Add actionlint check to PR CI #89
james/carol#89
CI-side half of the dual-layer workflow linting plan. Sister to #88 (local hook).

The CI step catches the cases the local hook can't: a contributor without `actionlint` installed, `git commit --no-verify`, force-push to a long-lived branch — same threat model gitleaks' CI workflow was built to cover (ADR-0011).

Scope

- `static-analysis` job in `pr.yml` — minimal cost, runs after Semgrep, reuses the same runner image. Recommended.
- `actionlint`'s install or output is meaningfully separate from Semgrep's.
- `actionlint` by pinned version from the upstream release URL (same pattern as `OSV_SCANNER_VERSION` / `TRIVY_VERSION` in `pr.yml`'s `env:` block). Renovate's `github-actions` manager covers Forgejo Actions but not arbitrary binary pins; add a small `regexManagers` entry in `renovate.json` if drift becomes painful.
- `$GITHUB_STEP_SUMMARY` so a failed run shows the findings inline — same pattern as `scripts/ci/security-summary.mjs`. May not need its own summarizer; `actionlint` exits non-zero with a readable text report.
- `.forgejo/workflows/*.yml` file in the repo, not just diff-touched files. The set is tiny (4 files today) and rule-pack changes can expose new findings on files no PR touched.

Acceptance criteria

- `${{ github.foo }}` context expression in a workflow file fails CI with the `actionlint` finding visible.
- `env:` block alongside `OSV_SCANNER_VERSION` and friends, with a comment matching the existing tone.

Coordination

Should land alongside, or shortly after, #88 (local hook). ADR-0011's dual-layer rationale for gitleaks applies here too — local hook for fast feedback, CI step for enforcement against contributors who bypassed it.

Out of scope today: extending `actionlint` to lint composite actions in this repo (we don't ship any yet), or integrating shellcheck findings into the existing security summary (actionlint already calls shellcheck under the hood).

Part of epic #2.
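The Scope list above describes a three-part CI step: install `actionlint` at a pinned version from the upstream release URL, lint every file under `.forgejo/workflows/` rather than only diff-touched ones, and surface the report in `$GITHUB_STEP_SUMMARY` while still failing the job. The script below is an added example of that step; it is not the repository's `pr.yml` or any upstream code. It assumes the `rhysd/actionlint` release-asset naming scheme for the download URL, that `curl`, `tar`, `sha256sum` and `install` exist on the runner image, and that `actionlint` accepts `-no-color`. The version and checksum values are placeholders to be replaced by the pins in `pr.yml`'s `env:` block; the checksum check is what keeps a swapped release asset from executing on the runner.

```shell
#!/usr/bin/env sh
# Added example, not the repository's own CI step. Installs a pinned,
# checksum-verified actionlint release, lints every workflow file in the
# repo, and appends the report to $GITHUB_STEP_SUMMARY. Version and
# checksum are placeholders; the release URL layout is assumed from the
# rhysd/actionlint release assets.
set -eu

ACTIONLINT_VERSION="${ACTIONLINT_VERSION:-0.0.0}"   # placeholder: real pin lives in pr.yml's env: block
ACTIONLINT_SHA256="${ACTIONLINT_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"  # placeholder
WORKFLOW_DIR="${WORKFLOW_DIR:-.forgejo/workflows}"

# Upstream release URL for a pinned version (assumed asset naming scheme).
actionlint_url() {
  printf 'https://github.com/rhysd/actionlint/releases/download/v%s/actionlint_%s_linux_amd64.tar.gz' "$1" "$1"
}

# Download the tarball, verify it against the pinned SHA-256 before anything
# is extracted, then install the binary. Any mismatch fails the step.
install_actionlint() {
  version="$1"; sha="$2"; dest="${3:-/usr/local/bin}"
  tmp="$(mktemp -d)"
  curl -fsSL "$(actionlint_url "$version")" -o "$tmp/actionlint.tar.gz"
  echo "$sha  $tmp/actionlint.tar.gz" | sha256sum -c - >/dev/null
  tar -xzf "$tmp/actionlint.tar.gz" -C "$tmp" actionlint
  install -m 0755 "$tmp/actionlint" "$dest/actionlint"
  rm -rf "$tmp"
}

# Every workflow file in the directory, not just diff-touched ones, in stable order.
workflow_files() {
  find "${1:-$WORKFLOW_DIR}" -maxdepth 1 -type f \( -name '*.yml' -o -name '*.yaml' \) | sort
}

# Render an actionlint report as the markdown fragment appended to the step summary.
# A failing run embeds the raw report so the finding is visible without opening logs.
summary_markdown() {
  rc="$1"; report="$2"
  if [ "$rc" -eq 0 ]; then
    printf '## actionlint\n\nNo findings.\n'
  else
    printf '## actionlint\n\nExit status %s. Findings:\n\n~~~\n%s\n~~~\n' "$rc" "$report"
  fi
}

# Run actionlint over all workflow files, publish the report, and propagate
# the non-zero exit status so the job fails with the findings visible.
lint_workflows() {
  dir="${1:-$WORKFLOW_DIR}"; rc=0
  # Word-splitting the file list is intentional; workflow paths contain no spaces.
  report="$(actionlint -no-color $(workflow_files "$dir") 2>&1)" || rc=$?
  summary_markdown "$rc" "$report" >> "${GITHUB_STEP_SUMMARY:-/dev/stderr}"
  return "$rc"
}

# Invoked as `sh actionlint-ci.sh run` from the CI step; defines functions only when sourced.
if [ "${1:-}" = "run" ]; then
  install_actionlint "$ACTIONLINT_VERSION" "$ACTIONLINT_SHA256"
  lint_workflows "$WORKFLOW_DIR"
fi
```

The summary writer falls back to stderr when `$GITHUB_STEP_SUMMARY` is unset, so the same script runs locally. Verifying the checksum before `tar` extracts anything is the order that matters: a version pin alone only fixes which URL is fetched, not what comes back from it.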
Related: actionlint pre-commit hook for .forgejo/workflows/ (#88)