From b58ed5ec74e2c63000ca7843cdaf8222e041f9ac Mon Sep 17 00:00:00 2001
From: Michele Baldessari
Date: Wed, 11 Mar 2026 08:26:41 +0100
Subject: [PATCH] Upgrade super-linter to v8.5.0
- Pin super-linter to v8.5.0 (SHA 61abc07d)
- Pin actions/checkout and azure/setup-helm to SHAs
- Add persist-credentials: false to checkout steps
- Add dependabot cooldown configuration and grouping
- Disable new linters: BIOME_FORMAT, BIOME_LINT, NATURAL_LANGUAGE, SPELL_CODESPELL
- Add zizmor ignore comments for reusable workflow refs
---
 .github/dependabot.yml | 6 ++++++
 .github/workflows/helm-lint.yml | 6 ++++--
 .github/workflows/helm-unittest.yml | 4 +++-
 .github/workflows/superlinter.yml | 9 +++++++--
 .github/workflows/update-helm-repo.yml | 8 ++++----
 5 files changed, 24 insertions(+), 9 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ce740cc..c8ebeb2 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,3 +6,9 @@ updates:
 directory: "/"
 schedule:
 interval: "weekly"
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/helm-lint.yml b/.github/workflows/helm-lint.yml
index cfe39a1..3c59043 100644
--- a/.github/workflows/helm-lint.yml
+++ b/.github/workflows/helm-lint.yml
@@ -17,10 +17,12 @@ jobs:
 steps:
 - name: Checkout Code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Setup helm
- uses: azure/setup-helm@v4
+ uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
 with:
 version: 'v3.14.0'
diff --git a/.github/workflows/helm-unittest.yml b/.github/workflows/helm-unittest.yml
index 1a975ae..aa2d1e8 100644
--- a/.github/workflows/helm-unittest.yml
+++ b/.github/workflows/helm-unittest.yml
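Review bot: The new `cooldown` block in .github/dependabot.yml carries no comment saying why updates are held back, so a later maintainer may drop it as a nuisance. Presumably the 7-day delay exists so that a bad or hijacked release has time to be noticed upstream before a PR proposes it; a line such as `# hold new releases for 7 days before proposing them (supply-chain cooldown)` above `cooldown:` would record that. With `patterns: - "*"` every action bump also arrives in one grouped PR, so each changed SHA in it still has to be checked against its upstream tag. The `updates` entry begins outside the hunk.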
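Review bot: The pin comments `# v6` and `# v4` in helm-lint.yml name a moving major tag, so a reader cannot tell which release the SHA belongs to or check it against upstream, while the super-linter pin in this same commit uses the exact `# v8.5.0`. I would write the full release in each comment, e.g. `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v<MAJOR.MINOR.PATCH>` (placeholder for the release that SHA was tagged as). The same applies to the checkout pins in helm-unittest.yml and superlinter.yml. The steps list continues outside the hunk.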
@@ -18,7 +18,9 @@ jobs:
 steps:
 - name: Checkout Code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Run make helmlint
 run: |
diff --git a/.github/workflows/superlinter.yml b/.github/workflows/superlinter.yml
index f2cabc7..09876c6 100644
--- a/.github/workflows/superlinter.yml
+++ b/.github/workflows/superlinter.yml
@@ -13,24 +13,29 @@ jobs:
 steps:
 - name: Checkout Code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 # Full git history is needed to get a proper list of changed files within `super-linter`
 fetch-depth: 0
+ persist-credentials: false
 ################################
 # Run Linter against code base #
 ################################
 - name: Lint Code Base
- uses: super-linter/super-linter/slim@v7
+ uses: super-linter/super-linter/slim@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
 env:
 VALIDATE_ALL_CODEBASE: true
 DEFAULT_BRANCH: main
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 # These are the validation we disable atm
+ VALIDATE_BIOME_FORMAT: false
+ VALIDATE_BIOME_LINT: false
 VALIDATE_JSON_PRETTIER: false
 VALIDATE_KUBERNETES_KUBECONFORM: false
 VALIDATE_MARKDOWN: false
 VALIDATE_MARKDOWN_PRETTIER: false
+ VALIDATE_NATURAL_LANGUAGE: false
+ VALIDATE_SPELL_CODESPELL: false
 VALIDATE_YAML: false
 VALIDATE_YAML_PRETTIER: false
diff --git a/.github/workflows/update-helm-repo.yml b/.github/workflows/update-helm-repo.yml
index e684b77..2fb0832 100644
--- a/.github/workflows/update-helm-repo.yml
+++ b/.github/workflows/update-helm-repo.yml
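Review bot: `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is still handed to the third-party linter step in superlinter.yml, and nothing in this hunk limits what that token can do. The hunk starts at line 13 of the file, so a `permissions:` block may already exist above it; if it does not, add one at job level restricted to what the linter needs, typically `contents: read` plus `statuses: write` for status reporting. Together with the SHA pin and `persist-credentials: false` added here, that keeps the token's reach small even if a pinned release later turns out to be bad.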
@@ -19,12 +19,12 @@ on:
 jobs:
 helmlint:
- uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@workflow-stable
+ uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@workflow-stable # zizmor: ignore[unpinned-uses]
 permissions:
 contents: read
 update-helm-repo:
 needs: [helmlint]
- uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@workflow-stable
- permissions: read-all
- secrets: inherit
+ uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@workflow-stable # zizmor: ignore[unpinned-uses]
+ permissions: read-all # zizmor: ignore[excessive-permissions]
+ secrets: inherit # zizmor: ignore[secrets-inherit]
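Review bot: The three `zizmor: ignore[...]` comments silence the findings without fixing or justifying them: both reusable workflows are still referenced by the mutable ref `workflow-stable`, and the `update-helm-repo` job still gets `permissions: read-all` and `secrets: inherit`. Whatever that branch points to in validatedpatterns/helm-charts therefore runs with every secret this repository can pass on. If that trust is intended (the two repositories presumably share owners), record it in a comment line above each `uses:`, e.g. `# first-party reusable workflow, tracked on workflow-stable on purpose`. Otherwise pass only the secrets the called workflow needs, `secrets:` with `<SECRET_NAME>: ${{ secrets.<SECRET_NAME> }}` (placeholder name), and give the job an explicit `permissions:` map as the `helmlint` job above already has.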