-
Notifications
You must be signed in to change notification settings - Fork 0
feat: add lint validation, task registry, and formatting helpers #108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
a679a02
c7d341e
0d6c281
848e66f
04c0fdf
91bd274
147d9e8
4cded8b
fe92ea2
20357b0
346aa64
5f27eb9
7deaa1a
b33a67f
3ef4ea9
00e2f87
d3ad0ea
cec918f
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| name: Dist | ||
|
|
||
| on: | ||
| push: | ||
| branches: [main, master, develop] | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| # Rebuild the embedded task-ui bundle from source and commit it back when it | ||
| # changed. dist/taskui.js is gitignored build output that task/ui/assets.go | ||
| # embeds via `//go:embed`, so it must be kept in sync with task/ui/src. | ||
| # Only runs on push (a real branch to push to); the commit is marked | ||
| # [skip ci] to avoid re-triggering this workflow. | ||
| task-ui: | ||
| name: Rebuild task-ui bundle | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| persist-credentials: false | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: "22" | ||
|
|
||
| - name: Build and commit task-ui bundle | ||
| env: | ||
| GH_TOKEN: ${{ secrets.FLANKBOT }} | ||
| run: | | ||
| make task-ui | ||
| git config user.name "github-actions[bot]" | ||
| git config user.email "github-actions[bot]@users.noreply.github.com" | ||
| git add -f task/ui/dist/taskui.js | ||
| if ! git diff --cached --quiet; then | ||
| git commit -m "chore(embed): rebuild task-ui bundle [skip ci]" | ||
| git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git" | ||
| git push origin HEAD:${{ github.ref_name }} | ||
| else | ||
| echo "task-ui bundle unchanged" | ||
| fi | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,98 @@ | ||
| name: CI | ||
|
|
||
| on: | ||
| push: | ||
| branches: [main, master, develop] | ||
| pull_request: | ||
| types: [opened, synchronize, reopened] | ||
| workflow_dispatch: | ||
|
|
||
| env: | ||
| GO_VERSION: "1.26" | ||
|
|
||
| jobs: | ||
| test: | ||
| name: Test | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Set up Go | ||
| uses: actions/setup-go@v5 | ||
| with: | ||
| go-version: ${{ env.GO_VERSION }} | ||
| cache: true | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: "22" | ||
|
|
||
| - name: Gavel test | ||
| uses: flanksource/gavel@main | ||
| with: | ||
| args: test | ||
| comment-header: gavel-test | ||
| artifact-name: gavel-test-results | ||
|
|
||
| lint: | ||
| name: Lint | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Set up Go | ||
| uses: actions/setup-go@v5 | ||
| with: | ||
| go-version: ${{ env.GO_VERSION }} | ||
| cache: true | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: "22" | ||
|
|
||
| # The gavel action always injects `--show-passed`, which `gavel lint` | ||
| # rejects (only `gavel test` accepts it), so run the binary directly. | ||
| - name: Install gavel | ||
| run: | | ||
| mkdir -p "$HOME/.local/bin" | ||
| curl -fsSL "https://github.com/flanksource/gavel/releases/download/${GAVEL_VERSION}/gavel_linux_amd64.tar.gz" -o /tmp/gavel.tar.gz | ||
| tar -xzf /tmp/gavel.tar.gz -C /tmp | ||
| install -m 0755 /tmp/gavel "$HOME/.local/bin/gavel" | ||
| echo "$HOME/.local/bin" >> "$GITHUB_PATH" | ||
| env: | ||
| GAVEL_VERSION: v0.0.39 | ||
|
|
||
| - name: Gavel lint | ||
| run: gavel lint --no-progress --no-color | ||
|
|
||
| openapi: | ||
| name: OpenAPI Integration | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up Go | ||
| uses: actions/setup-go@v5 | ||
| with: | ||
| go-version: ${{ env.GO_VERSION }} | ||
| cache: true | ||
|
|
||
| - name: Run OpenAPI integration tests | ||
| run: make test:openapi | ||
| env: | ||
| CGO_ENABLED: 1 | ||
Check warningCode scanning / CodeQL Workflow does not contain permissions Medium
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
|
||
|
Comment on lines
+83
to
+98
Comment on lines
+82
to
+98
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Add explicit permissions block to the openapi job. The openapi job inherits default permissions, which may be overly broad. Explicitly grant only the minimum required permissions. 🔐 Proposed fix openapi:
name: OpenAPI Integration
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:🧰 Tools🪛 GitHub Check: CodeQL[warning] 38-53: Workflow does not contain permissions 🪛 zizmor (1.25.2)[warning] 41-42: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) [warning] 37-54: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block (excessive-permissions) [error] 42-42: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) [error] 45-45: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI Agents |
||
This file was deleted.
This file was deleted.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Validate or quote the branch reference to prevent injection.
github.ref_nameis expanded into the git push command without validation or quoting. Although this workflow is restricted to specific branches, branch names containing shell metacharacters could lead to command injection if branch protections are misconfigured.🛡️ Proposed fix to quote the variable
git remote set-url origin "https://x-access-token:${GH_TOKEN}`@github.com/`${{ github.repository }}.git" - git push origin HEAD:${{ github.ref_name }} + git push origin "HEAD:${{ github.ref_name }}"Alternatively, validate that
ref_namematches expected branches:git remote set-url origin "https://x-access-token:${GH_TOKEN}`@github.com/`${{ github.repository }}.git" + case "${{ github.ref_name }}" in + main|master|develop) ;; + *) echo "Unexpected branch: ${{ github.ref_name }}"; exit 1 ;; + esac git push origin HEAD:${{ github.ref_name }}📝 Committable suggestion
🧰 Tools
🪛 zizmor (1.25.2)
[error] 42-42: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
🤖 Prompt for AI Agents