Merge pull request #1 from step-security/release

forked from upstream

Author: Raj-StepSecurity

.github/dependabot.yml

@@ -0,0 +1,10 @@
+# See: https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#about-the-dependabotyml-file
+version: 2
+
+updates:
+  # Configure check for outdated GitHub Actions actions in workflows.
+  # See: https://docs.github.com/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
+  - package-ecosystem: github-actions
+    directory: / # Check the repository's workflows under /.github/workflows/
+    schedule:
+      interval: daily

.github/workflows/actions_release.yml

@@ -0,0 +1,22 @@
+name: Release GitHub Actions
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Tag for the release"
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+
+    uses: step-security/reusable-workflows/.github/workflows/actions_release.yaml@v1
+    with:
+      tag: "${{ github.event.inputs.tag }}"

.github/workflows/docker_image.yml

@@ -0,0 +1,44 @@
+name: Publish stable image
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_tag:
+        description: 'Tag to release (e.g. v1.2.3)'
+        required: true
+        type: string
+
+jobs:
+  publish_image:
+    name: Publish Docker image to ghcr.io
+    runs-on: ubuntu-latest
+    if: startsWith(github.event.inputs.release_tag, 'v')
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Validate tag format
+        run: |
+          TAG=${{ github.event.inputs.release_tag }}
+          if ! echo "$TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
+            echo "❌ Invalid tag format: $TAG"
+            exit 1
+          fi
+          echo "✅ Valid semver tag: $TAG"
+
+      - name: Build Docker image
+        run: |
+          IMAGE_NAME=ghcr.io/${{ github.repository }}/stable:${{ github.event.inputs.release_tag }}
+          docker build -t $IMAGE_NAME .
+
+      - name: Log in to GitHub Container Registry
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Push Docker image
+        run: |
+          IMAGE_NAME=ghcr.io/${{ github.repository }}/stable:${{ github.event.inputs.release_tag }}
+          docker push $IMAGE_NAME

.github/workflows/testing.yml

@@ -0,0 +1,112 @@
+name: Testing
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    name: Run tests
+    runs-on: ubuntu-latest
+    continue-on-error: ${{ matrix.experimental }}
+    strategy:
+      fail-fast: false
+      matrix:
+        codespell_pip_version: ['codespell']
+        experimental: [false]
+        include:
+          - codespell_pip_version: 'git+https://github.com/codespell-project/codespell.git'
+            # Set this to true if git master is breaking the action's tests
+            experimental: false
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Install codespell via pip using ${{ matrix.codespell_pip_version }}
+        run: pip install ${{ matrix.codespell_pip_version }}
+
+      - name: Check codespell
+        run: codespell --version
+
+      - name: Install Bats
+        run: |
+          git clone --quiet https://github.com/bats-core/bats-core.git
+          cd bats-core
+          git fetch --tags
+          # Checkout the latest tag
+          git checkout --quiet $(git describe --tags `git rev-list --tags --max-count=1`)
+          sudo ./install.sh "/usr/local" > /dev/null
+
+      - name: Run Bats tests
+        run: bats "./test"
+
+  run_action:
+    name: Test run action
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: ./
+      with:
+        path: test/testdata
+        only_warn: 1
+
+  codespell:
+    name: Check for spelling errors
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: ./
+      with:
+        check_filenames: true
+        check_hidden: true
+        # When using this Action in other repos, the --skip option below can be removed
+        skip: ./.git,./codespell-problem-matcher/test,./test,./README.md,./.github/workflows/testing.yml,./.pre-commit-config.yaml
+    # Check our README (and this workflow) ignoring the two intentional typos
+    - uses: ./
+      with:
+        check_filenames: true
+        check_hidden: true
+        path: ./README.md,./.github/workflows/testing.yml
+        ignore_words_list: abandonned,ackward
+
+  diagnose_bats:
+    name: Diagnose bats
+    needs: test
+    if: always() && needs.test.result == 'failure'
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    strategy:
+      fail-fast: false
+      matrix:
+        codespell_pip_version: ['codespell']
+        include:
+          - codespell_pip_version: 'git+https://github.com/codespell-project/codespell.git'
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+      - run: pip3 --quiet --quiet install ${{ matrix.codespell_pip_version }}
+      - run: |
+          # Simulate the Dockerfile COPY command
+          [ -d "${RUNNER_TEMP}/code/" ] || sudo mkdir -p ${RUNNER_TEMP}/code/
+          [ -f "${RUNNER_TEMP}/code/codespell-matcher.json" ] || sudo cp codespell-problem-matcher/codespell-matcher.json ${RUNNER_TEMP}/code/
+          #ls -alR ${RUNNER_TEMP}/code/
+          [ -d "/code/" ] || sudo mkdir -p /code/
+          [ -f "/code/codespell-matcher.json" ] || sudo cp codespell-problem-matcher/codespell-matcher.json /code/
+          #ls -alR /code/
+          # Add a random place BATS tries to put it
+          [ -d "/github/workflow/" ] || sudo mkdir -p /github/workflow/ && sudo chmod 777 /github/workflow/
+          #ls -alR /github/workflow/
+          export INPUT_CHECK_FILENAMES=""
+          export INPUT_CHECK_HIDDEN=""
+          export INPUT_EXCLUDE_FILE=""
+          export INPUT_SKIP=""
+          export INPUT_IGNORE_WORDS_FILE="./test/ignore-words-file.txt"
+          export INPUT_IGNORE_WORDS_LIST=""
+          export INPUT_PATH="./test/testdata"
+          export INPUT_ONLY_WARN=""
+          ./entrypoint.sh || echo $?

