49 commits
274b868
feat(ci): add YAML and GitHub Actions lint analysis for PRs
bedatty Mar 17, 2026
29ec34c
fix(ci): scope yamllint and actionlint to changed files only
bedatty Mar 17, 2026
3d80351
fix(ci): register blacksmith runner label for actionlint
bedatty Mar 17, 2026
4e446f5
feat(ci): add pinned actions check, markdown link check, typos, and s…
bedatty Mar 17, 2026
49cd047
refactor(ci): merge self-pr-analysis into self-pr-validation
bedatty Mar 17, 2026
b7f000d
feat(lint): add lint composites and refactor self-pr-validation
bedatty Mar 17, 2026
9a69bfb
feat(config): extract changed-workflows composite from self-pr-valida…
bedatty Mar 17, 2026
b492d3c
fix(ci): add changed-files dependency to typos job
bedatty Mar 17, 2026
f334a50
fix(config): fix find operator precedence and require github-token in…
bedatty Mar 18, 2026
e35c14b
feat(lint): add step summaries to all lint and detection composites
bedatty Mar 18, 2026
dde24f4
refactor(lint): replace step summaries with log output in lint compos…
bedatty Mar 18, 2026
b04d411
refactor(lint): add file count and list to log step in lint composites
bedatty Mar 18, 2026
71a64ce
refactor(lint): use group annotations and sed for file log in lint co…
bedatty Mar 18, 2026
7770a1c
fix(changed-workflows): replace while loop with sed to fix step summa…
bedatty Mar 18, 2026
53c4beb
fix(lint): action-files csv, actionlint covers src/ composites, log c…
bedatty Mar 18, 2026
830e2f6
feat(notify): add pr-lint-reporter composite and lint-report job to p…
bedatty Mar 18, 2026
1be31df
refactor(notify): replace files collapse with failures collapse in pr…
bedatty Mar 18, 2026
a97179d
feat(lint): scope spelling check to changed files only, add all-files…
bedatty Mar 18, 2026
ec3908f
feat(notify): fetch job annotations to show per-file errors in failur…
bedatty Mar 18, 2026
d5b0f2e
fix(lint): use env vars for input interpolation in run blocks, fix gr…
bedatty Mar 18, 2026
279fb61
fix(lint): scope actionlint to workflow files only to avoid composite…
bedatty Mar 18, 2026
ad251f9
fix(notify): filter only failure-level annotations in lint reporter t…
bedatty Mar 18, 2026
fae22b3
chore(deps): upgrade actions/checkout to v6 in self-pr-validation
bedatty Mar 18, 2026
d8f0c23
feat(lint): enforce full semver pinning in pinned-actions check
bedatty Mar 18, 2026
2cae85a
feat(lint): warn on internal unpinned actions instead of failing in p…
bedatty Mar 18, 2026
2056850
feat(lint): restrict external actions to final releases only, allow p…
bedatty Mar 18, 2026
b260707
feat(lint): warn on internal pre-release tags (beta/rc) instead of al…
bedatty Mar 18, 2026
cde8430
fix(lint): anchor uses: grep to start of line to avoid false matches …
bedatty Mar 18, 2026
34f1df0
fix(lint): align pinned-actions description and error message with ac…
bedatty Mar 18, 2026
156d6d9
chore(lint): clean up markdown-link-check and yamllint configs
bedatty Mar 18, 2026
fff0a94
ci(self): remove edited trigger to prevent reruns on CodeRabbit updates
bedatty Mar 18, 2026
2f653c0
fix(lint): tighten markdown config, fix pinned-actions grep pattern, …
bedatty Mar 18, 2026
c489cdb
fix(lint): add pull-requests read to changed-files job, strip inline …
bedatty Mar 18, 2026
ed313b6
feat(lint): add shellcheck and readme-check composites to PR lint pip…
bedatty Mar 18, 2026
45b99b0
fix(lint): quote shellcheck description, add pr-lint-reporter README
bedatty Mar 18, 2026
db6baab
fix(lint): quote step name containing run: in shellcheck composite
bedatty Mar 18, 2026
2a51bbc
fix(lint): remove GHA expression syntax from Python comment in shellc…
bedatty Mar 18, 2026
7906317
fix(lint): use shell variable placeholder for GHA expressions, exclud…
bedatty Mar 18, 2026
24a5ddf
fix(lint): respect shell type and count all severity findings in shel…
bedatty Mar 18, 2026
6ade279
fix(lint): fix GHA regex for nested braces, correct shellcheck line o…
bedatty Mar 18, 2026
81f4a9d
feat(lint): add composite-schema lint to validate input conventions
bedatty Mar 19, 2026
4691736
fix(lint): scope composite-schema to src/ action files only via dedic…
bedatty Mar 19, 2026
c2f8b05
feat(lint): extend composite-schema with name, description, steps, ke…
bedatty Mar 19, 2026
feecc51
feat(lint): validate composite directory depth matches src/<capabilit…
bedatty Mar 19, 2026
cba4fd8
fix(lint): apply directory depth check only after confirming composit…
bedatty Mar 19, 2026
152be7c
fix(lint): gate validation job to PR events, harden composite-schema …
bedatty Mar 19, 2026
6a50cce
fix(lint): add actions:read permission, harden composite-schema type …
bedatty Mar 19, 2026
cfa10e4
fix(lint): fix inputs normalization false-negative and double-count, …
bedatty Mar 19, 2026
94766c0
fix(lint): treat YAML parse errors as violations, enforce action.yml …
bedatty Mar 19, 2026
3 changes: 3 additions & 0 deletions .github/actionlint.yaml
@@ -0,0 +1,3 @@
self-hosted-runner:
labels:
- blacksmith-4vcpu-ubuntu-2404
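Review bot: the new `self-hosted-runner.labels` list carries no explanation of why it exists, and the same label is hand-copied into every `runs-on:` of `self-pr-validation.yml` in this PR. actionlint rejects any `runs-on` label it does not recognise unless it is registered here, so a one-line comment above `self-hosted-runner:` saying that every Blacksmith runner label used in a workflow must also be added to this list would spare the next contributor an opaque actionlint failure.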
13 changes: 12 additions & 1 deletion .github/dependabot.yml
@@ -103,12 +103,23 @@ updates:
- "minor"
- "patch"

# Linting and code quality actions
linting:
patterns:
- "ibiqlik/action-yamllint"
- "raven-actions/actionlint"
- "crate-ci/typos"
- "tcort/github-action-markdown-link-check"
update-types:
- "major"
- "minor"
- "patch"

# Miscellaneous third-party utilities
utilities:
patterns:
- "amannn/action-semantic-pull-request"
- "actions/labeler"
- "tcort/github-action-markdown-link-check"
- "actions/github-script"
- "mikefarah/yq"
update-types:
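Review bot: `tcort/github-action-markdown-link-check` now appears in both the new `linting` group and the existing `utilities` group (the unchanged context line under `utilities.patterns`). Dependabot assigns a dependency to the first group whose pattern matches it, so the `utilities` entry becomes dead configuration that will mislead anyone reading the file later; drop `- "tcort/github-action-markdown-link-check"` from `utilities` in this same change.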
4 changes: 4 additions & 0 deletions .github/labels.yml
@@ -87,3 +87,7 @@
- name: notify
color: "fbca04"
description: Changes to notification composite actions (src/notify/)

- name: lint
color: "7c3aed"
description: Changes to linting and code quality checks
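Review bot: the new `lint` label description omits the directory reference that the neighbouring `notify` entry carries (`src/notify/`), even though this PR adds the lint composites under `src/lint/` (every lint job in `self-pr-validation.yml` uses `./src/lint/<name>`). For consistency with the existing entries, and so the labeler mapping is obvious at a glance, use `description: Changes to linting and code quality checks (src/lint/)`.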
26 changes: 26 additions & 0 deletions .github/markdown-link-check-config.json
@@ -0,0 +1,26 @@
{
"ignorePatterns": [
{
"pattern": "^https://github\\.com/LerianStudio/github-actions-shared-workflows/actions/runs/"
},
{
"pattern": "^https://github\\.com/LerianStudio/github-actions-shared-workflows/pull/"
},
{
"pattern": "^https://github\\.com/<"
}
],
"httpHeaders": [
{
"urls": ["https://github.com"],
"headers": {
"Accept-Encoding": "br, gzip, deflate"
}
}
],
"timeout": "10s",
"retryOn429": true,
"retryCount": 3,
"fallbackRetryDelay": "5s",
"aliveStatusCodes": [200, 206, 301, 302, 307, 308]
}
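Review bot: `aliveStatusCodes` treats every 3xx redirect (`301, 302, 307, 308`) as a live link, so a documentation link whose target has moved and now redirects to a generic landing or sign-in page passes the check silently. Unless redirects are required for specific known URLs, keep only `200` and `206`, or record the reason redirects are accepted in the composite's README, since JSON leaves no room for a comment here. The `^https://github\\.com/<` ignore pattern is a sensible way to skip templated `<owner>/<repo>` placeholders in usage snippets, but that intent is worth spelling out in the same place.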
214 changes: 214 additions & 0 deletions .github/workflows/self-pr-validation.yml
@@ -0,0 +1,214 @@
name: Self — PR Validation

on:
pull_request:
branches:
- develop
- main
types:
- opened
- synchronize
- reopened
workflow_dispatch:

permissions:
contents: read
checks: read

jobs:
# ----------------- PR Validation -----------------
validation:
if: github.event_name == 'pull_request'
permissions:
contents: read
pull-requests: write
issues: write
checks: read
uses: ./.github/workflows/pr-validation.yml
with:
check_changelog: false
enforce_source_branches: true
allowed_source_branches: "develop|hotfix/*"
target_branches_for_source_check: "main"
secrets: inherit

# ----------------- Changed Files Detection -----------------
changed-files:
name: Detect Changed Files
runs-on: blacksmith-4vcpu-ubuntu-2404
permissions:
contents: read
pull-requests: read
outputs:
yaml_files: ${{ steps.detect.outputs.yaml-files }}
workflow_files: ${{ steps.detect.outputs.workflow-files }}
action_files: ${{ steps.detect.outputs.action-files }}
composite_files: ${{ steps.detect.outputs.composite-files }}
markdown_files: ${{ steps.detect.outputs.markdown-files }}
all_files: ${{ steps.detect.outputs.all-files }}
steps:
- name: Checkout
uses: actions/checkout@v6

- name: Detect changed files
id: detect
uses: ./src/config/changed-workflows
with:
github-token: ${{ github.token }}

# ----------------- YAML Lint -----------------
yamllint:
name: YAML Lint
runs-on: blacksmith-4vcpu-ubuntu-2404
needs: changed-files
if: needs.changed-files.outputs.yaml_files != ''
steps:
- name: Checkout
uses: actions/checkout@v6

- name: YAML Lint
uses: ./src/lint/yamllint
with:
file-or-dir: ${{ needs.changed-files.outputs.yaml_files }}

# ----------------- Action Lint -----------------
actionlint:
name: Action Lint
runs-on: blacksmith-4vcpu-ubuntu-2404
needs: changed-files
if: needs.changed-files.outputs.workflow_files != ''
steps:
- name: Checkout
uses: actions/checkout@v6

- name: Action Lint
uses: ./src/lint/actionlint
with:
files: ${{ needs.changed-files.outputs.workflow_files }}

# ----------------- Pinned Actions Check -----------------
pinned-actions:
name: Pinned Actions Check
runs-on: blacksmith-4vcpu-ubuntu-2404
needs: changed-files
if: needs.changed-files.outputs.action_files != ''
steps:
- name: Checkout
uses: actions/checkout@v6

- name: Pinned Actions Check
uses: ./src/lint/pinned-actions
with:
files: ${{ needs.changed-files.outputs.action_files }}

# ----------------- Markdown Link Check -----------------
markdown-link-check:
name: Markdown Link Check
runs-on: blacksmith-4vcpu-ubuntu-2404
needs: changed-files
if: needs.changed-files.outputs.markdown_files != ''
steps:
- name: Checkout
uses: actions/checkout@v6

- name: Markdown Link Check
uses: ./src/lint/markdown-link-check
with:
file-path: ${{ needs.changed-files.outputs.markdown_files }}

# ----------------- Spelling Check -----------------
typos:
name: Spelling Check
needs: changed-files
if: needs.changed-files.outputs.all_files != ''
runs-on: blacksmith-4vcpu-ubuntu-2404
steps:
- name: Checkout
uses: actions/checkout@v6

- name: Spelling Check
uses: ./src/lint/typos
with:
files: ${{ needs.changed-files.outputs.all_files }}

# ----------------- Shell Check -----------------
shellcheck:
name: Shell Check
runs-on: blacksmith-4vcpu-ubuntu-2404
needs: changed-files
if: needs.changed-files.outputs.action_files != ''
steps:
- name: Checkout
uses: actions/checkout@v6

- name: Shell Check
uses: ./src/lint/shellcheck
with:
files: ${{ needs.changed-files.outputs.action_files }}

# ----------------- README Check -----------------
readme-check:
name: README Check
runs-on: blacksmith-4vcpu-ubuntu-2404
needs: changed-files
if: needs.changed-files.outputs.action_files != ''
steps:
- name: Checkout
uses: actions/checkout@v6

- name: README Check
uses: ./src/lint/readme-check
with:
files: ${{ needs.changed-files.outputs.action_files }}

# ----------------- Composite Schema Lint -----------------
composite-schema:
name: Composite Schema Lint
runs-on: blacksmith-4vcpu-ubuntu-2404
needs: changed-files
if: needs.changed-files.outputs.composite_files != ''
steps:
- name: Checkout
uses: actions/checkout@v6

- name: Composite Schema Lint
uses: ./src/lint/composite-schema
with:
files: ${{ needs.changed-files.outputs.composite_files }}

# ----------------- Lint Report -----------------
lint-report:
name: Lint Report
runs-on: blacksmith-4vcpu-ubuntu-2404
permissions:
actions: read
contents: read
pull-requests: write
issues: write
checks: read
needs: [changed-files, yamllint, actionlint, pinned-actions, markdown-link-check, typos, shellcheck, readme-check, composite-schema]
if: always() && github.event_name == 'pull_request' && needs.changed-files.result == 'success'
steps:
- name: Checkout
uses: actions/checkout@v6

- name: Post Lint Report
uses: ./src/notify/pr-lint-reporter
with:
github-token: ${{ secrets.MANAGE_TOKEN || github.token }}
yamllint-result: ${{ needs.yamllint.result }}
yamllint-files: ${{ needs.changed-files.outputs.yaml_files }}
actionlint-result: ${{ needs.actionlint.result }}
actionlint-files: ${{ needs.changed-files.outputs.workflow_files }}
pinned-actions-result: ${{ needs.pinned-actions.result }}
pinned-actions-files: ${{ needs.changed-files.outputs.action_files }}
markdown-result: ${{ needs.markdown-link-check.result }}
markdown-files: ${{ needs.changed-files.outputs.markdown_files }}
typos-result: ${{ needs.typos.result }}
typos-files: ${{ needs.changed-files.outputs.all_files }}
shellcheck-result: ${{ needs.shellcheck.result }}
shellcheck-files: ${{ needs.changed-files.outputs.action_files }}
readme-result: ${{ needs.readme-check.result }}
readme-files: ${{ needs.changed-files.outputs.action_files }}
composite-schema-result: ${{ needs.composite-schema.result }}
composite-schema-files: ${{ needs.changed-files.outputs.composite_files }}
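Review bot: `lint-report` is gated with `if: always() && ...`; `always()` also fires when the run is cancelled, so the reporter will attempt to post a comment for cancelled runs with most `needs.*.result` values reading `cancelled`. `!cancelled()` gives the intended "run after failures, not after cancellation" semantics, and because `!` is a YAML tag indicator the expression must be wrapped: `if: ${{ !cancelled() && github.event_name == 'pull_request' && needs.changed-files.result == 'success' }}`. Two smaller points on the same hunk: every job references `actions/checkout@v6`, a mutable major tag, while this PR introduces a `pinned-actions` check that runs on `action_files` (which, per the `changed-workflows` README, includes workflow files), so confirm this workflow passes its own check, and for an external action a commit SHA with the version in a trailing comment remains the stronger supply-chain control. The `typos` job also places `needs`/`if` before `runs-on`, unlike every other job; keep the key order consistent.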
20 changes: 20 additions & 0 deletions .yamllint.yml
@@ -0,0 +1,20 @@
---
extends: default

rules:
# GitHub Actions uses bare `on:` as top-level key — avoid truthy false positives
truthy:
allowed-values: ["true", "false"]
check-keys: false

# Workflow files have long run: blocks and action refs
line-length:
max: 200
level: warning

indentation:
spaces: 2
indent-sequences: whatever

# Not enforcing leading `---` — optional in workflow files
document-start: disable
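Review bot: `indent-sequences: whatever` switches the sequence-indentation check off entirely, so one file can mix `- item` flush with its parent key and indented beneath it without any finding. `indent-sequences: consistent` still accepts either style but requires a single style per file, which is what a lint profile for shared workflows presumably wants. Also, `line-length` at `level: warning` means a 200+ column line never fails the job; if that is deliberate, the comment above it should say so rather than only describing why the limit is high.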
52 changes: 52 additions & 0 deletions src/config/changed-workflows/README.md
@@ -0,0 +1,52 @@
<table border="0" cellspacing="0" cellpadding="0">
<tr>
<td><img src="https://github.com/LerianStudio.png" width="72" alt="Lerian" /></td>
<td><h1>changed-workflows</h1></td>
</tr>
</table>

Detect changed files in a pull request and categorize them by type for downstream lint jobs.

## Outputs

| Output | Format | Description |
|--------|--------|-------------|
| `yaml-files` | Space-separated | All changed `.yml` files |
| `workflow-files` | Comma-separated | Changed `.github/workflows/*.yml` files |
| `action-files` | Space-separated | Changed workflow and composite `.yml`/`.yaml` files |
| `markdown-files` | Comma-separated | Changed `.md` files |

On `workflow_dispatch`, falls back to scanning the full repository.

## Inputs

| Input | Description | Required | Default |
|-------|-------------|----------|---------|
| `github-token` | GitHub token for `gh` CLI access | No | `""` |

## Usage as composite step

```yaml
- name: Checkout
uses: actions/checkout@v4

- name: Detect changed files
id: changed
uses: LerianStudio/github-actions-shared-workflows/src/config/changed-workflows@v1.2.3
with:
github-token: ${{ github.token }}

- name: YAML Lint
if: steps.changed.outputs.yaml-files != ''
uses: LerianStudio/github-actions-shared-workflows/src/lint/yamllint@v1.2.3
with:
file-or-dir: ${{ steps.changed.outputs.yaml-files }}
```
## Required permissions
```yaml
permissions:
contents: read
pull-requests: read
```
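Review bot: the Outputs table documents four outputs, but `self-pr-validation.yml` in this PR reads `steps.detect.outputs.composite-files` and `steps.detect.outputs.all-files` from this same composite; add rows for both, with their separator format, so consumers do not have to open `action.yml` to discover them. The Format column also mixes space- and comma-separated lists; one sentence naming which downstream lint composite each format was chosen for would make that look deliberate rather than accidental. Minor: the usage snippet pins `actions/checkout@v4` while the workflow in this PR uses `@v6`, and there is no blank line between the closing fence and `## Required permissions`, which some Markdown renderers need.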