From dd8fc476cec38c933221da87f9f02ea4f21dbc14 Mon Sep 17 00:00:00 2001 From: Ben Manes Date: Sun, 24 Mar 2024 11:50:32 -0700 Subject: [PATCH] add more linters --- .github/actions/run-gradle/action.yml | 3 +- .github/workflows/reviewdog.yml | 86 +++++++++++++++++++++++ .github/workflows/scorecards-analysis.yml | 2 +- .github/workflows/spelling.yml | 4 -- .github/workflows/trivy.yml | 32 +++++++++ gradle/libs.versions.toml | 4 +- 6 files changed, 123 insertions(+), 8 deletions(-) create mode 100644 .github/workflows/reviewdog.yml create mode 100644 .github/workflows/trivy.yml diff --git a/.github/actions/run-gradle/action.yml b/.github/actions/run-gradle/action.yml index 40e08b461f..4c60cd5cab 100644 --- a/.github/actions/run-gradle/action.yml +++ b/.github/actions/run-gradle/action.yml @@ -2,7 +2,7 @@ name: Run Gradle description: Sets up Gradle JDKs and runs Gradle inputs: arguments: - required: true + required: false description: Gradle arguments java: required: true @@ -83,6 +83,7 @@ runs: gradle-home-cache-cleanup: true gradle-home-cache-strict-match: true - name: Run ${{ inputs.arguments }} + if: ${{ env.arguments != '' }} env: JAVA_HOME: ${{ steps.setup-gradle-jdk.outputs.path }} ORG_GRADLE_PROJECT_org.gradle.java.installations.auto-download: 'false' diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml new file mode 100644 index 0000000000..4649af2dbf --- /dev/null +++ b/.github/workflows/reviewdog.yml 
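Review bot: The new guard `if: ${{ env.arguments != '' }}` in the `@@ -83,6 +83,7 @@` hunk reads the `env` context, but the value being tested is the composite-action input that the step name on the previous line already references as `inputs.arguments`. Unless an `env: arguments:` mapping exists somewhere outside this hunk, `env.arguments` is always empty, the condition is always false, and the `Run` step is silently skipped for every caller — which would turn off the build and any security checks (findsecbugs, forbidden-apis) that run through Gradle without anyone noticing. The guard should be `if: ${{ inputs.arguments != '' }}`, matching the `required: false` change in the first hunk. The step's `env:` block continues past the end of the hunk.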
@@ -0,0 +1,86 @@
+name: reviewdog
+permissions: read-all
+on: [ push, pull_request ]
+
+jobs:
+ actionlint:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ - uses: actions/checkout@v3
+ - name: Setup node/npm
+ uses: actions/setup-node@v1
+ with:
+ node-version: '*'
+
+ - name: actionlint
+ uses: reviewdog/action-actionlint@v1
+ with:
+ reporter: github-check
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: alex
+ uses: reviewdog/action-alex@v1
+ with:
+ reporter: github-check
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: detect-secrets
+ uses: reviewdog/action-detect-secrets@master
+ with:
+ reporter: github-check
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: languagetool
+ uses: reviewdog/action-languagetool@v1
+ with:
+ reporter: github-check
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: markdownlint
+ uses: reviewdog/action-markdownlint@v0
+ with:
+ reporter: github-check
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: misspell
+ uses: reviewdog/action-misspell@v1
+ with:
+ locale: US
+ reporter: github-check
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: install remark presets
+ shell: bash
+ run: npm install remark-preset-lint-recommended
+ - name: remark-lint
+ uses: reviewdog/action-remark-lint@v5
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ reporter: github-check
+
+ - name: shellcheck
+ uses: reviewdog/action-shellcheck@v1
+ with:
+ reporter: github-check
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: shfmt
+ uses: reviewdog/action-nimlint@v1
+ with:
+ reporter: github-check
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: textlint
+ uses: tsuyoshicho/action-textlint@v3
+ with:
+ reporter: github-check
+ textlint_flags: "**/*.md"
+ github_token: ${{ secrets.GITHUB_TOKEN
}} diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml index 5c927b9cc7..4ee6d80da0 100644 --- a/.github/workflows/scorecards-analysis.yml +++ b/.github/workflows/scorecards-analysis.yml @@ -29,13 +29,13 @@ jobs: api.osv.dev:443 api.securityscorecards.dev:443 bestpractices.coreinfrastructure.org:443 - bestpractices.dev:443 fulcio.sigstore.dev:443 github.com:443 oss-fuzz-build-logs.storage.googleapis.com:443 rekor.sigstore.dev:443 sigstore-tuf-root.storage.googleapis.com:443 tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - name: Checkout code uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 with: diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml index a1a3cce3ba..99b794bfac 100644 --- a/.github/workflows/spelling.yml +++ b/.github/workflows/spelling.yml @@ -17,9 +17,5 @@ jobs: objects.githubusercontent.com:443 raw.githubusercontent.com:443 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Install - run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/master/install-misspell.sh | sh -s -- -b . - - name: Spell Check with Misspell - run: ./misspell -error . - name: Spell Check with Typos uses: crate-ci/typos@bcafd462cb07ef7ba57e34abf458fe20767e808b # v1.19.0 diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml new file mode 100644 index 0000000000..67dd622ff4 --- /dev/null +++ b/.github/workflows/trivy.yml 
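Review bot: The step named `shfmt` near the end of the reviewdog hunk runs `reviewdog/action-nimlint@v1`, a Nim linter, so no shell-formatting check actually happens; it should read `uses: reviewdog/action-shfmt@v1`. The same job references every action by a mutable tag or branch (`actions/checkout@v3`, `actions/setup-node@v1`, `reviewdog/action-detect-secrets@master`, the `@v1`/`@v0`/`@v5` reviewdog actions), whereas `harden-runner` here and `checkout` in the other workflows of this commit are pinned to a full commit SHA with a `# vX.Y.Z` comment; a branch ref in particular lets an upstream force-push run arbitrary code with this job's token, so pin each `uses:` to a SHA. With `egress-policy: block` allowing only `api.github.com:443` and `github.com:443`, the `npm install remark-preset-lint-recommended` step and `setup-node` with `node-version: '*'` presumably need `registry.npmjs.org:443` and `nodejs.org:443` as well — confirm against a run before relying on these checks. The workflow also grants only `permissions: read-all` while every linter uses `reporter: github-check`, which as far as I can tell needs `checks: write` (the trivy workflow in this same commit sets it at job level); add `permissions: checks: write` on the `actionlint` job or the check runs will not be created.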
@@ -0,0 +1,32 @@
+name: trivy
+permissions: read-all
+on: [ push, pull_request ]
+
+jobs:
+ trivy:
+ runs-on: ubuntu-20.04
+ permissions:
+ checks: write
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: fs
+ format: sarif
+ output: trivy-results.sarif
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: trivy-results.sarif
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index d940a94bb0..6ffc2c83da 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -1,5 +1,5 @@
 [versions]
-asm = "9.6"
+asm = "9.7"
 auto-value = "1.10.4"
 awaitility = "4.2.1"
 bcel = "6.8.2"
@@ -33,7 +33,7 @@ felix-framework = "7.0.5"
 felix-scr = "2.2.10"
 findsecbugs = "1.13.0"
 flip-tables = "1.1.1"
-forbidden-apis = "3.6"
+forbidden-apis = "3.7"
 google-java-format = "1.21.0"
 guava = "33.1.0-jre"
 guice = "6.0.0"
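Review bot: `uses: aquasecurity/trivy-action@master` in the Trivy step is a mutable branch reference sitting next to a SHA-pinned `actions/checkout`, so an upstream push to that branch runs arbitrary code in a job that holds `security-events: write`; pin it (and `github/codeql-action/upload-sarif@v2`) to a full commit SHA with a version comment like the harden-runner line above it. The `egress-policy: block` allow-list permits only `api.github.com:443` and `github.com:443`, but a `scan-type: fs` run presumably has to fetch the vulnerability database from its default OCI registry (`ghcr.io:443` and the associated container-download host) before it can report anything — verify against a real run and extend `allowed-endpoints` accordingly, otherwise the scan will fail or, worse, run against a stale DB. Because the workflow also triggers on `pull_request`, runs from forks receive a read-only token and the SARIF upload step will likely fail; consider gating that step on `github.event.pull_request.head.repo.fork == false`.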