From ff33f67fc53c3c4a7406945836af4792d4f39c88 Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Thu, 16 Feb 2023 10:39:51 -0500
Subject: [PATCH 01/11] Use Actions-based linter
---
 .github/workflows/lint.yml | 73 ++++++++++++++++++++++++++++++++++++++
 .gitignore | 3 ++
 .jscpd.json | 15 ++++++++
 .mega-linter.yml | 6 ++++
 4 files changed, 97 insertions(+)
 create mode 100644 .github/workflows/lint.yml
 create mode 100644 .jscpd.json
 create mode 100644 .mega-linter.yml
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..7ade5d4
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,73 @@
+name: Lint
+
+on:
+ pull_request:
+ branches: [main]
+
+permissions: read-all
+
+env:
+ APPLY_FIXES: all
+ APPLY_FIXES_EVENT: pull_request
+ APPLY_FIXES_MODE: commit
+
+concurrency:
+ group: ${{ github.ref }}-${{ github.workflow }}
+ cancel-in-progress: true
+
+jobs:
+ lint:
+ name: Lint
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ checks: write
+ pull-requests: write
+
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ fetch-depth: 0
+
+ - name: Lint
+ id: ml
+ uses: oxsecurity/megalinter@c1612a7969ca083ca64ea4d55fe174ec7ea54740
+ env:
+ VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload report
+ if: ${{ success() }} || ${{ failure() }}
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+ with:
+ name: Lint Report
+ path: |
+ megalinter-reports
+ mega-linter.log
+
+ - name: Create pull request with applied fixes
+ id: cpr
+ if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
+ uses: peter-evans/create-pull-request@2b011faafdcbc9ceb11414d64d0573f37c774b04
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ commit-message: "Apply lint fixes"
+ title: "Apply lint fixes"
+ labels: bot
+ - name: Output pull request
+ if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
+ run: |
+ echo "PR: ${{ steps.cpr.outputs.pull-request-number }}"
+ echo "PR URL: ${{ steps.cpr.outputs.pull-request-url }}"
+
+ - name: Prepare commit
+ if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
+ run: sudo chown -Rc $UID .git/
+ - name: Commit and push applied lint fixes
+ if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
+ uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a
+ with:
+ branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
+ commit_message: "Apply lint fixes"
diff --git a/.gitignore b/.gitignore
index 4f42dd7..a26b538 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,6 @@ Thumbs.db
 # Node
 node_modules
 npm-debug.log
+
+# Lint
+megalinter-reports/
diff --git a/.jscpd.json b/.jscpd.json
new file mode 100644
index 0000000..2cee5f5
--- /dev/null
+++ b/.jscpd.json
@@ -0,0 +1,15 @@
+{
+ "threshold": 0,
+ "reporters": ["html", "markdown"],
+ "ignore": [
+ "**/node_modules/**",
+ "**/.git/**",
+ "**/.rbenv/**",
+ "**/.venv/**",
+ "**/*cache*/**",
+ "**/.github/**",
+ "**/.idea/**",
+ "**/report/**",
+ "**/*.svg"
+ ]
+}
diff --git a/.mega-linter.yml b/.mega-linter.yml
new file mode 100644
index 0000000..019ee88
--- /dev/null
+++ b/.mega-linter.yml
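Review bot: The final step of this hunk pushes lint fixes to the PR branch with `GITHUB_TOKEN` through git-auto-commit-action, but the job's `permissions` block grants only `contents: read`, so that push will be refused; if commit mode is wanted, widen just that scope to `contents: write`, otherwise drop the commit/PR steps so the grant stays minimal. The `!contains(github.event.head_commit.message, 'skip fix')` clause in each `if:` is inert here: `head_commit` exists only in `push` payloads and this workflow triggers solely on `pull_request`, so the opt-out can never fire. Pushes made with `GITHUB_TOKEN` also do not start new workflow runs, so the PR's other checks will not re-run against the auto-fixed commit; that is worth stating on the step, e.g. `# Pushes with GITHUB_TOKEN do not re-trigger CI; re-run checks after an auto-fix lands`. Pinning the megalinter action to a commit does not by itself pin the linter container that revision runs, so confirm the image reference inside that action.yml is tag- or digest-pinned.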
@@ -0,0 +1,6 @@
+APPLY_FIXES: all
+DEFAULT_BRANCH: main
+SHOW_ELAPSED_TIME: false
+FILEIO_REPORTER: false
+DISABLE_LINTERS:
+ - SPELL_CSPELL
From 480d313a2cb9edaa474af296765fb9e0ee346dd4 Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Mon, 27 Mar 2023 09:33:30 -0400
Subject: [PATCH 02/11] Use latest release
---
 .github/workflows/lint.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 7ade5d4..e174386 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -33,7 +33,7 @@ jobs:
 - name: Lint
 id: ml
- uses: oxsecurity/megalinter@c1612a7969ca083ca64ea4d55fe174ec7ea54740
+ uses: oxsecurity/megalinter@c364436149b0ef3578bd24fa38ed9aa23af884db
 env:
 VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 98f8214a3242f2f500eff220b58140896a003f50 Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Wed, 5 Apr 2023 10:26:48 -0400
Subject: [PATCH 03/11] Provide version tags for Actions
---
 .github/workflows/lint.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index e174386..c2692c0 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -26,21 +26,21 @@ jobs:
 steps:
 - name: Checkout repo
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+ uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 fetch-depth: 0
 - name: Lint
 id: ml
- uses: oxsecurity/megalinter@c364436149b0ef3578bd24fa38ed9aa23af884db
+ uses: oxsecurity/megalinter@93700f8c21c59ea784a32abe23896e49e54463b8 # v6.22.2
 env:
 VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Upload report
 if: ${{ success() }} || ${{ failure() }}
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
 with:
 name: Lint Report
 path: |
@@ -50,7 +50,7 @@ jobs:
 - name: Create pull request with applied fixes
 id: cpr
 if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
- uses: peter-evans/create-pull-request@2b011faafdcbc9ceb11414d64d0573f37c774b04
+ uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 # v4.2.4
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 commit-message: "Apply lint fixes"
@@ -67,7 +67,7 @@ jobs:
 run: sudo chown -Rc $UID .git/
 - name: Commit and push applied lint fixes
 if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
- uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a
+ uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a # v4.16.0
 with:
 branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
 commit_message: "Apply lint fixes"
From 1279393d77e9429566a88ee1383351fc47143ff7 Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Wed, 5 Apr 2023 10:28:17 -0400
Subject: [PATCH 04/11] Use bot for fix commits
---
 .github/workflows/lint.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index c2692c0..db8e027 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -71,3 +71,5 @@ jobs:
 with:
 branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
 commit_message: "Apply lint fixes"
+ commit_user_name: bitwarden-devops-bot
+ commit_user_email: 106330231+bitwarden-devops-bot@users.noreply.github.com
From 1b92bf7f15a1042bb24db89e9068b65f2f6615d2 Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Wed, 23 Aug 2023 08:47:48 -0400
Subject: [PATCH 05/11] Refresh steps
---
 .github/workflows/lint.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index db8e027..99e7c68 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -25,15 +25,15 @@ jobs:
 pull-requests: write
 steps:
- - name: Checkout repo
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+ - name: Check out repository
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 fetch-depth: 0
 - name: Lint
 id: ml
- uses: oxsecurity/megalinter@93700f8c21c59ea784a32abe23896e49e54463b8 # v6.22.2
+ uses: oxsecurity/megalinter@fda6ac3a38be0e969820709ac16e442464e5a035 # v7.3.0
 env:
 VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -50,7 +50,7 @@ jobs:
 - name: Create pull request with applied fixes
 id: cpr
 if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix')
- uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 # v4.2.4
+ uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 commit-message: "Apply lint fixes"
From 58274fc0dbb3246f03e2b72485db6a826705ba25 Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Wed, 23 Aug 2023 08:49:07 -0400
Subject: [PATCH 06/11] Restore cspell
---
 .mega-linter.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.mega-linter.yml b/.mega-linter.yml
index 019ee88..b3343d1 100644
--- a/.mega-linter.yml
+++ b/.mega-linter.yml
@@ -2,5 +2,3 @@ APPLY_FIXES: all
 DEFAULT_BRANCH: main
 SHOW_ELAPSED_TIME: false
 FILEIO_REPORTER: false
-DISABLE_LINTERS:
- - SPELL_CSPELL
From 12a18f8ea6e822cbd91926ae72f1107ec95b7508 Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Wed, 23 Aug 2023 09:14:41 -0400
Subject: [PATCH 07/11] cspell configuration
---
 .cspell.json | 20 ++++++++++++++++++++
 project-words.txt | 10 ++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 .cspell.json
 create mode 100644 project-words.txt
diff --git a/.cspell.json b/.cspell.json
new file mode 100644
index 0000000..001732c
--- /dev/null
+++ b/.cspell.json
@@ -0,0 +1,20 @@
+{
+ "$schema": "https://raw.githubusercontent.com/streetsidesoftware/cspell/main/cspell.schema.json",
+ "version": "0.2",
+ "dictionaryDefinitions": [
+ {
+ "name": "project-words",
+ "path": "./project-words.txt",
+ "addWords": true
+ }
+ ],
+ "dictionaries": ["project-words"],
+ "ignorePaths": [
+ ".vscode",
+ "**/.cspell.json",
+ "**/.git/**",
+ "**/node_modules/**",
+ "**/package-lock.json",
+ "/project-words.txt"
+ ]
+}
diff --git a/project-words.txt b/project-words.txt
new file mode 100644
index 0000000..90f319a
--- /dev/null
+++ b/project-words.txt
@@ -0,0 +1,10 @@
+# Custom dictionary for spellchecking. Before adding a word here, consider whether you can put
+# it in a single (`) or multiline (```) code snippet instead, as they are automatically ignored
+# by the spellchecker. Please keep the list sorted alphabetically.
+
+Bitwarden
+classpath
+fullname
+keyserver
+stefanzweifel
+venv
From a54950f373a2f4ba2232d768ad48dbfad56bcdad Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Wed, 23 Aug 2023 09:24:58 -0400
Subject: [PATCH 08/11] Add permissions to existing workflows to meet compliance
---
 .github/workflows/enforce-labels.yml | 5 +++++
 .github/workflows/workflow-linter.yml | 4 ++++
 2 files changed, 9 insertions(+)
diff --git a/.github/workflows/enforce-labels.yml b/.github/workflows/enforce-labels.yml
index 3e6f19f..5353a5d 100644
--- a/.github/workflows/enforce-labels.yml
+++ b/.github/workflows/enforce-labels.yml
@@ -9,6 +9,11 @@ jobs:
 enforce-label:
 name: Enforce label
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ checks: write
+ pull-requests: write
+
 steps:
 - name: Enforce label
 uses: yogevbd/enforce-label-action@a3c219da6b8fa73f6ba62b68ff09c469b3a1c024 # 2.2.2
diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml
index b321da2..70dca12 100644
--- a/.github/workflows/workflow-linter.yml
+++ b/.github/workflows/workflow-linter.yml
@@ -9,3 +9,7 @@ on:
 jobs:
 call-workflow:
 uses: bitwarden/gh-actions/.github/workflows/workflow-linter.yml@a30e9c3d658dc97c4c2e61ec749fdab64b83386c
+ permissions:
+ contents: read
+ checks: write
+ pull-requests: write
From 4dbb348cac53e96c147def5174568ab853c851f4 Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Wed, 23 Aug 2023 09:41:54 -0400
Subject: [PATCH 09/11] Use Bitwarden bot for lint commits
---
 .github/workflows/lint.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 99e7c68..2398834 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -71,5 +71,5 @@ jobs:
 with:
 branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
 commit_message: "Apply lint fixes"
- commit_user_name: bitwarden-devops-bot
- commit_user_email: 106330231+bitwarden-devops-bot@users.noreply.github.com
+ commit_user_name: bitwarden-bot
+ commit_user_email: bot@bitwarden.com
From f43e7c898861a7520f5248b488aae88548f07926 Mon Sep 17 00:00:00 2001
From: Matt Bishop
Date: Wed, 23 Aug 2023 10:01:11 -0400
Subject: [PATCH 10/11] One more custom word
---
 project-words.txt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/project-words.txt b/project-words.txt
index 90f319a..32a7ec2 100644
--- a/project-words.txt
+++ b/project-words.txt
@@ -8,3 +8,4 @@ fullname
 keyserver
 stefanzweifel
 venv
+yogevbd
From f3c37f396dd6b4b2adda9e5cd12b0c501b6f89fd Mon Sep 17 00:00:00 2001
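Review bot: The new job-level block grants `checks: write` and `pull-requests: write` to a step that, from its name and the action it calls, appears only to read the PR's labels and fail the job; if `yogevbd/enforce-label-action` posts neither comments nor check runs, `pull-requests: read` suffices and `checks: write` can be dropped — confirm against the action's inputs at the pinned revision before narrowing. The same three scopes are handed to the reusable workflow in the next hunk as its ceiling; the called workflow can only shrink them, so they should mirror what that workflow declares rather than a fixed template.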
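Review bot: `commit_user_email: bot@bitwarden.com` replaces a `users.noreply.github.com` address bound to a numeric account id with a plain domain address, so GitHub will attribute these commits to whichever account has verified that address, or to none; and because author name and e-mail are unsigned metadata any contributor can set, the author string alone cannot be relied on in review or audit to tell bot-made fix commits from human ones. If attribution matters, keep the `<id>+<login>@users.noreply.github.com` form or have the bot sign its commits and require signed commits on protected branches; the push itself is still performed with `GITHUB_TOKEN` whatever author is written.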
From: Matt Bishop
Date: Wed, 23 Aug 2023 10:02:28 -0400
Subject: [PATCH 11/11] Set light top-level permissions for compliance
---
 .github/workflows/enforce-labels.yml | 3 +++
 .github/workflows/workflow-linter.yml | 2 ++
 2 files changed, 5 insertions(+)
diff --git a/.github/workflows/enforce-labels.yml b/.github/workflows/enforce-labels.yml
index 5353a5d..442b1e2 100644
--- a/.github/workflows/enforce-labels.yml
+++ b/.github/workflows/enforce-labels.yml
@@ -5,6 +5,9 @@ on:
 workflow_call:
 pull_request:
 types: [labeled, unlabeled, opened, edited, synchronize]
+
+permissions: read-all
+
 jobs:
 enforce-label:
 name: Enforce label
diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml
index 70dca12..494d40f 100644
--- a/.github/workflows/workflow-linter.yml
+++ b/.github/workflows/workflow-linter.yml
@@ -6,6 +6,8 @@ on:
 paths:
 - .github/workflows/**
+permissions: read-all
+
 jobs:
 call-workflow:
 uses: bitwarden/gh-actions/.github/workflows/workflow-linter.yml@a30e9c3d658dc97c4c2e61ec749fdab64b83386c
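Review bot: `permissions: read-all` at workflow level is a broad default (read on every scope) that the job-level block already in this file overrides, so it only governs jobs that declare no block of their own; `permissions: {}` expresses the intended default-deny more precisely and leaves the job grants untouched. If the compliance check specifically requires the `read-all` literal, say so in place so the next reviewer does not tighten it, e.g. `# Top-level default only; each job declares the scopes it needs below`. The same applies to the workflow-linter hunk, where the top-level value is the outer ceiling for the reusable-workflow call.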