Pull request overview
This PR refactors GitHub Actions workflows to rely on a reusable “use nix shell” setup (instead of wrapping commands in nix-shell --run ...) and adds an actionlint configuration to enable workflow linting.
Changes:
- Add `.github/actionlint.yml` to configure actionlint checks and ignores.
- Introduce `rrbutani/use-nix-shell-action@v1` + a “cache nix shell” warmup step across workflows and the `nix-setup` composite action.
- Replace several `nix-shell --run ...` wrappers with direct `bash`/`just` invocations.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/version-bump.yml | Switches version bump step to run directly after setting up nix shell. |
| .github/workflows/dev.yml | Adds reusable nix shell setup steps and updates container push commands to run directly. |
| .github/workflows/bump.yml | Refactors dependency bump workflow to run commands directly after nix shell setup. |
| .github/actions/nix-setup/action.yml | Updates composite action to set up nix shell via action and run registry logins without nix-shell --run. |
| .github/actionlint.yml | Adds actionlint configuration (checks, runner labels, ignore patterns). |
Force-pushed dcacd51 to 1417a7c
Pull request overview
Enables actionlint in CI and adjusts GitHub Actions workflows/composite actions to rely on an exported Nix shell environment instead of wrapping commands in nix-shell --run.
Changes:
- Add `actionlint` to the Nix dev shell and introduce an `actionlint` workflow + config.
- Use `rrbutani/use-nix-shell-action@v1` in several workflows (and `nix-setup`) to export the Nix shell environment into the job, removing `nix-shell --run` wrappers.
- Refactor some workflow run steps to be plain bash scripts (no nested quoting via `nix-shell --run`).
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| default.nix | Adds actionlint to the dev shell toolset. |
| .github/workflows/lint-actionlint.yml | New workflow to run actionlint in CI. |
| .github/actionlint.yml | New actionlint configuration (enables additional checkers and sets ignores). |
| .github/workflows/version-bump.yml | Switches to exported Nix shell env; removes nix-shell --run wrapper. |
| .github/workflows/bump.yml | Switches to exported Nix shell env; removes nix-shell --run wrappers. |
| .github/workflows/dev.yml | Removes nix-shell --run wrappers in affected steps and refactors container push args. |
| .github/actions/nix-setup/action.yml | Exports Nix shell env during setup; removes nix-shell --run usage for cache warming and oras login. |
| .github/actions/just/action.yml | Runs just directly (expects nix-setup to have exported the environment). |
Comments suppressed due to low confidence (1)
default.nix:130
confidence: 7
tags: [logic]
`actionlint` is now included in the dev shell, but `.github/actionlint.yml` enables `run-step-shellcheck` and `run-step-pyflakes`. Those checks require `shellcheck` and `pyflakes` to be available on `PATH`; currently the dev shell package set here doesn’t include them, which can make CI depend on whatever happens to be installed on the self-hosted runner (or fail if they’re missing). Add the required tools to the nix shell (or disable these checkers in the actionlint config) to keep the lint workflow deterministic.
```nix
++ (with pkgs.pkgsBuildHost; [
  actionlint
  bash
  cargo-bolero
  cargo-deny
  cargo-depgraph
```
Force-pushed 08c04d1 to ecf8540
Pull request overview
This PR enables actionlint in CI and updates the nix-based tooling setup so GitHub Actions steps can run tools directly (without wrapping everything in nix-shell --run), while also adding shellcheck/pyflakes integration via actionlint’s config.
Changes:
- Add `actionlint` (plus `shellcheck` and `pyflakes`) to the nix dev shell toolset.
- Introduce an `actionlint` workflow and repo-level `.github/actionlint.yml` configuration enabling additional checks.
- Update several workflows/actions to use `rrbutani/use-nix-shell-action@v1` and run commands directly instead of `nix-shell --run ...`.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| default.nix | Adds actionlint, shellcheck, and pyflakes to the dev shell toolset. |
| .github/workflows/version-bump.yml | Switches to exported nix-shell env; removes nix-shell --run wrapper for version bump step. |
| .github/workflows/lint-actionlint.yml | New workflow that runs actionlint on PRs. |
| .github/workflows/dev.yml | Removes nix-shell --run wrappers in push steps; adds exported nix-shell env setup in publish flow. |
| .github/workflows/bump.yml | Switches to exported nix-shell env; removes nix-shell --run wrappers across steps. |
| .github/actions/nix-setup/action.yml | Uses use-nix-shell-action to export the nix-shell env into the job, and runs registry logins without a nix-shell wrapper. |
| .github/actions/just/action.yml | Runs just directly (expects nix-setup already exported env), removing nix-shell --run. |
| .github/actionlint.yml | New actionlint configuration enabling shellcheck/pyflakes/env/action checks and targeted ignores. |
Force-pushed ecf8540 to 34979ae
Pull request overview
Enables actionlint for GitHub Actions hygiene and refactors workflows to reuse a shared nix+Cachix+dev-shell bootstrap, reducing duplicated setup logic.
Changes:
- Add an `actionlint` workflow plus `.github/actionlint.yml` configuration, and install required linters in the nix dev-shell.
- Introduce a new lightweight composite action (`.github/actions/nix-shell`) and update multiple workflows to use it instead of inline nix/cachix setup.
- Simplify several workflow `run:` blocks now that the dev-shell is exported into the job environment.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| default.nix | Adds actionlint, shellcheck, and pyflakes to the dev-shell so CI can run actionlint with extra checkers. |
| .github/workflows/version-bump.yml | Replaces inline nix+cachix setup and nix-shell --run wrappers with the shared nix-shell action and direct commands. |
| .github/workflows/lint-opengrep.yml | Switches to nix-shell action and runs opengrep directly under bash. |
| .github/workflows/lint-cargo-fmt.yml | Switches to nix-shell action and runs just fmt --check directly under bash. |
| .github/workflows/lint-actionlint.yml | Adds a new workflow that runs actionlint in CI. |
| .github/workflows/dev.yml | Removes nix-shell --run wrappers and simplifies push-container logic using bash arrays. |
| .github/workflows/bump.yml | Removes nix-shell --run wrappers and uses the nix-shell action for tooling availability. |
| .github/actions/nix-shell/action.yml | New composite action encapsulating nix install + Cachix + exporting the dev-shell env to the job. |
| .github/actions/nix-setup/action.yml | Refactors to call nix-shell and focuses nix-setup on registry logins. |
| .github/actions/just/action.yml | Updates to run just directly (no nix-shell --run) assuming dev-shell env already exported. |
| .github/actionlint.yml | New actionlint configuration enabling shellcheck/pyflakes and a couple schema ignores. |
Comments suppressed due to low confidence (1)
.github/actions/just/action.yml:49
confidence: 7
tags: [logic]
With actionlint configured to run ShellCheck (`run-step-shellcheck: true`), this `just ${JUST_VARS} ... ${RECIPE_ARGS}` line will trigger SC2086 (unquoted variables with intentional word-splitting/globbing). That will likely cause the new actionlint workflow to fail. Either refactor to pass args safely (e.g., build an array) or add a targeted `# shellcheck disable=SC2086` with a brief justification for both expansions.
```bash
set -euo pipefail
just ${JUST_VARS} "${RECIPE}" ${RECIPE_ARGS}
```
Pull request overview
This PR enables actionlint in CI and standardizes GitHub workflow nix bootstrap by introducing a lightweight nix-shell composite action (reused across lint/bump workflows) while keeping nix-setup for jobs that also require registry logins.
Changes:
- Add an `actionlint` lint workflow plus repo-level `.github/actionlint.yml` configuration (including ShellCheck/Pyflakes integration).
- Introduce `.github/actions/nix-shell` and refactor multiple workflows to use it instead of inlining nix+Cachix setup.
- Add `actionlint`, `shellcheck`, and `pyflakes` to the nix dev-shell toolset.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| default.nix | Adds actionlint, shellcheck, and pyflakes to the dev-shell so CI steps can run them directly. |
| .github/workflows/version-bump.yml | Switches to the shared nix-shell action and runs just directly in the exported dev-shell env. |
| .github/workflows/lint-opengrep.yml | Switches to nix-shell and runs opengrep directly under bash strict mode. |
| .github/workflows/lint-cargo-fmt.yml | Switches to nix-shell and runs formatting checks directly under bash strict mode. |
| .github/workflows/lint-actionlint.yml | Adds a new workflow that runs actionlint on PRs. |
| .github/workflows/dev.yml | Removes duplicated nix bootstrap in favor of shared actions and fixes the container push invocation to avoid empty args. |
| .github/workflows/bump.yml | Switches to nix-shell and runs bump scripts/just directly in the exported dev-shell env. |
| .github/actions/nix-shell/action.yml | New composite action: install nix + configure Cachix + export the repo dev-shell environment into the job. |
| .github/actions/nix-setup/action.yml | Refactors to compose nix-shell and keeps registry login responsibilities in nix-setup. |
| .github/actions/just/action.yml | Updates to run just directly (no nix-shell --run) assuming the dev-shell env is already exported. |
| .github/actionlint.yml | Adds actionlint configuration, enabling ShellCheck and Pyflakes for run: steps and basic workflow validation. |
Two workflow changes bundled together.

1. Lint GitHub Actions with actionlint. Add .github/actionlint.yml (register the "lab" self-hosted runner label, enable the shellcheck and pyflakes checkers) and .github/workflows/lint-actionlint.yml running actionlint on pull requests and in the merge queue. Pull actionlint plus shellcheck and pyflakes (which actionlint delegates to for `run:` steps) into the dev-shell so local runs match CI.

2. Stop wrapping each step in `nix-shell --run "..."`. Extract the install-nix + Cachix + use-nix-shell-action bootstrap into a shared ./.github/actions/nix-shell composite. The nix-setup composite now calls it and layers ghcr.io + image-cache registry logins on top; bump.yml, version-bump.yml, lint-actionlint.yml, lint-cargo-fmt.yml, lint-opengrep.yml, and dev.yml's publish job consume the new composite directly. Every `nix-shell --run "..."` wrapper across these workflows and the `just` composite is replaced with a direct call, since use-nix-shell-action exports the dev-shell environment into the job for subsequent steps. This halves the per-job nixpkgs evaluation cost and removes a layer of nested quoting.

Along the way, unroll the two-iteration "push container" loop in the build job. Quoting $v to satisfy shellcheck SC2086 would feed `just` a literal empty string on the first iteration, which `just` parses as a recipe name; two explicit calls dodge both the empty-arg bug and the lint.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
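The SC2086 comment on the `just` composite and the commit message's "push container" note both turn on how an optional argument behaves when it is empty. As an added example (not code from the PR), the script below contrasts the three forwarding patterns with a stand-in `count_args` function in place of `just` and constructed sample values; it uses POSIX positional parameters, which expand under `"$@"` exactly like the bash array `"${args[@]}"` the PR adopts, so it runs under sh as well as bash.

```shell
# Added example, not code from the PR. `count_args` stands in for `just`
# so the script runs offline; each helper reports how many arguments the
# callee actually received.
set -eu

count_args() { echo "$#"; }

# Pattern 1: unquoted expansion, as in the original `just ${JUST_VARS} ...`.
# An empty value disappears (0 args), but ShellCheck flags SC2086 because a
# value containing spaces or glob characters is split and globbed.
unquoted() {
  v="$1"
  # shellcheck disable=SC2086  # unquoted on purpose to show the behaviour
  count_args $v
}

# Pattern 2: quoted expansion. Satisfies SC2086, but an empty value is passed
# as a literal empty argument; `just` would parse that as a recipe name,
# which is the bug the commit message describes for the first loop iteration.
quoted() {
  v="$1"
  count_args "$v"
}

# Pattern 3: rebuild the argument list from the non-empty values only and
# forward it with "$@", the same behaviour as `args+=("$v")` / "${args[@]}"
# in bash: nothing is passed when everything is empty, and multi-word values
# stay intact (no word splitting, no globbing). Order is preserved.
forward_optional() {
  for v in "$@"; do
    shift
    if [ -n "$v" ]; then
      set -- "$@" "$v"
    fi
  done
  count_args "$@"
}

# Constructed sample values standing in for JUST_VARS and RECIPE_ARGS.
demo() {
  printf 'unquoted ""                   -> %s\n' "$(unquoted "")"
  printf 'quoted ""                     -> %s\n' "$(quoted "")"
  printf 'forward_optional "" ""        -> %s\n' "$(forward_optional "" "")"
  printf 'forward_optional "" "--check" -> %s\n' "$(forward_optional "" "--check")"
  printf 'forward_optional "a b" "c"    -> %s\n' "$(forward_optional "a b" "c")"
}
demo
```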
Force-pushed 34979ae to beaaa1d
```yaml
# Make sure we don't have obvious vulns / anti patterns in our code or
# actions config.

name: "lint-actionlint.yml"
```
I thought the recently-added opengrep workflow was already to validate our GitHub Actions/Workflow files. How does this one articulate with opengrep? I suppose they run different checks?
```markdown
- [Main Development Workflow](#main-development-workflow-devyml)
- [Linting and Validation Workflows](#linting-and-validation-workflows)
- [Linting and Validation Workflows](#linting-and-validation-workflows-for-pull-requests)
```
Should we also extend this section (or add a new one) with the new workflows that you added to validate the GitHub Actions/Workflows files?
Spiritual follow-on to #1476 because @Frostman pointed out actionlint in the slack and addressing its lints actually did a nice job cleaning up our actions.