fix: linting

jmeridth · jmeridth · commit 378e6a0e23b6 · 2025-09-11T13:54:28.000-05:00
- ensure credentials are not persisted past checkout of code
- add zizmor.yml file to linters to allow pull_request_target in actions for auto-labeler to work on fork pull requests
- add trivy.yml file to linters to ignore mypy_cache directory
- add HEALTHCHECK and non-root user to Dockerfile

Signed-off-by: jmeridth &lt;jmeridth@gmail.com&gt;
diff --git a/.github/linters/trivy.yaml b/.github/linters/trivy.yaml
@@ -0,0 +1,3 @@
+scan:
+  skip-dirs:
+    - .mypy_cache
diff --git a/.github/linters/zizmor.yaml b/.github/linters/zizmor.yaml
@@ -0,0 +1,6 @@
+rules:
+  dangerous-triggers: # to allow pull_request_target for auto-labelling fork pull requests
+    ignore:
+      - auto-labeler.yml
+      - pr-title.yml
+      - release.yml
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
@@ -27,9 +27,11 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@v5.6.0
+        uses: actions/setup-python@v6.0.0
         with:
           python-version: 3.12
 
diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml
@@ -15,5 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5.0.0
+        with:
+          persist-credentials: false
       - name: Build the Docker image
         run: docker build . --file Dockerfile --platform linux/amd64
diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml
@@ -22,7 +22,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5.6.0
+        uses: actions/setup-python@v6.0.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies
diff --git a/.github/workflows/super-linter.yaml b/.github/workflows/super-linter.yaml
@@ -22,8 +22,9 @@ jobs:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Setup Python
-        uses: actions/setup-python@v5.6.0
+        uses: actions/setup-python@v6.0.0
         with:
           python-version: "3.12"
       - name: Install dependencies
diff --git a/Dockerfile b/Dockerfile
@@ -9,7 +9,17 @@ COPY requirements.txt *.py /action/workspace/
 RUN python3 -m pip install --no-cache-dir -r requirements.txt \
     && apt-get -y update \
     && apt-get -y install --no-install-recommends git=1:2.39.5-0+deb12u2 \
-    && rm -rf /var/lib/apt/lists/*
+    && rm -rf /var/lib/apt/lists/* \
+    && addgroup --system appuser \
+    && adduser --system --ingroup appuser --home /action/workspace --disabled-login appuser \
+    && chown -R appuser:appuser /action/workspace
+
+# Run the action as a non-root user
+USER appuser
+
+# Add a simple healthcheck to satisfy container scanners
+HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
+  CMD python3 -c "import os,sys; sys.exit(0 if os.path.exists('/action/workspace/evergreen.py') else 1)"
 
 CMD ["/action/workspace/evergreen.py"]
 ENTRYPOINT ["python3", "-u"]

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+scan:`
	`2`	`+ skip-dirs:`
	`3`	`+ - .mypy_cache`