feat(ci): add actionlint workflow + self-hosted runner whitelist #12
Merged
Catches GitHub Actions expression / shell / yaml errors at PR review
time instead of post-merge tag-push.
Today's marketplace-publish.yml regression — an `\${{ }}` literal
embedded in a shell `#` comment that GitHub evaluated as an empty
expression — failed silently at workflow-load (referenced_workflows:
[], 0 jobs ran) and took 4 canary attempts to diagnose. actionlint
caught the issue locally with a precise file:line:col error pointing
at the comment.
This workflow:
- Runs on every PR + every push to main
- Lints all 4 workflow files this repo owns (marketplace-publish,
plugin-ci, validate-plugin-manifest, actionlint itself)
- Uses upstream rhysd/actionlint installer pinned to v1.7.12
- shellcheck bundled by default — also catches `run:` block issues
`.github/actionlint.yaml` whitelists the `oracle` self-hosted runner
label so the linter doesn't false-positive flag it (the rest of our
labels — `self-hosted`, `linux`, `arm64` — are already known to
actionlint).
Verified: locally ran `./actionlint -no-color` against all 4
workflow files post-config — clean.
Closes lvis-project/.github P3 follow-up from the
reusable-workflow-rollout retro.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
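The regression described in the commit message above, as an added example (not code from this PR or from actionlint): GitHub substitutes `${{ }}` across the whole `run:` string before the shell ever sees it, so a shell `#` comment does not protect an expression, while a YAML comment does. The sample workflow and the function name are constructed for illustration, and the scan covers only full-line comments in `run:` block scalars.

```python
import re

# Constructed sample workflow (not taken from the PR).
SAMPLE = """\
name: publish
on: push
# ${{ }} in a YAML comment is discarded by the YAML parser
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: resolve
        run: |
          # never write ${{ }} here: this line is part of the run string
          echo "ref=${{ github.ref }}"
      - run: |
          # built from ${{ github.sha }}
          echo done
"""

EXPR = re.compile(r"\$\{\{(.*?)\}\}")
# `run:` opening a block scalar, optionally as the first key of a list item.
RUN_BLOCK = re.compile(r"^(\s*(?:-\s+)?)run:\s*[|>][+-]?\s*$")


def find_comment_expressions(text):
    """Return (line_no, kind, comment) for each ${{ }} inside a full-line
    shell comment of a `run:` block scalar. kind is "empty" or "expression"."""
    findings = []
    key_col = None  # column of the `run` key while inside its block scalar
    for no, line in enumerate(text.splitlines(), 1):
        body = line.strip()
        if key_col is not None:
            indent = len(line) - len(line.lstrip())
            if body and indent <= key_col:
                key_col = None  # dedent: the block scalar has ended
            else:
                if body.startswith("#"):
                    for m in EXPR.finditer(body):
                        kind = "expression" if m.group(1).strip() else "empty"
                        findings.append((no, kind, body))
                continue
        opener = RUN_BLOCK.match(line)
        if opener:
            key_col = len(opener.group(1))
    return findings


if __name__ == "__main__":
    for no, kind, comment in find_comment_expressions(SAMPLE):
        print(f"line {no}: {kind} expression in shell comment: {comment}")
```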
…comment fix
Self-review LOW items applied:
1. Installer script ref `main` → `v1.7.12` — pinning the binary
version arg alone left upstream free to rewrite the installer
script itself. Both refs now pinned to the same release.
2. Explicit `permissions: { contents: read }` block. Inheriting from
org default works today but the explicit block makes the
read-only intent self-documenting in the workflow file.
3. Header comment "three reusable workflows" → "three + this
actionlint.yml itself" since actionlint auto-discovers all
.github/workflows/*.yml from the repo root and lints itself too.
No behavior change beyond the supply-chain tightening.
CI ran the workflow and actionlint exited 2 with a help dump because `-color=never` is not a recognized flag. The actionlint CLI uses boolean toggles: `-color` (force on) and `-no-color` (force off) — no `=value` form. Caught by the workflow itself on first PR run, exactly the kind of issue this workflow exists to surface (though it caught its own typo rather than other workflows', which is also fine).
actionlint's bundled shellcheck flags SC2016 ("Expressions don't
expand in single quotes") on the resolver step's `node -e '...'`
block. False positive — the `$` chars inside the single-quoted JS
body are regex anchors (`/(^|\/)\.env($|\.|\/)/` etc.) and
`process.env.X` accesses, not shell variable interpolation.
Adds inline `# shellcheck disable=SC2016` directive scoped to that
single run block. Comment explains the false-positive context so
future readers know why the rule is suppressed.
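Summary
Add `actionlint` workflow: validates `marketplace-publish.yml` / `plugin-ci.yml` / `validate-plugin-manifest.yml` on every PR + push to main.
Motivation
Regression that occurred today when introducing the reusable workflows:
Changes
Verification
P3 follow-up item 1/3
The highest-leverage item among the P3s from today's session wrap-up. The remaining 2: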