
Update GitHub Actions workflows to use specific action versions#7

Open
lionello wants to merge 8 commits into
mainfrom
lio/update-workflow

Conversation


@lionello lionello commented May 19, 2026

Member

Supersedes #6 by getting the Go version from go.mod.

The file actionlint-matcher.json comes from the actionlint repo at rhysd/actionlint@main/.github/actionlint-matcher.json (raw). See rhysd/actionlint@v1.7.12/docs/usage.md#problem-matchers

Summary by CodeRabbit

  • Chores

    • Tightened CI: pinned actions, improved quoting, safer branch deletion, and expanded macOS test matrix.
    • Strengthened release/update flow with extra validations and checksum verification.
  • New Features

    • Pre-commit hook to run action linting when workflow/action files change.
    • Added an actionlint problem matcher.
    • New CI job to lint GitHub Actions and fail on unpinned action usages.



coderabbitai Bot commented May 19, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds a local pre-commit hook and problemMatcher for actionlint, a CI lint-actions workflow that installs and verifies a pinned actionlint and enforces SHA pins, pins several Actions and updates runners/artifact config, and enhances the formula-update workflow to compute tarball SHA256 and Go version.

Changes

Local and CI Actionlint Enforcement with Cross-Workflow Security Hardening

Layer: Local pre-commit hook and problemMatcher
File(s): .githooks/pre-commit, .github/actionlint-matcher.json
Summary: New pre-commit hook conditionally runs actionlint when staged files match .github/workflows/** or .github/actions/**, verifies the actionlint binary is on PATH, and aborts commits when appropriate. Adds actionlint problemMatcher JSON for GitHub Actions annotations.

Layer: Lint-actions workflow for PR validation
File(s): .github/workflows/lint-actions.yml
Summary: New lint-actions workflow runs on PRs touching workflow/action paths, downloads a pinned actionlint release (v1.7.12), verifies its SHA-256, runs actionlint -color, and enforces that uses: entries are pinned to 40-character commit SHAs.

Layer: Workflow pinning and minor fixes
File(s): .github/workflows/publish.yml, .github/workflows/tests.yml
Summary: Pins Homebrew/setup and related actions to specific commit SHAs, updates macos-13 to macos-14 in tests, quotes environment variables/branch refs, and pins the upload-artifact and cache action SHAs.

Layer: Formula update release processing
File(s): .github/workflows/update-formula.yml
Summary: Adds repository_dispatch pre-check requiring version to start with v, parses tag_name and writes TAG_NAME/TARBALL_URL/SHA256 to env, derives GO_VERSION from the tagged go.mod, and updates the Homebrew formula url, sha256, and depends_on "go@...". Pins Slack notify action to a specific SHA.
sequenceDiagram
  participant PR as Pull Request
  participant Runner as GitHub Runner
  participant Checkout as actions/checkout
  participant Downloader as Tarball Downloader
  participant Actionlint as actionlint
  PR->>Runner: triggers lint-actions on PR touching workflows
  Runner->>Checkout: checkout repository (pinned)
  Runner->>Downloader: download actionlint v1.7.12 tarball
  Downloader->>Runner: verify SHA-256 & extract binary
  Runner->>Actionlint: run ./actionlint -color with matcher
  Actionlint->>Runner: emit findings (file, line, message)
  Runner->>Runner: scan `uses:` entries for 40-char SHA pinning
  Runner->>PR: fail workflow if actionlint errors or unpinned `uses:` found

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I nibble lines and chase the lints,
Hooks that run on staged commits,
CI pulls tarballs, checksums in sight,
Pinned actions march and files stay right,
Homebrew learns which Go to build tonight.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly reflects the main objective of the changeset: pinning GitHub Actions workflows to specific action versions across multiple workflow files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/lint-actions.yml:
- Line 16: The actions/checkout step currently uses
"actions/checkout@de0fac2e..." without disabling credential persistence; modify
the checkout step that references
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd to include the input
persist-credentials: false so the checkout action does not keep the workflow
token in the local git config for the remainder of the job.
- Around line 26-33: The Check for non-SHA-pinned actions step uses a grep
pattern ('^\s+uses:') that misses the common step syntax with a leading dash;
update the grep regex to allow optional leading dash and whitespace (e.g. change
the pattern to match lines like '- uses:') and also expand the grep targets to
include the repository's actions directory so composite actions are scanned as
well; adjust the grep invocation in the existing run block (the command that
currently uses '^\s+uses:' and searches the workflows directory) to use the new
regex and include the actions directory in its search list.

In @.github/workflows/update-formula.yml:
- Around line 61-65: The curl in the "Compute SHA256 checksum" step doesn't fail
on HTTP errors so sha256sum can end up hashing an error page; update the command
to use curl -fL --show-error (or --fail -L --show-error) and ensure the shell
fails on pipeline errors (e.g., set -o pipefail or run with bash -eo pipefail)
so the step exits if the download fails, then write SHA256 to GITHUB_ENV as
before (references: the SHA256 variable, the curl | sha256sum pipeline, and the
"$GITHUB_ENV" echo).

📥 Commits

Reviewing files that changed from the base of the PR and between 927b08d and 3054c48.

📒 Files selected for processing (6)
  • .githooks/pre-commit
  • .github/actionlint-matcher.json
  • .github/workflows/lint-actions.yml
  • .github/workflows/publish.yml
  • .github/workflows/tests.yml
  • .github/workflows/update-formula.yml

@lionello lionello requested a review from jordanstephens May 20, 2026 00:43
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Lio李歐 <lionello@users.noreply.github.com>

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/update-formula.yml (2)

70-80: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add set -o pipefail to catch curl failures reliably.

The pipeline curl -fsSL "$GO_MOD_URL" | awk ... has the same pipefail issue: if curl fails, awk may still succeed with empty input, and while the empty check on line 74 will catch that specific case, the lack of pipefail means other failure modes (partial downloads, unexpected error responses) might go undetected.

🛡️ Proposed fix to ensure pipeline failures are caught
     - name: Determine required Go version from go.mod
       run: |
+        set -o pipefail
         GO_MOD_URL="https://raw.githubusercontent.com/DefangLabs/defang/$TAG_NAME/src/go.mod"
         GO_FULL=$(curl -fsSL "$GO_MOD_URL" | awk '/^go [0-9]/{print $2; exit}')
         if [ -z "$GO_FULL" ]; then
           echo "Failed to parse Go version from $GO_MOD_URL" >&2
           exit 1
         fi
         GO_VERSION=$(echo "$GO_FULL" | cut -d. -f1,2)
         echo "Detected Go version in go.mod: $GO_FULL -> go@$GO_VERSION"
         echo "GO_VERSION=$GO_VERSION" >> "$GITHUB_ENV"
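Review bot: The added `set -o pipefail` only converts a curl failure into a step failure because `-f` is already on the `curl -fsSL "$GO_MOD_URL"` line; without `-f` an HTTP error body would still reach `awk` with exit status 0. Since `-s` also suppresses curl's own error text, add `--show-error` (`curl -fsSL --show-error "$GO_MOD_URL"`) so the job log shows why the fetch failed instead of only the generic `Failed to parse Go version` message. One more edge case in this block: `cut -d. -f1,2` keeps a pre-release suffix, so a `go 1.25rc1` directive becomes `go@1.25rc1`, which is not a Homebrew formula name; stripping anything after the digits (e.g. `sed 's/[^0-9.].*//'` before the `cut`) keeps the `depends_on` valid.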
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/update-formula.yml around lines 70 - 80, The shell step
"Determine required Go version from go.mod" currently pipes curl into awk
without pipefail, so failures in curl can be masked; enable robust failure
detection by adding "set -o pipefail" (and keep "set -euo pipefail" if
consistent elsewhere) at the top of that run block so any failure in the
pipeline (affecting GO_MOD_URL -> GO_FULL) causes the step to fail; ensure the
variables referenced (GO_MOD_URL, GO_FULL, GO_VERSION) and the existing
empty-check for GO_FULL remain unchanged.

103-103: ⚠️ Potential issue | 🟠 Major

Correct the SHA version mismatch for rtCamp/action-slack-notify.

The pinned SHA e31e87e03dd19038e411e38ae27cbad084a90661 does not correspond to v2.3.3. The actual SHA for v2.3.3 is f43175ac92c1fb2e8f9cd89aa2984941ac0d30dc. Update the pin to use the correct SHA for the claimed version, or update the version comment to match the pinned commit.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/update-formula.yml at line 103, The pinned SHA for the
GitHub Action in the uses line is incorrect: update the action reference
"rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661" so the SHA
matches the claimed version v2.3.3 (replace the commit SHA with
f43175ac92c1fb2e8f9cd89aa2984941ac0d30dc), or alternatively change the "v2.3.3"
comment to reflect the actual version of the currently pinned commit; make this
fix where the uses: rtCamp/action-slack-notify@... entry appears.
♻️ Duplicate comments (1)
.github/workflows/lint-actions.yml (1)

32-32: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Include composite actions in the SHA-pinning scan.

Line 32 only scans .github/workflows/, so unpinned uses: in .github/actions/ can bypass this check.

Suggested fix
-          if grep -rPn '^\s+-?\suses:\s+\S+@(?![0-9a-f]{40}\b)' .github/workflows/; then
+          dirs=(.github/workflows/)
+          [ -d .github/actions ] && dirs+=(.github/actions/)
+          if grep -rPn '^\s+-?\suses:\s+\S+@(?![0-9a-f]{40}\b)' "${dirs[@]}"; then
             echo "::error::Found actions not pinned to a commit SHA. Use the full SHA with a version comment, e.g. actions/checkout@abc123...def # v6"
             exit 1
           fi
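Review bot: The pattern `\S+@(?![0-9a-f]{40}\b)` has two blind spots worth fixing alongside the directory change. It flags `docker://image@sha256:...` references, whose digest is not a 40-hex commit and so can never pass, and it silently accepts any `uses:` value without an `@` at all, since `\S+@` simply does not match. Local `./path` actions legitimately have no ref, but an `owner/repo` with a missing ref is a typo that should fail here rather than at run time. Consider `(?!docker://|\./)\S+@(?![0-9a-f]{40}\b)` plus a second grep that flags `uses:` lines with neither `@` nor a `./` prefix. Also note that `-P` needs GNU grep built with PCRE (true on the ubuntu runners); on a minimal image grep would exit 2, which the `if` treats as "no findings" and the check would pass silently.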
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/lint-actions.yml at line 32, The grep invocation that
currently scans only ".github/workflows/" (the pattern starting with grep -rPn
'^\s+-?\suses:\s+\S+@(?![0-9a-f]{40}\b)') must also include composite actions in
".github/actions/" — update the command to search both directories (e.g., change
the search path from just .github/workflows/ to include .github/actions/ or use
a recursive .github/**/ pattern) so unpinned uses: in .github/actions/ cannot
bypass the SHA-pinning scan.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/update-formula.yml:
- Around line 61-68: The pipeline can mask curl failures because the command
uses SHA256=$(curl -fsSL "$TARBALL_URL" | sha256sum | awk '{print $1}'); fix it
by enabling pipefail or by checking curl explicitly: either add a safe shell
mode (e.g., run the step with set -euo pipefail / set -o pipefail) before that
pipeline so any curl error fails the step, or change to download the tarball to
a temp file with curl -f -o /tmp/tarball && SHA256=$(sha256sum /tmp/tarball |
awk '{print $1}') and check curl’s exit code before writing to GITHUB_ENV;
reference the SHA256 variable, TARBALL_URL and the write to "$GITHUB_ENV" when
making the change.


📥 Commits

Reviewing files that changed from the base of the PR and between 3054c48 and d678b67.

📒 Files selected for processing (2)
  • .github/workflows/lint-actions.yml
  • .github/workflows/update-formula.yml
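
Both reviews above (the first review's note on the `- uses:` step syntax and the second's duplicate comment on `.github/actions/`) describe the same gap in the PR's grep-based pin check. The block below is an added example, not the PR's `lint-actions.yml` and not CodeRabbit's suggested diff: a portable shell scanner that covers both step syntaxes and both directories, skips `./path` and `docker://` references that carry no commit to pin, ignores the trailing `# vN` version comment, and runs against a constructed sample tree. The sample files and the names `make_sample_tree`, `list_unpinned_uses` and `check_pinned` are assumptions made for the demo.

```shell
# Added example (not the PR's own lint-actions.yml): find `uses:` references
# that are not pinned to a full 40-hex-character commit SHA.

# list_unpinned_uses DIR... : prints "file:line:ref" for each unpinned `uses:`.
list_unpinned_uses() {
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    # Match "uses:" with or without a leading "- "; grep exits 1 on no match.
    grep -rnE '^[[:space:]]*-?[[:space:]]*uses:[[:space:]]+' "$dir" || true
  done | awk '
    {
      file = $0; sub(/:.*/, "", file)
      rest = $0; sub(/^[^:]*:/, "", rest)
      line = rest; sub(/:.*/, "", line)
      ref = rest; sub(/^[^:]*:/, "", ref)
      sub(/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]+/, "", ref)
      sub(/[[:space:]]+#.*$/, "", ref)        # drop a "# v6" style version comment
      sub(/[[:space:]]+$/, "", ref)
      if (ref ~ /^(\.\/|docker:\/\/)/) next   # local or docker refs: no commit to pin
      n = index(ref, "@")
      pin = (n > 0) ? substr(ref, n + 1) : ""
      if (!(length(pin) == 40 && pin ~ /^[0-9a-f]+$/))
        printf "%s:%s:%s\n", file, line, ref
    }'
}

# check_pinned DIR... : CI-style gate; emits a ::error:: annotation and
# returns 1 when any unpinned reference exists, 0 otherwise.
check_pinned() {
  hits=$(list_unpinned_uses "$@")
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    echo "::error::Found actions not pinned to a commit SHA. Use the full SHA with a version comment."
    return 1
  fi
  return 0
}

# Constructed sample repository: a workflow with one SHA-pinned step (the
# checkout SHA from this PR), one tag-pinned step and one local action, plus a
# composite action pinned to a branch. Prints the temp directory path.
make_sample_tree() {
  root=$(mktemp -d) || return 1
  mkdir -p "$root/.github/workflows" "$root/.github/actions/lint"
  cat > "$root/.github/workflows/ci.yml" <<'EOF'
jobs:
  build:
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: actions/setup-go@v5
      - uses: ./.github/actions/lint
EOF
  cat > "$root/.github/actions/lint/action.yml" <<'EOF'
runs:
  using: composite
  steps:
    - uses: actions/cache@main
EOF
  echo "$root"
}
```

On the sample tree the scanner reports exactly the two tag- and branch-pinned references (`actions/setup-go@v5` in the workflow and `actions/cache@main` in the composite action) and leaves the SHA-pinned checkout and the local action alone. The awk parsing avoids `grep -P`, so the check behaves the same on a busybox or BSD userland, where a PCRE grep would otherwise error out and let the gate pass.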
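
The curl pipelines discussed in both reviews (the tarball checksum step and the go.mod version fetch) share one failure mode: a shell pipeline's exit status is the last command's, so a failed download is hashed or parsed as if it succeeded. The block below is an added example, not code from the PR; a constructed failing producer stands in for `curl -f` on an HTTP error so it runs offline, and `digest_naive`, `digest_via_file` and `digest_pipefail` are names chosen for the demo.

```shell
# Added example (not the PR's update-formula.yml): three ways to hash a
# downloaded artifact, one of which quietly hashes nothing when the fetch fails.

# SHA-256 of zero bytes: what the naive pipeline reports when the producer
# dies before writing any output.
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# Hex digest of stdin; falls back to shasum where coreutils is absent.
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | awk '{print $1}'
}

# Constructed stand-ins for `curl -f URL`: one succeeds, one fails with no
# output (curl exits 22 on an HTTP error when -f is set).
fetch_ok()   { printf 'release tarball bytes\n'; }
fetch_fail() { return 22; }

# 1. Naive pipeline, as in the original workflow step: the exit status is
#    sha256sum's, so a failed fetch "succeeds" with the empty-input digest.
digest_naive() { "$@" | sha256_hex; }

# 2. Download to a temp file and check the producer's exit code explicitly
#    (portable to any POSIX sh; the review's second suggestion).
digest_via_file() {
  tmp=$(mktemp) || return 1
  if "$@" > "$tmp"; then
    sha256_hex < "$tmp"
    rm -f "$tmp"
  else
    rm -f "$tmp"
    return 1
  fi
}

# 3. pipefail: any failing stage fails the whole pipeline
#    (bash, ksh, zsh; standardised in POSIX.1-2024).
digest_pipefail() {
  ( set -o pipefail && "$@" | sha256_hex )
}
```

For a failed fetch the naive variant returns the SHA-256 of empty input (`e3b0c442...`), which the original step would have written to `GITHUB_ENV` and then into the formula. In a workflow, `set -o pipefail` at the top of the `run:` block is the smallest change; declaring `shell: bash` on the step has the same effect, because GitHub then runs the script with `bash --noprofile --norc -eo pipefail`, whereas the default shell on Linux runners is only `bash -e`.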


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/update-formula.yml (1)

35-58: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use the dispatched tag instead of always resolving “latest”.

Lines 15-29 validate client_payload.version, but this step still calls getLatestRelease(). If a newer release appears before the workflow runs, or the dispatch intentionally targets a non-latest tag, the formula will be rewritten with the wrong tarball, SHA, and Go version.

Suggested fix
-      - name: Fetch the latest release from CLI repository
+      - name: Resolve release from CLI repository
         id: latest-release
         uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
         with:
           script: |
-            const { data } = await github.rest.repos.getLatestRelease({
-              owner: process.env.GITHUB_REPOSITORY_OWNER,
-              repo: 'defang'
-              });
+            const requestedTag =
+              context.eventName === 'repository_dispatch'
+                ? context.payload.client_payload?.version
+                : null;
+
+            const { data } = requestedTag
+              ? await github.rest.repos.getReleaseByTag({
+                  owner: process.env.GITHUB_REPOSITORY_OWNER,
+                  repo: 'defang',
+                  tag: requestedTag,
+                })
+              : await github.rest.repos.getLatestRelease({
+                  owner: process.env.GITHUB_REPOSITORY_OWNER,
+                  repo: 'defang',
+                });
             return {
               tag_name: data.tag_name,
               tarball_url: data.tarball_url
             };
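Review bot: With `getReleaseByTag` a missing or mistyped `client_payload.version` surfaces as a thrown 404 from github-script, which is the right failure mode for this workflow, but the step keeps `id: latest-release` and downstream steps still read a `LATEST_RELEASE` env name; now that the step is named "Resolve release" and may return a non-latest tag, rename both so the logs and env do not misdescribe what was resolved. The fallback to `getLatestRelease()` for non-dispatch triggers is reasonable, but a one-line comment saying that `workflow_dispatch` runs deliberately track the newest release would save the next reader from wondering whether the branch is an oversight.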
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/update-formula.yml around lines 35 - 58, The workflow
currently always calls getLatestRelease() (step id latest-release) and derives
TAG_NAME from that output, which can overwrite the formula with the wrong tag;
change the script to read the dispatched tag from
github.event.client_payload.version (or the appropriate dispatch payload) and
call github.rest.repos.getReleaseByTag({ owner, repo: 'defang', tag }) instead
of getLatestRelease(), return tag_name and tarball_url from that call, and
ensure the downstream env handling (LATEST_RELEASE/TAG_NAME/TARBALL_URL) uses
that returned tag so the tarball, SHA and Go version match the dispatched tag.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/update-formula.yml:
- Around line 90-98: The commit/tag step is not idempotent: git commit fails
when there are no changes and git push --tags fails if $TAG_NAME already exists;
update the step around the commands that touch Formula/defang.rb, $TAG_NAME, and
the commit/tag/push logic so it first checks for changes (e.g., test git
status/git diff for Formula/defang.rb or use git diff --quiet) and only runs git
commit when there is something to commit, and check for the existence of the tag
(locally and/or on origin via git rev-parse or git ls-remote) and only
create/push the tag if it does not already exist; also make pushes resilient
(push only created tag or tolerate already-pushed tag) to ensure reruns are
safe.


📥 Commits

Reviewing files that changed from the base of the PR and between d678b67 and 234f439.

📒 Files selected for processing (1)
  • .github/workflows/update-formula.yml


@jordanstephens jordanstephens left a comment

Member


The coderabbit comment seems worth doing. I can't make sense of the actionlint matcher, so a comment would be helpful

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/update-formula.yml:
- Around line 95-104: The early exit inside the staged-change check (the block
using "if git diff --cached --quiet; then echo \"Formula already up to date\"
exit 0 fi") prevents the subsequent tag logic ("if ! git ls-remote --exit-code
--tags origin \"refs/tags/$TAG_NAME\" ...; then git tag \"$TAG_NAME\" git push
origin \"refs/tags/$TAG_NAME\" fi") from running on reruns where a commit
already exists but the tag was not pushed; change the sequence so that when the
working tree is unchanged you skip the commit/push steps but do NOT exit the
script—remove or replace the "exit 0" with logic that only skips "git commit -m"
and "git push" and lets the tag existence check and tag creation block always
run.

📥 Commits

Reviewing files that changed from the base of the PR and between 13e76b0 and f49a0e5.

📒 Files selected for processing (1)
  • .github/workflows/update-formula.yml

Comment on lines +95 to +104
if git diff --cached --quiet; then
echo "Formula already up to date"
exit 0
fi
git commit -m "Update Homebrew formula to version $TAG_NAME"
git push
if ! git ls-remote --exit-code --tags origin "refs/tags/$TAG_NAME" >/dev/null 2>&1; then
git tag "$TAG_NAME"
git push origin "refs/tags/$TAG_NAME"
fi


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Early exit bypasses tag creation in partial failure recovery scenarios.

If a previous run pushed the formula commit but failed before pushing the tag (e.g., network error between lines 100 and 103), a rerun will find no staged changes, exit at line 97, and never reach the tag creation logic at lines 101-104. This breaks idempotency for that recovery case.

🛡️ Proposed fix: Skip only the commit/push when formula is unchanged, but always check tag
          git add Formula/defang.rb
          if git diff --cached --quiet; then
            echo "Formula already up to date"
-           exit 0
+         else
+           git commit -m "Update Homebrew formula to version $TAG_NAME"
+           git push
          fi
-         git commit -m "Update Homebrew formula to version $TAG_NAME"
-         git push
          if ! git ls-remote --exit-code --tags origin "refs/tags/$TAG_NAME" >/dev/null 2>&1; then
            git tag "$TAG_NAME"
            git push origin "refs/tags/$TAG_NAME"
          fi
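Review bot: The `>/dev/null 2>&1` on `git ls-remote --exit-code --tags origin "refs/tags/$TAG_NAME"` collapses a transport failure into "tag absent": `--exit-code` returns 2 when no ref matches, while network or auth errors return a different non-zero status, and in this hunk both fall into the `git tag` / `git push origin "refs/tags/$TAG_NAME"` branch, where the push then fails with a less obvious error (or, worse, creates a duplicate local tag on a rerun). Capture the status and only create the tag on exit 2, e.g. `git ls-remote --exit-code --tags origin "refs/tags/$TAG_NAME" >/dev/null 2>&1; rc=$?` followed by a `case "$rc" in 0) ... ;; 2) git tag ...;; *) exit "$rc";; esac`. Also, the bare `git push` in the new `else` branch relies on the checkout's upstream being configured; `git push origin HEAD` is explicit and does not depend on that.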

Bare ubuntu-22.04 lacks rootless bwrap, which `brew doctor` now
requires for the Linux sandbox. Match upstream `brew tap-new` and
run the Linux job in ghcr.io/homebrew/brew:main, which ships bwrap.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>