Add some more lint/format checks.

.github/workflows/action_scanning.yml

@@ -1,46 +1,36 @@
 ### Required actions to scan GitHub action workflows for security issues.
 name: 'Scan GitHub Action workflows files for security issues'
-
 on:
   pull_request: {}
-
 permissions:
   contents: 'read'
   security-events: 'write'
   actions: 'read'
-
 jobs:
   semgrep:
     name: 'semgrep-oss/scan'
     runs-on: 'ubuntu-latest'
-
     container:
       image: 'index.docker.io/semgrep/semgrep@sha256:85782eaf09692e6dfb684cd3bad87ef315775814b01f76b4d15582e4ca7c1c89' # ratchet:semgrep/semgrep
-
     # Skip any PR created by dependabot to avoid permission issues:
     if: (github.actor != 'dependabot[bot]')
-
     steps:
       - name: 'Checkout Code'
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
-
       - name: 'Checkout Workflow Config'
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
         env:
           GH_REPO_OWNER: ${{ github.repository_owner }}
         with:
           repository: 'google/github-team'
           path: action_scanning
-
       - name: 'Run Actions semgrep scan'
         run: 'semgrep scan --sarif --config action_scanning/semgrep-rules/actions >> semgrep-results-actions.sarif'
-
       - name: 'Save Actions SARIF results as artifact'
         uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # ratchet:actions/upload-artifact@v4
         with:
           name: 'semgrep-scan-results-actions'
           path: 'semgrep-results-actions.sarif'
-
       - name: 'Upload Actions SARIF result to the GitHub Security Dashboard'
         uses: 'github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841' # ratchet:github/codeql-action/upload-sarif@v3
         with:

.github/workflows/markdown_format.yml

@@ -1,19 +1,15 @@
 ### Ensure that markdown files are properly formatted
 name: 'Check Markdown Format'
-
 on:
-  pull_request: 
+  pull_request:
     paths:
       - '**.md'
-
 jobs:
   mdformat:
     name: 'mdformat'
     runs-on: 'ubuntu-latest'
-
     steps:
       - name: 'Checkout Code'
         uses: 'actions/checkout@v4'
-
       - name: 'Check Markdown Format'
-        run: 'pipx run mdformat --check --wrap 100 .'
+        run: 'tools/mdformat --check --wrap 100 .'

.github/workflows/publish_docs.yml

@@ -1,30 +1,27 @@
 name: 'Publish Docs Site'
-
 on:
   push:
     branches:
       - master
   workflow_dispatch:
-
 permissions:
   pages: 'write'
   id-token: 'write'
-
 jobs:
   build:
     name: "Build Docs"
     runs-on: 'ubuntu-latest'
     steps:
-    - uses: 'actions/checkout@v4'
-    - name: 'Generate HTML from Markdown'
-      uses: 'ldeluigi/markdown-docs@latest'
-      with:
-        src: 'docs'
-        dst: 'generated-pages'
-    - name: 'Upload artifact'
-      uses: 'actions/upload-pages-artifact@v3'
-      with:
-        path: 'generated-pages'
+      - uses: 'actions/checkout@v4'
+      - name: 'Generate HTML from Markdown'
+        uses: 'ldeluigi/markdown-docs@latest'
+        with:
+          src: 'docs'
+          dst: 'generated-pages'
+      - name: 'Upload artifact'
+        uses: 'actions/upload-pages-artifact@v3'
+        with:
+          path: 'generated-pages'
   deploy:
     name: "Deploy Docs"
     environment:
@@ -35,4 +32,4 @@ jobs:
     steps:
       - name: 'Deploy to GitHub Pages'
         id: 'deployment'
-        uses: 'actions/deploy-pages@v4'
+        uses: 'actions/deploy-pages@v4'