.pre-commit-config.yaml

@@ -0,0 +1,8 @@
+repos:
+  - repo: https://github.com/codespell-project/codespell
+    rev: v2.4.0
+    hooks:
+      - id: codespell
+        args: [--ignore-words-list, "abandonned,ackward,bu"]
+        additional_dependencies:
+          - tomli

Dockerfile

@@ -0,0 +1,13 @@
+FROM python:3.8-alpine
+
+COPY LICENSE \
+        README.md \
+        entrypoint.sh \
+        codespell-problem-matcher/codespell-matcher.json \
+        requirements.txt \
+        /code/
+
+RUN pip install -r /code/requirements.txt
+
+ENTRYPOINT ["/code/entrypoint.sh"]
+CMD []

LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 Peter Newman. Based on flake8 code copyright 2019, Patric "TrueBrain" Stout
+Copyright (c) 2025 StepSecurity
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -1 +1,137 @@
-# actions-codespell
+# Codespell with GitHub Actions -- including annotations for Pull Requests
+
+This GitHub Actions runs codespell over your code.
+Any warnings or errors will be annotated in the Pull Request.
+
+## Usage
+
+```yml
+uses: step-security/actions-codespell@v2
+```
+
+### Parameter: check_filenames
+
+If set, check file names for spelling mistakes as well.
+
+This parameter is optional; by default `codespell` will only check the file contents.
+
+```yml
+uses: step-security/actions-codespell@v2
+with:
+  check_filenames: true
+```
+
+### Parameter: check_hidden
+
+If set, check hidden files (those starting with ".") for spelling mistakes as well.
+
+This parameter is optional; by default `codespell` will not check hidden files.
+
+```yml
+uses: step-security/actions-codespell@v2
+with:
+  check_hidden: true
+```
+
+### Parameter: exclude_file
+
+File with lines that should not be checked for spelling mistakes.
+
+This parameter is optional; by default `codespell` will check all lines.
+
+```yml
+uses: step-security/actions-codespell@v2
+with:
+  exclude_file: src/foo
+```
+
+### Parameter: skip
+
+Comma-separated list of files to skip (it accepts globs as well).
+
+This parameter is optional; by default `codespell` won't skip any files.
+
+```yml
+uses: step-security/actions-codespell@v2
+with:
+  skip: foo,bar
+```
+
+### Parameter: builtin
+
+Comma-separated list of builtin dictionaries to use.
+
+This parameter is optional; by default `codespell` will use its default selection of built in dictionaries.
+
+```yml
+uses: step-security/actions-codespell@v2
+with:
+  builtin: clear,rare
+```
+
+### Parameter: ignore_words_file
+
+File that contains words which will be ignored by `codespell`. File must contain one word per line.
+Words are case sensitive based on how they are written in the dictionary file.
+
+This parameter is optional; by default `codespell` will check all words for typos.
+
+```yml
+uses: step-security/actions-codespell@v2
+with:
+  ignore_words_file: .codespellignore
+```
+
+### Parameter: ignore_words_list
+
+Comma-separated list of words which will be ignored by `codespell`.
+Words are case sensitive based on how they are written in the dictionary file.
+
+This parameter is optional; by default `codespell` will check all words for typos.
+
+```yml
+uses: step-security/actions-codespell@v2
+with:
+  ignore_words_list: abandonned,ackward
+```
+
+### Parameter: uri_ignore_words_list
+
+Comma-separated list of words which will be ignored by `codespell` in URIs and emails only.
+Words are case sensitive based on how they are written in the dictionary file.
+If set to "*", all misspelling in URIs and emails will be ignored.
+
+This parameter is optional; by default `codespell` will check all URIs and emails for typos.
+
+```yml
+uses: step-security/actions-codespell@v2
+with:
+  uri_ignore_words_list: abandonned
+```
+
+### Parameter: path
+
+Indicates the path to run `codespell` in.
+This can be useful if your project has code you don't want to spell check for some reason.
+
+This parameter is optional; by default `codespell` will run on your whole repository.
+
+```yml
+uses: step-security/actions-codespell@v2
+with:
+  path: src
+```
+
+### Parameter: only_warn
+
+Only warn about problems.
+All errors and warnings are annotated in Pull Requests, but it will act like everything was fine anyway.
+(In other words, the exit code is always 0.)
+
+This parameter is optional; setting this to any value will enable it.
+
+```yml
+uses: step-security/actions-codespell@v2
+with:
+  only_warn: 1
+```

SECURITY.md

@@ -0,0 +1,5 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please report security vulnerabilities to [email protected]