Deeper validation of workflow yamls (#169)

Extension to #168 - this installs a semantic checker for workflow yamls. (Not just YAML linter.) It runs a strict test on for the YAMLs for mistakes, and then an informational test with all the linting warnings about deprecations and such.
groundlight · Jan 24, 2025 · 063e8d3 · 063e8d3
1 parent 93b9261
commit 063e8d3
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 13 deletions.
diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
@@ -0,0 +1,23 @@
+self-hosted-runner:
+  # Labels of self-hosted runner in array of strings.
+  labels: []
+
+# Configuration variables in array of strings defined in your repository or
+# organization. `null` means disabling configuration variables check.
+# Empty array means no configuration variable is allowed.
+config-variables: null
+
+# Configuration for file paths. The keys are glob patterns to match to file
+# paths relative to the repository root. The values are the configurations for
+# the file paths. Note that the path separator is always '/'.
+# The following configurations are available.
+# NOTE: Everything from here down is removed in the "Warnings" run of actionlint in the workflow.
+paths:
+  # "ignore" is an array of regular expression patterns. Matched error messages
+  # are ignored. This is similar to the "-ignore" command line option.
+  .github/workflows/**/*.{yml,yaml}:
+    ignore:
+      - '.*action is too old to run on GitHub Actions.*'
+      - '.*was deprecated.*'
+      - '.*shellcheck.*:warning:.*'
+      - '.*shellcheck.*:info:.*'
diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml
@@ -1,6 +1,9 @@
 name: cicd
 on:
-  push:
+  pull_request:
+    branches:
+      - main
+    types: [opened, synchronize, reopened]
   workflow_dispatch:
     # This allows it to be triggered manually in the github console
     # You could put inputs here, but we don't need them.
@@ -10,7 +13,7 @@ concurrency:
   cancel-in-progress: true
 env:
   PYTHON_VERSION: "3.11"
-  POETRY_VERSION: "1.5.1"
+  POETRY_VERSION: "1.8.3"
   # This is the token associated with "prod-biggies" (with shared credentials on 1password)
   GROUNDLIGHT_API_TOKEN: ${{ secrets.GROUNDLIGHT_API_TOKEN }}
   # This is the NGINX proxy endpoint
@@ -24,6 +27,7 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Set up python
+        id: setup_python
         uses: actions/setup-python@v4
         with:
           python-version: ${{ env.PYTHON_VERSION }}
@@ -41,7 +45,7 @@ jobs:
         uses: actions/cache@v3
         with:
           path: .venv
-          key: venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{hashFiles('**/poetry.lock') }}
+          key: venv-${{ runner.os }}-${{ env.PYTHON_VERSION }}-${{ hashFiles('**/poetry.lock') }}
 
       - name: Install edge-endpoint's python dependencies
         run: |
@@ -217,7 +221,7 @@ jobs:
         uses: actions/cache@v3
         with:
           path: .venv
-          key: venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{hashFiles('**/poetry.lock') }}
+          key: venv-${{ runner.os }}-${{ env.PYTHON_VERSION }}-${{ hashFiles('**/poetry.lock') }}
 
       # Note that we're pulling the latest main from the SDK repo
       # This might be ahead of what's published to pypi, but it's useful to test things before they're released.

diff --git a/.github/workflows/validate-workflow-files.yaml b/.github/workflows/validate-workflow-files.yaml
@@ -1,29 +1,25 @@
 name: Workflow YAML check
+# This performs fairly detailed checks on all the .yaml workflow definitions
 # Note that without this, a single minor mistake in a workflow YAML
-# will cause github to SILENTLY FAIL.  It will:
+# will cause github to (almost) SILENTLY FAIL.  It will:
 # - Not run any part of the workflow
 # - Not even report that there was an error in the file
+# - Show a hard-to-find failure in the "Actions" tab of the repo.
 # This could cause a key set of checks to not run, and thus an important
 # error to slip by unnoticed.
 
-# TODO: It would be nice to validate the semantics of the workflow files
-# not just their basic syntax, but this is a good start.
-# e.g. if a job has a "needs:" field but nothing listed under it,
-# that will pass linting, but fail at GH.  I believe there's a GH API
-# we can post to that will validate the workflow files.
-
 on:
   pull_request:
     paths:
       - '.github/workflows/*.yaml'
-      - '.github/.yamllint.yaml'
+      - '.github/*.yaml'
     types: [opened, synchronize, reopened]
   push:
     branches:
       - main
     paths:
       - '.github/workflows/*.yaml'
-      - '.github/.yamllint.yaml'
+      - '.github/*.yaml'
 
 jobs:
   check-workflow-files:
@@ -49,3 +45,25 @@ jobs:
 
       - name: Run yamllint
         run: yamllint -c ../.yamllint.yaml *.yaml
+
+      - name: Set up Golang
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.21"
+
+      - name: Install actionlint
+        run: |
+          go install github.com/rhysd/actionlint/cmd/actionlint@latest
+          echo "${HOME}/go/bin" >> $GITHUB_PATH
+
+      - name: Run actionlint looking for serious errors
+        # Actionlint can't find the config file if it's not run from the root
+        working-directory: .
+        run: actionlint -oneline
+
+      - name: Run actionlint loosely for warnings
+        working-directory: .
+        run: |
+          # Delete all the "ignore" lines in the actionlint.yaml file
+          sed -i '/^paths:/,$d' .github/actionlint.yaml
+          actionlint -oneline || echo "actionlint has non-critical warnings"