ci: sync workflows from central-workflows #179
Conversation
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| $API_URL/repos/${{ github.repository }}/milestones/$MILESTONE_NUMBER | ||
|
|
||
| - name: Trigger Release Workflow | ||
| uses: peter-evans/repository-dispatch@v1 |
Check warning
Code scanning / Semgrep (reported by Codacy)
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Warning
| uses: actions/checkout@v4 # Checkout the repository code using the actions/checkout action | ||
|
|
||
| - name: PR Conventional Commit Validation | ||
| uses: ytanikin/[email protected] # Use the PRConventionalCommits action to validate PR titles |
Check warning
Code scanning / Semgrep (reported by Codacy)
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Warning
| curl -X POST -H 'Content-Type: application/json' --data '{"alias":"Mo-Auto","emoji":":robot:","text":":x: :cry: I am reporting a bad [commit](https://github.com/${{github.repository}}/commit/${{github.sha}}) by :thinking_face: @${{github.actor}} :x:","attachments":[{"title":"GitHub user behavior reporter","title_link":"https://www.conventionalcommits.org","text":"We are not too happy with your last [commit](https://github.com/${{github.repository}}/commit/${{github.sha}}). Here is why : ${{ steps.push_get_commit_message.outputs.errormsg }}","color":"#764FA5"}]}' ${{ secrets.GITHUBUSERBEHAVIORSLACKREPORTER }} | ||
| exit 1 | ||
|
|
||
| - name: "[Pull Request] Report Commit Standard Status" |
Check notice
Code scanning / Checkov (reported by Codacy)
Suspicious use of curl with secrets Note
| git log --format=%B -n 1 HEAD^2 | npx commitlint | ||
| continue-on-error: true | ||
|
|
||
| - name: "[Push] Report Commit Standard Status" |
Check notice
Code scanning / Checkov (reported by Codacy)
Suspicious use of curl with secrets Note
| @@ -0,0 +1,66 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | |||
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all Note
| @@ -0,0 +1,33 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | |||
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all Note
| with: | ||
| fetch-depth: 0 # Fetch all history for all branches to ensure we have the full commit history | ||
|
|
||
| - name: Check GPG verification status # Step to check each commit for GPG signature verification |
Check notice
Code scanning / Checkov (reported by Codacy)
Suspicious use of curl with secrets Note
| @@ -0,0 +1,49 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | |||
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all Note
| @@ -0,0 +1,43 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | |||
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all Note
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| milestoneId: |
Check notice
Code scanning / Checkov (reported by Codacy)
The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. Note
| @@ -0,0 +1,52 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | |||
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all Note
| eslint: | ||
| name: Run eslint scanning | ||
| runs-on: ubuntu-latest | ||
| permissions: |
Check notice
Code scanning / Checkov (reported by Codacy)
Ensure top-level permissions are not set to write-all Note
|
@vorsterk closing this, to be recreated |
This PR syncs workflows from the central-workflows repository. Signed-off-by: Kyle Vorster [email protected]