chore: cleanup ci jobs, add actionlint check

Signed-off-by: Sam Gammon <sam@elide.ventures>
buildless · Dec 2, 2023 · c13cd1b · c13cd1b
1 parent a365acd
commit c13cd1b
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 75 deletions.
diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml
@@ -1,4 +1,4 @@
-name: Check Dist
+name: "Check: Distribution"
 
 on:
   workflow_dispatch: {}
@@ -17,34 +17,28 @@ jobs:
       statuses: write
 
     steps:
-      - name: Harden Runner
+      - name: "Setup: Harden Runner"
         uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           egress-policy: audit
-
       - name: "Setup: Checkout"
         id: checkout
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-
       - name: "Setup: PNPM"
         uses: pnpm/action-setup@d882d12c64e032187b2edb46d3a0d003b7a43598 # v2.4.0
         with:
           version: 8.9.0
-
       - name: "Setup: Node"
         uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
         with:
           node-version: 20
           cache: pnpm
-
       - name: "Setup: Install Dependencies"
         id: install
         run: pnpm install && pnpm install -g turbo
-
       - name: "Build: Bundle"
         id: build
         run: turbo build --token ${{ secrets.BUILDLESS_APIKEY }} --no-daemon --remote-only
-
       - name: "Check: Compare Expected and Actual Directories"
         id: diff
         run: |
@@ -53,7 +47,6 @@ jobs:
             git diff --ignore-space-at-eol --text dist/
             exit 1
           fi
-
       - name: "Build: Upload Artifact"
         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         if: ${{ failure() && steps.diff.conclusion == 'failure' }}

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -1,4 +1,4 @@
-name: CodeQL
+name: "Check: CodeQL"
 
 on:
   push:
@@ -32,28 +32,24 @@ jobs:
           - TypeScript
 
     steps:
-      - name: Harden Runner
+      - name: "Setup: Harden Runner"
         uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           egress-policy: audit
-
-      - name: Checkout
+      - name: "Setup: Checkout"
         id: checkout
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-
-      - name: Initialize CodeQL
+      - name: "Setup: Initialize CodeQL"
         id: initialize
         uses: github/codeql-action/init@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3
         with:
           languages: ${{ matrix.language }}
           source-root: src
-
-      - name: Autobuild
+      - name: "Build: Autobuild"
         id: autobuild
         continue-on-error: true
         uses: github/codeql-action/autobuild@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3
-
-      - name: Perform CodeQL Analysis
+      - name: "Check: Perform CodeQL Analysis"
         id: analyze
         continue-on-error: true
         uses: github/codeql-action/analyze@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -1,12 +1,4 @@
-# Dependency Review Action
-#
-# This Action will scan dependency manifest files that change as part of a Pull Request,
-# surfacing known-vulnerable versions of the packages declared or updated in the PR.
-# Once installed, if the workflow run is marked as required,
-# PRs introducing known-vulnerable packages will be blocked from merging.
-#
-# Source repository: https://github.com/actions/dependency-review-action
-name: 'Dependency Review'
+name: 'Check: Dependency Review'
 on: [pull_request]
 
 permissions:
@@ -16,12 +8,11 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-      - name: Harden Runner
+      - name: "Setup: Harden Runner"
         uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           egress-policy: audit
-
-      - name: 'Checkout Repository'
+      - name: "Setup: Checkout"
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-      - name: 'Dependency Review'
+      - name: "Check: Dependency Review"
         uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/linter.action.yml b/.github/workflows/linter.action.yml
@@ -0,0 +1,19 @@
+name: "Check: Action Lint"
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches-ignore:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: "Check: Action Lint"
+    permissions:
+      contents: read
+    uses: elide-dev/build-infra/.github/workflows/lint.action.yml
diff --git a/.github/workflows/linter.yml → .github/workflows/linter.code.yml b/.github/workflows/linter.yml → .github/workflows/linter.code.yml
@@ -1,4 +1,4 @@
-name: Lint
+name: "Check: Code Lint"
 
 on:
   pull_request:
@@ -22,11 +22,10 @@ jobs:
       statuses: write
 
     steps:
-      - name: Harden Runner
+      - name: "Setup: Harden Runner"
         uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           egress-policy: audit
-
       - name: "Setup: Checkout"
         id: checkout
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
@@ -35,19 +34,16 @@ jobs:
         uses: pnpm/action-setup@d882d12c64e032187b2edb46d3a0d003b7a43598 # v2.4.0
         with:
           version: 8.9.0
-
       - name: "Setup: Node"
         id: setup-node
         uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
         with:
           node-version: 20
           cache: pnpm
-
       - name: "Setup: Install Dependencies"
         id: install
         run: pnpm install && pnpm run gen
-
-      - name: Lint Code Base
+      - name: "Check: Linter"
         id: super-linter
         uses: super-linter/super-linter/slim@3213b9ea991e2d45d760ea8a76aaebad8a2bdb1a # v5.4.0
         env:

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -1,14 +1,6 @@
-# This workflow uses actions that are not certified by GitHub. They are provided
-# by a third-party and are governed by separate terms of service, privacy
-# policy, and support documentation.
-
-name: Scorecard supply-chain security
+name: "Check: Scorecard"
 on:
-  # For Branch-Protection check. Only the default branch is supported. See
-  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
-  branch_protection_rule:
-  # To guarantee Maintained check is occasionally updated. See
-  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  branch_protection_rule: {}
   schedule:
     - cron: '20 7 * * 2'
   push:
@@ -19,7 +11,7 @@ permissions: read-all
 
 jobs:
   analysis:
-    name: Scorecard analysis
+    name: "Check: Scorecard"
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload the results to code-scanning dashboard.
@@ -30,47 +22,27 @@ jobs:
       actions: read
 
     steps:
-      - name: Harden Runner
+      - name: "Setup: Harden Runner"
         uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           egress-policy: audit
-
-      - name: "Checkout code"
+      - name: "Setup: Checkout"
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           persist-credentials: false
-
-      - name: "Run analysis"
+      - name: "Check: Scorecard Analysis"
         uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
         with:
           results_file: results.sarif
           results_format: sarif
-          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
-          # - you want to enable the Branch-Protection check on a *public* repository, or
-          # - you are installing Scorecards on a *private* repository
-          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
-
-          # Public repositories:
-          #   - Publish results to OpenSSF REST API for easy access by consumers
-          #   - Allows the repository to include the Scorecard badge.
-          #   - See https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories:
-          #   - `publish_results` will always be set to `false`, regardless
-          #     of the value entered here.
           publish_results: true
-
-      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
-      # format to the repository Actions tab.
-      - name: "Upload artifact"
+      - name: "Artifacts: Analysis SARIF"
         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
-
-      # Upload the results to GitHub's code scanning dashboard.
-      - name: "Upload to code-scanning"
+      - name: "Artifacts: GitHub Advanced Security"
         uses: github/codeql-action/upload-sarif@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3
         with:
           sarif_file: results.sarif