-
Notifications
You must be signed in to change notification settings - Fork 0
233 lines (210 loc) · 9.69 KB
/
megalinter.yml
File metadata and controls
233 lines (210 loc) · 9.69 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
---
name: MegaLinter
# yamllint disable-line rule:truthy
on:
# MegaLinter can be triggered by one or more of the following events:
#
# pull_request: triggers MegaLinter when there is activity Pull Request (PR)
# push: triggers MegaLinter when there is a push to the repository
# workflow_dispatch: triggers MegaLinter when manually triggered
# schedule: triggers MegaLinter on a schedule
#
# Note: running MegaLinter on every push is not recommended if you're payinh
# for GitHub Actions, as it will consume your minutes quickly.
pull_request:
branches:
- main
- master
workflow_dispatch:
# Set the top-level permissions to read-only to avoid accidental changes
permissions:
contents: read
env:
# When active, APPLY_FIXES must be defined as an environment variable; it
# cannot be defined in the MegaLinter configuration file. APPLY_FIXES may
# be set to one of the following values:
#
# all: apply all fixes
# none: apply no fixes
APPLY_FIXES: all
# Decide which events trigger application of fixes in a commit or PR:
#
# pull_request: triggers MegaLinter when there is activity in a Pull Request
# push: triggers MegaLinter when there is a push to the repository
# all: triggers MegaLinter on all events
APPLY_FIXES_EVENT: pull_request
# Decide how fixes are applied:
#
# commit: applies fixes in a new commit
# pull_request: applies fixes in a new Pull Request
APPLY_FIXES_MODE: commit
# If using signed commits, uncomment the following lines:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.GPG_PRIVATE_KEY_PASSPHRASE }}
# If MegaLinter is already running, cancel the previous run
concurrency:
group: ${{ github.ref }}-${{ github.workflow }}
cancel-in-progress: true
jobs:
megalinter:
name: MegaLinter
runs-on: ubuntu-24.04
# Give the default GITHUB_TOKEN write permission to commit and push,
# comment on issues and post new PRs. Remove the ones you do not need.
permissions:
contents: write
issues: write
pull-requests: write
security-events: write
checks: write
steps:
# Checkout the code
- name: Checkout Code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4
with:
token: ${{ secrets.PAT || secrets.GITHUB_TOKEN || github.token }}
fetch-depth: 0
# Run MegaLinter
- name: MegaLinter
id: ml
uses: oxsecurity/megalinter/flavors/security@e08c2b05e3dbc40af4c23f41172ef1e068a7d651 # pin@v8.8.0
env:
GITHUB_TOKEN: ${{ secrets.PAT || secrets.GITHUB_TOKEN || github.token }}
# This will import the GPG key if the MegaLinter has updated the sources
# with Crazy Max's ghaction-import-gpg action. This is necessary to sign
# commits with a GPG key. The GPG key must be added to the repository
# as secrets. GPG_PRIVATE_KEY is the **private key** and
# GPG_PRIVATE_KEY_PASSPHRASE is the passphrase for the private key.
#
# For more information, see:
# https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key
# https://github.com/crazy-max/ghaction-import-gpg
#
# If using signed commits, uncomment the following step:
- name: "Import GPG key"
id: import-gpg
uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # pin@v6
if: |
steps.ml.outputs.has_updated_sources == 1
&& (env.APPLY_FIXES_EVENT == 'all'
|| env.APPLY_FIXES_EVENT == github.event_name)
&& env.APPLY_FIXES_MODE == 'commit'
&& github.ref != 'refs/heads/main'
&& (github.event_name == 'push'
|| github.event.pull_request.head.repo.full_name == github.repository)
with:
gpg_private_key: ${{ env.GPG_PRIVATE_KEY }}
passphrase: ${{ env.GPG_PRIVATE_KEY_PASSPHRASE }}
git_user_signingkey: true
git_commit_gpgsign: true
# Upload MegaLinter artifacts
- name: Archive production artifacts
if: always()
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # pin@v4.6.2
with:
name: MegaLinter reports
path: |
megalinter-reports
megalinter-reports/megalinter.log
# Create pull request with applied fixes if APPLY_FIXES is set and there
# are changes, and we're using pull_request mode to add the changes to a
# new branch. This step only works on PRs from same repository, not
# from forks
- name: Create Pull Request with applied fixes
