chore: standardize GitHub Actions workflows #87
Standardize pinned GitHub Actions versions across lint, spellcheck, and update workflows while preserving repository-specific behavior. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@copilot fix the linting issues, use
Agent-Logs-Url: https://github.com/electrocucaracha/bmaas/sessions/4082a456-d67d-4449-9264-686ef8810ad0 Co-authored-by: electrocucaracha <2782150+electrocucaracha@users.noreply.github.com>
Fixed in 23fd282. The yamllint warnings about "too few spaces before comment" were caused by single-space separators before the
Agent-Logs-Url: https://github.com/electrocucaracha/bmaas/sessions/382bd557-9c4e-4202-a73c-3f9e6e8da525 Co-authored-by: electrocucaracha <2782150+electrocucaracha@users.noreply.github.com>
- Add persist-credentials: false to all checkout steps (artipacked) - Replace permissions: read-all with minimal explicit permissions in ci.yml, linter.yml, spell.yml - Move contents/pull-requests write permissions to job level in update.yml (excessive-permissions) - Suppress secrets-outside-env for WORKFLOW_TOKEN in update.yml - Add gitleaks:allow to tinkerbell/deploy.sh false positive - Run prettier to fix YAML formatting in all affected workflow files Agent-Logs-Url: https://github.com/electrocucaracha/bmaas/sessions/8c1c69d8-ea31-4c4e-bda7-6eb784822079 Co-authored-by: electrocucaracha <2782150+electrocucaracha@users.noreply.github.com>
Agent-Logs-Url: https://github.com/electrocucaracha/bmaas/sessions/9cf8ee63-1d48-4d6c-928e-120fe7fbf661 Co-authored-by: electrocucaracha <2782150+electrocucaracha@users.noreply.github.com>
- BIOME_FORMAT: convert bifrost/testvm.json, mlc_config.json, tinkerbell/testvm.json
from 2-space to tab indentation using biome formatter
- EDITORCONFIG: remove EDITORCONFIG_FILE_NAME env var from linter.yml that caused
ec to parse the INI-format .editorconfig as a JSON config file
- ENV: reorder tinkerbell/defaults.env TINKERBELL_* keys alphabetically (CERT_URL,
CERTS_PATH, GRPC_AUTHORITY, HOST_IP, HOST_NAME) and add dotenv-linter:off/on
SubstitutionKey blocks around ${VAR:-default} patterns
- GITHUB_ACTIONS_ZIZMOR: move statuses:write to check-super-linter job level in
linter.yml; move checks:write and pull-requests:write to check-reviewdog job
level in spell.yml
Agent-Logs-Url: https://github.com/electrocucaracha/bmaas/sessions/9cf8ee63-1d48-4d6c-928e-120fe7fbf661
Co-authored-by: electrocucaracha <2782150+electrocucaracha@users.noreply.github.com>
Agent-Logs-Url: https://github.com/electrocucaracha/bmaas/sessions/f899d6f9-431c-420b-9304-7d73461dc2c7 Co-authored-by: electrocucaracha <2782150+electrocucaracha@users.noreply.github.com>
Pull request overview
Standardizes GitHub Actions workflow action pinning and permissions to align with owner-wide conventions, while keeping repository-specific validations intact.
Changes:
- Updates multiple workflows to use standardized pinned action revisions and more granular permissions.
- Adds a biome.json formatter configuration.
- Adjusts Tinkerbell deployment/env files to satisfy linters/secret scanners.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| tinkerbell/deploy.sh | Adds a gitleaks suppression annotation on the local-registry curl auth check. |
| tinkerbell/defaults.env | Reorders/annotates env exports with dotenv-linter directives. |
| biome.json | Introduces Biome formatter configuration. |
| .github/workflows/update.yml | Tightens permissions and updates pinned action revisions; checkout uses persist-credentials: false. |
| .github/workflows/spell.yml | Updates pinned action revisions and job permissions; checkout uses persist-credentials: false. |
| .github/workflows/linter.yml | Updates pinned action revisions, permissions, and switches link-check + super-linter action references. |
| .github/workflows/ci.yml | Tightens top-level permissions and sets persist-credentials: false on checkout steps. |
Agent-Logs-Url: https://github.com/electrocucaracha/bmaas/sessions/c039fa9a-c96f-42c0-9a91-5e257311c524 Co-authored-by: electrocucaracha <2782150+electrocucaracha@users.noreply.github.com>
@copilot apply changes based on the comments in this thread
…oy.sh; fix yamllint spacing in ci.yml Agent-Logs-Url: https://github.com/electrocucaracha/bmaas/sessions/368fc335-1a10-477e-9bf4-aebcaecc12a2 Co-authored-by: electrocucaracha <2782150+electrocucaracha@users.noreply.github.com>
Applied in 7a14f3e:
Agent-Logs-Url: https://github.com/electrocucaracha/bmaas/sessions/e48bb7e5-6e64-4d0c-b82c-a401ffdf04d4 Co-authored-by: electrocucaracha <2782150+electrocucaracha@users.noreply.github.com>
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 | ||
| with: | ||
| persist-credentials: false | ||
| # Fine-grained PAT with contents:write and workflows:write scopes | ||
| token: ${{ secrets.WORKFLOW_TOKEN }} | ||
| token: ${{ secrets.WORKFLOW_TOKEN }} # zizmor: ignore[secrets-outside-env] | ||
| - uses: technote-space/create-pr-action@91114507cf92349bec0a9a501c2edf1635427bc5 # 2.1.4 |
actions/checkout is configured with persist-credentials: false, so the WORKFLOW_TOKEN provided to checkout will not be persisted in the git remote credentials. The subsequent technote-space/create-pr-action step is not passed this token, so it may be unable to git push the commit (especially if it needs the fine-grained PAT scopes mentioned in the comment). Consider either removing persist-credentials: false for this job, or explicitly providing WORKFLOW_TOKEN to create-pr-action (and/or configuring the git remote) so the push/PR creation reliably uses the intended credentials.
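As an added illustration of the fix the comment above suggests (this is example code, not from the bmaas repository or from the create-pr-action project): a job that keeps `persist-credentials: false` on checkout and instead hands the token to the push step explicitly through `env`, using the same `http.extraheader` mechanism actions/checkout itself uses so nothing is written to `.git/config`. The job name, the `update.sh` script, the branch name, the schedule and the scopes of `secrets.WORKFLOW_TOKEN` are assumptions.

```yaml
# Added example (not from the repository): push with an explicit token while
# keeping persist-credentials: false on the checkout step.
name: update
on:
  schedule:
    - cron: "0 6 * * 1" # assumed schedule
  workflow_dispatch:

jobs:
  update:
    runs-on: ubuntu-latest
    # Job-level, minimal permissions for the default GITHUB_TOKEN.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
        with:
          persist-credentials: false # no credential is left in .git/config
      - name: Make the update
        run: ./update.sh # assumed script that edits tracked files
      - name: Commit, push and open a pull request
        env:
          # The token reaches git and gh only through the environment, which is
          # what the secrets-outside-env finding asks for; it is not an action input.
          GH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }} # assumed PAT with contents:write and pull-requests:write
          BRANCH: chore/automated-update # assumed branch name
        run: |
          set -euo pipefail
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git checkout -b "$BRANCH"
          git add -A
          if git diff --cached --quiet; then
            echo "nothing to update"
            exit 0
          fi
          git commit -m "chore: automated update"
          # Same Authorization header actions/checkout uses, passed per command
          # with -c so it is never persisted in the repository config.
          auth="$(printf 'x-access-token:%s' "$GH_TOKEN" | base64 | tr -d '\n')"
          git -c "http.https://github.com/.extraheader=AUTHORIZATION: basic ${auth}" \
            push origin "HEAD:${BRANCH}"
          # gh reads GH_TOKEN from the environment.
          gh pr create --fill --head "$BRANCH" --base "${GITHUB_REF_NAME}"
```

The design choice is that the PAT is scoped to one step and one process tree: a later step, or a third-party action in the same job, cannot read it back out of the checkout the way it could with persisted credentials.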
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 | ||
| with: | ||
| persist-credentials: false | ||
| - uses: technote-space/create-pr-action@91114507cf92349bec0a9a501c2edf1635427bc5 # 2.1.4 |
This job runs create-pr-action but actions/checkout is set to persist-credentials: false and no explicit token is provided for pushing changes. If create-pr-action relies on the checkout step’s persisted credentials for git push, it will fail. Either allow checkout to persist credentials for this job or pass an explicit token/remote configuration that create-pr-action can use to push.
| - name: Check broken links | ||
| uses: gaurav-nelson/github-action-markdown-link-check@636e17b35a5803e014b7272d9e46a8262705416a # 1.0.16 | ||
| uses: tcort/github-action-markdown-link-check@e7c7a18363c842693fadde5d41a3bd3573a7a225 # 1.1.2 |
This changes the markdown link checker action implementation (from gaurav-nelson/github-action-markdown-link-check to tcort/github-action-markdown-link-check). Since the PR description says workflow behavior should be preserved, please verify the new action’s defaults/config match the previous behavior (e.g., config file discovery, fail-on-error behavior) or add equivalent configuration inputs to keep results consistent.
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 | ||
| with: | ||
| fetch-depth: 0 | ||
| persist-credentials: false | ||
| - uses: super-linter/super-linter@9e863354e3ff62e0727d37183162c4a88873df41 # 8.6.0 |
This upgrades Super Linter from the previous major version (v7) to 8.6.0 and switches the action owner (github/super-linter -> super-linter/super-linter). Major version upgrades can change enabled linters/rules and therefore lint results. If the intent is to preserve existing behavior, consider pinning to the prior major or reviewing and adjusting configuration to keep output stable.
| { | ||
| "$schema": "https://biomejs.dev/schemas/1.9.4/schema.json", | ||
| "formatter": { | ||
| "indentStyle": "space", | ||
| "indentWidth": 2 | ||
| } | ||
| } |
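Review bot: the formatter settings here ("indentStyle": "space", "indentWidth": 2) conflict with the earlier commit in this PR that converted bifrost/testvm.json, mlc_config.json and tinkerbell/testvm.json from 2-space to tab indentation using the Biome formatter; with this config Biome will reformat those files back to two spaces, so confirm those files were run through the formatter again in the same change so that Biome and the Prettier fmt target agree on indentation.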
biome.json is added, but the repo’s formatting automation currently uses Prettier (Makefile target fmt) and there are no other references to Biome in the repo. If Biome isn’t actually used by CI/tooling here, consider removing this file to avoid confusion, or wire Biome into the formatting workflow/documentation so it’s clear why it exists.