fix: update README.md file to list explicit secure practices to apply #462
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: presubmit workflow lint | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| workflow_dispatch: {} | |
| jobs: | |
| validate-schema: | |
| uses: GeoNet/Actions/.github/workflows/reusable-presubmit-github-actions-workflow-validator.yml@main | |
| commit-digest-vet: | |
| uses: GeoNet/Actions/.github/workflows/reusable-presubmit-actions-workflow-require-commit-digest-vet.yml@main | |
| require-actions-run-from-GeoNet-org: | |
| runs-on: ubuntu-latest | |
| env: | |
| REQUIRED_STRING_GENERIC: "startsWith(github.repository, 'GeoNet/') == false" # use the steps field and exit 1 | |
| REQUIRED_STRING_APPS: "startsWith(github.repository, 'GeoNet/') != false" # use existing if statements for the chained reuse of workflows, since there's no steps field | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: check for GeoNet org requirement | |
| run: | | |
| FAILURES=false | |
| for WORKFLOW in $(find .github/workflows -name 'reusable*' | xargs); do | |
| if ! ( grep -q "$REQUIRED_STRING_GENERIC" "$WORKFLOW" \ | |
| || ( echo "$WORKFLOW" | grep -q apps && grep -q "$REQUIRED_STRING_APPS" "$WORKFLOW" ) ); then | |
| echo "Reusable workflow must be restricted to only run from GeoNet org: $WORKFLOW" | |
| FAILURES=true | |
| fi | |
| done | |
| if [ "$FAILURES" = true ]; then | |
| exit 1 | |
| fi | |
| require-reusable-workflow-is-documented: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: check workflow is documented | |
| run: | | |
| FAILURES=false | |
| for WORKFLOW in $(find .github/workflows -name 'reusable*' | xargs); do | |
| if ! grep -q "$WORKFLOW" USAGE.md; then | |
| echo "Not found in USAGE.md: $WORKFLOW" | |
| FAILURES=true | |
| fi | |
| done | |
| if [ "$FAILURES" = true ]; then | |
| exit 1 | |
| fi | |
| require-jobs-run-steps-have-name: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: check for run steps without name | |
| run: | | |
| FAILURES=false | |
| for WORKFLOW in $(find .github/workflows -type f | xargs); do | |
| if yq e -o json '.jobs.*.steps[]' "$WORKFLOW" -P \ | |
| | jq -rc --arg WORKFLOW "$WORKFLOW" 'select(.run!=null) | select(.name==null) | "workflow (" + $WORKFLOW + ") missing name in step with run\n" + .run' \ | |
| | grep -z "missing name"; then | |
| FAILURES=true | |
| fi | |
| done | |
| if [ "$FAILURES" = true ]; then | |
| exit 1 | |
| fi |