Create security_baseline.md #1499
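---
name: Check Spelling
# Comment management is handled through a secondary job, for details see:
# https://github.com/check-spelling/check-spelling/wiki/Feature%3A-Restricted-Permissions
#
# `jobs.comment-push` runs when a push is made to a repository and the `jobs.spelling` job needs to make a comment
# (in odd cases, it might actually run just to collapse a comment, but that's fairly rare)
# it needs `contents: write` in order to add a comment.
#
# `jobs.comment-pr` runs when a pull_request is made to a repository and the `jobs.spelling` job needs to make a comment
# or collapse a comment (in the case where it had previously made a comment and now no longer needs to show a comment)
# it needs `pull-requests: write` in order to manipulate those comments.
#
# Updating pull request branches is managed via comment handling.
# For details, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Update-expect-list
#
# These elements work together to make it happen:
#
# `on.issue_comment`
# This event listens to comments by users asking to update the metadata.
#
# `jobs.update`
# This job runs in response to an issue_comment and will push a new commit
# to update the spelling metadata.
#
# `with.experimental_apply_changes_via_bot`
# Tells the action to support and generate messages that enable it
# to make a commit to update the spelling metadata.
#
# `with.ssh_key`
# In order to trigger workflows when the commit is made, you can provide a
# secret (typically, a write-enabled github deploy key).
#
# For background, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Update-with-deploy-key
#
# NOTE: the update-via-comment feature described above is NOT configured in this
# workflow: there is no `jobs.update`, and neither `experimental_apply_changes_via_bot`
# nor `ssh_key` is set. No job defined here reacts to `issue_comment` events, so
# that trigger has nothing to do in this file.
#
# Sarif reporting
#
# Access to Sarif reports is generally restricted (by GitHub) to members of the repository.
#
# Requires enabling `security-events: write`
# and configuring the action with `use_sarif: 1`
#
# For information on the feature, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Sarif-output
#
# NOTE: Sarif output is likewise not enabled in this workflow (no job requests
# `security-events: write` and `use_sarif` is not set).
#
# Minimal workflow structure:
#
# on:
#   push:
#     ...
#   pull_request_target:
#     ...
# jobs:
#   # you only want the spelling job, all others should be omitted
#   spelling:
#     # remove `security-events: write` and `use_sarif: 1`
#     # remove `experimental_apply_changes_via_bot: 1`
#     ... otherwise adjust the `with:` as you wish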
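# `on:` is the GitHub Actions trigger key (a YAML 1.1 boolean to generic
# parsers; GitHub's loader handles it).
on:
  push:
    branches:
      - '**'
    tags-ignore:
      - '**'
  # pull_request_target (rather than pull_request) is the check-spelling
  # pattern referenced in the header comment. The `spelling` job that runs on
  # this event restricts its token to read-only permissions; only the
  # follow-up report jobs get a write scope, and they do not run on fork code.
  pull_request_target:
    branches:
      - '**'
    types:
      - 'opened'
      - 'reopened'
      - 'synchronize'
  # `issue_comment` is deliberately not subscribed: no job in this workflow
  # reacts to it (there is no `jobs.update`, and the `spelling` job's `if`
  # only admits push and pull_request* events), so listening to it would only
  # spawn a skipped run for every comment on the repository.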
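jobs:
  spelling:
    name: Check Spelling
    # Read-only token on purpose: this job is the one that runs under
    # pull_request_target and (presumably, via `checkout: true`) fetches the
    # change under test, so it must not be able to write back to the repo,
    # PRs or workflow runs.
    permissions:
      contents: read
      pull-requests: read
      actions: read
    outputs:
      # Consumed by the report jobs below to decide whether a comment is needed.
      followup: ${{ steps.spelling.outputs.followup }}
    runs-on: ubuntu-latest
    if: ${{ contains(github.event_name, 'pull_request') || github.event_name == 'push' }}
    concurrency:
      group: spelling-${{ github.event.pull_request.number || github.ref }}
      # note: If you use only_check_changed_files, you do not want cancel-in-progress
      # NOTE(review): `only_check_changed_files: 1` IS set below, so per the note
      # above this should probably be `false` - confirm the intended trade-off.
      cancel-in-progress: true
    steps:
      - name: check-spelling
        id: spelling
        # Release tag; a full-length commit SHA would be a stronger pin.
        uses: check-spelling/check-spelling@v0.0.21
        with:
          suppress_push_for_open_pull_request: 1
          checkout: true
          check_file_names: 1
          # Spelling configuration is read from the ossf/tac repository
          # (mutable `main` ref; pin if reproducible runs are required).
          spell_check_this: ossf/tac@main
          post_comment: 0
          use_magic_file: 1
          quit_without_error: 1
          only_check_changed_files: 1
          extra_dictionary_limit: 10
          # JSON map of prefix -> base URL, passed through verbatim as text.
          dictionary_source_prefixes: |
            {"cspell": "https://raw.githubusercontent.com/check-spelling/cspell-dicts/v20220816/dictionaries/", "cspell1": "https://raw.githubusercontent.com/check-spelling/cspell-dicts/v20230509/dictionaries/"}
          # Explicit block scalar (one dictionary per line) rather than an
          # accidental multi-line plain scalar, matching the key above.
          extra_dictionaries: |
            cspell1:software-terms/dict/softwareTerms.txt
            cspell1:aws/aws.txt
            cspell1:k8s/dict/k8s.txt
            cspell1:filetypes/filetypes.txt
          check_extra_dictionaries: ''

  comment-push:
    name: Report (Push)
    # If your workflow isn't running on push, you can remove this job
    runs-on: ubuntu-latest
    needs: spelling
    # The only write scope in this workflow; needed to add/collapse the
    # report comment on a push (see header comment).
    permissions:
      contents: write
    if: ${{
      (success() || failure()) &&
      github.repository_owner != 'ossf' &&
      needs.spelling.outputs.followup &&
      github.event_name == 'push'
    }}
    steps:
      - name: comment
        # Pinned to the same release as the `spelling` job. A mutable branch
        # ref (`@main`) would let this write-capable job execute whatever the
        # action's default branch currently contains; keep all three jobs on
        # one reviewed version (a full-length commit SHA is stronger still).
        uses: check-spelling/check-spelling@v0.0.21
        with:
          checkout: true
          quit_without_error: 1
          # Mutable ref to the upstream config repo; presumably only spelling
          # configuration is read from it - pin if that matters to you.
          spell_check_this: check-spelling/spell-check-this@prerelease
          only_check_changed_files: 1
          task: ${{ needs.spelling.outputs.followup }}

  comment-pr:
    name: Report (PR)
    # If your workflow isn't running on pull_request*, you can remove this job
    runs-on: ubuntu-latest
    needs: spelling
    # Needed to create/collapse the report comment on the pull request.
    permissions:
      pull-requests: write
    if: ${{
      (success() || failure()) &&
      needs.spelling.outputs.followup &&
      contains(github.event_name, 'pull_request')
    }}
    steps:
      - name: comment
        # Same release pin as the other jobs; see comment-push for why a
        # mutable branch ref is avoided in a write-capable job.
        uses: check-spelling/check-spelling@v0.0.21
        with:
          checkout: true
          quit_without_error: 1
          spell_check_this: check-spelling/spell-check-this@prerelease
          only_check_changed_files: 1
          task: ${{ needs.spelling.outputs.followup }}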