fix: complete required files list and add missing override (#14) #30
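# Quality Checks: lint, repository-structure and workflow-security gates that
# run on every pull request targeting main and on every push to main.
name: Quality Checks

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

# Workflow-wide default: the job token may only read repository contents.
# No job below widens this.
permissions:
  contents: read

# Conventions used by every job:
#   * actions are pinned to a full commit SHA, with the matching tag kept in a
#     trailing comment;
#   * checkout runs with persist-credentials: false so the job token is not
#     left behind in the working copy's git configuration.
jobs:
  markdown-lint:
    name: Markdown Linting
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Lint markdown
        uses: DavidAnson/markdownlint-cli2-action@07035fd053f7be764496c0f8d8f9f41f98305101 # v22.0.0

  yaml-lint:
    name: YAML Validation
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Lint YAML
        uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1
        with:
          config_file: .yamllint.yml

  shell-check:
    name: Shell Script Validation
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Run ShellCheck
        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0

  structure:
    name: Validate Repository Structure
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      # Reports every missing file before failing, so one run lists them all.
      - name: Check required files
        run: |
          MISSING=0
          for file in LICENSE README.md .gitignore CODEOWNERS CONTRIBUTING.md \
                      SECURITY.md CLAUDE.md .pre-commit-config.yaml \
                      .coderabbit.yaml .github/copilot-instructions.md \
                      .github/dependabot.yml .github/PULL_REQUEST_TEMPLATE.md \
                      config/baseline.json config/overrides.json; do
            if [ ! -f "$file" ]; then
              echo "MISSING: $file"
              MISSING=$((MISSING + 1))
            else
              echo "OK: $file"
            fi
          done
          if [ "$MISSING" -gt 0 ]; then
            echo "ERROR: $MISSING required files are missing"
            exit 1
          fi

      - name: Validate JSON configs
        run: |
          for file in config/baseline.json config/overrides.json; do
            # jq's own parse error is left on stderr so the log shows what is
            # wrong with the file, not only that it is invalid.
            if ! jq empty "$file"; then
              echo "ERROR: Invalid JSON in $file"
              exit 1
            else
              echo "OK: $file is valid JSON"
            fi
          done

      - name: Validate baseline schema
        run: |
          ERRORS=0
          # jq -e exits non-zero when the key is absent, null or false.
          for section in repo_settings security branch_protection rulesets labels required_files; do
            if ! jq -e ".$section" config/baseline.json > /dev/null 2>&1; then
              echo "ERROR: Missing section '$section' in baseline.json"
              ERRORS=$((ERRORS + 1))
            else
              echo "OK: section '$section' present"
            fi
          done
          # Validate label structure.
          # `// []` lets a missing labels section count as zero malformed labels
          # (it is already reported by the loop above) instead of aborting the
          # step on a jq error before the summary below is printed.
          LABEL_ERRORS=$(jq '[(.labels // [])[] | select(.name == null or .color == null or .description == null)] | length' config/baseline.json)
          if [ "$LABEL_ERRORS" -gt 0 ]; then
            echo "ERROR: $LABEL_ERRORS labels missing required fields (name, color, description)"
            ERRORS=$((ERRORS + LABEL_ERRORS))
          fi
          if [ "$ERRORS" -gt 0 ]; then
            echo "ERROR: baseline.json schema validation failed"
            exit 1
          fi

  actions-security:
    name: Actions Security
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      # NOTE(review): the actions in this workflow are pinned by commit SHA, but
      # this release tarball is selected by version tag only and is installed
      # without any integrity check. Record the digest of the reviewed release
      # next to the version and verify it before extracting, e.g.
      #   echo "<SHA256_OF_RELEASE_TARBALL>  $archive" | sha256sum -c -
      - name: Install zizmor
        run: |
          set -euo pipefail
          ZIZMOR_VERSION="1.23.1"
          workdir="$(mktemp -d)"
          archive="$workdir/zizmor.tar.gz"
          # -f: fail on an HTTP error instead of saving the error page as the archive.
          curl -fsSL "https://github.com/woodruffw/zizmor/releases/download/v${ZIZMOR_VERSION}/zizmor-x86_64-unknown-linux-gnu.tar.gz" -o "$archive"
          mkdir -p "$workdir/extract"
          tar -xzf "$archive" -C "$workdir/extract"
          # Fail loudly if the archive layout changes and no binary is found,
          # rather than continuing with nothing installed.
          zizmor_bin="$(find "$workdir/extract" -name zizmor -type f -print -quit)"
          if [ -z "$zizmor_bin" ]; then
            echo "ERROR: zizmor binary not found in release archive"
            exit 1
          fi
          sudo install -m 0755 "$zizmor_bin" /usr/local/bin/zizmor

      - name: Run zizmor
        run: zizmor --config zizmor.yml .github/workflows/

  link-checker:
    name: Check Links
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Check markdown links
        uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1
        with:
          config-file: '.markdown-link-check.json'
          use-quiet-mode: 'yes'
        # Advisory only: a broken link is reported but does not fail the run.
        # NOTE(review): nesting level was lost in this listing; step level is
        # assumed here - confirm against the repository copy.
        continue-on-error: true

  prose-lint:
    name: Prose Linting (Vale)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      # NOTE(review): as with zizmor, this tarball is fetched by version tag and
      # installed unverified. Pin and check its digest, e.g.
      #   echo "<SHA256_OF_RELEASE_TARBALL>  $archive" | sha256sum -c -
      - name: Install Vale
        env:
          VALE_VERSION: "3.13.1"
        run: |
          set -euo pipefail
          tmpdir="$(mktemp -d)"
          archive="$tmpdir/vale.tar.gz"
          # Download into the temp dir so the tarball never lands in the checkout.
          wget -q -O "$archive" "https://github.com/errata-ai/vale/releases/download/v${VALE_VERSION}/vale_${VALE_VERSION}_Linux_64-bit.tar.gz"
          tar xzf "$archive" -C "$tmpdir" vale
          sudo install -m 0755 "$tmpdir/vale" /usr/local/bin/vale

      - name: Run Vale
        run: |
          vale sync
          find . -name '*.md' -not -path './styles/*' -not -path './.git/*' \
            -exec vale {} +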