fix(ci): exclude self-contained sub-apps from MegaLinter linters #4892
devantler wants to merge 5 commits into
Conversation
❌ MegaLinter analysis: Error

❌ COPYPASTE / jscpd - 1 error
❌ REPOSITORY / osv-scanner - 1 error
❌ ACTION / zizmor - 1 error
✅ Linters with no issues: actionlint, git_diff, hadolint, jsonlint, lychee, markdown-table-formatter, markdownlint, prettier, prettier, stylelint, syft, trivy-sbom, trufflehog, v8r, v8r, yamllint

Notices
📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining

See detailed reports in MegaLinter artifacts
The CodeQL default-setup analysis on this PR failed at 12:16:50Z with "action could not be found at URI codeload.github.com/.../codeql-action" (the 2026-05-26 GitHub Actions outage). The code_scanning ruleset rule gates merge on a successful CodeQL analysis, so a fresh run is needed. The Actions rerun API rejects default-setup analyses, so this empty commit moves the head to trigger a new pull_request analysis.
Corrected root cause — this PR's
The same gate blocks the dependabot backlog (#4881–#4890). Parts 1 + 2 are mechanical; part 3 is a maintainer-policy decision (refactor vs. exclude/threshold). I'll prepare the validated config fix via a local megalinter run on the next substantive pass. Flagging now so this PR isn't merged expecting the
…pps from jscpd

MegaLinter's lint job fails on three independent linters; this resolves the two config-fixable ones:

- zizmor: MegaLinter strips GITHUB_TOKEN from the linter env, so zizmor hits HTTP 401 when resolving action tags. ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES lets it authenticate (same fix as go-template's .mega-linter.yml).
- jscpd: all 6 reported clones live inside vsce/ (the self-contained VS Code extension). Exclude vsce/, web/ui/ and desktop/ — the self-contained sub-apps already kept out of the repo-wide linters — from duplicate detection.

The remaining two lint failures need more than config and are tracked separately: osv-scanner (a cgo crash in the MegaLinter image masks a dependency-vuln backlog) and one in-tree Go clone (argocd.go <-> talos/manager.go) that needs a refactor.
Drop the zizmor ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES change added in the previous commit. Passing GITHUB_TOKEN does fix the HTTP 401, but it lets zizmor authenticate and complete its audits, which then surfaces a backlog of ~119 findings (incl. High-confidence github-app App-token warnings) that the 401 had been masking — so it raises the lint job's error count instead of reducing it, and that backlog is its own triage effort, not part of this config PR.

This PR therefore keeps only the jscpd change: excluding the self-contained sub-apps (vsce/, web/ui/, desktop/) from duplicate detection, which drops jscpd from 7 clones to 1 (the real in-tree Go clone, tracked for a separate refactor).
| # (webview C bindings, kept out of the static ksail binary); MegaLinter's containerized Go | ||
| # analysis cannot import "C" without the desktop C deps installed, so it fails with | ||
| # "could not import C" / "webview.HintNone unknown invalid type". Real CI builds and tests | ||
| # desktop/ via dedicated jobs, so exclude it from the repo-wide linters here too. | ||
| FILTER_REGEX_EXCLUDE: (megalinter-reports/.*|web/ui/.*|desktop/.*) |
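Review bot: adding `desktop/.*` to the global `FILTER_REGEX_EXCLUDE` removes desktop/ from every repo-wide linter, while the comment above only justifies skipping MegaLinter's containerized Go analysis (the `could not import C` / `webview.HintNone` failure). If the non-Go linters that currently pass (yamllint, hadolint, prettier, markdownlint and the rest of the "no issues" list) should still cover desktop/, narrow this to MegaLinter's per-descriptor or per-linter `*_FILTER_REGEX_EXCLUDE` variable for the Go linters and keep the global regex for megalinter-reports/ and web/ui/. In either case, name in the comment which dedicated CI jobs build and test desktop/, so the exclusion can be revisited if those jobs change; note also that jscpd reads its own `.jscpd.json` ignore list, so this regex does not affect the duplicate-detection result the PR targets.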

What this PR does

Excludes the self-contained sub-apps from MegaLinter, so the 🧹 Lint - mega-linter job's duplicate detection stops flagging code that lives in app-private toolchains: vsce/ (the self-contained VS Code extension).

- Added `vsce/`, `web/ui/` and `desktop/` to `.jscpd.json`'s ignore list (jscpd is a "project" linter, so it reads `.jscpd.json` ignore — not MegaLinter's `FILTER_REGEX_EXCLUDE`). This drops jscpd from 7 clones to 1. ✅ verified in CI (run on 43306b57/04c61f02).
- `desktop/.*` in `FILTER_REGEX_EXCLUDE` so the per-file repo-wide linters skip the separate cgo module.

This is intentionally scoped to the clean config layer: the one change that monotonically reduces the lint failures with correct, low-risk config.
The lint gate masks real backlogs — three remaining blockers (this PR alone does NOT turn it green)

Investigation showed the lint job has been failing on three independent linters, two of which were masking real findings behind environmental failures:

- `pkg/svc/tenant/argocd.go [400:413]` ↔ `pkg/fsutil/configmanager/talos/manager.go [228:241]` (the YAML-files-in-a-directory loop; talos already factored its copy into `forEachYAMLFile`). With `threshold: 0` this still fails after the sub-app exclusion. Clean fix = a shared `fsutil` helper used by both — but the two copies differ in file-reading (`fsutil.ReadFileSafe` vs `os.ReadFile` + `//nolint:gosec`), so unifying them is a security-sensitive refactor that deserves its own reviewed PR.
- `GITHUB_TOKEN`, so zizmor can't reach the GitHub API and reports a single HTTP 401. Passing the token (`ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES: [GITHUB_TOKEN]`) lets it authenticate — but it then completes its audits and surfaces ~119 findings (incl. High-confidence `github-app` "dangerous use of GitHub App tokens" in `cd.yaml`). So the token fix makes zizmor functional, not passing; the revealed findings are a separate triage effort and were deliberately not bundled here (it would raise the error count, not reduce it).
- `go` image, `osv-scanner scan source --recursive .` crashes type-checking `desktop/`'s webview cgo (`could not import C`) and aborts before scanning. Running the same command in the standalone `osv-scanner:2.3.8` image (no Go toolchain) completes and surfaces ~68 advisories on indirect deps (`x/crypto` 0.51→0.52, `x/net` 0.54→0.55, `x/image` 0.38→0.39, plus `k8s.io/kubernetes` no-fix meta-module false-positives). Fix path: make the scanner functional (`--no-call-analysis=all`, validate in the `go` image) and bump the vulnerable indirect deps and osv-ignore the k8s findings. Security + dependency work, not config.

Net: the gate needs a coordinated effort (Go-clone refactor + zizmor findings triage + osv dep/security work) to go green. This PR ships the one clean config win and maps the rest.
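The first blocker above says the two clones differ in how they read files (`fsutil.ReadFileSafe` vs `os.ReadFile` + `//nolint:gosec`), which is what makes the shared-helper refactor security-sensitive. The following is an added example, not ksail's code and not the body of its `ReadFileSafe` or `forEachYAMLFile` (neither is shown on the page): it sketches what a single shared "YAML files in a directory" helper has to carry so that both call sites keep the stricter policy. The package, the names `ForEachYAMLFile`, `readFileWithin` and `ErrOutsideRoot`, and the confinement rule itself (resolve symlinks, refuse any entry that leaves the directory) are assumptions chosen for illustration.

```go
// Added example (not ksail code): a shared "YAML files in a directory" helper of the kind
// the PR description proposes for pkg/fsutil. What ReadFileSafe actually checks is not on
// the page; the confinement policy below (resolve symlinks, refuse anything that leaves the
// directory) is an assumption chosen to show why the two copies cannot simply be merged
// onto a plain os.ReadFile.
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when an entry resolves to a path outside the scanned directory.
var ErrOutsideRoot = errors.New("path resolves outside the root directory")

// readFileWithin reads name only if, after symlink resolution, it still lies under root.
// This is the check that a bare os.ReadFile (+ //nolint:gosec) does not perform.
func readFileWithin(root, name string) ([]byte, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return nil, err
	}
	realName, err := filepath.EvalSymlinks(name)
	if err != nil {
		return nil, err
	}
	rel, err := filepath.Rel(realRoot, realName)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return nil, fmt.Errorf("%s: %w", name, ErrOutsideRoot)
	}
	return os.ReadFile(realName) //nolint:gosec // path confined to root above
}

// ForEachYAMLFile calls fn for every *.yaml / *.yml entry directly inside dir
// (non-recursive, like the duplicated loop). Subdirectories and non-YAML files are
// skipped; an entry that escapes dir via a symlink aborts the walk with ErrOutsideRoot
// instead of being read, so every caller inherits the same policy.
func ForEachYAMLFile(dir string, fn func(path string, data []byte) error) error {
	entries, err := os.ReadDir(dir) // sorted by name, so iteration order is deterministic
	if err != nil {
		return err
	}
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		ext := strings.ToLower(filepath.Ext(e.Name()))
		if ext != ".yaml" && ext != ".yml" {
			continue
		}
		p := filepath.Join(dir, e.Name())
		data, err := readFileWithin(dir, p)
		if err != nil {
			return err
		}
		if err := fn(p, data); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Constructed sample layout: two YAML files, one non-YAML file, one symlink that
	// points at a YAML file outside the directory.
	dir, _ := os.MkdirTemp("", "yamlwalk")
	defer os.RemoveAll(dir)
	outside, _ := os.MkdirTemp("", "outside")
	defer os.RemoveAll(outside)
	_ = os.WriteFile(filepath.Join(dir, "a.yaml"), []byte("a: 1\n"), 0o600)
	_ = os.WriteFile(filepath.Join(dir, "b.yml"), []byte("b: 2\n"), 0o600)
	_ = os.WriteFile(filepath.Join(dir, "notes.txt"), []byte("skip\n"), 0o600)
	_ = os.WriteFile(filepath.Join(outside, "secret.yaml"), []byte("s: 3\n"), 0o600)
	_ = os.Symlink(filepath.Join(outside, "secret.yaml"), filepath.Join(dir, "z.yaml"))

	err := ForEachYAMLFile(dir, func(path string, data []byte) error {
		fmt.Printf("%s: %d bytes\n", filepath.Base(path), len(data))
		return nil
	})
	// a.yaml and b.yml are visited; z.yaml aborts the walk with ErrOutsideRoot.
	fmt.Println("walk ended with:", err)
}
```

The point for the refactor is that the merged helper, not its callers, owns the read policy: if the argocd.go loop were switched to the talos copy's `os.ReadFile` path, it would silently lose whatever `ReadFileSafe` enforces, and a `//nolint:gosec` annotation would hide that from the linter that would otherwise flag it.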