refactor(ci): integrate actionlint workflow into ci.yml

[d-gubert]

Proposed changes (including videos or screenshots)

Remove standalone "Lint GitHub Actions workflows" and integrate the linting into the current "CI" workflow that is executed in PRs

Issue(s)

Steps to test or reproduce

Further comments

Summary by CodeRabbit

• Chores
  • Integrated workflow linting into the main CI pipeline with conditional execution when workflow files change.
  • Removed the separate actionlint workflow to streamline CI and reduce duplication.

Task: ARCH-2121

[coderabbitai]

Walkthrough

Removes the standalone actionlint workflow and integrates actionlint into the main CI workflow. The CI job computes a github-actions-changed output by diffing PR files and conditionally runs an actionlint job that downloads, verifies, and executes a pinned actionlint binary when GitHub Actions files changed.

Changes

Cohort / File(s)	Summary
Workflow consolidation \.github/workflows/actionlint.yml, \.github/workflows/ci.yml	Deletes standalone actionlint.yml. Updates ci.yml to add jobs.release-versions.outputs.github-actions-changed (computed via gh pr diff) and a gated actionlint job that downloads a pinned actionlint release, verifies SHA-256 against release checksums, extracts the binary, and runs ./actionlint -color when Actions files changed.

Sequence Diagram(s)

sequenceDiagram
  participant PR as Pull Request
  participant CI as GitHub Actions (CI)
  participant Runner as Job Runner
  participant Releases as GitHub Releases

  PR->>CI: push / open PR triggers workflow
  CI->>Runner: start release-versions job
  Runner->>Runner: run `gh pr diff` -> compute github-actions-changed
  Runner-->>CI: set job output github-actions-changed
  CI->>Runner: conditionally start actionlint job if output=true
  Runner->>Releases: download pinned actionlint tarball + checksums
  Releases-->>Runner: tarball + checksums
  Runner->>Runner: verify SHA-256, extract binary
  Runner->>Runner: execute `./actionlint -color` on workflows
  Runner-->>CI: actionlint results (success/failure)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

type: chore

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main change: integrating the actionlint workflow from a standalone file into the ci.yml workflow.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 1543a80

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.83%. Comparing base (9498359) to head (1543a80).
⚠️ Report is 3 commits behind head on develop.

Additional details and impacted files

@@           Coverage Diff            @@
##           develop   #40321   +/-   ##
========================================
  Coverage    69.83%   69.83%           
========================================
  Files         3296     3296           
  Lines       119173   119173           
  Branches     21475    21501   +26     
========================================
+ Hits         83221    83229    +8     
- Misses       32645    32647    +2     
+ Partials      3307     3297   -10     

Flag	Coverage Δ
e2e	59.76% <ø> (+0.02%)	⬆️
e2e-api	46.23% <ø> (ø)
unit	70.58% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 493-517: The actionlint job is not wired into the Tests Done
aggregate so a failing actionlint won't block merges; update the CI workflow to
either add the job name actionlint to the tests-done job's needs array (so the
tests-done aggregate depends on it) or ensure branch protection lists the
actionlint job as a required status check; locate the actionlint job and the
tests-done job in .github/workflows/ci.yml and add "actionlint" to tests-done's
needs (or alternatively mark the actionlint job name as required in your repo's
branch protection rules).
- Around line 137-145: The diff step (id: diff) assumes GH_PR_NUM exists and can
fail on non-pull_request triggers; initialize the output to
"actions-changed=false", only run the PR-diff logic when github.event_name ==
'pull_request' (short-circuit the run), and set actions-changed to "true" only
when the grep finds changes; then gate the actionlint job by checking
outputs.diff == 'true' (explicit string comparison) instead of truthiness.
Update the step that sets GH_PR_NUM and the run block in step id "diff" and
change the actionlint job condition to use outputs.diff == 'true'.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6beb22cd-68de-4d25-aa1c-994feeeaa58f

📥 Commits

Reviewing files that changed from the base of the PR and between 9498359 and ae45a7d.

📒 Files selected for processing (2)

• .github/workflows/actionlint.yml
• .github/workflows/ci.yml

💤 Files with no reviewable changes (1)

• .github/workflows/actionlint.yml

📜 Review details

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2026-04-14T23:26:19.461Z

Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 40159
File: .github/actions/setup-node/action.yml:44-59
Timestamp: 2026-04-14T23:26:19.461Z
Learning: In RocketChat/Rocket.Chat's CI composite actions (e.g. `.github/actions/setup-node/action.yml`), writing resolved tool versions directly to `$GITHUB_ENV` via `echo "VAR=value" >> $GITHUB_ENV` (without multiline heredoc form or explicit empty-value guards) is an accepted, intentional pattern. The source files (`package.json` engines field and `.tool-versions`) are considered stable and trusted, so flagging the absence of newline/empty validation or the use of the heredoc form is not warranted.

Applied to files:

• .github/workflows/ci.yml

🔇 Additional comments (1)

.github/workflows/ci.yml (1)

503-512: Nice hardening on the download path.

Verifying the tarball against the published checksums before extraction is the right guard here.

[d-gubert]

/jira ARCH-2113