Import mega-linter.yml (#678)

Import mega-linter.yml, to test [mega-linter](https://megalinter.io/latest/). Include file mentioend at https://megalinter.io/latest/install-github/, but at least currently, do not commit directly to the PR, but create a new PR, to be tested/reviewed. Fix #147.
EGI-Federation · Oct 21, 2024 · c9cb810 · c9cb810 · github-actions · Oct 21, 2024
1 parent 54595fc
commit c9cb810
Show file tree

Hide file tree

Showing 11 changed files with 155 additions and 3 deletions.
diff --git a/.github/linters/.secretlintrc.json b/.github/linters/.secretlintrc.json
@@ -0,0 +1,15 @@
+{
+  "rules": [
+    {
+      "id": "@secretlint/secretlint-rule-preset-recommend",
+      "rules": [
+        {
+          "id": "@secretlint/secretlint-rule-basicauth",
+          "options": {
+            "allows": [ "/secret/i" ]
+          }
+        }
+      ]
+    }
+  ]
+}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -5,6 +5,8 @@ name: Build documentation
 
 on: [pull_request]
 
+permissions: read-all
+
 jobs:
   build:
     name: Build with Hugo

diff --git a/.github/workflows/build_pr_preview.yml b/.github/workflows/build_pr_preview.yml
@@ -8,6 +8,8 @@ on:
     # Run when label is added or present and when pushing to the PR
     types: [labeled, opened, synchronize]
 
+permissions: read-all
+
 jobs:
   build_preview:
     # Do not run on forks, and only if "safe for preview" label is set

diff --git a/.github/workflows/check-links.yml b/.github/workflows/check-links.yml
@@ -7,6 +7,8 @@ on:
     # run on Sundays morning
     - cron: '32 9 * * 0'
 
+permissions: read-all
+
 jobs:
   markdown-link-check:
     name: Check links using markdown-link-check

diff --git a/.github/workflows/delete_pr_preview.yml b/.github/workflows/delete_pr_preview.yml
@@ -6,6 +6,8 @@ on:
     # Run when label is removed or pull request closed
     types: [unlabeled, closed]
 
+permissions: read-all
+
 jobs:
   delete_preview:
     # Do not run on forks, and only if "safe for preview" label is set

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -10,6 +10,8 @@ on:
     branches:
       - main
 
+permissions: read-all
+
 jobs:
   deploy:
     name: Build using Hugo and deploy

diff --git a/.github/workflows/deploy_pr_preview.yml b/.github/workflows/deploy_pr_preview.yml
@@ -13,6 +13,8 @@ on:
     workflows: ["Build pull request preview"]
     types: [completed]
 
+permissions: read-all
+
 jobs:
   deploy_pr_preview:
     # Only run if PR preview build was successful
@@ -58,9 +60,6 @@ jobs:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           # Purge older files from a given PR
           keep_files: false
-          # Accessible at http://docs.egi.eu/documentation/
-          # XXX use a different domain
-          # cname: docs.egi.eu
           # Branch to push to
           publish_branch: pr_previews
           # Source directory

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -4,6 +4,8 @@ name: Lint
 on:
   pull_request:
 
