Skip to content

Conversation

@andrewvaughan
Copy link
Contributor

Fixes #3026

Proposed Changes

  1. Adds permissions: read-all to resolve Issue Reduce generated permissions to read-all at top level for generated workflow file #3026

  2. Resolves a logical error I found in some of the .mega-linter.yml files

Specifically, this:

VALIDATE_ALL_CODEBASE: >-
  ${{
    github.event_name == 'push' &&
    contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)
  }}

This is intended to match both refs/heads/main and refs/heads/master as a shorthand for an or-statement, but it will also match branches like refs/head/main-staging or refs/head/masterfoobar which isn't intended. I've reverted these to a proper, explicit or statement.

  1. Improved documentation and resources within .mega-linter.yml files

I have improved commenting within the configuration files to provide new users better resources
and information on what the files are for.

I've separated item 1 above from the rest into two commits, that way if the other changes are not of interest, we can just commit the permissions changes from issue #3026.

Readiness Checklist

Author/Contributor

  • Add entry to the CHANGELOG listing the change and linking to the corresponding issue (if appropriate)
  • If documentation is needed for this change, has that been included in this pull request

Reviewing Maintainer

  • Label as breaking if this is a large fundamental change
  • Label as either automation, bug, documentation, enhancement, infrastructure, or performance

@echoix echoix temporarily deployed to dev October 21, 2023 17:08 — with GitHub Actions Inactive
@echoix
Copy link
Collaborator

echoix commented Oct 21, 2023

Wow! I like that style! It's not rare to have questions from new users that would have needed these kind of hints, either on usage or configuration.

@rasa
Copy link
Contributor

rasa commented Oct 21, 2023

    contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)

... but it will also match branches like refs/head/main-staging or refs/head/masterfoobar which isn't intended.

With all due respect, not according to
https://docs.github.com/en/actions/learn-github-actions/expressions#contains
which says:
Returns true if search contains item. If search is an array, this function returns true if the item is an element in the array. If search is a string, this function returns true if the item is a substring of search. This function is not case sensitive. Casts values to a string.

Edit: Though

(github.ref == "refs/heads/main" || github.ref == "refs/heads/master")

works just as well, and is perhaps more readable.

@andrewvaughan
Copy link
Contributor Author

andrewvaughan commented Oct 21, 2023

Wow! I like that style! It's not rare to have questions from new users that would have needed these kind of hints, either on usage or configuration.

Thanks! If you like my documentation design, you might like my https://github.com/andrewvaughan/template-core project. I've been revamping it the past week or so.

@andrewvaughan
Copy link
Contributor Author

    contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)

... but it will also match branches like refs/head/main-staging or refs/head/masterfoobar which isn't intended.

With all due respect, not according to docs.github.com/en/actions/learn-github-actions/expressions#contains which says: Returns true if search contains item. If search is an array, this function returns true if the item is an element in the array. If search is a string, this function returns true if the item is a substring of search. This function is not case sensitive. Casts values to a string.

Edit: Though

(github.ref == "refs/heads/main" || github.ref == "refs/heads/master")

works just as well, and is perhaps more readable.

You're absolutely right and was a misunderstanding of how I understood contains( to work. I agree it's more readable and a better option then - but it'd be good for it to be consistent across the files (which it wasn't before). I will add a commit that updates it in a few.

@echoix
Copy link
Collaborator

echoix commented Oct 21, 2023

I think there will be missing to sync up the other files and I'll take a new look

@andrewvaughan
Copy link
Contributor Author

    contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)

... but it will also match branches like refs/head/main-staging or refs/head/masterfoobar which isn't intended.

With all due respect, not according to docs.github.com/en/actions/learn-github-actions/expressions#contains which says: Returns true if search contains item. If search is an array, this function returns true if the item is an element in the array. If search is a string, this function returns true if the item is a substring of search. This function is not case sensitive. Casts values to a string.
Edit: Though

(github.ref == "refs/heads/main" || github.ref == "refs/heads/master")

works just as well, and is perhaps more readable.

You're absolutely right and was a misunderstanding of how I understood contains( to work. I agree it's more readable and a better option then - but it'd be good for it to be consistent across the files (which it wasn't before). I will add a commit that updates it in a few.

