ci: harden workflow action input handling

2026-02-19 15:27:41 +01:00
parent efca61e3ac
commit 9130fd2b06
6 changed files with 132 additions and 9 deletions
--- a/.github/workflows/workflow-sanity.yml
+++ b/.github/workflows/workflow-sanity.yml
@@ -40,3 +40,24 @@ jobs:
              print(f"- {path}")
            sys.exit(1)
          PY
+
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install actionlint
+        shell: bash
+        run: |
+          set -euo pipefail
+          ACTIONLINT_VERSION="1.7.11"
+          archive="actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz"
+          curl -sSfL "https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/${archive}" | tar -xz actionlint
+          sudo mv actionlint /usr/local/bin/actionlint
+
+      - name: Lint workflows
+        run: actionlint
+
+      - name: Disallow direct inputs interpolation in composite run blocks
+        run: python3 scripts/check-composite-action-input-interpolation.py