# Validates the repository's GitHub Actions workflows: installs the
# action-validator CLI, runs the repository's validator script, then audits the
# workflows with zizmor.
name: Validate All GitHub Actions

on:
  push:
    branches:
      - "master"
      # Filter patterns are globs, not regexes: this matches branch names
      # that begin with <digit>.<digit>.
      - "[0-9].[0-9]*"
  # Uses `pull_request`, not `pull_request_target`: runs for pull requests from
  # forks get a read-only token and no repository secrets. The steps below
  # execute a script from the checked-out ref, so re-review them before
  # changing this trigger.
  pull_request:
    branches:
      - "**"

# Workflow-wide default for GITHUB_TOKEN: read-only access to contents.
permissions:
  contents: read

# For pull requests the group is keyed by PR number, so a new push cancels the
# run still in progress for that PR. On push events the PR number is empty and
# the key falls back to the unique run id, so those runs never cancel each other.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

jobs:
  validate-all-ghas:
    runs-on: ubuntu-24.04
    # A job-level block replaces the workflow-level default for this job;
    # any scope not listed here is not granted.
    permissions:
      contents: read
      # The zizmor action uploads its SARIF results to GitHub code scanning
      # (its advanced-security option is enabled by default), which needs
      # write access to security events.
      security-events: write
    steps:
      # Actions are pinned to a full commit SHA because a tag can be moved to
      # different code; the trailing comment records the release the SHA
      # is meant to correspond to.
      - name: Checkout Repository
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # Keep the token out of the checkout's git config so the install
          # and script steps below cannot read it from the working tree.
          persist-credentials: false

      - name: Set up Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          # Quoted so the version stays a string.
          node-version: "20"

      - name: Install Dependencies
        # Exact versions are given so this is not an ad-hoc, unpinned install
        # (zizmor adhoc-packages). Upgrade by editing the versions on purpose.
        # NOTE(review): there is no lockfile here, so only these two top-level
        # packages are pinned; their transitive dependencies resolve at install
        # time. Check whether `--ignore-scripts` is compatible with them.
        run: npm install -g @action-validator/core@0.6.0 @action-validator/cli@0.6.0

      # On pull requests this is the copy of the script from the checked-out
      # ref. Presumably it drives the CLI installed above; the script is
      # not shown here.
      - name: Run Script
        run: bash .github/workflows/github-action-validator.sh

      - name: Check for security issues on GHA workflows
        uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7