feat(ci,deps): lint workflow files; check deps are pinned (#2005)

Author: danceratopz

.github/actionlint.yaml

@@ -0,0 +1,6 @@
+self-hosted-runner:
+  labels:
+    - self-hosted-ghr
+    - size-l-x64
+    - size-xl-x64
+    - size-gigachungus-x64

.github/actions/build-fixtures/action.yaml

@@ -1,4 +1,5 @@
 name: Build and Package Fixture Release
+description: Build test fixtures and package them for release
 inputs:
   release_name:
     description: "Name of the fixture release"

.github/workflows/release_fixture_feature.yaml

@@ -23,8 +23,8 @@ jobs:
           FEATURE_PREFIX="${GITHUB_REF_NAME//@*/}"
           FEATURE_NAME="${FEATURE_PREFIX#tests-}"
           names=$(grep -Po "^${FEATURE_NAME}(?=:)" .github/configs/feature.yaml | jq  --raw-input .  | jq -c --slurp .)
-          echo names=${names}
-          echo names=${names} >> "$GITHUB_OUTPUT"
+          echo "names=${names}"
+          echo "names=${names}" >> "$GITHUB_OUTPUT"
 
   build:
     needs: feature-names

.github/workflows/release_fixture_full.yaml

@@ -19,7 +19,7 @@ jobs:
         run: |
           # Get all features without `feature_only: true`
           grep -Po "^[0-9a-zA-Z_\-]+" ./.github/configs/feature.yaml | \
-          while read feature; do
+          while read -r feature; do
             if ! awk "/^$feature:/{flag=1; next} /^[[:alnum:]]/{flag=0} flag && /feature_only:.*true/{exit 1}" \
                   ./.github/configs/feature.yaml; then
               continue

.github/workflows/test.yaml

@@ -20,6 +20,8 @@ jobs:
       - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955
         with:
           submodules: recursive
+      - name: Ensure SHA pinned actions
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@6124774845927d14c601359ab8138699fa5b70c3 # v4.0.1
       - name: Setup Python
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
         with:
@@ -31,6 +33,18 @@ jobs:
           pip install 'tox>=4.11,<5' requests
       - name: Run static checks
         run: tox -e static
+      - name: Setup uv
+        uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1
+      - name: Validate workflow config variables
+        run: |
+          cat >> .github/actionlint.yaml << 'EOF'
+
+          # CI-only: validate vars.* references
+          config-variables:
+            - DEFAULT_PYTHON_VERSION
+            - UV_VERSION
+          EOF
+          uvx --from actionlint-py actionlint
 
   py3:
     runs-on: [self-hosted-ghr, size-xl-x64]

pyproject.toml

@@ -182,6 +182,11 @@ lint = [
     "vulture==2.14.0",
     "types-requests>=2.31,<2.33",
 ]
+actionlint = [
+    "actionlint-py>=1.7",
+    "pyflakes>=3.0",
+    "shellcheck-py>=0.10",
+]
 doc = [
     "docc>=0.3.0,<0.4.0",
     "fladrif>=0.2.0,<0.3.0",
@@ -210,6 +215,7 @@ mkdocs = [
 dev = [
     { include-group = "test" },
     { include-group = "lint" },
+    { include-group = "actionlint" },
     { include-group = "doc" },
     { include-group = "mkdocs" },
     "ethereum-execution[optimized]",

tox.ini

@@ -34,6 +34,7 @@ commands =
     mypy
     ethereum-spec-lint
     uv lock --check
+    actionlint -pyflakes pyflakes -shellcheck "shellcheck -S warning"
 
 [testenv:tests_pytest_py3]
 description = Run the testing package unit tests (with Python)