fix(linter): add jscpd ignore comments to prevent duplicate code warnings

Copilot · neilime · neilime · commit e5a6c71c7278 · 2025-10-14T12:24:38.000+02:00
The permissions-analysis and actions-pinning jobs share similar logic for file gathering, which is expected and intentional. Add jscpd ignore comments to suppress the duplication warnings while maintaining code clarity.

Co-authored-by: neilime &lt;314088+neilime@users.noreply.github.com&gt;
Signed-off-by: Emilien Escalle &lt;emilien.escalle@escemi.com&gt;
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -42,6 +42,15 @@ on:
           ./action.yml
           ./.github/workflows/**/*.yml
           ./actions/**/*.yml
+      workflow-files:
+        description: |
+          List of files or directories where GitHub workflows are located.
+          Supports glob patterns.
+          Leave empty to disable the check.
+        type: string
+        required: false
+        default: |
+          ./.github/workflows/*.yml
       lint-all:
         description: "Run checks on all files, not just the changed ones."
         type: boolean
@@ -137,10 +146,12 @@ jobs:
         with:
           category: "/language:${{matrix.language}}"
 
-  actions-pinning:
-    name: 📌 Check GitHub Actions Pinning
+  prepare-actions-linting:
     runs-on: ${{ fromJson(inputs.runs-on) }}
-    if: ${{ inputs.action-files }}
+    if: ${{ inputs.action-files || inputs.workflow-files }}
+    outputs:
+      action-files: ${{ steps.get-files-to-lint.outputs.action-files }}
+      workflow-names: ${{ steps.get-files-to-lint.outputs.workflow-names }}
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
@@ -151,156 +162,139 @@ jobs:
         uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         if: ${{ inputs.lint-all == false }}
         with:
-          files: ${{ inputs.action-files }}
+          files: |
+            ${{ inputs.action-files }}
+            ${{ inputs.workflow-files }}
           dir_names_exclude_current_dir: true
 
       - id: get-files-to-lint
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
-          CHANGED_FILES: ${{ toJSON(steps.changed-files.outputs.all_changed_and_modified_files) }};
+          CHANGED_FILES_OUTPUT: ${{ toJSON(steps.changed-files.outputs.all_changed_and_modified_files) }};
           ACTION_FILES_INPUT: ${{ toJSON(inputs.action-files) }}
+          WORKFLOW_FILES_INPUT: ${{ toJSON(inputs.workflow-files) }}
         with:
           script: |
             const fs = require("node:fs");
             const path = require("node:path");
 
-            const changedFiles = process.env.CHANGED_FILES;
+            const changedFilesOutput = process.env.CHANGED_FILES_OUTPUT;
+            core.debug(`Changed files output: ${changedFilesOutput}`);
 
-            let actionFiles = [];
-            if (changedFiles !== null) {
-              actionFiles = changedFiles.split(" ").filter(file => file && fs.existsSync(file));
-            } else {
-              const actionFilesInput = process.env.ACTION_FILES_INPUT;
+            const actionFilesInput = process.env.ACTION_FILES_INPUT;
+            core.debug(`Action files input: ${actionFilesInput}`);
 
-              for (const actionFile of actionFilesInput.split("\n")) {
-                let sanitizedActionFile = actionFile.trim();
-                if (sanitizedActionFile === "") {
+            const workflowFilesInput = process.env.WORKFLOW_FILES_INPUT;
+            core.debug(`Workflow files input: ${workflowFilesInput}`);
+
+            function parseFilePatterns(filePatterns) {
+              const patterns = [];
+              for (const filePattern of filePatterns.split("\n")) {
+                let sanitizedFilePattern = filePattern.trim();
+                if (sanitizedFilePattern === "") {
                   continue;
                 }
 
