# Validates the repository's GitHub Actions workflows: installs the
# action-validator CLI, runs a repo-local validation script, then runs the
# zizmor action.
name: Validate All GitHub Actions

# Runs on pushes to master and to branches matching "[0-9].[0-9]*", and on
# pull requests against any base branch ("**"). The PR trigger is
# `pull_request`, not `pull_request_target`.
on:
  push:
    branches:
      - "master"
      - "[0-9].[0-9]*"
  pull_request:
    branches:
      - "**"

# Workflow-wide default token scope: read-only repository contents.
permissions:
  contents: read

# cancel previous workflow jobs for PRs
# (push events carry no pull_request.number, so the group falls back to the
# per-run run_id and push runs do not cancel one another)
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

jobs:
  validate-all-ghas:
    runs-on: ubuntu-24.04
    # Job-level permissions replace the workflow-level block for this job,
    # so every scope the job needs has to be listed here.
    permissions:
      contents: read
      # Required for the zizmor action to upload its SARIF results to
      # GitHub code scanning (advanced-security is enabled by default).
      security-events: write
    steps:
      # Each `uses:` below is pinned to a full commit SHA; the trailing
      # comment records the release tag that SHA is intended to match.
      - name: Checkout Repository
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # Keep the job token out of the checkout's git configuration so the
          # later install and script steps cannot read it from the work tree.
          persist-credentials: false

      - name: Set up Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: "20"

      # NOTE(review): the version pins below name only the two top-level
      # packages; their own dependencies are resolved by npm at install time,
      # and package lifecycle scripts run inside this job. Confirm whether
      # `--ignore-scripts` is usable for these packages.
      - name: Install Dependencies
        # Versions are pinned to avoid ad-hoc, unpinned package installs.
        # Bump deliberately when upgrading.
        # zizmor: ignore[adhoc-packages] - @action-validator is a global CLI tool installed to validate the repo's workflows; a global CLI install has no application manifest/lockfile context, and the versions are pinned above
        run: npm install -g @action-validator/core@0.6.0 @action-validator/cli@0.6.0

      # Executes a script taken from the checked-out tree (its contents are
      # not part of this file). On pull_request runs the checkout includes
      # the PR's changes, so the script runs as the PR has it.
      # NOTE(review): this relies on the restricted token of the
      # `pull_request` trigger; re-check this step before changing the
      # trigger or the checkout ref.
      - name: Run Script
        run: bash .github/workflows/github-action-validator.sh

      # Static security analysis of the workflows; per the permissions
      # comment above, its SARIF output goes to GitHub code scanning.
      - name: Check for security issues on GHA workflows
        uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7