
ci: add ghactor lint + doctor gate for workflow changes #21

Merged: kdairatchi merged 1 commit into main from chore/ghactor-ci on Apr 18, 2026

Conversation

@kdairatchi (Contributor)

What

Adds `.github/workflows/ghactor.yml` — a CI job that runs `ghactor` against every change to `.github/workflows/**`:

  • `ghactor doctor` — repo-wide workflow health report, fails on score regression
  • `ghactor lint` — actionlint + ghactor security rules
  • `ghactor update` — reports available upstream action bumps as a step summary (report-only, does not fail)

Also runs on a weekly cron (Mon 05:17 UTC) so upstream action releases surface as a PR-able delta even when no workflow file changes.

Why

Workflows drift. Unpinned SHAs, missing timeouts, over-broad permissions, stale actions — all become supply-chain blind spots if caught only at human review. ghactor encodes these as hard rules and runs them at PR time.

Current main is `100/100` via `ghactor doctor` — this wiring keeps it there.

Access note

Installs from the (currently private) `kdairatchi/ghactor` module. The job supports either:

  • A `GHACTOR_INSTALL_TOKEN` repo secret (PAT with read access), or
  • Fallback to `GITHUB_TOKEN` — which works as soon as the module is flipped public.

Recommend flipping `kdairatchi/ghactor` public and removing the fallback comment, or provisioning the secret.

Test plan

  • First run (this PR) must pass
  • Intentional regression on a branch (unpinned action / missing timeout) must fail the job
  • Weekly cron fires and reports upstream action updates in step summary

🤖 Generated with Claude Code

Gates every .github/workflows/** change through ghactor (kdairatchi/ghactor
v0.2.0) so supply-chain drift and workflow security regressions are caught
at PR time. Runs on push/PR when workflows change, plus a weekly schedule
so upstream action releases surface as a step-summary delta even without
a workflow-file change.

Note: installs ghactor from a private module — requires either the
GHACTOR_INSTALL_TOKEN secret (a PAT with repo:read on kdairatchi/ghactor)
or falls back to GITHUB_TOKEN (works once ghactor is public). Git URL
rewrite authenticates the go install fetch.
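The install step described in the access note above and in the commit message (prefer the `GHACTOR_INSTALL_TOKEN` PAT, fall back to `GITHUB_TOKEN`, authenticate the `go install` fetch with a git URL rewrite), written out as a standalone script that a workflow `run:` step can call. This is an added example, not the PR's own workflow file; the module path `github.com/kdairatchi/ghactor` with the CLI at the module root, and the script name `install-ghactor.sh`, are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the PR's workflow): the private-module install step it describes.
set -euo pipefail

GHACTOR_MODULE="github.com/kdairatchi/ghactor"   # assumed module path, CLI at module root
GHACTOR_VERSION="${GHACTOR_VERSION:-v0.2.0}"     # version the PR pins; override via env
REPO_PATH="${GHACTOR_MODULE#github.com/}"        # kdairatchi/ghactor

# Prefer the dedicated read-only PAT; fall back to the job's GITHUB_TOKEN, which
# only succeeds once the module is public. Fail loudly if neither is present.
select_install_token() {
  if [ -n "${GHACTOR_INSTALL_TOKEN:-}" ]; then
    printf '%s' "$GHACTOR_INSTALL_TOKEN"
  elif [ -n "${GITHUB_TOKEN:-}" ]; then
    printf '%s' "$GITHUB_TOKEN"
  else
    echo "no GHACTOR_INSTALL_TOKEN or GITHUB_TOKEN available" >&2
    return 1
  fi
}

# Git config key for the rewrite, scoped to this one repo (not all of github.com)
# so the token is never sent to any other host or repository.
rewrite_key() { printf 'url.https://x-access-token:%s@github.com/%s.insteadOf' "$1" "$REPO_PATH"; }

# `go install` shells out to git; the URL rewrite injects the credential into that fetch.
# GOPRIVATE keeps the module off proxy.golang.org / sum.golang.org, which cannot read it.
configure_git_rewrite() {
  git config --global "$(rewrite_key "$1")" "https://github.com/${REPO_PATH}"
  export GOPRIVATE="$GHACTOR_MODULE"
}

# The rewrite leaves the token in plaintext in ~/.gitconfig on the runner; remove it
# right after the fetch so later steps and uploaded artifacts cannot read it.
cleanup_git_rewrite() { git config --global --unset "$(rewrite_key "$1")"; }

main() {
  local token
  token="$(select_install_token)"
  configure_git_rewrite "$token"
  trap "cleanup_git_rewrite '${token}'" EXIT   # token expanded now; runs even on failure
  export PATH="$(go env GOPATH)/bin:$PATH"
  go install "${GHACTOR_MODULE}@${GHACTOR_VERSION}"
  command -v ghactor >/dev/null || { echo "ghactor not on PATH after install" >&2; exit 1; }
}

# Runs only as `bash install-ghactor.sh install`; sourcing just loads the functions.
if [ "${1:-}" = "install" ]; then main; fi
```

In the workflow step, pass the secret through `env:` (for example `GHACTOR_INSTALL_TOKEN: ${{ secrets.GHACTOR_INSTALL_TOKEN }}`) rather than interpolating it into the script text, so GitHub masks it in the job log.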
@kdairatchi kdairatchi merged commit dd688c4 into main Apr 18, 2026
1 of 2 checks passed
@kdairatchi kdairatchi deleted the chore/ghactor-ci branch April 18, 2026 14:42
