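---
# CI - File health
#
# Runs on every push and pull request:
#   1. pre-commit checks over the repository files
#   2. regenerates the man pages with pandoc and fails if the committed
#      copies differ from the regenerated ones
#   3. audits the GitHub Actions workflows with zizmor and uploads the
#      findings as SARIF to code scanning
#
# The workflow-level token has no permissions; the single job is granted
# only `security-events: write`, which the SARIF upload needs.
name: CI - File health

on: [pull_request, push]

permissions: {}

concurrency:
  # One running instance per PR branch; pushes fall back to the unique run id
  # and are therefore never cancelled.
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: ${{ github.head_ref != '' }}

jobs:
  ci:
    name: Check
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      # NOTE(review): the `uses:` references in this job are pinned by tag,
      # which is mutable; pinning to a full commit SHA would make them
      # immutable. The zizmor step below filters `unpinned-uses` out of its
      # report, so this is not surfaced in code scanning.
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: false

      - name: Setup python
        uses: actions/setup-python@v5
        with:
          python-version: "*"

      - name: Check files
        uses: pre-commit/action@v3.0.1

      - name: Check doc
        env:
          pandoc_path: "${{ github.workspace }}/../pandoc"
        # The script reads runner-provided environment variables
        # (RUNNER_TEMP, GITHUB_WORKSPACE, pandoc_path) instead of having
        # `${{ ... }}` expressions spliced into the shell text, so no
        # expression output is ever parsed as shell code.
        run: |
          # install pandoc
          # NOTE(review): the archive is executed below but its integrity is
          # not verified; consider comparing it against a pinned SHA-256
          # digest (e.g. with `sha256sum --check`) before extracting.
          # --fail makes an HTTP error abort here rather than saving an
          # error page as the archive.
          curl \
            --fail \
            -L \
            -o "$RUNNER_TEMP/pandoc.tar.gz" \
            "https://github.com/jgm/pandoc/releases/download/3.6/pandoc-3.6-linux-amd64.tar.gz"
          tar -xf "$RUNNER_TEMP/pandoc.tar.gz" -C "$GITHUB_WORKSPACE/.."
          mv "$GITHUB_WORKSPACE/.."/pandoc-* "$pandoc_path"
          # run pandoc
          for lang in doc/*/; do
            "$pandoc_path/bin/pandoc" -f markdown -t man -s "$lang/qbittorrent.1.md" -o "$lang/qbittorrent.1"
            "$pandoc_path/bin/pandoc" -f markdown -t man -s "$lang/qbittorrent-nox.1.md" -o "$lang/qbittorrent-nox.1"
          done
          # check diff, ignore "Automatically generated by ..." part
          git diff -I '\.\\".*' --exit-code

      - name: Check GitHub Actions workflow
        env:
          # Visible to every command in this step, including `pip install`.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # NOTE(review): zizmor is installed unpinned, so the scanner
          # version (and its dependencies) can change between runs; consider
          # pinning an exact version.
          pip install zizmor
          # jq predicates that drop the two suppressed rules from both the
          # result list and the rule catalogue of the SARIF document.
          IGNORE_RULEID='(.ruleId != "template-injection") and (.ruleId != "unpinned-uses")'
          IGNORE_ID='(.id != "template-injection") and (.id != "unpinned-uses")'
          zizmor \
            --format sarif \
            --pedantic \
            ./ \
            | jq "(.runs[].results |= map(select($IGNORE_RULEID))) | (.runs[].tool.driver.rules |= map(select($IGNORE_ID)))" \
            > "$RUNNER_TEMP/zizmor_results.sarif"

      - name: Upload zizmor results
        uses: github/codeql-action/upload-sarif@v3
        with:
          category: zizmor
          sarif_file: "${{ runner.temp }}/zizmor_results.sarif"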