summaryrefslogtreecommitdiff
path: root/.github/workflows/lint-doc.yml
AgeCommit message (Collapse)Author
2026-05-14ci(lint-doc): pin all GitHub Actions to commit SHAsYuriy Andamasov
Each `uses:` line was pinned to a mutable version tag (`@v6`, `@v0.8.4`, …). Tags can be rewritten to point to malicious code — CVE-2025-30066 (reviewdog/action-setup) and the tj-actions/changed-files incident in 2025 are the canonical real-world examples. GitHub's hardening guide for Actions recommends pinning to full-length commit SHAs and keeping the tag as a trailing comment for human readability. Resolved each action's tag to its commit SHA via `gh api /repos/<repo>/git/refs/tags/<tag>` and verified the SHA is a commit (not an annotated-tag object) via `gh api /repos/<repo>/git/commits/<sha>`: - actions/checkout v6 -> de0fac2e4500dabe0009e67214ff5f5447ce83dd - bullfrogsec/bullfrog v0.8.4 -> 1831f79cce8ad602eef14d2163873f27081ebfb3 - trilom/file-changes-action v1.2.4 -> a6ca26c14274c33b15e6499323aac178af06ad4b - actions/setup-python v6 -> a309ff8b426b58ec0e2a45f0f869d46889d02405 This change covers `lint-doc.yml` only. A fleet-wide sweep across every workflow in `.github/workflows/` is a separate effort — worth doing because the drift / supply-chain risk is the same in every one. Tracked as a follow-up to this PR's review. Tracked as item 11 of the rolling-side cleanup backlog from PR #2014 / #2019 / #2020 reviews. 🤖 Generated by [robots](https://vyos.io)
2026-05-14ci(doc-linter): lint added + renamed files, not only modifiedYuriy Andamasov
Previous workflow: env: FILES_MODIFIED: ${{ steps.file_changes.outputs.files_modified }} run: python scripts/doc-linter.py "$FILES_MODIFIED" `trilom/file-changes-action`'s `files_modified` output is modifications-only. A PR adding a new `.md`/`.rst` doc page passed `files_added`, never `files_modified`, so a brand-new page with long lines or real public IPs slipped past the linter entirely. Workflow: also pass `files_added` and `files_renamed` as separate positional args. Each output is a JSON array (action v1.2.4) and is passed via env to avoid shell-quoting issues. Linter: `main()` now accepts one OR multiple positional argv entries, each a JSON array of paths. Arrays are merged and deduplicated before linting. Single-arg invocations remain backward-compatible. Switched from `ast.literal_eval` to `json.loads` — the action's outputs are JSON, and `json.loads` is the right tool (and dodges literal_eval-via-`eval`-substring linter warnings). Test coverage: - Two JSON arrays merge -> single linter run on union. - Empty-string argv entry skipped (no `files_renamed` in many PRs). - Malformed JSON -> falls back to walking DOCS_ROOT. - No argv -> walks DOCS_ROOT. - Single-arg invocation -> backward-compat preserved. Tracked as item 7 of the rolling-side cleanup backlog from PR #2014 / #2019 / #2020 reviews. 🤖 Generated by [robots](https://vyos.io)
2026-05-10ci: inline doc lint workflow, drop vyos/.github cross-repo dependencyYuriy Andamasov
The reusable lint-doc workflow at vyos/.github checks out vyos/.github on the consumer's PR base.ref to source doc-linter.py — designed for per-release-train linter rules. With this repo's default renamed current → rolling and vyos/.github still on current, the checkout errors with "fetch +refs/heads/rolling*: exit code 1". Rather than chase branch parity across repos, move the linter where it belongs: doc-linter.py is doc-specific and only consumed here. Inlining removes the cross-repo coupling permanently and unblocks any future branch renames in this repo without touching vyos/.github. - scripts/doc-linter.py: copied byte-for-byte from vyos/.github@current:.github/doc-linter.py (sha 3dc7c2fc16242e62b0ea7107f767577e999ca417 — identical across all four release-train branches in vyos/.github, so no behavioral change). - .github/workflows/lint-doc.yml: replaces `uses: vyos/.github/.github/workflows/lint-doc.yml@current` with the inlined steps. Same actions (bullfrogsec/bullfrog, trilom/file-changes-action, setup-python) and the same final invocation, just sourcing the script from this repo. Adds explicit minimal permissions (contents/pull-requests read) and passes the file list via env var to follow the workflow- injection guidance. Follow-up: vyos/.github still hosts the now-orphaned doc-linter.py and its reusable workflow — separate cleanup PR can delete them once any other consumers migrate (none observed today; this repo was the only caller). 🤖 Generated by [robots](https://vyos.io)
2024-09-06Use branch current for lint-doc.ymlViacheslav Hletenko
2024-05-28T6410: workflow fixeskumvijaya
2024-05-28T6410: worflow fixeskumvijaya