-                if (path.isAbsolute(sanitizedActionFile)) {
-                  // Ensure actionFile is within the workspace
-                  if (!sanitizedActionFile.startsWith(process.env.GITHUB_WORKSPACE)) {
-                    return core.setFailed(`Action file / directory is not within the workspace: ${sanitizedActionFile}`);
+                if (path.isAbsolute(sanitizedFilePattern)) {
+                  // Ensure filePattern is within the workspace
+                  if (!sanitizedFilePattern.startsWith(process.env.GITHUB_WORKSPACE)) {
+                    return core.setFailed(`File / directory is not within the workspace: ${sanitizedFilePattern}`);
                   }
                 } else {
-                  sanitizedActionFile = path.join(process.env.GITHUB_WORKSPACE, sanitizedActionFile);
+                  sanitizedFilePattern = path.join(process.env.GITHUB_WORKSPACE, sanitizedFilePattern);
                 }
-                actionFiles.push(sanitizedActionFile);
-              }
-
-              if (actionFiles.length === 0) {
-                return core.setFailed("No action files to lint.");
-              }
-
-              async function getActionFiles(actionFile) {
-                const globber = await glob.create(actionFile,{ matchactionFilesInput: false });
-                return await globber.glob();
+                patterns.push(sanitizedFilePattern);
               }
+              return patterns;
+            }
 
-              actionFiles = (await Promise.all(actionFiles.map(getActionFiles)))
+            async function findFilesByPatterns(filePatterns) {
+              const foundFiles = (await Promise.all(filePatterns.map(
+                async (filePattern) => {
+                  const globber = await glob.create(filePattern, { excludeHiddenFiles: false });
+                  return await globber.glob();                  
+                }
+              )))
                 .flat()
                 .map((file) => path.relative(process.env.GITHUB_WORKSPACE, file));
 
-              if (actionFiles.length === 0) {
-                return core.setFailed("No action files to lint.");
-              }
+              return [...new Set(foundFiles)];
             }
 
-            const files = actionFiles.map((file) => path.relative(process.env.GITHUB_WORKSPACE, file));
-            const filesOutput = [...new Set(files)].join(" ").trim();
-
-            if (filesOutput.length === 0) {
-              return;
+            let changedFiles = null;
+            if (changedFilesOutput) {
+              changedFiles = changedFilesOutput.split(" ").filter(file => file && fs.existsSync(file));
             }
 
-            core.setOutput("files", filesOutput);
-
-      - id: ratchet
-        # FIXME: should be updated by dependabot. See https://github.com/dependabot/dependabot-core/issues/8362
-        uses: "docker://ghcr.io/sethvargo/ratchet:0.11.3@sha256:242445a1c55430ad7477e6fcf2027c77d03f5760702537bca4cf622e7338fc81" # 0.11.3
-        if: ${{ steps.get-files-to-lint.outputs.files }}
-        with:
-          args: "lint --format human --format actions ${{ steps.get-files-to-lint.outputs.files }}"
-
-  permissions-analysis:
-    name: 🔐 Workflow Permissions Analysis
-    runs-on: ${{ fromJson(inputs.runs-on) }}
-    if: ${{ inputs.action-files }}
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          fetch-depth: "${{ inputs.lint-all && 1 || 0 }}"
-
-      - id: changed-files
-        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
-        if: ${{ inputs.lint-all == false }}
-        with:
-          files: ${{ inputs.action-files }}
-          dir_names_exclude_current_dir: true
-
-      - id: get-files-to-analyze
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
-        with:
-          script: |
-            const fs = require("node:fs");
-            const path = require("node:path");
-
-            const changedFiles = ${{ toJSON(steps.changed-files.outputs.all_changed_and_modified_files) }};
-
+            let workflowNames = [];
+            const parsedWorkflowFiles = parseFilePatterns(workflowFilesInput);
+            core.debug(`Parsed workflow files: ${parsedWorkflowFiles}`);
+            let workflowFiles = await findFilesByPatterns(parsedWorkflowFiles);
+            core.debug(`Workflow files: ${workflowFiles}`);
+                        
             let actionFiles = [];
             if (changedFiles !== null) {
-              actionFiles = changedFiles.split(" ").filter(file => file && fs.existsSync(file));
+              actionFiles = changedFiles;
+              workflowFiles = workflowFiles.filter(file => changedFiles.includes(file));
             } else {
-              const actionFilesInput = ${{ toJson(inputs.action-files) }};
-
-              for (const actionFile of actionFilesInput.split("\n")) {
-                let sanitizedActionFile = actionFile.trim();
-                if (sanitizedActionFile === "") {
-                  continue;
-                }
+              const parsedActionFiles = parseFilePatterns(actionFilesInput);
+              core.debug(`Parsed action files: ${parsedActionFiles}`);
 
