Extend linting (#1003)

- Add support for running CodeQL queries for GitHub Actions.
- Add markdownlint.
- Add PowerShell linting.
- Fix lint warnings.
- Bump actionlint to v1.7.7.
- Add `filter` and `show-progress:false` to checkout options.
- Use `${env:}` format to access environment variables for consistency.
- Avoid interpolation.
- Remove redundant quoting.
- Use single quotes in YAML.
- Refactor permissions.

Author: martincostello

.github/ISSUE_TEMPLATE.md

@@ -1,3 +1,7 @@
+---
+title: ''
+---
+
 ### Expected behaviour
 
 <!-- Explain what you expected to happen. -->

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,8 +1,8 @@
 ---
 name: Bug report
+title: Bug report
 about: Create a bug report to help us improve the library
 labels: bug
-
 ---
 
 ### Describe the bug

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,11 +1,11 @@
 ---
 name: Feature request
+title: Feature request
 about: Suggest an idea for a feature of this library
 labels: feature-request
-
 ---
 
-### Is your feature request related to a problem? Please describe.
+### Is your feature request related to a problem?
 
 <!--
 A clear and concise description of what the problem is. For example: _It would be useful if [...]_

.github/workflows/approve-and-merge.yml

@@ -5,15 +5,18 @@ on:
     branches: [ main, dotnet-vnext ]
 
 env:
+  POWERSHELL_YAML_VERSION: '0.4.12'
   REVIEWER_LOGIN: ${{ vars.REVIEWER_USER_NAME }}
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   review-pull-request:
     runs-on: ubuntu-latest
-    if: ${{ github.event.pull_request.user.login == vars.UPDATER_COMMIT_USER_NAME }}
+    if: github.event.pull_request.user.login == vars.UPDATER_COMMIT_USER_NAME
+
+    permissions:
+      contents: read
 
     steps:
 
@@ -23,31 +26,33 @@ jobs:
       with:
         application_id: ${{ secrets.REVIEWER_APPLICATION_ID }}
         application_private_key: ${{ secrets.REVIEWER_APPLICATION_PRIVATE_KEY }}
-        permissions: "contents:write, pull_requests:write"
+        permissions: 'contents:write, pull_requests:write'
 
     - name: Install powershell-yaml
       shell: pwsh
-      run: Install-Module -Name powershell-yaml -Force -MaximumVersion "0.4.7"
+      run: Install-Module -Name powershell-yaml -Force -MaximumVersion ${env:POWERSHELL_YAML_VERSION}
 
     - name: Check which dependencies were updated
       id: check-dependencies
       env:
         # This list of trusted package prefixes needs to stay in sync with include-nuget-packages in the update-dotnet-sdk workflow.
-        INCLUDE_NUGET_PACKAGES: "Microsoft.AspNetCore.,Microsoft.EntityFrameworkCore.,Microsoft.Extensions.,Microsoft.NET.Test.Sdk"
+        INCLUDE_NUGET_PACKAGES: 'Microsoft.AspNetCore.,Microsoft.EntityFrameworkCore.,Microsoft.Extensions.,Microsoft.NET.Test.Sdk'
         GH_TOKEN: ${{ steps.generate-application-token.outputs.token }}
+        PR_NUMBER: ${{ github.event.pull_request.number }}
+        UPDATER_COMMIT_USER_NAME: ${{ vars.UPDATER_COMMIT_USER_NAME }}
       shell: pwsh
       run: |
         # Replicate the logic in the dependabot/fetch-metadata action.
         # See https://github.com/dependabot/fetch-metadata/blob/aea2135c95039f05c64436f1d14638c300e10b2b/src/dependabot/update_metadata.ts#L29-L68.
         # Query the GitHub API to get the commits in the pull request.
         $commits = gh api `
-          /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits `
+          "/repos/${env:GITHUB_REPOSITORY}/pulls/${env:PR_NUMBER}/commits" `
           --jq '.[] | { author: .author.login, message: .commit.message }' | ConvertFrom-Json
 
         # We should only approve pull requests that only contain commits from
         # the GitHub user we expected and only commits that contain the metadata
         # we need to determine what dependencies were updated by the other workflow.
-        $expectedUser = "${{ vars.UPDATER_COMMIT_USER_NAME }}"
+        $expectedUser = "${env:UPDATER_COMMIT_USER_NAME}"
         $onlyDependencyUpdates = $True
         $onlyChangesFromUser = $True
 
