12 files changed, 64 insertions, 33 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 0f7ddb466..3fc71a299 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -13,6 +13,7 @@ on:
      - .github/pull_request_template.md
      - .github/workflows/build.yml
      - .github/workflows/codeql-analysis.yml
+      - .github/workflows/codespell.yml
      - .github/workflows/profile-checks.yml
      - .gitignore
      - .gitlab-ci.yml
@@ -35,6 +36,7 @@ on:
      - .github/pull_request_template.md
      - .github/workflows/build.yml
      - .github/workflows/codeql-analysis.yml
+      - .github/workflows/codespell.yml
      - .github/workflows/profile-checks.yml
      - .gitignore
      - .gitlab-ci.yml
@@ -163,25 +165,3 @@ jobs:
    - run: cppcheck --version
    - name: cppcheck
      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
-  codespell:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
-      with:
-        egress-policy: block
-        allowed-endpoints: >
-          archive.ubuntu.com:80
-          azure.archive.ubuntu.com:80
-          github.com:443
-          packages.microsoft.com:443
-          ppa.launchpadcontent.net:443
-          security.ubuntu.com:80
-    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
-    - name: update package information
-      run: sudo apt-get update -qy
-    - name: install dependencies
-      run: sudo apt-get install -qy codespell
-    - run: codespell --version
-    - name: codespell
-      run: make codespell
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index cb2c15759..489ed4335 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -9,6 +9,7 @@ on:
      - .github/pull_request_template.md
      - .github/workflows/build-extra.yml
      - .github/workflows/codeql-analysis.yml
+      - .github/workflows/codespell.yml
      - .github/workflows/profile-checks.yml
      - .gitignore
      - .gitlab-ci.yml
@@ -26,6 +27,7 @@ on:
      - .github/pull_request_template.md
      - .github/workflows/build-extra.yml
      - .github/workflows/codeql-analysis.yml
+      - .github/workflows/codespell.yml
      - .github/workflows/profile-checks.yml
      - .gitignore
      - .gitlab-ci.yml
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index a66266e30..344090cfd 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -18,6 +18,7 @@ on:
      - .github/pull_request_template.md
      - .github/workflows/build-extra.yml
      - .github/workflows/build.yml
+      - .github/workflows/codespell.yml
      - .github/workflows/profile-checks.yml
      - .gitignore
      - .gitlab-ci.yml
@@ -40,6 +41,7 @@ on:
      - .github/pull_request_template.md
      - .github/workflows/build-extra.yml
      - .github/workflows/build.yml
+      - .github/workflows/codespell.yml
      - .github/workflows/profile-checks.yml
      - .gitignore
      - .gitlab-ci.yml
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
new file mode 100644
index 000000000..e39755dbd
--- /dev/null
+++ b/.github/workflows/codespell.yml
@@ -0,0 +1,40 @@
+name: Codespell
+on:
+  push:
+    paths-ignore:
+      - 'm4/**'
+      - COPYING
+  pull_request:
+    paths-ignore:
+      - 'm4/**'
+      - COPYING
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+jobs:
+  codespell:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
+      with:
+        egress-policy: block
+        allowed-endpoints: >
+          archive.ubuntu.com:80
+          azure.archive.ubuntu.com:80
+          github.com:443
+          packages.microsoft.com:443
+          ppa.launchpadcontent.net:443
+          security.ubuntu.com:80
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+    - name: update package information
+      run: sudo apt-get update -qy
+    - name: install dependencies
+      run: sudo apt-get install -qy codespell
+    - name: configure
+      run: ./configure || (cat config.log; exit 1)
+    - run: codespell --version
+    - name: codespell
+      run: make codespell
diff --git a/Makefile b/Makefile
index e3e0ad551..c04d721cf 100644
--- a/Makefile
+++ b/Makefile
@@ -366,9 +366,16 @@ cppcheck: clean
 scan-build: clean
        scan-build $(MAKE)
+# TODO: Old codespell versions (such as v2.1.0 in CI) have issues with
+# contrib/syscalls.sh
 .PHONY: codespell
-codespell: clean
+codespell:
-        codespell --ignore-regex "UE|creat|doas|ether|isplay|shotcut" src test
+        @printf 'Running %s...\n' $@
+        @codespell --ignore-regex 'UE|als|chage|creat|doas|ether|isplay|readby|[Ss]hotcut' \
+          -S *.gz,*.o,*.so \
+          -S COPYING,m4 \
+          -S ./contrib/syscalls.sh \
+          .
