ChainSafe · LesnyRumcajs · Apr 15, 2026 · Apr 15, 2026
@@ -0,0 +1,9 @@
+---
+# Configuration for actionlint (https://github.com/rhysd/actionlint).
+# Run locally via: `mise run lint:actions`.
+
+self-hosted-runner:
+  # WarpBuild self-hosted runners used by performance-sensitive jobs.
+  labels:
+    - warp-ubuntu-2404-arm64-8x
+    - warp-ubuntu-2404-x64-8x
@@ -0,0 +1,33 @@
+name: GitHub Actions lint
+permissions:
+  contents: read
+
+# Cancel workflow if there is a new change to the branch.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+on:
+  merge_group:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/**"
+      - ".github/actionlint.yaml"
+      - "mise.toml"
+  push:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/**"
+      - ".github/actionlint.yaml"
+      - "mise.toml"
+
+jobs:
+  actions-lint:
+    runs-on: ubuntu-slim
+    steps:
+      - uses: actions/checkout@v6
+      - uses: jdx/mise-action@v4
+      - run: mise run lint:actions
@@ -18,8 +18,8 @@ jobs:
         if: failure()
         run: |
           export WORKFLOW_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
-          echo ${WORKFLOW_URL}
-          echo "WORKFLOW_URL=${WORKFLOW_URL}" >> $GITHUB_ENV
+          echo "${WORKFLOW_URL}"
+          echo "WORKFLOW_URL=${WORKFLOW_URL}" >> "$GITHUB_ENV"
       - uses: JasonEtco/create-an-issue@v2
         if: failure()
         env:

@@ -26,9 +26,11 @@ jobs:
         run: |
           # External PRs do not have access to 'vars' or 'secrets'.
           if [[ "${{secrets.AWS_ACCESS_KEY_ID}}" != "" ]]; then
-            echo "SCCACHE_ENDPOINT=${{ vars.SCCACHE_ENDPOINT}}" >> $GITHUB_ENV
-            echo "SCCACHE_BUCKET=${{ vars.SCCACHE_BUCKET}}" >> $GITHUB_ENV
-            echo "SCCACHE_REGION=${{ vars.SCCACHE_REGION}}" >> $GITHUB_ENV
+            {
+              echo "SCCACHE_ENDPOINT=${{ vars.SCCACHE_ENDPOINT}}"
+              echo "SCCACHE_BUCKET=${{ vars.SCCACHE_BUCKET}}"
+              echo "SCCACHE_REGION=${{ vars.SCCACHE_REGION}}"
+            } >> "$GITHUB_ENV"
           fi
       - name: Checkout Sources
         uses: actions/checkout@v6
@@ -42,8 +44,8 @@ jobs:
         if: failure()
         run: |
           export WORKFLOW_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
-          echo ${WORKFLOW_URL}
-          echo "WORKFLOW_URL=${WORKFLOW_URL}" >> $GITHUB_ENV
+          echo "${WORKFLOW_URL}"
+          echo "WORKFLOW_URL=${WORKFLOW_URL}" >> "$GITHUB_ENV"
       - uses: JasonEtco/create-an-issue@v2
         if: failure()
         env:

@@ -15,7 +15,7 @@ jobs:
       - uses: actions/checkout@v6
       - name: Update checkpoints
         run: |
-          docker run --rm -v $PWD:/app -w /app --entrypoint forest-dev ghcr.io/chainsafe/forest:edge update-checkpoints
+          docker run --rm -v "$PWD":/app -w /app --entrypoint forest-dev ghcr.io/chainsafe/forest:edge update-checkpoints
       # This is needed in order to have the commits signed.
       - uses: actions/create-github-app-token@v3
         id: generate-token