@@ -82,7 +87,7 @@ jobs:
         # Did we find at least one dependency?
         $isPatch = $dependencies.Length -gt 0
         $onlyTrusted = $dependencies.Length -gt 0
-        $trustedPackages = $env:INCLUDE_NUGET_PACKAGES.Split(',')
+        $trustedPackages = ${env:INCLUDE_NUGET_PACKAGES}.Split(',')
 
         foreach ($dependency in $dependencies) {
           $isPatch = $isPatch -And $dependency.Type -eq "version-update:semver-patch"
@@ -98,34 +103,38 @@ jobs:
         # Microsoft-published NuGet packages that were made by the GitHub
         # login we expect to make those changes in the other workflow.
         $isTrusted = (($onlyTrusted -And $isPatch) -And $onlyChangesFromUser) -And $onlyDependencyUpdates
-        "is-trusted-update=$isTrusted" >> $env:GITHUB_OUTPUT
+        "is-trusted-update=$isTrusted" >> ${env:GITHUB_OUTPUT}
 
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        filter: 'tree:0'
+        show-progress: false
 
       # As long as it's not already approved, approve the pull request and enable auto-merge.
       # Our CI tests coupled with required statuses should ensure that the changes compile
       # and that the application is still functional after the update; any bug that might be
       # introduced by the update should be caught by the tests. If that happens, the build
       # workflow will fail and the preconditions for the auto-merge to happen won't be met.
     - name: Approve pull request and enable auto-merge
-      if: ${{ steps.check-dependencies.outputs.is-trusted-update == 'true' }}
+      if: steps.check-dependencies.outputs.is-trusted-update == 'true'
       env:
         GH_TOKEN: ${{ steps.generate-application-token.outputs.token }}
+        PR_NUMBER: ${{ github.event.pull_request.number }}
         PR_URL: ${{ github.event.pull_request.html_url }}
       shell: pwsh
       run: |
-        $approvals = gh api /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews | ConvertFrom-Json
-        $approvals = $approvals | Where-Object { $_.user.login -eq $env:REVIEWER_LOGIN }
+        $approvals = gh api "/repos/${env:GITHUB_REPOSITORY}/pulls/${env:PR_NUMBER}/reviews" | ConvertFrom-Json
+        $approvals = $approvals | Where-Object { $_.user.login -eq ${env:REVIEWER_LOGIN} }
         $approvals = $approvals | Where-Object { $_.state -eq "APPROVED" }
 
         if ($approvals.Length -eq 0) {
-          gh pr checkout "$env:PR_URL"
-          gh pr review --approve "$env:PR_URL"
-          gh pr merge --auto --squash "$env:PR_URL"
+          gh pr checkout ${env:PR_URL}
+          gh pr review --approve ${env:PR_URL}
+          gh pr merge --auto --squash ${env:PR_URL}
         }
         else {
-          Write-Host "PR already approved.";
+          Write-Output "PR already approved.";
         }
 
     # If something was present in the pull request that isn't expected, then disable
@@ -134,27 +143,28 @@ jobs:
     # automatically if there's an unexpected change introduced. Any existing review
     # approvals that were made by the bot are also dismissed so human approval is required.
     - name: Disable auto-merge and dismiss approvals
-      if: ${{ steps.check-dependencies.outputs.is-trusted-update != 'true' }}
+      if: steps.check-dependencies.outputs.is-trusted-update != 'true'
       env:
         GH_TOKEN: ${{ steps.generate-application-token.outputs.token }}
+        PR_NUMBER: ${{ github.event.pull_request.number }}
         PR_URL: ${{ github.event.pull_request.html_url }}
       shell: pwsh
       run: |
-        $approvals = gh api /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews | ConvertFrom-Json
-        $approvals = $approvals | Where-Object { $_.user.login -eq $env:REVIEWER_LOGIN }
+        $approvals = gh api "/repos/${env:GITHUB_REPOSITORY}/pulls/${env:PR_NUMBER}/reviews" | ConvertFrom-Json
+        $approvals = $approvals | Where-Object { $_.user.login -eq ${env:REVIEWER_LOGIN} }
         $approvals = $approvals | Where-Object { $_.state -eq "APPROVED" }
 
         if ($approvals.Length -gt 0) {
-          gh pr checkout "$env:PR_URL"
-          gh pr merge --disable-auto "$env:PR_URL"
+          gh pr checkout ${env:PR_URL}
+          gh pr merge --disable-auto ${env:PR_URL}
           foreach ($approval in $approvals) {
             gh api `
               --method PUT `
-              /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews/$($approval.id)/dismissals `
+              "/repos/${env:GITHUB_REPOSITORY}/pulls/${env:PR_NUMBER}/reviews/$($approval.id)/dismissals" `
               -f message='Cannot approve as other changes have been introduced.' `
               -f event='DISMISS'
           }
         }
         else {
-          Write-Host "PR not already approved.";
+          Write-Output "PR not already approved.";
         }

