diff --git a/.github/actionlint-matcher.json b/.github/actionlint-matcher.json new file mode 100644 index 0000000..4613e16 --- /dev/null +++ b/.github/actionlint-matcher.json @@ -0,0 +1,17 @@ +{ + "problemMatcher": [ + { + "owner": "actionlint", + "pattern": [ + { + "regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$", + "file": 1, + "line": 2, + "column": 3, + "message": 4, + "code": 5 + } + ] + } + ] +} diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml new file mode 100644 index 0000000..b24efa8 --- /dev/null +++ b/.github/actionlint.yaml @@ -0,0 +1,22 @@ +self-hosted-runner: + # Labels of self-hosted runner in array of strings. + labels: [] + +# Configuration variables in array of strings defined in your repository or +# organization. `null` means disabling configuration variables check. +# Empty array means no configuration variable is allowed. +config-variables: null + +# Configuration for file paths. The keys are glob patterns to match to file +# paths relative to the repository root. The values are the configurations for +# the file paths. Note that the path separator is always '/'. +# The following configurations are available. +# +# "ignore" is an array of regular expression patterns. Matched error messages +# are ignored. This is similar to the "-ignore" command line option. +paths: + .github/workflows/**/*.{yml,yaml}: + # List of regular expressions to filter errors by the error messages. + ignore: + # Ignore the specific error from shellcheck + - 'shellcheck reported issue in this script: SC2129:.+' diff --git a/.github/workflows/claude-org-wide.yml b/.github/workflows/claude-org-wide.yml index 549a426..847b13d 100644 --- a/.github/workflows/claude-org-wide.yml +++ b/.github/workflows/claude-org-wide.yml @@ -49,7 +49,8 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 60 permissions: - contents: read + contents: write + pull-requests: write strategy: fail-fast: false max-parallel: 10 @@ -86,9 +87,10 @@ jobs: COMMENT_BODY: ${{ github.event.comment.body }} run: | REQUEST=$(echo "$COMMENT_BODY" | sed 's|@phpstan-bot||g' | sed 's/^[[:space:]]*//') - echo "request<> "$GITHUB_OUTPUT" + delimiter="$(openssl rand -hex 16)" + echo "request<<${delimiter}" >> "$GITHUB_OUTPUT" echo "$REQUEST" >> "$GITHUB_OUTPUT" - echo "EOF" >> "$GITHUB_OUTPUT" + echo "${delimiter}" >> "$GITHUB_OUTPUT" - name: "Run Claude Code on repository" uses: anthropics/claude-code-action@v1 diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml new file mode 100644 index 0000000..c9e4e5b --- /dev/null +++ b/.github/workflows/lint-workflows.yml @@ -0,0 +1,41 @@ +name: Lint GitHub Actions workflows +on: + pull_request: + push: + branches: + - "main" + +permissions: {} + +jobs: + actionlint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + - name: Check workflow files + run: | + echo "::add-matcher::.github/actionlint-matcher.json" + bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) + ./actionlint -color + shell: bash + + octoscan: + name: Octoscan + runs-on: ubuntu-latest + permissions: + security-events: write # Required for codeql-action/upload-sarif to upload SARIF files. + timeout-minutes: 10 + steps: + - uses: actions/checkout@v6 + - name: Run octoscan + id: octoscan + uses: synacktiv/action-octoscan@v1 + with: + filter_triggers: '' + + - name: Upload SARIF file to GitHub + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: "${{steps.octoscan.outputs.sarif_output}}" + category: octoscan + wait-for-processing: false