-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'main' into narumigsa-patch-1
- Loading branch information
Showing
13 changed files
with
321 additions
and
19 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,99 @@ | ||
--- | ||
name: MegaLinter | ||
|
||
# yamllint disable-line rule:truthy | ||
on: | ||
# Triggers mega-linter when a pull_request event's activity type is opened, synchronize, or reopened by default. | ||
pull_request: | ||
branches: | ||
- main | ||
workflow_dispatch: | ||
|
||
|
||
permissions: | ||
contents: write | ||
issues: write | ||
pull-requests: write | ||
|
||
env: | ||
# Comment env block if you do not want to apply fixes | ||
# Apply linter fixes configuration | ||
APPLY_FIXES: none # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool) | ||
APPLY_FIXES_EVENT: all # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all) | ||
APPLY_FIXES_MODE: commit # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request) | ||
|
||
concurrency: | ||
group: ${{ github.ref }}-${{ github.workflow }} | ||
cancel-in-progress: true | ||
|
||
jobs: | ||
build: | ||
name: MegaLinter | ||
runs-on: ubuntu-latest | ||
permissions: write-all | ||
steps: | ||
# Git Checkout | ||
- name: Checkout Code | ||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 | ||
with: | ||
token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} | ||
fetch-depth: 0 | ||
|
||
# MegaLinter | ||
- name: MegaLinter | ||
id: ml | ||
uses: oxsecurity/megalinter/flavors/javascript@bacb5f8674e3730b904ca4d20c8bd477bc51b1a7 # [email protected] | ||
env: | ||
VALIDATE_ALL_CODEBASE: true | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
# Upload MegaLinter artifacts | ||
- name: Archive production artifacts | ||
if: always() | ||
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # pin@v3 | ||
with: | ||
name: MegaLinter reports | ||
path: | | ||
megalinter-reports | ||
megalinter-reports/megalinter.log | ||
# Create pull request if applicable (for now works only on PR from same repository, not from forks) | ||
- name: Create Pull Request with applied fixes | ||
id: cpr | ||
if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) | ||
uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5 # pin@v5 | ||
with: | ||
token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} | ||
commit-message: "[MegaLinter] Apply linters automatic fixes" | ||
title: "[MegaLinter] Apply linters automatic fixes" | ||
labels: bot | ||
- name: Create PR output | ||
if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) | ||
run: | | ||
echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}" | ||
echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" | ||
# Push new commit if applicable (for now works only on PR from same repository, not from forks) | ||
- name: Prepare commit | ||
if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) | ||
run: sudo chown -Rc $UID .git/ | ||
- name: Commit and push applied linter fixes | ||
if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) | ||
uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # pin@v5 | ||
with: | ||
branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }} | ||
commit_message: "[MegaLinter] Apply linters fixes" | ||
commit_user_name: megalinter-bot | ||
commit_user_email: [email protected] | ||
|
||
- name: Check to see if the SARIF a was generated | ||
id: sarif_file_exists | ||
uses: andstor/file-existence-action@20b4d2e596410855db8f9ca21e96fbe18e12930b # pin@v2 | ||
with: | ||
files: "megalinter-reports/megalinter-report.sarif" | ||
|
||
- name: Upload MegaLinter scan results to GitHub Security tab | ||
if: steps.sarif_file_exists.outputs.files_exists == 'true' | ||
uses: github/codeql-action/upload-sarif@3e0e84636c6f5df46a2cb232ae1dd1384713150d # pin@v2 | ||
with: | ||
sarif_file: "megalinter-reports/megalinter-report.sarif" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,18 +1,22 @@ | ||
--- | ||
# This workflow uses actions that are not certified by GitHub. They are provided | ||
# by a third-party and are governed by separate terms of service, privacy | ||
# policy, and support documentation. | ||
|
||
name: Scorecard supply-chain security | ||
|
||
# yamllint disable-line rule:truthy | ||
on: | ||
# For Branch-Protection check. Only the default branch is supported. See | ||
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection | ||
branch_protection_rule: | ||
# To guarantee Maintained check is occasionally updated. See | ||
branch_protection_rule: # To guarantee Maintained check is occasionally updated. See | ||
|
||
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained | ||
schedule: | ||
- cron: '43 7 * * 3' | ||
push: | ||
branches: [ "main" ] | ||
branches: | ||
- "main" | ||
|
||
# Declare default permissions as read only. | ||
permissions: read-all | ||
|
@@ -32,12 +36,12 @@ jobs: | |
|
||
steps: | ||
- name: "Checkout code" | ||
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 | ||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4.1.7 | ||