.github/workflows/build.yml

@@ -47,6 +47,9 @@ jobs:
 
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        filter: 'tree:0'
+        show-progress: false
 
     - name: Setup .NET SDK
       uses: actions/setup-dotnet@3951f0dfe7a07e2313ec93c75700083e2005cbab # v4.3.0
@@ -152,4 +155,6 @@ jobs:
         dotnet-version: ${{ needs.build.outputs.dotnet-sdk-version }}
 
     - name: Push NuGet packages to NuGet.org
-      run: dotnet nuget push "*.nupkg" --api-key ${{ secrets.NUGET_TOKEN }} --skip-duplicate --source https://api.nuget.org/v3/index.json
+      run: dotnet nuget push "*.nupkg" --api-key "${NUGET_API_KEY}" --skip-duplicate --source https://api.nuget.org/v3/index.json
+      env:
+        NUGET_API_KEY: ${{ secrets.NUGET_TOKEN }}

.github/workflows/bump-version.yml

@@ -34,6 +34,8 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          filter: 'tree:0'
+          show-progress: false
           token: ${{ steps.generate-application-token.outputs.token }}
 
       - name: Bump version
@@ -75,7 +77,7 @@ jobs:
 
           "" >> $properties
 
-          "version=${updatedVersion}" >> $env:GITHUB_OUTPUT
+          "version=${updatedVersion}" >> ${env:GITHUB_OUTPUT}
 
       - name: Push changes to GitHub
         id: push-changes
@@ -102,7 +104,7 @@ jobs:
           git rev-parse --verify --quiet "remotes/origin/${branchName}" | Out-Null
 
           if ($LASTEXITCODE -eq 0) {
-            Write-Host "Branch ${branchName} already exists."
+            Write-Output "Branch ${branchName} already exists."
             exit 0
           }
 
@@ -111,9 +113,9 @@ jobs:
           git commit -m "Bump version`n`nBump version to ${env:NEXT_VERSION} for the next release."
           git push -u origin $branchName
 
-          "branch-name=${branchName}" >> $env:GITHUB_OUTPUT
-          "updated-version=true" >> $env:GITHUB_OUTPUT
-          "version=${env:NEXT_VERSION}" >> $env:GITHUB_OUTPUT
+          "branch-name=${branchName}" >> ${env:GITHUB_OUTPUT}
+          "updated-version=true" >> ${env:GITHUB_OUTPUT}
+          "version=${env:NEXT_VERSION}" >> ${env:GITHUB_OUTPUT}
 
       - name: Create pull request
         if: steps.push-changes.outputs.updated-version == 'true'

.github/workflows/code-scan.yml

@@ -0,0 +1,66 @@
+name: codeql
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches:
+      - main
+      - dotnet-vnext
+      - dotnet-nightly
+  schedule:
+    - cron: '0 6 * * MON'
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  analysis:
+    runs-on: ubuntu-latest
+
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'actions', 'csharp' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        filter: 'tree:0'
+        show-progress: false
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+      with:
+        build-mode: none
+        languages: ${{ matrix.language }}
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+      with:
+        category: /language:${{ matrix.language }}
+
+  codeql:
+    if: ${{ !cancelled() }}
+    needs: [ analysis ]
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Report status
+      shell: bash
+      env:
+        SCAN_SUCCESS: ${{ !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
+      run: |
+        if [ "${SCAN_SUCCESS}" == "true" ]
+        then
+          echo 'CodeQL analysis successful ✅'
+        else
+          echo '::error title=CodeQL::CodeQL analysis failed ❌'
+          exit 1
+        fi

.github/workflows/codeql.yml

@@ -2,13 +2,15 @@ name: dependabot-approve
 
 on: pull_request_target
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   dependabot:
     runs-on: ubuntu-latest
-    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+
+    permissions:
+      contents: read
 
     steps:
 
@@ -22,10 +24,13 @@ jobs:
         with:
           application_id: ${{ secrets.REVIEWER_APPLICATION_ID }}
           application_private_key: ${{ secrets.REVIEWER_APPLICATION_PRIVATE_KEY }}
-          permissions: "contents:write, pull_requests:write"
+          permissions: 'contents:write, pull_requests:write'
 
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          filter: 'tree:0'
+          show-progress: false
 
       - name: Approve pull request and enable auto-merge
         shell: bash