<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-documentation.git/.github/workflows/lint-doc.yml, branch docs/t8887-phase1-batch1</title>
<subtitle>VyOS readthedocs (mirror of https://github.com/vyos/vyos-documentation.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-documentation.git/atom?h=docs%2Ft8887-phase1-batch1</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-documentation.git/atom?h=docs%2Ft8887-phase1-batch1'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/'/>
<updated>2026-05-13T21:50:16+00:00</updated>
<entry>
<title>ci(lint-doc): pin all GitHub Actions to commit SHAs</title>
<updated>2026-05-13T21:50:16+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-13T21:50:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=e99182b911dbe9d3a3f02e000426f7075cadc608'/>
<id>urn:sha1:e99182b911dbe9d3a3f02e000426f7075cadc608</id>
<content type='text'>
Each `uses:` line was pinned to a mutable version tag (`@v6`,
`@v0.8.4`, …). Tags can be rewritten to point to malicious code —
CVE-2025-30066 (reviewdog/action-setup) and the tj-actions/changed-files
incident in 2025 are the canonical real-world examples. GitHub's
hardening guide for Actions recommends pinning to full-length commit
SHAs and keeping the tag as a trailing comment for human readability.

Resolved each action's tag to its commit SHA via `gh api
/repos/&lt;repo&gt;/git/refs/tags/&lt;tag&gt;` and verified the SHA is a commit
(not an annotated-tag object) via `gh api
/repos/&lt;repo&gt;/git/commits/&lt;sha&gt;`:

- actions/checkout v6 -&gt; de0fac2e4500dabe0009e67214ff5f5447ce83dd
- bullfrogsec/bullfrog v0.8.4 -&gt; 1831f79cce8ad602eef14d2163873f27081ebfb3
- trilom/file-changes-action v1.2.4 -&gt; a6ca26c14274c33b15e6499323aac178af06ad4b
- actions/setup-python v6 -&gt; a309ff8b426b58ec0e2a45f0f869d46889d02405

This change covers `lint-doc.yml` only. A fleet-wide sweep across
every workflow in `.github/workflows/` is a separate effort —
worth doing because the drift / supply-chain risk is the same in
every one. Tracked as a follow-up to this PR's review.

Tracked as item 11 of the rolling-side cleanup backlog from PR #2014
/ #2019 / #2020 reviews.

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
<entry>
<title>ci(doc-linter): lint added + renamed files, not only modified</title>
<updated>2026-05-13T21:49:50+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-13T21:49:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=1ef5684729646ca3a24aff83ab8edd0aa57914c7'/>
<id>urn:sha1:1ef5684729646ca3a24aff83ab8edd0aa57914c7</id>
<content type='text'>
Previous workflow:

    env:
      FILES_MODIFIED: ${{ steps.file_changes.outputs.files_modified }}
    run: python scripts/doc-linter.py "$FILES_MODIFIED"

`trilom/file-changes-action`'s `files_modified` output is
modifications-only. A PR adding a new `.md`/`.rst` doc page passed
`files_added`, never `files_modified`, so a brand-new page with long
lines or real public IPs slipped past the linter entirely.

Workflow: also pass `files_added` and `files_renamed` as separate
positional args. Each output is a JSON array (action v1.2.4) and is
passed via env to avoid shell-quoting issues.

Linter: `main()` now accepts one OR multiple positional argv entries,
each a JSON array of paths. Arrays are merged and deduplicated before
linting. Single-arg invocations remain backward-compatible. Switched
from `ast.literal_eval` to `json.loads` — the action's outputs are
JSON, and `json.loads` is the right tool (and dodges
literal_eval-via-`eval`-substring linter warnings).

Test coverage:
- Two JSON arrays merge -&gt; single linter run on union.
- Empty-string argv entry skipped (no `files_renamed` in many PRs).
- Malformed JSON -&gt; falls back to walking DOCS_ROOT.
- No argv -&gt; walks DOCS_ROOT.
- Single-arg invocation -&gt; backward-compat preserved.

Tracked as item 7 of the rolling-side cleanup backlog from PR #2014 /
#2019 / #2020 reviews.

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
<entry>
<title>ci: inline doc lint workflow, drop vyos/.github cross-repo dependency</title>
<updated>2026-05-10T12:42:44+00:00</updated>
<author>
<name>Yuriy Andamasov</name>
<email>yuriy@vyos.io</email>
</author>
<published>2026-05-10T12:42:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=1bf386e2ce6e4039f9adbef868ef54758e4204c0'/>
<id>urn:sha1:1bf386e2ce6e4039f9adbef868ef54758e4204c0</id>
<content type='text'>
The reusable lint-doc workflow at vyos/.github checks out vyos/.github
on the consumer's PR base.ref to source doc-linter.py — designed for
per-release-train linter rules. With this repo's default renamed
current → rolling and vyos/.github still on current, the checkout
errors with "fetch +refs/heads/rolling*: exit code 1".

Rather than chase branch parity across repos, move the linter where it
belongs: doc-linter.py is doc-specific and only consumed here. Inlining
removes the cross-repo coupling permanently and unblocks any future
branch renames in this repo without touching vyos/.github.

- scripts/doc-linter.py: copied byte-for-byte from
  vyos/.github@current:.github/doc-linter.py (sha
  3dc7c2fc16242e62b0ea7107f767577e999ca417 — identical across all four
  release-train branches in vyos/.github, so no behavioral change).
- .github/workflows/lint-doc.yml: replaces `uses:
  vyos/.github/.github/workflows/lint-doc.yml@current` with the inlined
  steps. Same actions (bullfrogsec/bullfrog, trilom/file-changes-action,
  setup-python) and the same final invocation, just sourcing the script
  from this repo. Adds explicit minimal permissions (contents/pull-requests
  read) and passes the file list via env var to follow the workflow-
  injection guidance.

Follow-up: vyos/.github still hosts the now-orphaned doc-linter.py and
its reusable workflow — separate cleanup PR can delete them once any
other consumers migrate (none observed today; this repo was the only
caller).

🤖 Generated by [robots](https://vyos.io)
</content>
</entry>
<entry>
<title>Use branch current for lint-doc.yml</title>
<updated>2024-09-06T14:58:43+00:00</updated>
<author>
<name>Viacheslav Hletenko</name>
<email>v.gletenko@vyos.io</email>
</author>
<published>2024-09-06T14:58:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=cc48277a987446720c9f84e085a2cedfb54369e9'/>
<id>urn:sha1:cc48277a987446720c9f84e085a2cedfb54369e9</id>
<content type='text'>
</content>
</entry>
<entry>
<title>T6410: workflow fixes</title>
<updated>2024-05-28T08:29:37+00:00</updated>
<author>
<name>kumvijaya</name>
<email>kumvijaya@gmail.com</email>
</author>
<published>2024-05-28T08:29:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=8e5147d802561dd0bf3b4ef7061c2234d5ab5b2b'/>
<id>urn:sha1:8e5147d802561dd0bf3b4ef7061c2234d5ab5b2b</id>
<content type='text'>
</content>
</entry>
<entry>
<title>T6410: worflow fixes</title>
<updated>2024-05-28T08:09:08+00:00</updated>
<author>
<name>kumvijaya</name>
<email>kumvijaya@gmail.com</email>
</author>
<published>2024-05-28T08:09:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-documentation.git/commit/?id=7ddd96be3dd3f4ad9f886d6e7110d4380074ffb8'/>
<id>urn:sha1:7ddd96be3dd3f4ad9f886d6e7110d4380074ffb8</id>
<content type='text'>
</content>
</entry>
</feed>
