Skip to content

Merge pull request #201399 from Homebrew/ww/zizmor-drop-openssl #8

Merge pull request #201399 from Homebrew/ww/zizmor-drop-openssl

Merge pull request #201399 from Homebrew/ww/zizmor-drop-openssl #8

Workflow file for this run

name: actionlint
on:
push:
branches:
- master
paths:
- '.github/workflows/*.ya?ml'
- 'Formula/a/actionlint.rb'
- 'Formula/s/shellcheck.rb'
- 'Formula/z/zizmor.rb'
pull_request:
paths:
- '.github/workflows/*.ya?ml'
defaults:
run:
shell: bash -xeuo pipefail {0}
concurrency:
group: "actionlint-${{ github.ref }}"
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
env:
HOMEBREW_DEVELOPER: 1
HOMEBREW_NO_AUTO_UPDATE: 1
HOMEBREW_NO_ENV_HINTS: 1
permissions: {}
jobs:
workflow_syntax:
if: github.repository_owner == 'Homebrew'
runs-on: ubuntu-latest
container:
image: ghcr.io/homebrew/ubuntu22.04:master
steps:
- name: Set up Homebrew
id: setup-homebrew
uses: Homebrew/actions/setup-homebrew@master
with:
core: true
cask: false
test-bot: false
- name: Install tools
run: brew install actionlint shellcheck zizmor
- name: Set up GITHUB_WORKSPACE
env:
HOMEBREW_TAP_REPOSITORY: ${{ steps.setup-homebrew.outputs.repository-path }}
run: |
# Annotations work only relative to GITHUB_WORKSPACE
(shopt -s dotglob; rm -rf "${GITHUB_WORKSPACE:?}"/*; mv "${HOMEBREW_TAP_REPOSITORY:?}"/* "$GITHUB_WORKSPACE")
rmdir "$HOMEBREW_TAP_REPOSITORY"
ln -vs "$GITHUB_WORKSPACE" "$HOMEBREW_TAP_REPOSITORY"
- run: zizmor --format sarif . > results.sarif
- name: Upload SARIF file
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: results.sarif
path: results.sarif
- name: Set up actionlint
run: |
# Setting `shell: /bin/bash` prevents shellcheck from running on
# those steps, so let's change them to `shell: bash` for linting.
sed -i 's|shell: /bin/bash -x|shell: bash -x|' .github/workflows/*.y*ml
# The JSON matcher needs to be accessible to the container host.
cp "$(brew --repository)/.github/actionlint-matcher.json" "$HOME"
echo "::add-matcher::$HOME/actionlint-matcher.json"
- run: actionlint
upload_sarif:
needs: workflow_syntax
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Download SARIF file
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: results.sarif
path: results.sarif
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
with:
sarif_file: results.sarif
category: zizmor