Add workflow to run actionlint (#4468)

[actionlint](https://github.com/rhysd/actionlint) is a static checker for GitHub Actions workflow files. This PR adds a workflow that runs `actionlint` to check `.yml` files in `.github/workflows`. It also cleans up some issues flagged by `shellcheck`, a linter for shell scripts `actionlint` calls out to. --------- Co-authored-by: Bruce Collie <[email protected]>
runtimeverification · Jun 24, 2024 · 1ee5abb · 1ee5abb
1 parent 78a82dc
commit 1ee5abb
Show file tree

Hide file tree

Showing 7 changed files with 118 additions and 89 deletions.
diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
@@ -0,0 +1,5 @@
+self-hosted-runner:
+  labels:
+    - MacM1
+    - normal
+    - performance
diff --git a/.github/workflows/develop.yml b/.github/workflows/develop.yml
@@ -27,7 +27,7 @@ jobs:
           git checkout -B master origin/master
           old_develop="$(git merge-base origin/develop origin/master)"
           new_develop="$(git rev-parse origin/develop)"
-          if git diff --exit-code ${old_develop} ${new_develop} -- package/version; then
+          if git diff --exit-code "${old_develop}" "${new_develop}" -- package/version; then
             git merge --no-edit origin/develop
             ./package/version.sh bump
           else
@@ -55,41 +55,41 @@ jobs:
         run: |
           set -euxo pipefail
           workspace=$(pwd)
-          docker run --name k-posting-profiling-tests-${GITHUB_SHA}            \
-            --rm -it --detach                                                  \
-            -e BENCHER_API_TOKEN=$BENCHER_API_TOKEN                            \
-            -e BENCHER_PROJECT=$BENCHER_PROJECT                                \
-            -e BENCHER_ADAPTER=$BENCHER_ADAPTER                                \
-            -e GITHUB_HEAD_REF=$GITHUB_HEAD_REF                                \
-            -e GITHUB_BASE_REF=$GITHUB_BASE_REF                                \
-            -e GITHUB_TOKEN=$GITHUB_TOKEN                                      \
-            -e GITHUB_ACTIONS=true                                             \
-            -e GITHUB_EVENT_NAME=$GITHUB_EVENT_NAME                            \
-            -e GITHUB_EVENT_PATH=$GITHUB_EVENT_PATH                            \
-            -e GITHUB_REPOSITORY=$GITHUB_REPOSITORY                            \
-            -e GITHUB_REF=$GITHUB_REF                                          \
-            -e GITHUB_SHA=${GITHUB_SHA}                                        \
-            --workdir /opt/workspace                                           \
-            -v "${workspace}:/opt/workspace"                                   \
-            -v "${GITHUB_EVENT_PATH}:${GITHUB_EVENT_PATH}"                     \
-            ${BASE_OS}:${BASE_DISTRO}
+          docker run --name "k-posting-profiling-tests-${GITHUB_SHA}" \
+            --rm -it --detach                                         \
+            -e BENCHER_API_TOKEN="$BENCHER_API_TOKEN"                 \
+            -e BENCHER_PROJECT="$BENCHER_PROJECT"                     \
+            -e BENCHER_ADAPTER="$BENCHER_ADAPTER"                     \
+            -e GITHUB_HEAD_REF="$GITHUB_HEAD_REF"                     \
+            -e GITHUB_BASE_REF="$GITHUB_BASE_REF"                     \
+            -e GITHUB_TOKEN="$GITHUB_TOKEN"                           \
+            -e GITHUB_ACTIONS=true                                    \
+            -e GITHUB_EVENT_NAME="$GITHUB_EVENT_NAME"                 \
+            -e GITHUB_EVENT_PATH="$GITHUB_EVENT_PATH"                 \
+            -e GITHUB_REPOSITORY="$GITHUB_REPOSITORY"                 \
+            -e GITHUB_REF="$GITHUB_REF"                               \
+            -e GITHUB_SHA="$GITHUB_SHA"                               \
+            --workdir /opt/workspace                                  \
