ci(repo): add actionlint workflow check (#8874)

jacekradko · web-flow · commit 4e96a222e563 · 2026-06-25T21:51:14.000-05:00
diff --git a/.changeset/sdk-79-actionlint.md b/.changeset/sdk-79-actionlint.md
@@ -0,0 +1,2 @@
+---
+---
diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
@@ -0,0 +1,9 @@
+# Configuration for actionlint (run by .github/workflows/actionlint.yml).
+# See SDK-79 / Monorepo Supply-Chain Hardening.
+
+self-hosted-runner:
+  # Blacksmith self-hosted runner labels. actionlint cannot know custom runner
+  # labels, so declare them here to avoid false "unknown runner label" errors.
+  labels:
+    - blacksmith-8vcpu-ubuntu-2204
+    - blacksmith-6vcpu-macos-26
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
@@ -0,0 +1,43 @@
+name: Actionlint
+
+# Lint GitHub Actions workflows for syntax errors, unsafe patterns, and shell
+# bugs. Part of SDK-79 / Monorepo Supply-Chain Hardening. Runs on every PR so it
+# always reports a status and can be wired up as a required check.
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  actionlint:
+    name: Lint workflows
+    runs-on: ${{ vars.RUNNER_NORMAL || 'ubuntu-latest' }}
+    timeout-minutes: ${{ vars.TIMEOUT_MINUTES_SHORT && fromJSON(vars.TIMEOUT_MINUTES_SHORT) || 5 }}
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+          show-progress: false
+          sparse-checkout: .github
+          sparse-checkout-cone-mode: false
+
+      - name: Run actionlint
+        # Pinned by digest (immutable). rhysd/actionlint 1.7.12; the image bundles a
+        # matching shellcheck. Bump the version and refresh the digest together.
+        uses: docker://rhysd/actionlint@sha256:b1934ee5f1c509618f2508e6eb47ee0d3520686341fec936f3b79331f9315667
+        env:
+          # Intentional word-splitting ($TURBO_ARGS etc., SC2086) and minor style
+          # (SC2129, SC2162) are excluded; every other shellcheck rule stays on.
+          SHELLCHECK_OPTS: --exclude=SC2086,SC2129,SC2162
+        with:
+          args: -color
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -498,7 +498,6 @@ jobs:
           E2E_CLERK_UI_VERSION: "latest"
           E2E_NEXTJS_VERSION: ${{ matrix.next-version }}
           E2E_PROJECT: ${{ matrix.test-project }}
-          E2E_CLERK_ENCRYPTION_KEY: ${{ matrix.clerk-encryption-key }}
           INTEGRATION_INSTANCE_KEYS: ${{ secrets.INTEGRATION_INSTANCE_KEYS }}
           NODE_EXTRA_CA_CERTS: ${{ github.workspace }}/integration/certs/rootCA.pem
           VERCEL_AUTOMATION_BYPASS_SECRET: ${{ secrets.VERCEL_AUTOMATION_BYPASS_SECRET }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -224,7 +224,16 @@ jobs:
       - name: Generate notification payload
         id: notification
         if: steps.changesets.outputs.published == 'true'
-        run: payload=$(node scripts/notify.mjs '${{ steps.changesets.outputs.publishedPackages }}' '${{ github.actor }}') && echo ::set-output name=payload::${payload//$'\n'/'%0A'}
+        env:
+          PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
+          GH_ACTOR: ${{ github.actor }}
+        run: |
+          payload="$(node scripts/notify.mjs "$PUBLISHED_PACKAGES" "$GH_ACTOR")"
+          {
+            echo 'payload<<__NOTIFY_EOF__'
+            echo "$payload"
+            echo '__NOTIFY_EOF__'
+          } >> "$GITHUB_OUTPUT"
 
       - name: Send commit log to Slack
         id: slack