@@ -71,9 +71,11 @@ jobs:
         run: |
           # External PRs do not have access to 'vars' or 'secrets'.
           if [[ "${{secrets.AWS_ACCESS_KEY_ID}}" != "" ]]; then
-            echo "SCCACHE_ENDPOINT=${{ vars.SCCACHE_ENDPOINT}}" >> $GITHUB_ENV
-            echo "SCCACHE_BUCKET=${{ vars.SCCACHE_BUCKET}}" >> $GITHUB_ENV
-            echo "SCCACHE_REGION=${{ vars.SCCACHE_REGION}}" >> $GITHUB_ENV
+            {
+              echo "SCCACHE_ENDPOINT=${{ vars.SCCACHE_ENDPOINT}}"
+              echo "SCCACHE_BUCKET=${{ vars.SCCACHE_BUCKET}}"
+              echo "SCCACHE_REGION=${{ vars.SCCACHE_REGION}}"
+            } >> "$GITHUB_ENV"
           fi
       - name: Setup sccache
         uses: mozilla-actions/sccache-action@v0.0.9
@@ -96,8 +98,8 @@ jobs:
       - name: Fetch proof params and RPC test snapshots
         run: |
           # Use the same profile to re-use some compilation artifacts and speed up the entire job.
-          cargo llvm-cov run --profile codecov --no-report --bin forest-dev --no-default-features -- fetch-test-snapshots --actor-bundle $FOREST_ACTOR_BUNDLE_PATH
-          ls -ahl $FIL_PROOFS_PARAMETER_CACHE
+          cargo llvm-cov run --profile codecov --no-report --bin forest-dev --no-default-features -- fetch-test-snapshots --actor-bundle "$FOREST_ACTOR_BUNDLE_PATH"
+          ls -ahl "$FIL_PROOFS_PARAMETER_CACHE"
       - name: Generate code coverage
         run: mise codecov
         env:

@@ -49,9 +49,11 @@ jobs:
         run: |
           # External PRs do not have access to 'vars' or 'secrets'.
           if [[ "${{secrets.AWS_ACCESS_KEY_ID}}" != "" ]]; then
-            echo "SCCACHE_ENDPOINT=${{ vars.SCCACHE_ENDPOINT}}" >> $GITHUB_ENV
-            echo "SCCACHE_BUCKET=${{ vars.SCCACHE_BUCKET}}" >> $GITHUB_ENV
-            echo "SCCACHE_REGION=${{ vars.SCCACHE_REGION}}" >> $GITHUB_ENV
+            {
+              echo "SCCACHE_ENDPOINT=${{ vars.SCCACHE_ENDPOINT}}"
+              echo "SCCACHE_BUCKET=${{ vars.SCCACHE_BUCKET}}"
+              echo "SCCACHE_REGION=${{ vars.SCCACHE_REGION}}"
+            } >> "$GITHUB_ENV"
           fi
       - name: Checkout Sources
         uses: actions/checkout@v6
@@ -84,11 +86,13 @@ jobs:
         run: |
           # External PRs do not have access to 'vars' or 'secrets'.
           if [[ "${{secrets.AWS_ACCESS_KEY_ID}}" != "" ]]; then
-            echo "SCCACHE_ENDPOINT=${{ vars.SCCACHE_ENDPOINT}}" >> $GITHUB_ENV
-            echo "SCCACHE_BUCKET=${{ vars.SCCACHE_BUCKET}}" >> $GITHUB_ENV
-            echo "SCCACHE_REGION=${{ vars.SCCACHE_REGION}}" >> $GITHUB_ENV
+            {
+              echo "SCCACHE_ENDPOINT=${{ vars.SCCACHE_ENDPOINT}}"
+              echo "SCCACHE_BUCKET=${{ vars.SCCACHE_BUCKET}}"
+              echo "SCCACHE_REGION=${{ vars.SCCACHE_REGION}}"
+            } >> "$GITHUB_ENV"
           fi
-          echo "SCCACHE_S3_KEY_PREFIX=aarch64" >> $GITHUB_ENV
+          echo "SCCACHE_S3_KEY_PREFIX=aarch64" >> "$GITHUB_ENV"
       - name: Checkout Sources
         uses: actions/checkout@v6
         if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')

@@ -22,8 +22,8 @@ jobs:
         if: always()
         run: |
           export WORKFLOW_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
-          echo ${WORKFLOW_URL}
-          echo "WORKFLOW_URL=${WORKFLOW_URL}" >> $GITHUB_ENV
+          echo "${WORKFLOW_URL}"
+          echo "WORKFLOW_URL=${WORKFLOW_URL}" >> "$GITHUB_ENV"
       - uses: JasonEtco/create-an-issue@v2
         if: failure()
         env:

