Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Feature Request: Support linting action metadata files #46

Open
mike-stewart opened this issue Sep 2, 2021 · 8 comments
Open

Feature Request: Support linting action metadata files #46

mike-stewart opened this issue Sep 2, 2021 · 8 comments
Labels
enhancement New feature or request

Comments

@mike-stewart
Copy link

It would be great to have support for linting action files as well as workflow files.

Especially with the recent release of composite actions, it seems that building private actions will be a common way to DRY up workflow files. Currently there is a gap in linting, because the workflow files are covered but anything moved to an action is not.

@rhysd rhysd added the enhancement New feature or request label Sep 2, 2021
@rhysd rhysd changed the title Feature Request: Support linting action files Feature Request: Support linting action metadata files Sep 2, 2021
@steve-viso
Copy link

Hey, I was wondering if there is any plans to implement this?

@krisrecur
Copy link

krisrecur commented Jul 6, 2022

+1. This would be very useful!

@andyfeller
Copy link

andyfeller commented Oct 9, 2022

@rhysd : truly appreciate your good work here! ✨ 🙇

if someone was interested in contributing support for this feature, what would be some considerations for adding this that someone unfamiliar with the project might review?

  1. Would actionlint be invoked with an arbitrary path containing composite action(s) and workflows, not simply .github/workflows/?

    From /command.go, it seems this would need some minor rework as I'd would like to pass one or more directories on the command line to workflows and/or composite actions:

    func (cmd *Command) runLinter(args []string, opts *LinterOptions, initConfig bool) ([]*Error, error) {
       l, err := NewLinter(cmd.Stdout, opts)
       if err != nil {
     	  return nil, err
       }
    
       if initConfig {
     	  return nil, l.GenerateDefaultConfig(".")
       }
    
       if len(args) == 0 {
     	  return l.LintRepository(".")
       }
    
       if len(args) == 1 && args[0] == "-" {
     	  b, err := io.ReadAll(cmd.Stdin)
     	  if err != nil {
     		  return nil, fmt.Errorf("could not read stdin: %w", err)
     	  }
     	  n := "<stdin>"
     	  if opts.StdinFileName != "" {
     		  n = opts.StdinFileName
     	  }
     	  return l.Lint(n, b, nil)
       }
    
       return l.LintFiles(args, nil)
    }
  2. How difficult is it to account for a similar but different schema for composite actions versus a workflow file?

    It seems parser.go is very specifically for workflow parsing. Some of this would be useful for parsing and validating composite files, however I don't know how you might want to restructure the detection of files to be parsed to use the right parser.

Thank you for discussing what this might entail as I genuinely want to see if we can help explain to someone who might be willing and capable of doing the work. 😹

@SimonHeimberg
Copy link

SimonHeimberg commented Jul 26, 2023

Some ideas:

  • distinguish between workflow and action:
    • workflow has top level keys jobs and on
    • action has top level key runs
  • find action files:
    • maybe those referenced in the workflow files
    • maybe **/action.yaml (to find public actions)
    • maybe .github/action*/*.yaml
  • what to check:
    • runs.using is composite or a node version (nodeXX) or docker
    • runs.steps of composite actions like steps of a job (p.parseSteps()) (but shell is required if run is set)
    • ??? for docker actions
    • ??? for JavaScript actions
    • inputs (probably similar to inputs in "on")
    • outputs (for composite actions probably like output of jobs)
    • description exists (is mandatory)
    • ???

@karlbrown-va
Copy link

karlbrown-va commented Apr 22, 2024

one thing that might help is this: https://check-jsonschema.readthedocs.io/en/stable/usage.html

pre-commit example:

  - repo: https://github.com/python-jsonschema/check-jsonschema
    rev: 315c23f8562a5bafa15ab448ff542abe02d9e439  # frozen: 0.28.2
    hooks:
      - id: check-github-actions

Note however that this will not lint the inside of scripts, it will just confirm that your action.yaml schema is correct.

@ChrisCarini
Copy link
Contributor

I'm very interested in seeing this feature added. I started working on it, then realized that @msw-kialo already had a completely functional PR of it: #366

I pulled this PR locally, and merged in the ~250 updates from rhysd/actionlint (there were a handful of fairly easy merge conflicts to deal with), and was able to successfully test the PR locally.

I'd encourage others to also test the change and provide feedback in the PR.

@grahame-student
Copy link

Would be great to see this implemented, we've had a couple of issues with developers assuming that the shell commands contained in their composite actions' action.yml files are good because super-linter (being used to run actionlint indirectly) hasn't complained.

This has resulted in a couple of defects getting merged that might otherwise have been caught.

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

9 participants