diff --git a/.github/problem-matchers/README.md b/.github/problem-matchers/README.md index b210944f7..7813e721d 100644 --- a/.github/problem-matchers/README.md +++ b/.github/problem-matchers/README.md @@ -17,3 +17,9 @@ license. The version of the files at the time they were copied was 2025.1.2. - [`pylint.json`](https://github.com/home-assistant/core/blob/dev/.github/workflows/matchers/pylint.json) - [`yamllint.json`](https://github.com/home-assistant/core/blob/dev/.github/workflows/matchers/yamllint.json) + +The following problem matcher JSON file came from the +[actionlint](https://github.com/rhysd/actionlint/blob/v1.7.7/docs/usage.md) +documentation (copied on 2025-02-12, version 1.7.7): + +- [`actionlint.json`](https://raw.githubusercontent.com/rhysd/actionlint/main/.github/actionlint-matcher.json) diff --git a/.github/problem-matchers/actionlint.json b/.github/problem-matchers/actionlint.json new file mode 100644 index 000000000..4613e1617 --- /dev/null +++ b/.github/problem-matchers/actionlint.json @@ -0,0 +1,17 @@ +{ + "problemMatcher": [ + { + "owner": "actionlint", + "pattern": [ + { + "regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$", + "file": 1, + "line": 2, + "column": 3, + "message": 4, + "code": 5 + } + ] + } + ] +} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1177f2092..6fcf1ec7f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -85,6 +85,8 @@ jobs: yaml_files: ${{steps.filter.outputs.yaml_files}} cff: ${{steps.filter.outputs.cff}} cff_files: ${{steps.filter.outputs.cff_files}} + gha: ${{steps.filter.outputs.gha}} + gha_files: ${{steps.filter.outputs.gha_files}} steps: # When invoked manually, use the given SHA to figure out the change list. - if: github.event_name == 'workflow_dispatch' 
@@ -121,15 +123,19 @@ jobs: list-files: 'shell' # The outputs will be variables named "foo_files" for a filter "foo". filters: | + cff: + - added|modified: + - '**/CITATION.cff' python: - '**/*.py' + gha: + - added|modified: + - './.github/workflows/*.yaml' + - './.github/workflows/*.yml' yaml: - added|modified: - '**/*.yaml' - '**/*.yml' - cff: - - added|modified: - - '**/CITATION.cff' setup: if: needs.changes.outputs.python == 'true' @@ -423,3 +429,33 @@ jobs: - name: Run cffconvert in validation mode run: | cffconvert --validate + + workflow-validation: + if: needs.changes.outputs.gha == 'true' + name: Validate GitHub Actions file(s) + needs: [changes, yaml-lint] + # This uses a Mac runner because actionlint isn't available via Linux apt. + runs-on: macos-14 + timeout-minutes: 5 + env: + changed_files: ${{needs.changes.outputs.gha_files}} + steps: + - name: Check out a copy of the git repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + + # The next action simply fails if there are any unpinned actions. + - name: Verify that all workflow actions have pinned versions + uses: zgosalvez/github-actions-ensure-sha-pinned-actions@99589360fda82ecfac331cc6bfc9d7d74487359c + + # If we didn't fail the previous check, go on to more time-consuming ones. + - name: Install actionlint + run: | + HOMEBREW_NO_AUTO_UPDATE=1 brew install actionlint + + - name: Set up actionlint output problem matcher + run: | + echo "::add-matcher::.github/problem-matchers/actionlint.json" + + - name: Verify that all GitHub Actions workflows are valid + run: | + /opt/homebrew/bin/actionlint -color
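Review bot: The two `gha` patterns start with `./`, while every other filter in this `filters:` block uses repo-relative globs such as `'**/*.yaml'`. The step that owns `filters:` begins above the hunk, so it is not visible here whether the filter action normalises a leading `./` before matching. If it does not, `gha` never becomes `'true'` and the new validation job is skipped silently, which is a quiet way to lose a security check. Writing `- '.github/workflows/*.yaml'` and `- '.github/workflows/*.yml'` removes the doubt. The filter also does not cover `.github/problem-matchers/actionlint.json` or anything else outside `workflows/`, so a one-line comment above `gha:` stating that scope would help the next maintainer.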
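Review bot: The `Install actionlint` step in the new `workflow-validation` job takes whatever version the runner's Homebrew formula provides, so the linter is the one unpinned, unverified component in a job whose purpose is to reject unpinned actions. The README in this commit records the matcher as copied from actionlint 1.7.7, so a different installed version could also break annotation parsing without any visible failure; consider installing a pinned release and checking it against a checksum kept in the repository, or at minimum logging `actionlint -version` after the install. The checkout step leaves the default token in the local git config while a third-party action and the brew-installed binary run afterwards; adding `persist-credentials: false` under a `with:` key on that step removes the exposure. `changed_files` is set in `env` but no visible step reads it; if it is used later, keep referencing it as a quoted shell variable rather than interpolating `${{ }}` into `run:`, because file names in a pull request are contributor-controlled. The `zgosalvez/github-actions-ensure-sha-pinned-actions` line would also benefit from a trailing version comment like the `# v4` on checkout, so the pinned SHA can be audited.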