Skip to content

oh my goodCreate SECURITY.md #25198

oh my goodCreate SECURITY.md

oh my goodCreate SECURITY.md #25198

name: Lint and review content files
on:
pull_request_target:
branches:
- main
paths:
- "**/*.md"
permissions:
pull-requests: write
concurrency:
group: ci-${{ github.workflow }}-${{ github.event.pull_request.number }}
cancel-in-progress: true
jobs:
lint-and-review-docs:
# do not run on PRs in forks
if: github.repository == 'mdn/translated-content'
runs-on: ubuntu-latest
steps:
- name: Checkout BASE
uses: actions/checkout@v4
- name: Get changed files
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
BASE_SHA: ${{ github.event.pull_request.base.sha }}
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
run: |
# Use the GitHub API to get the list of changed files
# documentation: https://docs.github.com/rest/commits/commits#compare-two-commits
DIFF_DOCUMENTS=$(gh api repos/{owner}/{repo}/compare/${BASE_SHA}...${HEAD_SHA} \
--jq '.files | .[] | select(.status|IN("added", "modified", "renamed", "copied", "changed")) | .filename')
# filter out files that are not markdown
DIFF_DOCUMENTS=$(echo "${DIFF_DOCUMENTS}" | egrep -i ".*\.md$" | xargs)
echo "DIFF_DOCUMENTS=${DIFF_DOCUMENTS}" >> $GITHUB_ENV
- name: Checkout HEAD
if: ${{ env.DIFF_DOCUMENTS }}
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
path: pr_head
- name: Get changed content from HEAD
if: ${{ env.DIFF_DOCUMENTS }}
run: |
git config --global user.email "[email protected]"
git config --global user.name "mdn-bot"
rm -r files docs *.md
mv pr_head/files pr_head/docs pr_head/*.md .
rm -r pr_head
# To avoid contents of PR getting into the diff that we are going to generate
# after running the linters, here we make a dummy commit.
# Note, this commit is not getting pushed.
git add .
git commit -m "Code from PR head"
- uses: actions/checkout@v4
if: ${{ env.DIFF_DOCUMENTS }}
with:
repository: mdn/content
path: mdn/content
- name: Setup Node.js environment
if: ${{ env.DIFF_DOCUMENTS }}
uses: actions/setup-node@v4
with:
node-version-file: ".nvmrc"
cache: yarn
cache-dependency-path: |
mdn/content/yarn.lock
yarn.lock
- name: Install all yarn packages for mdn/translated-content
if: ${{ env.DIFF_DOCUMENTS }}
run: yarn --frozen-lockfile
- name: Install all yarn packages for mdn/content
if: ${{ env.DIFF_DOCUMENTS }}
working-directory: ${{ github.workspace }}/mdn/content
run: yarn --frozen-lockfile
env:
# https://github.com/microsoft/vscode-ripgrep#github-api-limit-note
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Lint and format markdown files
if: ${{ env.DIFF_DOCUMENTS }}
run: |
# Generate random delimiter
# https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings
EOF="$(openssl rand -hex 8)"
files_to_lint="${DIFF_DOCUMENTS}"
echo "Running markdownlint --fix"
MD_LINT_FAILED=false
MD_LINT_LOG=$(yarn markdownlint-cli2 --fix ${files_to_lint} 2>&1) || MD_LINT_FAILED=true
echo "MD_LINT_LOG<<${EOF}" >> $GITHUB_ENV
echo "${MD_LINT_LOG}" >> $GITHUB_ENV
echo "${EOF}" >> $GITHUB_ENV
echo "MD_LINT_FAILED=${MD_LINT_FAILED}" >> $GITHUB_ENV
echo "Linting front-matter"
FM_LINT_FAILED=false
# absolute_paths is needed because front-matter linter is run from mdn/content directory
absolute_paths=$(echo "${files_to_lint}" | xargs realpath -e | xargs)
FM_LINT_LOG=$(cd ${{ github.workspace }}/mdn/content && yarn fix:fm --config-file ${{ github.workspace }}/front-matter-config.json ${absolute_paths} 2>&1) || FM_LINT_FAILED=true
echo "FM_LINT_LOG<<${EOF}" >> $GITHUB_ENV
echo "${FM_LINT_LOG}" >> $GITHUB_ENV
echo "${EOF}" >> $GITHUB_ENV
echo "FM_LINT_FAILED=${FM_LINT_FAILED}" >> $GITHUB_ENV
echo "Running url locale checker"
node ./scripts/check-url-locale.js --fix ${files_to_lint}
echo "Running autocorrect"
yarn autocorrect --fix ${files_to_lint}
echo "Running Prettier"
yarn prettier -w ${files_to_lint}
if [[ -n $(git diff) ]]; then
echo "FILES_MODIFIED=true" >> $GITHUB_ENV
fi
# info for troubleshooting
echo MD_LINT_FAILED=${MD_LINT_FAILED}
echo FM_LINT_FAILED=${FM_LINT_FAILED}
git diff
- name: Setup reviewdog
if: env.FILES_MODIFIED == 'true' || env.MD_LINT_FAILED == 'true'
uses: reviewdog/action-setup@v1
with:
reviewdog_version: latest
- name: Suggest changes using diff
if: env.FILES_MODIFIED == 'true'
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
TMPFILE=$(mktemp)
git diff >"${TMPFILE}"
git stash -u && git stash drop
reviewdog \
-name="mdn-linter" \
-f=diff \
-f.diff.strip=1 \
-filter-mode=diff_context \
-reporter=github-pr-review < "${TMPFILE}"
- name: Add reviews for markdownlint errors
if: env.MD_LINT_FAILED == 'true'
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
echo "${MD_LINT_LOG}" | \
reviewdog \
-efm="%f:%l:%c %m" \
-efm="%f:%l %m" \
-name="markdownlint" \
-diff="git diff" \
-reporter="github-pr-review"
- name: Fail if any issues pending
if: env.FILES_MODIFIED == 'true' || env.MD_LINT_FAILED == 'true' || env.FM_LINT_FAILED == 'true'
run: |
echo -e "\nLogs from markdownlint:"
echo "${MD_LINT_LOG}"
echo -e "\nLogs from front-matter linter:"
echo "${FM_LINT_LOG}"
echo -e "\nPlease fix all the linting issues mentioned in above logs and in the review comments."
exit 1