Automated backport of #1517: Only fail builds for high+ vulns #2432
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Linting | |
on: | |
pull_request: | |
permissions: {} | |
jobs: | |
apply-suggestions-commits: | |
name: 'No "Apply suggestions from code review" Commits' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Get PR commits | |
id: 'get-pr-commits' | |
uses: tim-actions/get-pr-commits@198af03565609bb4ed924d1260247b4881f09e7d | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: 'Verify no "Apply suggestions from code review" commits' | |
uses: tim-actions/commit-message-checker-with-regex@094fc16ff83d04e2ec73edb5eaf6aa267db33791 | |
with: | |
commits: ${{ steps.get-pr-commits.outputs.commits }} | |
pattern: '^(?!.*(apply suggestions from code review))' | |
flags: 'i' | |
error: 'Commits addressing code review feedback should typically be squashed into the commits under review' | |
- name: 'Verify no "fixup!" commits' | |
uses: tim-actions/commit-message-checker-with-regex@094fc16ff83d04e2ec73edb5eaf6aa267db33791 | |
with: | |
commits: ${{ steps.get-pr-commits.outputs.commits }} | |
pattern: '^(?!fixup!)' | |
flags: 'i' | |
error: 'Fixup commits should be squashed into the commits under review' | |
gitlint: | |
name: Commit Message(s) | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out the repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
with: | |
fetch-depth: 0 | |
- name: Run gitlint | |
run: make gitlint | |
golangci-lint: | |
name: Go | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out the repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
- name: Run golangci-lint | |
run: make golangci-lint | |
licenses: | |
name: Dependency Licenses | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out the repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
- name: Check the licenses | |
run: make licensecheck | |
markdown-link-check: | |
name: Markdown Links (modified files) | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out the repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
- name: Run markdown-link-check | |
uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec | |
with: | |
config-file: ".markdownlinkcheck.json" | |
check-modified-files-only: "yes" | |
base-branch: ${{ github.base_ref }} | |
markdownlint: | |
name: Markdown | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out the repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
- name: Run markdownlint | |
run: make markdownlint | |
packagedoc-lint: | |
name: Package Documentation | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out the repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
- name: Run packagedoc-lint | |
run: make packagedoc-lint | |
vulnerability-scan: | |
name: Vulnerability Scanning | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out the repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
- name: Run Anchore vulnerability scanner | |
uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a | |
id: scan | |
with: | |
path: "." | |
fail-build: true | |
severity-cutoff: high | |
- name: Show Anchore scan SARIF report | |
if: always() | |
run: cat ${{ steps.scan.outputs.sarif }} | |
- name: Upload Anchore scan SARIF report | |
if: always() | |
uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 | |
with: | |
sarif_file: ${{ steps.scan.outputs.sarif }} | |
yaml-lint: | |
name: YAML | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out the repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
- name: Run yamllint | |
run: make yamllint |