feat(gha): unify GitHub Actions - renovate, megalinter, markdown,

ruzickap · Jan 25, 2024 · 2cc9cab · 2cc9cab
1 parent 9788cfe
commit 2cc9cab
Show file tree

Hide file tree

Showing 18 changed files with 187 additions and 224 deletions.
diff --git a/.checkov.yml b/.checkov.yml
@@ -0,0 +1,5 @@
+skip-check:
+  # Ensure that HEALTHCHECK instructions have been added to container images
+  - CKV_DOCKER_2
+  # The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty
+  - CKV_GHA_7
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -27,14 +27,3 @@ jobs:
 
       - name: Build test
         run: docker build . --file Dockerfile
-
-  hadolint:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: hadolint
-        uses: burdzwastaken/hadolint-action@master
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          HADOLINT_ACTION_DOCKERFILE_FOLDER: .
diff --git a/.github/workflows/lint-pr-title.yml b/.github/workflows/lint-pr-title.yml
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
diff --git a/.github/workflows/markdown.yml → .github/workflows/markdown-check.yml b/.github/workflows/markdown.yml → .github/workflows/markdown-check.yml
@@ -1,19 +1,19 @@
-name: markdown
+name: markdown-check
 
 on:
   pull_request:
     types: [opened, synchronize]
     paths:
-      - '**.md'
-      - .github/workflows/markdown.yml
+      - "**.md"
+      - .github/workflows/markdown-check.yml
       - .markdownlint.yml
       - .spelling
   push:
     branches:
       - main
     paths:
-      - '**.md'
-      - .github/workflows/markdown.yml
+      - "**.md"
+      - .github/workflows/markdown-check.yml
       - .markdownlint.yml
       - .spelling
 

diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
@@ -0,0 +1,47 @@
+---
+name: MegaLinter
+
+on:
+  workflow_dispatch:
+  push:
+    branches-ignore:
+      - main
+
+permissions: read-all
+
+jobs:
+  build:
+    name: MegaLinter
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      statuses: write
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Restore lychee cache
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
+        with:
+          path: .lycheecache
+          key: cache-lychee-${{ github.sha }}
+          restore-keys: cache-lychee-
+
+      - name: Extract commands from markdown files
+        run: |
+          set -euxo pipefail
+          echo '#!/usr/bin/env bash' > README.sh
+          find . -name '*.md' -print0 | while IFS= read -r -d '' FILE ; do
+            # Extract: ```bash ... ```
+            sed -n "/^\`\`\`\(bash\|shell\)$/,/^\`\`\`$/p" "${FILE}" | sed '/^```*/d' >> README.sh
+            # Extract:   ```bash ... ```
+            sed -n "/^  \`\`\`\(bash\|shell\)$/,/^  \`\`\`$/p" "${FILE}" | sed '/^  ```*/d; s/^  //' >> README.sh
+          done
+          chmod a+x README.sh
+
+      - name: 💡 MegaLinter
+        uses: oxsecurity/megalinter@7e042c726c68415475b05a65a686c612120a1232 # v7.7.0
+        env:
+          GITHUB_COMMENT_REPORTER: false
+          GITHUB_STATUS_REPORTER: true
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/commands.yml → .github/workflows/readme-commands-check.yml b/.github/workflows/commands.yml → .github/workflows/readme-commands-check.yml
@@ -1,23 +1,23 @@
-name: commands
+name: readme-commands-check
 
 on:
   pull_request:
     types: [opened, synchronize]
     paths:
       - README.md
-      - .github/workflows/check-commands.yml
+      - .github/workflows/readme-commands-check.yml
   push:
     branches:
       - main
     paths:
       - README.md
-      - .github/workflows/check-commands.yml
+      - .github/workflows/readme-commands-check.yml
 
 jobs:
-  command-check:
+  readme-commands-check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - name: Check commands in README.md file
+      - name: Run commands in README.md file
         run: sed -n "/^\`\`\`bash.*/,/^\`\`\`$/p" README.md | sed "/^\`\`\`*/d" | bash -x
diff --git a/.github/workflows/release-please.yaml → .github/workflows/release-please.yml b/.github/workflows/release-please.yaml → .github/workflows/release-please.yml
@@ -13,21 +13,21 @@ jobs:
   release-please-pr:
     runs-on: ubuntu-latest
     steps:
-      - uses: google-github-actions/release-please-action@v4
+      - uses: google-github-actions/release-please-action@cc61a07e2da466bebbc19b3a7dd01d6aecb20d1e # v4.0.2
         with:
           release-type: simple
           skip-github-release: true
 
