Add reusable checks.yml (pre-commit, zizmor, lychee)#625
Draft
bschwedler wants to merge 10 commits into
Draft
Conversation
The shared lychee default now globs **/*.*md, which matches both Markdown and Quarto (.qmd) files, so any repo's docs are covered. images-shared is currently the only repo with .qmd files. Its CI caller excludes the presentations/ directory, which holds dated slide decks rather than maintained docs. The dl.posit.co bare directory path, which 404s with no served index, is added to .lycheeignore.
Allows callers without GitHub Advanced Security to set zizmor-advanced-security: false and skip the SARIF upload step, removing the security-events: write requirement for those repos.
Aligns with the lychee-args / zizmor-advanced-security convention
so all inputs follow the {tool}-{option} pattern and group together
alphabetically.
lychee-*, pre-commit-* (including python-*), zizmor-*
pre-commit/action is a composite action that internally uses actions/cache@v4 (a floating tag), which fails the org's transitive SHA-pin policy even though the action itself is pinned. Replace it with a self-controlled cache step (SHA-pinned v5.0.5, matching the lychee cache step) and a direct pip install + run.
Drops the explicit pip install in favour of uvx, which downloads and runs the tool ephemerally. Consistent with how the rest of the project uses uv.
Test Results1 896 tests 1 896 ✅ 7m 34s ⏱️ Results for commit 19ca4f4. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Extracts the inline
lintandzizmorjobs fromci.ymlinto a newreusable
checks.ymlworkflow, adds lychee link checking, and wiresci.ymlup as the first caller.Sibling repos can adopt
checks.ymlto get pre-commit, zizmor, andlink checking without duplicating the job definitions.
What changed
checks.yml— new reusable workflow with three independentlytoggleable jobs:
pre-commit,zizmor,lychee. All inputs followthe
{tool}-{option}naming convention (lychee-args,lychee-run,zizmor-advanced-security,zizmor-run,pre-commit-run,python-version,python-version-file).ci.yml— replaces the inlinelint+zizmorjobs with a singlecheckscaller..lycheeignore— excludes rate-limited, auth-gated, and private hostsfrom link checks.
justfile— adds acheck-linksrecipe for local use.Notes
pre-commit/actionis replaced with a directuvx pre-commitinvocation.The composite action internally uses
actions/cache@v4(floating tag),which fails the org's transitive SHA-pin policy.
zizmor-advanced-securitydefaults totrue. Repos without GitHubAdvanced Security should set it to
falseand omitsecurity-events: writefrom their caller permissions.pull_requestandmerge_groupevents (same aspre-commit). Link checks on push-to-main would be redundant.