
feat: enforce Copilot code review ruleset via sync script (#9) #22


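# Quality Checks: lint markdown/YAML/shell, validate the repository layout and
# the JSON config files, and audit the workflows themselves with zizmor.
name: Quality Checks

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

# Workflow-wide token scope: read-only checkout is all any job needs.
permissions:
  contents: read

jobs:
  markdown-lint:
    name: Markdown Linting
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false
      - name: Lint markdown
        uses: DavidAnson/markdownlint-cli2-action@07035fd053f7be764496c0f8d8f9f41f98305101 # v22.0.0

  yaml-lint:
    name: YAML Validation
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Lint YAML
        uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1
        with:
          config_file: .yamllint.yml

  shell-check:
    name: Shell Script Validation
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Run ShellCheck
        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0

  structure:
    name: Validate Repository Structure
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      # Every file listed here must exist; report all missing ones before failing.
      - name: Check required files
        run: |
          # The default `run` shell is `bash -e` without pipefail or nounset;
          # make the script strict explicitly.
          set -euo pipefail
          MISSING=0
          for file in LICENSE README.md .gitignore CODEOWNERS CONTRIBUTING.md \
                      SECURITY.md CLAUDE.md .pre-commit-config.yaml \
                      .github/dependabot.yml config/baseline.json \
                      config/overrides.json; do
            if [ ! -f "$file" ]; then
              echo "MISSING: $file"
              MISSING=$((MISSING + 1))
            else
              echo "OK: $file"
            fi
          done
          if [ "$MISSING" -gt 0 ]; then
            echo "ERROR: $MISSING required files are missing"
            exit 1
          fi

      # `jq empty` parses the document and emits nothing; a non-zero exit means
      # the file is not valid JSON. jq's own parse error is left on stderr so the
      # log shows where the document is broken.
      - name: Validate JSON configs
        run: |
          set -euo pipefail
          for file in config/baseline.json config/overrides.json; do
            if ! jq empty "$file"; then
              echo "ERROR: Invalid JSON in $file"
              exit 1
            else
              echo "OK: $file is valid JSON"
            fi
          done

      # Checks that baseline.json has every top-level section the sync script
      # expects and that each label carries name, color and description.
      - name: Validate baseline schema
        run: |
          set -euo pipefail
          ERRORS=0
          for section in repo_settings security branch_protection rulesets labels required_files; do
            # `jq -e` exits non-zero when the path is missing, null or false.
            if ! jq -e ".$section" config/baseline.json > /dev/null 2>&1; then
              echo "ERROR: Missing section '$section' in baseline.json"
              ERRORS=$((ERRORS + 1))
            else
              echo "OK: section '$section' present"
            fi
          done
          # Validate label structure. A missing `.labels` is already counted
          # above; `// []` keeps jq from aborting on null so the summary below
          # still runs and LABEL_ERRORS is always a number.
          LABEL_ERRORS=$(jq '[(.labels // [])[] | select(.name == null or .color == null or .description == null)] | length' config/baseline.json)
          if [ "$LABEL_ERRORS" -gt 0 ]; then
            echo "ERROR: $LABEL_ERRORS labels missing required fields (name, color, description)"
            ERRORS=$((ERRORS + LABEL_ERRORS))
          fi
          if [ "$ERRORS" -gt 0 ]; then
            echo "ERROR: baseline.json schema validation failed"
            exit 1
          fi

  actions-security:
    name: Actions Security
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      # Installs a pinned zizmor release binary from GitHub Releases.
      - name: Install zizmor
        run: |
          set -euo pipefail
          ZIZMOR_VERSION="1.23.1"
          # -f (--fail): an HTTP error must fail here, not be written to the
          # tarball and surface later as an unrelated tar error.
          # NOTE(review): the download is pinned by version only, not by
          # digest; add a `sha256sum -c` against a recorded hash to verify
          # the artifact's integrity.
          curl -fsSL --retry 3 \
            "https://github.com/woodruffw/zizmor/releases/download/v${ZIZMOR_VERSION}/zizmor-x86_64-unknown-linux-gnu.tar.gz" \
            -o /tmp/zizmor.tar.gz
          mkdir -p /tmp/zizmor-extract
          tar -xzf /tmp/zizmor.tar.gz -C /tmp/zizmor-extract
          find /tmp/zizmor-extract -name zizmor -type f -exec sudo mv {} /usr/local/bin/zizmor \;
          chmod +x /usr/local/bin/zizmor

      # Audits the repository's own workflows using the checked-in zizmor.yml.
      - name: Run zizmor
        run: zizmor --config zizmor.yml .github/workflows/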