   release-please-release:
     runs-on: ubuntu-latest
     steps:
-      - uses: google-github-actions/release-please-action@v4
+      - uses: google-github-actions/release-please-action@cc61a07e2da466bebbc19b3a7dd01d6aecb20d1e # v4.0.2
         id: release
         with:
           release-type: simple
           skip-github-pull-request: true
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: tag major and minor versions
         if: ${{ steps.release.outputs.release_created }}

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
@@ -1,3 +1,4 @@
+---
 name: Renovate
 
 on:
@@ -6,31 +7,35 @@ on:
       dryRun:
         type: boolean
         description: "Dry-Run"
-        required: false
-        default: false
       logLevel:
         type: choice
         description: "Log-Level"
-        default: "debug"
+        default: debug
         options:
           - info
           - debug
           - trace
   push:
     branches:
       - main
-    paths:
-      - ".github/renovate.json5"
+      - "!renovate/*"
   schedule:
-    - cron: "0 0,2,4 * * 0"
+    - cron: "0 0,2,4 * * *"
 
 env:
-  LOG_LEVEL: debug
-  RENOVATE_CONFIG_FILE: .github/renovate.json5
-  RENOVATE_DRY_RUN: false
+  # https://docs.renovatebot.com/troubleshooting/#log-debug-levels
+  LOG_LEVEL: "${{ inputs.logLevel || 'debug' }}"
+  # https://docs.renovatebot.com/self-hosted-configuration/#repositories
   RENOVATE_REPOSITORIES: ${{ github.repository }}
+  # https://docs.renovatebot.com/self-hosted-configuration/#username
   RENOVATE_USERNAME: ${{ github.repository_owner }}
-  RENOVATE_GIT_AUTHOR: "Renovate Bot <bot@renovateapp.com>"
+  # https://docs.renovatebot.com/configuration-options/#platformcommit
+  RENOVATE_PLATFORM_COMMIT: "true"
+  # https://docs.renovatebot.com/self-hosted-configuration/#dryrun
+  # Run renovate in dry-run mode if executed in branches other than main - prevents versions in PRs/branches from being updated
+  RENOVATE_DRY_RUN: "${{ inputs.dryRun || ( github.head_ref || github.ref_name ) != 'main' || false }}"
+
+permissions: read-all
 
 jobs:
   renovate:
@@ -39,23 +44,15 @@ jobs:
       group: renovate
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - name: Generate Token
-        uses: tibdex/github-app-token@v2
-        id: generate-token
+      - uses: actions/create-github-app-token@f04aa94d10cf56334d1c580e077ce2e3569e805d # v1.6.3
+        id: app-token
         with:
-          app_id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }}
-          private_key: "${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}"
-
-      - name: Override default config from dispatch variables
-        run: |
-          echo "RENOVATE_DRY_RUN=${{ github.event.inputs.dryRun || env.RENOVATE_DRY_RUN }}" | tee -a "${GITHUB_ENV}"
-          echo "LOG_LEVEL=${{ github.event.inputs.logLevel || env.LOG_LEVEL }}" | tee -a "${GITHUB_ENV}"
-          echo "RENOVATE_BASE_BRANCHES=${GITHUB_REF##*/}" | tee -a "${GITHUB_ENV}"
+          app-id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }}
+          private-key: "${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}"
 
-      - name: Self-hosted Renovate
-        uses: renovatebot/github-action@v39.2.1
+      - name: 💡 Self-hosted Renovate
+        uses: renovatebot/github-action@f9c81dddc9b589e4e6ae0326d1e36f6bc415d230 # v39.2.4
         with:
-          configurationFile: "${{ env.RENOVATE_CONFIG_FILE }}"
-          token: "x-access-token:${{ steps.generate-token.outputs.token }}"
+          token: "${{ steps.app-token.outputs.token }}"
diff --git a/.github/workflows/semantic-pull-request.yml b/.github/workflows/semantic-pull-request.yml
@@ -0,0 +1,20 @@
+name: Semantic Pull Request
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+permissions:
+  pull-requests: read
+
+jobs:
+  main:
+    name: Semantic Pull Request
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml