articulate / actions-markdownlint Goto Github PK

I am trying to add one file and one directory to the ignore input. I tried, separation with a space, with a comma and putting the input in paranthesis as well as brackets. Nothing worked. The parenthesis and the brackets were rejected and with space or comma separation, only the first entry is ignored.

This is my workflow file.

Currently this action just grabs the latest version of markdownlint-cli, which most of the time is fine, but sometimes it could be broken (eg. igorshubovych/markdownlint-cli#210 ), in which case you really which you could have locked down to a specific (known good) release.

It would be nice to have an optional property that allowed setting a specific version

At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of GITHUB_TOKEN permissions needed by different GitHub Actions. When developers try to set minimum token permissions for their workflows, they can use this knowledge-base instead of trying to research permissions needed by each GitHub Action they use.

Below you can see the KB of your GITHUB Action.

name: markdown-lint # articulate/actions-markdownlint
# GITHUB_TOKEN not used

If you think this information is not accurate, or if in the future your GitHub Action starts using a different set of permissions, please create an issue at https://github.com/step-security/secure-workflows/issues to let us know.

This issue is automatically created by our analysis bot, feel free to close after reading :)

References:

GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.

Setting minimum token permissions is also checked for by Open Source Security Foundation (OpenSSF) Scorecards. Scorecards recommend using https://github.com/step-security/secure-workflows so developers can fix this issue in an easier manner.

I am in the process of deploying this to my company's documentation repository. However, the config file I would like to use appears to be ignored.
https://github.com/ringcentral/ringcentral-api-docs/actions/runs/5363287621/jobs/9730747097

I did notice that the Docker file copies over the static config file:

Is this right? Should it not copy over my personal config?