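# Lint workflow: validates the kickstart file, runs shellcheck over the shell
# scripts, and fails the build when forbidden brand/personal strings appear in
# the directories that ship in the ISO.
name: Lint

on:
  push:
    branches: [main]
  pull_request:

# Least privilege: every job below only reads the repository (checkout, lint,
# grep), so the job token is restricted to read-only contents access.
permissions:
  contents: read

jobs:
  ksvalidate:
    name: Kickstart syntax
    runs-on: ubuntu-24.04
    container:
      # NOTE(review): an image tag is mutable; pinning by digest would make
      # this job reproducible and guard against a replaced image.
      image: registry.fedoraproject.org/fedora:43
    steps:
      # Pinned to last v4 tag confirmed to ship on node20.
      - uses: actions/checkout@v4.1.7
        with:
          # Keep the job token out of .git/config; later steps never push.
          persist-credentials: false
      - run: dnf -y install pykickstart
      - run: ksvalidator kickstart/veilor-os.ks

  shellcheck:
    name: Shell scripts
    runs-on: ubuntu-24.04
    steps:
      # Pinned to last v4 tag confirmed to ship on node20.
      - uses: actions/checkout@v4.1.7
        with:
          # The next step runs third-party code from a mutable ref, so the
          # job token must not be left behind in the checked-out repo.
          persist-credentials: false
      # NOTE(review): `@master` is a moving branch, so whatever upstream
      # pushes next runs in this job unreviewed. Pin to a full commit SHA
      # (ludeeus/action-shellcheck@<full-commit-sha>) and bump deliberately.
      - uses: ludeeus/action-shellcheck@master
        with:
          severity: warning
          ignore_paths: build/cache .github

  brand-leak:
    name: No personal/onyx leaks
    runs-on: ubuntu-24.04
    steps:
      # Pinned to last v4 tag confirmed to ship on node20.
      - uses: actions/checkout@v4.1.7
        with:
          # Keep the job token out of .git/config; later steps never push.
          persist-credentials: false
      - name: Grep for leaks
        run: |
          set -e
          # Scope: ship-state source dirs only. Audit reports, CHANGELOG,
          # PR templates, test checklists, and the lint workflow itself
          # legitimately quote the forbidden strings as findings/examples
          # — they don't ship in the ISO, so they're out of scope.
          #
          # NOTE(review): `|| true` hides grep's exit status 2 (for example
          # a scanned directory that no longer exists) as well as status 1
          # (no match), so the gate passes silently if a path is renamed.
          # Confirm that fail-open behaviour is intended.
          MATCHES=$(grep -rIni \
            -e 'onyx' \
            -e '192\.168\.0\.' \
            -e 'fedora\.local' \
            -e 'xynki\.dev' \
            kickstart/ overlay/ scripts/ assets/ build/ \
            || true)
          # Filter self-referencing sanity-grep lines: the kickstart and
          # post-install scripts run their own brand-leak scan against the
          # installed /etc — those grep invocations literally contain the
          # forbidden strings as patterns, not as leaked data.
          #
          # NOTE(review): the exclusions match anywhere on the line, so any
          # line that also contains '# Sanity:' or 'brand leak' is dropped
          # even when it carries a real forbidden string. Keep the patterns
          # as narrow as the self-scan lines allow.
          LEAKS=$(echo "$MATCHES" | grep -v \
            -e "grep .*'onyx" \
            -e '# Sanity:' \
            -e 'brand leak' \
            || true)
          if [[ -n "$LEAKS" ]]; then
            echo "::error::Brand leaks detected"
            echo "$LEAKS"
            exit 1
          fi
          echo "no leaks ✓"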