Check workflows for issues during CI (#1916)

* Check workflows for issues during CI This PR adds an Actionlint workflow to validate GH actions as per #1866 This is an updated version of PR #1880, taking into account the discussion on that contribution. Signed-off-by: JP Lomas <[email protected]> * CONTRIBUTING.md update Documents actionlint use as part of CI basic workflow including instructions of running locally. Signed-off-by: JP Lomas <[email protected]> * Update .github/workflows/basic.yml Co-authored-by: Spencer Wilson <[email protected]> Signed-off-by: JP Lomas <[email protected]> --------- Signed-off-by: JP Lomas <[email protected]> Signed-off-by: JP Lomas <[email protected]> Co-authored-by: Spencer Wilson <[email protected]>
open-quantum-safe · Sep 11, 2024 · a7bfc8d · a7bfc8d
1 parent b37c937
commit a7bfc8d
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 4 deletions.
diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
@@ -0,0 +1,14 @@
+# Labels of self-hosted runner in array of strings.
+
+# NB. oqs-arm64 is not self-hosted but this configuration
+#     is required for liboqs to lint correctly with actionlint v1.7.1
+
+self-hosted-runner:
+  # Labels of self-hosted runner in array of string
+  labels:
+    - oqs-arm64
+# Configuration variables in array of strings defined in your repository or organization
+config-variables:
+  # - DEFAULT_RUNNER
+  # - JOB_NAME
+  # - ENVIRONMENT_STAGE
diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml
@@ -7,8 +7,19 @@ on: [workflow_call, workflow_dispatch]
 
 jobs:
 
+  workflowcheck:
+    name: Check validity of GitHub workflows
+    runs-on: ubuntu-latest
+    container: openquantumsafe/ci-ubuntu-latest:latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+      - name: Ensure GitHub actions are valid
+        run: actionlint -shellcheck "" # run *without* shellcheck
+
   stylecheck:
     name: Check code formatting
+    needs: [ workflowcheck ]
     runs-on: ubuntu-latest
     container: openquantumsafe/ci-ubuntu-latest:latest
     steps:
@@ -23,6 +34,7 @@ jobs:
 
   upstreamcheck:
     name: Check upstream code is properly integrated
+    needs: [ workflowcheck ]
     runs-on: ubuntu-latest
     container: openquantumsafe/ci-ubuntu-latest:latest
     steps:
@@ -47,7 +59,7 @@ jobs:
 
   buildcheck:
     name: Check that code passes a basic build
-    needs: [ stylecheck, upstreamcheck ]
+    needs: [ workflowcheck, stylecheck, upstreamcheck ]
     runs-on: ubuntu-latest
     container: openquantumsafe/ci-ubuntu-latest:latest
     env:

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -56,6 +56,20 @@ GitHub CI jobs. When executed in the main `liboqs` directory,
 
 When installing `act` as a GitHub extension, prefix the commands with `gh `.
 
+## Modifications to CI
+
+Modifications to GitHub Actions workflows are checked with [actionlint](https://github.com/rhysd/actionlint) during the [basic.yml](.github/workflows/basic.yml) job, protecting the CI chain and against wrong approval decisions based on improper CI runs.  Changes to these workflows can be validated locally with `actionlint`:
+
+```bash
+actionlint .github/workflows/*.yml
+```
+
+or running the CI locally (as above):
+
+```bash
+act workflow_call -W '.github/workflows/basic.yml'
+```
+
 ### New features
 
 Any PR introducing a new feature is expected to contain a test of this feature
@@ -70,6 +84,3 @@ add a tag to one or more of our [most active contributors](https://github.com/op
 
 If you feel like contributing but don't know what specific topic to work on,
 please check the [open issues tagged "good first issue" or "help wanted"](https://github.com/open-quantum-safe/liboqs/issues).
-
-
-