+permissions: read-all
+
 jobs:
   super-lint:
     name: Lint with Super-Linter

diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
@@ -0,0 +1,122 @@
+---
+# MegaLinter GitHub Action configuration file
+# More info at https://megalinter.io
+name: MegaLinter
+
+on:
+  # Trigger mega-linter at every push. Action will also be visible from Pull Requests to main
+  push:
+  pull_request:
+    branches: [main]
+
+permissions: read-all
+
+env:
+  # Apply linter fixes configuration
+  # When active, APPLY_FIXES must also be defined as environment variable
+  # (in github/workflows/mega-linter.yml or other CI tool)
+  APPLY_FIXES: all
+  APPLY_FIXES_EVENT: pull_request
+  # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request)
+  APPLY_FIXES_MODE: pull_request
+
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  megalinter:
+    name: MegaLinter
+    runs-on: ubuntu-latest
+    permissions:
+      # Give the default GITHUB_TOKEN write permission to commit and push, comment issues & post new PR
+      # Remove the ones you do not need
+      contents: read
+      issues: write
+      pull-requests: write
+    steps:
+      # Git Checkout
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances
+          fetch-depth: 0
+
+      # MegaLinter
+      - name: MegaLinter
+        id: ml
+        # You can override MegaLinter flavor used to have faster performances
+        # More info at https://megalinter.io/flavors/
+        uses: oxsecurity/megalinter/flavors/documentation@v8
+        env:
+          # All available variables are described in documentation
+          # https://megalinter.io/configuration/
+          # Validates all source when push on main, else just the git diff with main.
+          # Override with true if you always want to lint all sources
+          VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY
+          DISABLE: COPYPASTE
+          DISABLE_LINTERS: REPOSITORY_GRYPE,REPOSITORY_TRIVY,REPOSITORY_TRUFFLEHOG,SPELL_CSPELL
+          # Scan only changes in PR, otherwise scan everything
+          REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: ${{ github.event_name == 'pull_request' }}
+
+      # Upload MegaLinter artifacts
+      - name: Archive production artifacts
+        if: success() || failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: MegaLinter reports
+          path: |
+            megalinter-reports
+            mega-linter.log
+
+      # Create pull request if applicable (for now works only on PR from same repository, not from forks)
+      - name: Create Pull Request with applied fixes
+        id: cpr
+        if: steps.ml.outputs.has_updated_sources == 1 &&
+            (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT ==
+            github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' &&
+            (github.event_name == 'push' ||
+            github.event.pull_request.head.repo.full_name == github.repository) &&
+            !contains(github.event.head_commit.message, 'skip fix')
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          commit-message: "[MegaLinter] Apply linters automatic fixes"
+          title: "[MegaLinter] Apply linters automatic fixes"
+          labels: bot
+      - name: Create PR output
+        if: steps.ml.outputs.has_updated_sources == 1 &&
+            (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT ==
+            github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' &&
+            (github.event_name == 'push' ||
+            github.event.pull_request.head.repo.full_name == github.repository) &&
+            !contains(github.event.head_commit.message, 'skip fix')
+        run: |
+          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
+          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
+
+      # Push new commit if applicable (for now works only on PR from same repository, not from forks)
+      - name: Prepare commit
+        if: steps.ml.outputs.has_updated_sources == 1 &&
+            (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT ==
+            github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref
+            != 'refs/heads/main' && (github.event_name == 'push' ||
+            github.event.pull_request.head.repo.full_name == github.repository) &&
+            !contains(github.event.head_commit.message, 'skip fix')
+        run: sudo chown -Rc $UID .git/
+      - name: Commit and push applied linter fixes
+        if: steps.ml.outputs.has_updated_sources == 1 &&
+            (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT ==
+            github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref
+            != 'refs/heads/main' && (github.event_name == 'push' ||
+            github.event.pull_request.head.repo.full_name == github.repository) &&
+            !contains(github.event.head_commit.message, 'skip fix')
+        uses: stefanzweifel/git-auto-commit-action@v4
+        with:
+          branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
+          commit_message: "[MegaLinter] Apply linters fixes"
+          commit_user_name: egibot
+          commit_user_email: [email protected]
diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml
@@ -74,6 +74,8 @@ on:
     types:
       - "created"
 
+permissions: read-all
+
 jobs:
   spelling:
     name: Check Spelling

diff --git a/.lycheeignore b/.lycheeignore
@@ -0,0 +1,2 @@
+https://docs.egi.eu/documentation/*
+https://megalinter.io/*
-Original file line number
+Diff line change
@@ Expand Up / @@ -5,6 +5,8 @@ name: Build documentation @@
     on: [pull_request]
+    permissions: read-all
     jobs:
       build:
         name: Build with Hugo
@@ Expand Down @@
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		https://docs.egi.eu/documentation/*
		https://megalinter.io/*