@@ -48,11 +48,13 @@ jobs:
         run: |
           # External PRs do not have access to 'vars' or 'secrets'.
           if [[ "$AWS_ACCESS_KEY_ID" != "" ]]; then
-            echo "SCCACHE_ENDPOINT=${{ vars.SCCACHE_ENDPOINT}}" >> $GITHUB_ENV
-            echo "SCCACHE_BUCKET=${{ vars.SCCACHE_BUCKET}}" >> $GITHUB_ENV
-            echo "SCCACHE_REGION=${{ vars.SCCACHE_REGION}}" >> $GITHUB_ENV
+            {
+              echo "SCCACHE_ENDPOINT=${{ vars.SCCACHE_ENDPOINT}}"
+              echo "SCCACHE_BUCKET=${{ vars.SCCACHE_BUCKET}}"
+              echo "SCCACHE_REGION=${{ vars.SCCACHE_REGION}}"
+            } >> "$GITHUB_ENV"
           fi
-          echo "SCCACHE_S3_KEY_PREFIX=macos" >> $GITHUB_ENV
+          echo "SCCACHE_S3_KEY_PREFIX=macos" >> "$GITHUB_ENV"
       - name: Checkout Sources
         uses: actions/checkout@v6
       - name: Setup sccache
@@ -75,9 +77,11 @@ jobs:
         run: |
           # External PRs do not have access to 'vars' or 'secrets'.
           if [[ "${{secrets.AWS_ACCESS_KEY_ID}}" != "" ]]; then
-            echo "SCCACHE_ENDPOINT=${{ vars.SCCACHE_ENDPOINT}}" >> $GITHUB_ENV
-            echo "SCCACHE_BUCKET=${{ vars.SCCACHE_BUCKET}}" >> $GITHUB_ENV
-            echo "SCCACHE_REGION=${{ vars.SCCACHE_REGION}}" >> $GITHUB_ENV
+            {
+              echo "SCCACHE_ENDPOINT=${{ vars.SCCACHE_ENDPOINT}}"
+              echo "SCCACHE_BUCKET=${{ vars.SCCACHE_BUCKET}}"
+              echo "SCCACHE_REGION=${{ vars.SCCACHE_REGION}}"
+            } >> "$GITHUB_ENV"
           fi
       - name: Checkout Sources
         uses: actions/checkout@v6
@@ -473,8 +477,8 @@ jobs:
           docker volume create devnet_filecoin-proofs
           docker run --rm \
             -v devnet_filecoin-proofs:/proofs \
-            -v $FIL_PROOFS_PARAMETER_CACHE:/cache \
-            $SHELL_IMAGE \
+            -v "$FIL_PROOFS_PARAMETER_CACHE":/cache \
+            "$SHELL_IMAGE" \
             sh -c "cp /cache/* /proofs"
       - uses: actions/checkout@v6
       - uses: actions/download-artifact@v8
@@ -494,63 +498,10 @@ jobs:
         run: |
           docker run --rm \
             -v devnet_filecoin-proofs:/proofs \
-            -v $FIL_PROOFS_PARAMETER_CACHE:/cache \
-            $SHELL_IMAGE \
+            -v "$FIL_PROOFS_PARAMETER_CACHE":/cache \
+            "$SHELL_IMAGE" \
             sh -c "cp /proofs/* /cache"
-          sudo chmod -R 755 $FIL_PROOFS_PARAMETER_CACHE
-  local-devnet-curio-check:
-    # Disabling this job as it is not providing any value until the curio setup is fixed. See: https://github.com/ChainSafe/forest/issues/5171
-    if: false
-    name: Devnet Curio checks
-    runs-on: ubuntu-24.04
-    needs:
-      - build-ubuntu
-    env:
-      # We use a custom Dockerfile for CI to speed up the build process.
-      FOREST_DOCKERFILE_OVERRIDE: scripts/devnet/forest_ci.dockerfile
-    steps:
-      - uses: actions/cache@v5
-        id: cache
-        with:
-          path: "${{ env.FIL_PROOFS_PARAMETER_CACHE }}"
-          key: proof-params-2k
-      - name: Load cache into volume
-        if: steps.cache.outputs.cache-hit == 'true'
-        run: |
-          docker volume create devnet_filecoin-proofs
-          docker run --rm \
-            -v devnet_filecoin-proofs:/proofs \
-            -v $FIL_PROOFS_PARAMETER_CACHE:/cache \
-            $SHELL_IMAGE \
-            sh -c "cp /cache/* /proofs"
-      - uses: actions/checkout@v6
-      - uses: actions/download-artifact@v8
-        with:
-          name: "forest-${{ runner.os }}"
-      - name: Devnet setup
-        run: |
-          cp ./scripts/devnet/setup.sh ./scripts/devnet-curio/setup.sh
-          chmod +x ./scripts/devnet-curio/setup.sh
-          ./scripts/devnet-curio/setup.sh
-        timeout-minutes: ${{ fromJSON(env.SCRIPT_TIMEOUT_MINUTES) }}
-      - name: Devnet check
-        run: |
-          cp ./scripts/devnet/check.sh ./scripts/devnet-curio/check.sh
-          chmod +x ./scripts/devnet-curio/check.sh
-          ./scripts/devnet-curio/check.sh
-        timeout-minutes: ${{ fromJSON(env.SCRIPT_TIMEOUT_MINUTES) }}
-      - name: Dump docker logs
-        if: always()
-        uses: jwalton/gh-docker-logs@v2
-      - name: Prepare cache folder for uploading
-        if: steps.cache.outputs.cache-hit != 'true'
-        run: |
-          docker run --rm \
-            -v devnet_filecoin-proofs:/proofs \
-            -v $FIL_PROOFS_PARAMETER_CACHE:/cache \
-            $SHELL_IMAGE \
-            sh -c "cp /proofs/* /cache"
-          sudo chmod -R 755 $FIL_PROOFS_PARAMETER_CACHE
+          sudo chmod -R 755 "$FIL_PROOFS_PARAMETER_CACHE"
   bootstrap-checks-forest:
     needs:
       - build-ubuntu
@@ -663,8 +614,8 @@ jobs:
         if: always()
         run: |
           export WORKFLOW_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
-          echo ${WORKFLOW_URL}
-          echo "WORKFLOW_URL=${WORKFLOW_URL}" >> $GITHUB_ENV
+          echo "${WORKFLOW_URL}"
+          echo "WORKFLOW_URL=${WORKFLOW_URL}" >> "$GITHUB_ENV"
       - uses: JasonEtco/create-an-issue@v2
         if: github.ref == 'refs/heads/main' && failure()
         env:

