Remove home-made gha shellcheck, use actionlint

Actionlint understands the interpolation syntax, so there won't be any
more false-positives for `${{ ... }}` in shell scripts embedded in
GitHub Actions workflow files.

Author: whi-tw

.github/actionlint-matcher.json

@@ -0,0 +1,17 @@
+{
+  "problemMatcher": [
+    {
+      "owner": "actionlint",
+      "pattern": [
+        {
+          "regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$",
+          "file": 1,
+          "line": 2,
+          "column": 3,
+          "message": 4,
+          "code": 5
+        }
+      ]
+    }
+  ]
+}

.github/actionlint.yaml

@@ -0,0 +1,4 @@
+self-hosted-runner:
+  # Labels of self-hosted runner in array of strings.
+  labels:
+    - ubuntu-24.04-arm-alphagov

.github/workflows/actionlint.yml

@@ -0,0 +1,18 @@
+name: Actionlint
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - ".github/workflows/**"
+
+jobs:
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Check workflow files
+        run: |
+          echo "::add-matcher::.github/actionlint-matcher.json"
+          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+          ./actionlint -color
+        shell: bash

.github/workflows/shell-ci.yml

@@ -22,29 +22,6 @@ jobs:
               -path "*/.terraform/*" \
           | xargs -L1 shellcheck
 
-      - name: Lint shell scripts in GitHub actions
-        run: |
-          # This is not the usual/best way to get the script directory.
-          # We need to do this here because GitHub Actions writes the
-          # content of script blocks like these to a temp directory,
-          # which means the source code directory and the directory
-          # in which the script reside are different
-          script_dir="$(readlink -f "$(dirname .github)")"
-
-          while IFS= read -r -d '' workflow
-          do
-            for path in $(yq '.jobs[] | .steps[] | select(.|has("run")) | .run | "."+(path | join("."))' "${script_dir}/${workflow}");
-            do
-              pushd "$(mktemp -d)" >/dev/null || exit
-                  workflow_name="$(basename "${script_dir}/${workflow}")"
-                  file="${workflow_name}__${path}"
-                  touch "${file}"
-                  yq "${path}" "${script_dir}/${workflow}" > "${file}"
-                  shellcheck -s bash "${file}"
-              popd >/dev/null || exit
-            done
-          done <  <(find ".github/workflows" -type f \( -name "*.yml" -or -name "*.yaml" \) -print0)
-
       - name: Lint shell scripts in CodeBuild build specs
         run: |
           ./support/shellcheck_codebuild.sh

.github/workflows/update-provider-locks.yml

@@ -126,6 +126,7 @@ jobs:
           EOF
 
           # Remove any existing comments from this workflow
+          #shellcheck disable=SC2016
           old_comment_ids=$(gh api "repos/{owner}/{repo}/issues/${{github.event.pull_request.number}}/comments" --jq 'map(select((.user.login == "github-actions[bot]") and (.body | endswith($ENV.COMMENT_MARKER + "\n")))) | .[].id')
           for comment_id in $old_comment_ids; do
             gh api -X DELETE "repos/{owner}/{repo}/issues/comments/${comment_id}"
@@ -155,6 +156,7 @@ jobs:
           EOF
 
           # Remove any existing comments from this workflow
+          #shellcheck disable=SC2016
           old_comment_ids=$(gh api "repos/{owner}/{repo}/issues/${{github.event.pull_request.number}}/comments" --jq 'map(select((.user.login == "github-actions[bot]") and (.body | endswith($ENV.COMMENT_MARKER + "\n")))) | .[].id')
           for comment_id in $old_comment_ids; do
             gh api -X DELETE "repos/{owner}/{repo}/issues/comments/${comment_id}"
@@ -170,6 +172,7 @@ jobs:
           GH_TOKEN: ${{ github.token }}
         run: |
           # Remove any existing comments from this workflow since no changes are needed
+          #shellcheck disable=SC2016
           old_comment_ids=$(gh api "repos/{owner}/{repo}/issues/${{github.event.pull_request.number}}/comments" --jq 'map(select((.user.login == "github-actions[bot]") and ((.body | endswith($ENV.COMMENT_MARKER_MISSING + "\n")) or (.body | endswith($ENV.COMMENT_MARKER_DEPENDABOT + "\n"))))) | .[].id')
           for comment_id in $old_comment_ids; do
             echo "Removing stale comment: $comment_id"