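---
# CI for a shell-script repository: bash syntax check, shellcheck, shfmt,
# gitleaks secret scan and a markdown link check.  Only bash-syntax,
# shellcheck-error and gitleaks block merge; the rest are continue-on-error.
#
# Supply-chain note: the actions below are referenced by major-version tag and
# the shfmt/gitleaks binaries are downloaded without checksum verification.
# Pinning actions to a full commit SHA and verifying the downloads against the
# release's published SHA256 would harden this; no values are invented here.
name: CI

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:

# Least privilege at the workflow level.  Jobs that need more (the SARIF
# upload) request it explicitly at job level.
permissions:
  contents: read

jobs:
  bash-syntax:
    name: bash -n (syntax)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Syntax-check every shell script
        run: |
          set -e
          rc=0
          # -print0 / read -d '' keep file names with spaces or newlines intact.
          while IFS= read -r -d '' f; do
            if ! bash -n "$f"; then
              echo "::error file=$f::bash -n failed"
              rc=1
            fi
          done < <(find . -type f -name '*.sh' -not -path './.git/*' -print0)
          exit $rc

  shellcheck-error:
    name: shellcheck (errors block merge)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Install shellcheck
        run: sudo apt-get update -qq && sudo apt-get install -y shellcheck
      - name: shellcheck --severity=error
        run: |
          set -e
          # find -exec ... {} + hands file names over without word splitting
          # and runs nothing when no *.sh exists; the former $(find ...) form
          # broke on spaces and made shellcheck fail on an empty argument list.
          # find exits non-zero if any shellcheck invocation did, so set -e
          # still fails the step on errors.
          find . -type f -name '*.sh' -not -path './.git/*' -exec shellcheck \
            --shell=bash \
            --severity=error \
            --external-sources \
            -e SC1090,SC1091 \
            {} +

  shellcheck-warn:
    name: shellcheck (warnings — non-blocking)
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@v6
      - name: Install shellcheck
        run: sudo apt-get update -qq && sudo apt-get install -y shellcheck
      - name: shellcheck --severity=warning
        run: |
          # Same -exec form as shellcheck-error; warnings only annotate the run.
          find . -type f -name '*.sh' -not -path './.git/*' -exec shellcheck \
            --shell=bash \
            --severity=warning \
            --external-sources \
            -e SC1090,SC1091,SC2012,SC2015,SC2034,SC2153,SC2317 \
            {} + \
            || echo "::warning::shellcheck warnings present — see job log"

  shfmt:
    name: shfmt (format — non-blocking)
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@v6
      - name: Install shfmt
        # TODO(review): verify the binary against the release's published
        # SHA256 before installing it.
        run: |
          curl -fsSL -o /tmp/shfmt \
            https://github.com/mvdan/sh/releases/download/v3.8.0/shfmt_v3.8.0_linux_amd64
          chmod +x /tmp/shfmt
          sudo mv /tmp/shfmt /usr/local/bin/shfmt
      - name: shfmt --diff
        run: |
          # Formatting drift is reported as a warning and never fails the job;
          # the if/! form makes set +e and a trailing exit 0 unnecessary.
          if ! find . -type f -name '*.sh' -not -path './.git/*' -exec shfmt -d -i 4 -ci -bn {} +; then
            echo "::warning::shfmt formatting differences detected — run 'shfmt -w -i 4 -ci -bn .' locally"
          fi

  gitleaks:
    name: gitleaks (secret scan)
    runs-on: ubuntu-latest
    # Job-level permissions replace the workflow-level set, so contents: read
    # must be restated.  security-events: write is required by upload-sarif;
    # without it the upload fails and continue-on-error hides the failure, so
    # findings never reach the Security tab.
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v6
        with:
          # Full history so leaks committed and later removed are still found.
          fetch-depth: 0
      - name: Install gitleaks
        # TODO(review): verify the archive against the release's published
        # SHA256 before extracting it.
        run: |
          curl -fsSL -o /tmp/gitleaks.tar.gz \
            https://github.com/gitleaks/gitleaks/releases/download/v8.24.3/gitleaks_8.24.3_linux_x64.tar.gz
          tar -xzf /tmp/gitleaks.tar.gz -C /tmp gitleaks
          sudo mv /tmp/gitleaks /usr/local/bin/gitleaks
          gitleaks version
      - name: Scan repo (full history)
        run: |
          gitleaks detect \
            --source=. \
            --redact \
            --no-banner \
            --exit-code=1 \
            --report-format=sarif \
            --report-path=gitleaks.sarif
      - name: Upload SARIF (visible in Security tab)
        # always() so a failing scan (leak found) still publishes its report.
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: gitleaks.sarif
        continue-on-error: true

  markdown-links:
    name: markdown-link-check (non-blocking)
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@v6
      - name: Check links in README and docs
        uses: gaurav-nelson/github-action-markdown-link-check@v1
        with:
          use-quiet-mode: 'yes'
          use-verbose-mode: 'yes'
          config-file: '.github/markdown-link-check.json'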