
[StepSecurity] Apply security best practices #71

Workflow file for this run

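# Lint workflow: runs ESLint on ui/ and golangci-lint on the repository, then
# uploads both result sets as SARIF to GitHub code scanning.
name: Lint

on:
  push:
    branches: ["master"]
  pull_request:
    branches: ["master"]
  schedule:
    # Weekly run: Fridays at 15:36 (GitHub evaluates schedules in UTC).
    - cron: '36 15 * * 5'

# Token scopes granted to every job in this workflow.
# `security-events: write` is what the two upload-sarif steps rely on. For
# pull requests opened from forks GitHub issues a read-only token, so the
# uploads are expected to fail on those runs.
# NOTE(review): no step below visibly needs `packages: read`, and
# `checks: write` looks relevant only to the golangci-lint job - confirm, and
# consider moving each scope to the job that actually uses it.
permissions:
  contents: read
  security-events: write
  actions: read
  packages: read
  checks: write

jobs:
  eslint:
    name: ESLint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
        with:
          # No later step pushes or fetches with git, so do not leave the job
          # token in .git/config, where code run by `pnpm install` or by the
          # linter could read it.
          persist-credentials: false

      - name: Set up Node.js
        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
        with:
          node-version: '21'

      - name: Set up pnpm
        uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
        with:
          standalone: true
          package_json_file: 'ui/package.json'
          # NOTE(review): `latest` floats, unlike the SHA-pinned actions in
          # this file. Consider pinning an exact pnpm version so the tool that
          # resolves and installs dependencies cannot change between runs.
          version: latest

      - name: Get pnpm store directory
        shell: bash
        # Exports STORE_PATH to later steps; the target file is quoted so the
        # redirect does not depend on the path being free of spaces or globs.
        run: |
          echo "STORE_PATH=$(pnpm store path --silent)" >> "$GITHUB_ENV"

      - name: Setup pnpm cache
        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
        with:
          path: ${{ env.STORE_PATH }}
          # Exact key follows the lockfile hash; restore-keys falls back to
          # the most recent store for the same OS.
          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
          restore-keys: |
            ${{ runner.os }}-pnpm-store-

      - name: Install dependencies
        working-directory: ./ui
        # Runs for pull_request events too, so third-party package code may
        # execute here; the workflow token scopes above bound what it can do.
        run: pnpm install

      - name: Run ESLint
        working-directory: ./ui
        run: >-
          pnpm eslint .
          --ext ".ts,.tsx"
          --format @microsoft/eslint-formatter-sarif
          --output-file eslint-results.sarif
        # Lint findings must not stop the job: the SARIF file still has to be
        # uploaded by the next step.
        continue-on-error: true

      - name: Upload analysis results to GitHub
        uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
        with:
          sarif_file: ./ui/eslint-results.sarif
          wait-for-processing: true

  golangci-lint:
    name: GolangCI Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Actions Repository
        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
        with:
          # Same reasoning as in the eslint job: nothing below needs git
          # credentials, so they are not written to the checkout.
          persist-credentials: false

      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
        with:
          version: v1.59
          args: '--out-format=colored-line-number,sarif:golangci-lint-results.sarif'
        # Findings are reported through the SARIF upload, not the job status.
        continue-on-error: true

      # fixme: remove this after https://github.com/golangci/golangci-lint/pull/4758 merged
      - name: Workaround to fix the issue with golangci-lint sarif output
        # Rewrites every run whose `results` is null to carry an empty array,
        # via a temp file so the input is not truncated while jq reads it.
        run: |
          jq '(.runs[] | select(.results == null) | .results) = []' golangci-lint-results.sarif > tmp.sarif
          mv tmp.sarif golangci-lint-results.sarif

      - name: Upload analysis results to GitHub
        uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
        with:
          sarif_file: ./golangci-lint-results.sarif
          wait-for-processing: true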