Merge pull request #907 from cybozu-go/lint-ci

Add linters for GHA

Author: yamatcha

.github/actions/dbtest/action.yaml

@@ -17,7 +17,11 @@ runs:
       uses: ./.github/actions/setup-aqua
     - run: make setup
       shell: bash
-    - run: make test-bkop MYSQL_VERSION=${{ inputs.mysql-version }}
+    - env:
+        MYSQL_VERSION: ${{ inputs.mysql-version }}
+      run: make test-bkop MYSQL_VERSION="$MYSQL_VERSION"
       shell: bash
-    - run: make test-dbop MYSQL_VERSION=${{ inputs.mysql-version }}
+    - env:
+        MYSQL_VERSION: ${{ inputs.mysql-version }}
+      run: make test-dbop MYSQL_VERSION="$MYSQL_VERSION"
       shell: bash

.github/actions/e2e/action.yaml

@@ -28,10 +28,15 @@ runs:
     - run: sudo mkdir /mnt/local-path-provisioner0 /mnt/local-path-provisioner1 /mnt/local-path-provisioner2
       shell: bash
     - name: Setup test cluster
-      run: make start KUBERNETES_VERSION=${{ inputs.k8s-version }} MYSQL_VERSION=${{ inputs.mysql-version }} KIND_CONFIG=kind-config_actions.yaml
       working-directory: e2e
+      env:
+        KUBERNETES_VERSION: ${{ inputs.k8s-version }}
+        MYSQL_VERSION: ${{ inputs.mysql-version }}
+      run: make start KUBERNETES_VERSION="$KUBERNETES_VERSION" MYSQL_VERSION="$MYSQL_VERSION" KIND_CONFIG=kind-config_actions.yaml
       shell: bash
-    - run: make test MYSQL_VERSION=${{ inputs.mysql-version }}
+    - env:
+        MYSQL_VERSION: ${{ inputs.mysql-version }}
+      run: make test MYSQL_VERSION="$MYSQL_VERSION"
       working-directory: e2e
       shell: bash
     - run: make logs

.github/workflows/build-fluent-bit-container.yaml

@@ -14,9 +14,14 @@ on:
       - ".github/workflows/build-fluent-bit-container.yaml"
       - "!**.md"
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ${{ vars.IMAGE_BUILD_RUNNER || 'ubuntu-24.04' }}
+    permissions:
+      contents: read
+      packages: write
     steps:
       - uses: actions/checkout@v6
       - uses: docker/setup-qemu-action@v3

.github/workflows/build-mysql-container.yaml

@@ -14,9 +14,13 @@ on:
       - ".github/workflows/build-mysql-container.yaml"
       - "!**.md"
 
+permissions: {}
+
 jobs:
   filter:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     outputs:
       mysql-versions: ${{ steps.filter.outputs.mysql-versions }}
     steps:
@@ -42,6 +46,8 @@ jobs:
     if: ${{ (github.event_name == 'pull_request') && (needs.filter.outputs.mysql-versions != '[]') }}
     needs: filter
     runs-on: ${{ vars.IMAGE_BUILD_RUNNER || 'ubuntu-22.04' }}
+    permissions:
+      contents: read
     strategy:
       matrix:
         mysql-version: ${{ fromJson(needs.filter.outputs.mysql-versions) }}
@@ -59,8 +65,10 @@ jobs:
       - name: Export TAG file
         id: tag
         working-directory: containers
+        env:
+          MYSQL_VERSION: ${{ matrix.mysql-version }}
         run: |
-          TAG=$(cat ./mysql/${{ matrix.mysql-version }}/TAG)
+          TAG=$(cat "./mysql/$MYSQL_VERSION/TAG")
           echo "tag: $TAG"
           echo "tag=$TAG" >> "$GITHUB_OUTPUT"
 
@@ -80,8 +88,10 @@ jobs:
             && chmod +x container-structure-test-linux-amd64 \
             && sudo mv container-structure-test-linux-amd64 /usr/local/bin/container-structure-test
       - name: Run Container Structure Tests
+        env:
+          MYSQL_VERSION: ${{ matrix.mysql-version }}
         run: |
-          container-structure-test test --image ghcr.io/cybozu-go/moco/mysql:${{ matrix.mysql-version }} --config ./containers/mysql/${{ matrix.mysql-version }}/container-structure-test.yaml
+          container-structure-test test --image "ghcr.io/cybozu-go/moco/mysql:$MYSQL_VERSION" --config "./containers/mysql/$MYSQL_VERSION/container-structure-test.yaml"
 
       - run: |
           swapon > swapon.txt
@@ -93,7 +103,10 @@ jobs:
         uses: ./.github/actions/setup-aqua
 
