d0a935a8bc
GitHub torrentclaw org is shadow-banned; CI is hosted at git.torrentclaw.com now. Move workflows into the runner's natively-watched .forgejo/workflows/ tree and adapt steps to run in the available 'docker'-labeled Forgejo runner without GitHub-only tooling (gh CLI, third-party marketplace actions). - Use container: image to ship the toolchain (no actions/setup-* needed). - Drop GitHub-only marketplace actions in favour of upstream installers invoked over curl/apt. - Where a workflow created a GitHub Release (release.yml), substitute the step with a curl call against the Forgejo Releases API (POST /repos/<owner>/<repo>/releases).
86 lines
2.6 KiB
YAML
86 lines
2.6 KiB
YAML
name: CI
|
|
|
|
on:
|
|
pull_request:
|
|
branches: [main]
|
|
push:
|
|
branches: [main]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
lint-commits:
|
|
name: Lint commits
|
|
runs-on: docker
|
|
container:
|
|
image: docker.io/library/ubuntu:24.04
|
|
if: github.event_name == 'pull_request'
|
|
steps:
|
|
- name: Install git + grep
|
|
run: apt-get update && apt-get install -y --no-install-recommends git ca-certificates
|
|
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Validate conventional commits
|
|
run: |
|
|
base="${{ github.event.pull_request.base.sha }}"
|
|
head="${{ github.event.pull_request.head.sha }}"
|
|
pattern='^(feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert)(\(.+\))?(!)?: .{1,}$'
|
|
|
|
failed=0
|
|
while IFS= read -r msg; do
|
|
first_line=$(echo "$msg" | head -1)
|
|
if ! echo "$first_line" | grep -qE "$pattern"; then
|
|
echo "FAIL: $first_line"
|
|
failed=1
|
|
fi
|
|
done < <(git log --format="%s" "$base".."$head")
|
|
|
|
if [ "$failed" -eq 1 ]; then
|
|
echo ""
|
|
echo "Some commits do not follow Conventional Commits format."
|
|
echo "Expected: <type>[scope][!]: <description>"
|
|
echo "See: https://www.conventionalcommits.org/"
|
|
exit 1
|
|
fi
|
|
echo "All commits follow Conventional Commits format."
|
|
|
|
lint-scripts:
|
|
name: Lint shell scripts
|
|
runs-on: docker
|
|
container:
|
|
image: docker.io/library/ubuntu:24.04
|
|
steps:
|
|
- name: Install shellcheck
|
|
run: apt-get update && apt-get install -y --no-install-recommends shellcheck git ca-certificates
|
|
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Run ShellCheck
|
|
run: shellcheck scripts/*.sh
|
|
|
|
security-check:
|
|
name: Security patterns check
|
|
runs-on: docker
|
|
container:
|
|
image: docker.io/library/ubuntu:24.04
|
|
steps:
|
|
- name: Install grep + git
|
|
run: apt-get update && apt-get install -y --no-install-recommends git grep ca-certificates
|
|
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Check for unsafe string interpolation in curl payloads
|
|
run: |
|
|
# Flag inline JSON in double quotes (allows shell interpolation).
|
|
# Safe patterns: curl -d '{}' (single quotes) or curl -d "$var" (pre-built payload).
|
|
if grep -rPn 'curl.*-d\s*"[{]' scripts/*.sh; then
|
|
echo ""
|
|
echo "ERROR: Found curl -d with inline JSON in double quotes."
|
|
echo "Use jq --arg to build JSON safely and pass via variable."
|
|
exit 1
|
|
fi
|
|
echo "No unsafe curl patterns found."
|