+            -v "${workspace}:/opt/workspace"                          \
+            -v "${GITHUB_EVENT_PATH}:${GITHUB_EVENT_PATH}"            \
+            "${BASE_OS}:${BASE_DISTRO}"
       - name: 'Setting up dependencies'
         run: |
           set -euxo pipefail
-          docker exec -t k-posting-profiling-tests-${GITHUB_SHA} /bin/bash -c './k-distribution/tests/profiling/setup_profiling.sh SKIP_K_BUILD'
+          docker exec -t "k-posting-profiling-tests-${GITHUB_SHA}" /bin/bash -c './k-distribution/tests/profiling/setup_profiling.sh SKIP_K_BUILD'
       - name: 'Getting Performance Tests Results'
         run: |
           set -euxo pipefail
-          docker exec -t k-posting-profiling-tests-${GITHUB_SHA} /bin/bash -c './k-distribution/tests/profiling/post_results_to_develop.py ${GITHUB_SHA}'
+          docker exec -t "k-posting-profiling-tests-${GITHUB_SHA}" /bin/bash -c './k-distribution/tests/profiling/post_results_to_develop.py "${GITHUB_SHA}"'
       - name: 'Posting Performance Tests Results'
         run: |
           set -euxo pipefail
-          docker exec -t k-posting-profiling-tests-${GITHUB_SHA} /bin/bash -c 'bencher run            \
+          docker exec -t "k-posting-profiling-tests-${GITHUB_SHA}" /bin/bash -c 'bencher run            \
             --if-branch "develop" --else-if-branch "master"                    \
             --file .profiling-results.json --err --ci-only-on-alert            \
             --github-actions "${GITHUB_TOKEN}" "echo Exporting report"'
       - name: 'Tear down Docker'
         if: always()
         run: |
-          docker stop --time=0 k-posting-profiling-tests-${GITHUB_SHA}
-          docker container rm --force k-posting-profiling-tests-${GITHUB_SHA} || true
+          docker stop --time=0 "k-posting-profiling-tests-${GITHUB_SHA}"
+          docker container rm --force "k-posting-profiling-tests-${GITHUB_SHA}" || true
diff --git a/.github/workflows/master-pr.yml b/.github/workflows/master-pr.yml
@@ -25,8 +25,8 @@ jobs:
         run: |
           set -x
           pull_number=$(jq --raw-output .pull_request.number "${GITHUB_EVENT_PATH}")
-          curl -X PATCH                                                             \
-            -H "Accept: application/vnd.github+json"                                \
-            -H "Authorization: Bearer ${GITHUB_TOKEN}"                              \
-            https://api.github.com/repos/runtimeverification/k/pulls/${pull_number} \
+          curl -X PATCH                                                               \
+            -H "Accept: application/vnd.github+json"                                  \
+            -H "Authorization: Bearer ${GITHUB_TOKEN}"                                \
+            "https://api.github.com/repos/runtimeverification/k/pulls/${pull_number}" \
             -d '{"base":"develop"}'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: 'Get release_id'
-        run: echo "release_id=$(jq --raw-output '.release.id' $GITHUB_EVENT_PATH)" >> ${GITHUB_OUTPUT}
+        run: echo "release_id=$(jq --raw-output '.release.id' "$GITHUB_EVENT_PATH")" >> "${GITHUB_OUTPUT}"
         id: release
     outputs:
       release_id: ${{ steps.release.outputs.release_id }}
@@ -35,13 +35,14 @@ jobs:
           set -x
           version=$(cat package/version)
           tarball=kframework-${version}-src.tar.gz
+          # shellcheck disable=SC2038
           find . -name .git | xargs rm -r
           CURDIR=$(pwd)
           cd ..
-          tar czvf ${tarball} $(basename ${CURDIR})
-          mv ${tarball} ${CURDIR}/
-          cd ${CURDIR}
-          gh release upload --repo runtimeverification/k --clobber v${version} ${tarball}
+          tar czvf "${tarball}" "$(basename "${CURDIR}")"
+          mv "${tarball}" "${CURDIR}/"
+          cd "${CURDIR}"
+          gh release upload --repo runtimeverification/k --clobber "v${version}" "${tarball}"
 