with: | ||
persist-credentials: false | ||
|
||
- name: "Run analysis" | ||
uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 | ||
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # pin@v2.4.0 | ||
with: | ||
results_file: results.sarif | ||
results_format: sarif | ||
|
@@ -59,14 +63,14 @@ jobs: | |
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF | ||
# format to the repository Actions tab. | ||
- name: "Upload artifact" | ||
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 | ||
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # [email protected] | ||
with: | ||
name: SARIF file | ||
path: results.sarif | ||
retention-days: 5 | ||
|
||
# Upload the results to GitHub's code scanning dashboard. | ||
- name: "Upload to code-scanning" | ||
uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 | ||
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # pin@v3 | ||
with: | ||
sarif_file: results.sarif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -120,3 +120,6 @@ web_modules/ | |
_site | ||
public | ||
node_modules | ||
|
||
megalinter-reports | ||
reports |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
|
||
title = "gitleaks config" | ||
|
||
[extend] | ||
# useDefault will extend the base configuration with the default gitleaks config: | ||
# https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml | ||
useDefault = true | ||
|
||
[allowlist] | ||
description = "Allowlisted files" | ||
paths = [ | ||
'''.automation/test''', | ||
'''megalinter-reports''', | ||
'''.github/linters''', | ||
'''node_modules''', | ||
'''.mypy_cache''', | ||
'''(.*?)gitleaks\.toml$''', | ||
'''(?i)(.*?)(png|jpeg|jpg|gif|doc|docx|pdf|bin|xls|xlsx|pyc|zip)$''', | ||
'''(go.mod|go.sum)$'''] | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
--- | ||
fail-on-severity: "high" | ||
|
||
exclude: | ||
- './node_modules/**' | ||
- './.git/**' | ||
- './.github/**' | ||
- './_site/**' | ||
|
||
ignore: | ||
|
||
# Ignored by default; disputed and unwarranted CVE that causes Megalinter to fail | ||
# @link https://nvd.nist.gov/vuln/detail/CVE-2018-20225 | ||
- vulnerability: CVE-2018-20225 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
{ | ||
"retryOn429": true, | ||
"retryCount": 5, | ||
"aliveStatusCodes": [200, 203], | ||
"ignorePatterns": [ | ||
{ | ||
"pattern": "^https?://github.com/" | ||
} | ||
] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
--- | ||
blanks-around-fences: false | ||
blanks-around-headings: false | ||
blanks-around-lists: false | ||
code-fence-style: false | ||
emphasis-style: false | ||
heading-start-left: false | ||
hr-style: false | ||
list-indent: false | ||
list-marker-space: false | ||
no-blanks-blockquote: false | ||
no-hard-tabs: false | ||
no-missing-space-atx: false | ||
no-missing-space-closed-atx: false | ||
no-multiple-blanks: false | ||
no-multiple-space-atx: false | ||
no-multiple-space-blockquote: false | ||
no-multiple-space-closed-atx: false | ||
no-trailing-spaces: false | ||
ol-prefix: false | ||
strong-style: false | ||
ul-indent: false | ||
|
||
MD013: | ||
line_length: 999 | ||
heading_line_length: 999 | ||
code_block_line_length: 999 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
--- | ||
# don't test the reports Mega-Linter created, docs, or test files | ||
ADDITIONAL_EXCLUDED_DIRECTORIES: [ | ||
report, | ||
megalinter-reports, | ||
docs, | ||
node_modules, | ||
_site, | ||
] | ||
|
||
# don't lint test files or documentation | ||
FILTER_REGEX_EXCLUDE: (.venv/|/test/|\.test\.|_test\.|/docs/|/index.html|.github/.*\.html) | ||
|
||
# don't scan files listed in .gitignore (e.g., node_modules) | ||
IGNORE_GITIGNORED_FILES: true | ||
|
||
# Disable devskim as it's reporting an error with no log message | ||
DISABLE_LINTERS: | ||
[ | ||
REPOSITORY_DEVSKIM, | ||
SPELL_MISSPELL, | ||
SPELL_CSPELL, | ||
SPELL_PROSELINT, | ||
COPYPASTE_JSCPD, | ||
BASH_EXEC, | ||
] | ||
|
||
# only scan new / updated files, not everything | ||
VALIDATE_ALL_CODEBASE: true | ||
|
||
# don't print the alpaca -- it's cute, but we don't need it in the logs | ||
PRINT_ALPACA: false | ||
|
||
# write a SARIF file | ||
SARIF_REPORTER: true | ||
|
||
# don't fail on finding (yet) | ||
DISABLE_ERRORS: true | ||
|
||
# use prettier for JavaScript code formatting | ||
JAVASCRIPT_DEFAULT_STYLE: prettier | ||
|
||
# only scan the files in This commit, not the entire history of the repo | ||
REPOSITORY_GITLEAKS_ARGUMENTS: --no-git | ||
|
||
# don't lint the generated code in the docs/ directory | ||
REPOSITORY_DEVSKIM_ARGUMENTS: "--skip-git-ignored-files" | ||
|
||
# shfmt will.. | ||
# - use multiples of 2 spaces for indenting | ||
# - alllow binary operations to start new lines | ||
# - indent switch case statements | ||
# - place spaces around redirections | ||
# - keep column alignment padding | ||
BASH_SHFMT_ARGUMENTS: -i 2 -bn -ci -sr -kp | ||
|
||
REPOSITORY_TRUFFLEHOG_ARGUMENTS: "--exclude-paths=.trufflehogignore" |
Oops, something went wrong.