id: cpr
if: |
steps.ml.outputs.has_updated_sources == 1
&& (env.APPLY_FIXES_EVENT == 'all'
|| env.APPLY_FIXES_EVENT == github.event_name)
&& env.APPLY_FIXES_MODE == 'pull_request'
&& (github.event_name == 'push'
|| github.event.pull_request.head.repo.full_name == github.repository)
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # pin@v5
with:
token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
commit-message: "[MegaLinter] Apply linter automatic fixes"
title: "[MegaLinter] Apply linter automatic fixes"
labels: bot
# If using signed commits, comment the following lines:
# committer: megalinter-bot <129584137+megalinter-bot@users.noreply.github.com>
# sign-commits: false
# If using signed commits, uncomment the following lines:
committer: "${{ steps.import-gpg.outputs.name }} <${{ steps.import-gpg.outputs.email }}>"
sign-commits: true
# Output the PR number and URL
- name: Create PR output
id: pr-output
if: |
steps.ml.outputs.has_updated_sources == 1
&& (env.APPLY_FIXES_EVENT == 'all'
|| env.APPLY_FIXES_EVENT == github.event_name)
&& env.APPLY_FIXES_MODE == 'pull_request'
&& (github.event_name == 'push'
|| github.event.pull_request.head.repo.full_name == github.repository)
env:
pull_request_number: ${{ steps.cpr.outputs.pull-request-number }}
pull_request_urlL: ${{ steps.cpr.outputs.pull-request-url }}
run: |
echo "Pull Request Number - ${pull_request_number}"
echo "Pull Request URL - ${pull-request-url}"
# Prepare commit if APPLY_FIXES is set, there are changes, and we're
# using commit mode to add the changes to the current branch. This step
# is necessary to change the ownership of the .git directory to the
# current user.
#
# This works only on PRs from same repository, not from forks
- name: Prepare commit
id: prepare-commit
if: |
steps.ml.outputs.has_updated_sources == 1
&& (env.APPLY_FIXES_EVENT == 'all'
|| env.APPLY_FIXES_EVENT == github.event_name)
&& env.APPLY_FIXES_MODE == 'commit'
&& github.ref != 'refs/heads/main'
&& (github.event_name == 'push'
|| github.event.pull_request.head.repo.full_name == github.repository)
run: sudo chown -Rc $UID .git/
# Commit and push the changes if APPLY_FIXES is set, there are changes,
# and we're using commit mode to add the changes to the current branch.
- name: Commit and push applied linter fixes
id: create-commit
if: |
steps.ml.outputs.has_updated_sources == 1
&& (env.APPLY_FIXES_EVENT == 'all'
|| env.APPLY_FIXES_EVENT == github.event_name)
&& env.APPLY_FIXES_MODE == 'commit'
&& github.ref != 'refs/heads/main'
&& (github.event_name == 'push'
|| github.event.pull_request.head.repo.full_name == github.repository)
uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # pin@v5
with:
branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
commit_message: "[MegaLinter] Apply linter fixes"
# If using signed commits, comment the following lines:
# commit_user_name: megalinter-bot
# commit_user_email: 129584137+megalinter-bot@users.noreply.github.com
# If using signed commits, uncomment the following lines:
commit_author: "${{ steps.import-gpg.outputs.name }} <${{ steps.import-gpg.outputs.email }}>"
commit_user_name: ${{ steps.import-gpg.outputs.name }}
commit_user_email: ${{ steps.import-gpg.outputs.email }}
# Check to see if the SARIF file was generated; if there is no SARIF file,
# the upload-sarif step will fail, so we need to check for its existence
# first.
- name: Check to see if the SARIF a was generated
id: sarif_file_exists
uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # pin@v3.0.0
with:
files: "megalinter-reports/megalinter-report.sarif"
# Only attempt to upload the SARIF file if it exists and if the
# repository is public (private / internal repos likely don't have GitHub
# Advanced Security (GHAS). If the repository is private or internal and
# GHAS is enabled, comment out the `github.event.repository.visibility`
# condition.
- name: Upload MegaLinter scan results to GitHub Security tab
id: upload-sarif
if: |
steps.sarif_file_exists.outputs.files_exists == 'true'
&& github.event.repository.visibility == 'public'
uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # pin@v3.29.5
with:
sarif_file: "megalinter-reports/megalinter-report.sarif"