diff --git a/.github/.mega-linter.yaml b/.github/.mega-linter.yaml
new file mode 100644
index 0000000..07be5e1
--- /dev/null
+++ b/.github/.mega-linter.yaml
@@ -0,0 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/megalinter/megalinter/main/megalinter/descriptors/schemas/megalinter-configuration.jsonschema.json
+# ref:
+
+EXTENDS:
+ - https://github.com/liblaf/repo/raw/refs/heads/main/.github/linters/.mega-linter.yaml
diff --git a/.github/megalinter/.checkov.yml b/.github/megalinter/.checkov.yml
deleted file mode 100644
index c58dc54..0000000
--- a/.github/megalinter/.checkov.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-# ref:
-
-# You can see all available properties here: https://github.com/bridgecrewio/checkov#configuration-using-a-config-file
-quiet: true
-
-skip-check:
- - CKV_DOCKER_2
- - CKV_GHA_7
- - CKV2_GHA_1
diff --git a/.github/megalinter/.devskim.json b/.github/megalinter/.devskim.json
deleted file mode 100644
index e6c4b73..0000000
--- a/.github/megalinter/.devskim.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "IgnoreRuleIds": ["DS176209"],
- "Globs": ["**/.git/**", "**/megalinter-reports/**"]
-}
diff --git a/.github/megalinter/kics.config b/.github/megalinter/kics.config
deleted file mode 100644
index 9cc8fde..0000000
--- a/.github/megalinter/kics.config
+++ /dev/null
@@ -1,2 +0,0 @@
-exclude-queries:
- - 555ab8f9-2001-455e-a077-f2d0f41e2fb9
diff --git a/.github/workflows/megalinter.yaml b/.github/workflows/megalinter.yaml
index 5fb30a5..58959d8 100644
--- a/.github/workflows/megalinter.yaml
+++ b/.github/workflows/megalinter.yaml
@@ -1,36 +1,17 @@
# ref:
+# ref:
-# MegaLinter GitHub Action configuration file
-# More info at https://megalinter.io
----
name: MegaLinter
-# Trigger mega-linter at every push. Action will also be visible from
-# Pull Requests to main
on:
- # Comment this line to trigger action only on pull-requests
- # (not recommended if you don't pay for GH Actions)
push:
-
pull_request:
branches:
- main
- - master
-# Comment env block if you do not want to apply fixes
env:
- # Apply linter fixes configuration
- #
- # When active, APPLY_FIXES must also be defined as environment variable
- # (in github/workflows/mega-linter.yml or other CI tool)
APPLY_FIXES: all
-
- # Decide which event triggers application of fixes in a commit or a PR
- # (pull_request, push, all)
APPLY_FIXES_EVENT: pull_request
-
- # If APPLY_FIXES is used, defines if the fixes are directly committed (commit)
- # or posted in a PR (pull_request)
APPLY_FIXES_MODE: commit
concurrency:
@@ -40,88 +21,64 @@ concurrency:
jobs:
megalinter:
name: MegaLinter
- runs-on: ubuntu-latest
-
- # Give the default GITHUB_TOKEN write permission to commit and push, comment
- # issues, and post new Pull Requests; remove the ones you do not need
permissions:
contents: write
issues: write
pull-requests: write
-
+ security-events: write
+ statuses: write
+ runs-on: ubuntu-latest
steps:
- # Git Checkout
- - name: Checkout Code
+ - name: Checkout
uses: actions/checkout@v4
with:
- token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
-
- # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to
- # improve performance
- fetch-depth: 0
-
- # MegaLinter
- - name: MegaLinter
-
- # You can override MegaLinter flavor used to have faster performances
- # More info at https://megalinter.io/latest/flavors/
+ token: ${{ github.token }}
+ - id: ml
+ name: MegaLinter
uses: oxsecurity/megalinter@v8
-
- id: ml
-
- # All available variables are described in documentation
- # https://megalinter.io/latest/config-file/
+ # ref:
env:
- # Validates all source when push on main, else just the git diff with
- # main. Override with true if you always want to lint all sources
- #
- # To validate the entire codebase, set to:
- # VALIDATE_ALL_CODEBASE: true
- #
- # To validate only diff with main, set to:
- # VALIDATE_ALL_CODEBASE: >-
- # ${{
- # github.event_name == 'push' &&
- # github.ref == 'refs/heads/main'
