github-action-trunk-upgrade/.github/workflows/lint.yaml at 4cf1d38e591a42a4c71d6a0a1840b875000412d8 · masterpointio/github-action-trunk-upgrade · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
name: Lint

concurrency:
  group: lint-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

# Use pull_request_target to support fork PRs and enable `checks: write` permission
# This allows external contributors to get linting feedback on their PRs
on: pull_request_target

permissions:
  actions: read
  checks: write # Required to post check results back to the PR
  contents: read
  pull-requests: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      # SECURITY: With pull_request_target, checkout defaults to the base branch (main)
      # We must explicitly checkout the PR head to lint the actual changes
      - name: Check out Git repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # Checkout the actual PR code, not the base branch
          ref: ${{ github.event.pull_request.head.sha }}
          # Support forks by using the head repository
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          # SECURITY: Disable credential persistence to prevent potential misuse
          persist-credentials: false

      - name: Trunk Check
        uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
        env:
          # NOTE: inject the GITHUB_TOKEN for the trunk managed tflint linter
          # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  conventional-title:
    runs-on: ubuntu-latest
    steps:
      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}