build(ci): replace MegaLinter with per-tool GitHub Actions lint workflows #240
WilliamBerryiii merged 11 commits into main from
Pull request overview
This PR replaces the repository's MegaLinter-based linting with a set of reusable, per-tool GitHub Actions workflows, and rewires the PR + main CI orchestrators to run these lint jobs in parallel. It also updates package.json scripts/dependencies to remove mega-linter-runner usage and run tools directly.
Changes:
- Added 8 reusable lint workflows (workflow_call) covering shell, Terraform, Bicep, docs, code-quality, PowerShell, security, and YAML/Helm/Dockerfile linting.
- Updated pr-validation.yml and main.yml to remove MegaLinter jobs and invoke the new lint workflows in parallel.
- Migrated npm lint scripts away from mega-linter-runner and removed MegaLinter config/workflow files.
Reviewed changes
Copilot reviewed 14 out of 15 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| package.json | Removes mega-linter-runner usage; adds direct tool invocations and new deps (cspell/eslint). |
| .mega-linter.yml | Deletes MegaLinter configuration. |
| .github/workflows/megalinter.yml | Deletes MegaLinter reusable workflow. |
| .github/workflows/pr-validation.yml | Replaces MegaLinter job with parallel per-tool lint workflow calls; adjusts needs graph. |
| .github/workflows/main.yml | Replaces MegaLinter job with parallel per-tool lint workflow calls; adjusts needs graph. |
| .github/workflows/shell-lint.yml | New reusable shell lint workflow (bash -n, ShellCheck, shfmt). |
| .github/workflows/terraform-lint.yml | New reusable Terraform lint workflow (fmt + TFLint). |
| .github/workflows/bicep-lint.yml | New reusable Bicep validation workflow (az bicep build across repo). |
| .github/workflows/docs-lint.yml | New reusable docs lint workflow (markdownlint, table formatter check, cspell). |
| .github/workflows/code-quality-lint.yml | New reusable code-quality workflow (ESLint + Prettier JSON check). |
| .github/workflows/powershell-lint.yml | New reusable PowerShell lint workflow (PSScriptAnalyzer). |
| .github/workflows/security-scan.yml | New reusable security workflow (gitleaks, grype, secretlint + SARIF upload). |
| .github/workflows/yaml-lint.yml | New reusable YAML/Helm/Dockerfile workflow (yamllint, helm lint, hadolint). |
| .github/workflows/resource-provider-pwsh-tests.yml | Updates a stale MegaLinter reference in usage example comment. |
katriendg
left a comment
Thank you 🙏 🙏 🙏 for this one, it's going to be such an improvement!
I have a few comments, the one I would push to a new issue + PR potentially is the cleanup of -devcontainer & bicep lint, mostly because it requires updating a few docs. For now just removing the two lines would already be good?
bindsi
left a comment
Thanks for this nice PR and the tremendous improvement we'll achieve during the pipeline runs. 🙏
@WilliamBerryiii I see .megalinter.yaml is removed but the new individual linters don't have their own config files --> would this make sense for quick change of rules? Or do you intend to update the configuration in a workflow step of the linter then by passing the right parameter?
All the linters should have their own configs when we are not using the defaults. The prior two PRs should have finished that out.
Follow-up issue created for the
- add shell, terraform, bicep, docs, code-quality, powershell, security, yaml lint workflows
- rewire pr-validation.yml and main.yml to call 8 parallel lint jobs
- migrate npm scripts from mega-linter-runner to direct tool invocations
- remove megalinter.yml workflow and .mega-linter.yml config
🔧 - Generated by Copilot

- Remove dependency-scan gating from all 8 lint jobs in both workflows
- Remove codeql-analysis gate from dependency-scan in PR workflow
- Remove lint-job gates from downstream docs and version-check jobs
- Narrow matrix-changes dependency to docs-automation only
- Remove soft-fail: true from main branch lint jobs (enforce quality)
- Standardize soft-fail to env var indirection in 4 workflows
- Standardize artifact retention to 30 days across all workflows
- Fix corrupted hashicorp/setup-terraform SHA in terraform-lint.yml
🔧 - Generated by Copilot

…stall
- microsoft enterprise policy blocks third-party actions not in the allowed list
- replace uses: terraform-linters/setup-tflint with curl-based pinned v0.54.0 install
🔧 - Generated by Copilot

…r step
- markdown-table-formatter CLI has no --ignore option
- use find with -not -path exclusions piped via xargs instead
🔧 - Generated by Copilot

- pin Grype v0.80.0, Terraform v1.9.8, PSScriptAnalyzer v1.22.0, Helm v3.16.3
- fix gitleaks --exit-code and secretlint node_modules exclusions
- add shellcheck/shfmt install step; fix find|xargs with -print0/-0/-r
- add az bicep install in bicep-lint; align cspell exclusions across configs
- add fail-on-severity threshold to .grype.yaml
🔒 - Generated by Copilot

- Add shell: bash to workflow summary steps
- Fix POSIX compliance: == to = in test comparisons
- Add \ default pattern for unset variables
- Remove obsolete devcontainer lint scripts from package.json
🔧 - Generated by Copilot

64d4d8f to a1d208e

- add deleted credentials.yaml commit to gitleaks allowlist
- upgrade existing short hashes to full 40-char hashes
🔒 - Generated by Copilot

- resolve CI failure from commit allowlist incompatibility with 8.21.2
🔧 - Generated by Copilot

- Previous v0.80.0 used a legacy DB feed no longer updated regularly
- Stale DB (6 days old, max 5 allowed) was the sole remaining CI failure
🤖 - Generated by Copilot

…ties
- ignore flatted 3.3.3 prototype pollution (GHSA-25h7-pfq9-p65f)
- ignore aws-lc-sys 0.32.3 vulnerabilities (GHSA-65p9-r9h6-22vj, GHSA-hfpc-8r3f-gw53, GHSA-vw5v-4f2q-w9xf)
🔒 - Generated by Copilot
Description
Replaced the monolithic MegaLinter orchestration with 8 dedicated, per-tool reusable GitHub Actions workflows following hve-core modular build system patterns. Each workflow uses workflow_call with a soft-fail boolean input, enabling the PR pipeline to fail on lint violations while the main branch can optionally warn. Both pr-validation.yml and main.yml orchestrators were rewired to call all lint jobs in parallel with zero dependency gates, maximizing CI throughput.

Reusable Lint Workflows
Created 8 new reusable workflows in .github/workflows/, each self-contained with tool installation, file discovery, lint execution, and artifact upload stages:
- shell-lint.yml: bash -n syntax check, ShellCheck, shfmt
- terraform-lint.yml: terraform fmt check, tflint with pinned SHA
- bicep-lint.yml: az bicep build validation across all bicep directories
All workflows share consistent patterns: persist-credentials: false on checkout, env: SOFT_FAIL indirection for safe shell interpolation, and 30-day artifact retention.

Orchestrator Rewiring
Updated both pipeline orchestrators to replace the single mega-linter job with 8 parallel lint job calls. Removed unnecessary needs: dependency gates from downstream jobs that had no data dependency on lint results:
- pr-validation.yml: removed needs: from docs-automation, docs-check-terraform, docs-check-bicep, aio-version-check; narrowed matrix-changes dependency to [docs-automation] only
- main.yml: removed needs: from docs-check-terraform-main, docs-check-bicep-main; preserved deploy-pages-main dependency gate as a real deployment prerequisite

npm Script Migration
Replaced 7 mega-linter-runner-based npm scripts with direct tool invocations. Removed the mega-linter-runner dependency and added cspell and eslint as project dependencies.

Cleanup
Deleted megalinter.yml (reusable workflow, 117 lines) and .mega-linter.yml (root config, 154 lines). Updated a stale mega-linter comment reference in resource-provider-pwsh-tests.yml.

Related Issue
Related to #235

Type of Change

Implementation Details
The approach decomposes MegaLinter's 22-linter monolith into 8 focused workflows grouped by tool domain. Each workflow is a workflow_call target that orchestrators invoke as parallel jobs. This replaces the serial MegaLinter execution (which ran all linters sequentially in a single container) with parallel native runners, reducing CI wall-clock time.

The soft-fail input on each workflow defaults to false (hard fail). The PR orchestrator passes no override (enforcing lint failures as blocking), while the main orchestrator also uses the default (enforcing quality on the main branch). The env: SOFT_FAIL pattern avoids direct ${{ inputs.soft-fail }} interpolation in shell blocks, following the GitHub Actions security recommendation for input handling.

Testing Performed

Validation Steps
- npm run lint executes the migrated script chain locally

Checklist
- terraform fmt on all Terraform code
- terraform validate on all Terraform code
- az bicep format on all Bicep code
- az bicep build to validate all Bicep code
- mega-linter-runner)

Additional Notes
- .cspell.json, .gitignore, .github/copilot-instructions.md, .devcontainer/README.md, azure-pipelines.yml, etc.) — tracked as follow-up work, not in scope for this PR
- azure-pipelines.yml MegaLinter template reference is a known follow-up item that may require separate ADO pipeline changes

Screenshots (if applicable)
N/A — CI/CD pipeline changes with no UI impact
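As an added illustration (not a file from this repository or from this PR), here is a minimal reusable lint workflow in the shape the description outlines: a workflow_call target with a soft-fail boolean input defaulting to false, persist-credentials: false on checkout, the input read through env: SOFT_FAIL instead of being interpolated into the script, NUL-delimited find | xargs file discovery, and 30-day artifact retention. The workflow name, step names, the '*.sh' file pattern, the exclusion paths, and the use of version tags rather than pinned commit SHAs are assumptions made for readability; the repository pins SHAs and installs some tools via curl because of the enterprise action allow-list mentioned in the commits. It also assumes shellcheck is already present on the runner (the PR adds an explicit install step).

```yaml
# Added example, not hve-core's shell-lint.yml. Names and patterns are assumed.
name: shell-lint

on:
  workflow_call:
    inputs:
      soft-fail:
        description: Report ShellCheck findings as warnings instead of failing the job
        type: boolean
        required: false
        default: false   # hard fail unless the caller opts out

permissions:
  contents: read

jobs:
  shell-lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config for later steps

      # UNSAFE pattern the indirection avoids (shown only as a comment):
      #   run: if [ "${{ inputs.soft-fail }}" = "true" ]; then ...
      # The runner substitutes the input into the script *text* before bash
      # runs it, so a string-typed input holding shell metacharacters becomes
      # code. Passing it through env makes it plain data at runtime.
      - name: ShellCheck
        shell: bash
        env:
          SOFT_FAIL: ${{ inputs.soft-fail }}
        run: |
          set -uo pipefail
          # -print0/-0 survive spaces in paths; -r skips shellcheck when nothing matches
          if find . -type f -name '*.sh' -not -path './node_modules/*' -not -path './.git/*' -print0 \
               | xargs -0 -r shellcheck --format=gcc | tee shellcheck.txt; then
            status=0
          else
            status=$?   # with pipefail this is xargs/shellcheck's status, not tee's
          fi
          if [ "$status" -ne 0 ]; then
            if [ "${SOFT_FAIL:-false}" = "true" ]; then
              echo "::warning::ShellCheck reported findings; soft-fail is enabled"
              exit 0
            fi
            exit "$status"
          fi

      - name: Upload ShellCheck report
        if: always()   # keep the report even when the lint step failed
        uses: actions/upload-artifact@v4
        with:
          name: shellcheck-report
          path: shellcheck.txt
          retention-days: 30
```

An orchestrator calls it with `uses: ./.github/workflows/shell-lint.yml` and no `with:` block, so the default of false applies and findings block the PR; a caller that wants warnings only passes `with: { soft-fail: true }`. Because the input is declared `type: boolean` the injection risk in this particular workflow is nil, but reading it via env costs nothing and keeps the step safe if the input is ever changed to a string or if the same pattern is copied to a workflow that takes free-text inputs.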