I've been thinking on this further...

I think keeping the more readable version:

(github.ref == "refs/heads/main" || github.ref == "refs/heads/master")

Has one major benefit - it's super easy to understand what's going on there. I do quite a bit with GitHub Actions programming and even I missed exactly what was going on with the contains directive. My vote would be to keep it with an explicit || writing so people can extend it easily without having to look into what fromJSON and contains do (or make the mis-assumption like I did that contains is a string-based function and not an array-based function).

Either way, it's your call, but if you could please make a proposed change (if any) for the files as to how you'd like it to look, I'll accept them. Thanks!

@andrewvaughan
Copy link
Contributor Author

QQ for the maintainers - I haven't been super verbose with my commit message when accepting proposals. Do you want me to squash those commits when we've resolved all conversations, or is that something you'll manage during acceptance of the PR?

@echoix
Copy link
Collaborator

echoix commented Oct 22, 2023

It'll be a squashed commit at the end... so it doesn't really matter. You always could pre-squash them if you'd like, you'd be one of the first to do it, but the committing style hasn't been held to a high standard here yet.

@echoix
Copy link
Collaborator

echoix commented Oct 22, 2023

contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)

... but it will also match branches like refs/head/main-staging or refs/head/masterfoobar which isn't intended.

With all due respect, not according to docs.github.com/en/actions/learn-github-actions/expressions#contains which says: Returns true if search contains item. If search is an array, this function returns true if the item is an element in the array. If search is a string, this function returns true if the item is a substring of search. This function is not case sensitive. Casts values to a string.

Edit: Though

(github.ref == "refs/heads/main" || github.ref == "refs/heads/master")

works just as well, and is perhaps more readable.

You're absolutely right and was a misunderstanding of how I understood contains( to work. I agree it's more readable and a better option then - but it'd be good for it to be consistent across the files (which it wasn't before). I will add a commit that updates it in a few.

I've been thinking on this further...

I think keeping the more readable version:


(github.ref == "refs/heads/main" || github.ref == "refs/heads/master")

Has one major benefit - it's super easy to understand what's going on there. I do quite a bit with GitHub Actions programming and even I missed exactly what was going on with the contains directive. My vote would be to keep it with an explicit || writing so people can extend it easily without having to look into what fromJSON and contains do (or make the mis-assumption like I did that contains is a string-based function and not an array-based function).

Either way, it's your call, but if you could please make a proposed change (if any) for the files as to how you'd like it to look, I'll accept them. Thanks!

I agree with the second though, going with the explicit boolean expression that any programmer should be able to figure out without any docs.

@andrewvaughan
Copy link
Contributor Author

It'll be a squashed commit at the end... so it doesn't really matter. You always could pre-squash them if you'd like, you'd be one of the first to do it, but the committing style hasn't been held to a high standard here yet.

I'll let y'all do it so you can determine what messages are helpful and what aren't. My SDLc actually asks people not to pre-squash for that reason.

@andrewvaughan andrewvaughan force-pushed the bug/3026/checkov-CKV2_GHA_1 branch from febce26 to aa96d18 Compare October 31, 2023 16:57
@andrewvaughan andrewvaughan temporarily deployed to dev October 31, 2023 16:57 — with GitHub Actions Inactive
@andrewvaughan
Copy link
Contributor Author

Just rebased the branch from main given the latest release.

@echoix
Copy link
Collaborator

echoix commented Oct 31, 2023

contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)

... but it will also match branches like refs/head/main-staging or refs/head/masterfoobar which isn't intended.

With all due respect, not according to docs.github.com/en/actions/learn-github-actions/expressions#contains which says: Returns true if search contains item. If search is an array, this function returns true if the item is an element in the array. If search is a string, this function returns true if the item is a substring of search. This function is not case sensitive. Casts values to a string.

Edit: Though

(github.ref == "refs/heads/main" || github.ref == "refs/heads/master")

works just as well, and is perhaps more readable.

You're absolutely right and was a misunderstanding of how I understood contains( to work. I agree it's more readable and a better option then - but it'd be good for it to be consistent across the files (which it wasn't before). I will add a commit that updates it in a few.

