ci(security): add actionlint check to PR static-analysis job (#89) #92
james/carol!92
Closes #89. Sister to #88 (lefthook pre-commit hook, already merged).
What this does
Adds two sibling steps inside the existing `static-analysis` job in `pr.yml`:

- Install step: puts the pinned actionlint binary in `/usr/local/bin/`. Same install pattern as `OSV_SCANNER_VERSION` and `TRIVY_VERSION` use below.
- Run step: `actionlint .forgejo/workflows/*.yml`. Exit code is non-zero on any finding; the human-readable text output renders cleanly in the run UI.

`ACTIONLINT_VERSION: 1.7.12` lives in the workflow's `env:` block alongside the other tool pins, chosen to match what `brew install actionlint` currently installs, so the pre-commit hook from #88 and CI run the same version on a fresh dev setup.

The job itself is renamed from "Static analysis (Semgrep)" to just "Static analysis" since it now covers both tools.
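As an added illustration (not the project's own `pr.yml`), here is what the described change looks like as a Forgejo Actions workflow fragment: the `ACTIONLINT_VERSION` pin in the workflow `env:` block, an install step that drops the binary into `/usr/local/bin/`, and a run step that lints the workflow directory. The job name, the `ubuntu-latest` runner label, the use of `sudo`, and the download URL pattern (actionlint's GitHub release tarballs) are assumptions; the page only states the version pin, the install location and the lint command.

```yaml
# Added example, not the project's pr.yml. Assumed: runner label, sudo
# availability, and the release tarball URL pattern for actionlint.
name: pr

on:
  pull_request:

env:
  # Shared pin: the lefthook pre-commit hook and CI run the same release.
  ACTIONLINT_VERSION: "1.7.12"

jobs:
  static-analysis:
    name: Static analysis
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install actionlint
        run: |
          set -euo pipefail
          url="https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz"
          curl -fsSL "$url" -o /tmp/actionlint.tar.gz
          # Extract only the binary; the tarball also carries docs.
          tar -xzf /tmp/actionlint.tar.gz -C /tmp actionlint
          sudo install -m 0755 /tmp/actionlint /usr/local/bin/actionlint
          actionlint -version

      - name: Run actionlint
        # Any finding gives a non-zero exit and fails the job; the default
        # text output prints file:line:col plus the offending snippet.
        run: actionlint .forgejo/workflows/*.yml
```

The run step is the one the test plan exercises: with the workflows clean it exits 0, and a deliberately invalid expression such as `${{ github.no_such_context }}` in any step makes it exit non-zero with the same `file:line:col` message the local hook prints. Pinning the version keeps local and CI results comparable; if the release also publishes a checksums file, verifying the tarball against it before `install` is a cheap integrity check on the download.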
Scope choice
actionlint's default text output is already terse and contextual (line + column + the offending snippet). The `security-summary.mjs` helper exists to normalize JSON output from heterogeneous scanners; actionlint is a single tool with one output shape, so a custom summarizer would be pure overhead.

Test plan

- `actionlint .forgejo/workflows/*.yml` against this branch passes clean: the pr.yml content lints itself green.
- The lefthook pre-commit hook from #88 (merged to `main`) fires on this commit's staged pr.yml; both gitleaks and actionlint pass before push, demonstrating the dual-layer in practice.
- A deliberately invalid expression (e.g. `${{ github.no_such_context }}`) fails this step with the same line+column message the local hook produces.

Coordination
#88 has merged; this PR closes the dual-layer loop. After this lands, the README "Setup" section and
ADR-0011-style "dual triggers" rationale carry over naturally to the actionlint pair — no further docs change needed for the immediate cycle.