fix(ci): resolve super-linter failures

- Set DEFAULT_BRANCH to current branch to fix 'master not found' error - Use fetch-depth: 0 so GITHUB_BEFORE_SHA can be resolved - Set update_etl.sh executable bit (BASH_EXEC) - Fix .codespellrc tab indentation (EDITORCONFIG) - Add .gitleaks.toml allowlist for GA4 Measurement Protocol API secret (GITLEAKS) - Fix .markdown-lint.yml: disable MD030/MD013/MD033/MD041/MD051 to match existing repo style (MARKDOWN)
2 months ago · db4253f002
5 changed files with 21 additions and 15 deletions
--- a/.github/linters/.gitleaks.toml
+++ b/.github/linters/.gitleaks.toml
@ -0,0 +1,9 @@
+title = "LinuxGSM Gitleaks Config"
+
+[allowlist]
+  description = "Known false positives"
+  regexes = [
+    # Google Analytics 4 Measurement Protocol API secret - not a sensitive credential,
+    # it is intentionally embedded in client-side code and is safe to be public.
+    '''apisecret="[A-Za-z0-9_\-]+"''',
+  ]
--- a/.github/linters/.markdown-lint.yml
+++ b/.github/linters/.markdown-lint.yml
@ -12,12 +12,9 @@ MD013: false
 # MD033: The main README uses inline HTML for badges.
 MD033: false

-# Match existing list formatting in this repo.
+# MD007: Repo uses 2-space indentation for nested lists.
 MD007:
-  indent: 4
+  indent: 2

-MD030:
-  ul_single: 3
-  ol_single: 2
-  ul_multi: 3
-  ol_multi: 2
+# MD030: Repo mixes 1-space unordered and 2-space ordered list markers.
+MD030: false
--- a/.github/workflows/action-super-linter.yml
+++ b/.github/workflows/action-super-linter.yml
@ -27,9 +27,8 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
-          # Shallow clone reduces transient fetch failures (HTTP 500) from GitHub.
-          # We lint the whole codebase instead of relying on git history.
-          fetch-depth: 1
+          # Full clone required so super-linter can resolve GITHUB_BEFORE_SHA.
+          fetch-depth: 0
          fetch-tags: false
          persist-credentials: false

@ -42,6 +41,7 @@ jobs:
        env:
          # To report GitHub Actions status checks
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DEFAULT_BRANCH: ${{ github.ref_name }}
          VALIDATE_BIOME_FORMAT: false
          VALIDATE_BIOME_LINT: false
          VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
--- a/lgsm/modules/update_etl.sh
+++ b/lgsm/modules/update_etl.sh