- # }}
- VALIDATE_ALL_CODEBASE: true
-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- # Uncomment to use ApiReporter (Grafana)
- # API_REPORTER: true
- # API_REPORTER_URL: ${{ secrets.API_REPORTER_URL }}
- # API_REPORTER_BASIC_AUTH_USERNAME: ${{ secrets.API_REPORTER_BASIC_AUTH_USERNAME }}
- # API_REPORTER_BASIC_AUTH_PASSWORD: ${{ secrets.API_REPORTER_BASIC_AUTH_PASSWORD }}
- # API_REPORTER_METRICS_URL: ${{ secrets.API_REPORTER_METRICS_URL }}
- # API_REPORTER_METRICS_BASIC_AUTH_USERNAME: ${{ secrets.API_REPORTER_METRICS_BASIC_AUTH_USERNAME }}
- # API_REPORTER_METRICS_BASIC_AUTH_PASSWORD: ${{ secrets.API_REPORTER_METRICS_BASIC_AUTH_PASSWORD }}
- # API_REPORTER_DEBUG: false
-
- # ADD YOUR CUSTOM ENV VARIABLES HERE TO OVERRIDE VALUES OF
- # .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY
+ # Common Variables
+ MEGALINTER_CONFIG: .github/.mega-linter.yaml
+ VALIDATE_ALL_CODEBASE: true
+ # Linters
+ PYTHON_PYRIGHT_DISABLE_ERRORS: true
+ # Reporters
+ TEXT_REPORTER: true
+ GITHUB_COMMENT_REPORTER: true
+ GITHUB_STATUS_REPORTER: true
+ SARIF_REPORTER: true
+ UPDATED_SOURCES_REPORTER: true
+ CONFIG_REPORTER: true
+ CONSOLE_REPORTER: true
+ JSON_REPORTER: true
MARKDOWN_SUMMARY_REPORTER: true
- continue-on-error: true
-
- if: success() || failure()
- name: Add GitHub Summary
- run: cat megalinter-reports/megalinter-report.md >> "$GITHUB_STEP_SUMMARY"
-
- # Upload MegaLinter artifacts
- - name: Archive production artifacts
+ name: Archive production artifacts
uses: actions/upload-artifact@v4
- if: success() || failure()
with:
name: MegaLinter reports
- path: |
- megalinter-reports
+ path: |-
mega-linter.log
-
- # Create pull request if applicable
- # (for now works only on PR from same repository, not from forks)
- - name: Create Pull Request with applied fixes
- uses: peter-evans/create-pull-request@v7
- id: cpr
+ megalinter-reports/
+ - if: success() || failure()
+ name: Upload MegaLinter scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: megalinter-reports/megalinter-report.sarif
+ - if: success() || failure()
+ name: Add GitHub summary
+ run: cat megalinter-reports/megalinter-report.md >> "$GITHUB_STEP_SUMMARY"
+ - name: Remove MegaLinter reports
+ run: >-
+ sudo rm --force --recursive
+ .checkov.yml
+ .devskim.json
+ kics.config
+ mega-linter.log
+ megalinter-reports/
+ - id: cpr
if: >-
steps.ml.outputs.has_updated_sources == 1 &&
(
@@ -134,14 +91,14 @@ jobs:
github.event.pull_request.head.repo.full_name == github.repository
) &&
!contains(github.event.head_commit.message, 'skip fix')
+ name: Create Pull Request with applied fixes
+ uses: peter-evans/create-pull-request@v6
with:
- token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
- commit-message: "[MegaLinter] Apply linters automatic fixes"
- title: "[MegaLinter] Apply linters automatic fixes"
- labels: bot
-
- - name: Create PR output
- if: >-
+ token: ${{ github.token }}
+ commit-message: "chore(MegaLinter): apply linters automatic fixes"
+ title: "chore(MegaLinter): apply linters automatic fixes"
+ # TODO: add labels
+ - if: >-
steps.ml.outputs.has_updated_sources == 1 &&
(
env.APPLY_FIXES_EVENT == 'all' ||
@@ -153,14 +110,11 @@ jobs:
github.event.pull_request.head.repo.full_name == github.repository
) &&
!contains(github.event.head_commit.message, 'skip fix')
+ name: Create PR output
run: |
echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}"
echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}"
-
- # Push new commit if applicable
- # (for now works only on PR from same repository, not from forks)
- - name: Prepare commit
- if: >-
+ - if: >-
steps.ml.outputs.has_updated_sources == 1 &&
(
env.APPLY_FIXES_EVENT == 'all' ||
@@ -173,11 +127,9 @@ jobs:
github.event.pull_request.head.repo.full_name == github.repository
) &&
!contains(github.event.head_commit.message, 'skip fix')
+ name: Prepare commit
run: sudo chown -Rc $UID .git/
-
- - name: Commit and push applied linter fixes