   cachix-release:
     name: 'k-framework-binary cachix release'
@@ -114,8 +115,8 @@ jobs:
         run: |
           set -x
           version=$(cat package/version)
-          cp kframework_amd64_ubuntu_jammy.deb kframework_${version}_amd64_ubuntu_jammy.deb
-          gh release upload --repo runtimeverification/k --clobber v${version} kframework_${version}_amd64_ubuntu_jammy.deb
+          cp kframework_amd64_ubuntu_jammy.deb "kframework_${version}_amd64_ubuntu_jammy.deb"
+          gh release upload --repo runtimeverification/k --clobber "v${version}" "kframework_${version}_amd64_ubuntu_jammy.deb"
       - name: 'Build, Test, and Push Dockerhub Image'
         shell: bash {0}
         env:
@@ -125,19 +126,19 @@ jobs:
           set -euxo pipefail
           version=$(cat package/version)
           version_tag=ubuntu-jammy-${version}
-          docker login --username rvdockerhub --password ${DOCKERHUB_PASSWORD}
-          docker image build . --file package/docker/Dockerfile.ubuntu-jammy --tag ${DOCKERHUB_REPO}:${version_tag}
-          docker run --name k-package-docker-test-jammy-${GITHUB_SHA} --rm -it --detach ${DOCKERHUB_REPO}:${version_tag}
-          docker exec -t k-package-docker-test-jammy-${GITHUB_SHA} bash -c 'cd ~ && echo "module TEST imports BOOL endmodule" > test.k'
-          docker exec -t k-package-docker-test-jammy-${GITHUB_SHA} bash -c 'cd ~ && kompile test.k --backend llvm'
-          docker exec -t k-package-docker-test-jammy-${GITHUB_SHA} bash -c 'cd ~ && kompile test.k --backend haskell'
-          docker exec -t k-package-docker-test-jammy-${GITHUB_SHA} bash -c 'cd ~ && pyk kompile test.k --backend llvm'
-          docker exec -t k-package-docker-test-jammy-${GITHUB_SHA} bash -c 'cd ~ && pyk kompile test.k --backend haskell'
-          docker image push ${DOCKERHUB_REPO}:${version_tag}
+          docker login --username rvdockerhub --password "${DOCKERHUB_PASSWORD}"
+          docker image build . --file package/docker/Dockerfile.ubuntu-jammy --tag "${DOCKERHUB_REPO}:${version_tag}"
+          docker run --name "k-package-docker-test-jammy-${GITHUB_SHA}" --rm -it --detach "${DOCKERHUB_REPO}:${version_tag}"
+          docker exec -t "k-package-docker-test-jammy-${GITHUB_SHA}" bash -c 'cd ~ && echo "module TEST imports BOOL endmodule" > test.k'
+          docker exec -t "k-package-docker-test-jammy-${GITHUB_SHA}" bash -c 'cd ~ && kompile test.k --backend llvm'
+          docker exec -t "k-package-docker-test-jammy-${GITHUB_SHA}" bash -c 'cd ~ && kompile test.k --backend haskell'
+          docker exec -t "k-package-docker-test-jammy-${GITHUB_SHA}" bash -c 'cd ~ && pyk kompile test.k --backend llvm'
+          docker exec -t "k-package-docker-test-jammy-${GITHUB_SHA}" bash -c 'cd ~ && pyk kompile test.k --backend haskell'
+          docker image push "${DOCKERHUB_REPO}:${version_tag}"
       - name: 'Clean up Docker Container'
         if: always()
         run: |
-          docker stop --time=0 k-package-docker-test-jammy-${GITHUB_SHA}
+          docker stop --time=0 "k-package-docker-test-jammy-${GITHUB_SHA}"
       - name: On Failure, Upload the kore-exec.tar.gz file to the Summary Page
         if: failure()
         uses: actions/upload-artifact@v4
@@ -193,7 +194,9 @@ jobs:
           # https://github.com/actions/runner-images/issues/6459
           # https://github.com/actions/runner-images/issues/6507
           # https://github.com/actions/runner-images/issues/2322
-          brew list -1 | grep python | while read formula; do brew unlink $formula; brew link --overwrite $formula; done
+
+          # shellcheck disable=SC2162
+          brew list -1 | grep python | while read formula; do brew unlink "$formula"; brew link --overwrite "$formula"; done
 