       - name: Setup test cluster with local mysql image
-        run: make start KUBERNETES_VERSION=${{ matrix.k8s-version }} MYSQL_VERSION=${{ matrix.mysql-version }} KIND_CONFIG=kind-config_actions.yaml USE_LOCAL_MYSQL_IMAGE=1
+        env:
+          KUBERNETES_VERSION: ${{ matrix.k8s-version }}
+          MYSQL_VERSION: ${{ matrix.mysql-version }}
+        run: make start KUBERNETES_VERSION="$KUBERNETES_VERSION" MYSQL_VERSION="$MYSQL_VERSION" KIND_CONFIG=kind-config_actions.yaml USE_LOCAL_MYSQL_IMAGE=1
         working-directory: e2e
 
       - run: make test
@@ -111,6 +124,9 @@ jobs:
     if: ${{ (github.ref == 'refs/heads/main') && (needs.filter.outputs.mysql-versions != '[]') }}
     needs: filter
     runs-on: ${{ vars.IMAGE_BUILD_RUNNER || 'ubuntu-22.04' }}
+    permissions:
+      contents: read
+      packages: write
     strategy:
       matrix:
         mysql-version: ${{ fromJson(needs.filter.outputs.mysql-versions) }}
@@ -128,8 +144,10 @@ jobs:
       - name: Export TAG file
         id: tag
         working-directory: containers
+        env:
+          MYSQL_VERSION: ${{ matrix.mysql-version }}
         run: |
-          TAG=$(cat ./mysql/${{ matrix.mysql-version }}/TAG)
+          TAG=$(cat "./mysql/$MYSQL_VERSION/TAG")
           echo "tag: $TAG"
           echo "tag=$TAG" >> "$GITHUB_OUTPUT"
 

.github/workflows/build-mysqld-exporter-container.yaml

@@ -14,9 +14,14 @@ on:
       - ".github/workflows/build-mysqld-exporter-container.yaml"
       - "!**.md"
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ${{ vars.IMAGE_BUILD_RUNNER || 'ubuntu-24.04' }}
+    permissions:
+      contents: read
+      packages: write
     steps:
       - uses: actions/checkout@v6
       - uses: docker/setup-qemu-action@v3

.github/workflows/ci-e2e.yaml

@@ -11,13 +11,18 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 env:
   cache-version: 1
 
 # CI tests with supported MySQL version.
 jobs:
   dbtest:
     name: Integration tests with MySQL
+    permissions:
+      contents: read
+      pull-requests: read # Required for tj-actions/changed-files
     strategy:
       matrix:
         mysql-version: ["8.0.28", "8.0.43", "8.0.44", "8.0.45", "8.4.4", "8.4.8"]
@@ -38,6 +43,9 @@ jobs:
 
   e2e:
     name: Supported Kubernetes versions End-to-End Tests
+    permissions:
+      contents: read
+      pull-requests: read # Required for tj-actions/changed-files
     strategy:
       matrix:
         mysql-version: ["8.4.8"]
@@ -62,6 +70,9 @@ jobs:
 
   e2e-mysql:
     name: Supported MySQL versions End-to-End Tests
+    permissions:
+      contents: read
+      pull-requests: read # Required for tj-actions/changed-files
     strategy:
       matrix:
         mysql-version: ["8.0.28", "8.0.43", "8.0.44", "8.0.45", "8.4.4", "8.4.8"]
@@ -86,6 +97,9 @@ jobs:
 
   upgrade:
     name: Upgrade Test
+    permissions:
+      contents: read
+      pull-requests: read # Required for tj-actions/changed-files
     runs-on:
       group: moco
     steps:

.github/workflows/ci.yaml

@@ -10,13 +10,17 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 env:
   cache-version: 1
 
 jobs:
   build:
     name: Build binaries
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@v6
     - uses: actions/setup-go@v6
@@ -30,6 +34,8 @@ jobs:
   test:
     name: Small tests
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@v6
     - uses: actions/setup-go@v6

.github/workflows/helm-release.yaml

@@ -5,9 +5,13 @@ on:
     tags:
       - 'chart-v*'
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -40,6 +44,8 @@ jobs:
     name: Publish charts on GitHub Pages
     runs-on: ubuntu-22.04
     needs: build
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@v6
         with:

.github/workflows/helm.yaml

@@ -6,9 +6,13 @@ on:
       - "charts/**"
       - '!**.md'
 
+permissions: {}
+
 jobs:
   lint-test:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout

.github/workflows/mdbook.yaml

@@ -4,10 +4,15 @@ on:
   push:
     branches:
     - 'main'
+
+permissions: {}
+
 jobs:
   build:
     name: Build book
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@v6
     - name: Setup Aqua
@@ -22,6 +27,8 @@ jobs:
     name: Publish book on GitHub Pages
     runs-on: ubuntu-22.04
     needs: build
+    permissions:
+      contents: write
     steps:
     - uses: actions/checkout@v6
       with: