codespell.yml
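---
# Spell-check workflow: runs codespell on pushes to main and on pull requests
# that target main.
name: Codespell

# Limit permissions per OpenSSF Scorecard best practices.
# Since we set "permissions", anything unset has access "none".
permissions:
  contents: read

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  codespell:
    name: Check for spelling errors
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # Pin to commit SHA to prevent supply chain attacks via tag mutation.
        # Verify: curl -s https://api.github.com/repos/actions/checkout/git/ref/tags/v5.0.0
        # If the API reports object.type "tag" (an annotated tag), the SHA it
        # returns is the tag object; dereference it to the commit before
        # comparing it with the pin below.
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          # No later step in this job pushes or fetches, so do not leave the
          # job token in the checked-out repository's git config.
          persist-credentials: false

      # OSPS-BR-01.02: Validate branch name before use in pipeline
      # This protects against potential future use of branch names in commands
      # GITHUB_REF_NAME is the short ref name (e.g., "main" not "refs/heads/main")
      # The value reaches the script as a quoted environment variable rather
      # than through expression interpolation into the command line, so the
      # shell does not parse it as code.
      # NOTE(review): on pull_request events GITHUB_REF_NAME is
      # "<pr_number>/merge", so the contributor's branch name (GITHUB_HEAD_REF)
      # is not what gets validated here; confirm that is intended.
      # NOTE(review): the script is run from the checkout above, so on
      # pull_request events a PR can change the validator it is checked by.
      - name: Validate branch name
        run: script/validate_branch_name "$GITHUB_REF_NAME"

      - name: Codespell
        # Pin to commit SHA to prevent supply chain attacks via tag mutation.
        # Verify: curl -s https://api.github.com/repos/codespell-project/actions-codespell/git/ref/tags/v2
        # "v2" is a major-version tag that upstream may move, so a later lookup
        # can legitimately return a different SHA; review the diff before
        # updating the pin.
        uses: codespell-project/actions-codespell@406322ec52dd7b488e48c1c4b82e2a8b3a1bf630  # v2
        with:
          ignore_words_file: .codespellignore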