93 lines
3.3 KiB
YAML
93 lines
3.3 KiB
YAML
name: Lint Release Workflows
|
|
|
|
# Runs actionlint + shellcheck against the release / create-pr, release /
|
|
# publish, and canary / publish pipelines and the scripts they call. Keeps
|
|
# these critical, retry-sensitive files from silently regressing on shell or
|
|
# action-syntax bugs.
|
|
#
|
|
# Scope is intentionally narrow: only the release workflows and
|
|
# scripts/release/*. Expanding later is cheap; starting narrow avoids
|
|
# drowning unrelated changes in pre-existing lint noise.
|
|
#
|
|
# Workflow mapping (cpk):
|
|
# release / create-pr -> .github/workflows/stable-release.yml
|
|
# release / publish -> .github/workflows/publish-release.yml
|
|
# canary / publish -> .github/workflows/canary.yml
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
paths:
|
|
- ".github/workflows/stable-release.yml"
|
|
- ".github/workflows/publish-release.yml"
|
|
- ".github/workflows/canary.yml"
|
|
- ".github/workflows/lint-release-workflows.yml"
|
|
- "scripts/release/**"
|
|
- "release.config.json"
|
|
- "nx.json"
|
|
pull_request:
|
|
paths:
|
|
- ".github/workflows/stable-release.yml"
|
|
- ".github/workflows/publish-release.yml"
|
|
- ".github/workflows/canary.yml"
|
|
- ".github/workflows/lint-release-workflows.yml"
|
|
- "scripts/release/**"
|
|
- "release.config.json"
|
|
- "nx.json"
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
actionlint:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
|
|
with:
|
|
persist-credentials: false
|
|
- name: Run actionlint on release workflows
|
|
uses: reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # v1.72.0
|
|
with:
|
|
reporter: github-check
|
|
level: error
|
|
fail_level: error
|
|
actionlint_flags: >-
|
|
.github/workflows/stable-release.yml
|
|
.github/workflows/publish-release.yml
|
|
.github/workflows/canary.yml
|
|
.github/workflows/lint-release-workflows.yml
|
|
|
|
shellcheck:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
|
|
with:
|
|
persist-credentials: false
|
|
- name: Install shellcheck
|
|
run: sudo apt-get update && sudo apt-get install -y shellcheck
|
|
- name: Run shellcheck on release scripts
|
|
run: |
|
|
set -euo pipefail
|
|
shopt -s nullglob globstar
|
|
files=(scripts/release/**/*.sh)
|
|
if [ ${#files[@]} -eq 0 ]; then
|
|
echo "No shell scripts under scripts/release/"
|
|
exit 0
|
|
fi
|
|
shellcheck --severity=warning "${files[@]}"
|
|
|
|
release-scope-dropdown-sync:
|
|
# Verifies the workflow_dispatch `scope` choice dropdowns in
|
|
# stable-release.yml, publish-release.yml, and canary.yml match
|
|
# release.config.json's `.scopes` keys. These option lists are
|
|
# hand-maintained and drift from the config (newly-enrolled packages
|
|
# weren't canary-selectable; stale scopes lingered), so this guard fails
|
|
# CI whenever they diverge again.
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
|
|
with:
|
|
persist-credentials: false
|
|
- name: Verify release scope dropdowns match release.config.json
|
|
run: bash scripts/release/verify-release-scope-dropdowns.sh
|