
Provide a proper GitHub action of actionlint

Open toast-gear opened this issue 2 years ago • 6 comments

👋

I know you document how to use actionlint in a pipeline, it's also handy being able to run it locally.

We use actionlint in our pipelines and actionlint not being a proper action means keeping on top of bumping is hacky or we just pull down latest constantly and hope nothing ever breaks. If there was a proper action for this then GitHub native tools like dependabot could be used to bump the action automating the process with a known off the shelf tool whilst retaining the determinism of version pinning. If you don't want to spend the time making this repository work as an action too like https://github.com/mikefarah/yq then you could just produce a wrapper repository like https://github.com/bridgecrewio/checkov-action and just automate bumping the underlying container.

toast-gear avatar Feb 25 '22 12:02 toast-gear

I'm using https://github.com/reviewdog/action-actionlint which does the job.

Ameausoone avatar Apr 29 '22 13:04 Ameausoone

Neat, I didn't know that existed! Certainly helpful and perhaps @rhysd could take inspiration from it and produce an "official" action for actionlint 😅😄

toast-gear avatar Apr 29 '22 13:04 toast-gear

There are already a lot of users:

image

But it would be interesting to integrate reviewdog/action-actionlint in this repo. And in addition, if you would add an automatic semantic release action, cli and github action would be released as soon as you merge on main (cf https://github.com/marketplace/actions/release-that , https://goreleaser.com/cookbooks/semantic-release/) 👌

Ameausoone avatar May 18 '22 08:05 Ameausoone

Hmm, honestly I don't think dedicated action only for setup for actionlint since we already have the download script.

https://github.com/rhysd/actionlint/blob/main/docs/usage.md#use-actionlint-on-github-actions

However, this issue gained some upvotes and I understood actually some users want an action. I will consider it.

But it would be interesting to integrate reviewdog/action-actionlint in this repo.

Putting an action in the rhysd/actionlint repository is not possible because currently this repository is already using Git tags for releases. But an action also requires Git tags for releases. Versions of actionlint and versions of the action should be separated. So they will have conflicts. I think a separate repository is necessary.

rhysd avatar May 20 '22 12:05 rhysd

If there was a proper action for this then GitHub native tools like dependabot could be used to bump the action automating the process with a known off the shelf tool whilst retaining the determinism of version pinning.

Does this mean the action provides a feature like below?

  1. Check all uses: in steps of given workflows
  2. When a version of action in uses:, actionlint raises an error
  3. The action generates a PR to bump the versions

If my understanding is correct, this would need more consideration.

  • actionlint is focusing on catching a mistake. However, using old versions of actions is not a mistake
  • actionlint does not provide 'fixers' so it does not know how to fix errors
  • Users of GitHub Actions usually specify only major version such as actions/checkout@v3. In the case, detecting version bump means the next major version like actions/checkout@v4. IMO bumping major version should be done carefully since it usually contains breaking changes. Providing a PR which allows single click to bump all major versions would be dangerous.

rhysd avatar May 20 '22 13:05 rhysd

Hmm, honestly I don't think dedicated action only for setup for actionlint since we already have the download script.

main/docs/usage.md#use-actionlint-on-github-actions

However, this issue gained some upvotes and I understood actually some users want an action. I will consider it.

[...]

If there was a proper action for this then GitHub native tools like dependabot could be used to bump the action automating the process with a known off the shelf tool whilst retaining the determinism of version pinning.

[...]

Chiming in here related to this point: per my understanding of the install script it will always download the latest version of actionlint. This can be undesirable as this means builds are not reproducible. The most notable way in which this manifests itself is that the job using actionlint might start failing without having changed any workflows.

Admittedly, this reproducibility problem can be avoided by using the Docker image or using go install (if go is set up for the job). However, as far as I know, neither of these approaches has support for version updates by tools like Dependabot.

For these reasons, I believe having a "proper GitHub action" would be preferable - I believe this is also what the original issue author was getting at, specifically:

Does this mean the action provides a feature like below?

  • Check all uses: in steps of given workflows
  • When a version of action in uses:, actionlint raises an error
  • The action generates a PR to bump the versions

No, these things would all be carried out by Dependabot (or similar).

ericcornelissen avatar Dec 05 '22 21:12 ericcornelissen
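
As an added example (not code from this thread or from actionlint): a small Python audit that classifies each `uses:` reference by the pinning styles discussed above, from a major tag like `actions/checkout@v3` to a full commit SHA, and lists the ones that can change without the workflow file changing. The `example-org/example-action` references and the sample workflow are constructed for illustration.

```python
import re

# A `uses:` key in a step or job, e.g. "- uses: actions/checkout@v3  # comment"
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")       # full commit SHA: immutable
EXACT_RE = re.compile(r"^v?\d+\.\d+\.\d+$")  # exact release tag: fixed by convention
MAJOR_RE = re.compile(r"^v?\d+$")            # major tag: moved on every release

# Reference styles that can resolve to different code between two runs.
FLOATING = {"major-tag", "branch-or-other", "missing-ref", "docker-tag"}

def classify(spec):
    """Return the pinning style of one `uses:` value."""
    if spec.startswith("./"):
        return "local"
    if spec.startswith("docker://"):
        return "docker-digest" if "@sha256:" in spec else "docker-tag"
    if "@" not in spec:
        return "missing-ref"
    ref = spec.rsplit("@", 1)[1]
    for name, pattern in (("commit-sha", SHA_RE), ("exact-tag", EXACT_RE),
                          ("major-tag", MAJOR_RE)):
        if pattern.match(ref):
            return name
    return "branch-or-other"

def audit(workflow_text):
    """Return (line number, uses value, pinning style) for every `uses:` line."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            findings.append((lineno, m.group(1), classify(m.group(1))))
    return findings

def floating(findings):
    """Keep only references that may change without a workflow edit."""
    return [f for f in findings if f[2] in FLOATING]

# Constructed sample workflow; example-org/example-action is a placeholder name.
SAMPLE = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: example-org/example-action@main
      - uses: example-org/example-action@v1.2.3
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for lineno, spec, style in audit(SAMPLE):
        print(f"line {lineno}: {spec} -> {style}")
```
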