From c7e222b4cbf9a1c9ee6be2cfa630eda33f8eec75 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 25 Mar 2026 14:26:37 +0000
Subject: [PATCH] Add GitHub Actions workflows with minimum required permissions
Co-authored-by: mtracz <22484267+mtracz@users.noreply.github.com>
Agent-Logs-Url: https://github.com/blumilksoftware/environment/sessions/69e50561-ff6b-4bb5-9c02-c267ce4476e3
---
.github/workflows/check-pr-title.yml | 17 ++++++++++++++++
.github/workflows/lint-shell-scripts.yml | 22 +++++++++++++++++++++
.github/workflows/validate-yaml.yml | 25 ++++++++++++++++++++++++
.yamllint.yml | 14 +++++++++++++
Taskfile-init.yml | 10 +++++-----
scripts/add-ca-to-trust-store.sh | 16 +++++++--------
6 files changed, 91 insertions(+), 13 deletions(-)
create mode 100644 .github/workflows/check-pr-title.yml
create mode 100644 .github/workflows/lint-shell-scripts.yml
create mode 100644 .github/workflows/validate-yaml.yml
create mode 100644 .yamllint.yml
diff --git a/.github/workflows/check-pr-title.yml b/.github/workflows/check-pr-title.yml
new file mode 100644
index 0000000..0a739be
--- /dev/null
+++ b/.github/workflows/check-pr-title.yml
@@ -0,0 +1,17 @@
+name: Check PR title
+
+on:
+ pull_request:
+ branches: ["main"]
+ types: [opened, edited, synchronize, ready_for_review, reopened]
+
+permissions: {}
+
+jobs:
+ check-pr-title:
+ name: Check PR title
+ runs-on: ubuntu-24.04
+ permissions:
+ pull-requests: read
+ steps:
+ - uses: blumilksoftware/action-pr-title@e05fc76a1cc45b33644f1de51218be43ac121dd0 # v1.2.0 # https://github.com/blumilksoftware/action-pr-title
diff --git a/.github/workflows/lint-shell-scripts.yml b/.github/workflows/lint-shell-scripts.yml
new file mode 100644
index 0000000..88fa66f
--- /dev/null
+++ b/.github/workflows/lint-shell-scripts.yml
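Review bot: The `uses:` step pins `blumilksoftware/action-pr-title` to a full commit SHA, which is the right supply-chain posture, but nothing in this commit keeps the pin or its `# v1.2.0` comment current, and GitHub does not verify that the comment matches the SHA. Unless the repository already has one, add a Dependabot entry for the `github-actions` ecosystem so the SHA and the version comment are bumped together: `- package-ecosystem: "github-actions"` / `directory: "/"` / `schedule: {interval: "weekly"}` in `.github/dependabot.yml`. The job grants `pull-requests: read`; if the action reads the title from `github.event.pull_request.title` rather than the REST API, even that can be dropped to `permissions: {}` at job level — worth confirming against the action's source before tightening.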
@@ -0,0 +1,22 @@
+name: Lint shell scripts
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["main"]
+
+permissions: {}
+
+jobs:
+ shellcheck:
+ name: ShellCheck
+ runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 # https://github.com/actions/checkout
+
+ - name: Run ShellCheck
+ run: find . -name "*.sh" -print0 | xargs -0 shellcheck
diff --git a/.github/workflows/validate-yaml.yml b/.github/workflows/validate-yaml.yml
new file mode 100644
index 0000000..802756f
--- /dev/null
+++ b/.github/workflows/validate-yaml.yml
@@ -0,0 +1,25 @@
+name: Validate YAML files
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["main"]
+
+permissions: {}
+
+jobs:
+ validate-yaml:
+ name: Validate YAML files
+ runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 # https://github.com/actions/checkout
+
+ - name: Install yamllint
+ run: pip install yamllint
+
+ - name: Validate YAML files
+ run: yamllint --strict .
diff --git a/.yamllint.yml b/.yamllint.yml
new file mode 100644
index 0000000..d0dd1cc
--- /dev/null
+++ b/.yamllint.yml
@@ -0,0 +1,14 @@
+---
+extends: default
+
+rules:
+ document-start: disable
+ line-length: disable
+ comments:
+ min-spaces-from-content: 1
+ trailing-spaces: enable
+ brackets:
+ min-spaces-inside: 0
+ max-spaces-inside: 1
+ truthy:
+ allowed-values: ["true", "false", "on", "off", "yes", "no"]
diff --git a/Taskfile-init.yml b/Taskfile-init.yml
index 82d19c6..5ef2261 100644
--- a/Taskfile-init.yml
+++ b/Taskfile-init.yml
@@ -21,7 +21,7 @@ tasks: {{ .INITIALIZED_MSG }} use --force flag or remove {{ .INIT_FILENAME }} file - + WARNING: Run init again will overwrite previous generated files! cmds:
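Review bot: The `run: find . -name "*.sh" -print0 | xargs -0 shellcheck` step only lints files named `*.sh`, and when nothing matches GNU `xargs` still invokes `shellcheck` once with no arguments, so the step's result then depends on shellcheck's no-file behaviour rather than on the repository's scripts. `find . -name "*.sh" -exec shellcheck {} +` avoids both the pipe and the empty-invocation edge case (or add `-r` to `xargs`). Scripts that rely on a shebang and have no extension are also skipped by the name filter; I cannot see the tree from the diff, so if such files exist an explicit list or a shebang-based selection would be more robust. The `run:` blocks inside the workflows themselves are not reached by shellcheck either; actionlint would cover that gap.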
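Review bot: `run: pip install yamllint` pulls an unpinned package from PyPI on every run, which undercuts the SHA-pinning the same workflow applies to `actions/checkout`: a compromised or broken yamllint release would execute on every push to `main` and every pull request. Pin it to a specific release, ideally from a requirements file installed with `--require-hashes`, e.g. `run: pip install "yamllint==<pinned version>"`, and let Dependabot bump it. Pinning also makes `yamllint --strict .` reproducible, since a new yamllint release can add or tighten rules and turn the strict run red with no change in the repository.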
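Review bot: `allowed-values: ["true", "false", "on", "off", "yes", "no"]` on the new side switches off most of what the `truthy` rule exists to catch — YAML 1.1 loaders read unquoted `yes`/`no`/`on`/`off` as booleans (the "Norway problem"), so a stray `enabled: yes` or `country: NO` now passes `--strict`. The widened list is presumably there for the workflows' `on:` trigger key, which the rule checks as a key by default; that case is better handled with `check-keys: false` than by allowing the ambiguous values everywhere. I would write it as `truthy:` / `allowed-values: ["true", "false"]` / `check-keys: false`.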
@@ -96,9 +96,9 @@ tasks: PORTAINER_ADMIN_PASSWORD_FILENAME: portainer-admin-password-file cmds: - cmd: | - echo "Creating Portainer {{ .PORTAINER_ADMIN_PASSWORD_FILENAME }} file" + echo "Creating Portainer {{ .PORTAINER_ADMIN_PASSWORD_FILENAME }} file" cp {{ .PORTAINER_ADMIN_PASSWORD_FILENAME }}.example {{ .PORTAINER_ADMIN_PASSWORD_FILENAME }} - sed --in-place "s/PORTAINER_ADMIN_PASSWORD_PLACEHOLDER/{{ .PORTAINER_ADMIN_INIT_PASSWORD }}/" {{ .PORTAINER_ADMIN_PASSWORD_FILENAME }} + sed --in-place "s/PORTAINER_ADMIN_PASSWORD_PLACEHOLDER/{{ .PORTAINER_ADMIN_INIT_PASSWORD }}/" {{ .PORTAINER_ADMIN_PASSWORD_FILENAME }} echo "Done" _init-dnsmasq-files:
@@ -110,7 +110,7 @@ tasks: cmds: - cmd: | echo "Creating Dnsmasq {{ .DNSMASQ_CONFIG_FILENAME }} file" - cp {{ .DNSMASQ_CONFIG_FILENAME }}.example {{ .DNSMASQ_CONFIG_FILENAME }} + cp {{ .DNSMASQ_CONFIG_FILENAME }}.example {{ .DNSMASQ_CONFIG_FILENAME }} sed --in-place \ --expression "s/TRAEFIK_CONTAINER_IP_PLACEHOLDER/{{ .TRAEFIK_IP }}/" \ --expression "s/TLD_PLACEHOLDER/{{ .TLD }}/" \
@@ -126,7 +126,7 @@ tasks: SYSTEMD_RESOLVED_CONF_DIR_PATH: /etc/systemd/resolved.conf.d cmds: - cmd: | - echo "Creating DNS resolver {{ .DNS_RESOLVER_CONFIG_FILENAME }} file" + echo "Creating DNS resolver {{ .DNS_RESOLVER_CONFIG_FILENAME }} file" cp {{ .DNS_RESOLVER_CONFIG_FILENAME }}.example {{ .DNS_RESOLVER_CONFIG_FILENAME }} sed --in-place \ --expression "s/DNS_CONTAINER_IP_PLACEHOLDER/{{ .DNS_IP }}/" \
diff --git a/scripts/add-ca-to-trust-store.sh b/scripts/add-ca-to-trust-store.sh
index dc4b374..110d429 100755
--- a/scripts/add-ca-to-trust-store.sh
+++ b/scripts/add-ca-to-trust-store.sh
@@ -20,18 +20,18 @@ certname="My Root CA"
 ### For cert8 (legacy - DBM) ###
-for certDB in $(find ~/ -name "cert8.db")
+while IFS= read -r -d '' certDB
 do
- certdir=$(dirname ${certDB});
- certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i ${certfile} -d dbm:${certdir}
-done
+ certdir=$(dirname "${certDB}")
+ certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i "${certfile}" -d dbm:"${certdir}"
+done < <(find ~/ -name "cert8.db" -print0)
 ### ### For cert9 (SQL) ###
-for certDB in $(find ~/ -name "cert9.db")
+while IFS= read -r -d '' certDB
 do
- certdir=$(dirname ${certDB});
- certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i ${certfile} -d sql:${certdir}
-done
\ No newline at end of file
+ certdir=$(dirname "${certDB}")
+ certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i "${certfile}" -d sql:"${certdir}"
+done < <(find ~/ -name "cert9.db" -print0)
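Review bot: Both rewritten loops import the CA with the full `TCu,Cu,Tu` trust flags into every NSS database `find ~/` can reach, but the new `certutil -A` lines still ignore the exit status and the loops still run even when `${certfile}` is missing or unreadable, so a wrong path or a locked profile database leaves some stores untouched while the script reports nothing; whether `set -e` changes that depends on the preamble, which is outside the hunk. `find ~/` also has no `-type f` and surfaces permission errors from any unreadable directory. I would check the input once before the loops and fold the two near-identical loops into one helper that reports per-database failures; `certname` and `certfile` are defined above the hunk.
```shell
[ -r "${certfile}" ] || { echo "CA file not readable: ${certfile}" >&2; exit 1; }

# Import the CA into every NSS database of one type: "dbm" (cert8.db) or "sql" (cert9.db).
import_ca_into_dbs() {
    local dbtype="$1" dbname="$2" certDB certdir
    while IFS= read -r -d '' certDB
    do
        certdir=$(dirname "${certDB}")
        certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i "${certfile}" -d "${dbtype}:${certdir}" \
            || echo "warning: failed to import CA into ${dbtype}:${certdir}" >&2
    done < <(find ~/ -type f -name "${dbname}" -print0 2>/dev/null)
}

import_ca_into_dbs dbm cert8.db
import_ca_into_dbs sql cert9.db
```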