From b0373417c0f9c29a76a68678b98a964a2475d32b Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Thu, 14 Nov 2024 22:32:07 -0800
Subject: [PATCH] feat: add link validation (#579)

---
 .github/workflows/config/linkspector.yml | 5 +++++
 .github/workflows/linkspector.yml | 18 ++++++++++++++++++
 docs/CONTRIBUTING.md | 1 -
 docs/README.md | 2 +-
 docs/USERNS.md | 2 +-
 5 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/config/linkspector.yml
 create mode 100644 .github/workflows/linkspector.yml

diff --git a/.github/workflows/config/linkspector.yml b/.github/workflows/config/linkspector.yml
new file mode 100644
index 0000000..74b3b86
--- /dev/null
+++ b/.github/workflows/config/linkspector.yml
@@ -0,0 +1,5 @@
+dirs:
+  - .
+useGitIgnore: true
+ignorePatterns:
+  - pattern: '^generate_secureblue_iso.sh$'
\ No newline at end of file
diff --git a/.github/workflows/linkspector.yml b/.github/workflows/linkspector.yml
new file mode 100644
index 0000000..edb1728
--- /dev/null
+++ b/.github/workflows/linkspector.yml
@@ -0,0 +1,18 @@
+name: Linkspector
+on:
+  pull_request:
+    branches:
+      - live
+jobs:
+  check-links:
+    name: Linkspector
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Run linkspector
+        uses: umbrelladocs/action-linkspector@fc382e19892aca958e189954912fe379a8df270c # v1.2.4
+        with:
+          filter_mode: nofilter
+          reporter: github-pr-review
+          fail_on_error: true
+          config_file: .github/workflows/config/linkspector.yml
\ No newline at end of file
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index 191b2fd..6a615e9 100644
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
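Review bot: The `ignorePatterns` entry `'^generate_secureblue_iso.sh$'` is, as far as linkspector's configuration is documented, matched against link targets rather than file paths, so it only suppresses a link whose URL is literally that filename; if the intent was to skip scanning the script itself, that belongs under a file-exclusion key (`excludedFiles`) instead — worth confirming which was meant. Either way the unescaped `.` matches any character, so `'^generate_secureblue_iso\.sh$'` is the exact match the `^`/`$` anchors suggest. The file is also written without a trailing newline, which the `\ No newline at end of file` marker shows; add one so later edits diff cleanly.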
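Review bot: The new workflow declares no `permissions:` block, so the job runs with whatever default `GITHUB_TOKEN` scope the repository grants, while the `github-pr-review` reporter only needs to read the checkout and post review comments. Least privilege is a top-level `permissions:` with `  contents: read` and `  pull-requests: write`, which also documents why the reporter needs write access. Note that on `pull_request` runs from forks the token is read-only regardless, so the reporter cannot post there and `fail_on_error: true` is what will actually surface broken links in that case. Both actions are pinned to full commit SHAs with version comments, which is the right supply-chain practice; keep that convention when bumping them. Like the config file, this one is missing its trailing newline.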
@@ -27,7 +27,6 @@ All types of contributions are encouraged and valued. See the [Table of Contents
 - [Building Locally](#building-locally)
 - [Styleguides](#styleguides)
 - [Commit Messages](#commit-messages)
-- [Join The Project Team](#join-the-project-team)
 ## Code of Conduct
diff --git a/docs/README.md b/docs/README.md
index e1db63b..cd72044 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -9,7 +9,7 @@
 [![secureblue](https://github.com/secureblue/secureblue/actions/workflows/build.yml/badge.svg)](https://github.com/secureblue/secureblue/actions/workflows/build.yml)
 [![Discord](https://img.shields.io/discord/1202086019298500629?style=flat&logo=discord&logoColor=white&label=Discord&labelColor=%235F6AE9&color=%2333CB56)](https://discord.com/invite/qMTv5cKfbF)
-[![Donate](https://img.shields.io/badge/Donate-blue.svg)](https://github.com/secureblue/secureblue/blob/live/DONATE.md)
+[![Donate](https://img.shields.io/badge/Donate-blue.svg)](DONATE.md)
 This repo uses [BlueBuild](https://blue-build.org/) to generate hardened operating system images, using [Fedora Atomic Desktop](https://fedoraproject.org/atomic-desktops/)'s [base images](https://pagure.io/workstation-ostree-config) as a starting point.
diff --git a/docs/USERNS.md b/docs/USERNS.md
index 7aac482..3347988 100644
--- a/docs/USERNS.md
+++ b/docs/USERNS.md
@@ -4,7 +4,7 @@
 There is a [long history](https://madaidans-insecurities.github.io/linux.html#kernel) of vulnerabilities made possible by allowing this functionality for unprivileged users ever since its [introduction](https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction). Given this history, you might think we should just disable this functionality altogether. However if this functionality is disabled, then flatpak can't function without the suid bit set on the bubblewrap binary. In this scenario bubblewrap creates namespaces on behalf of the user instead of the kernel, by running as root. This means trusting bubblewrap (a significantly less battle-tested piece of software than the kernel) to run as root. However, some see this as still a preferable tradeoff (trusting one small program with root in exchange for reducing the kernel's attack surface).
-Ultimately we leave both options available because it's a tradeoff and neither is demonstrably preferable from a security standpoint. It should also be noted that podman, toolbox, and distrobox require unprivileged user namespaces to function and are therefore [removed in the non-userns images](https://github.com/secureblue/secureblue/blob/live/recipes/common/disableuserns-packages.yml).
+Ultimately we leave both options available because it's a tradeoff and neither is demonstrably preferable from a security standpoint. It should also be noted that podman, toolbox, and distrobox require unprivileged user namespaces to function and are therefore not included in the non-userns images. Canonical considers user namespaces to be a substantial risk, too, and has restricted them via a global AppArmor policy [since 23.10 by opt-in](https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626) and [since 24.04 by default](https://ubuntu.com/blog/whats-new-in-security-for-ubuntu-24-04-lts).