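---
# yamllint disable rule:line-length
#
# Lint workflow. Runs the repository's pre-commit hooks plus language-specific
# linters on every pull request and on manual dispatch. Steps gated on a file
# type (terraform, docker, actions, renovate) run only when matching paths
# changed in the PR, or unconditionally on workflow_dispatch. Every step after
# the first linter carries `success() || failure()` so that one failing linter
# does not hide the results of the others.
name: Lint all
# yamllint disable-line rule:truthy
on:
  pull_request:
  workflow_dispatch:

# Least privilege for the job token: the job only reads the checkout and, for
# the changed-files lookup on pull_request events, the PR file list. No step
# here writes back to the repository or the PR.
permissions:
  contents: read
  pull-requests: read

# One lint run per PR (or per ref for manual dispatch); a newer push cancels
# the in-flight run for the same group.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  lint:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 1

      # Produces <group>_any_changed outputs consumed by the gated steps below.
      - name: Determine what files types have changed
        id: changed-files-yaml
        uses: tj-actions/changed-files@c65cd883420fd2eb864698a825fc4162dd94482c # v44
        with:
          files_yaml: |
            actions:
              - .github/workflows/**
              - .shellcheckrc
            renovate:
              - .github/renovate.json
              - .github/renovate/**
            terraform:
              - '**.tf'
              - '**/.terraform-version'
              - '**/.terraform.lock.hcl'
              - '.tflint.hcl'
            docker:
              - '**/Dockerfile'
              - '.hadolint.yaml'

      - name: Setup poetry
        run: pipx install "poetry==${POETRY_VERSION}"
        env:
          # renovate: datasource=pypi depName=poetry
          POETRY_VERSION: "1.8.3"

      - name: Set up python
        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5
        with:
          python-version: '3.12'
          cache: 'poetry'

      - name: Set up node
        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4
        with:
          node-version-file: '.node-version'
          cache: 'npm'
          cache-dependency-path: 'package-lock.json'

      - name: Setup tflint
        uses: terraform-linters/setup-tflint@19a52fbac37dacb22a09518e4ef6ee234f2d4987 # v4

      # Keyed on the interpreter location and the hook config so a change to
      # either invalidates the cached hook environments.
      - name: Cache pre-commit hooks
        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
        with:
          path: ~/.cache/pre-commit/
          key: pre-commit|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }}

      - name: Install python requirements
        run: |
          poetry --version
          poetry install --no-interaction
          poetry env info

      - name: Install node packages
        run: npm ci --no-fund --no-audit

      - name: Install pre-commit hooks
        run: poetry run pre-commit install --install-hooks --hook-type pre-commit

      # Each hook is run as its own step so the job summary shows which one failed.
      - name: check-added-large-files
        run: poetry run pre-commit run --all-files --color=always check-added-large-files

      - name: check-executables-have-shebangs
        if: success() || failure()
        run: poetry run pre-commit run --all-files --color=always check-executables-have-shebangs

      - name: check-json
        if: success() || failure()
        run: poetry run pre-commit run --all-files --color=always check-json

      - name: detect-private-key
        if: success() || failure()
        run: poetry run pre-commit run --all-files --color=always detect-private-key

      - name: end-of-file-fixer
        if: success() || failure()
        run: poetry run pre-commit run --all-files --color=always end-of-file-fixer

      - name: forbid-new-submodules
        if: success() || failure()
        run: poetry run pre-commit run --all-files --color=always forbid-new-submodules

      - name: mixed-line-ending
        if: success() || failure()
        run: poetry run pre-commit run --all-files --color=always mixed-line-ending

      - name: trailing-whitespace
        if: success() || failure()
        run: poetry run pre-commit run --all-files --color=always trailing-whitespace

      - name: shellcheck
        if: success() || failure()
        run: poetry run pre-commit run --all-files --color=always shellcheck

      - name: terraform-fmt
        if: (success() || failure()) && (steps.changed-files-yaml.outputs.terraform_any_changed == 'true' || github.event_name == 'workflow_dispatch')
        run: poetry run pre-commit run --all-files --color=always terraform-fmt

      - name: terraform-validate
        if: (success() || failure()) && (steps.changed-files-yaml.outputs.terraform_any_changed == 'true' || github.event_name == 'workflow_dispatch')
        run: poetry run pre-commit run --all-files --color=always terraform-validate

      - name: tflint
        if: (success() || failure()) && (steps.changed-files-yaml.outputs.terraform_any_changed == 'true' || github.event_name == 'workflow_dispatch')
        run: poetry run pre-commit run --all-files --color=always tflint

      - name: hadolint
        if: (success() || failure()) && (steps.changed-files-yaml.outputs.docker_any_changed == 'true' || github.event_name == 'workflow_dispatch')
        uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
        with:
          dockerfile: "Dockerfile"
          recursive: true
          failure-threshold: warning
          config: .hadolint.yaml

      - name: yamllint
        if: success() || failure()
        run: poetry run yamllint -c .yamllint --strict --format github .

      - name: actionlint
        if: (success() || failure()) && (steps.changed-files-yaml.outputs.actions_any_changed == 'true' || github.event_name == 'workflow_dispatch')
        shell: bash
        env:
          # renovate: datasource=github-releases depName=rhysd/actionlint
          ACTIONLINT_VERSION: "1.7.1"
        run: |
          set -euo pipefail
          if [[ "${RUNNER_ARCH}" == "ARM64" ]]; then
            pkg_arch=arm64
          else
            pkg_arch=amd64
          fi
          base="https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}"
          pkg="actionlint_${ACTIONLINT_VERSION}_linux_${pkg_arch}.tar.gz"
          wget --quiet -c "${base}/${pkg}" -O "/tmp/${pkg}"
          # Verify the tarball against the release's checksum manifest before it is
          # installed as root: a truncated or substituted download fails here instead
          # of being executed. A digest pinned in this file next to ACTIONLINT_VERSION
          # would be the stronger guard, since the manifest comes from the same origin.
          wget --quiet "${base}/actionlint_${ACTIONLINT_VERSION}_checksums.txt" -O /tmp/actionlint_checksums.txt
          (cd /tmp && sha256sum --check --ignore-missing --strict actionlint_checksums.txt)
          tar -xzf "/tmp/${pkg}" -C /tmp
          sudo install -o root -g root -m 0755 /tmp/actionlint /usr/local/sbin/actionlint
          set -x
          actionlint -shellcheck "shellcheck -c .shellcheckrc"

      # Lints every commit of the PR (HEAD~<commit count>..HEAD). The event values
      # are passed through env rather than templated into the shell line.
      - name: commitlint
        if: (success() || failure()) && (github.event_name == 'pull_request')
        env:
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          PR_COMMITS: ${{ github.event.pull_request.commits }}
        run: npx commitlint --color --from "${HEAD_SHA}~${PR_COMMITS}" --to "${HEAD_SHA}" --verbose

      - name: validate-renovate-config
        if: (success() || failure()) && (steps.changed-files-yaml.outputs.renovate_any_changed == 'true' || github.event_name == 'workflow_dispatch')
        shell: bash
        # yamllint disable-line rule:indentation
        run: |
          set -euo pipefail
          # NOTE: renovate is installed unpinned, so the validator version floats
          # from run to run; a renovate-managed version variable (as used for poetry
          # and actionlint above) would make this reproducible.
          npm install --no-fund --no-audit renovate
          echo "Validating renovate main configuration..."
          echo ".github/renovate.json:"
          npx --yes --package renovate -- renovate-config-validator .github/renovate.json | pr -t -o 4
          echo
          echo "Validating renovate sub configuration..."
          # NUL-delimited iteration and a quoted "${rc}" so a config path containing
          # whitespace is passed to the validator as one argument.
          while IFS= read -r -d '' rc; do
            echo "${rc}:"
            npx --yes --package renovate -- renovate-config-validator "${rc}" | pr -t -o 4
          done < <(find .github/renovate -type f -name '*.json' -print0 | sort -z)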