draft #20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Code Quality | |
# Workflow to check if project meets the code quality standards of the Biosustain group | |
on: | |
workflow_call: | |
inputs: | |
APPLY_FIXES: # If true, the workflow will try to fix the issues | |
description: | | |
Apply linter fixes configuration. | |
'all' to apply fixes of all linters, or a list of linter keys (ex: JAVASCRIPT_ES,MARKDOWN_MARKDOWNLINT) | |
required: false | |
default: none | |
type: string | |
APPLY_FIXES_EVENT: | |
description: | | |
Decide which event triggers application of fixes in a commit or a PR. | |
'pull_request', 'push', 'all' | |
required: false | |
default: pull_request | |
type: string | |
APPLY_FIXES_MODE: | |
description: | | |
If APPLY_FIXES is used, defines if the fixes are directly committed (commit) | |
or posted in a PR (pull_request) | |
required: false | |
default: pull_request | |
type: string | |
# Trigger the workflow also on push or pull request in this repository | |
push: | |
branches: | |
- main | |
pull_request: | |
branches: | |
- main | |
concurrency: | |
group: ${{ github.ref }}-${{ github.workflow }} | |
cancel-in-progress: true | |
env: | |
# Apply linter fixes configuration | |
# | |
# When active, APPLY_FIXES must also be defined as environment variable | |
# (in github/workflows/mega-linter.yml or other CI tool) | |
APPLY_FIXES: ${{ github.event.inputs.APPLY_FIXES || 'none' }} | |
# Decide which event triggers application of fixes in a commit or a PR | |
# (pull_request, push, all) | |
APPLY_FIXES_EVENT: ${{ github.event.inputs.APPLY_FIXES_EVENT }} | |
# If APPLY_FIXES is used, defines if the fixes are directly committed (commit) | |
# or posted in a PR (pull_request) | |
APPLY_FIXES_MODE: ${{ github.event.inputs.APPLY_FIXES_MODE }} | |
jobs: | |
check-code-quality: | |
name: Run MegaLinter to check code quality | |
runs-on: ubuntu-latest | |
# Give the default GITHUB_TOKEN write permission to commit and push, comment | |
# issues & post new PR; remove the ones you do not need | |
permissions: | |
actions: read # Needed to run codeql/upload-sarif@v3 | |
contents: write | |
issues: write | |
pull-requests: write | |
steps: | |
- name: Load configuration | |
uses: actions/checkout@v4 | |
with: | |
path: config | |
- name: Check if GHAS is enabled | |
uses: actions/github-script@v7 | |
id: ghas-enabled | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
const response = await github.rest.repos.get({ | |
owner: '${{ github.repository }}'.split("/")[0], | |
repo: '${{ github.repository }}'.split("/")[1] | |
}); | |
const securityEnabled = response.data.security_and_analysis?.advanced_security?.status === 'enabled'; | |
if (!securityEnabled) { | |
let message = 'GitHub Advanced Security is NOT enabled.'; | |
const url = 'https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning/advanced-security-must-be-enabled'; | |
message += ` For more information, see ${url}`; | |
core.warning(message); | |
} | |
return securityEnabled; | |
- name: Checkout Code | |
uses: actions/checkout@v4 | |
with: | |
token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} | |
path: code | |
# If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to | |
# improve performance | |
fetch-depth: 0 | |
# MegaLinter | |
- name: MegaLinter | |
# You can override MegaLinter flavor used to have faster performances | |
# More info at https://megalinter.io/flavors/ | |
uses: oxsecurity/megalinter@v7 | |
# All available variables are described in documentation | |
# https://megalinter.io/configuration/ | |
env: | |
# Define the reporters used in this action (not overrideable) | |
SARIF_REPORTER: true | |
MARKDOWN_SUMMARY_REPORTER: true | |