.github/workflows/publish_docs_preview.yml

@@ -1,29 +1,26 @@
 name: 'Publish Preview of Docs Site'
-
 on:
   pull_request:
     types:
       - opened
       - reopened
       - synchronize
       - closed
-
 permissions:
   contents: 'write'
   pull-requests: 'write'
-
 jobs:
   build:
     name: "Build PR Preview Docs"
     runs-on: 'ubuntu-latest'
     steps:
-    - uses: 'actions/checkout@v4'
-    - name: 'Generate HTML from Markdown'
-      uses: 'ldeluigi/markdown-docs@latest'
-      with:
-        src: 'docs'
-        dst: 'generated-pages'
-    - name: 'Deploy GitHub Pages Preview'
-      uses: rossjrw/pr-preview-action@v1
-      with:
-        source-dir: './generated-pages/'
+      - uses: 'actions/checkout@v4'
+      - name: 'Generate HTML from Markdown'
+        uses: 'ldeluigi/markdown-docs@latest'
+        with:
+          src: 'docs'
+          dst: 'generated-pages'
+      - name: 'Deploy GitHub Pages Preview'
+        uses: rossjrw/pr-preview-action@v1
+        with:
+          source-dir: './generated-pages/'

.github/workflows/publish_docs_preview_branch.yml

@@ -1,30 +1,25 @@
 name: 'Publish Preview of Docs Site from branch'
-
-# The publish_docs_preview.yml workflow takes a PR and publishes the results to it's own branch 
+# The publish_docs_preview.yml workflow takes a PR and publishes the results to it's own branch
 # so users can preview it.  But that git branch then needs some way to publish, so this action does that.
-
-on: 
+on:
   push:
     branch:
-        - gh-pages
-
+      - gh-pages
 permissions:
   pages: 'write'
   id-token: 'write'
-
-
 jobs:
   stage:
     name: "Stage PR preview from branch to pages"
     runs-on: 'ubuntu-latest'
     steps:
-    - uses: 'actions/checkout@v4'
-      with:
-        ref: 'refs/heads/gh-pages'
-    - name: 'Upload artifact'
-      uses: 'actions/upload-pages-artifact@v3'
-      with:
-        path: '.'
+      - uses: 'actions/checkout@v4'
+        with:
+          ref: 'refs/heads/gh-pages'
+      - name: 'Upload artifact'
+        uses: 'actions/upload-pages-artifact@v3'
+        with:
+          path: '.'
   deploy:
     name: "Deploy PR Preview from branch to pages"
     needs: 'stage'

.github/workflows/semgrep_testing.yml

@@ -1,27 +1,20 @@
 ### Ensure that our local testing always passes
 name: 'Run semgrep tests'
-
 on:
   pull_request: {}
-
 permissions:
   contents: 'read'
   actions: 'read'
-
 jobs:
   semgrep-tests:
     name: 'Run semgrep tests'
     runs-on: 'ubuntu-latest'
-
     container:
       image: index.docker.io/semgrep/semgrep@sha256:85782eaf09692e6dfb684cd3bad87ef315775814b01f76b4d15582e4ca7c1c89 # ratchet:semgrep/semgrep
-
     # Skip any PR created by dependabot to avoid permission issues:
     if: (github.actor != 'dependabot[bot]')
-
     steps:
       - name: 'Checkout Code'
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
-
       - name: 'Run Actions semgrep scan'
         run: 'semgrep --test --config semgrep-rules semgrep-tests'

.github/workflows/yaml_format.yml

@@ -0,0 +1,16 @@
+### Ensure that Yaml files are properly formatted
+name: 'Check Yaml Format'
+on:
+  pull_request:
+    paths:
+      - '**.yml'
+      - '**.yaml'
+jobs:
+  yamlfmt:
+    name: 'yamlfmt'
+    runs-on: 'ubuntu-latest'
+    steps:
+      - name: 'Checkout Code'
+        uses: 'actions/checkout@v4'
+      - name: 'Check Yaml Format'
+        run: 'tools/yamlfmt --lint .'

.yamlfmt

@@ -0,0 +1,3 @@
+formatter:
+  max_line_length: 100
+  trim_trailing_whitespace: true

semgrep-tests/actions/pull_request_target_needs_exception.test.yaml

@@ -1,3 +1,3 @@
 on:
   # ruleid: pull-request-target-needs-exception
-  pull_request_target:
+  pull_request_target:

tools/mdformat

@@ -0,0 +1,2 @@
+#!/bin/sh
+pipx run mdformat $*

tools/yamlfmt

@@ -0,0 +1,2 @@
+#!/bin/sh
+docker run -v "$(pwd):/project" ghcr.io/google/yamlfmt:latest $*