BRE-370 - Add rule settings for document-start and document-end markers

[vgrassia]

🎟️ Tracking

• Card

📔 Objective

This PR adds rule settings for document-start and document-end markers for yamllint. If a document-start or document-end marker is in the workflow file, the workflow linter will fail with an error.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[Eeebru]

So we must remove all document-start from all workflow files then? Should this be on hold until we clear workflow files up?

[github-actions]

Checkmarx One – Scan Summary & Details – 707072d5-db73-4458-bf07-cf2f4eff98a6

New Issues

Severity	Issue	Source File / Package	Checkmarx Insight
	Unpinned Actions Full Length Commit SHA	/workflow-linter.yml: 51	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...

Fixed Issues

Severity	Issue	Source File / Package
	Absolute_Path_Traversal	/download-artifacts/node_modules/unzip-stream/test.js: 20
	Log_Forging	/download-artifacts/node_modules/minimist/example/parse.js: 3
	Log_Forging	/download-artifacts/node_modules/unzip-stream/test.js: 6
	Log_Forging	/download-artifacts/node_modules/uuid/dist/uuid-bin.js: 26
	Log_Forging	/download-artifacts/node_modules/uuid/dist/uuid-bin.js: 26
	Log_Forging	/get-keyvault-secrets/node_modules/uuid/dist/uuid-bin.js: 26
	Log_Forging	/get-keyvault-secrets/node_modules/uuid/dist/uuid-bin.js: 26

[mimartin12]

So we must remove all document-start from all workflow files then? Should this be on hold until we clear workflow files up?

Good call out.
Linking some docs here:
https://yamllint.readthedocs.io/en/latest/rules.html#module-yamllint.rules.document_start
https://yamllint.readthedocs.io/en/latest/rules.html#module-yamllint.rules.document_end

While it would be the most annoying, throwing an error on this would make the updates go faster, as opposed to generating a lot of warnings that will take the team a bit to uncover and update.

[vgrassia]

@Eeebru created a card for this. I'll be holding on merging this until we clean up all the current workflows.