Add CI workflow checking #1880

Closed
wants to merge 4 commits into from
Changes from 3 commits
7 changes: 7 additions & 0 deletions .github/actionlint.yaml
@@ -0,0 +1,7 @@
self-hosted-runner:
Member


Technically this isn't a self-hosted runner: it's a GitHub-hosted runner that we've configured. I'm not sure if that makes a difference in the config.

Contributor Author

@jplomas jplomas Aug 21, 2024


Without this, the lint will fail with the error:

.github/workflows/unix.yml:86:21: label "oqs-arm64" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-22.04", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-14.0", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "macos-13.0", "macos-12-xl", "macos-12-xlarge", "macos-12-large", "macos-12", "macos-12.0", "macos-11", "macos-11.0", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file [runner-label]

Member


Makes sense. It looks like there's no other name for the actionlint config variable, but maybe we can add a comment saying that it's not self-hosted. A security audit asked about the oqs-arm64 being self-hosted, so it would be nice to not have any documentation that might make it appear to be.

# Labels of self-hosted runner in array of strings.
labels: [oqs-arm64]
# Configuration variables in array of strings defined in your repository or
# organization. `null` means disabling configuration variables check.
# Empty array means no configuration variable is allowed.
config-variables: null
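Review bot: `self-hosted-runner:` / `labels: [oqs-arm64]` records oqs-arm64 as a self-hosted runner label, which the discussion above says it is not (it is a GitHub-hosted runner with a custom configuration). Since actionlint only exposes this key for custom labels, add a YAML comment above the block stating that the label refers to a GitHub-hosted runner and is listed here solely to satisfy the `runner-label` check, so that a future audit does not read this file as evidence of a self-hosted runner. Separately, `config-variables: null` switches the configuration-variable check off entirely, as the inline comment notes; if the workflows reference no repository or organization variables, `config-variables: []` keeps that check active.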
17 changes: 17 additions & 0 deletions .github/workflows/actionlint.yml
@@ -0,0 +1,17 @@
name: Lint GitHub workflows

on: [push, pull_request]

jobs:
lint:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3

- name: Install Actionlint
run: |
curl -sSL https://github.com/rhysd/actionlint/releases/download/v1.7.1/actionlint_1.7.1_linux_amd64.tar.gz | tar -xz -C /usr/local/bin
Member


I wonder if there's a way to do this so that we're not executing a file downloaded from a somewhat random URL. Perhaps we could

  • use a (somewhat) trusted method like apt-get (if supported),
  • host the archive somewhere on a URL we control so that we know it won't change silently, or
  • run this in one of our CI containers and bake actionlint into the image.

Tagging @planetf1 for ideas here as this is adjacent to the scorecard work.

Contributor Author


We could also build Actionlint from source at a fixed commit in this Action

Member


We could also build Actionlint from source at a fixed commit in this Action

Quick reminder: We want to be a bit more responsible to the environment, so building things at each CI run seems to run counter to this goal. Also, for more reliability, I'd think this option by @SWilson4 is the most sensible way forward:

run this in one of our CI containers and bake actionlint into the image.


- name: Run Actionlint
run: actionlint -shellcheck "" # run *without* shellcheck
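Review bot: the `Install Actionlint` step extracts an unverified download straight into `/usr/local/bin` (`curl -sSL https://github.com/rhysd/actionlint/releases/download/v1.7.1/actionlint_1.7.1_linux_amd64.tar.gz | tar -xz -C /usr/local/bin`), so the lint job trusts that release asset never to change, while the checkout step in the same file is pinned to a commit SHA. At minimum, download the archive to a file and check its digest against a value recorded in the workflow before extracting, for example `echo '<sha256 of the v1.7.1 asset> actionlint.tar.gz' | sha256sum -c`, or take the option from the discussion above and bake actionlint into one of the project's CI container images so the binary is fixed at image build time. Two smaller points: the workflow declares no `permissions:` block, so the job's GITHUB_TOKEN receives whatever the repository default grants rather than the `contents: read` this job needs; and `-shellcheck ""` turns off the shellcheck pass over `run:` scripts, which deserves a comment explaining why (or installing shellcheck alongside actionlint), since that pass is the part of the linter that inspects the shell the workflows actually execute.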