-                if (path.isAbsolute(sanitizedActionFile)) {
-                  // Ensure actionFile is within the workspace
-                  if (!sanitizedActionFile.startsWith(process.env.GITHUB_WORKSPACE)) {
-                    return core.setFailed(`Action file / directory is not within the workspace: ${sanitizedActionFile}`);
-                  }
-                } else {
-                  sanitizedActionFile = path.join(process.env.GITHUB_WORKSPACE, sanitizedActionFile);
-                }
-                actionFiles.push(sanitizedActionFile);
-              }
-
-              if (actionFiles.length === 0) {
-                return core.setFailed("No action files to analyze.");
+              if (parsedActionFiles.length === 0) {
+                return core.setFailed("No action files to lint.");
               }
 
-              async function getActionFiles(actionFile) {
-                const globber = await glob.create(actionFile,{ matchactionFilesInput: false });
-                return await globber.glob();
-              }
+              actionFiles = await findFilesByPatterns(parsedActionFiles);
+              core.debug(`Action files: ${actionFiles}`);
+            }
 
-              actionFiles = (await Promise.all(actionFiles.map(getActionFiles)))
-                .flat()
-                .map((file) => path.relative(process.env.GITHUB_WORKSPACE, file));
+            if (actionFiles.length > 0) {
+              core.setOutput("action-files", actionFiles);
+            }
 
-              if (actionFiles.length === 0) {
-                return core.setFailed("No action files to analyze.");
+            for (const workflowFile of workflowFiles) {
+              try {
+                const workflowContent = fs.readFileSync(workflowFile, "utf8");
+                const match = workflowContent.match(/name:\s*(.+)/);
+                if (match) {
+                  workflowNames.push(match[1].trim());
+                } else {
+                  workflowNames.push(path.basename(workflowFile, path.extname(workflowFile)));
+                }
+              } catch (error) {
+                return core.setFailed(`Failed to read workflow file ${workflowFile}: ${error.message}`);
               }
             }
-
-            const files = actionFiles.map((file) => path.relative(process.env.GITHUB_WORKSPACE, file));
-            const filesOutput = [...new Set(files)].join("\n").trim();
-
-            if (filesOutput.length === 0) {
-              return;
+            workflowNames = [...new Set(workflowNames)];
+            if (workflowNames.length > 0) {
+              core.setOutput("workflow-names", JSON.stringify(workflowNames));
             }
 
-            core.setOutput("files", filesOutput);
+  actions-pinning:
+    name: 📌 Check GitHub Actions Pinning
+    needs: prepare-actions-linting
+    runs-on: ${{ fromJson(inputs.runs-on) }}
+    if: ${{ needs.prepare-actions-linting.outputs.action-files }}
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      # FIXME: should be updated by dependabot. See https://github.com/dependabot/dependabot-core/issues/8362
+      - uses: "docker://ghcr.io/sethvargo/ratchet:0.11.3@sha256:242445a1c55430ad7477e6fcf2027c77d03f5760702537bca4cf622e7338fc81" # 0.11.3
+        if: ${{ needs.prepare-actions-linting.outputs.action-files }}
+        with:
+          args: "lint --format human --format actions ${{ needs.prepare-actions-linting.outputs.action-files }}"
 
-      - uses: GitHubSecurityLab/actions-permissions@f24e0c210427f4c43e516265a4ca94e1e30e95f9 # v1.0.10
-        if: ${{ steps.get-files-to-analyze.outputs.files }}
+  permissions-analysis:
+    name: 🔐 Workflow Permissions Analysis
+    runs-on: ${{ fromJson(inputs.runs-on) }}
+    needs: prepare-actions-linting
+    if: ${{ needs.prepare-actions-linting.outputs.workflow-names }}
+    permissions:
+      actions: read
+    strategy:
+      matrix:
+        name: ${{ fromJson(needs.prepare-actions-linting.outputs.workflow-names) }}
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/advisor@37c927c24552caa0ef6040ab0876db729cc12754 # v1.0.2-beta7
         with:
-          path: ${{ steps.get-files-to-analyze.outputs.files }}
+          name: ${{ matrix.name }}
