From cold to hot

A cold but sunny start to this week should turn into a mini heatwave by the weekend (maybe). No excuse not to go cycling several times this week.

Practicalli work this week was on the Sustainable Life and Cycling books.

The Megalinter GitHub workflow generated a failing issue on the Practicalli Journal repository yesterday, indicating it failed because it couldn't find something to check.

It's an opportunity to review the linters Practicalli uses to support the quality of docs and code.

Took the Bianchi in to get a new bottom bracket fitted. The bike has lasted 20 years and a lot of kilometers. Unfortunately there wasn't a Strava back in 2006 when I got the Bianchi bike, so most of the distance on the bike was never captured until 2019.

Practicalli

I updated Practicalli Sustainable Life book with a recipe for pickled turnips and an overview of the different types of pickling vinegars.

I also updated the book build to use Zensical, both locally and by switching to the .github/workflow/docs.yaml workflow.

Megalinter

Megalinter is an excellent way to add a range of formatting and syntax analysis tools to the continuous integration workflow of a project.

As the title suggests, there is a very large range of linters available.

Use a specific flavour of Megalinter in the CI workflow to only run the linters relevant to the project, e.g. Documentation, Java, etc. A custom set of linters can also be configured.

Which Linters to use

Practicalli has two kinds of projects and uses a different Megalinter flavour for each:

  • Documentation is used for books and blog websites
  • Java is used for Clojure projects

In each of the megalinter.yaml configurations for these flavours, linters that are not required are set not to run (although they are still included in the Megalinter docker image for that flavour).

Repository

  • 🔴 checkov: Infrastructure as Code security check - not relevant
  • 🔴 devskim: detect security vulnerabilities & anti-patterns in source code - no Clojure support
  • ❔ dustilock: dependency vulnerability scanner - supports Maven (not Clojars)
  • ✅ git diff: scan files for Git conflict markers and other merge-related characters
  • ✅ gitleaks: detect secrets (passwords, API keys, tokens) in the full history of the git repository
  • ✅ Grype: dependency vulnerability scanner, detecting CVEs across multiple vulnerability databases (e.g. Debian packages, Maven dependencies)
  • 🔴 KICS: Infrastructure as Code security scanner - disabled due to compromised supply chain
  • ✅ ls-lint: check consistent naming of files & directories (e.g. snake, camel, kebab case) - check snake case is used for Clojure source and test files
  • ❔ OSV-Scanner: detect known vulnerabilities from the OSV database in open-source dependencies - Debian packages, Java jars (fails on documentation projects)
  • ❔ SecretLint: secrets detection (API keys, passwords, and tokens) - use gitleaks instead?
  • 🔴 Semgrep: AI-powered static analysis tool to find bugs, detect security vulnerabilities, and enforce code standards - no Clojure support
  • 🔴 Syft: Software Bill of Materials (SBOM) generation tool - not relevant
  • ✅ Trivy: detects vulnerabilities, misconfiguration, secrets, and license issues in container images, filesystems, and git repositories
  • 🔴 Trivy SBOM: Software Bill of Materials (SBOM) for enhanced supply chain security and compliance - not relevant
  • ❔ TruffleHog: git repository secrets scanner for files (password, API key, etc.) - Practicalli sets errors as warnings
  • ✅ kingfisher: (Rust) secret scanning with language-aware parsing

Key:

  • ✅ use linter
  • ❔ maybe use linter
  • 🔴 don't use linter

Output from the Practicalli Journal repository

+----SUMMARY----+--------------------------+---------------+-------+-------+--------+----------+--------------+
| Descriptor    | Linter                   | Mode          | Files | Fixed | Errors | Warnings | Elapsed time |
+---------------+--------------------------+---------------+-------+-------+--------+----------+--------------+
| ⚠️ MARKDOWN   | markdownlint             | list_of_files |   175 |       |    883 |        0 | 5.43s        |
| ⚠️ MARKDOWN   | markdown-table-formatter | list_of_files |   179 |       |      1 |        0 | 0.48s        |
| ✅ REPOSITORY | gitleaks                 | project       |   n/a |       |      0 |        0 | 359.34s      |
| ✅ REPOSITORY | grype                    | project       |   n/a |       |      0 |        0 | 61.61s       |
| ❌ REPOSITORY | osv-scanner              | project       |   n/a |       |      1 |        0 | 0.4s         |
| ✅ REPOSITORY | syft                     | project       |   n/a |       |      0 |        0 | 3.69s        |
| ✅ REPOSITORY | trivy                    | project       |   n/a |       |      0 |        0 | 13.8s        |
| ✅ REPOSITORY | trivy-sbom               | project       |   n/a |       |      0 |        0 | 0.18s        |
| ✅ REPOSITORY | trufflehog               | project       |   n/a |       |      0 |        0 | 3.88s        |
| ✅ YAML       | v8r                      | list_of_files |     8 |       |      0 |        0 | 5.0s         |
+---------------+--------------------------+---------------+-------+-------+--------+----------+--------------+

Current Practicalli configuration for documentation projects

.github/config/megalinter.yaml
ENABLE:  # ENABLE specific linters, all other linters automatically disabled
  #  - CLOJURE
  - CREDENTIALS
  # - DOCKERFILE
  - MAKEFILE
  - MARKDOWN
  - GIT
  # - SPELL
  - YAML
  - REPOSITORY

REPOSITORY_GITLEAKS_CONFIG_FILE: ".github/config/gitleaks.toml"
REPOSITORY_TRUFFLEHOG_DISABLE_ERRORS: true # Errors only as warnings

DISABLE_LINTERS:
  - REPOSITORY_GIT_DIFF # warnings about LF to CRLF
  - REPOSITORY_SECRETLINT # reporting errors in its own config file
  - REPOSITORY_DEVSKIM # unnecessary URL TLS checks
  - REPOSITORY_CHECKOV # fails on root user in Dockerfile
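To show how the flavour choice and the configuration above fit together in CI, here is an added GitHub Actions workflow example. It is not the Practicalli docs.yaml workflow and not part of the original post; the file name `.github/workflows/megalinter.yaml` is an assumption, the documentation flavour action and the `MEGALINTER_CONFIG`, `DISABLE_ERRORS` and `megalinter-reports` names are MegaLinter's own. The checkout uses the full history because gitleaks scans every commit, not just the working tree, and the workflow token is restricted to read access so a misbehaving linter cannot write to the repository.

```yaml
# Assumed location: .github/workflows/megalinter.yaml (example, not the project's workflow)
name: MegaLinter

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege: the linters only need to read the checkout
permissions:
  contents: read

jobs:
  megalinter:
    runs-on: ubuntu-latest
    steps:
      # fetch-depth 0 pulls the whole history so gitleaks can scan past commits,
      # not only the files present at HEAD
      - name: Checkout repository (full history)
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # The documentation flavour bundles only documentation-relevant linters,
      # so the image is smaller and the job finishes sooner than the full flavour
      - name: Run MegaLinter (documentation flavour)
        uses: oxsecurity/megalinter/flavors/documentation@v8
        env:
          # Use the repository-specific config instead of the default .mega-linter.yml
          MEGALINTER_CONFIG: .github/config/megalinter.yaml
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Keep linter errors fatal so the check blocks a merge; true makes the run advisory only
          DISABLE_ERRORS: false

      # Always keep the reports, including on failure, so the cause can be inspected
      - name: Upload MegaLinter reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: megalinter-reports
          path: megalinter-reports
```

The `ENABLE` list in megalinter.yaml then narrows the flavour further: everything not listed stays disabled even though it ships in the image, and `DISABLE_LINTERS` removes individual linters from an enabled descriptor such as REPOSITORY.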

Cycling

Dropped the Bianchi bike in for a replacement bottom bracket. It's surprising how smooth the gears are even though the front chain rings have a noticeable wobble.

Wednesday the Bianchi was fixed and running perfectly. Erick also replaced the stem plug, which was missing a piece apparently. This explains why I needed to keep the cap connected to the plug so I could fit it back in.

I have been thinking about new wheels for the Ribble Endurance bike. I did buy Superteam Carbon wheels with a 50mm depth and they were very nice, lighter than the stock wheels I have. The 50mm depth wheels did catch the wind quite a bit, but otherwise the wheels were great.

Unfortunately on the way back from a round trip to Brighton, I got a puncture and the rim of the rear wheel had a split down the side. I managed to bodge a repair, but the experience has really put me off carbon wheels.

This week I was looking for some equivalent aluminium wheels, ideally with a good width to minimise ballooning / mushrooming of the tyre and give a more efficient tyre profile.

I looked for DT Swiss wheels, but it is really hard to find my preferred type of wheel on their website.

As I was riding the Bianchi to get the bottom bracket repaired, I decided to look for Fulcrum wheels with bladed spokes. The Racing Zero model was a disc brake version of the wheels on the Bianchi (but even lighter and stronger).

The Racing Zero Competition model was as light as the carbon wheels I previously bought and has bladed spokes. The only downside was the cost, approximately 1,250 GBP. That was too much.

I did a search for the wheels and found an ex-demo wheelset that was as new, but for half the price. I made an offer for the wheels, 50 GBP less than the asking price, and the seller accepted.


Thank you.