       - name: Build brew bottle
         id: build
@@ -209,15 +212,16 @@ jobs:
           ROOT_URL='https://github.com/runtimeverification/k/releases/download'
           wget "$ROOT_URL/v${VERSION}/kframework-${VERSION}-src.tar.gz"
           cd homebrew-k
-          ../kframework/package/macos/brew-update-to-local ${PACKAGE} ${VERSION}
-          git commit Formula/$PACKAGE.rb -m "Update ${PACKAGE} to ${VERSION}: part 1"
-          ../kframework/package/macos/brew-build-and-update-to-local-bottle ${PACKAGE} ${VERSION} ${ROOT_URL}
+          ../kframework/package/macos/brew-update-to-local "${PACKAGE}" "${VERSION}"
+          git commit "Formula/$PACKAGE.rb" -m "Update ${PACKAGE} to ${VERSION}: part 1"
+          ../kframework/package/macos/brew-build-and-update-to-local-bottle "${PACKAGE}" "${VERSION}" "${ROOT_URL}"
           git reset HEAD^
-          LOCAL_BOTTLE_NAME=$(basename $(find . -name "kframework--${VERSION}.arm64_sonoma.bottle*.tar.gz"))
-          BOTTLE_NAME=$(echo ${LOCAL_BOTTLE_NAME#./} | sed 's!kframework--!kframework-!')
-          ../kframework/package/macos/brew-update-to-final ${PACKAGE} ${VERSION} ${ROOT_URL}
-          echo "path=${LOCAL_BOTTLE_NAME}" >> ${GITHUB_OUTPUT}
-          echo "path_remote=${BOTTLE_NAME}" >> ${GITHUB_OUTPUT}
+          LOCAL_BOTTLE_NAME=$(basename "$(find . -name "kframework--${VERSION}.arm64_sonoma.bottle*.tar.gz")")
+          # shellcheck disable=2001
+          BOTTLE_NAME=$(echo "${LOCAL_BOTTLE_NAME#./}" | sed 's!kframework--!kframework-!')
+          ../kframework/package/macos/brew-update-to-final "${PACKAGE}" "${VERSION}" "${ROOT_URL}"
+          echo "path=${LOCAL_BOTTLE_NAME}" >> "${GITHUB_OUTPUT}"
+          echo "path_remote=${BOTTLE_NAME}" >> "${GITHUB_OUTPUT}"
 
       - name: Upload bottle
         uses: actions/upload-artifact@v4
@@ -279,7 +283,9 @@ jobs:
           # https://github.com/actions/runner-images/issues/6459
           # https://github.com/actions/runner-images/issues/6507
           # https://github.com/actions/runner-images/issues/2322
-          brew list -1 | grep python | while read formula; do brew unlink $formula; brew link --overwrite $formula; done
+
+          # shellcheck disable=SC2162
+          brew list -1 | grep python | while read formula; do brew unlink "$formula"; brew link --overwrite "$formula"; done
 
