name: actionlint on: push: branches: - master pull_request: paths: - '.github/workflows/*.ya?ml' - '.github/actionlint.yaml' env: HOMEBREW_DEVELOPER: 1 HOMEBREW_NO_AUTO_UPDATE: 1 HOMEBREW_NO_ENV_HINTS: 1 defaults: run: shell: bash -xeuo pipefail {0} concurrency: group: "actionlint-${{ github.ref }}" cancel-in-progress: ${{ github.event_name == 'pull_request' }} permissions: {} jobs: workflow_syntax: if: github.repository_owner == 'Homebrew' runs-on: ubuntu-latest steps: - name: Set up Homebrew id: setup-homebrew uses: Homebrew/actions/setup-homebrew@master with: core: false cask: false test-bot: false - name: Install tools run: brew install actionlint shellcheck zizmor - name: Set up GITHUB_WORKSPACE env: HOMEBREW_REPOSITORY: ${{ steps.setup-homebrew.outputs.repository-path }} run: | # Annotations work only relative to GITHUB_WORKSPACE (shopt -s dotglob; rm -rf "${GITHUB_WORKSPACE:?}"/*; mv "${HOMEBREW_REPOSITORY:?}"/* "$GITHUB_WORKSPACE") rmdir "$HOMEBREW_REPOSITORY" ln -vs "$GITHUB_WORKSPACE" "$HOMEBREW_REPOSITORY" echo "::add-matcher::.github/actionlint-matcher.json" - run: | # NOTE: exit code intentionally suppressed here zizmor --format sarif . > results.sarif || true - name: Upload SARIF file uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: results.sarif path: results.sarif - run: actionlint upload_sarif: needs: workflow_syntax runs-on: ubuntu-latest permissions: contents: read security-events: write steps: - name: Download SARIF file uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: results.sarif path: results.sarif - name: Upload SARIF file uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19 with: sarif_file: results.sarif category: zizmor