From ccfa9f9ab2de447498d791b8dc547019027aac03 Mon Sep 17 00:00:00 2001 From: Bill Napier Date: Tue, 25 Mar 2025 18:59:55 +0000 Subject: [PATCH 1/3] Add some more lint/format checks. * Add yamlfmt as a required check * Make it easier for people to run the checks locally --- .github/workflows/markdown_format.yml | 2 +- .github/workflows/yaml_format.yml | 20 +++++++++++++++++++ .yamlfmt | 3 +++ .../pull_request_target_needs_exception.yaml | 4 ++-- ...l_request_target_needs_exception.test.yaml | 2 +- tools/mdformat | 2 ++ tools/yamlfmt | 2 ++ 7 files changed, 31 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/yaml_format.yml create mode 100644 .yamlfmt create mode 100755 tools/mdformat create mode 100755 tools/yamlfmt diff --git a/.github/workflows/markdown_format.yml b/.github/workflows/markdown_format.yml index 7ec56eb..eebc8dd 100644 --- a/.github/workflows/markdown_format.yml +++ b/.github/workflows/markdown_format.yml @@ -16,4 +16,4 @@ jobs: uses: 'actions/checkout@v4' - name: 'Check Markdown Format' - run: 'pipx run mdformat --check --wrap 100 .' \ No newline at end of file + run: 'tools/mdformat --check --wrap 100 .' \ No newline at end of file diff --git a/.github/workflows/yaml_format.yml b/.github/workflows/yaml_format.yml new file mode 100644 index 0000000..4befdcc --- /dev/null +++ b/.github/workflows/yaml_format.yml @@ -0,0 +1,20 @@ +### Ensure that Yaml files are properly formatted +name: 'Check Yaml Format' + +on: + pull_request: + paths: + - '**.yml' + - '**.yaml' + +jobs: + yamlfmt: + name: 'yamlfmt' + runs-on: 'ubuntu-latest' + + steps: + - name: 'Checkout Code' + uses: 'actions/checkout@v4' + + - name: 'Check Yaml Format' + run: 'tools/yamlfmt --lint --dstar "**/*.yaml"' \ No newline at end of file diff --git a/.yamlfmt b/.yamlfmt new file mode 100644 index 0000000..444835e --- /dev/null +++ b/.yamlfmt @@ -0,0 +1,3 @@ +formatter: + lines: 100 + \ No newline at end of file 
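Review bot: The new yaml_format.yml workflow declares no `permissions:` block, so its job runs with the repository's default GITHUB_TOKEN scope although it only needs to read the checkout; add `permissions:` / `  contents: 'read'` between `on:` and `jobs:`, as action_scanning.yml in this repository already does. The `uses: 'actions/checkout@v4'` step is pinned to a mutable tag, whereas action_scanning.yml and semgrep_testing.yml pin actions to a commit SHA with a `# ratchet:` comment; the same pinning here (and in markdown_format.yml, edited in the same patch) keeps the supply-chain posture consistent. The `paths:` filter only covers `**.yml` and `**.yaml`, so a change to the `.yamlfmt` config added in this patch will not re-run the check; add `- '.yamlfmt'` to `paths:` if that matters.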
diff --git a/semgrep-rules/actions/pull_request_target_needs_exception.yaml b/semgrep-rules/actions/pull_request_target_needs_exception.yaml index ce2709a..ea8b0f2 100644 --- a/semgrep-rules/actions/pull_request_target_needs_exception.yaml +++ b/semgrep-rules/actions/pull_request_target_needs_exception.yaml @@ -7,9 +7,9 @@ rules: metadata: category: best-practice technology: - - github-actions + - github-actions patterns: - pattern-either: - patterns: - pattern-inside: "{on: ...}" - - pattern: pull_request_target \ No newline at end of file + - pattern: pull_request_target diff --git a/semgrep-tests/actions/pull_request_target_needs_exception.test.yaml b/semgrep-tests/actions/pull_request_target_needs_exception.test.yaml index 26411be..551312c 100644 --- a/semgrep-tests/actions/pull_request_target_needs_exception.test.yaml +++ b/semgrep-tests/actions/pull_request_target_needs_exception.test.yaml @@ -1,3 +1,3 @@ on: # ruleid: pull-request-target-needs-exception - pull_request_target: \ No newline at end of file + pull_request_target: diff --git a/tools/mdformat b/tools/mdformat new file mode 100755 index 0000000..a9ecfed --- /dev/null +++ b/tools/mdformat @@ -0,0 +1,2 @@ +#!/bin/sh +pipx run mdformat $* \ No newline at end of file diff --git a/tools/yamlfmt b/tools/yamlfmt new file mode 100755 index 0000000..b8c55e6 --- /dev/null +++ b/tools/yamlfmt @@ -0,0 +1,2 @@ +#!/bin/sh +docker run -v "$(pwd):/project" ghcr.io/google/yamlfmt:latest $* \ No newline at end of file From 7b362ab684f2e0fd44e670e7a1c184b891cba9cf Mon Sep 17 00:00:00 2001 
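Review bot: `pipx run mdformat $*` re-splits and glob-expands its arguments because `$*` is unquoted; in a POSIX sh wrapper the arguments should be forwarded as `"$@"` so a quoted pattern such as `"**/*.yaml"` reaches the tool as one argument instead of being expanded by the host shell first. The same `$*` appears in the new tools/yamlfmt script in this patch. `pipx run mdformat` also resolves to whatever the newest PyPI release is at run time, so the CI check can change behaviour without any commit; pin it, e.g. `pipx run mdformat==<pinned-version> "$@"`.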
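Review bot: `ghcr.io/google/yamlfmt:latest` is a mutable tag, so the formatter that gates pull requests is whatever image was most recently published rather than a reviewed version; pin it by digest the way the semgrep container is pinned in .github/workflows/action_scanning.yml, e.g. `ghcr.io/google/yamlfmt@sha256:<digest-of-reviewed-image>`. The script mounts `-v "$(pwd):/project"` but never sets the container's working directory, and whether `/project` is the image's default WORKDIR is not visible here — the later `tools/yamlfmt --lint .` invocation in this series depends on it, so adding `-w /project` makes the assumption explicit. Adding `--rm` avoids leaving a stopped container behind after each run.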
From: Bill Napier Date: Tue, 25 Mar 2025 22:21:57 +0000 Subject: [PATCH 2/3] yamlfmt all files. --- .github/workflows/action_scanning.yml | 10 -------- .github/workflows/markdown_format.yml | 8 ++---- .github/workflows/publish_docs.yml | 25 ++++++++----------- .github/workflows/publish_docs_preview.yml | 23 ++++++++--------- .../workflows/publish_docs_preview_branch.yml | 23 +++++++---------- .github/workflows/semgrep_testing.yml | 7 ------ .github/workflows/yaml_format.yml | 8 ++---- 7 files changed, 34 insertions(+), 70 deletions(-) diff --git a/.github/workflows/action_scanning.yml b/.github/workflows/action_scanning.yml index 72207f7..09ef45b 100644 --- a/.github/workflows/action_scanning.yml +++ b/.github/workflows/action_scanning.yml @@ -1,29 +1,22 @@ ### Required actions to scan GitHub action workflows for security issues. name: 'Scan GitHub Action workflows files for security issues' - on: pull_request: {} - permissions: contents: 'read' security-events: 'write' actions: 'read' - jobs: semgrep: name: 'semgrep-oss/scan' runs-on: 'ubuntu-latest' - container: image: 'index.docker.io/semgrep/semgrep@sha256:85782eaf09692e6dfb684cd3bad87ef315775814b01f76b4d15582e4ca7c1c89' # ratchet:semgrep/semgrep - # Skip any PR created by dependabot to avoid permission issues: if: (github.actor != 'dependabot[bot]') - steps: - name: 'Checkout Code' uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 - - name: 'Checkout Workflow Config' uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 env: 
@@ -31,16 +24,13 @@ jobs: with: repository: 'google/github-team' path: action_scanning - - name: 'Run Actions semgrep scan' run: 'semgrep scan --sarif --config action_scanning/semgrep-rules/actions >> semgrep-results-actions.sarif' - - name: 'Save Actions SARIF results as artifact' uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # ratchet:actions/upload-artifact@v4 with: name: 'semgrep-scan-results-actions' path: 'semgrep-results-actions.sarif' - - name: 'Upload Actions SARIF result to the GitHub Security Dashboard' uses: 'github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841' # ratchet:github/codeql-action/upload-sarif@v3 with: diff --git a/.github/workflows/markdown_format.yml b/.github/workflows/markdown_format.yml index eebc8dd..afd17b6 100644 --- a/.github/workflows/markdown_format.yml +++ b/.github/workflows/markdown_format.yml @@ -1,19 +1,15 @@ ### Ensure that markdown files are properly formatted name: 'Check Markdown Format' - on: - pull_request: + pull_request: paths: - '**.md' - jobs: mdformat: name: 'mdformat' runs-on: 'ubuntu-latest' - steps: - name: 'Checkout Code' uses: 'actions/checkout@v4' - - name: 'Check Markdown Format' - run: 'tools/mdformat --check --wrap 100 .' \ No newline at end of file + run: 'tools/mdformat --check --wrap 100 .' diff --git a/.github/workflows/publish_docs.yml b/.github/workflows/publish_docs.yml index 348ba98..d59a3cb 100644 --- a/.github/workflows/publish_docs.yml +++ b/.github/workflows/publish_docs.yml 
@@ -1,30 +1,27 @@ name: 'Publish Docs Site' - on: push: branches: - master workflow_dispatch: - permissions: pages: 'write' id-token: 'write' - jobs: build: name: "Build Docs" runs-on: 'ubuntu-latest' steps: - - uses: 'actions/checkout@v4' - - name: 'Generate HTML from Markdown' - uses: 'ldeluigi/markdown-docs@latest' - with: - src: 'docs' - dst: 'generated-pages' - - name: 'Upload artifact' - uses: 'actions/upload-pages-artifact@v3' - with: - path: 'generated-pages' + - uses: 'actions/checkout@v4' + - name: 'Generate HTML from Markdown' + uses: 'ldeluigi/markdown-docs@latest' + with: + src: 'docs' + dst: 'generated-pages' + - name: 'Upload artifact' + uses: 'actions/upload-pages-artifact@v3' + with: + path: 'generated-pages' deploy: name: "Deploy Docs" environment: @@ -35,4 +32,4 @@ jobs: steps: - name: 'Deploy to GitHub Pages' id: 'deployment' - uses: 'actions/deploy-pages@v4' \ No newline at end of file + uses: 'actions/deploy-pages@v4' diff --git a/.github/workflows/publish_docs_preview.yml b/.github/workflows/publish_docs_preview.yml index b1e1d4d..13d6e3a 100644 --- a/.github/workflows/publish_docs_preview.yml +++ b/.github/workflows/publish_docs_preview.yml @@ -1,5 +1,4 @@ name: 'Publish Preview of Docs Site' - on: pull_request: types: 
@@ -7,23 +6,21 @@ on: - reopened - synchronize - closed - permissions: contents: 'write' pull-requests: 'write' - jobs: build: name: "Build PR Preview Docs" runs-on: 'ubuntu-latest' steps: - - uses: 'actions/checkout@v4' - - name: 'Generate HTML from Markdown' - uses: 'ldeluigi/markdown-docs@latest' - with: - src: 'docs' - dst: 'generated-pages' - - name: 'Deploy GitHub Pages Preview' - uses: rossjrw/pr-preview-action@v1 - with: - source-dir: './generated-pages/' \ No newline at end of file + - uses: 'actions/checkout@v4' + - name: 'Generate HTML from Markdown' + uses: 'ldeluigi/markdown-docs@latest' + with: + src: 'docs' + dst: 'generated-pages' + - name: 'Deploy GitHub Pages Preview' + uses: rossjrw/pr-preview-action@v1 + with: + source-dir: './generated-pages/' diff --git a/.github/workflows/publish_docs_preview_branch.yml b/.github/workflows/publish_docs_preview_branch.yml index 32e5032..b083ed7 100644 --- a/.github/workflows/publish_docs_preview_branch.yml +++ b/.github/workflows/publish_docs_preview_branch.yml @@ -1,30 +1,25 @@ name: 'Publish Preview of Docs Site from branch' - # The publish_docs_preview.yml workflow takes a PR and publishes the results to it's own branch # so users can preview it. But that git branch then needs some way to publish, so this action does that. - -on: +on: push: branch: - - gh-pages - + - gh-pages permissions: pages: 'write' id-token: 'write' - - jobs: stage: name: "Stage PR preview from branch to pages" runs-on: 'ubuntu-latest' steps: - - uses: 'actions/checkout@v4' - with: - ref: 'refs/heads/gh-pages' - - name: 'Upload artifact' - uses: 'actions/upload-pages-artifact@v3' - with: - path: '.' + - uses: 'actions/checkout@v4' + with: + ref: 'refs/heads/gh-pages' + - name: 'Upload artifact' + uses: 'actions/upload-pages-artifact@v3' + with: + path: '.' deploy: name: "Deploy PR Preview from branch to pages" needs: 'stage' 
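Review bot: The context line `branch:` under `on: push:` is not a GitHub Actions filter key — the key is `branches` — so this workflow is likely rejected as invalid or never fires on pushes to gh-pages; the reformat preserves the typo, and patch 3 of this series ("Fix workflow to be correct path") only trims whitespace in the comment above it, so `branch:` → `branches:` still needs fixing. In that same comment, `it's own branch` should read `its own branch`.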
diff --git a/.github/workflows/semgrep_testing.yml b/.github/workflows/semgrep_testing.yml index 7c69a9c..73abc01 100644 --- a/.github/workflows/semgrep_testing.yml +++ b/.github/workflows/semgrep_testing.yml @@ -1,27 +1,20 @@ ### Ensure that our local testing always passes name: 'Run semgrep tests' - on: pull_request: {} - permissions: contents: 'read' actions: 'read' - jobs: semgrep-tests: name: 'Run semgrep tests' runs-on: 'ubuntu-latest' - container: image: index.docker.io/semgrep/semgrep@sha256:85782eaf09692e6dfb684cd3bad87ef315775814b01f76b4d15582e4ca7c1c89 # ratchet:semgrep/semgrep - # Skip any PR created by dependabot to avoid permission issues: if: (github.actor != 'dependabot[bot]') - steps: - name: 'Checkout Code' uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 - - name: 'Run Actions semgrep scan' run: 'semgrep --test --config semgrep-rules semgrep-tests' diff --git a/.github/workflows/yaml_format.yml b/.github/workflows/yaml_format.yml index 4befdcc..2a549d7 100644 --- a/.github/workflows/yaml_format.yml +++ b/.github/workflows/yaml_format.yml @@ -1,20 +1,16 @@ ### Ensure that Yaml files are properly formatted name: 'Check Yaml Format' - on: - pull_request: + pull_request: paths: - '**.yml' - '**.yaml' - jobs: yamlfmt: name: 'yamlfmt' runs-on: 'ubuntu-latest' - steps: - name: 'Checkout Code' uses: 'actions/checkout@v4' - - name: 'Check Yaml Format' - run: 'tools/yamlfmt --lint --dstar "**/*.yaml"' \ No newline at end of file + run: 'tools/yamlfmt --lint --dstar "**/*.yaml" "**/*.yml"' From 6711ef2658a7f768ade07a8159bcd38c2f7691cd Mon Sep 17 00:00:00 2001 From: Bill Napier Date: Tue, 25 Mar 2025 23:15:34 +0000 Subject: [PATCH 3/3] Fix workflow to be correct path. --- .github/workflows/publish_docs_preview_branch.yml | 2 +- .github/workflows/yaml_format.yml | 2 +- .yamlfmt | 4 ++-- .../actions/pull_request_target_needs_exception.yaml | 4 +++- 4 files changed, 7 insertions(+), 5 deletions(-) 
diff --git a/.github/workflows/publish_docs_preview_branch.yml b/.github/workflows/publish_docs_preview_branch.yml index b083ed7..dd62013 100644 --- a/.github/workflows/publish_docs_preview_branch.yml +++ b/.github/workflows/publish_docs_preview_branch.yml @@ -1,5 +1,5 @@ name: 'Publish Preview of Docs Site from branch' -# The publish_docs_preview.yml workflow takes a PR and publishes the results to it's own branch +# The publish_docs_preview.yml workflow takes a PR and publishes the results to it's own branch # so users can preview it. But that git branch then needs some way to publish, so this action does that. on: push: diff --git a/.github/workflows/yaml_format.yml b/.github/workflows/yaml_format.yml index 2a549d7..efc5017 100644 --- a/.github/workflows/yaml_format.yml +++ b/.github/workflows/yaml_format.yml @@ -13,4 +13,4 @@ jobs: - name: 'Checkout Code' uses: 'actions/checkout@v4' - name: 'Check Yaml Format' - run: 'tools/yamlfmt --lint --dstar "**/*.yaml" "**/*.yml"' + run: 'tools/yamlfmt --lint .' diff --git a/.yamlfmt b/.yamlfmt index 444835e..0a3382f 100644 --- a/.yamlfmt +++ b/.yamlfmt @@ -1,3 +1,3 @@ formatter: - lines: 100 - \ No newline at end of file + max_line_length: 100 + trim_trailing_whitespace: true diff --git a/semgrep-rules/actions/pull_request_target_needs_exception.yaml b/semgrep-rules/actions/pull_request_target_needs_exception.yaml index ea8b0f2..7549647 100644 --- a/semgrep-rules/actions/pull_request_target_needs_exception.yaml +++ b/semgrep-rules/actions/pull_request_target_needs_exception.yaml 
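Review bot: With only `max_line_length` and `trim_trailing_whitespace` configured, yamlfmt appears to drop the blank lines between stanzas — that is what removed every separator from action_scanning.yml and semgrep_testing.yml in patch 2 and makes those workflows harder to scan; adding `retain_line_breaks: true` under `formatter:` keeps them. `max_line_length` also rewraps long plain scalars into multi-line plain scalars (see the semgrep rule `message:` in this patch), which is valid YAML but easy to misread in review.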
@@ -3,7 +3,9 @@ rules: languages: - yaml severity: ERROR - message: pull_request_target is considered very risky and should only be used when strictly needed. Please prefer other triggers when possible. If you think this is needed, you can dismiss this alert and merge your PR. + message: pull_request_target is considered very risky and should only be used when strictly needed. Please + prefer other triggers when possible. If you think this is needed, you can dismiss this alert and + merge your PR. metadata: category: best-practice technology:
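Review bot: The rewrapped `message:` is now a multi-line plain scalar: the continuation lines fold into one string only because they are indented deeper than the key, so a later edit that changes indentation or begins a line with `#` or `: ` would silently alter or break the message. A folded block scalar states the intent explicitly and formats stably: `message: >-` followed by the three text lines indented under it. The rule's `patterns:` body continues outside the hunk.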