<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-documentation.git/.github/workflows/lint-doc.yml, branch T9032-circinus</title>
<subtitle>VyOS readthedocs (mirror of https://github.com/vyos/vyos-documentation.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-documentation.git/atom?h=T9032-circinus</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-documentation.git/atom?h=T9032-circinus'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/'/>
<updated>2026-05-14T05:08:38+00:00</updated>
<entry>
<title>ci(lint-doc): pin all GitHub Actions to commit SHAs</title>
<updated>2026-05-14T05:08:38+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-13T21:50:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=1c7ce94eae1914b32f5dc8f9cdcd2ad203c2fdf7'/>
<id>urn:sha1:1c7ce94eae1914b32f5dc8f9cdcd2ad203c2fdf7</id>
<content type='text'>
Each `uses:` line was pinned to a mutable version tag (`@v6`,
`@v0.8.4`, …). Tags can be rewritten to point to malicious code —
CVE-2025-30066 (reviewdog/action-setup) and the tj-actions/changed-files
incident in 2025 are the canonical real-world examples. GitHub's
hardening guide for Actions recommends pinning to full-length commit
SHAs and keeping the tag as a trailing comment for human readability.

Resolved each action's tag to its commit SHA via `gh api
/repos/&lt;repo&gt;/git/refs/tags/&lt;tag&gt;` and verified the SHA is a commit
(not an annotated-tag object) via `gh api
/repos/&lt;repo&gt;/git/commits/&lt;sha&gt;`:

- actions/checkout v6 -&gt; de0fac2e4500dabe0009e67214ff5f5447ce83dd
- bullfrogsec/bullfrog v0.8.4 -&gt; 1831f79cce8ad602eef14d2163873f27081ebfb3
- trilom/file-changes-action v1.2.4 -&gt; a6ca26c14274c33b15e6499323aac178af06ad4b
- actions/setup-python v6 -&gt; a309ff8b426b58ec0e2a45f0f869d46889d02405

This change covers `lint-doc.yml` only. A fleet-wide sweep across
every workflow in `.github/workflows/` is a separate effort —
worth doing because the drift / supply-chain risk is the same in
every one. Tracked as a follow-up to this PR's review.

Tracked as item 11 of the rolling-side cleanup backlog from PR #2014
/ #2019 / #2020 reviews.

🤖 Generated by [robots](https://vyos.io)

(cherry picked from commit e99182b911dbe9d3a3f02e000426f7075cadc608)
</content>
</entry>
<entry>
<title>ci(doc-linter): lint added + renamed files, not only modified</title>
<updated>2026-05-14T05:08:38+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-13T21:49:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=628eb360bd84f45cdf4247cd3d1e102fe30bfc45'/>
<id>urn:sha1:628eb360bd84f45cdf4247cd3d1e102fe30bfc45</id>
<content type='text'>
Previous workflow:

    env:
      FILES_MODIFIED: ${{ steps.file_changes.outputs.files_modified }}
    run: python scripts/doc-linter.py "$FILES_MODIFIED"

`trilom/file-changes-action`'s `files_modified` output is
modifications-only. A PR adding a new `.md`/`.rst` doc page passed
`files_added`, never `files_modified`, so a brand-new page with long
lines or real public IPs slipped past the linter entirely.

Workflow: also pass `files_added` and `files_renamed` as separate
positional args. Each output is a JSON array (action v1.2.4) and is
passed via env to avoid shell-quoting issues.

Linter: `main()` now accepts one OR multiple positional argv entries,
each a JSON array of paths. Arrays are merged and deduplicated before
linting. Single-arg invocations remain backward-compatible. Switched
from `ast.literal_eval` to `json.loads` — the action's outputs are
JSON, and `json.loads` is the right tool (and dodges
literal_eval-via-`eval`-substring linter warnings).

Test coverage:
- Two JSON arrays merge -&gt; single linter run on union.
- Empty-string argv entry skipped (no `files_renamed` in many PRs).
- Malformed JSON -&gt; falls back to walking DOCS_ROOT.
- No argv -&gt; walks DOCS_ROOT.
- Single-arg invocation -&gt; backward-compat preserved.

Tracked as item 7 of the rolling-side cleanup backlog from PR #2014 /
#2019 / #2020 reviews.

🤖 Generated by [robots](https://vyos.io)

(cherry picked from commit 1ef5684729646ca3a24aff83ab8edd0aa57914c7)
</content>
</entry>
<entry>
<title>ci: inline doc-linter on circinus to match rolling</title>
<updated>2026-05-13T21:12:32+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-13T21:11:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=75e907d47847781e365a70eb4f5b800af8215127'/>
<id>urn:sha1:75e907d47847781e365a70eb4f5b800af8215127</id>
<content type='text'>
The lint workflow on this branch referenced
`vyos/.github/.github/workflows/lint-doc.yml@current`, which no
longer exists in `vyos/.github` — `lint-doc.yml` was dropped from
the central workflow set during the move toward repo-local linters.
The reusable-workflow `uses:` line has been silently failing
(no `doc-lint` check on recent circinus PRs).

Mirror rolling's approach (inlined 2026-05-10):

- Add `scripts/doc-linter.py` in this repo. Sourced from PR #2014's
  HEAD on rolling (the version that includes the `is_docs_path()`
  docs/-only scope guard so repo-root meta files like AGENTS.md and
  README.md are out of scope, plus the realpath / narrow-exception /
  Ruff fixes from that PR's review pass).
- Replace `.github/workflows/lint-doc.yml` with an in-repo workflow
  that runs `python scripts/doc-linter.py "$FILES_MODIFIED"` against
  the changed-file list from `trilom/file-changes-action`. Same job
  shape as rolling.
- Update the `## Lint` and `## CI` bullets in AGENTS.md to point at
  the in-repo paths.

This restores actual lint coverage on circinus PRs and keeps the
toolchain identical across rolling / circinus / sagitta. Behavior on
the 11 remaining `.rst` pages is unchanged — the linter's
SUPPORTED_EXTS already covers `.md`, `.rst`, and `.txt`.

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
<entry>
<title>Use branch current for lint-doc.yml</title>
<updated>2024-09-06T14:58:43+00:00</updated>
<author>
<name>Viacheslav Hletenko</name>
<email>v.gletenko@vyos.io</email>
</author>
<published>2024-09-06T14:58:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=cc48277a987446720c9f84e085a2cedfb54369e9'/>
<id>urn:sha1:cc48277a987446720c9f84e085a2cedfb54369e9</id>
<content type='text'>
</content>
</entry>
<entry>
<title>T6410: workflow fixes</title>
<updated>2024-05-28T08:29:37+00:00</updated>
<author>
<name>kumvijaya</name>
<email>kumvijaya@gmail.com</email>
</author>
<published>2024-05-28T08:29:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=8e5147d802561dd0bf3b4ef7061c2234d5ab5b2b'/>
<id>urn:sha1:8e5147d802561dd0bf3b4ef7061c2234d5ab5b2b</id>
<content type='text'>
</content>
</entry>
<entry>
<title>T6410: worflow fixes</title>
<updated>2024-05-28T08:09:08+00:00</updated>
<author>
<name>kumvijaya</name>
<email>kumvijaya@gmail.com</email>
</author>
<published>2024-05-28T08:09:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=7ddd96be3dd3f4ad9f886d6e7110d4380074ffb8'/>
<id>urn:sha1:7ddd96be3dd3f4ad9f886d6e7110d4380074ffb8</id>
<content type='text'>
</content>
</entry>
</feed>
