull_request - ## # Only applies if `APPLY_FIXES` is enabled. # @@ -128,7 +125,7 @@ jobs: # permissions enabled to `write` for MegaLinter to function. # # Always aim to provide as few permissions as possible for personal access - # tokens. By default, all permissions are set to read only. Write + # tokens. By default, all permissions are set to read-only. Write # permissions must be set for the following scopes in the described # circumstances: # @@ -183,9 +180,10 @@ jobs: id: ml ## - # The full MegaLinter project can be over 8GB in size! This is due to it including every linter available for - # the full MegaLinter project. It is highly recommended to select a more refined "flavor" that better-matches - # your project by changing the image used here. + # The full MegaLinter project can be over 8GB in size! This is due to it + # including every linter available for the full MegaLinter project. It + # is highly recommended to select a more refined "flavor" that better + # matches your project by changing the image used here. # # For example, a Python project may elect to use: # @@ -252,8 +250,8 @@ jobs: # https://megalinter.io/latest/reporters/ # - name: Archive production artifacts - if: success() || failure() uses: actions/upload-artifact@v3 + if: success() || failure() with: name: MegaLinter reports path: | diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index 1edcf500b21..efb8ce05033 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml 
@@ -21,7 +21,6 @@ name: MegaLinter # efficiency. # on: - ## # To only have MegaLinter run on Pull Requests, comment out the following line. # It is not recommended to use `push` linting on all pushes (the default, @@ -127,7 +126,7 @@ jobs: # permissions enabled to `write` for MegaLinter to function. # # Always aim to provide as few permissions as possible for personal access - # tokens. By default, all permissions are set to read only. Write + # tokens. By default, all permissions are set to read-only. Write # permissions must be set for the following scopes in the described # circumstances: # @@ -172,7 +171,12 @@ jobs: # fetch-depth: 0 - # MegaLinter + ## + # Run MegaLinter. + # + # More info at: + # https://github.com/oxsecurity/megalinter + # - name: MegaLinter id: ml @@ -200,7 +204,6 @@ jobs: # https://megalinter.io/latest/config-file/ # env: - ## # By default, this validates full codebase whenever a push to the # default branch occurs. Otherwise, only the `git diff` files will diff --git a/README.md b/README.md index 395cd3f2edf..1d8b7cf8cb7 100644 --- a/README.md +++ b/README.md @@ -662,9 +662,6 @@ jobs: # below this line. # - # Uncomment to disable copy-paste and spell checks - # DISABLE: COPYPASTE,SPELL - ## # Upload MegaLinter artifacts. # diff --git a/docs/install-github.md b/docs/install-github.md index e95e44ca7ca..cd207540eb8 100644 --- a/docs/install-github.md +++ b/docs/install-github.md @@ -154,7 +154,7 @@ jobs: # permissions enabled to `write` for MegaLinter to function. # # Always aim to provide as few permissions as possible for personal access - # tokens. By default, all permissions are set to read only. Write + # tokens. By default, all permissions are set to read-only. Write # permissions must be set for the following scopes in the described # circumstances: # @@ -173,7 +173,6 @@ jobs: pull-requests: write steps: - ## # Clone the Repository for linting. # 
diff --git a/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml b/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml
index 64be994ae96..62021590ddb 100644
--- a/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml
+++ b/mega-linter-runner/generators/mega-linter/templates/mega-linter.yml
@@ -176,7 +176,7 @@ jobs:
 ##
 # The full MegaLinter project can be over 8GB in size! This is due to it
 # including every linter available for the full MegaLinter project. It
- # is highly recommended to select a more refined "flavor" that better-
+ # is highly recommended to select a more refined "flavor" that better
 # matches your project by changing the image used here.
 #
 # For example, a Python project may elect to use:
From 8766889a0f4c15604fb1de15d81f955e2fffdcc5 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Tue, 21 Nov 2023 01:06:24 +0000
Subject: [PATCH 17/17] [build-command] Update generated files
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index c2c29264dfd..d0871e1d6f3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,7 +34,7 @@ FROM yoheimuta/protolint:latest as protolint
 FROM golang:alpine as dustilock
 RUN GOBIN=/usr/bin go install github.com/checkmarx/dustilock@v1.2.0
-FROM zricethezav/gitleaks:v8.18.1 as gitleaks
+FROM zricethezav/gitleaks:v8.18.0 as gitleaks
 FROM checkmarx/kics:alpine as kics
 FROM trufflesecurity/trufflehog:latest as trufflehog
 FROM jdkato/vale:latest as vale
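Review bot: The new `FROM zricethezav/gitleaks:v8.18.0 as gitleaks` line moves the gitleaks stage one patch release below the v8.18.1 it replaces, so this commit downgrades a secrets scanner even though its subject says "Update generated files"; this looks like the generator ran against a descriptor that had not yet picked up the later pin, and the intended version should be confirmed before merging, with the fix presumably going into the descriptor that build.py reads rather than into the Dockerfile itself. The tag is also not digest-pinned, so the stage's content can change under the same tag; if the build pipeline supports it, `FROM zricethezav/gitleaks:v8.18.0@sha256:<DIGEST-PLACEHOLDER> as gitleaks` would make the stage reproducible and detect a re-tagged image. The surrounding list of FROM stages continues outside the hunk.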