
ci(lint): add checks: write + fix path filter on actionlint workflow#373

Merged
kotakanbe merged 1 commit intomainfrom
ci/actionlint-workflow
May 4, 2026

Conversation


@kotakanbe kotakanbe commented May 2, 2026

Summary

Reworked from the original "create lint.yml" form to a modification of the existing lint.yml that #370 introduced. Three functional changes versus current main.

Context: this PR was opened before #370 merged and originally created lint.yml from scratch (39 → 69 lines). After #370 landed lint.yml on main, the change was rebased to the diff form below.

Functional changes vs. main

1. permissions: — add checks: write

Required for reviewdog's github-pr-check reporter to publish inline annotations via the Checks API. Without it, findings only appear in the run log, not on the PR diff — a silent degradation that defeats the point of the github-pr-check reporter.

2. paths: `.github/actions/**` → `.github/actionlint.yaml`

actionlint's default invocation does not lint composite actions under .github/actions/, so the previous path filter triggered the workflow on changes that never affected lint output. The new filter tracks the actionlint config file (which DOES affect lint results when it exists).

A note in the file header documents that composite actions need explicit actionlint_flags paths if they are added in the future.

3. Documentation

  • Caveats: set -euo pipefail × var=$(... | jq ...) exit-propagation gap that shellcheck does not model — referenced as || true guard pattern in copilot-clean-label.yml stuck-detector.
  • Composite-action lint coverage gap (point 2 above).
  • Per-setting rationale on checks: write, the v1.72.0 SHA pin, and actionlint_flags: -color.

Synced from vuls-saas/vuls-reach PR #9.

Test plan

  • git diff origin/main is a pure modification (no add/add file conflict)
  • After merge: open a PR that introduces an intentional actionlint violation and verify the check fails with inline annotation on the PR diff (the bit that requires checks: write)
  • Verify the workflow fires when .github/actionlint.yaml is touched (currently absent — can be tested by adding an empty config)
  • Verify the workflow does not fire on .github/actions/** changes (no composite actions exist yet, so this is a no-op verification — leave a TODO for when one is added)

🤖 Generated with Claude Code
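An illustrative `lint.yml`, added here as an example and not the repository's actual file, showing the two settings the description discusses: the job-level `checks: write` grant next to a read-only workflow default, and the path filter swapped from `.github/actions/**` to `.github/actionlint.yaml`. The `<commit-sha>` placeholders and the `fail_on_error` input name are assumptions.

```yaml
# .github/workflows/lint.yml (illustrative, not the repository's file)
name: lint

on:
  pull_request:
    paths:
      - ".github/workflows/**"
      # Before this PR the filter listed ".github/actions/**". actionlint's
      # default invocation does not lint composite actions, so edits there
      # re-ran the workflow without ever changing its output.
      # The config file, when present, does change lint results, so it is
      # the path worth tracking instead.
      - ".github/actionlint.yaml"

# Workflow-level default: read-only. Jobs widen only what they need.
permissions:
  contents: read

jobs:
  actionlint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Without checks: write the github-pr-check reporter cannot create a
      # check run, so findings land only in the job log, not on the PR diff.
      checks: write
    steps:
      # Placeholders: pin both actions to full commit SHAs, not tags.
      - uses: actions/checkout@<commit-sha>
      - uses: reviewdog/action-actionlint@<commit-sha>  # the v1.72.0 SHA
        with:
          reporter: github-pr-check
          actionlint_flags: -color
          fail_on_error: true  # assumed input name; confirm against the action's README
```

Reviewing the job log alone will not reveal the missing grant; the check run appearing (or not) on the PR is the observable difference.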


Copilot AI left a comment


Pull request overview

Adds a dedicated GitHub Actions workflow to statically lint other workflows using actionlint (via reviewdog/action-actionlint), to catch common GitHub Actions YAML issues and ShellCheck findings in run: blocks early during PR review.

Changes:

  • Introduce .github/workflows/lint.yml to run actionlint on workflow/config changes only (path-filtered).
  • Configure reviewdog reporting via Checks API annotations and fail the workflow on any finding.
  • Apply least-privilege permissions at workflow/job level and pin actions to SHAs.

Reworked from the original "create lint.yml" form (#373 v1) to a
modification of the existing lint.yml that #370 introduced.

Functional changes vs. main:

1. permissions: + `checks: write` — required for reviewdog's
   `github-pr-check` reporter to publish inline annotations via the
   Checks API. Without it, findings only show up in the run log, not
   on the PR diff (silent degradation).

2. paths filter: `.github/actions/**` → `.github/actionlint.yaml`.
   actionlint's default invocation does NOT lint composite actions
   under `.github/actions/`, so the previous filter triggered the
   workflow on changes that never affected lint output. The new
   filter tracks the actionlint config (which DOES affect lint
   results).

3. Documentation: caveats around `set -euo pipefail` × `$(... | jq ...)`
   exit-propagation gaps, composite-action coverage, and per-setting
   rationale.

Synced from `vuls-saas/vuls-reach` PR #9.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@kotakanbe kotakanbe force-pushed the ci/actionlint-workflow branch from 0ed59de to 90bb41f May 4, 2026 19:09
@kotakanbe kotakanbe requested a review from Copilot May 4, 2026 19:09
@kotakanbe kotakanbe changed the title ci: add actionlint workflow for static GitHub Actions / bash linting ci(lint): add checks: write + fix path filter on actionlint workflow May 4, 2026
@kotakanbe kotakanbe merged commit e238411 into main May 4, 2026
11 checks passed
@kotakanbe kotakanbe deleted the ci/actionlint-workflow branch May 4, 2026 19:11

Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.
