[🤖] Update Latest Dependency #14765
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Static Analysis | |
| on: # yamllint disable-line rule:truthy | |
| push: | |
| branches: | |
| - master | |
| pull_request: | |
| branches: | |
| - master | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| # Default permissions for all jobs | |
| permissions: {} | |
| jobs: | |
| build: | |
| name: build | |
| runs-on: ubuntu-24.04 | |
| container: ghcr.io/datadog/images-rb/engines/ruby:3.3-gnu-gcc | |
| outputs: | |
| lockfile: ${{ steps.bundle-cache.outputs.lockfile }} | |
| cache-key: ${{ steps.bundle-cache.outputs.cache-key }} | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Prepare bundle cache | |
| id: bundle-cache | |
| uses: ./.github/actions/bundle-cache | |
| rubocop: | |
| name: rubocop/lint | |
| runs-on: ubuntu-24.04 | |
| needs: ['build'] | |
| container: ghcr.io/datadog/images-rb/engines/ruby:3.3-gnu-gcc | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Restore bundle cache | |
| uses: ./.github/actions/bundle-restore | |
| with: | |
| lockfile: ${{ needs.build.outputs.lockfile }} | |
| cache-key: ${{ needs.build.outputs.cache-key }} | |
| - run: bundle exec rake rubocop | |
| standard: | |
| name: standard/lint | |
| runs-on: ubuntu-24.04 | |
| needs: ['build'] | |
| container: ghcr.io/datadog/images-rb/engines/ruby:3.3-gnu-gcc | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Restore bundle cache | |
| uses: ./.github/actions/bundle-restore | |
| with: | |
| lockfile: ${{ needs.build.outputs.lockfile }} | |
| cache-key: ${{ needs.build.outputs.cache-key }} | |
| - run: bundle exec rake standard | |
| frozen_string_literal: | |
| name: lint/frozen_string_literal | |
| runs-on: ubuntu-24.04 | |
| needs: ['build'] | |
| container: ghcr.io/datadog/images-rb/engines/ruby:3.3-gnu-gcc | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Restore bundle cache | |
| uses: ./.github/actions/bundle-restore | |
| with: | |
| lockfile: ${{ needs.build.outputs.lockfile }} | |
| cache-key: ${{ needs.build.outputs.cache-key }} | |
| - run: bundle exec rake lint:frozen_string_literal | |
| steep: | |
| name: steep/typecheck | |
| runs-on: ubuntu-24.04 | |
| needs: ['build'] | |
| container: ghcr.io/datadog/images-rb/engines/ruby:3.3-gnu-gcc | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Restore bundle cache | |
| uses: ./.github/actions/bundle-restore | |
| with: | |
| lockfile: ${{ needs.build.outputs.lockfile }} | |
| cache-key: ${{ needs.build.outputs.cache-key }} | |
| - name: Check for stale signature files | |
| run: bundle exec rake rbs:stale | |
| - name: Check for missing signature files | |
| run: bundle exec rake rbs:missing | |
| - name: Check types | |
| run: bundle exec rake steep:check | |
| - name: Record stats | |
| run: bundle exec rake steep:stats[md] >> "$GITHUB_STEP_SUMMARY" | |
| semgrep: | |
| name: semgrep/ci | |
| runs-on: ubuntu-24.04 | |
| container: semgrep/semgrep # PENDING: Possible to be rate limited. | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - run: | | |
| semgrep ci \ | |
| --include=bin/* \ | |
| --include=ext/* \ | |
| --include=lib/* \ | |
| --exclude-rule=ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible | |
| env: | |
| SEMGREP_RULES: p/default | |
| # https://woodruffw.github.io/zizmor/ | |
| zizmor: | |
| name: zizmor | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Run zizmor 🌈 | |
| uses: docker://ghcr.io/woodruffw/zizmor:1.4.1 | |
| with: | |
| args: --min-severity low . | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| actionlint: | |
| name: actionlint | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Run actionlint | |
| uses: docker://rhysd/actionlint:1.7.7 | |
| with: | |
| args: -color | |
| yaml-lint: | |
| name: yaml-lint | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - run: pip install yamllint | |
| - name: Run yamllint | |
| run: yamllint --strict . | |
| complete: | |
| name: Static Analysis (complete) | |
| needs: | |
| - 'steep' | |
| - 'rubocop' | |
| - 'standard' | |
| - 'semgrep' | |
| - 'zizmor' | |
| - 'actionlint' | |
| - 'yaml-lint' | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - run: echo "Done" |