build(deps): bump cryptography from 46.0.5 to 46.0.6 in /patcher #161
Workflow file for this run
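# Static checks for the repository: workflow linting, config-file parsing,
# merge-conflict detection, shell and Dockerfile linting.
name: Static Checks

on:
  pull_request:
  push:
    branches: [main]

# Least privilege: nothing in this job needs more than read access to the repo.
permissions:
  contents: read

jobs:
  static-checks:
    runs-on: ubuntu-latest
    steps:
      # Actions are pinned to a full commit SHA; the trailing comment records the tag.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Keep the workflow token out of the checked-out repo's git config,
          # so later steps (which run downloaded tools) cannot read it from there.
          persist-credentials: false

      - name: Install uv
        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
        with:
          enable-cache: true

      - name: Set up Python
        run: uv python install 3.13

      - name: Lint GitHub Actions
        run: |
          # Install actionlint
          # NOTE(review): the installer is fetched from the mutable `main` ref and
          # executed without an integrity check, which is weaker than the SHA pins
          # used for the actions above. Pin the URL to a reviewed commit
          # (<REVIEWED_COMMIT_SHA>) and pass an explicit actionlint version to the script.
          # The script is saved before it is run so that a failed or truncated
          # transfer stops the step instead of executing partial input.
          curl -fsSL -o "$RUNNER_TEMP/download-actionlint.bash" \
            https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash
          bash "$RUNNER_TEMP/download-actionlint.bash"
          ./actionlint -color

      - name: Security audit GitHub Actions
        run: |
          # Run zizmor in an isolated environment using uvx
          # NOTE(review): uvx resolves the latest zizmor release at run time;
          # pin a version if reproducible audit results are required.
          uvx zizmor .github/workflows/

      - name: Check YAML files
        run: |
          # safe_load_all parses without constructing arbitrary Python objects,
          # so untrusted YAML from a pull request cannot run code here.
          python3 -c "
          import yaml
          from pathlib import Path
          for pattern in ('*.yaml', '*.yml'):
              for f in Path('.').rglob(pattern):
                  if 'deployment/k8s' not in str(f):
                      list(yaml.safe_load_all(f.read_text()))
          "

      - name: Check TOML files
        run: |
          # Each file is opened in a with-block so the handle is closed per file.
          python3 -c "
          import tomllib
          from pathlib import Path
          for f in Path('.').rglob('*.toml'):
              with f.open('rb') as fh:
                  tomllib.load(fh)
          "

      - name: Check JSON files
        run: |
          # Each file is opened in a with-block so the handle is closed per file.
          python3 -c "
          import json
          from pathlib import Path
          for f in Path('.').rglob('*.json'):
              with f.open() as fh:
                  json.load(fh)
          "

      - name: Check for merge conflicts
        run: |
          # Match exact git merge conflict markers:
          # - <<<<<<< (followed by space, e.g., "<<<<<<< HEAD")
          # - ======= (exactly 7 equals at end of line)
          # - >>>>>>> (followed by space, e.g., ">>>>>>> branch-name")
          # The leading "!" inverts grep's status: a match fails the step.
          ! grep -rE '^(<{7} |>{7} |={7}$)' --include='*.py' --include='*.yaml' --include='*.yml' --include='*.toml' --include='*.json' . || exit 1

      - name: Lint shell scripts
        run: |
          shellcheck --version
          # Exclude external directories (node_data_storage contains cloned repos, external has vendored code)
          find . -name '*.sh' -type f \
            ! -path './.git/*' \
            ! -path '*/.venv/*' \
            ! -path './node_data_storage/*' \
            ! -path './external/*' \
            -print0 | xargs -0 shellcheck

      - name: Lint Dockerfiles
        run: |
          # Install hadolint
          # -f makes curl fail on an HTTP error instead of saving the error page
          # as the "binary".
          # NOTE(review): the release is version-pinned but its digest is not
          # verified; record the expected SHA-256 (<HADOLINT_SHA256>) in this
          # workflow and check it with `sha256sum -c` before chmod +x.
          curl -fsSL -o hadolint "https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64"
          chmod +x hadolint
          ./hadolint --version
          # Exclude external directories (node_data_storage contains cloned repos, external has vendored code)
          find . -name 'Dockerfile*' -type f \
            ! -path './.git/*' \
            ! -path './node_data_storage/*' \
            ! -path './external/*' \
            -print0 | xargs -0 ./hadolint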