feat(gha): unify GHA - renovate, megalinter, markdown, ...

.checkov.yml

@@ -0,0 +1,7 @@
+skip-check:
+  # Ensure that HEALTHCHECK instructions have been added to container images
+  - CKV_DOCKER_2
+  # Ensure that a user for the container has been created
+  - CKV_DOCKER_3
+  # The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty
+  - CKV_GHA_7

.github/workflows/check-broken-links.yml

@@ -2,7 +2,7 @@ name: check-broken-links
 
 on:
   schedule:
-    - cron: '8 8 * * 0'
+    - cron: "8 8 * * 0"
   pull_request:
     types: [opened, synchronize]
     paths:
@@ -13,6 +13,8 @@ on:
     paths:
       - .github/workflows/check-broken-links.yml
 
+permissions: read-all
+
 jobs:
   my-broken-link-checker:
     runs-on: ubuntu-latest
@@ -36,8 +38,7 @@ jobs:
           INPUT_URL: https://my-testing-domain.com
           INPUT_PAGES_PATH: ./tests/
           INPUT_CMD_PARAMS: --skip-tls-verification --verbose --color=always
-        run:
-          ./entrypoint.sh
+        run: ./entrypoint.sh
 
   build-check:
     runs-on: ubuntu-latest

.github/workflows/docker-image.yml

@@ -19,6 +19,8 @@ on:
       - entrypoint.sh
       - .github/workflows/docker-image.yml
 
+permissions: read-all
+
 jobs:
   docker-build-test:
     runs-on: ubuntu-latest
@@ -27,14 +29,3 @@ jobs:
 
       - name: Build test
         run: docker build . --file Dockerfile
-
-  hadolint:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: hadolint
-        uses: burdzwastaken/hadolint-action@master
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          HADOLINT_ACTION_DOCKERFILE_FOLDER: .

.github/workflows/markdown.yml → .github/workflows/markdown-check.yml

@@ -1,22 +1,24 @@
-name: markdown
+name: markdown-check
 
 on:
   pull_request:
     types: [opened, synchronize]
     paths:
-      - '**.md'
-      - .github/workflows/markdown.yml
+      - "**.md"
+      - .github/workflows/markdown-check.yml
       - .markdownlint.yml
       - .spelling
   push:
     branches:
       - main
     paths:
-      - '**.md'
-      - .github/workflows/markdown.yml
+      - "**.md"
+      - .github/workflows/markdown-check.yml
       - .markdownlint.yml
       - .spelling
 
+permissions: read-all
+
 jobs:
   markdownlint-check:
     runs-on: ubuntu-latest

.github/workflows/mega-linter.yml

@@ -0,0 +1,47 @@
+---
+name: MegaLinter
+
+on:
+  workflow_dispatch:
+  push:
+    branches-ignore:
+      - main
+
+permissions: read-all
+
+jobs:
+  build:
+    name: MegaLinter
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      statuses: write
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Restore lychee cache
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
+        with:
+          path: .lycheecache
+          key: cache-lychee-${{ github.sha }}
+          restore-keys: cache-lychee-
+
+      - name: Extract commands from markdown files
+        run: |
+          set -euxo pipefail
+          echo '#!/usr/bin/env bash' > README.sh
+          find . -name '*.md' -print0 | while IFS= read -r -d '' FILE ; do
+            # Extract: ```bash ... ```
+            sed -n "/^\`\`\`\(bash\|shell\)$/,/^\`\`\`$/p" "${FILE}" | sed '/^```*/d' >> README.sh
+            # Extract:   ```bash ... ```
+            sed -n "/^  \`\`\`\(bash\|shell\)$/,/^  \`\`\`$/p" "${FILE}" | sed '/^  ```*/d; s/^  //' >> README.sh
+          done
+          chmod a+x README.sh
+
+      - name: 💡 MegaLinter
+        uses: oxsecurity/megalinter@7e042c726c68415475b05a65a686c612120a1232 # v7.7.0
+        env:
+          GITHUB_COMMENT_REPORTER: false
+          GITHUB_STATUS_REPORTER: true
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/readme-commands-check.yml

@@ -0,0 +1,25 @@
+name: readme-commands-check
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    paths:
+      - README.md
+      - .github/workflows/readme-commands-check.yml
+  push:
+    branches:
+      - main
+    paths:
+      - README.md
+      - .github/workflows/readme-commands-check.yml
+
+permissions: read-all
+
+jobs:
+  readme-commands-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Run commands in README.md file
+        run: sed -n "/^\`\`\`bash.*/,/^\`\`\`$/p" README.md | sed "/^\`\`\`*/d" | bash -eux

.github/workflows/release-please.yaml → .github/workflows/release-please.yml

@@ -13,21 +13,21 @@ jobs:
   release-please-pr:
     runs-on: ubuntu-latest
     steps:
-      - uses: google-github-actions/release-please-action@v4
+      - uses: google-github-actions/release-please-action@cc61a07e2da466bebbc19b3a7dd01d6aecb20d1e # v4.0.2
         with:
           release-type: simple
           skip-github-release: true
 
   release-please-release:
     runs-on: ubuntu-latest
     steps:
-      - uses: google-github-actions/release-please-action@v4
+      - uses: google-github-actions/release-please-action@cc61a07e2da466bebbc19b3a7dd01d6aecb20d1e # v4.0.2
         id: release
         with:
           release-type: simple
           skip-github-pull-request: true
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: tag major and minor versions
         if: ${{ steps.release.outputs.release_created }}