ci: harden workflow action input handling

2026-02-19 18:39:20 -05:00 · 2026-02-19 15:27:41 +01:00
parent efca61e3ac
commit 9130fd2b06
6 changed files with 132 additions and 9 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -368,7 +368,7 @@ jobs:
          test -s dist/plugin-sdk/index.js

      - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: 22.x
          check-latest: true
--- a/.github/workflows/install-smoke.yml
+++ b/.github/workflows/install-smoke.yml
@@ -34,7 +34,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: 22.x
          check-latest: true
--- a/.github/workflows/workflow-sanity.yml
+++ b/.github/workflows/workflow-sanity.yml
@@ -40,3 +40,24 @@ jobs:
              print(f"- {path}")
            sys.exit(1)
          PY
+
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install actionlint
+        shell: bash
+        run: |
+          set -euo pipefail
+          ACTIONLINT_VERSION="1.7.11"
+          archive="actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz"
+          curl -sSfL "https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/${archive}" | tar -xz actionlint
+          sudo mv actionlint /usr/local/bin/actionlint
+
+      - name: Lint workflows
+        run: actionlint
+
+      - name: Disallow direct inputs interpolation in composite run blocks
+        run: python3 scripts/check-composite-action-input-interpolation.py