- uses: stefanzweifel/git-auto-commit-action@v5
- if: >-
+ - if: >-
steps.ml.outputs.has_updated_sources == 1 &&
(
env.APPLY_FIXES_EVENT == 'all' ||
@@ -190,6 +142,8 @@ jobs:
github.event.pull_request.head.repo.full_name == github.repository
) &&
!contains(github.event.head_commit.message, 'skip fix')
+ name: Commit and push applied linter fixes
+ uses: stefanzweifel/git-auto-commit-action@v5
with:
branch: >-
${{
@@ -197,6 +151,6 @@ jobs:
github.head_ref ||
github.ref
}}
- commit_message: "[MegaLinter] Apply linters fixes"
+ commit_message: "chore(MegaLinter): apply linters fixes"
commit_user_name: megalinter-bot
commit_user_email: nicolas.vuillamy@ox.security
diff --git a/.mega-linter.yaml b/.mega-linter.yaml
deleted file mode 100644
index cf2239e..0000000
--- a/.mega-linter.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/megalinter/megalinter/main/megalinter/descriptors/schemas/megalinter-configuration.jsonschema.json
-
-# Configuration file for MegaLinter
-#
-# See all available variables at https://megalinter.io/latest/config-file/ and in
-# linters documentation
-
-# all, none, or list of linter keys
-APPLY_FIXES: all
-
-# If you use ENABLE variable, all other languages/formats/tooling-formats will
-# be disabled by default
-# ENABLE:
-
-# If you use ENABLE_LINTERS variable, all other linters will be disabled by
-# default
-# ENABLE_LINTERS:
-
-# DISABLE:
-# - COPYPASTE # Uncomment to disable checks of excessive copy-pastes
-# - SPELL # Uncomment to disable checks of spelling mistakes
-
-SHOW_ELAPSED_TIME: true
-
-FILEIO_REPORTER: false
-# Uncomment if you want MegaLinter to detect errors but not block CI to pass
-# DISABLE_ERRORS: true
-
-DISABLE_LINTERS:
- - BASH_EXEC
- - PYTHON_BANDIT
- - PYTHON_BLACK
- - PYTHON_FLAKE8
- - PYTHON_ISORT
- - PYTHON_MYPY
- - PYTHON_PYLINT
-
-DISABLE_ERRORS_LINTERS:
- - SPELL_CSPELL
-
-REPOSITORY_CHECKOV_CONFIG_FILE: .github/megalinter/.checkov.yml
-REPOSITORY_DEVSKIM_CONFIG_FILE: .github/megalinter/.devskim.json
-REPOSITORY_KICS_CONFIG_FILE: .github/megalinter/kics.config
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
deleted file mode 100644
index 1de8329..0000000
--- a/.pre-commit-config.yaml
+++ /dev/null
@@ -1,75 +0,0 @@
-ci:
- autofix_commit_msg: "ci(pre-commit): auto fixes from pre-commit hooks"
- autoupdate_commit_msg: "ci(pre-commit): update pre-commit hooks"
- skip:
- - cspell
- - shellcheck
-repos:
- - repo: https://github.com/astral-sh/ruff-pre-commit
- rev: v0.6.5
- hooks:
- - id: ruff
- args:
- - --fix
- - id: ruff-format
- - repo: https://github.com/commitizen-tools/commitizen
- rev: v3.29.0
- hooks:
- - id: commitizen
- - repo: https://github.com/koalaman/shellcheck-precommit
- rev: v0.10.0
- hooks:
- - id: shellcheck
- files: \.(bash|sh|zsh)(\.tmpl)?$
- types:
- - text
- - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.6.0
- hooks:
- - id: check-added-large-files
- - id: check-ast
- - id: check-builtin-literals
- - id: check-case-conflict
- - id: check-docstring-first
- - id: check-json
- exclude: tsconfig\.json$
- - id: check-merge-conflict
- - id: check-toml
- - id: check-vcs-permalinks
- - id: check-yaml
- args:
- - --unsafe
- - id: debug-statements
- - id: destroyed-symlinks
- - id: detect-private-key
- - id: end-of-file-fixer
- - id: fix-byte-order-marker
- - id: mixed-line-ending
- - id: trailing-whitespace
- - repo: https://github.com/python-jsonschema/check-jsonschema
- rev: 0.29.2
- hooks:
- - id: check-github-workflows
- - repo: https://github.com/scop/pre-commit-shfmt
- rev: v3.9.0-1
- hooks:
- - id: shfmt
- files: \.(bash|sh|zsh)(\.tmpl)?$
- types:
- - text
- args:
- - --write
- - --simplify
- - --indent=2
- - --case-indent
- - --space-redirects
- - repo: https://github.com/sirosen/texthooks
- rev: 0.6.7
- hooks:
- - id: fix-ligatures
- - id: fix-spaces
- - id: forbid-bidi-controls
- - repo: https://github.com/streetsidesoftware/cspell-cli
- rev: v8.13.3
- hooks:
- - id: cspell