dflook
diff --git a/‎.config/.markdownlint.yaml
Lines changed: 8 additions & 0 deletions b/‎.config/.markdownlint.yaml
Lines changed: 8 additions & 0 deletions
diff --git a/‎.config/changelog.markdownlint.yaml
Lines changed: 11 additions & 0 deletions b/‎.config/changelog.markdownlint.yaml
Lines changed: 11 additions & 0 deletions
diff --git a/‎.github/actionlint.yaml
Lines changed: 43 additions & 0 deletions b/‎.github/actionlint.yaml
Lines changed: 43 additions & 0 deletions
diff --git a/‎.github/workflows/base-image.yaml
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/base-image.yaml
Lines changed: 4 additions & 4 deletions
diff --git a/‎.github/workflows/pull_request_review.yaml
Lines changed: 3 additions & 0 deletions b/‎.github/workflows/pull_request_review.yaml
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/workflows/release.yaml
Lines changed: 9 additions & 7 deletions b/‎.github/workflows/release.yaml
Lines changed: 9 additions & 7 deletions
diff --git a/‎.github/workflows/repository_dispatch.yaml
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/repository_dispatch.yaml
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/workflows/retain-images.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/retain-images.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/test-cloud.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/test-cloud.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/test-plan.yaml
Lines changed: 6 additions & 6 deletions b/‎.github/workflows/test-plan.yaml
Lines changed: 6 additions & 6 deletions
@@ -0,0 +1,8 @@
+line-length:
+  line_length: 200
+  tables: false
+no-inline-html:
+  allowed_elements: ['p', 'img']
+ul-style:
+  style: sublist
+
@@ -0,0 +1,11 @@
+line-length:
+  line_length: 300
+no-inline-html:
+  allowed_elements: ['p', 'img']
+ul-style:
+  style: sublist
+no-duplicate-heading:
+  siblings_only: true
+blanks-around-headings:
+  lines_below: 0
+blanks-around-lists: false
@@ -0,0 +1,43 @@
+self-hosted-runner:
+  # Labels of self-hosted runner in array of strings.
+  labels: []
+
+# Configuration variables in array of strings defined in your repository or
+# organization. `null` means disabling configuration variables check.
+# Empty array means no configuration variable is allowed.
+config-variables: []
+
+# Configuration for file paths. The keys are glob patterns to match to file
+# paths relative to the repository root. The values are the configurations for
+# the file paths. Note that the path separator is always '/'.
+# The following configurations are available.
+#
+# "ignore" is an array of regular expression patterns. Matched error messages
+# are ignored. This is similar to the "-ignore" command line option.
+paths:
+  .github/workflows/*.yaml:
+    ignore:
+      - 'file "/entrypoints/.*\.sh" does not exist'
+      - 'property "output_string" is not defined in object type'
+      - 'property "my.*" is not defined in object type'
+      - 'property "from_.*" is not defined in object type'
+      - 'property "complex_output" is not defined in object type'
+      - 'property "v" is not defined in object type'
+      - 'property "test" is not defined in object type'
+      - 'property "default" is not defined in object type'
+      - 'property "len" is not defined in object type'
+      - 'property "https" is not defined in object type'
+      - 'property "git_https" is not defined in object type'
+      - 'property "awkward_.*" is not defined in object type'
+      - 'property "word" is not defined in object type'
+  .github/workflows/test-target-replace.yaml:
+    ignore:
+      - 'property "count" is not defined in object type'
+      - 'property "foreach" is not defined in object type'
+  .github/workflows/release.yaml:
+    ignore:
+      - 'Useless cat.'
+  .github/workflows/test-version.yaml:
+    ignore:
+      - 'property "random" is not defined in object type'
+      - 'property "acme" is not defined in object type'
@@ -33,19 +33,19 @@ jobs:
         env:
           DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
         run: |
-          echo $DOCKER_TOKEN | docker login --username danielflook --password-stdin
+          echo "$DOCKER_TOKEN" | docker login --username danielflook --password-stdin
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
 
       - name: Base image
         id: build-and-push
         run: |
           docker buildx build \
-            --tag danielflook/terraform-github-actions-base:$GITHUB_RUN_ID \
+            --tag "danielflook/terraform-github-actions-base:$GITHUB_RUN_ID" \
             --tag danielflook/terraform-github-actions-base:latest  \
             --platform linux/amd64,linux/arm64 \
-            --attest type=provenance,mode=max,builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID \
+            --attest "type=provenance,mode=max,builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" \
             --annotation "index,manifest:org.opencontainers.image.created=$(date '+%Y-%m-%dT%H:%M:%S%z')" \
             --annotation "index,manifest:org.opencontainers.image.source=https://github.com/${{ github.repository }}" \
             --annotation "index,manifest:org.opencontainers.image.revision=${{ github.sha }}" \
 
@@ -3,6 +3,9 @@ name: Test pull_request_review event
 on:
   - pull_request_review
 
+permissions:
+  contents: read
+
 jobs:
   apply:
     runs-on: ubuntu-24.04
 
@@ -38,11 +38,11 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
         run: |
-          echo $GITHUB_TOKEN | docker login ghcr.io --username dflook --password-stdin
-          echo $DOCKER_TOKEN | docker login --username danielflook --password-stdin
+          echo "$GITHUB_TOKEN" | docker login ghcr.io --username dflook --password-stdin
+          echo "$DOCKER_TOKEN" | docker login --username danielflook --password-stdin
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
 
