validate-template.yml
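# Template Validation (Meta-CI)
# Validates the template's own files: YAML, JSON, shell scripts, SHA pins, secrets.
# Remove this workflow after initializing from the template.
name: Validate Template

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Read-only token: every step below only inspects the checked-out tree.
permissions:
  contents: read

jobs:
  validate:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Validate YAML files
        # Parses every *.yml / *.yaml with PyYAML's safe loader. safe_load_all
        # accepts multi-document files (`---` separated), which the
        # single-document loader rejects. The path is passed as argv rather than
        # interpolated into the Python source, so a filename containing quotes
        # cannot break or alter the snippet. Parse errors are left on stderr so
        # a FAIL line is accompanied by the reason.
        run: |
          echo "--- Validating YAML files ---"
          ERRORS=0
          # NUL-delimited find + process substitution: filenames with whitespace
          # stay intact and ERRORS is updated in this shell, not a pipe subshell.
          while IFS= read -r -d '' f; do
            if python3 -c 'import sys, yaml; list(yaml.safe_load_all(open(sys.argv[1], encoding="utf-8")))' "$f"; then
              echo "OK: $f"
            else
              echo "FAIL: $f"
              ERRORS=$((ERRORS + 1))
            fi
          done < <(find . \( -name '*.yml' -o -name '*.yaml' \) -not -path '*/node_modules/*' -print0 | sort -z)
          if [ "$ERRORS" -gt 0 ]; then
            echo "::error::$ERRORS YAML file(s) failed validation"
            exit 1
          fi

      - name: Validate JSON files
        # Same shape as the YAML step: argv-passed path, NUL-delimited listing,
        # errors visible on stderr.
        run: |
          echo "--- Validating JSON files ---"
          ERRORS=0
          while IFS= read -r -d '' f; do
            if python3 -c 'import sys, json; json.load(open(sys.argv[1], encoding="utf-8"))' "$f"; then
              echo "OK: $f"
            else
              echo "FAIL: $f"
              ERRORS=$((ERRORS + 1))
            fi
          done < <(find . -name '*.json' -not -path '*/node_modules/*' -print0 | sort -z)
          if [ "$ERRORS" -gt 0 ]; then
            echo "::error::$ERRORS JSON file(s) failed validation"
            exit 1
          fi

      - name: ShellCheck scripts
        # Installs shellcheck only when the runner image lacks it, then lints
        # every *.sh outside node_modules.
        run: |
          echo "--- Running ShellCheck ---"
          if ! command -v shellcheck >/dev/null 2>&1; then
            sudo apt-get update -qq && sudo apt-get install -qq -y shellcheck
          fi
          ERRORS=0
          while IFS= read -r -d '' f; do
            if shellcheck "$f"; then
              echo "OK: $f"
            else
              echo "FAIL: $f"
              ERRORS=$((ERRORS + 1))
            fi
          done < <(find . -name '*.sh' -not -path '*/node_modules/*' -print0 | sort -z)
          if [ "$ERRORS" -gt 0 ]; then
            echo "::error::$ERRORS script(s) failed ShellCheck"
            exit 1
          fi

      - name: Verify all actions are SHA-pinned
        # Every `uses:` reference with an `@` ref must carry a full 40-hex commit
        # SHA. Trailing comments are stripped before matching, so a tag ref that
        # has a comment after it is still reported, and any non-SHA ref
        # (tag, branch, bare version) is flagged rather than only `@v*`.
        # Only lines that start with `uses:` (optionally as a list item) are
        # considered, so shell text inside `run:` blocks is not scanned.
        # The dependabot/fetch-metadata exemption is kept as-is from the
        # original check.
        run: |
          echo "--- Checking SHA-pinned actions ---"
          UNPINNED=$(grep -rnE '^[[:space:]]*-?[[:space:]]*uses:' .github/workflows/ \
            | sed 's/#.*$//' \
            | grep '@' \
            | grep -vE '@[0-9a-f]{40}[[:space:]]*$' \
            | grep -v 'dependabot/fetch-metadata' \
            || true)
          if [ -n "$UNPINNED" ]; then
            echo "::error::Found actions pinned to tags instead of SHAs:"
            echo "$UNPINNED"
            exit 1
          fi
          echo "All actions are SHA-pinned."

      - name: Check for secrets patterns
        # Coarse credential-shape scan over text files in the repo. Vendored
        # dependencies and git internals are excluded for consistency with the
        # other steps; the pattern list itself is unchanged.
        run: |
          echo "--- Scanning for secrets patterns ---"
          PATTERNS='(AKIA[0-9A-Z]{16}|ghp_[a-zA-Z0-9]{36}|sk-[a-zA-Z0-9]{48}|-----BEGIN (RSA |EC )?PRIVATE KEY)'
          MATCHES=$(grep -rEn "$PATTERNS" \
            --include='*.yml' --include='*.yaml' --include='*.json' --include='*.sh' --include='*.md' \
            --exclude-dir=node_modules --exclude-dir=.git . || true)
          if [ -n "$MATCHES" ]; then
            echo "::error::Possible secrets detected:"
            echo "$MATCHES"
            exit 1
          fi
          echo "No secrets patterns found."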