I've been thinking on this further...
I think keeping the more readable version:


(github.ref == "refs/heads/main" || github.ref == "refs/heads/master")

Has one major benefit - it's super easy to understand what's going on there. I do quite a bit with GitHub Actions programming and even I missed exactly what was going on with the contains directive. My vote would be to keep it with an explicit || writing so people can extend it easily without having to look into what fromJSON and contains do (or make the mis-assumption like I did that contains is a string-based function and not an array-based function).
Either way, it's your call, but if you could please make a proposed change (if any) for the files as to how you'd like it to look, I'll accept them. Thanks!

I agree with the second though, going with the explicit boolean expression that any programmer should be able to figure out without any docs.

Cool, let's leave it as is, and that way they can add (or remove) any branches they need easily.

:Québec-Atlanta-High-Five:

I found out that we can use

github.ref == format('refs/heads/{0}', github.event.repository.default_branch)

instead of specifying what is the default branch in a or condition, What do you think?

Comment on lines +270 to +272
# Uncomment to disable copy-paste and spell checks
# DISABLE: COPYPASTE,SPELL

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# Uncomment to disable copy-paste and spell checks
# DISABLE: COPYPASTE,SPELL

To match mega-linter-runner/generators/mega-linter/templates/mega-linter.yml

The other file doesn't have these 3 lines. to discuss

Comment on lines +51 to +57
# By default, Megalinter runs whenever a Pull Request is opened with the default
# branch, or on any push.
#
# Later logic enforces a full code-wide test on only the `production` and
# `staging` Branches. The default Branch only has changed files linted for
# efficiency.
#
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is different from the template. The template has:

##
# This `env` section can be entirely removed or commented out if you do not wish
# for fixes to be applied during the MegaLinter run.
#
# More info at:
# https://docs.github.com/en/actions/learn-github-actions/contexts#env-context

@andrewvaughan
Copy link
Contributor Author

contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)

... but it will also match branches like refs/head/main-staging or refs/head/masterfoobar which isn't intended.

With all due respect, not according to docs.github.com/en/actions/learn-github-actions/expressions#contains which says: Returns true if search contains item. If search is an array, this function returns true if the item is an element in the array. If search is a string, this function returns true if the item is a substring of search. This function is not case sensitive. Casts values to a string.

Edit: Though

(github.ref == "refs/heads/main" || github.ref == "refs/heads/master")

works just as well, and is perhaps more readable.

You're absolutely right and was a misunderstanding of how I understood contains( to work. I agree it's more readable and a better option then - but it'd be good for it to be consistent across the files (which it wasn't before). I will add a commit that updates it in a few.

I've been thinking on this further...

I think keeping the more readable version:

(github.ref == "refs/heads/main" || github.ref == "refs/heads/master")

Has one major benefit - it's super easy to understand what's going on there. I do quite a bit with GitHub Actions programming and even I missed exactly what was going on with the contains directive. My vote would be to keep it with an explicit || writing so people can extend it easily without having to look into what fromJSON and contains do (or make the mis-assumption like I did that contains is a string-based function and not an array-based function).

Either way, it's your call, but if you could please make a proposed change (if any) for the files as to how you'd like it to look, I'll accept them. Thanks!

I agree with the second though, going with the explicit boolean expression that any programmer should be able to figure out without any docs.

Cool, let's leave it as is, and that way they can add (or remove) any branches they need easily.

:Québec-Atlanta-High-Five:

I found out that we can use

github.ref == format('refs/heads/{0}', github.event.repository.default_branch)

instead of specifying what is the default branch in a or condition, What do you think?

I had something like this originally, but read that default branch is not available in the if conditional section.

@echoix echoix temporarily deployed to dev October 31, 2023 23:38 — with GitHub Actions Inactive
@echoix
Copy link
Collaborator

echoix commented Oct 31, 2023

I had something like this originally, but read that default branch is not available in the if conditional section.

Oh, let me continue testing it myself in my fork, since some older stackoverflow posts are outdated, since has made some updates over time, ie it wasn't available for scheduled events, but it is now.

