Windows-SysAdmin-ProSuite/.github/workflows/editorconfig-check.yml at 20b72d9853cbf47fd9492a8983116b55aa2bd747 · brazilianscriptguy/Windows-SysAdmin-ProSuite · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
name: EditorConfig Check

on:
  push:
    branches: [main, develop]
    paths:
      - ".editorconfig"
      - "**/.editorconfig"
      - "**/*"
  pull_request:
    branches: [main, develop]
    paths:
      - ".editorconfig"
      - "**/.editorconfig"
      - "**/*"
  workflow_dispatch:

concurrency:
  group: editorconfig-check-${{ github.ref }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  editorconfig-check:
    name: 🔍 EditorConfig Lint
    runs-on: ubuntu-latest
    timeout-minutes: 15

    env:
      # "true"  => never fail the job (report-only mode)
      # "false" => fail only when violations are detected in output
      ALLOW_WARNINGS: "false"

      # Pin for deterministic installs (update intentionally)
      EC_VERSION: "3.0.3"

      # Output files
      EC_OUTPUT: "ec-output.txt"
      EC_SUMMARY: "ec-summary.md"

    steps:
      - name: 📦 Checkout Repository
        uses: actions/checkout@v4

      - name: 📥 Install EditorConfig Checker (pinned)
        shell: bash
        run: |
          set -euo pipefail

          URL="https://github.com/editorconfig-checker/editorconfig-checker/releases/download/v${EC_VERSION}/ec-linux-amd64.tar.gz"
          echo "Downloading EditorConfig Checker v${EC_VERSION}..."
          echo "URL: ${URL}"

          TMPDIR="$(mktemp -d)"
          curl -fsSL "${URL}" -o "${TMPDIR}/ec.tar.gz"

          mkdir -p "${TMPDIR}/ec"
          tar -xzf "${TMPDIR}/ec.tar.gz" -C "${TMPDIR}/ec"

          BIN="$(find "${TMPDIR}/ec" -maxdepth 6 -type f \( -name 'ec-linux-amd64' -o -name 'ec' \) | head -n 1 || true)"
          if [[ -z "${BIN:-}" ]]; then
            echo "❌ Error: 'ec' binary not found after extraction."
            echo "Extracted contents:"
            find "${TMPDIR}/ec" -maxdepth 6 -print
            exit 1
          fi

          sudo install -m 0755 "${BIN}" /usr/local/bin/ec

          echo "Installed:"
          /usr/local/bin/ec --version

      - name: ▶️ Run EditorConfig Checker (capture output + exit code)
        id: ec
        shell: bash
        run: |
          set -euo pipefail

          # We do NOT hard-fail on non-zero exit codes because
          # ec can return 2 in some environments even when we
          # prefer policy-based enforcement via output parsing.
          set +e
          /usr/local/bin/ec --disable-logs . 2>&1 | tee "${EC_OUTPUT}"
          EC_EXIT="${PIPESTATUS[0]}"
          set -e

          echo "exit_code=${EC_EXIT}" >> "${GITHUB_OUTPUT}"
          echo "EditorConfig Checker exit code: ${EC_EXIT}"

      - name: 🧾 Compute Violation Signal (policy-based)
        id: policy
        shell: bash
        run: |
          set -euo pipefail

          # Enterprise-safe: decide pass/fail from output signal, not from ec exit codes.
          # Your known-good signal: lines starting with "[".
          if [[ -f "${EC_OUTPUT}" ]] && grep -q "^\[" "${EC_OUTPUT}"; then
            echo "violations=true" >> "${GITHUB_OUTPUT}"
          else
            echo "violations=false" >> "${GITHUB_OUTPUT}"
          fi

      - name: 📋 Generate Markdown Summary
        if: always()
        shell: bash
        run: |
          set -euo pipefail

          {
            echo "### 🔍 EditorConfig Check Summary"
            echo
            echo "- **Workflow:** \`${{ github.workflow }}\`"
            echo "- **Ref:** \`${{ github.ref }}\`"
            echo "- **Commit:** \`${{ github.sha }}\`"
            echo "- **EC version:** \`${EC_VERSION}\`"
            echo "- **Exit code:** \`${{ steps.ec.outputs.exit_code }}\`"
            echo "- **Violations detected:** \`${{ steps.policy.outputs.violations }}\`"
            echo "- **ALLOW_WARNINGS:** \`${ALLOW_WARNINGS}\`"
            echo

            if [[ "${{ steps.policy.outputs.violations }}" == "true" ]]; then
              echo "**Violations found (top 40 lines):**"
              echo
              echo '```text'
              head -n 40 "${EC_OUTPUT}" || true
              echo '```'
              echo
              echo "_Output truncated. Download artifact '${EC_OUTPUT}' for full details._"
            else
              echo "✅ No violations detected."
            fi
          } | tee "${EC_SUMMARY}" >> "${GITHUB_STEP_SUMMARY}"

      - name: 📦 Upload Artifacts (output + summary)
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: editorconfig-check
          path: |
            ${{ env.EC_OUTPUT }}
            ${{ env.EC_SUMMARY }}
          retention-days: 30

      - name: 🚫 Enforce Policy (fail only on violations)
        if: always()
        shell: bash
        run: |
          set -euo pipefail

          if [[ "${ALLOW_WARNINGS}" == "true" ]]; then
            echo "ALLOW_WARNINGS=true -> report-only mode. Passing."
            exit 0
          fi

          if [[ "${{ steps.policy.outputs.violations }}" == "true" ]]; then
            echo "❌ EditorConfig violations detected. Failing."
            exit 1
          fi

          echo "✅ No violations. Passing."