jared
407e66e499
- !help Games section now includes !guess - !8ball description mentions --debug flag - pip-audit now scans only requirements.txt instead of --local (which was flagging CVE-2026-3219 in pip itself, not our dependencies) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
93 lines
2.8 KiB
YAML
93 lines
2.8 KiB
YAML
name: Lint
|
|
|
|
on:
|
|
push:
|
|
branches: ["**"]
|
|
pull_request:
|
|
branches: ["**"]
|
|
|
|
jobs:
|
|
shell-lint:
|
|
name: Shell (shellcheck)
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
|
|
- name: Install shellcheck
|
|
run: apt-get update -qq && apt-get install -y -qq shellcheck
|
|
|
|
- name: Run shellcheck
|
|
run: find . -name "*.sh" -exec shellcheck {} +
|
|
|
|
js-lint:
|
|
name: JS (eslint)
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
|
|
- name: Install ESLint
|
|
run: npm install --save-dev eslint@8
|
|
|
|
- name: Run ESLint
|
|
run: npx eslint --ext .js hookshot/
|
|
|
|
python-lint:
|
|
name: Python (ruff)
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
|
|
- name: Install ruff
|
|
run: |
|
|
curl -sSL https://github.com/astral-sh/ruff/releases/download/0.8.6/ruff-x86_64-unknown-linux-gnu.tar.gz \
|
|
| tar -xz --strip-components=1
|
|
mv ruff /usr/local/bin/ruff
|
|
|
|
- name: Check syntax errors
|
|
run: ruff check matrixbot/ --select E9,F63,F7,F82 --output-format=github
|
|
|
|
- name: Run full lint
|
|
run: ruff check matrixbot/ --output-format=github
|
|
|
|
python-audit:
|
|
name: Python deps (pip-audit)
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
|
|
- name: Install Python 3.10 and pip-audit
|
|
run: |
|
|
# Debian Bullseye only ships Python 3.9; use a prebuilt standalone binary
|
|
curl -sSL "https://github.com/indygreg/python-build-standalone/releases/download/20241002/cpython-3.10.15+20241002-x86_64-unknown-linux-gnu-install_only.tar.gz" \
|
|
| tar -xz -C /opt
|
|
/opt/python/bin/pip install --upgrade pip setuptools
|
|
/opt/python/bin/pip install pip-audit
|
|
|
|
- name: Audit matrixbot dependencies
|
|
# Audit only our declared dependencies, not pip-audit itself or pip
|
|
run: /opt/python/bin/pip-audit -r matrixbot/requirements.txt
|
|
|
|
secret-scan:
|
|
name: Secret scan (gitleaks)
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Install gitleaks
|
|
run: |
|
|
curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
|
|
| tar -xz gitleaks
|
|
mv gitleaks /usr/local/bin/gitleaks
|
|
|
|
- name: Scan for secrets
|
|
run: |
|
|
# Scan application code directories — deploy/ is excluded because
|
|
# it contains intentional Gitea webhook HMAC secrets in hooks-lxc*.json
|
|
for dir in matrixbot/ hookshot/ .gitea/ systemd/ cinny/ landing/; do
|
|
[ -d "$dir" ] || continue
|
|
gitleaks detect --source "$dir" --no-git --config .gitleaks.toml \
|
|
--redact --exit-code 1
|
|
done
|