chore(deps): bump github/codeql-action from cb4e075f119f8bccbc942d49655b2cd4dc6e615a to a899987af240c0578ed84ce13c02319a693e168f #82
Workflow file for this run
# Repository CI: runs the CHANGELOG and workflow-lint jobs on pushes and pull
# requests against main, and on manual dispatch.
name: CI

on:
  # Manual runs from the Actions tab or the API.
  workflow_dispatch:
  push:
    branches:
      - main
    # A push that touches only these paths does not start a run.
    paths-ignore:
      - '**.md'
      - 'docs/**'
      - '.github/*.md'
      - '.github/ISSUE_TEMPLATE/**'
      - 'LICENSE'
  pull_request:
    branches:
      - main
    # Same filter as for push.
    # NOTE(review): if a job from this workflow is configured as a required
    # status check, a PR that changes only ignored paths never reports it and
    # stays pending -- confirm against the branch protection settings.
    paths-ignore:
      - '**.md'
      - 'docs/**'
      - '.github/*.md'
      - '.github/ISSUE_TEMPLATE/**'
      - 'LICENSE'

# One active run per workflow and ref: a newer run in the same group cancels
# the one still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Workflow-wide GITHUB_TOKEN scope. Only read access to repository contents is
# granted; every scope not listed here is set to none.
permissions:
  contents: read
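jobs:
  # Fails unless CHANGELOG.md exists and contains a line starting with
  # "## [Unreleased]".
  validate-changelog:
    name: Validate CHANGELOG
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      # Kept as the first step so the egress policy is in place before any
      # later step makes a network call.
      - name: Harden Runner
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443

      # Action pinned to a full commit SHA; the trailing comment records the tag.
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          # Do not leave the token in the local git config for later steps.
          persist-credentials: false

      - name: Validate CHANGELOG format
        shell: bash
        run: |
          echo "Validating CHANGELOG.md format..."
          if [[ ! -f CHANGELOG.md ]]; then
            echo "::error::CHANGELOG.md not found"
            exit 1
          fi
          if ! grep -qE "^## \[Unreleased\]" CHANGELOG.md; then
            echo "::error::CHANGELOG.md missing '## [Unreleased]' section"
            exit 1
          fi
          echo "CHANGELOG.md format valid"

  # Lints the repository's workflow files with a checksum-verified actionlint
  # release binary.
  actionlint:
    name: Action Lint
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
        with:
          egress-policy: block
          # The two githubusercontent.com hosts are presumably where the
          # release-asset download below is redirected -- confirm before
          # trimming this list.
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            objects.githubusercontent.com:443
            release-assets.githubusercontent.com:443

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false

      - name: Install actionlint
        shell: bash
        run: |
          # version and checksum describe one release artifact; change them
          # together, taking the checksum from a source you trust.
          version="1.7.7"
          checksum="023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757"
          tarball="actionlint_${version}_linux_amd64.tar.gz"
          # -f makes an HTTP error fail here instead of saving the error page
          # under the tarball name; -S keeps the error message visible although
          # -s silences the progress meter.
          curl -fsSLO "https://github.com/rhysd/actionlint/releases/download/v${version}/${tarball}"
          # Verify before extracting. "shell: bash" runs the script with
          # -e -o pipefail, so a mismatch stops the step before tar runs.
          # Two spaces between hash and name: the documented check-line format.
          echo "${checksum}  ${tarball}" | sha256sum -c -
          # Extract only the named binary, nothing else from the archive.
          tar xzf "${tarball}" actionlint
          rm -f "${tarball}"

      - name: Run actionlint
        shell: bash
        run: ./actionlint -color

  # Single aggregate result for the two jobs above.
  ci-status:
    name: CI Status
    runs-on: ubuntu-latest
    timeout-minutes: 5
    # Run even when a needed job failed or was cancelled, so this job reports
    # a failure instead of being skipped.
    if: always()
    needs: [validate-changelog, actionlint]
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443

      - name: Check CI status
        shell: bash
        run: |
          # needs.<job>.result is set by GitHub to success, failure, cancelled
          # or skipped, so inlining it in the script is not an injection path.
          # Values a contributor controls (titles, branch names, ...) belong in
          # env: instead. Anything other than "success" fails the gate.
          if [[ "${{ needs.validate-changelog.result }}" != "success" ]] || \
             [[ "${{ needs.actionlint.result }}" != "success" ]]; then
            echo "::error::One or more CI jobs failed"
            exit 1
          fi
          echo "All CI jobs passed successfully"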