forgejo-runner v6.4.0 ships a node20 JavaScript engine. actions/checkout v4.2+ and softprops/action-gh-release v2.0.5+ moved to node24, which the runner refuses to exec. Pin both to their last node20 release.

Pairs with a runner-side config change (deployed separately on nullstone, /home/docker/forgejo-runner/conf/config.yaml) that adds `-v /var/run/docker.sock:/var/run/docker.sock` to the per-job container options and whitelists the socket via valid_volumes — without that, addnab/docker-run-action@v3 inside the catthehacker/ubuntu job container can't reach the docker engine. Note that a job container with the docker socket mounted is effectively root on the runner host, so this should only be enabled for repos whose workflows are trusted.

- actions/checkout v4 -> v4.1.7
- softprops/action-gh-release v2 -> v2.0.4
- addnab/docker-run-action v3 unchanged (composite/docker, no node)
- ludeeus/action-shellcheck@master unchanged (docker-based)
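---
# Lint workflow: kickstart syntax check, shellcheck, and a brand-leak grep
# over the directories whose contents ship in the ISO.
#
# Supply-chain notes:
#   - Third-party actions are pinned to a tag, not a commit SHA. Tags are
#     mutable; a full commit SHA (with the tag in a trailing comment) is the
#     stronger pin. Tags are kept here because the pin exists to stay on a
#     node20 release of each action — swap in the SHA of that same tag when
#     convenient.
#   - NOTE(review): there is no `permissions:` block. On GitHub that is where
#     the job token is scoped to least privilege; confirm whether the Forgejo
#     runner honors it before relying on it here.
name: Lint

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:

jobs:
  ksvalidate:
    name: Kickstart syntax
    runs-on: ubuntu-24.04
    container:
      # Mutable tag; pin by digest (`fedora:43@sha256:...`) if reproducible
      # lint runs matter more than picking up image updates automatically.
      image: registry.fedoraproject.org/fedora:43
    steps:
      # Pinned to last v4 tag confirmed to ship on node20.
      - uses: actions/checkout@v4.1.7
      - run: dnf -y install pykickstart
      - run: ksvalidator kickstart/veilor-os.ks

  shellcheck:
    name: Shell scripts
    runs-on: ubuntu-24.04
    steps:
      # Pinned to last v4 tag confirmed to ship on node20.
      - uses: actions/checkout@v4.1.7
      # TODO(review): `@master` is a floating branch ref — the action's code
      # (and the image it builds at run time) can change without any diff in
      # this repo. Pin to a release tag or, better, a commit SHA.
      - uses: ludeeus/action-shellcheck@master
        with:
          severity: warning
          ignore_paths: build/cache .github

  brand-leak:
    name: No personal/onyx leaks
    runs-on: ubuntu-24.04
    steps:
      # Pinned to last v4 tag confirmed to ship on node20.
      - uses: actions/checkout@v4.1.7
      - name: Grep for leaks
        # Explicit bash: the script uses [[ ]], arrays and pipefail.
        shell: bash
        run: |
          set -euo pipefail

          # Scope: ship-state source dirs only. Audit reports, CHANGELOG,
          # PR templates, test checklists, and the lint workflow itself
          # legitimately quote the forbidden strings as findings/examples
          # — they don't ship in the ISO, so they're out of scope.
          SCAN_DIRS=(kickstart/ overlay/ scripts/ assets/ build/)

          # Fail closed. grep exits 0 on a match, 1 on no match, 2 on an
          # error (e.g. a scan dir that was renamed or removed). Swallowing
          # every non-zero status with `|| true` turned an error into a
          # silent pass of the whole check; only status 1 is a clean run.
          rc=0
          MATCHES=$(grep -rIni \
            -e 'onyx' \
            -e '192\.168\.0\.' \
            -e 'fedora\.local' \
            -e 'xynki\.dev' \
            "${SCAN_DIRS[@]}") || rc=$?
          if (( rc > 1 )); then
            echo "::error::Brand-leak scan could not run (grep exit ${rc}); check that every scan dir exists"
            exit 1
          fi

          # Filter self-referencing sanity-grep lines: the kickstart and
          # post-install scripts run their own brand-leak scan against the
          # installed /etc — those grep invocations literally contain the
          # forbidden strings as patterns, not as leaked data.
          #
          # grep -rn output is `path:line:content`. The `# Sanity:` and
          # `brand leak` markers are honored only on comment-only lines, so
          # that appending a marker to a real leak (`host=onyx.local  # brand
          # leak`) cannot silence the check.
          # NOTE(review): if a non-comment line legitimately carries both a
          # marker and a forbidden string, allow-list that file's path here
          # rather than loosening these regexes.
          LEAKS=$(printf '%s\n' "$MATCHES" | grep -v \
            -e "grep .*'onyx" \
            -e '^[^:]*:[0-9]\{1,\}:[[:space:]]*# Sanity:' \
            -e '^[^:]*:[0-9]\{1,\}:[[:space:]]*#.*brand leak' \
            || true)

          if [[ -n "$LEAKS" ]]; then
            echo "::error::Brand leaks detected"
            echo "$LEAKS"
            exit 1
          fi
          echo "no leaks ✓"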