       - name: 'Test brew bottle'
         id: test
@@ -324,8 +330,8 @@ jobs:
         run: |
           set -x
           version=$(cat k-homebrew-checkout/package/version)
-          mv homebrew-k-old/${BOTTLE_NAME} homebrew-k-old/${REMOTE_BOTTLE_NAME}
-          gh release upload --repo runtimeverification/k --clobber v${version} homebrew-k-old/${REMOTE_BOTTLE_NAME}
+          mv "homebrew-k-old/${BOTTLE_NAME}" "homebrew-k-old/${REMOTE_BOTTLE_NAME}"
+          gh release upload --repo runtimeverification/k --clobber "v${version}" "homebrew-k-old/${REMOTE_BOTTLE_NAME}"
 
       - run: |
           git config --global user.name rv-jenkins
@@ -385,16 +391,16 @@ jobs:
           MAVEN_PASSWORD: ${{ secrets.CLOUDREPO_PASSWORD }}
         run: |
           cat ~/.m2/settings.xml
-          docker exec -t k-release-ci-${GITHUB_SHA} bash -c 'mkdir -p /home/github-runner/.m2'
-          docker cp ~/.m2/settings.xml k-release-ci-${GITHUB_SHA}:/tmp/settings.xml
-          docker exec -t k-release-ci-${GITHUB_SHA} bash -c 'mv /tmp/settings.xml /home/github-runner/.m2/settings.xml'
-          docker exec -e MAVEN_USERNAME -e MAVEN_PASSWORD -t k-release-ci-${GITHUB_SHA} bash -c "mvn --batch-mode deploy"
+          docker exec -t "k-release-ci-${GITHUB_SHA}" bash -c 'mkdir -p /home/github-runner/.m2'
+          docker cp ~/.m2/settings.xml "k-release-ci-${GITHUB_SHA}:/tmp/settings.xml"
+          docker exec -t "k-release-ci-${GITHUB_SHA} bash" -c 'mv /tmp/settings.xml /home/github-runner/.m2/settings.xml'
+          docker exec -e MAVEN_USERNAME -e MAVEN_PASSWORD -t "k-release-ci-${GITHUB_SHA}" bash -c "mvn --batch-mode deploy"
 
       - name: 'Tear down Docker'
         if: always()
         run: |
-          docker stop --time=0 k-release-ci-${GITHUB_SHA}
-          docker container rm --force k-release-ci-${GITHUB_SHA} || true
+          docker stop --time=0 "k-release-ci-${GITHUB_SHA}"
+          docker container rm --force "k-release-ci-${GITHUB_SHA}" || true
 
       - name: Publish release
         uses: actions/github-script@v7
@@ -455,7 +461,7 @@ jobs:
             -H "Authorization: Bearer ${GITHUB_TOKEN}"                         \
             -H "X-GitHub-Api-Version: 2022-11-28"                              \
             https://api.github.com/repos/runtimeverification/devops/dispatches \
-            -d '{"event_type":"on-demand-test","client_payload":{"repo":"runtimeverification/k","version":"'${VERSION}'"}}'
+            -d '{"event_type":"on-demand-test","client_payload":{"repo":"runtimeverification/k","version":"'"${VERSION}"'"}}'
 
   pyk-build-docs:
     name: 'Build Pyk Documentation'
@@ -532,6 +538,7 @@ jobs:
           npm run build-sitemap
           cd -
           mv web/public_content ./
+          # shellcheck disable=SC2046
           rm -rf $(find . -maxdepth 1 -not -name public_content -a -not -name .git -a -not -path . -a -not -path .. -a -not -name CNAME)
           mv public_content/* ./
           rm -rf public_content

diff --git a/.github/workflows/run-actionlint.yml b/.github/workflows/run-actionlint.yml
@@ -0,0 +1,16 @@
+name: Lint GitHub Actions workflows
+on: pull_request
+
+jobs:
+  actionlint:
+    name: Run actionlint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Download actionlint
+        id: get_actionlint
+        run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+        shell: bash
+      - name: Check workflow files
+        run: ${{ steps.get_actionlint.outputs.executable }} -color
+        shell: bash