Add workflow-linter.yml prevention workflow #163
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SPDX-License-Identifier: MPL-2.0 | |
| # Prevention workflow - validates all workflows have proper security config | |
| name: Workflow Security Linter | |
| on: | |
| pull_request: | |
| paths: | |
| - '.github/workflows/**' | |
| push: | |
| paths: | |
| - '.github/workflows/**' | |
| permissions: read-all | |
| jobs: | |
| lint-workflows: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 | |
| - name: Check SPDX headers | |
| run: | | |
| errors=0 | |
| for f in .github/workflows/*.yml .github/workflows/*.yaml; do | |
| [ -f "$f" ] || continue | |
| if ! head -1 "$f" | grep -q "SPDX-License-Identifier"; then | |
| echo "ERROR: $f missing SPDX header" | |
| errors=$((errors + 1)) | |
| fi | |
| done | |
| exit $errors | |
| - name: Check permissions declaration | |
| run: | | |
| errors=0 | |
| for f in .github/workflows/*.yml .github/workflows/*.yaml; do | |
| [ -f "$f" ] || continue | |
| if ! grep -q "^permissions:" "$f"; then | |
| echo "ERROR: $f missing permissions declaration" | |
| errors=$((errors + 1)) | |
| fi | |
| done | |
| exit $errors | |
| - name: Check pinned actions | |
| run: | | |
| errors=0 | |
| for f in .github/workflows/*.yml .github/workflows/*.yaml; do | |
| [ -f "$f" ] || continue | |
| # Look for uses: without SHA | |
| if grep -E "uses:.*@v[0-9]" "$f" | grep -v "#"; then | |
| echo "WARNING: $f has unpinned actions (missing SHA comment)" | |
| fi | |
| done |