@@ -15,20 +15,24 @@ jobs:
1515 runs-on : ubuntu-latest
1616 steps :
1717 - name : Checkout
18- uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
18+ uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
19+ with :
20+ persist-credentials : false
1921
2022 - name : Lint markdown
21- uses : DavidAnson/markdownlint-cli2-action@db4c2f7b1e4a6de4660458dd8d547f94deaac667 # v22.0.0
23+ uses : DavidAnson/markdownlint-cli2-action@07035fd053f7be764496c0f8d8f9f41f98305101 # v22.0.0
2224
2325 yaml-lint :
2426 name : YAML Validation
2527 runs-on : ubuntu-latest
2628 steps :
2729 - name : Checkout
28- uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
30+ uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
31+ with :
32+ persist-credentials : false
2933
3034 - name : Lint YAML
31- uses : ibiqlik/action-yamllint@2576f72e4b4e5aef56e60fc8a24fa17e25be1fef # v3.1.1
35+ uses : ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1
3236 with :
3337 config_file : .yamllint.yml
3438
3741 runs-on : ubuntu-latest
3842 steps :
3943 - name : Checkout
40- uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
44+ uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
45+ with :
46+ persist-credentials : false
4147
4248 - name : Run ShellCheck
4349 uses : ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
4753 runs-on : ubuntu-latest
4854 steps :
4955 - name : Checkout
50- uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
56+ uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
57+ with :
58+ persist-credentials : false
5159
5260 - name : Check required files
5361 run : |
@@ -79,20 +87,44 @@ jobs:
7987 fi
8088 done
8189
90+ - name : Validate baseline schema
91+ run : |
92+ ERRORS=0
93+ for section in repo_settings security branch_protection labels required_files; do
94+ if ! jq -e ".$section" config/baseline.json > /dev/null 2>&1; then
95+ echo "ERROR: Missing section '$section' in baseline.json"
96+ ERRORS=$((ERRORS + 1))
97+ else
98+ echo "OK: section '$section' present"
99+ fi
100+ done
101+ # Validate label structure
102+ LABEL_ERRORS=$(jq '[.labels[] | select(.name == null or .color == null or .description == null)] | length' config/baseline.json)
103+ if [ "$LABEL_ERRORS" -gt 0 ]; then
104+ echo "ERROR: $LABEL_ERRORS labels missing required fields (name, color, description)"
105+ ERRORS=$((ERRORS + LABEL_ERRORS))
106+ fi
107+ if [ "$ERRORS" -gt 0 ]; then
108+ echo "ERROR: baseline.json schema validation failed"
109+ exit 1
110+ fi
111+
82112 actions-security :
83113 name : Actions Security
84114 runs-on : ubuntu-latest
85115 steps :
86116 - name : Checkout
87- uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
117+ uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
118+ with :
119+ persist-credentials : false
88120
89121 - name : Install zizmor
90122 run : |
91- ZIZMOR_VERSION="1.5.0 "
123+ ZIZMOR_VERSION="1.23.1 "
92124 curl -sL "https://github.com/woodruffw/zizmor/releases/download/v${ZIZMOR_VERSION}/zizmor-x86_64-unknown-linux-gnu.tar.gz" -o /tmp/zizmor.tar.gz
93125 mkdir -p /tmp/zizmor-extract
94126 tar -xzf /tmp/zizmor.tar.gz -C /tmp/zizmor-extract
95- sudo mv /tmp/zizmor-extract/ zizmor /usr/local/bin/zizmor
127+ find /tmp/zizmor-extract -name zizmor -type f -exec sudo mv {} /usr/local/bin/zizmor \;
96128 chmod +x /usr/local/bin/zizmor
97129
98130 - name : Run zizmor
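Review bot: The zizmor tarball fetched by the `curl` at new line 124 is never integrity-checked, so the file's policy of pinning every action to a commit SHA stops at this step: whoever can replace that release asset controls a binary the job installs into `/usr/local/bin` and then executes. Pin the expected digest next to the version and verify it before extracting, e.g. `ZIZMOR_SHA256="<sha256 of zizmor-x86_64-unknown-linux-gnu.tar.gz for v${ZIZMOR_VERSION}>"` and `echo "${ZIZMOR_SHA256}  /tmp/zizmor.tar.gz" | sha256sum -c -` right after the download, and use `curl -fsSL` so an HTTP error page is not written to the file and handed on to `tar`. Separately, the label check in the new "Validate baseline schema" step runs `.labels[]` even when the preceding loop has just reported `labels` as missing; `jq` then errors on null, `LABEL_ERRORS` is empty, and the `-gt` test fails with a shell error instead of the step's own message — `[(.labels // [])[] | select(...)]` keeps the reporting intact. The "Run zizmor" step that consumes the binary begins at the end of this hunk and is not visible here.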