LotusGuild/matrix
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3ed15de5ce40e50fe534d8db851a1850accc326a
matrix/.gitea/workflows/lint.yml
T
jared 8effb24761
Lint / Shell (shellcheck) (push) Successful in 8s
Details
Lint / JS (eslint) (push) Successful in 7s
Details
Lint / Python (ruff) (push) Successful in 5s
Details
Lint / Python deps (pip-audit) (push) Successful in 48s
Details
Lint / Secret scan (gitleaks) (push) Successful in 5s
Details
ci: fix pip-audit — restore --local, explicitly ignore pip's own CVE 
-r requirements.txt causes pip-audit to spawn an internal venv which
calls ensurepip, failing with exit 127 on the standalone Python build.
--local avoids the venv. CVE-2026-3219 is in pip itself (not our deps)
so we ignore it explicitly with --ignore-vuln.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-26 15:46:16 -04:00

96 lines
3.1 KiB
YAML
Raw Blame History

name: Lint
on:
push:
branches: ["**"]
pull_request:
branches: ["**"]
jobs:
shell-lint:
name: Shell (shellcheck)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install shellcheck
run: apt-get update -qq && apt-get install -y -qq shellcheck
- name: Run shellcheck
run: find . -name "*.sh" -exec shellcheck {} +
js-lint:
name: JS (eslint)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install ESLint
run: npm install --save-dev eslint@8
- name: Run ESLint
run: npx eslint --ext .js hookshot/
python-lint:
name: Python (ruff)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install ruff
run: |
curl -sSL https://github.com/astral-sh/ruff/releases/download/0.8.6/ruff-x86_64-unknown-linux-gnu.tar.gz \
| tar -xz --strip-components=1
mv ruff /usr/local/bin/ruff
- name: Check syntax errors
run: ruff check matrixbot/ --select E9,F63,F7,F82 --output-format=github
- name: Run full lint
run: ruff check matrixbot/ --output-format=github
python-audit:
name: Python deps (pip-audit)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install Python 3.10 and pip-audit
run: |
# Debian Bullseye only ships Python 3.9; use a prebuilt standalone binary
curl -sSL "https://github.com/indygreg/python-build-standalone/releases/download/20241002/cpython-3.10.15+20241002-x86_64-unknown-linux-gnu-install_only.tar.gz" \
| tar -xz -C /opt
# Install bot deps + pip-audit into the same env; --local below avoids
# pip-audit creating an internal venv (ensurepip fails on standalone builds)
/opt/python/bin/pip install --upgrade pip setuptools
/opt/python/bin/pip install pip-audit -r matrixbot/requirements.txt
- name: Audit matrixbot dependencies
# --local scans the env without spawning a venv (required for standalone Python)
# CVE-2026-3219 is in pip itself, not our code — ignore it explicitly
run: /opt/python/bin/pip-audit --local --ignore-vuln CVE-2026-3219
secret-scan:
name: Secret scan (gitleaks)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Install gitleaks
run: |
curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
| tar -xz gitleaks
mv gitleaks /usr/local/bin/gitleaks
- name: Scan for secrets
run: |
# Scan application code directories — deploy/ is excluded because
# it contains intentional Gitea webhook HMAC secrets in hooks-lxc*.json
for dir in matrixbot/ hookshot/ .gitea/ systemd/ cinny/ landing/; do
[ -d "$dir" ] || continue
gitleaks detect --source "$dir" --no-git --config .gitleaks.toml \
--redact --exit-code 1
done
Reference in New Issue View Git Blame Copy Permalink