From 1ef5684729646ca3a24aff83ab8edd0aa57914c7 Mon Sep 17 00:00:00 2001 From: Yuriy Andamasov Date: Thu, 14 May 2026 00:49:50 +0300 Subject: ci(doc-linter): lint added + renamed files, not only modified MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previous workflow: env: FILES_MODIFIED: ${{ steps.file_changes.outputs.files_modified }} run: python scripts/doc-linter.py "$FILES_MODIFIED" `trilom/file-changes-action`'s `files_modified` output is modifications-only. A PR adding a new `.md`/`.rst` doc page passed `files_added`, never `files_modified`, so a brand-new page with long lines or real public IPs slipped past the linter entirely. Workflow: also pass `files_added` and `files_renamed` as separate positional args. Each output is a JSON array (action v1.2.4) and is passed via env to avoid shell-quoting issues. Linter: `main()` now accepts one OR multiple positional argv entries, each a JSON array of paths. Arrays are merged and deduplicated before linting. Single-arg invocations remain backward-compatible. Switched from `ast.literal_eval` to `json.loads` — the action's outputs are JSON, and `json.loads` is the right tool (and dodges literal_eval-via-`eval`-substring linter warnings). Test coverage: - Two JSON arrays merge -> single linter run on union. - Empty-string argv entry skipped (no `files_renamed` in many PRs). - Malformed JSON -> falls back to walking DOCS_ROOT. - No argv -> walks DOCS_ROOT. - Single-arg invocation -> backward-compat preserved. Tracked as item 7 of the rolling-side cleanup backlog from PR #2014 / #2019 / #2020 reviews. 🤖 Generated by [robots](https://vyos.io) --- .github/workflows/lint-doc.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/lint-doc.yml b/.github/workflows/lint-doc.yml index d7f25f38..eb7386d0 100644 --- a/.github/workflows/lint-doc.yml +++ b/.github/workflows/lint-doc.yml @@ -30,5 +30,14 @@ jobs: - name: run doc linter env: + # Pass modified + added + renamed file lists. `files_modified` + # alone misses newly-added pages — a PR adding a new doc with + # long lines or real public IPs would otherwise slip through. FILES_MODIFIED: ${{ steps.file_changes.outputs.files_modified }} - run: python scripts/doc-linter.py "$FILES_MODIFIED" + FILES_ADDED: ${{ steps.file_changes.outputs.files_added }} + FILES_RENAMED: ${{ steps.file_changes.outputs.files_renamed }} + run: | + python scripts/doc-linter.py \ + "$FILES_MODIFIED" \ + "$FILES_ADDED" \ + "$FILES_RENAMED" -- cgit v1.2.3 From e99182b911dbe9d3a3f02e000426f7075cadc608 Mon Sep 17 00:00:00 2001 From: Yuriy Andamasov Date: Thu, 14 May 2026 00:50:16 +0300 Subject: ci(lint-doc): pin all GitHub Actions to commit SHAs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Each `uses:` line was pinned to a mutable version tag (`@v6`, `@v0.8.4`, …). Tags can be rewritten to point to malicious code — CVE-2025-30066 (reviewdog/action-setup) and the tj-actions/changed-files incident in 2025 are the canonical real-world examples. GitHub's hardening guide for Actions recommends pinning to full-length commit SHAs and keeping the tag as a trailing comment for human readability. Resolved each action's tag to its commit SHA via `gh api /repos//git/refs/tags/` and verified the SHA is a commit (not an annotated-tag object) via `gh api /repos//git/commits/`: - actions/checkout v6 -> de0fac2e4500dabe0009e67214ff5f5447ce83dd - bullfrogsec/bullfrog v0.8.4 -> 1831f79cce8ad602eef14d2163873f27081ebfb3 - trilom/file-changes-action v1.2.4 -> a6ca26c14274c33b15e6499323aac178af06ad4b - actions/setup-python v6 -> a309ff8b426b58ec0e2a45f0f869d46889d02405 This change covers `lint-doc.yml` only. A fleet-wide sweep across every workflow in `.github/workflows/` is a separate effort — worth doing because the drift / supply-chain risk is the same in every one. Tracked as a follow-up to this PR's review. Tracked as item 11 of the rolling-side cleanup backlog from PR #2014 / #2019 / #2020 reviews. 🤖 Generated by [robots](https://vyos.io) --- .github/workflows/lint-doc.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/lint-doc.yml b/.github/workflows/lint-doc.yml index eb7386d0..0bd7a197 100644 --- a/.github/workflows/lint-doc.yml +++ b/.github/workflows/lint-doc.yml @@ -11,20 +11,20 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Bullfrog Secure Runner continue-on-error: true - uses: bullfrogsec/bullfrog@v0.8.4 + uses: bullfrogsec/bullfrog@1831f79cce8ad602eef14d2163873f27081ebfb3 # v0.8.4 with: egress-policy: audit - name: Get File Changes id: file_changes - uses: trilom/file-changes-action@v1.2.4 + uses: trilom/file-changes-action@a6ca26c14274c33b15e6499323aac178af06ad4b # v1.2.4 - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: '3.x' -- cgit v1.2.3