Add checks for GitHub Actions workflows (#969)

quantumlib · Feb 14, 2025 · b598312 · b598312
1 parent a315711
commit b598312
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 3 deletions.
diff --git a/.github/problem-matchers/README.md b/.github/problem-matchers/README.md
@@ -17,3 +17,9 @@ license. The version of the files at the time they were copied was 2025.1.2.
 
 - [`pylint.json`](https://github.com/home-assistant/core/blob/dev/.github/workflows/matchers/pylint.json)
 - [`yamllint.json`](https://github.com/home-assistant/core/blob/dev/.github/workflows/matchers/yamllint.json)
+
+The following problem matcher JSON file came from the
+[actionlint](https://github.com/rhysd/actionlint/blob/v1.7.7/docs/usage.md)
+documentation (copied on 2025-02-12, version 1.7.7):
+
+- [`actionlint.json`](https://raw.githubusercontent.com/rhysd/actionlint/main/.github/actionlint-matcher.json)
diff --git a/.github/problem-matchers/actionlint.json b/.github/problem-matchers/actionlint.json
@@ -0,0 +1,17 @@
+{
+  "problemMatcher": [
+    {
+      "owner": "actionlint",
+      "pattern": [
+        {
+          "regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$",
+          "file": 1,
+          "line": 2,
+          "column": 3,
+          "message": 4,
+          "code": 5
+        }
+      ]
+    }
+  ]
+}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -85,6 +85,8 @@ jobs:
       yaml_files: ${{steps.filter.outputs.yaml_files}}
       cff: ${{steps.filter.outputs.cff}}
       cff_files: ${{steps.filter.outputs.cff_files}}
+      gha: ${{steps.filter.outputs.gha}}
+      gha_files: ${{steps.filter.outputs.gha_files}}
     steps:
       # When invoked manually, use the given SHA to figure out the change list.
       - if: github.event_name == 'workflow_dispatch'
@@ -121,15 +123,19 @@ jobs:
           list-files: 'shell'
           # The outputs will be variables named "foo_files" for a filter "foo".
           filters: |
+            cff:
+              - added|modified:
+                  - '**/CITATION.cff'
             python:
               - '**/*.py'
+            gha:
+              - added|modified:
+                  - './.github/workflows/*.yaml'
+                  - './.github/workflows/*.yml'
             yaml:
               - added|modified:
                   - '**/*.yaml'
                   - '**/*.yml'
-            cff:
-              - added|modified:
-                  - '**/CITATION.cff'
 
   setup:
     if: needs.changes.outputs.python == 'true'
@@ -423,3 +429,33 @@ jobs:
       - name: Run cffconvert in validation mode
         run: |
           cffconvert --validate
+
+  workflow-validation:
+    if: needs.changes.outputs.gha == 'true'
+    name: Validate GitHub Actions file(s)
+    needs: [changes, yaml-lint]
+    # This uses a Mac runner because actionlint isn't available via Linux apt.
+    runs-on: macos-14
+    timeout-minutes: 5
+    env:
+      changed_files: ${{needs.changes.outputs.gha_files}}
+    steps:
+      - name: Check out a copy of the git repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      # The next action simply fails if there are any unpinned actions.
+      - name: Verify that all workflow actions have pinned versions
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@99589360fda82ecfac331cc6bfc9d7d74487359c
+
+      # If we didn't fail the previous check, go on to more time-consuming ones.
+      - name: Install actionlint
+        run: |
+          HOMEBREW_NO_AUTO_UPDATE=1 brew install actionlint
+
+      - name: Set up actionlint output problem matcher
+        run: |
+          echo "::add-matcher::.github/problem-matchers/actionlint.json"
+
+      - name: Verify that all GitHub Actions workflows are valid
+        run: |
+          /opt/homebrew/bin/actionlint -color