Lint actions (#147)

purcell · web-flow · commit e5d5dbcd43b2 · 2026-06-23T01:05:09.000+12:00
* Pin Actions

* Limit workflow permissions

* Don't persist GH credentials from checkout

* Fix actionlint issues

* Enable Actions linting with zizmor and actionlint

* Enable dependabot
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,9 @@
+version: 2
+updates:
+- package-ecosystem: github-actions
+  directory: "/"
+  commit-message:
+    prefix: "chore"
+    include: "scope"
+  cooldown:
+    default-days: 7
diff --git a/.github/workflows/keycloak.yml b/.github/workflows/keycloak.yml
@@ -22,10 +22,14 @@ jobs:
   integration-tests:
     name: Run Integration Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 15
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Setup LocalStack and extension
         run: |
@@ -37,7 +41,7 @@ jobs:
 
           make install
           make dist
-          localstack extensions -v install file://$(ls ./dist/localstack_keycloak-*.tar.gz)
+          localstack extensions -v install file://"$(ls ./dist/localstack_keycloak-*.tar.gz)"
 
           DEBUG=1 localstack start -d
           localstack wait
diff --git a/.github/workflows/lint_workflows.yml b/.github/workflows/lint_workflows.yml
@@ -0,0 +1,39 @@
+name: Lint GitHub Actions workflows
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/**'
+      - '.github/dependabot.yml'
+      - '.github/zizmor.yml'
+  pull_request:
+    paths:
+      - '.github/workflows/**'
+      - '.github/dependabot.yml'
+      - '.github/zizmor.yml'
+
+permissions: {}
+
+jobs:
+  lint_workflows:
+    name: "Run linters"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+
+      - name: Run actionlint
+        uses: raven-actions/actionlint@205b530c5d9fa8f44ae9ed59f341a0db994aa6f8 # v2.1.2
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+        with:
+          # Don't integrate with GitHub Advanced Security
+          advanced-security: false
diff --git a/.github/workflows/miniflare.yml b/.github/workflows/miniflare.yml
@@ -21,9 +21,11 @@ jobs:
   tests-miniflare:
     name: Run extension tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: true
 
@@ -36,7 +38,7 @@ jobs:
 
           make install
           make dist
-          localstack extensions -v install file://$(ls ./dist/localstack_extension_miniflare-*.tar.gz)
+          localstack extensions -v install file://"$(ls ./dist/localstack_extension_miniflare-*.tar.gz)"
 
           DEBUG=1 localstack start -d
           localstack wait
diff --git a/.github/workflows/paradedb.yml b/.github/workflows/paradedb.yml
@@ -22,10 +22,14 @@ jobs:
   integration-tests:
     name: Run Integration Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 10
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Setup LocalStack and extension
         run: |
@@ -38,7 +42,7 @@ jobs:
           make install
           make lint
           make dist
-          localstack extensions -v install file://$(ls ./dist/localstack_extension_paradedb-*.tar.gz)
+          localstack extensions -v install file://"$(ls ./dist/localstack_extension_paradedb-*.tar.gz)"
 
           DEBUG=1 localstack start -d
           localstack wait
diff --git a/.github/workflows/typedb.yml b/.github/workflows/typedb.yml
@@ -22,10 +22,14 @@ jobs:
   integration-tests:
     name: Run Integration Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 10
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Setup LocalStack and extension
         run: |
@@ -38,7 +42,7 @@ jobs:
           make install
           make lint
           make dist
-          localstack extensions -v install file://$(ls ./dist/localstack_extension_typedb-*.tar.gz)
+          localstack extensions -v install file://"$(ls ./dist/localstack_extension_typedb-*.tar.gz)"
 
           DEBUG=1 localstack start -d
           localstack wait
diff --git a/.github/workflows/utils.yml b/.github/workflows/utils.yml
@@ -18,20 +18,24 @@ jobs:
   unit-tests:
     name: Run Unit Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 5
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: "3.11"
 
       - name: Install dependencies
         run: |
           cd utils
-          pip install -e .[dev,test]
+          pip install -e '.[dev,test]'
 
       - name: Lint
         run: |
@@ -46,20 +50,24 @@ jobs:
   integration-tests:
     name: Run Integration Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 10
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: "3.11"
 
       - name: Install dependencies
         run: |
           cd utils
-          pip install -e .[dev,test]
+          pip install -e '.[dev,test]'
 
       - name: Run integration tests
         run: |
diff --git a/.github/workflows/wiremock.yml b/.github/workflows/wiremock.yml
@@ -23,13 +23,17 @@ jobs:
   integration-tests:
     name: Run WireMock Extension Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 10
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Set up Terraform
-        uses: hashicorp/setup-terraform@v3
+        uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1
 
       - name: Set up LocalStack and extension
         run: |
@@ -43,7 +47,7 @@ jobs:
           make install
           make lint
           make dist
-          localstack extensions -v install file://$(ls ./dist/localstack_wiremock-*.tar.gz)
+          localstack extensions -v install file://"$(ls ./dist/localstack_wiremock-*.tar.gz)"
 
           DEBUG=1 localstack start -d
           localstack wait
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,3 @@
+rules:
+  secrets-outside-env:
+    disable: true

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+rules:`
	`2`	`+ secrets-outside-env:`
	`3`	`+ disable: true`