@echoix
Copy link
Collaborator

echoix commented Nov 21, 2023

/build

Command run output
Build command workflow started.
Installing dependencies
Running script ./build.sh
Build command workflow completed updating files.

- Fixes
- build.py: Remove exclusivity between pip, gem & cargo packages
- Salesforce linters: Switch sfdx-cli to @salesforce/cli
- Set default permissions to all workflows to `read-all` to increase security and prevent Checkov `CKV2_GHA_1` errors, by @andrewvaughan in [#3032](https://github.com/oxsecurity/megalinter/pull/3032)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should move back to next version

- Display list of articles from newest to oldest
- Fix incorrect environment variable in djlint docs
- Improve lychee documentation to add an example of `.lycheeignore`
- Improved commenting in `.mega-linter.yml` file to help new users configure the GitHub workflow more effectively
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should move to next version

megalinter-reports
mega-linter.log
# Set APPLY_FIXES_IF var for use in future steps
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please freshen this PR from main, so we don't undo #2957 's changes.

- name: Create Pull Request with applied fixes
uses: peter-evans/create-pull-request@v5
id: cpr
if: env.APPLY_FIXES_IF_PR == 'true'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Undoes #2957

labels: bot

- name: Create PR output
if: env.APPLY_FIXES_IF_PR == 'true'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Undoes #2957

# repository will have a new Pull Request created.
#
- name: Prepare commit
if: env.APPLY_FIXES_IF_COMMIT == 'true'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Undoes #2957

run: sudo chown -Rc $UID .git/

- name: Commit and push applied linter fixes
uses: stefanzweifel/git-auto-commit-action@v5
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please freshen from main, as the action's version is being downgraded from v5 to v4.

megalinter-reports
mega-linter.log
# Set APPLY_FIXES_IF var for use in future steps
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Undoes #2957

run: sudo chown -Rc $UID .git/

- name: Commit and push applied linter fixes
uses: stefanzweifel/git-auto-commit-action@v5
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please freshen from main per s/v5/v4/

FROM golang:alpine as dustilock
RUN GOBIN=/usr/bin go install github.com/checkmarx/[email protected]

FROM zricethezav/gitleaks:v8.18.1 as gitleaks
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please freshen from main per s/1/0/

megalinter-reports
mega-linter.log
# Set APPLY_FIXES_IF var for use in future steps
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Freshen this PR from main to avoid undoing #2957

@echoix
Copy link
Collaborator

echoix commented Nov 21, 2023

After #3143, I think we're finally ready to tackle this, as the last release is now done, and the needed fixes to main (and the docs) will be finished.

@nvuillam
Copy link
Member

nvuillam commented Dec 6, 2023

@echoix you can merge this one once you are confident of its content :) (looks promising but you investigated it more than i did ^^ )

@echoix
Copy link
Collaborator

echoix commented Dec 6, 2023

It will need a little manual work of fixing conflicts, and it seems a bad merge (or outdated starting point) reverted some changes of a previous PR.

As the potential breaking changes would be limited to new users generating a new workflow, I don't think it's really a problem, since there was nothing to break to begin with. If users would want to recreate their workflow by trying again and incorporating their changes back, it's ok, and that's how I expect a template generator to work.

@echoix
Copy link
Collaborator

echoix commented Dec 6, 2023

And a title that better describes what that PR ended up being :)

@Jayllyz
Copy link
Contributor

Jayllyz commented Feb 19, 2024

Any update on this fix ?
Waiting this PR to be merged to fix this one : #3049

@github-actions
Copy link
Contributor

This pull request has been automatically marked as stale because it has not had recent activity.
It will be closed in 14 days if no further activity occurs.
Thank you for your contributions.

If you think this pull request should stay open, please remove the O: stale 🤖 label or comment on the pull request.

@github-actions github-actions bot added the O: stale 🤖 This issue or pull request is stale, it will be closed if there is no activity label Feb 14, 2025
@github-actions github-actions bot closed this Feb 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

github_actions Pull requests that update Github_actions code O: stale 🤖 This issue or pull request is stale, it will be closed if there is no activity

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Reduce generated permissions to read-all at top level for generated workflow file

5 participants