
action.yml: reformat comments-before #580

Merged: 10 commits merged into main from features/lint, May 7, 2024

Conversation

thypon
Member

@thypon thypon commented May 7, 2024

No description provided.

@thypon thypon requested a review from a team as a code owner May 7, 2024 13:12
@thypon thypon marked this pull request as draft May 7, 2024 13:12
@thypon thypon force-pushed the features/lint branch 25 times, most recently from 3fc1f72 to bcf01aa Compare May 7, 2024 15:09
@thypon thypon marked this pull request as ready for review May 7, 2024 18:04

github-actions bot commented May 7, 2024

[puLL-Merge] - brave/security-action@580

Description

This PR cleans up YAML formatting and syntax across various GitHub Actions workflows and Semgrep rules. It also adds a new lint GitHub Actions workflow to lint and audit the JavaScript code. The motivation seems to be to improve code quality and consistency.

Changes

  • .github/workflows/*.yml: Cleaned up YAML formatting and syntax across multiple workflow files.
  • action.yml: Cleaned up YAML formatting. Extracted some GitHub API calls into separate JavaScript modules.
  • assets/reviewdog/reviewdog.yml: Cleaned up some multi-line strings.
  • assets/semgrep_rules/**/*.yaml: Cleaned up YAML formatting and long lines across multiple Semgrep rule files.
  • .github/workflows/lint.yml: Added a new workflow to lint and audit the JavaScript code on push/PRs to main branch.
  • package.json: Added lint and lint-fix npm scripts. Added standard as a dev dependency.
  • run.js, src/*.js: Linted all the JavaScript files.

Security Hotspots

  1. action.yml: The extraction of GitHub API calls into separate modules slightly increases the attack surface, as untrusted data passed to those modules needs to be validated. However, the risk is relatively low.
  2. assets/semgrep_rules/**/*.yaml: Changes to Semgrep rules can potentially weaken the static analysis security checks if not reviewed carefully. However, the changes here look like just formatting cleanup.
  3. .github/workflows/lint.yml: The new linting workflow has access to GitHub Actions secrets. Need to ensure it doesn't leak them in logs or artifacts.

Overall, while this PR touches many security-sensitive files, the changes look like code cleanup and hardening with low risk. Still, it deserves a careful review given the breadth of changes. Let me know if you would like me to elaborate on any part of the review!

@thypon thypon force-pushed the features/lint branch 3 times, most recently from 6df2c9b to e9d21d3 Compare May 7, 2024 18:17
@thypon thypon merged commit d5c688b into main May 7, 2024
8 checks passed
@thypon thypon deleted the features/lint branch May 7, 2024 18:50