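# Quality gate for the repository: lints Markdown, YAML and shell scripts,
# checks that the required governance/config files exist and that the JSON
# configs parse and carry the expected sections, and runs zizmor over the
# workflow files themselves. Every third-party action is pinned to a commit
# SHA (the trailing comment records the tag it corresponds to) and the
# token is never persisted by checkout, so no job can push or reach
# anything beyond read access to the repository contents.
name: Quality Checks

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

# Workflow-wide least privilege: read-only token for every job.
permissions:
  contents: read

jobs:
  markdown-lint:
    name: Markdown Linting
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Lint markdown
        uses: DavidAnson/markdownlint-cli2-action@07035fd053f7be764496c0f8d8f9f41f98305101 # v22.0.0

  yaml-lint:
    name: YAML Validation
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Lint YAML
        uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1
        with:
          config_file: .yamllint.yml

  shell-check:
    name: Shell Script Validation
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Run ShellCheck
        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0

  structure:
    name: Validate Repository Structure
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      # Report every missing file before failing, so one run shows the
      # whole list instead of stopping at the first absent path.
      - name: Check required files
        run: |
          MISSING=0
          for file in LICENSE README.md .gitignore CODEOWNERS CONTRIBUTING.md \
                      SECURITY.md CLAUDE.md .pre-commit-config.yaml \
                      .github/dependabot.yml config/baseline.json \
                      config/overrides.json; do
            if [ ! -f "$file" ]; then
              echo "MISSING: $file"
              MISSING=$((MISSING + 1))
            else
              echo "OK: $file"
            fi
          done
          if [ "$MISSING" -gt 0 ]; then
            echo "ERROR: $MISSING required files are missing"
            exit 1
          fi

      # jq's own parse diagnostic is left on stderr so the log says *where*
      # the JSON is broken, not just that it is.
      - name: Validate JSON configs
        run: |
          for file in config/baseline.json config/overrides.json; do
            if ! jq empty "$file"; then
              echo "ERROR: Invalid JSON in $file"
              exit 1
            else
              echo "OK: $file is valid JSON"
            fi
          done

      - name: Validate baseline schema
        run: |
          ERRORS=0
          # has($s) tests key presence; the section name is passed with
          # --arg rather than spliced into the jq program text.
          for section in repo_settings security branch_protection labels required_files; do
            if ! jq -e --arg s "$section" 'has($s)' config/baseline.json > /dev/null 2>&1; then
              echo "ERROR: Missing section '$section' in baseline.json"
              ERRORS=$((ERRORS + 1))
            else
              echo "OK: section '$section' present"
            fi
          done
          # Validate label structure. `.labels // []` keeps this step from
          # aborting on a jq error (and skipping the summary below) when the
          # labels section is absent; that case is already counted above.
          LABEL_ERRORS=$(jq '[(.labels // [])[] | select(.name == null or .color == null or .description == null)] | length' config/baseline.json)
          if [ "$LABEL_ERRORS" -gt 0 ]; then
            echo "ERROR: $LABEL_ERRORS labels missing required fields (name, color, description)"
            ERRORS=$((ERRORS + LABEL_ERRORS))
          fi
          if [ "$ERRORS" -gt 0 ]; then
            echo "ERROR: baseline.json schema validation failed"
            exit 1
          fi

  actions-security:
    name: Actions Security
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      # The release tarball is fetched by version tag only; nothing on this
      # page pins its digest. NOTE(review): record the SHA-256 of the
      # v${ZIZMOR_VERSION} x86_64 tarball from the release page and verify
      # it with `sha256sum -c` before extracting, so a tampered or
      # re-uploaded asset cannot reach the runner.
      - name: Install zizmor
        run: |
          ZIZMOR_VERSION="1.23.1"
          # -f: an HTTP error must fail the step instead of saving an error
          # page as the archive; --retry covers transient download failures.
          curl -fsSL --retry 3 \
            "https://github.com/woodruffw/zizmor/releases/download/v${ZIZMOR_VERSION}/zizmor-x86_64-unknown-linux-gnu.tar.gz" \
            -o /tmp/zizmor.tar.gz
          mkdir -p /tmp/zizmor-extract
          tar -xzf /tmp/zizmor.tar.gz -C /tmp/zizmor-extract
          # Fail with a clear message if the archive layout changed, rather
          # than letting a later command trip over a missing binary.
          ZIZMOR_BIN=$(find /tmp/zizmor-extract -name zizmor -type f | head -n 1)
          if [ -z "$ZIZMOR_BIN" ]; then
            echo "ERROR: zizmor binary not found in downloaded archive"
            exit 1
          fi
          # install(1) copies and sets the mode in one step (replaces mv + chmod).
          sudo install -m 0755 "$ZIZMOR_BIN" /usr/local/bin/zizmor
          # Sanity-check that what landed on PATH is the version we asked for.
          zizmor --version | grep -F "$ZIZMOR_VERSION"
      - name: Run zizmor
        run: zizmor --config zizmor.yml .github/workflows/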