From ff848c298ecd18a624192652b5d240934a39ef7f Mon Sep 17 00:00:00 2001
From: Sebastien Vermeille
Date: Wed, 19 Jun 2024 13:44:49 +0200
Subject: [PATCH 1/9] BUILD-5391 Enable pre-commit validation at PR level
---
.github/workflows/pre-commit.yml | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 .github/workflows/pre-commit.yml
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
new file mode 100644
index 0000000..c8f210b
--- /dev/null
+++ b/.github/workflows/pre-commit.yml
@@ -0,0 +1,15 @@
+name: Pre-commit checks
+on:
+ pull_request:
+ merge_group:
+
+jobs:
+ pre-commit:
+ name: "pre-commit"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: SonarSource/gh-action_pre-commit@f04ea4aa921469a3f203f82f8965d3a308f59d91 # 0.0.7
+ with:
+ extra-args: >
+ --from-ref=origin/${{ github.event.pull_request.base.ref }}
+ --to-ref=${{ github.event.pull_request.head.sha }}
From e48c1731bce3e85252b6cac598222e4220dd90e5 Mon Sep 17 00:00:00 2001
From: Sebastien Vermeille
Date: Wed, 19 Jun 2024 13:45:33 +0200
Subject: [PATCH 2/9] BUILD-5391 Update pre-commit-config so that it verify also the github action and workflow about good practices
---
.markdownlint.yaml | 12 ++++++++++++
.pre-commit-config.yaml | 31 +++++++++++++++++++++----------
2 files changed, 33 insertions(+), 10 deletions(-)
create mode 100644 .markdownlint.yaml
diff --git a/.markdownlint.yaml b/.markdownlint.yaml
new file mode 100644
index 0000000..0433311
--- /dev/null
+++ b/.markdownlint.yaml
@@ -0,0 +1,12 @@
+# Default state for all rules
+default: true
+
+# MD013/line-length - Line length
+MD013:
+ line_length: 120
+ tables: false
+
+# MD031/blanks-around-fences : Fenced code blocks should be surrounded by blank lines : https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md031.md
+MD031:
+ # Disable for list_items to create a tight list containing a code fence
+ list_items: false
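Review bot: The `extra-args` value on the last two added lines reads `github.event.pull_request.base.ref` and `github.event.pull_request.head.sha`, but the workflow also triggers on `merge_group`, whose event payload carries no `pull_request` object, so on that trigger the hook is invoked with `--from-ref=origin/` and an empty `--to-ref=`. Either restrict the step with `if: github.event_name == 'pull_request'` or derive the two refs per event in a preceding step (the merge-group payload exposes `github.event.merge_group.base_sha` and `head_sha`). The job also declares no `permissions:` block, so the default `GITHUB_TOKEN` scope of the repository applies; a workflow-level `permissions:` with `contents: read` limits the token to the read access a checkout needs. Separately, `>` keeps a trailing newline in the folded argument string; `>-` is the usual header when the value is meant to be a single line.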
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1432fc9..e99faa8 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -4,18 +4,29 @@ repos: - id: check-hooks-apply - id: check-useless-excludes - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.1.0 + rev: f71fa2c1f9cf5cb705f73dffe4b21f7c61470ba9 # frozen: v4.4.0 hooks: - id: trailing-whitespace - args: [ --markdown-linebreak-ext=md ] - - id: end-of-file-fixer - - id: check-added-large-files - id: check-yaml - - id: check-json - - id: pretty-format-json - args: [--autofix, --indent, "4", --no-sort-keys] - files: ^.github/renovate.json + - id: check-added-large-files + - id: end-of-file-fixer - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.14.0 + rev: 20447075e31543a8b125f2df18d75f3b5e7d4d2e # frozen: 0.22.0 + hooks: + - id: check-github-workflows + - repo: https://github.com/gruntwork-io/pre-commit + rev: 5341f388c2a962d3bc66e075f00b80ab45b15f24 # v0.1.20 + hooks: + - id: shellcheck + - repo: https://github.com/igorshubovych/markdownlint-cli + rev: c9ea83146232fb263effdfe6f222d87f5395b27a # v0.39.0 + hooks: + - id: markdownlint + - repo: https://github.com/renovatebot/pre-commit-hooks + rev: 32ee411cf36142e6082f10870ae62172ce9af133 # frozen: 35.32.0 + hooks: + - id: renovate-config-validator + - repo: https://github.com/rhysd/actionlint + rev: 62dc61a45fc95efe8c800af7a557ab0b9165d63b # v1.7.1 hooks: - - id: check-renovate + - id: actionlint From 463d178f3759d2d887e35d08b777008344c5f2d8 Mon Sep 17 00:00:00 2001 From: Sebastien Vermeille Date: Wed, 19 Jun 2024 13:47:44 +0200 Subject: [PATCH 3/9] BUILD-5391 Fix linter reported issues: If an input is required, the default value do not make sense as it is never used. --- .github/workflows/workflow.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index 5162832..2f8a955 100644 --- a/.github/workflows/workflow.yml 
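Review bot: The new `rev:` pins are annotated inconsistently: the pre-commit-hooks, check-jsonschema and renovate entries use the `# frozen: <version>` form while the gruntwork, markdownlint-cli and actionlint entries carry a bare `# <version>` comment. `pre-commit autoupdate --freeze` reads and rewrites the `frozen:` form, so the three bare comments should become `# frozen: v0.1.20`, `# frozen: v0.39.0` and `# frozen: v1.7.1` to keep every pin maintainable by the same tool. Pinning every hook repository to a full commit SHA rather than a tag, as this hunk does, is the right choice for a supply-chain sensitive config and should stay that way.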
+++ b/.github/workflows/workflow.yml @@ -7,14 +7,11 @@ on: required: true type: string description: "The Docker image to scan." - # description: "Newline-delimited list of Docker images to scan" - default: "example/image_name:tag" + # i.e: "example/image_name:tag" filename: required: true type: string description: "The generated SBOM file name" - # description: "Newline-delimited list of generated SBOM file names" - default: "bom.json" upload-artifact: required: false type: boolean From 44a7256cb448b148b0c1f40ce45bfe3e525072f7 Mon Sep 17 00:00:00 2001 From: Sebastien Vermeille Date: Wed, 19 Jun 2024 13:49:01 +0200 Subject: [PATCH 4/9] BUILD-5391 Fix linter reported issues: true is not a String type (That way it follows the json schema provided by GitHub) --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index 9fceaf5..4091f17 100644 --- a/action.yml +++ b/action.yml @@ -15,11 +15,11 @@ inputs: upload-artifact: required: false description: "Attach the SBOM to the workflow" - default: true + default: "true" upload-release-assets: required: false description: "Attach the SBOM to the release" - default: true + default: "true" syft-version: required: false description: "Syft version" From 5a99cb4349b628f3be5031965705d595961d9fe2 Mon Sep 17 00:00:00 2001 From: Sebastien Vermeille Date: Wed, 19 Jun 2024 13:54:01 +0200 Subject: [PATCH 5/9] BUILD-5391 Fix Markdown issues --- README.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 9100ad8..24498a8 100644 --- a/README.md +++ b/README.md @@ -31,7 +31,7 @@ jobs: ### GitHub Reusable Workflow :warning: The strategy property is not supported in any job that calls a reusable workflow. -See https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations +See [reusing workflows limitations](https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) ```yaml jobs: 
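Review bot: The added comment `# i.e: "example/image_name:tag"` introduces an example value, so the abbreviation should be `e.g.` (for example) rather than `i.e.` (that is); suggested `# e.g. "example/image_name:tag"`. The same comment is added to `action.yml` in patch 7 of this series and should be corrected there too. Since the `default:` lines were dropped because both inputs are required, folding the example into the description, `description: "The Docker image to scan, e.g. example/image_name:tag"`, would expose it to callers who only see the input description rather than to readers of this file.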
@@ -49,13 +49,13 @@ jobs: ## Versioning -Using the versioned semantic [tags](#Tags) is recommended for security and reliability. +Using the versioned semantic [tags](#tags) is recommended for security and reliability. See [GitHub: Using tags for release management](https://docs.github.com/en/actions/creating-actions/about-custom-actions#using-tags-for-release-management) and [GitHub: Keeping your actions up to date with Dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/keeping-your-actions-up-to-date-with-dependabot) . -For convenience, it is possible to use the [branches](#Branches) following the major releases. +For convenience, it is possible to use the [branches](#branches) following the major releases. ### Tags @@ -108,10 +108,9 @@ git push origin v1 ### Warning Unexpected input -> ``` > Warning: Unexpected input(s) 'upload-artifact', 'upload-release-assets', -> valid inputs are ['path', 'image', 'registry-username', 'registry-password', 'format', 'github-token', 'artifact-name', 'output-file', 'syft-version', 'dependency-snapshot'] -> ``` +> valid inputs are ['path', 'image', 'registry-username', 'registry-password', 'format', 'github-token', +> 'artifact-name', 'output-file', 'syft-version', 'dependency-snapshot'] The warning can be ignored, see anchore/sbom-action#269 From cf7f42d0f3333444d893a7de9e34e53d0fb33fc2 Mon Sep 17 00:00:00 2001 From: Sebastien Vermeille Date: Wed, 19 Jun 2024 13:58:35 +0200 Subject: [PATCH 6/9] BUILD-5391 Fix action lint and workflow lint reported issues using an unknown input for upload-release-action --- .github/workflows/workflow.yml | 1 - action.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index 2f8a955..cf9ae3e 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml 
@@ -79,4 +79,3 @@ jobs: file_glob: true file: "${{ inputs.filename }}?(.asc)" tag: ${{ github.ref }} - overwrite: true diff --git a/action.yml b/action.yml index 4091f17..fb5695d 100644 --- a/action.yml +++ b/action.yml @@ -64,4 +64,3 @@ runs: file_glob: true file: "${{ inputs.filename }}?(.asc)" tag: ${{ github.ref }} - overwrite: true From 8f5968bf60b8d7c42fd31189294c60afdf07aae5 Mon Sep 17 00:00:00 2001 From: Sebastien Vermeille Date: Wed, 19 Jun 2024 14:55:25 +0200 Subject: [PATCH 7/9] BUILD-5391 Code gardening --- action.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/action.yml b/action.yml index fb5695d..7b04af5 100644 --- a/action.yml +++ b/action.yml @@ -5,13 +5,10 @@ inputs: image: required: true description: "The Docker image to scan." -# description: "Newline-delimited list of Docker images to scan" - default: "example/image_name:tag" + # i.e: "example/image_name:tag" filename: required: true description: "The generated SBOM file name" -# description: "Newline-delimited list of generated SBOM file names" - default: "bom.json" upload-artifact: required: false description: "Attach the SBOM to the workflow" @@ -26,7 +23,7 @@ inputs: default: v0.105.0 runs: - using: 'composite' + using: "composite" steps: - uses: anchore/sbom-action@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0 with: From c1747fc6976954d626fa50c84bed06910a4b7211 Mon Sep 17 00:00:00 2001 From: Sebastien Vermeille Date: Thu, 20 Jun 2024 09:06:40 +0200 Subject: [PATCH 8/9] Readd overwrite: true --- action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/action.yml b/action.yml index 7b04af5..6091814 100644 --- a/action.yml +++ b/action.yml @@ -61,3 +61,4 @@ runs: file_glob: true file: "${{ inputs.filename }}?(.asc)" tag: ${{ github.ref }} + overwrite: true From 3d699f5b0d7941556514a64c3c0b2e52139497d5 Mon Sep 17 00:00:00 2001 
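Review bot: Re-adding `overwrite: true` to the release-upload step reverts patch 6 of this series, whose message states the line was removed because actionlint reported it as an unknown input of the upload-release action; unless actionlint's input check is now suppressed or the action's pinned revision declares that input, the PR-level lint this series enables will presumably report the same finding again. The commit message gives no reason for the re-add, so an inline comment such as `overwrite: true # kept: <reason or actionlint finding reference>` would stop the next cleanup from removing it once more. Patch 9 re-adds the identical line in `.github/workflows/workflow.yml` and has the same gap. The step's `uses:` line is outside this hunk, so the action's actual input list cannot be confirmed here.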
From: Sebastien Vermeille Date: Thu, 20 Jun 2024 09:13:08 +0200 Subject: [PATCH 9/9] Readd overwrite: true --- .github/workflows/workflow.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index cf9ae3e..2f8a955 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -79,3 +79,4 @@ jobs: file_glob: true file: "${{ inputs.filename }}?(.asc)" tag: ${{ github.ref }} + overwrite: true