This repository has been archived by the owner on Aug 2, 2023. It is now read-only.

Add a starter workflow for ansible-lint #98

Closed
ssbarnea opened this issue Mar 31, 2022 · 3 comments
Assignees: ssbarnea
Labels: enhancement (New feature or request)

Comments

@ssbarnea (Member)

See https://github.com/actions/starter-workflows/

@ssbarnea ssbarnea added the enhancement New feature or request label Mar 31, 2022
@ssbarnea ssbarnea self-assigned this Mar 31, 2022
@yongyan-gh commented Apr 6, 2022

@ssbarnea we work with GitHub on the SARIF ecosystem and help static analysis tools onboard to the GitHub starter workflows. These are the PRs (https://github.com/actions/starter-workflows/pulls/yongyan-gh) we created for other tools. I am happy to help create the starter workflow for ansible-lint.

The starter workflow requires the tool to upload the scan/analysis results in Sarif format to generate code scanning alerts in GitHub.

I have added native SARIF output support to ansible-lint through this PR: ansible/ansible-lint#2062

We need a way to tell ansible-lint-action to generate the SARIF output. I saw that a recent change in ansible-lint-action (#97) removed the args. Can we add a parameter, e.g. "format", to the action?

cc @EasyRhinoMSFT @eddynaka

@ssbarnea (Member, Author) commented Apr 7, 2022

I am a bit inclined to avoid extra parameters as they would create extra maintenance, but in this case it might make sense.

Did you know that the tool produces GitHub annotations when run under GHA? It activates this based on the presence of environment variables, so nobody needs to configure it to activate annotations. I wonder if a similar approach could be used for SARIF, so we avoid adding options. If that is not suitable, make a pull request to add format and make the default match the linter option, which is rich if I remember correctly.

The problem with this is that once we add an argument, we are forced to pass it as an arg, even when the user does not define it in the action. That would override in-repo configuration. I guess that now you see why adding options might prevent users from using their own configuration.

I will release a new version of the linter with the SARIF format feature soon, followed by the update to the creator-ee container, so we can make use of it here.

Just let me know what else I can do to help.

@yongyan-gh

@ssbarnea thanks for explaining your concern and the advice of using environment variables.

I will propose a change in ansible-lint to generate SARIF output if the lint action is run in a workflow and the env variable GITHUB_SARIF is set:

```python
        # If SARIF env variable is set in Github workflow/action
        # generate SARIF output and stop generating other outputs.
        if os.getenv("GITHUB_ACTIONS") == "true" and os.getenv("GITHUB_WORKFLOW") and \
           os.getenv("GITHUB_SARIF"):
            formatter = formatters.SarifFormatter(self.options.cwd, True)
            console.print(
                formatter.format_result(matches), markup=False, highlight=False
            )
            return
```

So the user can get SARIF output by setting an env variable in the workflow, e.g.:

```yaml
jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2

      - name: Run ansible-lint
        uses: ansible-community/ansible-lint-action@main
        # optional:
        # with:
        #   path: "playbooks/"  # <-- only one value is allowed
        env:
          GITHUB_SARIF: "ansiblelint_results.sarif"
```

Please let me know what you think.

The next question is how ansible-lint-action generates a file based on the env variable.
Ideally it can be accomplished by redirecting the command output into a file, e.g.:

```sh
ansiblelint $path > $outputfile
```

I usually see an entrypoint.sh file in other docker actions which handles how to run the command. I do not see how ansible-lint-action deals with the parameters. What should we do to let the action output to a specified file?
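As an added example (not code from this issue or from the ansible-lint-action repo), here is a POSIX entrypoint.sh sketch for the file-output question above. It assumes GitHub exposes the `path` input to a docker action as `INPUT_PATH`, and it uses a hypothetical `LINT_CMD` override so the logic can be exercised without ansible-lint installed; the path is appended only when it is set, so an empty input never overrides the repository's own ansible-lint configuration.

```shell
#!/bin/sh
# Hypothetical entrypoint.sh for a docker action running ansible-lint.
#  * INPUT_PATH is appended only when non-empty, so an unset `path` input
#    never pushes an extra argument that would override in-repo config.
#  * If GITHUB_SARIF is set, the linter's stdout (the SARIF document it emits
#    when GITHUB_ACTIONS and GITHUB_SARIF are present) is written to that file.
#  * The linter's exit status is returned unchanged so the job still fails on findings.
set -u

# LINT_CMD is an assumption for testability; the real action would call ansible-lint.
: "${LINT_CMD:=ansible-lint}"

run_lint() {
  # Argument list: nothing, or exactly one path (only one value is allowed).
  set --
  if [ -n "${INPUT_PATH:-}" ]; then
    set -- "$INPUT_PATH"
  fi

  if [ -n "${GITHUB_SARIF:-}" ]; then
    # Make sure the target directory exists, then capture the SARIF output.
    mkdir -p "$(dirname -- "$GITHUB_SARIF")" || return 1
    "$LINT_CMD" "$@" > "$GITHUB_SARIF"
  else
    "$LINT_CMD" "$@"
  fi
}

# Only run the linter when invoked as the container entrypoint itself.
case "${0##*/}" in
  entrypoint.sh) run_lint; exit $? ;;
esac
```

The file written this way is what a later SARIF upload step hands to code scanning to produce the alerts mentioned earlier in the thread.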
