Add and sync actionlint workflow #198

Merged
merged 2 commits into from
Oct 31, 2024
10 changes: 10 additions & 0 deletions .github/actions/sync/shared-config.rb
@@ -29,6 +29,7 @@ def git(*args)
rubocop_yaml = ".rubocop.yml"
dependabot_yaml = ".github/dependabot.yml"
docs_workflow_yaml = ".github/workflows/docs.yml"
actionlint_workflow_yaml = ".github/workflows/actionlint.yml"
vale_ini = ".vale.ini"

target_gemfile_lock = target_directory_path/"Gemfile.lock"
@@ -98,6 +99,10 @@ def git(*args)
rubydoc.brew.sh
ruby-macho
].freeze
custom_actionlint_repos = %w[
brew
homebrew-core
Comment on lines +103 to +104
Member

What's custom in the actionlint workflow for these two?

Member Author

They reuse the clones made by setup-homebrew (and homebrew-core has core: true there). The brew workflow also runs on changes to .github/actionlint.yaml (which is different from .github/workflows/actionlint.yml). homebrew-core has some handling for shell: /bin/bash.

]
rejected_docs_basenames = %w[
_config.yml
CNAME
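Review bot: the reason each of the two repositories in custom_actionlint_repos is excluded from the shared workflow exists only in this PR thread (they reuse the clones made by setup-homebrew, brew additionally triggers on `.github/actionlint.yaml`, homebrew-core has its own `shell: /bin/bash` handling), so a one- or two-line comment above the `%w[` list would save the next reader from re-asking, and would make explicit that a repository listed here silently keeps its own actionlint.yml with no check that it has not drifted from the shared copy.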
@@ -116,6 +121,7 @@ def git(*args)
rubocop_yaml,
dependabot_yaml,
deprecated_lock_threads,
actionlint_workflow_yaml,
".github/workflows/stale-issues.yml",
].each do |path|
target_path = target_directory_path/path
@@ -166,6 +172,10 @@ def git(*args)
next unless docs_path.directory?

FileUtils.cp homebrew_docs_workflow_yaml, target_path
when actionlint_workflow_yaml
next if custom_actionlint_repos.include?(repository_name)

FileUtils.cp actionlint_workflow_yaml, target_path
when vale_ini
next if custom_docs_repos.include?(repository_name)

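Review bot: the `next if custom_actionlint_repos.include?(repository_name)` guard mirrors the `vale_ini` branch directly below it, but both skip silently, so a repository that is on the custom list yet has no actionlint.yml of its own ends up with no workflow and no message in the sync output; a short log line on the skip path would make that visible. One thing to confirm: `actionlint_workflow_yaml` is a path relative to the working directory, whereas the docs branch above copies from the separate `homebrew_docs_workflow_yaml` source variable, so this relies on the script running from the `.github` checkout, as the other relative-path entries presumably already do.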
81 changes: 81 additions & 0 deletions .github/workflows/actionlint.yml
@@ -0,0 +1,81 @@
# This file is synced from the `.github` repository, do not modify it directly.
name: Workflow Syntax
Member

Can this have Actionlint in the name so it better matches the filename?

on:
push:
branches:
- main
paths:
- '.github/workflows/*.ya?ml'
pull_request:
paths:
- '.github/workflows/*.ya?ml'

defaults:
run:
shell: bash -xeuo pipefail {0}

concurrency:
group: "actionlint-${{ github.ref }}"
cancel-in-progress: ${{ github.event_name == 'pull_request' }}

env:
HOMEBREW_DEVELOPER: 1
HOMEBREW_NO_AUTO_UPDATE: 1
HOMEBREW_NO_ENV_HINTS: 1

permissions: {}

jobs:
workflow_syntax:
if: github.repository_owner == 'Homebrew'
runs-on: ubuntu-latest
steps:
- name: Set up Homebrew
id: setup-homebrew
uses: Homebrew/actions/setup-homebrew@master
with:
core: false
cask: false
test-bot: false

- name: Install tools
run: brew install actionlint shellcheck zizmor
Member

Will actionlint call overlap with brew style or brew tap-syntax in any of those repos?

Member Author

Probably for brew style, not for brew tap-syntax. But running it inside brew style doesn't seem to work properly anyway -- we're getting new actionlint errors now. (Unless we weren't running brew style or brew tap-syntax where that happened, but I don't think that was the case.)

Member Author

Actually, I just double checked:

  • it won't overlap, because we skip actionlint for repos with an actionlint.yml workflow
  • the new errors are from the -ignore we pass in brew style, so the new errors are not evidence of brew style not working properly.


- uses: actions/checkout@v4
with:
persist-credentials: false

- run: zizmor --format sarif . >results.sarif

- name: Upload SARIF file
uses: actions/upload-artifact@v4
with:
name: results.sarif
path: results.sarif

- name: Set up actionlint
run: echo "::add-matcher::$(brew --repository)/.github/actionlint-matcher.json"

- run: actionlint
Member Author

Pushed fixes to avoid the error instead of ignoring it -- adding -ignore isn't great since it means you can't run actionlint directly from the command-line.


upload_sarif:
needs: workflow_syntax
# We want to always upload this even if `actionlint` failed.
if: always() && !contains(fromJSON('[["cancelled", "skipped"]]'), needs.workflow_syntax.result)
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Download SARIF file
uses: actions/download-artifact@v4
with:
name: results.sarif
path: results.sarif

- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
category: zizmor
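Review bot: the `if:` on `upload_sarif` does not do what the comment above it intends. `fromJSON('[["cancelled", "skipped"]]')` is a one-element array whose only element is itself an array, and `contains()` on an array compares whole elements, so the string in `needs.workflow_syntax.result` can never match and the condition collapses to `always()`. In practice `upload_sarif` will also run when `workflow_syntax` is skipped (for example on a fork, where `github.repository_owner == 'Homebrew'` is false) and then fail in the download step. Dropping the outer brackets fixes it: `fromJSON('["cancelled", "skipped"]')`. Separately, `Homebrew/actions/setup-homebrew@master` is the only `uses:` in this file that is not pinned to at least a tag; since the job installs zizmor, whose unpinned-uses audit exists for mutable action references, the workflow may end up reporting on itself. The rest of the permission model looks right: `permissions: {}` at the top, `persist-credentials: false` on checkout, and `security-events: write` granted only to the upload job.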
12 changes: 9 additions & 3 deletions .github/workflows/sync-shared-config.yml
@@ -104,7 +104,8 @@ jobs:
id: detect_changes
env:
HOMEBREW_GPG_PASSPHRASE: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY_PASSPHRASE }}
run: ./.github/actions/sync/shared-config.rb 'target/${{ matrix.repo }}' '/home/linuxbrew/.linuxbrew/Homebrew'
TARGET: target/${{ matrix.repo }}
run: ./.github/actions/sync/shared-config.rb "${TARGET}" '/home/linuxbrew/.linuxbrew/Homebrew'

- name: Create pull request
if: github.ref == 'refs/heads/master' && steps.detect_changes.outputs.pull_request == 'true'
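Review bot: good change from a script-injection standpoint: `${{ matrix.repo }}` was previously substituted into the script text before bash parsed it, so a matrix value containing a quote would have broken out of the single-quoted argument, whereas `"${TARGET}"` is expanded by bash as plain data. The matrix values are defined in this workflow, so the exposure was low, but the pattern is the one zizmor's template-injection audit reports. The `HOMEBREW_GPG_PASSPHRASE` secret already reached the script through `env:`, so this step is now free of inline expressions.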
@@ -118,12 +119,14 @@ jobs:
-X GET \
--header 'Accept: application/vnd.github+json' \
--header 'X-GitHub-Api-Version: 2022-11-28' \
/repos/{owner}/{repo}/pulls \
"/repos/${GH_REPO}/pulls" \
-f head=Homebrew:sync-shared-config \
-f state=open |
jq --exit-status 'length == 0'
then
git push --set-upstream --force origin sync-shared-config
# We don't want backticks to be expanded.
# shellcheck disable=SC2016
gh pr create --head sync-shared-config --title "Synchronize shared configuration" --body 'This pull request was created automatically by the [`sync-shared-config`](https://github.com/Homebrew/.github/blob/HEAD/.github/actions/sync/shared-config.rb) workflow.'
else
git fetch origin sync-shared-config
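Review bot: `"/repos/${GH_REPO}/pulls"` depends on `GH_REPO` being set in this step's environment, and that definition is not in the hunk; before this change `gh api` itself expanded the `{owner}/{repo}` placeholders, so if `GH_REPO` is absent the request becomes `/repos//pulls`, the `jq --exit-status 'length == 0'` check fails, and the `else` branch runs instead of creating a pull request. Worth confirming that `GH_REPO: ${{ github.repository }}` (or an equivalent) is present in the step's `env:`. The `# shellcheck disable=SC2016` on the `gh pr create` line is correctly scoped: the backticks inside the single-quoted body are intentional markdown, not command substitution.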
@@ -141,4 +144,7 @@ jobs:
if: always()
steps:
- name: Result
run: ${{ needs.sync.result == 'success' }}
env:
RESULT: ${{ needs.sync.result }}
run: |
[[ "${RESULT}" == success ]]
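Review bot: `[[ "${RESULT}" == success ]]` is bash-specific and no `defaults.run.shell` is visible in this file, so the step relies on GitHub's default `bash -e {0}` for `run:` on Linux runners; that holds today, and `[ "${RESULT}" = success ]` would remove the dependency if the default ever changes. The substance is right: the previous `run: ${{ needs.sync.result == 'success' }}` was rendered into a literal `true` or `false` command at workflow-expansion time, the same expression-in-script pattern the other hunks remove, and moving the value behind `env:` closes it while keeping the non-zero exit that fails the job.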