diff --git a/.githooks/pre-push b/.githooks/pre-push
index 32c2749..8831d07 100755
--- a/.githooks/pre-push
+++ b/.githooks/pre-push
@@ -9,16 +9,16 @@ changed_workflows=$(git diff --cached --name-only --diff-filter=ACM | grep -E '\
 if [ -n "$changed_workflows" ]; then
 echo "🔍 Linting GitHub Actions workflows..."
+ # Check actionlint
 if ! command -v actionlint &> /dev/null; then
 echo "⚠ actionlint not found. Installing via mise..."
 mise install actionlint
 fi
- # Lint the changed workflows
 if actionlint -oneline $changed_workflows; then
- echo "✅ Workflows lint passed!"
+ echo "✅ Actionlint passed!"
 else
- echo "❌ Workflow lint failed. Fix the errors above and try again."
+ echo "❌ Actionlint failed. Fix the errors above and try again."
 exit 1
 fi
 else
diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml
index e945cea..a26567b 100644
--- a/.github/workflows/lint-workflows.yml
+++ b/.github/workflows/lint-workflows.yml
@@ -10,9 +10,26 @@ on:
 jobs:
 actionlint:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Run actionlint
- uses: raven-actions/actionlint@v2
+ uses: raven-actions/actionlint@205b530c5d9fa8f44ae9ed59f341a0db994aa6f8 # v2.1.2
+
+ zizmor:
+ permissions:
+ contents: read
+ security-events: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor security check
+ uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
diff --git a/.vscode/settings.json b/.vscode/settings.json
index 98dbaf7..1727f0b 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -3,6 +3,7 @@
 "git add": true,
 "git commit": true,
 "gh": true,
- "git push": true
+ "git push": true,
+ "mise": true
 }
 }
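Review bot: The local gate in this hunk still runs only actionlint, so a workflow that passes the pre-push hook can be rejected by the zizmor job this same commit adds to CI; a matching step after the actionlint block, `if command -v zizmor &> /dev/null; then zizmor $changed_workflows || exit 1; fi`, would keep the two in parity (hedged: whether mise provides zizmor locally is not shown here). Separately, the file list comes from `git diff --cached` (visible only in the hunk header, outside the changed lines), which compares the index to HEAD rather than the commits being pushed, so on a push with nothing staged `changed_workflows` is empty and the whole lint block is skipped; a pre-push hook receives `<local_ref> <local_sha> <remote_ref> <remote_sha>` on stdin and should diff that range instead. The removed `# Lint the changed workflows` comment was the one that explained the `actionlint -oneline` call, so consider keeping it there rather than replacing it with `# Check actionlint` above the install check. The `if`/`else` this hunk edits continues past its last line.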
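Review bot: The new `zizmor` job grants `security-events: write`, which only makes sense if the action uploads SARIF to code scanning; on a private repository without Advanced Security that upload fails, and on pull requests from forks the token has no write scope, so the job would report an infrastructure error rather than findings (hedged: the action's default inputs and the `on:` triggers are outside this hunk). A short comment above each `permissions:` block, such as `# least privilege: read-only token; checkout must not persist it into .git/config`, would keep future editors from widening it. The SHA pins with version comments are the right call, but they only stay current if a Dependabot or Renovate `github-actions` ecosystem is configured, which this commit does not show. Whether anything follows the last `uses:` line in the file is not visible here.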
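Review bot: Adding `"mise": true` to this allowlist is far broader than the entries next to it if, as the sibling `git push`/`gh` keys suggest, this object is an agent or terminal auto-approve list (its key sits above the hunk): `mise exec`, `mise run` and `mise x -- <cmd>` execute arbitrary commands, so approving the bare tool effectively approves everything. Prefer the narrowest subcommand the hook actually needs, `"mise install": true`, or a pattern entry if the setting supports one, and add a comment-free rationale in the commit or README since JSON cannot carry the explanation inline.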
diff --git a/README.md b/README.md
index c982f54..f7f4ee9 100644
--- a/README.md
+++ b/README.md
@@ -16,4 +16,4 @@ Cette commande installe toutes les dĂ©pendances du projet dĂ©finies dans `mise.t
 .githooks/install.sh
 ```
-Cela configure les git hooks locaux pour automatiser les vĂ©rifications avant les commits/pushes.
\ No newline at end of file
+Cela configure les git hooks locaux pour automatiser les vĂ©rifications avant les commits/pushes.