v1.1.0

Pull Requests | Issues | v1.0.0...v1.1.0

Features

#650 Support a glob pattern in action_name

https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/008.md

About the pattern syntax, please see https://pkg.go.dev/path#Match .

e.g.

excludes:
  - policy_name: action_ref_should_be_full_length_commit_sha
    action_name: suzuki-shunsuke/tfaction/* # glob pattern
``

v1.1.0-0

v1.0.0...v1.1.0-0

v1.0.0

Pull Requests | Issues | v0.2.12...v1.0.0

🎉 v1 is out

This is a major update, but there is no significant change.

Others

⚠️ #566 Change the asset format for Windows to zip
Update Go to 1.23.2
#556 Create GitHub Artifact Attestations

https://github.com/suzuki-shunsuke/ghalint/attestations

You can verify downloaded assets from GitHub Releases using GitHub CLI.

gh release download -R suzuki-shunsuke/ghalint v1.0.0 -p ghalint_1.0.0_darwin_arm64.tar.gz
gh attestation verify ghalint_1.0.0_darwin_arm64.tar.gz \
  -R suzuki-shunsuke/ghalint \
  --signer-workflow suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml

v1.0.0-1

v0.2.12...v1.0.0-1

v0.2.12

Pull Requests | Issues | v0.2.11...v0.2.12

Features

#488 Add a policy job_timeout_minutes_is_required

https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/012.md

All jobs should set timeout-minutes.

Examples

❌

jobs:
  foo: # The job doesn't have `timeout-minutes`
    runs-on: ubuntu-latest
    steps:
      - run: echo hello

⭕

jobs:
  foo:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - run: echo hello

Why?

https://exercism.org/docs/building/github/gha-best-practices#h-set-timeouts-for-workflows

By default, GitHub Actions kills workflows after 6 hours if they have not finished by then. Many workflows don't need nearly as much time to finish, but sometimes unexpected errors occur or a job hangs until the workflow run is killed 6 hours after starting it. Therefore it's recommended to specify a shorter timeout.

The ideal timeout depends on the individual workflow but 30 minutes is typically more than enough for the workflows used in Exercism repos.

This has the following advantages:

PRs won't be pending CI for half the day, issues can be caught early or workflow runs can be restarted.
The number of overall parallel builds is limited, hanging jobs will not cause issues for other PRs if they are cancelled early.

Exceptions

1. All steps set timeout-minutes

jobs:
  foo: # The job is missing `timeout-minutes`, but it's okay because all steps set timeout-minutes
    runs-on: ubuntu-latest
    steps:
      - run: echo hello
        timeout-minutes: 5
      - run: echo bar
        timeout-minutes: 5

2. A job uses a reusable workflow

When a reusable workflow is called with uses, timeout-minutes is not available.

jobs:
  foo:
    uses: suzuki-shunsuke/renovate-config-validator-workflow/.github/workflows/validate.yaml@v0.2.3

v0.2.11

Pull Requests | Issues | v0.2.10...v0.2.11

Bug Fixes

#472 run-action: Fix a bug that github_app_should_limit_repositories can't be excluded

Others

#469 Add policy name to error log

v0.2.10

Pull Requests | Issues | v0.2.9...v0.2.10

Features

#463 #464 Support excluding deny_inherit_secrets

To access Environment Secrets in a reusable workflow, you need to use secrets: inherit.

actions/runner#1490 (comment)

So this release allows us to exclude deny_inherit_secrets.

e.g.

ghalint.yaml

excludes:
  - policy_name: deny_inherit_secrets
    workflow_file_path: .github/workflows/actionlint.yaml
    job_name: actionlint

policy_name, workflow_file_path, and job_name are required.

v0.2.10-1

v0.2.9...v0.2.10-1

v0.2.9

Pull Requests | Issues | v0.2.8...v0.2.9

Features

#281 Add a policy action_shell_is_required

v0.2.8

Pull Requests | Issues | v0.2.7...v0.2.8

Features

#275 #280 Support validating action.ya?ml

Others

#279 Refactoring