mirror of
https://github.com/github/spec-kit.git
synced 2026-07-03 12:28:06 +08:00
* ci: pin actions to commit SHAs and add shellcheck Pin actions/github-script in catalog-assign.yml to a full commit SHA; all other workflows were already pinned. Add a repo-wide regression test that every workflow `uses:` ref is pinned to a 40-char commit SHA. Add a shellcheck job to lint.yml (--severity=error over scripts/bash/*.sh) and document the local command in CONTRIBUTING.md. * ci: use repo-standard actions/checkout v7.0.0 in shellcheck job * ci: shellcheck all tracked shell scripts Assisted-by: Codex (model: GPT-5, autonomous) * ci: address workflow hygiene review feedback Assisted-by: Codex (model: GPT-5, autonomous)
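# Lint workflow: whitespace/conflict-marker check, markdownlint, and shellcheck.
name: Lint

# Least privilege: every job gets a read-only GITHUB_TOKEN.
permissions:
  contents: read

on:
  push:
    branches: ["main"]
  pull_request:

jobs:
  markdownlint:
    runs-on: ubuntu-latest
    steps:
      # Actions are referenced by full commit SHA; the trailing tag comment is
      # informational only and must be re-checked whenever the SHA is bumped.
      # NOTE(review): a later step in this job runs `git fetch` against origin,
      # so credential persistence is left at the checkout default here; confirm
      # whether an anonymous fetch would suffice before disabling it.
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          fetch-depth: 1

      # Event data reaches the script through env vars rather than being
      # interpolated into the `run:` text, so the values are never parsed as
      # shell source.
      - name: Run git diff --check
        shell: bash
        env:
          EVENT_NAME: ${{ github.event_name }}
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_SHA: ${{ github.sha }}
        run: |
          set -euo pipefail

          if [ "$EVENT_NAME" = "pull_request" ]; then
            git fetch --no-tags --depth=1 origin "+${PR_BASE_SHA}:refs/checks/pr-base"
            git diff --check refs/checks/pr-base HEAD
          elif [ "$PUSH_BEFORE_SHA" = "0000000000000000000000000000000000000000" ]; then
            git diff-tree --check --no-commit-id --root -r "$GITHUB_SHA"
          else
            git fetch --no-tags --depth=1 origin "+${PUSH_BEFORE_SHA}:refs/checks/push-before"
            git diff --check refs/checks/push-before HEAD
          fi

      # NOTE(review): inside a literal block scalar the single quotes around
      # the first glob are part of the value; confirm the action tolerates them.
      - name: Run markdownlint-cli2
        uses: DavidAnson/markdownlint-cli2-action@ded1f9488f68a970bc66ea5619e13e9b52e601cd # v23
        with:
          globs: |
            '**/*.md'
            !extensions/**/*.md

  shellcheck:
    runs-on: ubuntu-latest
    steps:
      # No later step in this job contacts the remote, so the token is not
      # left behind in the checkout's git config.
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false

      # shellcheck is preinstalled on ubuntu-latest runners.
      # Start at --severity=error to block real bugs without flagging style
      # (notably SC2155). Tighten in a follow-up after cleanup.
      # `shell: bash` is set explicitly so the runner starts bash with
      # `-eo pipefail`; with the implicit default a failing `git ls-files`
      # would be masked by the exit status of the last pipeline command.
      - name: Run shellcheck on shell scripts
        shell: bash
        run: git ls-files -z -- '*.sh' | xargs -0 shellcheck --severity=error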