Skip to content

ci(deps-dev): bump the python-workflow-tools group in /tools/github-workflow-tools with 2 updates #83

ci(deps-dev): bump the python-workflow-tools group in /tools/github-workflow-tools with 2 updates

ci(deps-dev): bump the python-workflow-tools group in /tools/github-workflow-tools with 2 updates #83

Workflow file for this run

name: PRs Review
on:
pull_request:
types: [opened, reopened, synchronize, ready_for_review]
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
reviewdog-actionlint:
name: reviewdog (actionlint)
runs-on: ubuntu-latest
permissions:
pull-requests: write # Required to post review comments
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: false # actionlint needs to run in a container
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: actionlint with reviewdog
uses: reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # v1.72.0
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
reporter: github-pr-review
filter_mode: added
fail_level: error
level: warning
reviewdog-ruff:
name: reviewdog (ruff)
runs-on: ubuntu-latest
permissions:
pull-requests: write # Required to post review comments
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
raw.githubusercontent.com:443
files.pythonhosted.org:443
github.com:443
pypi.org:443
release-assets.githubusercontent.com:443
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
- name: Setup reviewdog
uses: reviewdog/action-setup@d8a7baabd7f3e8544ee4dbde3ee41d0011c3a93f # v1.5.0
- name: ruff with reviewdog
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
uv run --project tools/github-workflow-tools --group reviewdog-ruff ruff check .github/scripts --output-format=rdjson \
| reviewdog -f=rdjson -name="ruff" -reporter=github-pr-review -filter-mode=added -fail-level=error
reviewdog-shellcheck:
name: reviewdog (shellcheck)
runs-on: ubuntu-latest
permissions:
pull-requests: write # Required to post review comments
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: false # require sudo to install shellcheck
egress-policy: block
allowed-endpoints: >
*.archive.ubuntu.com:80
api.github.com:443
esm.ubuntu.com:443
github.com:443
release-assets.githubusercontent.com:443
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup reviewdog
uses: reviewdog/action-setup@d8a7baabd7f3e8544ee4dbde3ee41d0011c3a93f # v1.5.0
- name: Install shellcheck
run: sudo apt-get update && sudo apt-get install -y shellcheck
- name: shellcheck with reviewdog
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
shell: bash
run: |
files="$(git ls-files '*.sh')"
if [[ -z "${files}" ]]; then
echo "No shell scripts to check."
exit 0
fi
git ls-files '*.sh' | xargs shellcheck -f checkstyle \
| reviewdog -f=checkstyle -name="shellcheck" -reporter=github-pr-review -filter-mode=added -fail-level=error
reviewdog-prek:
name: reviewdog (prek)
runs-on: ubuntu-latest
permissions:
pull-requests: write # Required to post review comments
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: true
egress-policy: block
allowed-endpoints: >
github.com:443
api.github.com:443
release-assets.githubusercontent.com:443
raw.githubusercontent.com:443
proxy.golang.org:443
dl.google.com:443
storage.googleapis.com:443
files.pythonhosted.org:443
pypi.org:443
go.dev:443
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Set up Java
uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5.4.0
with:
distribution: temurin
java-version: "21"
- name: Set up uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
- name: Run prek
id: prek
continue-on-error: true
env:
# poutine has a dedicated job in ci-guardrails.yml.
# unit-tests/integration-tests are pre-push hooks and covered by ci.yml.
# actionlint/ruff/shellcheck have dedicated reviewdog jobs above.
# zizmor has a dedicated job in ci-guardrails.yml (with SARIF upload).
# check-pom-consistency/check-hook-revisions-frozen have dedicated jobs in ci-guardrails.yml.
# markdownlint has a dedicated reviewdog job above.
SKIP: poutine,unit-tests,integration-tests,actionlint,ruff,shellcheck,zizmor,check-pom-consistency,check-hook-revisions-frozen,markdownlint
run: uv run --project tools/github-workflow-tools --group prek prek run --all-files --show-diff-on-failure
- name: Suggest fixes with reviewdog
if: ${{ always() }}
uses: reviewdog/action-suggester@2558ba17e65a9039e73764a73009fc05fef28a46 # v1.24.3
with:
tool_name: prek
fail_on_error: "false"
- name: Fail if prek found issues
if: ${{ steps.prek.outcome == 'failure' }}
shell: bash
run: |
echo "::error::Prek checks failed. Run locally: prek run --all-files"
exit 1
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write # Required to post comments
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
api.deps.dev:443
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Dependency Review
uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
with:
config-file: ./.github/dependency-review-config.yml
reviewdog-markdownlint:
name: reviewdog (markdownlint)
runs-on: ubuntu-latest
permissions:
pull-requests: write # Required to post review comments
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: false # markdownlint needs to run in a container
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: markdownlint with reviewdog
uses: reviewdog/action-markdownlint@844fd04b127b0d78328653f182d32988ad41d3d7 # v0.27.0
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
reporter: github-pr-review
filter_mode: added
fail_level: error
level: warning