markdown linting added

[kairveeehh]

Fixes #79
added the linting according to the rules discussed
in json

{
  "MD013": false,
  "MD033": false
}

[nirs]

bash

[nirs]

I asked before why we enable fix: true. What is the purpose of this option?

[kairveeehh]

not including this gives very basic error mistakes in readme like these , this is the flow run without fix :true
as the errors were really basic and have a option of auto-fixes I used this

[nirs]

And what is the output with fix: true?

It seems that we should add a comment like this to make it more clear:

# Enabled to improve reported errors
fix: true

(The comment may be improved, I guess the output include the suggested fix)

The existing comment "Enable auto-fixing" is not useful because it explains what the option does which is pretty clear. Comments should explain why we do stuff, which something the code cannot explain.

[kairveeehh]

with fix:true , these mistakes are not pointed out as errors and the check runs smoothly
I will update the comment

[nirs]

I already commented on the comment: This is not a personal config file. Please remove the comment.

[nirs]

The comment is not needed. Does it come from an example file?

[nirs]

solves (#79 ) added the linting according to the rules discussed in json

We already discussed this on another PR - please use the standard Fixes #79 format at the bottom of the pr message.

[kairveeehh]

@nirs kindly review

[jandubois]

As an OSSF best practice we prefer to specify actions by SHA and not by version. You can look up the version like this:

❯ gh api repos/DavidAnson/markdownlint-cli2-action/git/ref/tags/v19 | jq -r .object.sha
05f32210e84442804257b2a6f20b273450ec8265

Dependebot will take care of updating from then on.

Suggested change

	uses: DavidAnson/markdownlint-cli2-action@v19
	uses: DavidAnson/markdownlint-cli2-action@05f32210e84442804257b2a6f20b273450ec8265 # v19

[kairveeehh]

Thanks , I'll fix it

[nirs]

@jandubois using digest looks good (I did not know that dependebot supports this) but do you have any references to this best practice?

[jandubois]

You can find it under pinned dependencies:

For GitHub workflows used in building and releasing your project, pin dependencies by hash. See main.yaml for example. To determine the permissions needed for your workflows, you may use StepSecurity's online tool by ticking the "Pin actions to a full length commit SHA". You may also tick the "Restrict permissions for GITHUB_TOKEN" to fix issues found by the Token-Permissions check.

[jandubois]

Dependebot will take care of updating from then on.

I just noticed that we have not set up dependabot for this repo yet; will create an issue for it.

[kairveeehh]

I have created a pullrequest for it as well :) and fixed this one too

[jandubois]

Note that I left the action version in a comment in my suggestion:

Suggested change

	uses: DavidAnson/markdownlint-cli2-action@05f32210e84442804257b2a6f20b273450ec8265
	uses: DavidAnson/markdownlint-cli2-action@05f32210e84442804257b2a6f20b273450ec8265 # v19

When dependabot creates a PR to update the SHA, it will update the comment with the version too. I don't know if it will add a comment, if there isn't one, so I think it will be safer to add it right away.

[jandubois]

See for example https://github.com/lima-vm/lima/pull/3291/files

[kairveeehh]

got it , did'nt know that dependabot updates it as well

[jandubois]

Thanks, LGTM

[jandubois]

I hope this works; the examples I have seen all have a space after the #. Unfortunately it isn't documented how exactly dependabot is updating comments.