|
1 | 1 | name: Actionlint |
2 | 2 |
|
| 3 | +# Lints GitHub Actions workflow YAML for syntax errors, expression typos, |
| 4 | +# unused vars, and deprecated patterns, then validates remote action pins. |
| 5 | + |
3 | 6 | on: |
4 | 7 | push: |
5 | 8 | branches: [main] |
| 9 | + paths: |
| 10 | + - '.github/workflows/**' |
| 11 | + - '.github/actions/**' |
| 12 | + - 'scripts/validate_action_pins.py' |
6 | 13 | pull_request: |
7 | 14 | branches: [main] |
| 15 | + paths: |
| 16 | + - '.github/workflows/**' |
| 17 | + - '.github/actions/**' |
| 18 | + - 'scripts/validate_action_pins.py' |
8 | 19 | workflow_dispatch: |
9 | 20 |
|
10 | | -permissions: |
11 | | - contents: read |
| 21 | +permissions: {} |
12 | 22 |
|
13 | 23 | concurrency: |
14 | 24 | group: actionlint-${{ github.workflow }}-${{ github.ref }} |
|
19 | 29 | name: Actionlint |
20 | 30 | runs-on: ubuntu-latest |
21 | 31 | timeout-minutes: 10 |
| 32 | + permissions: |
| 33 | + contents: read |
22 | 34 | steps: |
| 35 | + - name: Harden runner (egress block + explicit allowlist) |
| 36 | + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 |
| 37 | + with: |
| 38 | + egress-policy: block |
| 39 | + allowed-endpoints: > |
| 40 | + agent.api.stepsecurity.io:443 |
| 41 | + api.github.com:443 |
| 42 | + github.com:443 |
| 43 | + codeload.github.com:443 |
| 44 | + objects.githubusercontent.com:443 |
| 45 | + release-assets.githubusercontent.com:443 |
| 46 | +
|
23 | 47 | - name: Checkout |
24 | 48 | uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
25 | | - - name: Validate action pins |
26 | | - run: python3 scripts/validate_action_pins.py |
| 49 | + with: |
| 50 | + persist-credentials: false |
27 | 51 |
|
| 52 | + - name: Download actionlint (pinned + checksum-verified) |
| 53 | + run: | |
| 54 | + set -euo pipefail |
| 55 | + # actionlint v1.7.12 - Linux amd64 tarball SHA256 from upstream |
| 56 | + # https://github.com/rhysd/actionlint/releases/download/v1.7.12/actionlint_1.7.12_checksums.txt |
| 57 | + ACTIONLINT_VERSION='1.7.12' |
| 58 | + ACTIONLINT_SHA256='8aca8db96f1b94770f1b0d72b6dddcb1ebb8123cb3712530b08cc387b349a3d8' |
| 59 | + curl -fsSL -o /tmp/actionlint.tar.gz \ |
| 60 | + "https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" |
| 61 | + echo "${ACTIONLINT_SHA256} /tmp/actionlint.tar.gz" | sha256sum -c - |
| 62 | + tar -xzf /tmp/actionlint.tar.gz -C /tmp actionlint |
| 63 | + install -m 0755 /tmp/actionlint /usr/local/bin/actionlint |
| 64 | + actionlint --version |
| 65 | +
|
| 66 | + - name: Run actionlint on all workflows |
| 67 | + run: actionlint -color |
| 68 | + |
| 69 | + - name: Validate remote action pins |
| 70 | + run: python3 scripts/validate_action_pins.py |
0 commit comments