GITHUB_WORKSPACE: code | |
DEFAULT_WORKSPACE: code | |
# Extend the configuration file if it exists, else use default | |
EXTENDS: ${{ hashFiles('code/.mega-linter.yml') != '' && 'config/.mega-linter.yml' || '' }} | |
MEGALINTER_CONFIG_FILE: ${{ hashFiles('code/.mega-linter.yml') == '' && 'config/.mega-linter.yml' || '' }} | |
# Validates all source when push on main, else just the git diff with | |
# main. Override with true if you always want to lint all sources | |
# | |
# To validate the entire codebase, set to: | |
# VALIDATE_ALL_CODEBASE: true | |
# | |
# To validate only diff with main, set to: | |
# VALIDATE_ALL_CODEBASE: >- | |
# ${{ | |
# github.event_name == 'push' && | |
# contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref) | |
# }} | |
VALIDATE_ALL_CODEBASE: > | |
${{ | |
github.event_name == 'push' && | |
contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref) | |
}} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
# Upload MegaLinter artifacts | |
- name: Archive production artifacts | |
uses: actions/upload-artifact@v4 | |
if: success() || failure() | |
with: | |
name: MegaLinter reports | |
path: | | |
megalinter-reports | |
mega-linter.log | |
- name: Upload MegaLinter scan results to GitHub Security tab | |
if: (steps.ghas-enabled.outputs.result == 'true') && (success() || failure()) | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: 'megalinter-reports/megalinter-report.sarif' | |
- name: Show report in job summary | |
if: always() | |
run: cat megalinter-reports/megalinter-report.md | tee $GITHUB_STEP_SUMMARY | |
# Set APPLY_FIXES_IF var for use in future steps | |
- name: Set APPLY_FIXES_IF var | |
run: | | |
printf 'APPLY_FIXES_IF=%s\n' "${{ | |
steps.ml.outputs.has_updated_sources == 1 && | |
( | |
env.APPLY_FIXES_EVENT == 'all' || | |
env.APPLY_FIXES_EVENT == github.event_name | |
) && | |
( | |
github.event_name == 'push' || | |
github.event.pull_request.head.repo.full_name == github.repository | |
) | |
}}" >> "${GITHUB_ENV}" | |
# Set APPLY_FIXES_IF_* vars for use in future steps | |
- name: Set APPLY_FIXES_IF_* vars | |
run: | | |
printf 'APPLY_FIXES_IF_PR=%s\n' "${{ | |
env.APPLY_FIXES_IF == 'true' && | |
env.APPLY_FIXES_MODE == 'pull_request' | |
}}" >> "${GITHUB_ENV}" | |
printf 'APPLY_FIXES_IF_COMMIT=%s\n' "${{ | |
env.APPLY_FIXES_IF == 'true' && | |
env.APPLY_FIXES_MODE == 'commit' && | |
(!contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)) | |
}}" >> "${GITHUB_ENV}" | |
# Create pull request if applicable | |
# (for now works only on PR from same repository, not from forks) | |
- name: Create Pull Request with applied fixes | |
uses: peter-evans/create-pull-request@v6 | |
id: cpr | |
if: env.APPLY_FIXES_IF_PR == 'true' | |
with: | |
token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} | |
commit-message: "[BiosustainMegaLinter] Apply linters automatic fixes" | |
title: "[BiosustainMegaLinter] Apply linters automatic fixes" | |
labels: bot | |
- name: Create PR output | |
if: env.APPLY_FIXES_IF_PR == 'true' | |
run: | | |
echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}" | |
echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}" | |
# Push new commit if applicable | |
# (for now works only on PR from same repository, not from forks) | |
- name: Prepare commit | |
if: env.APPLY_FIXES_IF_COMMIT == 'true' | |
run: sudo chown -Rc $UID .git/ | |
- name: Commit and push applied linter fixes | |
uses: stefanzweifel/git-auto-commit-action@v4 | |
if: env.APPLY_FIXES_IF_COMMIT == 'true' | |
with: | |
branch: >- | |
${{ | |
github.event.pull_request.head.ref || | |
github.head_ref || | |
github.ref | |
}} | |
commit_message: "[BiosustainMegaLinter] Apply linters fixes" |