 .PHONY: print-env
 print-env:
diff --git a/RELNOTES b/RELNOTES
index d6ffdc3b2..50a4bd675 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -363,7 +363,7 @@ firejail (0.9.62) baseline; urgency=low
  * whitelisting /usr/share in a large number of profiles
  * new scripts in contrib: gdb-firejail.sh and sort.py
  * enhancement: whitelist /usr/share in some profiles
-  * added signal mediation ot apparmor profile
+  * added signal mediation to apparmor profile
  * new conditions: HAS_X11, HAS_NET
  * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks
  * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder
@@ -758,7 +758,7 @@ firejail (0.9.44.4) baseline; urgency=low
 firejail (0.9.44.2) baseline; urgency=low
  * security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
-  * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson
+  * security: TOCTOU exploit for --get and --put found by Daniel Hodson
  * security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122)
  * security: several security enhancements
  * bugfix: crashing VLC by pressing Ctrl-O
diff --git a/contrib/jail_prober.py b/contrib/jail_prober.py
index fcfe90eb7..070079e09 100755
--- a/contrib/jail_prober.py
+++ b/contrib/jail_prober.py
@@ -151,8 +151,8 @@ def run_firejail(program, all_args):
        if arg:
            myargs.insert(-1, arg)
        subprocess.call(myargs)
-        ans = input('Did %s run correctly? [y]/n ' % program)
+        answer = input('Did %s run correctly? [y]/n ' % program)
-        if ans in ['n', 'N']:
+        if answer in ['n', 'N']:
            bad_args.append(arg)
        elif arg:
            good_args.insert(-1, arg)
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile
index 589811643..da430377e 100644
--- a/etc/profile-a-l/kwin_x11.profile
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -5,7 +5,7 @@ include kwin_x11.local
 # Persistent global definitions
 include globals.local
-# fix automatical kwin_x11 sandboxing:
+# fix automatic kwin_x11 sandboxing:
 # echo KDEWM=kwin_x11 >> ~/.pam_environment
 noblacklist ${HOME}/.cache/kwin
diff --git a/etc/profile-m-z/tvbrowser.profile b/etc/profile-m-z/tvbrowser.profile
index 518dc95c7..16162f989 100644
--- a/etc/profile-m-z/tvbrowser.profile
+++ b/etc/profile-m-z/tvbrowser.profile
@@ -1,5 +1,5 @@
 # Firejail profile for tvbrowser
-# Description: java tv programm form tvbrowser.org
+# Description: java tv program form tvbrowser.org
 # This file is overwritten after every install/update
 # Persistent local customizations
 include tvbrowser.local
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
index d53acdaf7..e2b8de12b 100644
--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -1,5 +1,5 @@
 # Firejail profile for twitch
-# Description: Unofficial electron based desktop warpper for Twitch
+# Description: Unofficial electron based desktop wrapper for Twitch
 # This file is overwritten after every install/update
 # Persistent local customizations
 include twitch.local
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
index 4d1e9a063..bee309986 100644
--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -1,5 +1,5 @@
 # Firejail profile for youtube
-# Description: Unofficial electron based desktop warpper for YouTube
+# Description: Unofficial electron based desktop wrapper for YouTube
 # This file is overwritten after every install/update
 # Persistent local customizations
 include youtube.local
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
index cfee8c426..d1bc4d5a2 100644
--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -1,5 +1,5 @@
 # Firejail profile for youtubemusic-nativefier
-# Description: Unofficial electron based desktop warpper for YouTube Music
+# Description: Unofficial electron based desktop wrapper for YouTube Music
 # This file is overwritten after every install/update
 # Persistent local customizations
 include youtube.local