Run actionlint static checker pre-merge. #1312
Heh, this might take a while. Almost wish I hadn't looked underneath this rock 😂
"owner": "actionlint", | ||
"pattern": [ | ||
{ | ||
"regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$", |
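Review bot: every ANSI escape group in this regexp is optional (`?` or `*`), so the pattern already matches plain `file:line:col: message [kind]` output as well as coloured output; running the checker with colour disabled in CI would let the pattern be reduced to that plain form, and a short comment in the matcher saying that the `\x1b\[\d+m` groups only exist to tolerate colour codes would make it easier to maintain.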
I don't like that this is matching based on the colours, but meh, it works and I don't want to rewrite it myself :/
RFAL

- Don't eval arbitrary Ruby code.
- Use shell quotes correctly to avoid unintentional word-splitting etc.
- Quote the version string correctly for sed.
- Simplify the version string parsing.
- Fix a ton of shellcheck errors.
- Don't substitute values directly into shell scripts. This helps avoid command-injection vulns. (Kinda crazy that GitHub even allows this, let alone without any kind of built-in lint warnings.)
- Omit superfluous `${{ }}` in `if:` expressions.
- Reduce logspew from apt-get and set it to noninteractive mode.
- Use `apt-get --no-install-recommends` to avoid installing some unnecessary packages.
- Avoid some excessive version pinning (update toil) on the AWS actions.
- Fix a bunch of shellcheck issues (mostly with quoting).
Fixes `-ignore` config. Also a bit less third-party stuff to deal with.
- Don't substitute values from GitHub Actions directly into shell commands.
- Fix shellcheck issues (mostly with quoting).
- Don't eval arbitrary Ruby code.
- Fix shellcheck issues (mostly with quoting).
- Use all-caps only for actual environment variables.
- Remove the usage comment; we decided a while back not to include these as they just get out of date and cause more hassle than they save.
- Surface some of the messages as `notice`-level output in GitHub.
- Fix actionlint issues.
- Suppress an actionlint warning about `github.repository_visibility`. This appears to be an [undocumented] property of the `github` context.
- Use an up-to-date version of upload-artifact.
- Just output both formats from Brakeman in all cases and upload the SARIF if we're in a public repo. This simplifies the workflow.

[undocumented]: https://docs.github.com/en/actions/learn-github-actions/contexts
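The "don't substitute values directly into shell scripts" and "omit superfluous `${{ }}` in `if:`" points from the commit messages above, shown as an added example workflow that is not part of this PR; the job, step and variable names are made up, and the `docker run` line assumes the `rhysd/actionlint` image and its `-color` flag from the upstream project.

```yaml
# Added example, not from this repository. Untrusted event data (a PR title,
# a branch name, an issue body) interpolated with ${{ }} inside `run:` is
# spliced into the script text before the shell parses it, so it can change
# what the script does. Passing it through `env:` keeps it as data.
name: ci
on: pull_request

jobs:
  lint-workflows:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run actionlint (assumed invocation via the upstream image)
        run: docker run --rm -v "$PWD:/repo" --workdir /repo rhysd/actionlint:latest -color

  weak:
    runs-on: ubuntu-latest
    steps:
      # actionlint reports both problems below:
      #  - the `${{ }}` wrapper in `if:` is redundant (if: is already an expression)
      #  - an expression is expanded directly into the shell script
      - name: Announce PR (unsafe)
        if: ${{ github.event_name == 'pull_request' }}
        run: echo "PR title is ${{ github.event.pull_request.title }}"

  hardened:
    runs-on: ubuntu-latest
    steps:
      - name: Announce PR (safe)
        if: github.event_name == 'pull_request'
        env:
          # Expression is expanded into an environment variable, not into the script.
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          # Double quotes stop word-splitting and globbing (shellcheck SC2086).
          echo "PR title is $PR_TITLE"

      - name: Install tools quietly and without recommends
        run: |
          sudo apt-get -qq update
          sudo env DEBIAN_FRONTEND=noninteractive \
            apt-get -qq install -y --no-install-recommends shellcheck
```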
🥇
Closes #1312
https://github.com/rhysd/actionlint
We badly need this to help prevent more easily-avoidable vulns and bugs creeping into the reusable actions/workflows. Probably should have added this a long time ago, but hindsight etc. etc.
Fix all the pre-existing lints so that we can make this a mandatory check.
Tested: successfully ran the multi-arch build workflow and the Brakeman workflow. The others aren't so easy to test but they're also not that operationally important so we can just fix forward if I've introduced any issues.