@@ -32,8 +32,7 @@ jobs:
         with:
           python-version: "3.12"
       - run: pip install black flake8
-      - name: Run Python linters
-        uses: wearerequired/lint-action@v2
-        with:
-          black: true
-          flake8: true
+      - name: Run black
+        run: black --check scripts/
+      - name: Run flake8
+        run: flake8 scripts/
@@ -41,7 +41,7 @@ jobs:
       - name: Pack artifacts
         run: |
           for bin in forest-${{ github.ref_name }}/*; do
-            sha256sum $bin > $bin.sha256
+            sha256sum "$bin" > "$bin".sha256
           done
           cp -rv CHANGELOG.md LICENSE-APACHE LICENSE-MIT README.md forest-${{ github.ref_name }}
           zip -r ${{ matrix.file }} forest-${{ github.ref_name }}

@@ -45,7 +45,7 @@ jobs:
       - name: Pack artifacts
         run: |
           for bin in forest-${{ github.event.inputs.tag }}/*; do
-            sha256sum $bin > $bin.sha256
+            sha256sum "$bin" > "$bin".sha256
           done
           cp -rv CHANGELOG.md LICENSE-APACHE LICENSE-MIT README.md forest-${{ github.event.inputs.tag }}
           zip -r ${{ matrix.file }} forest-${{ github.event.inputs.tag }}

@@ -52,8 +52,8 @@ jobs:
         if: always()
         run: |
           export WORKFLOW_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
-          echo ${WORKFLOW_URL}
-          echo "WORKFLOW_URL=${WORKFLOW_URL}" >> $GITHUB_ENV
+          echo "${WORKFLOW_URL}"
+          echo "WORKFLOW_URL=${WORKFLOW_URL}" >> "$GITHUB_ENV"
       - uses: JasonEtco/create-an-issue@v2
         if: github.ref == 'refs/heads/main' && failure()
         env:

@@ -50,8 +50,8 @@ jobs:
         if: always()
         run: |
           export WORKFLOW_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
-          echo ${WORKFLOW_URL}
-          echo "WORKFLOW_URL=${WORKFLOW_URL}" >> $GITHUB_ENV
+          echo "${WORKFLOW_URL}"
+          echo "WORKFLOW_URL=${WORKFLOW_URL}" >> "$GITHUB_ENV"
       - uses: JasonEtco/create-an-issue@v2
         if: github.ref == 'refs/heads/main' && failure()
         env: