Contributor

Copilot AI commented Dec 5, 2025

Purpose

Implements automated validation for GitHub Actions workflows to ensure actions remain available and up-to-date.

  • Validates workflow YAML syntax and structure using actionlint
  • Verifies all referenced actions exist and are accessible via GitHub API
  • Detects outdated action versions by comparing against latest releases
  • Generates audit reports with action inventory
  • Runs weekly (Mondays 9:00 UTC) plus on workflow changes

Does this introduce a breaking change?

[ ] Yes
[x] No

Pull Request Type

[ ] Bugfix
[x] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no api changes)
[ ] Documentation content changes
[ ] Other... Please describe:

How to Test

  • Get the code
git clone [repo-address]
cd [repo-name]
git checkout [branch-name]
npm install
  • Test the code
# Validate workflows locally
curl -sL https://github.com/rhysd/actionlint/releases/download/v1.7.9/actionlint_1.7.9_linux_amd64.tar.gz -o actionlint.tar.gz
tar xzf actionlint.tar.gz
./actionlint .github/workflows/*.yml

# Build the project
npm run build

What to Check

Verify that the following are valid

  • Workflow validation job runs and completes successfully
  • CI build job completes without errors
  • Action availability check identifies all actions in use
  • Weekly schedule trigger is configured correctly
  • Explicit permissions are set on all jobs (principle of least privilege)
  • Downloadable report artifact is generated

Other Information

Implementation Details:

  • actionlint v1.7.9 pinned with SHA256 checksum verification
  • GitHub REST API 2022-11-28 with authentication for rate limits
  • jq for robust JSON parsing
  • Handles actions with and without explicit versions

Security:

  • Explicit contents: read permissions on all jobs
  • Checksum verification for downloaded tools
  • No secrets exposed in logs
  • CodeQL validated (0 alerts)

Original prompt

This section details the original issue you should resolve

<issue_title>Validate workflow files</issue_title>
<issue_description>- create workflow to validate all gh actions and workflows

  • verify actions are still available and using the latest version of the action
  • what else? </issue_description>

Comments on the Issue (you are @copilot in this section)



Copilot AI self-assigned this Dec 5, 2025
Copilot AI and others added 5 commits December 5, 2025 17:53
…cking

Co-authored-by: diberry <41597107+diberry@users.noreply.github.com>
…on, remove invalid package

Co-authored-by: diberry <41597107+diberry@users.noreply.github.com>
…ctions without versions

Co-authored-by: diberry <41597107+diberry@users.noreply.github.com>
Co-authored-by: diberry <41597107+diberry@users.noreply.github.com>
…ivilege

Co-authored-by: diberry <41597107+diberry@users.noreply.github.com>
Copilot AI changed the title [WIP] Add workflow to validate GitHub actions Add GitHub Actions workflow validation system Dec 5, 2025
Copilot AI requested a review from diberry December 5, 2025 18:22
@diberry diberry marked this pull request as ready for review December 5, 2025 20:34
@diberry diberry merged commit d2720a0 into main Dec 5, 2025
12 checks passed
@diberry diberry deleted the copilot/validate-workflow-files branch December 5, 2025 20:35
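
The PR description above mentions an action inventory that handles actions with and without explicit versions. The following is an added example, not the PR's own code (the workflow itself is not shown on this page), of one way to build such an inventory and flag references that are not pinned to a commit SHA. The function names, the sample workflow, the `example-org` actions and the 40-character SHA are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not the PR's code). Prints one line per distinct reference:
#   <action> TAB <ref or -> TAB <kind>
# kind: sha (40-hex commit, immutable) | tag (tag or branch, mutable) |
#       none (no @ref) | local (./path) | docker (docker:// image)
list_action_refs() {
  awk -v q="'" '
    /^[ \t]*(-[ \t]+)?uses:[ \t]*/ {          # "uses:" or "- uses:", not "# uses:"
      line = $0
      sub(/^[ \t]*(-[ \t]+)?uses:[ \t]*/, "", line)
      sub(/[ \t]+#.*$/, "", line)             # drop trailing "# v1.2.3" comment
      gsub("[\"" q "]", "", line)             # drop YAML quotes
      sub(/[ \t\r]+$/, "", line)
      if (line == "") next
      action = line; ref = "-"
      if (line ~ /^\.\//) kind = "local"
      else if (line ~ /^docker:\/\//) kind = "docker"
      else if ((i = index(line, "@")) > 0) {
        action = substr(line, 1, i - 1); ref = substr(line, i + 1)
        kind = (length(ref) == 40 && ref ~ /^[0-9a-f]+$/) ? "sha" : "tag"
      } else kind = "none"
      printf "%s\t%s\t%s\n", action, ref, kind
    }' "$@" | LC_ALL=C sort -u
}

# References an upstream change can silently alter: mutable tag, or no ref at all.
list_mutable_refs() {
  list_action_refs "$@" | awk -F'\t' '$3 == "tag" || $3 == "none"'
}

# Constructed sample workflow; example-org actions and the SHA are placeholders.
write_sample_workflow() {
  cat > "$1" <<'EOF'
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - name: step without a version
        uses: example-org/unversioned-action
      - uses: ./.github/actions/local
      - uses: "docker://alpine:3.20"
      # - uses: example-org/commented-out@v1
EOF
}
sample_dir=$(mktemp -d) && write_sample_workflow "$sample_dir/ci.yml"
list_mutable_refs "$sample_dir/ci.yml"
```

Run against `.github/workflows/*.yml`, the output of `list_mutable_refs` is the set of references an audit report would list as candidates for SHA pinning.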

Development

Successfully merging this pull request may close these issues.

Validate workflow files

2 participants