From 009bf6078324c3988560e6f137f09cca474da207 Mon Sep 17 00:00:00 2001
From: duyet <5009534+duyet@users.noreply.github.com>
Date: Sat, 23 May 2026 19:53:36 +0700
Subject: [PATCH 1/2] ci(lint): only validate changed files, scope linters to languages in repo

Lint was running on `claude/**` push events with no DEFAULT_BRANCH and no VALIDATE_ALL_CODEBASE setting, causing super-linter to fall back to scanning the whole repo. That surfaced unrelated pre-existing failures (Python, TypeScript, HTML, Markdown linters firing on files no PR ever touched) and made the check effectively unmergeable for any branch.
Changes:
- Add `master` to push/PR branch filters so the default branch is actually linted (it had `total_count: 0` runs before this).
- Set `DEFAULT_BRANCH: master` so super-linter can diff against the right base in push events.
- Set `VALIDATE_ALL_CODEBASE: false` explicitly to enforce changed-files-only behavior.
- Disable the language linters that don't apply to this repo's actual content (no Python, TypeScript, HTML, or natural-language prose to lint). Keep BASH, YAML, GitHub Actions, JSON, Checkov, Markdown, and codespell.
---
 .github/workflows/lint.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 4f477d9..967bae8 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -4,10 +4,12 @@ on: # yamllint disable-line rule:truthy
 push:
 branches:
 - main
+ - master
 - "claude/**"
 pull_request:
 branches:
 - main
+ - master
 permissions: {}
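Review bot: The branch filters now list both `main` and `master`, while the second hunk of this patch hard-codes `DEFAULT_BRANCH: master`, so a pull request targeting `main` would presumably be diffed against the wrong base. If `main` does not exist in this repository, drop the two `- main` entries. Otherwise take the base from the event, for example `DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}`. A comment above `- master` such as `# default branch; keep in sync with DEFAULT_BRANCH` would document the coupling. The `on:` mapping starts above the hunk.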
@@ -32,3 +34,22 @@ jobs:
 uses: super-linter/super-linter@v8.6.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ DEFAULT_BRANCH: master
+ VALIDATE_ALL_CODEBASE: false
+ # Languages this repo actually uses.
+ VALIDATE_BASH: true
+ VALIDATE_BASH_EXEC: true
+ VALIDATE_CHECKOV: true
+ VALIDATE_GITHUB_ACTIONS: true
+ VALIDATE_GITHUB_ACTIONS_ZIZMOR: true
+ VALIDATE_GITLEAKS: true
+ VALIDATE_GIT_MERGE_CONFLICT_MARKERS: true
+ VALIDATE_JSON: true
+ VALIDATE_JSON_PRETTIER: true
+ VALIDATE_MARKDOWN: true
+ VALIDATE_MARKDOWN_PRETTIER: true
+ VALIDATE_RENOVATE: true
+ VALIDATE_SHELL_SHFMT: true
+ VALIDATE_TRIVY: true
+ VALIDATE_YAML: true
+ VALIDATE_YAML_PRETTIER: true
From 1a086d445d19446c57f7ddf0352c0d94e9c73601 Mon Sep 17 00:00:00 2001
From: duyet <5009534+duyet@users.noreply.github.com>
Date: Sat, 23 May 2026 19:59:01 +0700
Subject: [PATCH 2/2] ci(lint): satisfy yamllint/prettier/zizmor on lint.yml itself

- add `---` document start
- quote `"on":` so yamllint's truthy rule stops fighting prettier
- pin actions/checkout and super-linter to SHA (zizmor unpinned-uses)
- add persist-credentials: false on checkout
---
 .github/workflows/lint.yml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 967bae8..d4b8af8 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,6 +1,8 @@
+---
 name: Lint
-on: # yamllint disable-line rule:truthy
+# yamllint disable rule:truthy
+"on":
 push:
 branches:
 - main
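Review bot: The added `VALIDATE_*` list does not enable codespell, although the commit message says it is kept. Super-linter treats any `VALIDATE_*: true` as an allowlist and leaves unlisted linters off, so spelling checks stop after this change. If that is unintended, add `VALIDATE_SPELL_CODESPELL: true` (name as I recall it from the super-linter docs; confirm against v8.6.0). Separately, `VALIDATE_ALL_CODEBASE: false` presumably limits `VALIDATE_GITLEAKS`, `VALIDATE_TRIVY` and `VALIDATE_CHECKOV` to changed files too, so secrets or misconfigurations already in the tree are not re-checked by this job. A comment above that line such as `# changed files only; full-tree secret/IaC scan must run elsewhere`, backed by a scheduled full scan, would make that gap explicit.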
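Review bot: The new `# yamllint disable rule:truthy` directive switches the truthy rule off from that line to the end of the file, whereas the removed `disable-line` form covered only the `on:` line. Since the key is now quoted as `"on":`, yamllint should no longer flag it, so the directive can probably be dropped. If it is still needed, close it with `# yamllint enable rule:truthy` after the `"on":` block. Otherwise a later `yes`/`on` typo among the `VALIDATE_*` values would pass lint unnoticed.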
@@ -25,18 +27,19 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ # actions/checkout v4.2.2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 with:
 fetch-depth: 0
 persist-credentials: false
 - name: Super-linter
- uses: super-linter/super-linter@v8.6.0
+ # super-linter v8.6.0
+ uses: super-linter/super-linter@9e863354e3ff62e0727d37183162c4a88873df41
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 DEFAULT_BRANCH: master
 VALIDATE_ALL_CODEBASE: false
- # Languages this repo actually uses.
 VALIDATE_BASH: true
 VALIDATE_BASH_EXEC: true
 VALIDATE_CHECKOV: true
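Review bot: The checkout pin is also a version change that the commit message does not mention: the removed line was `actions/checkout@v6`, and the new comment labels the pinned SHA as v4.2.2. If v6 is meant to stay, pin that release's commit instead, e.g. `uses: actions/checkout@<v6-commit-sha> # v6.x.y` (placeholder; take the SHA from the upstream tag). Neither SHA-to-tag mapping can be checked from the diff, so confirm both against the upstream repositories before merge, because the super-linter step receives `GITHUB_TOKEN`. Putting the version in a trailing comment on the `uses:` line, rather than on the line above, is the form update tools such as Renovate generally parse, which keeps the label from drifting from the SHA. The `steps:` list and its job start outside the hunk.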