Skip to content

chore(deps): bump the actions-weekly group across 1 directory with 3 updates #86

chore(deps): bump the actions-weekly group across 1 directory with 3 updates

chore(deps): bump the actions-weekly group across 1 directory with 3 updates #86

name: Workflow Validation
permissions: {}
on:
push:
branches: [main, master]
paths:
- .github/workflows/**
pull_request:
branches: [main, master]
paths:
- .github/workflows/**
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
actionlint:
name: actionlint
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
contents: read
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- name: Install actionlint
run: |
set -euo pipefail
version=1.7.8
expected_sha256="be92c2652ab7b6d08425428797ceabeb16e31a781c07bc388456b4e592f3e36a"
curl -fsSL "https://github.com/rhysd/actionlint/releases/download/v${version}/actionlint_${version}_linux_amd64.tar.gz" -o /tmp/actionlint.tgz
actual_sha256=$(sha256sum /tmp/actionlint.tgz | cut -d' ' -f1)
if [ "$actual_sha256" != "$expected_sha256" ]; then
echo "::error::actionlint checksum mismatch: expected $expected_sha256, got $actual_sha256"
exit 1
fi
tar -xzf /tmp/actionlint.tgz -C /tmp
sudo mv /tmp/actionlint /usr/local/bin/actionlint
- name: Run actionlint
run: actionlint -color
workflow-policy:
name: workflow policy
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
contents: read
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- name: Enforce workflow security and fork-safety invariants
run: |
set -euo pipefail
echo "Checking for mutable action refs..."
if grep -REn "uses:[[:space:]]+[^#]+@(main|master)$" .github/workflows; then
echo "::error::Found mutable action ref (@main/@master). Pin to a commit SHA."
exit 1
fi
echo "Checking changelog fork behavior..."
grep -n "if: github.event.pull_request.head.repo.full_name != github.repository" .github/workflows/changelog.yml >/dev/null
grep -n "if: github.event.pull_request.head.repo.full_name == github.repository" .github/workflows/changelog.yml >/dev/null
echo "Checking tempo-lints fork-safe mode..."
grep -n "post-comment:[[:space:]]\+false" .github/workflows/lint.yml >/dev/null
echo "Checking pr-audit pinning and trust gate..."
if grep -n "tempoxyz/gh-actions/.github/workflows/pr-audit.yml@main" .github/workflows/pr-audit.yml; then
echo "::error::pr-audit reusable workflow must be pinned to a commit SHA."
exit 1
fi
grep -n "contains(fromJson('\[\"OWNER\",\"MEMBER\",\"COLLABORATOR\"\]'), github.event.comment.author_association)" .github/workflows/pr-audit.yml >/dev/null
echo "Checking pull_request_target hardening..."
grep -n "pull_request_target:" .github/workflows/changelog-generate.yml >/dev/null
grep -n "if: steps.source.outputs.same_repo == 'true'" .github/workflows/changelog-generate.yml >/dev/null
# The push must go to the validated branch ref via an authenticated URL
# (App-token), since persist-credentials=false on the checkout step.
grep -n "git push \"https://x-access-token:\${APP_TOKEN}@github.com/\${GITHUB_REPOSITORY}.git\" \"HEAD:" .github/workflows/changelog-generate.yml >/dev/null
if grep -n "git checkout -b \$\{\{ github.event.pull_request.head.ref \}\}" .github/workflows/changelog-generate.yml; then
echo "::error::Unsafe branch checkout pattern detected in changelog generation workflow."
exit 1
fi
echo "Workflow policy checks passed."