From 9c77e1e22118c1e38375487206297582ef1985bf Mon Sep 17 00:00:00 2001
From: Alexander Bayandin
Date: Sat, 7 Dec 2024 14:20:50 +0000
Subject: [PATCH] Add actions-linters
---
actions-linters/action.yml | 61 +++++++++++++++++++++++++
actions-linters/actionlint-matcher.json | 17 +++++++
2 files changed, 78 insertions(+)
create mode 100644 actions-linters/action.yml
create mode 100644 actions-linters/actionlint-matcher.json
diff --git a/actions-linters/action.yml b/actions-linters/action.yml
new file mode 100644
index 0000000..282ab31
--- /dev/null
+++ b/actions-linters/action.yml
@@ -0,0 +1,61 @@
+name: "GitHub Actions linters"
+description: "A set of linters for GitHub Actions workflows"
+
+runs:
+ using: "composite"
+ steps:
+ - name: actionlint
+ if: ${{ !cancelled() }}
+ shell: bash -euo pipefail {0}
+ env:
+ # SC2046 - Quote this to prevent word splitting. - https://www.shellcheck.net/wiki/SC2046
+ # SC2086 - Double quote to prevent globbing and word splitting. - https://www.shellcheck.net/wiki/SC2086
+ SHELLCHECK_OPTS: --exclude=SC2046,SC2086
+ run: |
+ echo "::group::actionlint"
+ echo "::add-matcher::${GITHUB_ACTION_PATH}/actionlint-matcher.json"
+ actionlint || actionlint_exit_code=$?
+ echo "::remove-matcher owner=actionlint::"
+ echo "::endgroup::"
+
+ exit ${actionlint_exit_code:-0}
+
+ - name: zizmor
+ if: ${{ !cancelled() }}
+ shell: bash -euo pipefail {0}
+ run: |
+ echo "::group::zizmor"
+ zizmor --format json . > zizmor.json || zizmor_exit_code=$?
+ jq --raw-output --arg GITHUB_WORKSPACE "$(pwd)" '
+ .[] as $item
+ | $item.locations[]
+ | select(.symbolic.annotation != "this step")
+ | "::error file=\(.symbolic.key.Local.path | sub("^" + $GITHUB_WORKSPACE; "")),line=\(.concrete.location.start_point.row),endLine=\(.concrete.location.end_point.row),title=\($item.determinations.severity): \($item.desc)::\(.symbolic.annotation) - \($item.url)"
+ ' zizmor.json
+
+ # Run `zizmor` one more time to get output in the console,
+ # in case of any bugs in json parsing above
+ zizmor --no-exit-codes .
+
+ echo "::endgroup::"
+
+ exit ${zizmor_exit_code:-0}
+
+ - name: Disallow '*-latest' runners
+ if: ${{ !cancelled() }}
+ shell: bash -euo pipefail {0}
+ run: |
+ echo "::group::runs-on: *-latest"
+ PAT='^\s*runs-on:.*-latest'
+ if grep -ERq $PAT .github/workflows; then
+ grep -ERl $PAT .github/workflows |\
+ while read -r f; do
+ l=$(grep -nE $PAT $f | awk -F: '{print $1}' | head -1)
+ echo "::error file=$f,line=$l::Use verioned runner (like 'ubuntu-22.04' / 'macos-15') instead of '*-latest'"
+ done
+
+ exit_code=1
+ fi
+ echo "::endgroup::"
+
+ exit ${exit_code:-0}
diff --git a/actions-linters/actionlint-matcher.json b/actions-linters/actionlint-matcher.json
new file mode 100644
index 0000000..4613e16
--- /dev/null
+++ b/actions-linters/actionlint-matcher.json
@@ -0,0 +1,17 @@
+{
+ "problemMatcher": [
+ {
+ "owner": "actionlint",
+ "pattern": [
+ {
+ "regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$",
+ "file": 1,
+ "line": 2,
+ "column": 3,
+ "message": 4,
+ "code": 5
+ }
+ ]
+ }
+ ]
+}
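Review bot: In the "Disallow '*-latest' runners" step, `$PAT` and `$f` are expanded unquoted in all three grep calls, and because the pattern contains `*` it is subject to pathname expansion and word splitting before grep sees it; quote them as `if grep -ERq "$PAT" .github/workflows; then`, `grep -ERl "$PAT" .github/workflows |\` and `l=$(grep -nE "$PAT" "$f" | awk -F: '{print $1}' | head -1)`. In the zizmor step, the `jq` pipeline runs under `bash -euo pipefail`, so a jq failure (the "bugs in json parsing" case the following comment describes) aborts the step before the fallback `zizmor --no-exit-codes .` runs; appending `|| true` to the `' zizmor.json` line would let the fallback actually cover that case. The `::error` annotation built by jq interpolates `$item.desc`, `.symbolic.annotation` and `$item.url` verbatim into the workflow command; if a description ever contains a comma or newline, the properties after it would presumably be misparsed by the runner, so it may be worth noting this limitation in the comment above the jq call. The error message also has a typo: `verioned` should read `versioned`.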