Skip to content

[automation] Auto-update linters version, help and documentation #8659

[automation] Auto-update linters version, help and documentation

[automation] Auto-update linters version, help and documentation #8659

---
#########################
#########################
## Deploy Docker Image Linters ##
#########################
#########################
# Documentation:
# https://help.github.com/en/articles/workflow-syntax-for-github-actions
#
#######################################
# Start the job on all push to main #
#######################################
name: "Build & Deploy - DEV linters"
on:
pull_request:
###############
# Set the Job #
###############
concurrency:
group: ${{ github.ref_name }}-${{ github.workflow }}
cancel-in-progress: true
jobs:
build:
# Name the Job
name: DEV/Linters
# Set the agent to run on
runs-on: ubuntu-latest
permissions: read-all
strategy:
fail-fast: false
max-parallel: 14
matrix:
# linters-start
linter:
[
"action_actionlint",
"ansible_ansible_lint",
"api_spectral",
"arm_arm_ttk",
"bash_exec",
"bash_shellcheck",
"bash_shfmt",
"bicep_bicep_linter",
"c_cpplint",
"c_clang_format",
"clojure_clj_kondo",
"cloudformation_cfn_lint",
"coffee_coffeelint",
"copypaste_jscpd",
"cpp_cpplint",
"cpp_clang_format",
"csharp_dotnet_format",
"csharp_csharpier",
"csharp_roslynator",
"css_stylelint",
"dart_dartanalyzer",
"dockerfile_hadolint",
"editorconfig_editorconfig_checker",
"env_dotenv_linter",
"gherkin_gherkin_lint",
"go_golangci_lint",
"go_revive",
"graphql_graphql_schema_linter",
"groovy_npm_groovy_lint",
"html_djlint",
"html_htmlhint",
"java_checkstyle",
"java_pmd",
"javascript_es",
"javascript_standard",
"javascript_prettier",
"json_jsonlint",
"json_v8r",
"json_prettier",
"json_npm_package_json_lint",
"jsx_eslint",
"kotlin_ktlint",
"kotlin_detekt",
"kubernetes_kubeconform",
"kubernetes_helm",
"kubernetes_kubescape",
"latex_chktex",
"lua_luacheck",
"lua_selene",
"lua_stylua",
"markdown_markdownlint",
"markdown_markdown_link_check",
"markdown_markdown_table_formatter",
"perl_perlcritic",
"php_phpcs",
"php_phpstan",
"php_psalm",
"php_phplint",
"php_phpcsfixer",
"powershell_powershell",
"powershell_powershell_formatter",
"protobuf_protolint",
"puppet_puppet_lint",
"python_pylint",
"python_black",
"python_flake8",
"python_isort",
"python_bandit",
"python_mypy",
"python_pyright",
"python_ruff",
"r_lintr",
"raku_raku",
"repository_checkov",
"repository_devskim",
"repository_dustilock",
"repository_git_diff",
"repository_gitleaks",
"repository_grype",
"repository_kics",
"repository_ls_lint",
"repository_secretlint",
"repository_semgrep",
"repository_syft",
"repository_trivy",
"repository_trivy_sbom",
"repository_trufflehog",
"rst_rst_lint",
"rst_rstcheck",
"rst_rstfmt",
"ruby_rubocop",
"rust_clippy",
"salesforce_sfdx_scanner_apex",
"salesforce_sfdx_scanner_aura",
"salesforce_sfdx_scanner_lwc",
"salesforce_lightning_flow_scanner",
"scala_scalafix",
"snakemake_lint",
"snakemake_snakefmt",
"spell_cspell",
"spell_proselint",
"spell_vale",
"spell_lychee",
"sql_sqlfluff",
"swift_swiftlint",
"tekton_tekton_lint",
"terraform_tflint",
"terraform_terrascan",
"terraform_terragrunt",
"terraform_terraform_fmt",
"tsx_eslint",
"typescript_es",
"typescript_standard",
"typescript_prettier",
"vbdotnet_dotnet_format",
"xml_xmllint",
"yaml_prettier",
"yaml_yamllint",
"yaml_v8r",
]
# linters-end
platform: ["linux/amd64"]
# Only run this on the main repo
if: |
(
(github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
(github.event_name == 'push' && github.repository == 'oxsecurity/megalinter')
)
&& !contains(github.event.head_commit.message, 'skip deploy')
##################
# Load all steps #
##################
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Docker Metadata action
uses: docker/[email protected]
id: meta
with:
images: |
${{ github.repository }}-only-${{ matrix.linter }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
if: ${{ ( ( runner.arch != 'X64' || runner.os != 'Linux' ) && matrix.platform == 'linux/amd64' ) || matrix.platform != 'linux/amd64' }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build Image
uses: docker/build-push-action@v6
with:
context: .
file: linters/${{ matrix.linter }}/Dockerfile
platforms: ${{ matrix.platform }}
build-args: |
BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
BUILD_VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
BUILD_REVISION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
load: true
push: false
secrets: |
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
tags: ${{ steps.meta.outputs.tags }}
#####################################
# Run Linter test cases #
#####################################
- name: Run Test Cases
shell: bash
run: |
GITHUB_REPOSITORY=$([ "${{ github.event_name }}" == "pull_request" ] && echo "${{ github.event.pull_request.head.repo.full_name }}" || echo "${{ github.repository }}")
GITHUB_BRANCH=$([ "${{ github.event_name }}" == "pull_request" ] && echo "${{ github.head_ref }}" || echo "${{ github.ref_name }}")
TEST_KEYWORDS_TO_USE_UPPER="${{ matrix.linter }}"
TEST_KEYWORDS_TO_USE="${TEST_KEYWORDS_TO_USE_UPPER,,}"
docker image ls
docker run -e TEST_CASE_RUN=true -e OUTPUT_FORMAT=text -e OUTPUT_FOLDER=${{ github.sha }} -e OUTPUT_DETAIL=detailed -e GITHUB_SHA=${{ github.sha }} -e GITHUB_REPOSITORY=${GITHUB_REPOSITORY} -e GITHUB_BRANCH=${GITHUB_BRANCH} -e GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" -e TEST_KEYWORDS="${TEST_KEYWORDS_TO_USE}" -e MEGALINTER_VOLUME_ROOT="${GITHUB_WORKSPACE}" -v "/var/run/docker.sock:/var/run/docker.sock:rw" -v ${GITHUB_WORKSPACE}:/tmp/lint ${{ fromJson(steps.meta.outputs.json).tags[0]}}
timeout-minutes: 30
##############################################
# Check Docker image security with Trivy #
##############################################
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: "${{ fromJson(steps.meta.outputs.json).tags[0] }}"
format: "table"
exit-code: "1"
ignore-unfixed: true
scanners: vuln
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
timeout: 10m0s
env:
ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }}