actionlint

Action wrapper for rhysd/actionlint that makes it easier to use: you reference an action that gets automatic version updates, instead of linking the tool manually and updating it by hand.

This action will run your repository through actionlint and detect common errors like:

  • References to an output or needs object that has not been defined, which also catches typos
  • Problems found by running shellcheck on all run commands
  • And more; check the actionlint documentation for more information

Note

Actionlint does not check for externally supplied values, such as the use of ${{ inputs.name }} in shell commands. The reasoning is that to be able to inject something, you need to have write access to the repo (inputs come either from workflow files or from workflow_dispatch events).
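For teams that still want to flag this pattern in review, the following is an added example (not part of this action or of actionlint): a small Python check that reports every `${{ inputs.* }}` expression expanded inside a `run:` script and ignores inputs passed through `env:`. The function name and the sample workflow are constructed for illustration, and the scan is line-based rather than a full YAML parse.

```python
import re

# ${{ inputs.<name> }} expression; <name> is captured.
EXPR = re.compile(r"\$\{\{\s*inputs\.([A-Za-z_][\w-]*)\s*\}\}")
# A "run:" key, optionally as the first key of a "- " list item.
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_input_interpolation(workflow_text):
    """Return (line_number, input_name) for each inputs expression inside a run script."""
    findings = []
    block_col = None  # column of the run: key while inside its block scalar
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = RUN_KEY.match(line)
        if m:
            rest = m.group(2)
            if rest[:1] in ("|", ">"):   # multi-line script follows
                block_col, scan = len(m.group(1)), ""
            else:                         # single-line script
                block_col, scan = None, rest
        elif block_col is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= block_col:
                block_col = None          # dedent: the script has ended
                continue
            scan = line
        else:
            continue
        findings += [(lineno, name) for name in EXPR.findall(scan)]
    return findings

# Constructed sample workflow: one step interpolates the input into the script,
# the other passes it through an environment variable.
SAMPLE = """\
on:
  workflow_dispatch:
    inputs:
      name:
        type: string
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: direct interpolation (flagged)
        run: |
          echo "Hello ${{ inputs.name }}"
      - name: passed through env (not flagged)
        env:
          NAME: ${{ inputs.name }}
        run: echo "Hello $NAME"
"""

if __name__ == "__main__":
    for lineno, name in find_input_interpolation(SAMPLE):
        print(f"line {lineno}: inputs.{name} is expanded inside a run script")
```
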

Note

Actionlint unfortunately does not support (composite) action definition files.

Results

If there are no errors from actionlint, this action will succeed. If there are errors, this action will fail and output the errors in the logs.

If running in a Pull Request context, then the action will also annotate the changed files with the errors. This is useful to see what errors were introduced by the Pull Request. Note: this only works if you include the pull-requests: write permission in your workflow file.

Usage:

jobs:
  run-actionlint:
    runs-on: ubuntu-latest
    permissions:
      # needed for the checkout action
      contents: read
      # needed to annotate the files in a pull request with comments
      pull-requests: write
    steps: 
    # checkout the source code to analyze
    - uses: actions/checkout@v4 # v4

    # run the actionlinter, will fail on errors
    - uses: devops-actions/actionlint@e7ee33fbf5aa8c9f9ee1145137f3e52e25d6a35b #v0.1.3

Usage with results file:

If you want to pick up the results file and use its contents somewhere else, then use it as follows:

on:
  push: 

  workflow_dispatch:

permissions:
  contents: read
  pull-requests: write

jobs:
  job-1:
    runs-on: ubuntu-latest
    steps:       
    - uses: actions/checkout@v4

    - uses: devops-actions/actionlint@e7ee33fbf5aa8c9f9ee1145137f3e52e25d6a35b #v0.1.3
      continue-on-error: true
      id: action-lint
    
    - uses: actions/upload-artifact@v4
      with:
        name: actionlint-results
        path: ${{ steps.action-lint.outputs.results-file }}

Errors

No project was found in any parent directories

Error message: no project was found in any parent directories of ".". check workflows directory is put correctly in your Git repository

Solution: Add a uses: actions/checkout@v4 step to your workflow file, so the repository can be analyzed.

Configuration

If you want to hide certain warnings from shellcheck, you can use the directives as shown in the shellcheck docs:

# shellcheck disable=code

Another option is to pass in extra shellcheck_opts for the warnings you want to skip:

  steps:       
    - uses: actions/checkout@v4

    - uses: devops-actions/actionlint@e7ee33fbf5aa8c9f9ee1145137f3e52e25d6a35b #v0.1.3
      continue-on-error: true
      id: action-lint
      with:
        shellcheck_opts: '-e SC2129'

In some cases the directives are not picked up (this might depend on the shell it is checking). It can then help to add the shell: your-shell-here specification to your workflow file. I've seen this confusion happening with PowerShell code on a Windows-based runner. Shellcheck was analyzing the script of the run step as if it were bash. The shell keyword was not needed for the workflow to run, as the default shell on the Windows runner was PowerShell already. Shellcheck cannot handle that. Specifying the keyword stopped the 'errors' from being reported.