claude-code-toolbox/.github/workflows/lint.yml at 7f0cb0b9e7b2cedd90a598f845e1cccc0cee1eec · alex-feel/claude-code-toolbox · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
name: Lint and Validate

on:
  pull_request:
  workflow_dispatch:

permissions:
  contents: read
  security-events: write

jobs:
  powershell:
    name: PowerShell Script Analysis
    runs-on: windows-latest

    steps:
    - name: Skip for Release Please
      if: ${{ startsWith(github.head_ref, 'release-please--branches--') }}
      run: echo "Skipping PowerShell analysis for Release Please PR"

    - uses: actions/checkout@v5
      if: ${{ ! startsWith(github.head_ref, 'release-please--branches--') }}

    - name: Run PSScriptAnalyzer
      if: ${{ ! startsWith(github.head_ref, 'release-please--branches--') }}
      uses: microsoft/psscriptanalyzer-action@v1.1
      with:
        path: ./scripts/windows
        recurse: true
        output: results.sarif
        ignorePattern: '\.git|\.github'

    - name: Upload PSScriptAnalyzer results
      uses: github/codeql-action/upload-sarif@v3
      if: ${{ always() && ! startsWith(github.head_ref, 'release-please--branches--') }}
      with:
        sarif_file: results.sarif

  shellcheck:
    name: Shell Script Analysis
    runs-on: ubuntu-latest

    steps:
    - name: Skip for Release Please
      if: ${{ startsWith(github.head_ref, 'release-please--branches--') }}
      run: echo "Skipping Shell Script analysis for Release Please PR"

    - uses: actions/checkout@v5
      if: ${{ ! startsWith(github.head_ref, 'release-please--branches--') }}

    - name: Run ShellCheck
      if: ${{ ! startsWith(github.head_ref, 'release-please--branches--') }}
      uses: ludeeus/action-shellcheck@master
      with:
        scandir: './scripts'
        ignore_paths: 'scripts/windows'
        severity: warning

  markdown:
    name: Markdown Lint
    runs-on: ubuntu-latest

    steps:
    - name: Skip for Release Please
      if: ${{ startsWith(github.head_ref, 'release-please--branches--') }}
      run: echo "Skipping Markdown lint for Release Please PR"

    - uses: actions/checkout@v5
      if: ${{ ! startsWith(github.head_ref, 'release-please--branches--') }}

    - name: Run markdownlint
      if: ${{ ! startsWith(github.head_ref, 'release-please--branches--') }}
      uses: DavidAnson/markdownlint-cli2-action@v20
      with:
        globs: |
          **/*.md
          !node_modules/**
          !CHANGELOG.md

  json-yaml:
    name: JSON/YAML Validation
    runs-on: ubuntu-latest

    steps:
    - name: Skip for Release Please
      if: ${{ startsWith(github.head_ref, 'release-please--branches--') }}
      run: echo "Skipping JSON/YAML validation for Release Please PR"

    - uses: actions/checkout@v5
      if: ${{ ! startsWith(github.head_ref, 'release-please--branches--') }}

    - name: Validate JSON files
      if: ${{ ! startsWith(github.head_ref, 'release-please--branches--') }}
      run: |
        find . -name "*.json" -type f -not -path "./node_modules/*" | while read file; do
          echo "Validating $file"
          python -m json.tool "$file" > /dev/null || exit 1
        done
        echo "All JSON files are valid"

    - name: Setup Python
      if: ${{ ! startsWith(github.head_ref, 'release-please--branches--') }}
      uses: actions/setup-python@v5
      with:
        python-version: '3.x'

    - name: Validate YAML files
      if: ${{ ! startsWith(github.head_ref, 'release-please--branches--') }}
      run: |
        pip install pyyaml
        find . -name "*.yml" -o -name "*.yaml" -type f -not -path "./node_modules/*" | while read file; do
          echo "Validating $file"
          python -c "import yaml; yaml.safe_load(open('$file'))" || exit 1
        done
        echo "All YAML files are valid"

  security:
    name: Security Scan
    runs-on: ubuntu-latest

    steps:
    - name: Skip for Release Please
      if: ${{ startsWith(github.head_ref, 'release-please--branches--') }}
      run: echo "Skipping Trivy security scan for Release Please PR"

    - uses: actions/checkout@v5
      if: ${{ ! startsWith(github.head_ref, 'release-please--branches--') }}

    - name: Run Trivy security scanner
      if: ${{ ! startsWith(github.head_ref, 'release-please--branches--') }}
      uses: aquasecurity/trivy-action@master
      with:
        scan-type: 'fs'
        scan-ref: '.'
        format: 'sarif'
        output: 'trivy-results.sarif'

    - name: Upload Trivy results to GitHub Security
      uses: github/codeql-action/upload-sarif@v3
      if: ${{ always() && ! startsWith(github.head_ref, 'release-please--branches--') }}
      with:
        sarif_file: 'trivy-results.sarif'