       - name: Build action image
         id: image_build
@@ -51,7 +51,7 @@ jobs:
           GH_TOKEN: ${{ github.token }}
         run: |
           BASE_TAG=$(docker buildx imagetools inspect danielflook/terraform-github-actions-base:latest --format '{{json .}}' | jq -r '.manifest.annotations."ref.tag"')
-          BASE_DIGEST=$(docker buildx imagetools inspect danielflook/terraform-github-actions-base:$BASE_TAG --format '{{json .}}' | jq -r '.manifest.digest')
+          BASE_DIGEST=$(docker buildx imagetools inspect "danielflook/terraform-github-actions-base:$BASE_TAG" --format '{{json .}}' | jq -r '.manifest.digest')
           
           gh attestation verify --repo dflook/terraform-github-actions "oci://index.docker.io/danielflook/terraform-github-actions-base@$BASE_DIGEST"
           
@@ -63,7 +63,7 @@ jobs:
             --tag "danielflook/terraform-github-actions:$RELEASE_TAG" \
             --tag "ghcr.io/dflook/terraform-github-actions:$RELEASE_TAG" \
             --platform linux/amd64,linux/arm64 \
-            --attest type=provenance,mode=max,builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID \
+            --attest "type=provenance,mode=max,builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" \
             --annotation "index,manifest:org.opencontainers.image.created=$(date '+%Y-%m-%dT%H:%M:%S%z')" \
             --annotation "index,manifest:org.opencontainers.image.source=https://github.com/${{ github.repository }}" \
             --annotation "index,manifest:org.opencontainers.image.revision=${{ github.sha }}" \
@@ -125,8 +125,10 @@ jobs:
           RELEASE_TAG: "${{ github.event.release.tag_name }}"
           IMAGE_DIGEST: ${{ needs.image.outputs.digest }}
         run: |
-          export major=$(echo "$RELEASE_TAG" | cut -d. -f1)
-          export minor=$(echo "$RELEASE_TAG" | cut -d. -f2)
+          major=$(echo "$RELEASE_TAG" | cut -d. -f1)
+          minor=$(echo "$RELEASE_TAG" | cut -d. -f2)
+          export major
+          export minor
 
           function prepare_release() {
               rsync -r "$GITHUB_WORKSPACE/$action/" "$HOME/$action"
 
@@ -1,6 +1,7 @@
 name: Repository Dispatch
 
-on: [repository_dispatch]
+on:
+  repository_dispatch:
 
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -24,6 +24,6 @@ jobs:
       - name: docker pull
         run: |
           for tag in $(git tag); do
-            docker pull --quiet danielflook/terraform-github-actions:$tag
+            docker pull --quiet "danielflook/terraform-github-actions:$tag"
             docker system prune --all --force
           done
@@ -616,7 +616,7 @@ jobs:
             exit 1
           fi
 
-          if ! grep -q "Terraform will perform the following actions" $SAVED_PLAN_TEXT_PLAN_PATH; then
+          if ! grep -q "Terraform will perform the following actions" "$SAVED_PLAN_TEXT_PLAN_PATH"; then
             echo "::error:: text_plan_path not set correctly"
             exit 1
           fi
 
@@ -33,7 +33,7 @@ jobs:
           JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }}
           TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }}
           PLAN_PATH: ${{ steps.plan.outputs.plan_path }}
-          RUN_ID: ${{ steps.apply.outputs.run_id }}
+          RUN_ID: ${{ steps.plan.outputs.run_id }}
         run: |
           echo "changes=$CHANGES"
 
@@ -94,7 +94,7 @@ jobs:
         env:
           JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }}
           TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }}
-          RUN_ID: ${{ steps.apply.outputs.run_id }}
+          RUN_ID: ${{ steps.plan.outputs.run_id }}
         run: |
           cat "$JSON_PLAN_PATH"
           if [[ $(jq -r .format_version "$JSON_PLAN_PATH") != "1.2" ]]; then
@@ -656,7 +656,7 @@ jobs:
         env:
           JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }}
           TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }}
-          RUN_ID: ${{ steps.apply.outputs.run_id }}
+          RUN_ID: ${{ steps.plan.outputs.run_id }}
         run: |
           cat "$JSON_PLAN_PATH"
           if [[ $(jq -r .output_changes.s.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then
@@ -699,7 +699,7 @@ jobs:
         env:
           OUTCOME: ${{ steps.plan.outcome }}
           TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }}
-          RUN_ID: ${{ steps.apply.outputs.run_id }}
+          RUN_ID: ${{ steps.plan.outputs.run_id }}
         run: |
           if [[ "$OUTCOME" != "failure" ]]; then
             echo "Plan did not fail correctly"
@@ -754,7 +754,7 @@ jobs:
           OUTCOME: ${{ steps.plan.outcome }}
           JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }}
           TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }}
-          RUN_ID: ${{ steps.apply.outputs.run_id }}
+          RUN_ID: ${{ steps.plan.outputs.run_id }}
         run: |
           if [[ "$OUTCOME" != "failure" ]]; then
             echo "Plan did not fail correctly"
@@ -800,7 +800,7 @@ jobs:
           OUTCOME: ${{ steps.plan.outcome }}
           JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }}
           TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }}
-          RUN_ID: ${{ steps.apply.outputs.run_id }}
+          RUN_ID: ${{ steps.plan.outputs.run_id }}
         run: |
           if [[ "$OUTCOME" != "failure" ]]; then
             echo "Plan did not fail correctly"