Add and sync actionlint workflow #198
Conversation
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
| @@ -0,0 +1,81 @@ | |||
| # This file is synced from the `.github` repository, do not modify it directly. | |||
| name: Workflow Syntax | |||
There was a problem hiding this comment.
Can this have Actionlint in the name so it better matches the filename?
| brew | ||
| homebrew-core |
There was a problem hiding this comment.
What's custom in the actionlint workflow for these two?
There was a problem hiding this comment.
They reuse the clones made by setup-homebrew (and homebrew-core has core: true there). The brew workflow also runs on changes to .github/actionlint.yaml (which is different from .github/workflows/actionlint.yml). homebrew-core has some handling for shell: /bin/bash.
| test-bot: false | ||
|
|
||
| - name: Install tools | ||
| run: brew install actionlint shellcheck zizmor |
There was a problem hiding this comment.
Will actionlint call overlap with brew style or brew tap-syntax in any of those repos?
There was a problem hiding this comment.
Probably for brew style, not for brew tap-syntax. But running it inside brew style doesn't seem to work properly anyway -- we're getting new actionlint errors now. (Unless we weren't running brew style or brew tap-syntax where that happened, but I don't think that was the case.)
There was a problem hiding this comment.
Actually, I just double checked:
- it won't overlap, because we skip
actionlintfor repos with anactionlint.ymlworkflow - the new errors are from the
-ignorewe pass inbrew style, so the new errors are not evidence ofbrew stylenot working properly.
| - name: Set up actionlint | ||
| run: echo "::add-matcher::$(brew --repository)/.github/actionlint-matcher.json" | ||
|
|
||
| - run: actionlint |
There was a problem hiding this comment.
Should ignore the matrix.container error to avoid failures in homebrew-portable-ruby and actions.
There was a problem hiding this comment.
Pushed fixes to avoid the error instead of ignoring it -- adding -ignore isn't great since it means you can't run actionlint directly from the command-line.
|
Actionlint can remain for private repos, but code scanning via zizmor won't work (unless we make it fail the job on errors instead) as code scanning is not even an base enterprise feature but one that requries "GitHub Advanced Security". |
|
@carlocab thanks for explaining! |
This makes sure we run
actionlintandzizmoracross all our repos.