ci: improve workflow linting and job names

[willkill07]

Overview

Add actionlint to pre-commit and make CI job display names clearer in the GitHub Actions sidebar.

• I confirm this contribution is my own work, or I have the right to submit it under this project's license.
• I searched existing issues and open pull requests, and this does not duplicate existing work.

Details

• Add the rhysd/actionlint pre-commit hook for workflow files, local action metadata, and .github/actionlint.yaml changes.
• Replace slash-separated CI job names with parenthesized labels so matrix entries render as Test (linux-amd64) instead of duplicate platform-only leaves.
• Remove a push-only workflow concurrency reference to github.event.pull_request.
• Validated with targeted actionlint/pre-commit runs and the commit-time pre-commit hooks.

Where should the reviewer start?

Start with .pre-commit-config.yaml for the new actionlint hook, then .github/workflows/ci_node.yml for the matrix job naming pattern applied across CI workflows.

Related Issues: (use one of the action keywords Closes / Fixes / Resolves / Relates to)

• Relates to: none

Summary by CodeRabbit

• Chores
  • Standardized CI job names and display formats across platforms for consistency.
  • Adjusted workflow run grouping key affecting how runs are grouped for cancellation.
  • Updated artifact publish step titles to a unified format.
  • Added workflow linting via a pre-commit hook to validate workflow YAML files.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: c0c0323a-263d-4c98-a2ab-be92f4859b00

📥 Commits

Reviewing files that changed from the base of the PR and between 7f1a800 and 7aeb0a2.

📒 Files selected for processing (1)

• .github/workflows/ci.yaml

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Check / Run

🧰 Additional context used

📓 Path-based instructions (4)

.github/workflows/**/*.{yml,yaml}

📄 CodeRabbit inference engine (.agents/skills/maintain-ci/SKILL.md)

.github/workflows/**/*.{yml,yaml}: Put permissions: on each job that needs token access in GitHub Actions workflows
Avoid workflow-level permissions unless the repository intentionally centralizes them and the inheritance tradeoff is documented
Keep third-party actions pinned to full commit SHAs and preserve the readable version comment after the SHA
Prefer action-native or ecosystem-native caching over generic actions/cache in GitHub Actions workflows
Use lockfiles or dependency manifests to drive cache invalidation in GitHub Actions workflows
Keep deploy and publish permissions isolated to the jobs that need them
Read both caller and callee when a workflow uses workflow_call in GitHub Actions
Put release-tag validation in the earliest practical caller job when the pipeline has tag-based publish behavior
Keep release-tag policy aligned with RELEASING.md: raw SemVer tags only, no leading v
contents: read is the default minimum for checkout-based build, test, docs, and packaging jobs
pull-requests: read is required for PR metadata lookup jobs in GitHub Actions workflows
pages: write and id-token: write should be limited to Pages deployment jobs and any caller that invokes them through a reusable workflow
For reusable workflows, the caller must grant every permission the called jobs require and the callee cannot elevate beyond what the caller provides
Prefer astral-sh/setup-uv cache support with cache-dependency-glob anchored to uv.lock for Python dependency caching
Prefer Swatinem/rust-cache with explicit shared-key and workspaces instead of ad hoc target-directory caching
Avoid caching generated outputs that can hide stale behavior unless the repo already relies on them deliberately
Ensure each job has the minimum permissions it needs during GitHub Actions CI review
Ensure reusable workflow callers grant only the scopes their callees require
Ensure every external action is pinned to a full SHA in GitHub Actions workflows
Ensure cache ...

Files:

• .github/workflows/ci.yaml

{.github/workflows/**/*.{yml,yaml},.gitlab-ci.yml}

📄 CodeRabbit inference engine (.agents/skills/maintain-packaging/SKILL.md)

Keep CI workflow package name references consistent with local package configurations

Files:

• .github/workflows/ci.yaml

{.github/**/*.{yml,yaml},*.patch,scripts/**/*,*.sh,*.bat,Dockerfile*}

📄 CodeRabbit inference engine (.agents/skills/rename-surfaces/SKILL.md)

Update CI configuration, patch files, and build scripts with new functional identifiers after rename operations

Files:

• .github/workflows/ci.yaml

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}

⚙️ CodeRabbit configuration file

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}: Review automation changes for reproducibility, pinned versions where appropriate, secret handling, and consistency with the documented validation matrix.
Pay attention to commands that need generated native artifacts, FFI libraries, or platform-specific environment variables.

Files:

• .github/workflows/ci.yaml

🔇 Additional comments (3)

.github/workflows/ci.yaml (3)

17-17: Concurrency expression fix is correct and safer for push-only runs.

This removes a push-context hazard while preserving intended cancellation grouping.

---

90-94: $GITHUB_OUTPUT write pattern is solid.

Grouped printf writes are robust and avoid quoting/formatting pitfalls from ad hoc echo usage.

---

303-303: Publish job name normalization looks good.

This is a non-breaking display-name improvement and keeps publish behavior unchanged.

Also applies to: 359-359, 380-380

---

Walkthrough

Renames CI job IDs/display names across language-specific workflows to Test/Package/Consolidate, updates dependent needs/success checks, simplifies the main workflow concurrency.group expression, reformats several publish step titles, and adds an actionlint pre-commit hook for workflow files.

Changes

CI Workflow & Linting updates

Layer / File(s)	Summary
Job ID & Display Name Updates .github/workflows/ci_go.yml, .../ci_rust.yml, .../ci_wasm.yml, .../ci_node.yml, .../ci_python.yml	Renamed test jobs to Test; renamed package/consolidate jobs to Package/Consolidate; standardized job name formatting from Test / ${{ matrix.platform }} to Test (${{ matrix.platform }}).
Dependency Wiring .github/workflows/ci_node.yml, .../ci_python.yml, .../ci_wasm.yml	Updated needs references and success-condition checks to new job IDs (e.g., needs.Test.result instead of needs.test-python.result).
Concurrency Grouping .github/workflows/ci.yaml	Changed concurrency.group expression from `${{ github.event.pull_request.head.label
Publish Step Titles .github/workflows/ci.yaml	Reformatted publish step titles from `Publish / crates.io
Workflow Policy Output Logic .github/workflows/ci.yaml	Rewrote the Derive workflow policy step output assignment to emit full_ci, publish_docs, and publish_packages via a grouped brace block of printf calls to $GITHUB_OUTPUT.
Pre-commit Hook .pre-commit-config.yaml	Added rhysd/actionlint (rev: v1.7.12) hook targeting .github/workflows/ and .github/actions/ YAML paths with pass_filenames: false.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title follows Conventional Commits format with 'ci' type and concise summary. It accurately captures the main changes: adding actionlint linting and standardizing CI job names.
Description check	✅ Passed	The description includes all required template sections (Overview with checkboxes, Details, Where to start, Related Issues) and provides comprehensive context about the changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Review rate limit: 8/10 reviews remaining, refill in 6 minutes and 53 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}