ci: Add GHA linting (#4933)

.github/actionlint-matcher.json

@@ -0,0 +1,17 @@
+{
+  "problemMatcher": [
+    {
+      "owner": "actionlint",
+      "pattern": [
+        {
+          "regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$",
+          "file": 1,
+          "line": 2,
+          "column": 3,
+          "message": 4,
+          "code": 5
+        }
+      ]
+    }
+  ]
+}

.github/workflows/approval-comment.yaml

@@ -16,9 +16,7 @@ jobs:
           REVIEW_BODY: ${{ github.event.review.body }}
         run: |
           mkdir -p /tmp/artifacts
-          echo $REVIEW_BODY >> /tmp/artifacts/metadata.txt
-          echo ${{ github.event.pull_request.number }} >> /tmp/artifacts/metadata.txt
-          echo ${{ github.event.review.commit_id }} >> /tmp/artifacts/metadata.txt
+          { echo "$REVIEW_BODY"; echo ${{ github.event.pull_request.number }}; echo ${{ github.event.review.commit_id }}; } >> /tmp/artifacts/metadata.txt
           cat /tmp/artifacts/metadata.txt
       - uses: actions/upload-artifact@v3
         with:

.github/workflows/ci.yaml

@@ -10,4 +10,6 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - uses: ./.github/actions/install-deps
+    - name: Enable the actionlint matcher
+      run: echo "::add-matcher::.github/actionlint-matcher.json"
     - run: make ci-non-test

.github/workflows/codegen.yaml

@@ -1,14 +1,11 @@
 name: "APICodeGen"
-
 on:
   schedule:
     - cron: '0 13 * * MON'
-
 permissions:
   id-token: write # aws-actions/configure-aws-credentials@v4.0.1
   pull-requests: write # name: Create Pull Request
   contents: write # name: Create Pull Request
-
 jobs:
   codegen:
     if: github.repository == 'aws/karpenter'
@@ -30,7 +27,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           ENABLE_GIT_PUSH: true
       - id: detect-changes
-        run: cat /tmp/codegen-updates && echo APICodeGenUpdate=true >> $GITHUB_OUTPUT
+        run: cat /tmp/codegen-updates && echo APICodeGenUpdate=true >> "$GITHUB_OUTPUT"
       - name: Create Pull Request
         if: steps.detect-changes.outputs.APICodeGenUpdate == 'true'
         uses: actions/github-script@v6

.github/workflows/e2e-upgrade.yaml

@@ -79,7 +79,7 @@ jobs:
         run: |
           CLUSTER_NAME="upgrade-$RANDOM$RANDOM"
           echo "Using cluster name \"$CLUSTER_NAME\""
-          echo CLUSTER_NAME=$CLUSTER_NAME >> $GITHUB_OUTPUT
+          echo CLUSTER_NAME="$CLUSTER_NAME" >> "$GITHUB_OUTPUT"
       - name: create eks cluster '${{ steps.generate-cluster-name.outputs.CLUSTER_NAME }}'
         uses: ./.github/actions/e2e/create-cluster
         with:

.github/workflows/e2e.yaml

@@ -102,12 +102,12 @@ jobs:
       - name: add jitter on cluster creation
         run: |
           # Creating jitter so that we can stagger cluster creation to avoid throttling
-          sleep $(( $RANDOM % 300 + 1 ))
+          sleep $(( RANDOM % 300 + 1 ))
       - id: generate-cluster-name
         run: |
-          CLUSTER_NAME=$(echo ${{ inputs.suite }}-$RANDOM$RANDOM | awk '{print tolower($0)}' | tr / -)
-          echo "Using cluster name \"$CLUSTER_NAME\""
-          echo CLUSTER_NAME=$CLUSTER_NAME >> $GITHUB_OUTPUT
+          CLUSTER_NAME="$(echo ${{ inputs.suite }}-"$RANDOM$RANDOM" | awk '{print tolower($0)}' | tr / -)"
+          echo Using cluster name "$CLUSTER_NAME"
+          echo CLUSTER_NAME="$CLUSTER_NAME" >> "$GITHUB_OUTPUT"
       - name: create eks cluster '${{ steps.generate-cluster-name.outputs.CLUSTER_NAME }}'
         uses: ./.github/actions/e2e/create-cluster
         with:

