shared-actions/.github/workflows/validate-shared-actions.yml


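# Lints this repository's workflow files with a version-pinned actionlint
# binary on every pull request event listed below.
name: validate-shared-actions
on:
  pull_request:
    types: [opened, reopened, synchronize]
# Read-only token scope for the whole workflow.
# NOTE(review): confirm this forge enforces `permissions`; not every
# Actions-compatible implementation honours the key.
permissions:
  contents: read
jobs:
  validate-shared-actions:
    runs-on: ubuntu-latest
    env:
      # Quoted so the version stays a string; it is used in the download
      # URL, the install path and the cache key.
      ACTIONLINT_VERSION: "1.7.8"
    steps:
      # NOTE(review): the actions below are referenced by the mutable tag
      # `@v4`. Pinning each to a full commit SHA would make the code that
      # runs in this job immutable.
      - name: Checkout
        uses: https://code.forgejo.org/actions/checkout@v4
        with:
          # No later step needs git credentials, and the job goes on to
          # execute a downloaded binary against pull-request content, so
          # do not leave the token in the checked-out .git/config.
          persist-credentials: false
      - name: Restore actionlint cache
        id: cache-actionlint
        uses: https://data.forgejo.org/actions/cache/restore@v4
        with:
          path: .cache/tools/actionlint
          key: actionlint-${{ runner.os }}-${{ env.ACTIONLINT_VERSION }}
      - name: Install actionlint (pinned + checksum)
        if: ${{ steps.cache-actionlint.outputs.cache-hit != 'true' }}
        shell: bash
        run: |
          set -euo pipefail
          VERSION="${ACTIONLINT_VERSION}"
          OS="linux"
          ARCH="amd64"
          BASE_URL="https://github.com/rhysd/actionlint/releases/download/v${VERSION}"
          TAR="actionlint_${VERSION}_${OS}_${ARCH}.tar.gz"
          CHECKSUMS="checksums.txt"
          INSTALL_DIR=".cache/tools/actionlint/${VERSION}"
          # Private scratch directory instead of fixed names under /tmp,
          # which another process on a shared runner could pre-create.
          WORK_DIR="$(mktemp -d)"
          trap 'rm -rf "${WORK_DIR}"' EXIT
          mkdir -p "${INSTALL_DIR}"
          # Refuse any non-HTTPS hop, including on redirects.
          curl -fsSL --proto '=https' --proto-redir '=https' \
            "${BASE_URL}/${TAR}" -o "${WORK_DIR}/${TAR}"
          curl -fsSL --proto '=https' --proto-redir '=https' \
            "${BASE_URL}/${CHECKSUMS}" -o "${WORK_DIR}/${CHECKSUMS}"
          # Select the checksum entry by exact file name. A regex match
          # would treat the dots in the name as wildcards.
          awk -v f="${TAR}" '$2 == f || $2 == "*" f' \
            "${WORK_DIR}/${CHECKSUMS}" > "${WORK_DIR}/actionlint-sha256.txt"
          if [ "$(wc -l < "${WORK_DIR}/actionlint-sha256.txt")" -ne 1 ]; then
            echo "expected exactly one checksum entry for ${TAR}"
            exit 1
          fi
          # NOTE(review): checksums.txt is fetched from the same release as
          # the tarball, so this detects a corrupted or truncated download
          # but not a replaced release asset. For a real pin, commit the
          # expected SHA-256 next to ACTIONLINT_VERSION and compare to that.
          (cd "${WORK_DIR}" && sha256sum -c actionlint-sha256.txt)
          # Extract only the `actionlint` member of the archive.
          tar -xzf "${WORK_DIR}/${TAR}" -C "${INSTALL_DIR}" actionlint
          chmod +x "${INSTALL_DIR}/actionlint"
      - name: Save actionlint cache
        if: ${{ steps.cache-actionlint.outputs.cache-hit != 'true' }}
        uses: https://data.forgejo.org/actions/cache/save@v4
        with:
          path: .cache/tools/actionlint
          key: actionlint-${{ runner.os }}-${{ env.ACTIONLINT_VERSION }}
      - name: Lint workflows with actionlint
        shell: bash
        run: |
          set -euo pipefail
          ACTIONLINT_BIN=".cache/tools/actionlint/${ACTIONLINT_VERSION}/actionlint"
          # NOTE(review): on a cache hit this binary is executed without
          # being re-verified. A digest committed in the workflow would
          # allow checking it here as well as at install time.
          if [ ! -x "${ACTIONLINT_BIN}" ]; then
            echo "actionlint binary missing: ${ACTIONLINT_BIN}"
            exit 1
          fi
          # compgen -G succeeds only when the glob matches at least one file.
          if compgen -G ".github/workflows/*.yml" > /dev/null || compgen -G ".github/workflows/*.yaml" > /dev/null; then
            "${ACTIONLINT_BIN}" -color
          else
            echo "No workflow files found in .github/workflows; skipping actionlint workflow lint"
          fi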