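---
# Lint workflow: runs shellcheck, ESLint, ruff, pip-audit and gitleaks on
# every push and pull request, for all branches.
name: Lint

on:
  push:
    branches: ["**"]
  pull_request:
    branches: ["**"]

# Least privilege: every job below only reads the repository, so the
# workflow token is limited to read-only access to repository contents.
permissions:
  contents: read

jobs:
  shell-lint:
    name: Shell (shellcheck)
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): `@v3` is a mutable tag; pinning actions to a full
      # commit SHA protects against a retargeted tag. Applies to every
      # checkout step in this file.
      - uses: actions/checkout@v3
        with:
          # No step pushes or fetches again, so the token is not left in
          # .git/config where later steps could read it.
          persist-credentials: false
      - name: Install shellcheck
        run: apt-get update -qq && apt-get install -y -qq shellcheck
      - name: Run shellcheck
        run: find . -name "*.sh" -exec shellcheck {} +

  js-lint:
    name: JS (eslint)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          persist-credentials: false
      - name: Install ESLint
        # Only the major version is pinned, so the exact ESLint release
        # (and its dependency tree) is resolved at run time.
        run: npm install --save-dev eslint@8
      - name: Run ESLint
        run: npx eslint --ext .js hookshot/

  python-lint:
    name: Python (ruff)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          persist-credentials: false
      - name: Install ruff
        # The release archive is extracted and installed without an
        # integrity check. TODO: download to a file and verify it against
        # a pinned SHA-256 (<EXPECTED_SHA256>, taken from the release page)
        # before extracting.
        # `-f` makes curl fail on an HTTP error instead of piping an error
        # page into tar.
        # NOTE(review): confirm this archive stores the binary at the top
        # level as `ruff`; otherwise the member name given to tar must
        # change.
        run: |
          curl -fsSL https://github.com/astral-sh/ruff/releases/download/0.8.6/ruff-x86_64-unknown-linux-gnu.tar.gz \
            | tar -xz ruff
          mv ruff /usr/local/bin/ruff
      - name: Check syntax errors
        # Narrow rule selection first, so syntax-level failures are
        # reported on their own before the full lint.
        run: ruff check matrixbot/ --select E9,F63,F7,F82 --output-format=github
      - name: Run full lint
        run: ruff check matrixbot/ --output-format=github

  python-audit:
    name: Python deps (pip-audit)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          persist-credentials: false
      - name: Install pip-audit
        # pip-audit is installed unpinned, unlike ruff and gitleaks, so the
        # auditing tool itself can change between runs.
        run: |
          apt-get update -qq && apt-get install -y -qq python3-pip python3-venv
          python3 -m pip install pip-audit
      - name: Audit matrixbot dependencies
        run: python3 -m pip_audit -r matrixbot/requirements.txt

  secret-scan:
    name: Secret scan (gitleaks)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          # Full history, so gitleaks scans every commit rather than only
          # the tip.
          fetch-depth: 0
          persist-credentials: false
      - name: Install gitleaks
        # Same caveat as the ruff install: no integrity check on the
        # archive. TODO: verify it against a pinned SHA-256
        # (<EXPECTED_SHA256>) before extracting.
        run: |
          curl -fsSL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
            | tar -xz gitleaks
          mv gitleaks /usr/local/bin/gitleaks
      - name: Scan for secrets
        # --redact keeps matched secret values out of the job log.
        # Findings listed in the baseline file are not reported again, so
        # changes to .gitleaks-baseline.json deserve review like any other
        # suppression list.
        run: |
          gitleaks detect --source . --redact --exit-code 1 \
            --baseline-path .gitleaks-baseline.json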