.github/workflows/pr-snapshot.yaml

@@ -16,10 +16,10 @@ jobs:
       - uses: ./.github/actions/download-artifact
       - id: metadata
         run: |
-          pr_number=$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)
-          pr_commit=$(tail -n 1 /tmp/artifacts/metadata.txt)
-          echo "PR_COMMIT=$pr_commit" >> $GITHUB_OUTPUT
-          echo "PR_NUMBER=$pr_number" >> $GITHUB_OUTPUT
+          pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)"
+          pr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"
+          echo PR_COMMIT="$pr_commit" >> "$GITHUB_OUTPUT"
+          echo PR_NUMBER="$pr_number" >> "$GITHUB_OUTPUT"
       - uses: actions/checkout@v4
         with:
           ref: ${{ steps.metadata.outputs.PR_COMMIT }}

.github/workflows/release.yaml

@@ -21,8 +21,8 @@ jobs:
           prerelease: false
       - id: tag
         run: |
-          TAG=$(git describe --tags --exact-match)
-          echo "TAG=${TAG}" >> $GITHUB_OUTPUT
+          TAG="$(git describe --tags --exact-match)"
+          echo TAG="${TAG}" >> "$GITHUB_OUTPUT"
       - uses: ./.github/actions/install-deps
       - uses: aws-actions/configure-aws-credentials@v4.0.1
         with:

.github/workflows/resolve-args.yaml

@@ -25,13 +25,13 @@ jobs:
       - id: resolve-step
         run: |
           if [[ "${{ github.event_name }}" == "workflow_run" ]]; then
-            if [[ $(head -n 1 /tmp/artifacts/metadata.txt) == *"${{ inputs.allowed_comment }}"* ]]; then
-               echo SHOULD_RUN=true >> $GITHUB_OUTPUT
+            if [[ "$(head -n 1 /tmp/artifacts/metadata.txt)" == *"${{ inputs.allowed_comment }}"* ]]; then
+               echo SHOULD_RUN=true >> "$GITHUB_OUTPUT"
             else
-               echo SHOULD_RUN=false >> $GITHUB_OUTPUT
+               echo SHOULD_RUN=false >> "$GITHUB_OUTPUT"
             fi
-            echo GIT_REF=$(tail -n 1 /tmp/artifacts/metadata.txt  ) >> $GITHUB_OUTPUT
+            echo GIT_REF="$(tail -n 1 /tmp/artifacts/metadata.txt)" >> "$GITHUB_OUTPUT"
           else
-            echo SHOULD_RUN=true >> $GITHUB_OUTPUT
-            echo GIT_REF="" >> $GITHUB_OUTPUT
+            echo SHOULD_RUN=true >> "$GITHUB_OUTPUT"
+            echo GIT_REF="" >> "$GITHUB_OUTPUT"
           fi

.golangci.yaml

@@ -37,6 +37,14 @@ linters-settings:
     min-complexity: 11
   govet:
     check-shadowing: true
+  revive:
+    rules:
+    - name: dot-imports
+      disabled: true
+  stylecheck:
+    dot-import-whitelist:
+      - "github.com/onsi/ginkgo/v2"
+      - "github.com/onsi/gomega"
   misspell:
     locale: US
     ignore-words: []

Makefile

@@ -134,6 +134,7 @@ verify: tidy download ## Verify code. Includes dependencies, linting, formatting
 		fi;}
 	@echo "Validating codegen/docgen build scripts..."
 	@find hack/code hack/docs -name "*.go" -type f -print0 | xargs -0 -I {} go build -o /dev/null {}
+	actionlint -oneline
 
 vulncheck: ## Verify code vulnerabilities
 	@govulncheck ./pkg/...

