chore: add yaml lint step for workflows, configs

sgammon · Aug 13, 2023 · fcb88d7 · fcb88d7
1 parent a3fe410
commit fcb88d7
Show file tree

Hide file tree

Showing 3 changed files with 111 additions and 0 deletions.
diff --git a/.github/workflows/codeql.yml → .github/workflows/check.codeql.yml b/.github/workflows/codeql.yml → .github/workflows/check.codeql.yml
@@ -62,5 +62,6 @@ jobs:
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624 # v2.21.3
+        continue-on-error: true
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/check.lint-yaml.yml b/.github/workflows/check.lint-yaml.yml
@@ -0,0 +1,110 @@
+name: "Lint: YAML"
+
+concurrency:
+    group: lint-yaml-${{ github.head_ref || github.run_id }}
+    cancel-in-progress: true
+
+on:
+    ## Check YAML on merge queue insertion
+    merge_group: {}
+
+    ## Check on release
+    release:
+        types: [created]
+
+    ## Check on push to `main` if modified
+    push:
+        branches:
+            - main
+        paths:
+            - ".github/workflows/*.yaml"
+            - ".github/workflows/*.yml"
+            - ".bazelci/presubmit.yml"
+            - ".bcr/*.yml"
+
+    ## Check each PR change against `main`
+    pull_request:
+        paths:
+            - ".github/workflows/*.yaml"
+            - ".github/workflows/*.yml"
+            - ".bazelci/presubmit.yml"
+            - ".bcr/*.yml"
+
+permissions:
+  contents: read
+
+jobs:
+    ## Task: Lint workflows in this respository with YAMLLint
+    lint-workflows-yaml:
+        name: "Workflows"
+        runs-on: ${{ vars.RUNNER || 'ubuntu-latest' }}
+        permissions:
+            contents: "read"
+            id-token: "write"
+            checks: "write"
+            pull-requests: "read"
+        steps:
+            - name: Harden Runner
+              uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+              with:
+                egress-policy: audit
+            - name: "Setup: Checkout"
+              uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+            - name: 'Lint: YAML'
+              uses: karancode/yamllint-github-action@master
+              with:
+                yamllint_file_or_dir: '.github/workflows'
+                yamllint_strict: false
+                yamllint_comment: true
+              env:
+                GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    ## Task: Lint Bazel Central Registry config files
+    lint-bcr-yaml:
+        name: "BCR"
+        runs-on: ${{ vars.RUNNER || 'ubuntu-latest' }}
+        permissions:
+            contents: "read"
+            id-token: "write"
+            checks: "write"
+            pull-requests: "read"
+        steps:
+            - name: Harden Runner
+              uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+              with:
+                egress-policy: audit
+            - name: "Setup: Checkout"
+              uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+            - name: 'Lint: YAML'
+              uses: karancode/yamllint-github-action@master
+              with:
+                yamllint_file_or_dir: '.bcr'
+                yamllint_strict: false
+                yamllint_comment: true
+              env:
+                GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    ## Task: Lint Bazel CI config files
+    lint-bazelci-yaml:
+        name: "BCR"
+        runs-on: ${{ vars.RUNNER || 'ubuntu-latest' }}
+        permissions:
+            contents: "read"
+            id-token: "write"
+            checks: "write"
+            pull-requests: "read"
+        steps:
+            - name: Harden Runner
+              uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+              with:
+                egress-policy: audit
+            - name: "Setup: Checkout"
+              uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+            - name: 'Lint: YAML'
+              uses: karancode/yamllint-github-action@master
+              with:
+                yamllint_file_or_dir: '.bazelci'
+                yamllint_strict: false
+                yamllint_comment: true
+              env:
+                GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/scorecards.yml → .github/workflows/check.scorecards.yml b/.github/workflows/scorecards.yml → .github/workflows/check.scorecards.yml