25 changes: 25 additions & 0 deletions .github/workflows/actionlint.yml
@@ -0,0 +1,25 @@
name: GitHub action linting

on:
pull_request:
paths:
- '.github/workflows/**'

permissions:
contents: read
pull-requests: write

jobs:
actionlint:
name: actionlint
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v4
Comment on lines +17 to +18
🛠️ Refactor suggestion

Pin actions/checkout to a commit SHA and avoid persisting credentials

For supply-chain hardening, could we pin to a specific commit SHA and avoid persisting credentials? Also, shallow history can confuse diff-based annotations; consider fetching full history (or at least the merge base), wdyt?

Example:

-      - name: Checkout code
-        uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@<commit-sha-for-v4>
+        with:
+          persist-credentials: false
+          fetch-depth: 0
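Review bot: `fetch-depth: 0` in the suggested `with:` block clones the full repository history on every pull request, which this job does not need, since actionlint only reads the files under `.github/workflows/`; please verify that the reporter actually depends on local git history before paying for a full clone on each run. The SHA pin and `persist-credentials: false` are the parts worth taking: no later step in this job needs git credentials, and a pinned action cannot be silently changed by a moved tag. When pinning, keep the tag as a trailing comment (`uses: actions/checkout@<commit-sha-for-v4> # v4`) so the pin stays reviewable and dependency tooling can update it.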

I can fetch the current recommended SHA if helpful.

🤖 Prompt for AI Agents
.github/workflows/actionlint.yml around lines 18-19: the workflow currently uses
actions/checkout@v4; pin this to a specific commit SHA and disable persisting
credentials to harden the supply chain and avoid leaking tokens, and adjust
fetch depth to ensure needed history for diff-based annotations (e.g., set
fetch-depth: 0 or at least fetch-depth: 2/merge-base). Replace the uses value
with actions/checkout@<commit-sha> (use the recommended SHA or ask reviewer for
it), add a with block setting persist-credentials: false and fetch-depth: 0 (or
another minimal depth that includes the merge-base).

- name: Run actionlint
uses: reviewdog/[email protected]
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
reporter: github-pr-review
level: error
Comment on lines +20 to +24
⚠️ Potential issue

Prevent failures on push events by using an appropriate reporter

reporter: github-pr-review cannot comment on push to main, which can cause the step to fail or be a no-op on those runs. Could we conditionally use github-check for non-PR events and keep github-pr-review for PRs, and also fail the job when errors are found (so CI is actionable), wdyt?

Apply this change:

       - name: Run actionlint
-        uses: reviewdog/[email protected]
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          reporter: github-pr-review
-          level: error
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: reviewdog/[email protected]
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          reporter: github-pr-review
+          level: error
+          fail_on_error: true
+
+      - name: Run actionlint (checks for non-PR events)
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: reviewdog/[email protected]
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          reporter: github-check
+          level: error
+          fail_on_error: true
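Review bot: the second step guarded by `if: ${{ github.event_name != 'pull_request' }}` can never run in this workflow, because the `on:` block at the top of the file declares only `pull_request`; the push-to-main failure the comment describes does not occur here. If push runs are wanted, add a `push:` trigger first and only then split the reporters; otherwise a single step is enough, and `fail_on_error: true` is the one change worth keeping. Both suggested steps also still reference the reviewdog action by a mutable tag rather than a full commit SHA, the same pinning concern raised for `actions/checkout` above.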
🧰 Tools
🪛 GitHub Check: CodeQL

[warning] 15-25: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{contents: read}}

🤖 Prompt for AI Agents
In .github/workflows/actionlint.yml around lines 21-25, the action uses a fixed
reporter that fails on push events; change the reporter to pick github-pr-review
for pull_request events and github-check for others using a GitHub Actions
expression (e.g. reporter: ${{ github.event_name == 'pull_request' &&
'github-pr-review' || 'github-check' }}), and add the action input
fail_on_error: true so the job fails when actionlint finds errors.

fail_on_error: true
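Review bot: `fail_on_error: true` is already present on the last line (+25) of this step, so the suggestion above to add it is already satisfied as written. The remaining gap in the step is that `uses: reviewdog/...` is referenced by a tag rather than a full commit SHA, unlike what was requested for `actions/checkout` in the first comment; pin both the same way. Two further points on the token: `pull-requests: write` only takes effect for pull requests opened from the same repository, since on a pull request from a fork the `GITHUB_TOKEN` is read-only regardless of the `permissions:` block, so the `github-pr-review` reporter cannot post review comments there and `fail_on_error: true` is what keeps the job result meaningful; and the CodeQL warning about a missing permissions block refers to the job, while the workflow-level `permissions:` block on lines +8 to +10 already restricts the token for every job, so that warning appears stale relative to this diff.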