hack/toolchain.sh

@@ -21,6 +21,7 @@ tools() {
     go install -tags extended github.com/gohugoio/hugo@v0.110.0
     go install golang.org/x/vuln/cmd/govulncheck@latest
     go install github.com/onsi/ginkgo/v2/ginkgo@latest
+    go install github.com/rhysd/actionlint/cmd/actionlint@latest
 
     if ! echo "$PATH" | grep -q "${GOPATH:-undefined}/bin\|$HOME/go/bin"; then
         echo "Go workspace's \"bin\" directory is not in PATH. Run 'export PATH=\"\$PATH:\${GOPATH:-\$HOME/go}/bin\"'."

pkg/test/expectations/expectations.go

@@ -15,7 +15,7 @@ limitations under the License.
 package expectations
 
 import (
-	. "github.com/onsi/gomega" //nolint:revive,stylecheck
+	. "github.com/onsi/gomega"
 	"github.com/samber/lo"
 	v1 "k8s.io/api/core/v1"
 

test/pkg/debug/setup.go

@@ -22,7 +22,7 @@ import (
 	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	. "github.com/onsi/gomega" //nolint:revive,stylecheck
+	. "github.com/onsi/gomega"
 )
 
 const (

test/pkg/environment/aws/environment.go

@@ -33,7 +33,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/aws/aws-sdk-go/service/timestreamwrite"
 	"github.com/aws/aws-sdk-go/service/timestreamwrite/timestreamwriteiface"
-	. "github.com/onsi/ginkgo/v2" //nolint:revive,stylecheck
+	. "github.com/onsi/ginkgo/v2"
 	"github.com/samber/lo"
 	"k8s.io/utils/env"
 

test/pkg/environment/aws/expectations.go

@@ -28,8 +28,8 @@ import (
 	"github.com/aws/aws-sdk-go/service/ssm"
 	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/mitchellh/hashstructure/v2"
-	. "github.com/onsi/ginkgo/v2" //nolint:revive,stylecheck
-	. "github.com/onsi/gomega"    //nolint:revive,stylecheck
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
 	"github.com/samber/lo"
 	"go.uber.org/multierr"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

test/pkg/environment/aws/metrics.go

@@ -23,8 +23,8 @@ import (
 	"github.com/aws/aws-sdk-go/aws/request"
 	"github.com/aws/aws-sdk-go/service/timestreamwrite"
 	"github.com/aws/aws-sdk-go/service/timestreamwrite/timestreamwriteiface"
-	. "github.com/onsi/ginkgo/v2" //nolint:revive,stylecheck
-	. "github.com/onsi/gomega"    //nolint:revive,stylecheck
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
 	"github.com/samber/lo"
 
 	"github.com/aws/karpenter/test/pkg/environment/common"

test/pkg/environment/aws/setup.go

@@ -15,7 +15,6 @@ limitations under the License.
 package aws
 
 import (
-	//nolint:revive,stylecheck
 	v1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 

test/pkg/environment/common/expectations.go

@@ -22,8 +22,8 @@ import (
 	"strings"
 	"time"
 
-	. "github.com/onsi/ginkgo/v2" //nolint:revive,stylecheck
-	. "github.com/onsi/gomega"    //nolint:revive,stylecheck
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
 	"github.com/samber/lo"
 	appsv1 "k8s.io/api/apps/v1"
 	coordinationv1 "k8s.io/api/coordination/v1"

test/pkg/environment/common/setup.go

@@ -19,8 +19,8 @@ import (
 	"sync"
 	"time"
 
-	. "github.com/onsi/ginkgo/v2" //nolint:revive,stylecheck
-	. "github.com/onsi/gomega"    //nolint:revive,stylecheck
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
 	"github.com/samber/lo"
 	appsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"