src,permission: add --permission-audit #79881
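# Lint and format checks for pull requests and for pushes to main and the
# release branches. The trigger is `pull_request` (not `pull_request_target`),
# so the jobs run against the PR's merge commit.
name: Linters

on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
  push:
    branches:
      - main
      - v[0-9]+.x-staging
      - v[0-9]+.x

# One active run per workflow and PR head ref (per run id when there is no
# head ref, i.e. on push); a newer run in the same group cancels the old one.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

env:
  PYTHON_VERSION: '3.14'
  NODE_VERSION: lts/*

# Least privilege: the workflow token gets read access to repository contents
# and nothing else. Every job below executes code from the checked-out ref
# (make targets, tools/*.mjs), so this should stay read-only.
permissions:
  contents: read

# Conventions shared by the jobs:
# - `if: github.event.pull_request.draft == false` skips draft PRs. On push
#   events there is no pull_request object; the expression still evaluates to
#   true there because null and false are coerced to the same value.
# - Actions are pinned to a full commit SHA, with the release tag in a
#   trailing comment, so a moved tag cannot change what runs.
# - `persist-credentials: false` keeps the checkout token out of the local git
#   config, where later steps running repository code could read it.
# - NOTE(review): `npx envinfo` is not pinned; it presumably resolves the
#   package from the npm registry at run time. Exposure is bounded by the
#   read-only token and the absence of persisted credentials.
jobs:
  lint-addon-docs:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          persist-credentials: false
      - name: Use Node.js ${{ env.NODE_VERSION }}
        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903  # v6.0.0
        with:
          node-version: ${{ env.NODE_VERSION }}
      - name: Environment Information
        run: npx envinfo
      - name: Lint addon docs
        run: NODE=$(command -v node) make lint-addon-docs

  lint-cpp:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          persist-credentials: false
      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c  # v6.0.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          allow-prereleases: true
      - name: Environment Information
        run: npx envinfo
      - name: Lint C/C++ files
        run: make lint-cpp

  # Only for non-draft PRs that target the default branch.
  format-cpp:
    if: ${{ github.event.pull_request && github.event.pull_request.draft == false && github.base_ref == github.event.repository.default_branch }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          # Full history is needed for `git merge-base` below.
          fetch-depth: 0
          persist-credentials: false
      - name: Use Node.js ${{ env.NODE_VERSION }}
        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903  # v6.0.0
        with:
          node-version: ${{ env.NODE_VERSION }}
      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c  # v6.0.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          allow-prereleases: true
      - name: Environment Information
        run: npx envinfo
      - name: Format C/C++ files
        run: |
          make format-cpp-build
          # The `make format-cpp` error code is intentionally ignored here
          # because it is irrelevant. We already check if the formatter produced
          # a diff in the next line.
          # Refs: https://github.com/nodejs/node/pull/42764
          CLANG_FORMAT_START="$(git merge-base HEAD "refs/remotes/origin/$GITHUB_BASE_REF")" \
            make format-cpp || true
          git --no-pager diff --exit-code && EXIT_CODE="$?" || EXIT_CODE="$?"
          if [ "$EXIT_CODE" != "0" ]
          then
            echo
            echo 'ERROR: Please run:'
            echo
            echo " CLANG_FORMAT_START="$\(git merge-base HEAD ${GITHUB_BASE_REF}\)" make format-cpp"
            echo
            echo 'to format the commits in your branch.'
            exit "$EXIT_CODE"
          fi

  lint-js-and-md:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          persist-credentials: false
      - name: Use Node.js ${{ env.NODE_VERSION }}
        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903  # v6.0.0
        with:
          node-version: ${{ env.NODE_VERSION }}
      - name: Environment Information
        run: npx envinfo
      - name: Lint JavaScript files
        run: |
          # Errors are handled by hand below so a hint can be printed before
          # the step exits with the linter's own status.
          set +e
          NODE=$(command -v node) make lint-js
          EXIT_CODE="$?"
          if [ "$EXIT_CODE" != "0" ]; then
            echo
            echo 'ERROR: The JavaScript lint validation failed (the errors are logged above).'
            echo ' Please fix the lint errors.'
            if NODE=$(command -v node) make lint-js-fix > /dev/null 2>&1; then
              echo ' Run:'
              echo ' make lint-js-fix'
              echo ' to fix the lint issues.'
              git --no-pager diff
            elif git diff --quiet --exit-code; then
              echo ' None of the issue is auto-fixable, so manual fixes for'
              echo ' all of the issues are required.'
            else
              echo ' Run:'
              echo ' make lint-js-fix'
              echo ' to fix the auto-fixable lint issues.'
              echo ' Note that some manual fixes are also required.'
            fi
            echo
            exit "$EXIT_CODE"
          fi
      # Only for PRs that target the default branch; on other events the step
      # is skipped and the output consumed below is empty.
      - name: Get release version numbers
        if: ${{ github.event.pull_request && github.event.pull_request.base.ref == github.event.pull_request.base.repo.default_branch }}
        id: get-released-versions
        run: ./tools/lint-md/list-released-versions-from-changelogs.mjs >> "$GITHUB_OUTPUT"
      - name: Lint markdown files
        run: |
          echo "::add-matcher::.github/workflows/remark-lint-problem-matcher.json"
          NODE=$(command -v node) make lint-md
        # The step output reaches the script as an environment variable and is
        # not expanded into the script text.
        env:
          NODE_RELEASED_VERSIONS: ${{ steps.get-released-versions.outputs.NODE_RELEASED_VERSIONS }}

  lint-nix:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          persist-credentials: false
          # Only the *.nix files are checked out for this job.
          sparse-checkout: '*.nix'
          sparse-checkout-cone-mode: false
      - uses: cachix/install-nix-action@456688f15bc354bef6d396e4a35f4f89d40bf2b7  # v31.8.2
      # NOTE(review): any non-zero exit from nix-shell falls through to
      # `git diff --exit-code`. If the failure left the tree unchanged (for
      # example the formatter could not be obtained), the diff is empty and
      # the step passes without having linted anything.
      - name: Lint Nix files
        run: |
          nix-shell -I nixpkgs=./tools/nix/pkgs.nix -p 'nixfmt-tree' --run '
            treefmt --quiet --fail-on-change
          ' || git --no-pager diff --exit-code

  lint-py:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          persist-credentials: false
      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c  # v6.0.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          allow-prereleases: true
      - name: Environment Information
        run: npx envinfo
      - name: Lint Python
        run: |
          make lint-py-build
          make lint-py

  lint-yaml:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          persist-credentials: false
      - name: Use Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c  # v6.0.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          allow-prereleases: true
      - name: Environment Information
        run: npx envinfo
      - name: Lint YAML
        run: |
          # A failing build step is tolerated; `make lint-yaml` decides the
          # result of the job.
          make lint-yaml-build || true
          make lint-yaml

  lint-sh:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          persist-credentials: false
      - run: shellcheck -V
      - name: Lint Shell scripts
        run: tools/lint-sh.mjs .

  lint-codeowners:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          persist-credentials: false
      # Pinned by commit SHA, but unlike the other actions no release tag is
      # recorded next to it. TODO: add the tag as a trailing comment so the
      # pin can be reviewed against a published release.
      - uses: mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f
        with:
          checks: files,duppatterns

  lint-pr-url:
    if: ${{ github.event.pull_request }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          fetch-depth: 2
          persist-credentials: false
      # GH Actions squashes all PR commits, HEAD^ refers to the base branch.
      # The PR URL is handed to the script through the environment and quoted:
      # workflow expressions are substituted before the shell parses the line,
      # so event data written directly into `run` would be read as shell
      # syntax rather than as a single argument.
      - run: git diff HEAD^ HEAD -G"pr-url:" -- "*.md" | ./tools/lint-pr-url.mjs "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}

  # No draft filter: this job also runs for draft PRs.
  lint-readme:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          persist-credentials: false
      # The GH_USER_TOKEN secret is set only in this step's environment, and
      # this step runs only the inline `gh api` calls; the next step, which
      # runs a script from the checkout, does not receive it. When the secret
      # is empty (presumably PRs from forks, which get no secrets) the lookup
      # is skipped and no outputs are written.
      # NOTE(review): on push events `github.event.ref` is presumably the full
      # ref (refs/heads/<branch>), while default_branch is the bare branch
      # name, so the second half of this condition may never match. Confirm
      # before relying on this step for pushes.
      - name: Get team members if possible
        if: ${{ (github.event.pull_request && github.event.pull_request.base.ref == github.event.pull_request.base.repo.default_branch) || github.event.ref == github.event.repository.default_branch }}
        id: team_members
        run: |
          get_list_members() {
            TEAM="$1"
            QUOTE='"'
            gh api "/orgs/nodejs/teams/$TEAM/members" -X GET -f per_page=100 --jq "map(.login) | ${QUOTE}${TEAM}=\(tojson)${QUOTE}"
          }
          [ -z "$GITHUB_TOKEN" ] || (
            get_list_members "collaborators"
            get_list_members "issue-triage"
            get_list_members "tsc"
          ) >> "$GITHUB_OUTPUT"
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
      # The collected outputs are passed as one JSON string via the
      # environment and quoted on the command line.
      - run: tools/lint-readme-lists.mjs "$TEAMS"
        env:
          TEAMS: ${{ tojson(steps.team_members.outputs) }}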