From 6f664c92fd8dd7704a837054ef5137a90e48a82c Mon Sep 17 00:00:00 2001
From: ColorfulRhino <131405023+ColorfulRhino@users.noreply.github.com>
Date: Wed, 10 Jul 2024 00:42:34 +0200
Subject: [PATCH] actions: Run YAML formatter over all workflow files
---
 .github/workflows/build-board-list.yml | 4 +-
 .github/workflows/build-train.yml | 4 +-
 .github/workflows/labels-from-yml.yml | 19 +++----
 .github/workflows/open-jira-ticket.yml | 1 +
 .github/workflows/pr-auto-labeler.yml | 19 ++++---
 .github/workflows/pr-build-artifacts.yml | 17 +++---
 .../workflows/pr-kernel-security-analysis.yml | 54 +++++++++----------
 .github/workflows/pr-lint-scripts.yml | 50 +++++++++--------
 .github/workflows/rebase.yml | 9 ++--
 .github/workflows/scorecard.yml | 8 +--
 10 files changed, 90 insertions(+), 95 deletions(-)
diff --git a/.github/workflows/build-board-list.yml b/.github/workflows/build-board-list.yml
index 9df75b12f75f..0dac92bc98e3 100644
--- a/.github/workflows/build-board-list.yml
+++ b/.github/workflows/build-board-list.yml
@@ -4,8 +4,8 @@ run-name: Update board list at armbian/os - Pushed commit "${{ github.event.push
 on:
 push:
 paths:
- - 'config/boards/*.*'
- branches: [ main ]
+ - "config/boards/*.*"
+ branches: [main]
 jobs:
 update-board-list-dispatch:
diff --git a/.github/workflows/build-train.yml b/.github/workflows/build-train.yml
index 0a5f18fb9458..4f3204fbcc94 100644
--- a/.github/workflows/build-train.yml
+++ b/.github/workflows/build-train.yml
@@ -4,9 +4,9 @@ run-name: Run build train - Pushed commit "${{ github.event.push.head_commit.mes
 on:
 push:
 branches:
- - 'main'
+ - "main"
 paths:
- - 'config/*.config'
+ - "config/*.config"
 jobs:
 build-train-dispatch:
diff --git a/.github/workflows/labels-from-yml.yml b/.github/workflows/labels-from-yml.yml
index b582aed9df68..f8bffea4be80 100644
--- a/.github/workflows/labels-from-yml.yml
+++ b/.github/workflows/labels-from-yml.yml
@@ -5,27 +5,28 @@ on:
 workflow_dispatch:
 push:
 branches:
- - 'main'
+ - "main"
 paths:
- - '.github/labels.yml'
+ - ".github/labels.yml"
 pull_request:
 paths:
- - '.github/labels.yml'
+ - ".github/labels.yml"
 jobs:
 labeler:
 permissions:
- contents: read # for actions/labeler to determine modified files
- pull-requests: write # for actions/labeler to add labels to PRs
+ contents: read # for actions/labeler to determine modified files
+ pull-requests: write # for actions/labeler to add labels to PRs
 issues: write # for actions/labeler to add labels to issues
+ if: ${{ github.repository_owner == 'Armbian' }}
 runs-on: ubuntu-latest
+
 steps:
-
- - name: Checkout
+ - name: Checkout
 uses: actions/checkout@v4
-
- - name: Run Labeler
+
+ - name: Run Labeler
 uses: crazy-max/ghaction-github-labeler@v5
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/open-jira-ticket.yml b/.github/workflows/open-jira-ticket.yml
index 73a13d31901d..f89d0e6e311a 100644
--- a/.github/workflows/open-jira-ticket.yml
+++ b/.github/workflows/open-jira-ticket.yml
@@ -8,6 +8,7 @@ jobs:
 sync:
 name: Sync Items
 runs-on: ubuntu-latest
+
 steps:
 - name: Sync
 uses: igorpecovnik/github-action-issue-to-jira@master
diff --git a/.github/workflows/pr-auto-labeler.yml b/.github/workflows/pr-auto-labeler.yml
index cbf9d6ed8720..3d93b938873d 100644
--- a/.github/workflows/pr-auto-labeler.yml
+++ b/.github/workflows/pr-auto-labeler.yml
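Review bot: `if: ${{ github.repository_owner == 'Armbian' }}` on the `labeler` job is a behavioural change — the job would no longer run in forks — inside a commit described as a formatter run, so it should either be split into its own commit or be named in the commit message. The step rename in the `rebase.yml` hunk is likewise not a formatting change and deserves the same mention. The rest of this hunk (quote style, comment alignment, the blank line before `steps:`) matches the description.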
@@ -5,28 +5,27 @@ run-name: 'Set labels - PR #${{ github.event.pull_request.number }} ("${{ github
 #
 on:
-- pull_request_target
+ - pull_request_target
 jobs:
-
 label-category:
 permissions:
- contents: read # for actions/labeler to determine modified files
- pull-requests: write # for actions/labeler to add labels to PRs
+ contents: read # for actions/labeler to determine modified files
+ pull-requests: write # for actions/labeler to add labels to PRs
 name: "Category labels"
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/labeler@v5
- with:
- repo-token: "${{ secrets.GITHUB_TOKEN }}"
+ - uses: actions/checkout@v4
+ - uses: actions/labeler@v5
+ with:
+ repo-token: "${{ secrets.GITHUB_TOKEN }}"
 label-size:
 permissions:
- contents: read # for pascalgn/size-label-action to determine modified files
- pull-requests: write # for pascalgn/size-label-action to add labels to PRs
+ contents: read # for pascalgn/size-label-action to determine modified files
+ pull-requests: write # for pascalgn/size-label-action to add labels to PRs
 name: "Size label"
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-build-artifacts.yml b/.github/workflows/pr-build-artifacts.yml
index 98232cb51d4f..3ef7c49f6d56 100644
--- a/.github/workflows/pr-build-artifacts.yml
+++ b/.github/workflows/pr-build-artifacts.yml
@@ -10,7 +10,6 @@ on:
 types: [opened, reopened, synchronize, labeled]
 jobs:
-
 Check:
 permissions:
 pull-requests: read
@@ -21,17 +20,15 @@ jobs:
 outputs:
 member: ${{ steps.checkUserMember.outputs.isTeamMember }}
 steps:
-
- - uses: tspascoal/get-user-teams-membership@v3
- id: checkUserMember
- with:
- username: ${{ github.actor }}
- organization: armbian
- team: "Release manager"
- GITHUB_TOKEN: ${{ secrets.ORG_MEMBERS }}
+ - uses: tspascoal/get-user-teams-membership@v3
+ id: checkUserMember
+ with:
+ username: ${{ github.actor }}
+ organization: armbian
+ team: "Release manager"
+ GITHUB_TOKEN: ${{ secrets.ORG_MEMBERS }}
 Compile:
-
 needs: Check
 name: Generate artifacts
 concurrency:
diff --git a/.github/workflows/pr-kernel-security-analysis.yml b/.github/workflows/pr-kernel-security-analysis.yml
index 101e65f7be61..bcc8b4213e8c 100644
--- a/.github/workflows/pr-kernel-security-analysis.yml
+++ b/.github/workflows/pr-kernel-security-analysis.yml
@@ -21,36 +21,34 @@ concurrency:
 cancel-in-progress: true
 jobs:
-
 Analysis:
-
 name: Check kernel security options
 runs-on: ubuntu-latest
 if: ${{ github.repository_owner == 'Armbian' }}
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
- with:
- fetch-depth: 0
-
- - name: Get changed files
- id: changed-files
- uses: tj-actions/changed-files@v44
-
- - name: Checkout repository
- uses: actions/checkout@v4
- with:
- repository: a13xp0p0v/kconfig-hardened-check
- path: kconfig-hardened-check
-
- - name: Check kernel config for security issues
- # Run kernel-hardening-checker for each kernel config file excluding RISC-V configs, since they are not supported yet.
- # See https://github.com/a13xp0p0v/kernel-hardening-checker/issues/56
- # sed explanation: 1) Put spaces in front of every line 2) replace colored output with emojis since GitHub Actions job summaries don't support colored output
- run: |
- for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
- if [[ "${file}" = config/kernel/*.config && ! $(head -n 10 "${file}" | grep -q "riscv") ]]; then
- kconfig-hardened-check/bin/kernel-hardening-checker -m show_fail -c $file | sed 's/^/ /; s/\x1b\[32m/✅ /; s/\x1b\[31m/❌ /; s/\x1b\[0m//' >> $GITHUB_STEP_SUMMARY
- fi
- done
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Get changed files
+ id: changed-files
+ uses: tj-actions/changed-files@v44
+
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ repository: a13xp0p0v/kconfig-hardened-check
+ path: kconfig-hardened-check
+
+ - name: Check kernel config for security issues
+ # Run kernel-hardening-checker for each kernel config file excluding RISC-V configs, since they are not supported yet.
+ # See https://github.com/a13xp0p0v/kernel-hardening-checker/issues/56
+ # sed explanation: 1) Put spaces in front of every line 2) replace colored output with emojis since GitHub Actions job summaries don't support colored output
+ run: |
+ for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
+ if [[ "${file}" = config/kernel/*.config && ! $(head -n 10 "${file}" | grep -q "riscv") ]]; then
+ kconfig-hardened-check/bin/kernel-hardening-checker -m show_fail -c $file | sed 's/^/ /; s/\x1b\[32m/✅ /; s/\x1b\[31m/❌ /; s/\x1b\[0m//' >> $GITHUB_STEP_SUMMARY
+ fi
+ done
diff --git a/.github/workflows/pr-lint-scripts.yml b/.github/workflows/pr-lint-scripts.yml
index 3b9e34511c00..7496bd91d872 100644
--- a/.github/workflows/pr-lint-scripts.yml
+++ b/.github/workflows/pr-lint-scripts.yml
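Review bot: `for file in ${{ steps.changed-files.outputs.all_changed_files }}; do` interpolates file names that come from the pull request into the `run:` script before bash starts, so a path containing shell metacharacters would be executed by the job rather than treated as data; pass the output through `env:` and read it as a shell variable, as below. The RISC-V exclusion in the `if` also cannot work as written: `grep -q` prints nothing, so `$(head -n 10 "${file}" | grep -q "riscv")` is always empty and the test reduces to the glob match, letting RISC-V configs through. Moving the pipeline out of `[[ ]]` and negating it directly fixes that, and `$file` in the `-c` argument should be quoted like the other uses. The same interpolation pattern appears in the `pr-lint-scripts.yml` hunk's `for file in ${{ steps.changed-files.outputs.all_changed_files }}; do` and would take the same `env:` fix.
```yaml
      - name: Check kernel config for security issues
        # … unchanged: explanatory comments …
        env:
          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
        run: |
          for file in ${CHANGED_FILES}; do
            if [[ "${file}" = config/kernel/*.config ]] && ! head -n 10 "${file}" | grep -q "riscv"; then
              kconfig-hardened-check/bin/kernel-hardening-checker -m show_fail -c "${file}" | sed 's/^/ /; s/\x1b\[32m/✅ /; s/\x1b\[31m/❌ /; s/\x1b\[0m//' >> "$GITHUB_STEP_SUMMARY"
            fi
          done
```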
@@ -17,45 +17,43 @@ concurrency:
 cancel-in-progress: true
 jobs:
-
 Shellcheck:
-
 name: Shell script analysis
 runs-on: ubuntu-latest
 if: ${{ github.repository_owner == 'Armbian' }}
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
- with:
- fetch-depth: 2
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 2
- - name: Get changed files
- id: changed-files
- uses: tj-actions/changed-files@v44
+ - name: Get changed files
+ id: changed-files
+ uses: tj-actions/changed-files@v44
- - name: List all changed files
- run: |
+ - name: List all changed files
+ run: |
- # Use framework internal mechanism for checking `lib` and `extensions` code only one file is passed,
- # and source's are followed, thus the whole project is "understood" by shellcheck.
- # For example, when checking individual files, one variable might be thought "unused" because it
- # is only used in another file, which does not happen when done properly.
+ # Use framework internal mechanism for checking `lib` and `extensions` code only one file is passed,
+ # and source's are followed, thus the whole project is "understood" by shellcheck.
+ # For example, when checking individual files, one variable might be thought "unused" because it
+ # is only used in another file, which does not happen when done properly.
- bash lib/tools/shellcheck.sh
+ bash lib/tools/shellcheck.sh
- ret=0
+ ret=0
- for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
+ for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
- if [[ ! "${file}" =~ lib/|extensions/|.py|.service|.rules|.network|.netdev ]]; then
- if grep -qE "^#\!/.*bash" $file; then
+ if [[ ! "${file}" =~ lib/|extensions/|.py|.service|.rules|.network|.netdev ]]; then
+ if grep -qE "^#\!/.*bash" $file; then
- shellcheck --severity=error $file || ret=$?
+ shellcheck --severity=error $file || ret=$?
- fi
- fi
+ fi
+ fi
- done
+ done
- exit $ret
+ exit $ret
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
index 7a248fcd916d..143bb3fdfb85 100644
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
@@ -4,7 +4,6 @@ run-name: Check comment for `/rebase`
 # If you comment "/rebase" to the PR this Action will rebase the PR
 #
-
 on:
 issue_comment:
 types: [created]
@@ -12,18 +11,20 @@ on:
 jobs:
 rebase:
 permissions:
- contents: write # for cirrus-actions/rebase to push code to rebase
- pull-requests: read # for cirrus-actions/rebase to get info about PR
+ contents: write # for cirrus-actions/rebase to push code to rebase
+ pull-requests: read # for cirrus-actions/rebase to get info about PR
 name: Rebase
 if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase')
 runs-on: ubuntu-latest
+
 steps:
- - name: Checkout the latest code
+ - name: Checkout repository
 uses: actions/checkout@v4
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
+
 - name: Automatic Rebase
 uses: cirrus-actions/rebase@1.8
 env:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 6928abdf08c6..dfacd98d51bc 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -6,9 +6,9 @@ on:
 branch_protection_rule:
 schedule:
 # Weekly on Saturdays.
- - cron: '30 1 * * 6'
+ - cron: "30 1 * * 6"
 push:
- branches: [ main ]
+ branches: [main]
 # Declare default permissions as read only.
 permissions: read-all
@@ -44,8 +44,8 @@ jobs:
 repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
 # Publish the results for public repositories to enable scorecard badges. For more details, see
- # https://github.com/ossf/scorecard-action#publishing-results.
- # For private repositories, `publish_results` will automatically be set to `false`, regardless
+ # https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories, `publish_results` will automatically be set to `false`, regardless
 # of the value entered here.
 publish_results: true