From debf8a2d3a4550bdc2b2132d9599dc7a7c9b0b59 Mon Sep 17 00:00:00 2001
From: Tigran TIKSN Torosyan
Date: Mon, 25 Aug 2025 19:07:03 -0500
Subject: [PATCH] Fix Super Linter errors

---
 .github/workflows/cicd.yml | 14 ++++++++++++--
 .github/workflows/lint.yml | 5 +++--
 .github/workflows/release-drafter.yml | 2 +-
 .trivyignore | 4 ++++
 lint.ps1 | 1 +
 trivy.yaml | 7 +++++++
 6 files changed, 28 insertions(+), 5 deletions(-)
 create mode 100644 .trivyignore
 create mode 100644 trivy.yaml

diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index b1797137..07770ab7 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -10,8 +10,6 @@ on:
 - published
 workflow_dispatch:
-permissions: read-all
 env:
 DOTNET_NOLOGO: true
 DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
@@ -21,12 +19,18 @@ jobs:
 ci:
 name: CI
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: read
+ statuses: write
+ packages: read
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v5
 with:
 lfs: true
 fetch-depth: 0
+ persist-credentials: false
 - name: 'Install InvokeBuild Module'
 shell: pwsh
 run: Install-Module -Name InvokeBuild -Force
@@ -63,12 +67,18 @@ jobs:
 name: 'DockerHub'
 url: https://hub.docker.com/r/tiksn/fossa-ui
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: read
+ statuses: write
+ packages: read
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v5
 with:
 lfs: true
 fetch-depth: 0
+ persist-credentials: false
 - name: 'Download Artefact'
 uses: actions/download-artifact@v5.0.0
 with:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 33d0589a..5fb96235 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -7,8 +7,6 @@ on:
 pull_request:
 workflow_dispatch:
-permissions: read-all
 env:
 DOTNET_NOLOGO: true
 DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
@@ -20,6 +18,8 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
+ contents: read
+ packages: read
 statuses: write
 steps:
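Review bot: Dropping the workflow-level `permissions: read-all` in the first hunk of cicd.yml (and likewise in lint.yml's first hunk) leaves no workflow default at all, so any job without its own `permissions:` block falls back to the repository's default GITHUB_TOKEN grant, which on older repositories is read/write. Only the two jobs starting at old lines 21 and 63 visibly gain a block; whatever sits between them is outside this view and, if it is another job, is now unconstrained. release-drafter.yml in this same patch takes the safer route with an explicit empty default, and the same one-liner belongs at the top of both of these workflows: `permissions: {}`, with the job-level blocks then opening only what each job needs.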
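Review bot: The `permissions:` block added to the ci job in cicd.yml's second hunk, and repeated verbatim for the DockerHub job in the third, grants `statuses: write`, `pull-requests: read` and `packages: read`, yet none of the steps visible in either hunk sets a commit status, reads pull-request data or pulls a GHCR image, so the block reads as copied rather than derived from what each job calls; the remainder of both jobs is outside the hunks, so confirm each scope against a concrete step and drop the ones nothing uses. `persist-credentials: false` is the right default for these checkouts (and for the one in lint.yml's third hunk), with the caveat that any later step in those jobs that pushes with git will now need an explicitly supplied token. Both jobs also keep `actions/checkout@v5` and `actions/download-artifact@v5.0.0` pinned by tag; pinning each `uses:` to a commit SHA with the version in a trailing `# vN` comment is the stronger supply-chain control and a one-line change per step.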
@@ -27,6 +27,7 @@ jobs:
 uses: actions/checkout@v5
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: 'Install InvokeBuild Module'
 shell: pwsh
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 8ffbd688..a4690ca9 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -12,7 +12,7 @@ on:
 - synchronize
 workflow_dispatch:
-permissions: read-all
+permissions: {}
 jobs:
 update_release_draft:
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 00000000..cf841cf0
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,4 @@
+node_modules/
+**/node_modules/
+node_modules/**
+**/node_modules/**
\ No newline at end of file
diff --git a/lint.ps1 b/lint.ps1
index 749d0cf6..024374e2 100644
--- a/lint.ps1
+++ b/lint.ps1
@@ -10,6 +10,7 @@ docker run --rm `
 -e FIX_DOTNET_SLN_FORMAT_STYLE=true `
 -e FIX_DOTNET_SLN_FORMAT_WHITESPACE=true `
 -e FIX_ENV=true `
+ -e FIX_GITHUB_ACTIONS_ZIZMOR=true `
 -e FIX_JAVASCRIPT_ES=true `
 -e FIX_JAVASCRIPT_PRETTIER=true `
 -e FIX_JSON=true `
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 00000000..f9a8172f
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,7 @@
+scan:
+ skip-dirs:
+ - 'node_modules'
+ skip-files:
+ - 'node_modules/**'
+ - '**/node_modules/**'
+ - '**/node_modules/**/*.Dockerfile'
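Review bot: With `permissions: {}` now at the top of release-drafter.yml, the `update_release_draft` job receives no token scopes unless it declares its own block, and the job body lies outside this hunk. release-drafter's own README asks for `contents: write` to create or update the draft release and `pull-requests: write` when the autolabeler is used, so confirm the job carries a `permissions:` block with those scopes; otherwise the first run after this change fails with a 403 from the releases API rather than a lint error. If the block is already there, a comment above the new line such as `# workflow default: no token scopes; update_release_draft grants its own below` saves the next reader the search.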
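Review bot: As far as Trivy's documentation goes, `.trivyignore` lists finding IDs (CVE, AVD or GHSA identifiers), one per line, not path globs, so the four `node_modules` patterns in this new file most likely match no finding and silently do nothing; the path exclusions this patch wants are already expressed in trivy.yaml's `scan.skip-dirs` and `scan.skip-files`, which is where they belong. Either drop the file or keep it only for deliberately accepted findings, each preceded by a `#` line naming the reason and an owner so the suppression stays reviewable. The `\ No newline at end of file` marker also shows the file is missing its trailing newline.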
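Review bot: The new trivy.yaml expresses one exclusion four different ways: `skip-dirs` with `'node_modules'` already removes the directory, and of the three `skip-files` globs, `'**/node_modules/**/*.Dockerfile'` is subsumed by `'**/node_modules/**'`, which in turn covers `'node_modules/**'`. Keeping `skip-dirs` alone, or `skip-dirs` plus the single `'**/node_modules/**'` glob if nested packages need it (whether a bare directory name matches nested copies is worth checking against the Trivy version Super Linter ships), states the intent once and removes the question of which pattern actually fires. Since excluding `node_modules` from a filesystem scan also drops any findings Trivy would take from the installed tree itself, leaving the lockfile as the only source, record that trade-off next to the key: `# node_modules excluded: dependency findings come from the lockfile only`. The file would also read better with a `---` document start and a top comment naming which scans (vuln, secret, misconfig) the exclusion is meant to quieten.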