Add actionlint validation for packaged workflows

[coisa]

Objective

Add actionlint validation for both repository workflows and packaged GitHub Actions workflow stubs.

Current Limitation

The project ships reusable workflows under .github/workflows and consumer stubs under resources/github-actions, but workflow syntax and GitHub Actions expression mistakes are not validated by a dedicated GitHub Actions linter.

Proposed Work

Integrate actionlint into the development workflow so workflow changes are validated locally and in CI.

Scope

• Validate .github/workflows/*.yml.
• Validate resources/github-actions/*.yml.
• Decide whether validation belongs in composer dev-tools code-style, composer dev-tools standards, a dedicated command, or CI-only first.
• Ensure packaged stubs are linted with the same quality gate as repository workflows.
• Document how contributors can run the validation locally.

Non-goals

• Rewriting workflow behavior.
• Replacing existing YAML lint checks.
• Adding a custom GitHub Actions parser.

Acceptance Criteria

Functional Criteria

• Workflow files under .github/workflows are validated by actionlint.
• Workflow stubs under resources/github-actions are validated by actionlint.
• CI fails when workflow syntax or expression validation fails.
• Local developer instructions mention how to run the validation.
• Existing valid workflows continue to pass.

Architectural / Isolation Criteria

• The validation is integrated with existing dev-tools commands or CI gates without duplicating workflow file lists in many places.
• The implementation remains deterministic and does not require network access during linting.

[coisa]

I investigated whether we could implement this issue without introducing an external non-PHP dependency.

Conclusion: I could not find a maintained PHP library that provides GitHub Actions workflow validation comparable to actionlint, especially for workflow syntax, GitHub Actions expressions, and action input validation.

What I checked:

• the official actionlint project, which explicitly positions itself as the GitHub Actions static checker and exposes a Go API rather than a PHP one
• Packagist searches for PHP libraries targeting GitHub Actions workflow validation

Given that constraint, implementing this issue would couple fast-forward/dev-tools to an external Go-based tool, which does not fit the package boundary we want here.

For now, I recommend closing this as not planned and relying on GitHub-native validation/editor feedback or a dedicated CI concern outside the PHP package boundary if we want stronger workflow linting later.