ci: add actionlint, zizmor, shellcheck to lint job #21127
Merged
Adds three meta-linters to the existing lint workflow, running before the Go lint step so they give fast feedback independent of Go compilation:
- actionlint: catches YAML type errors, wrong context references, and undefined step outputs in workflow files
- zizmor: security linter that finds script injection via untrusted template expressions and other GitHub Actions anti-patterns
- shellcheck: catches shell bugs (word-splitting, masked exit codes, etc.) in .sh files across the repo

Includes .github/actionlint.yaml declaring the project's custom self-hosted runner labels so actionlint doesn't false-positive on them.

Also fixes four pre-existing issues the linters found:
- check-large-files.yml: route github.event.pull_request.base.sha through env to avoid script injection pattern
- qa-rpc-performance-tests.yml, qa-rpc-performance-comparison-tests.yml: same fix for github.event.inputs.run_geth
- qa-sync-test-bisection-tool.yml: add missing test_name input definition (was referenced at runtime but never declared)
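The env-routing fix described above, as an added illustration that is not part of the PR: a small awk check that stands in for what zizmor's template-injection audit does with a real YAML parser, run over two constructed workflow snippets shaped like the check-large-files.yml before and after.

```shell
#!/usr/bin/env bash
# Added illustration, not code from the PR. Constructed snippet shaped like the
# check-large-files.yml "before": a github.event value interpolated into run:.
UNSAFE_WORKFLOW='jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - run: |
          git diff --name-only ${{ github.event.pull_request.base.sha }} HEAD'

# Constructed "after": the expression is routed through env: and the script
# reads a plain shell variable, so the value is data rather than script text.
SAFE_WORKFLOW='jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          git diff --name-only "$BASE_SHA" HEAD'

# Reads workflow YAML on stdin and prints how many lines inside a run: script
# interpolate ${{ github.event.* }} directly. A rough stand-in for zizmor's
# template-injection audit, which uses a real YAML parser and expression model.
count_unsafe_interpolations() {
  awk '
    function indent() { match($0, /^[[:space:]]*/); return RLENGTH }
    /^[[:space:]]*-?[[:space:]]*run:/ {          # start of a run: script
      inrun = 1; base = indent()
      if ($0 ~ /[$][{][{][^}]*github[.]event[.]/) n++   # inline run: value
      next
    }
    inrun && $0 !~ /^[[:space:]]*$/ && indent() <= base { inrun = 0 }  # block ended
    inrun && /[$][{][{][^}]*github[.]event[.]/ { n++ }
    END { print n + 0 }
  '
}

# Convenience wrapper taking the workflow text as an argument.
unsafe_count_of() { printf '%s\n' "$1" | count_unsafe_interpolations; }

printf 'before env routing: %s finding(s)\n' "$(unsafe_count_of "$UNSAFE_WORKFLOW")"
printf 'after env routing:  %s finding(s)\n' "$(unsafe_count_of "$SAFE_WORKFLOW")"
```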
The repo's QA workflow inline run: blocks have many pre-existing shellcheck warnings (SC2046, SC2034, SC1083, SC2188, etc.) that need a separate cleanup pass. Disabling the built-in integration unblocks the linter PR. .sh files are still covered by the dedicated shellcheck step. A tracking issue will capture the warning-level findings to fix.
unpinned-uses (SHA-pin policy) and artipacked (intentional Docker cache) are pre-existing decisions; disabling them lets zizmor catch real security findings like template-injection without false-positive noise.
- Rename artipacked → cache-poisoning (correct rule ID in v1.24.1)
- Add --config .github/zizmor.yml explicitly (ensures config is loaded)
- Use per-file ignores for template-injection and cache-poisoning instead of global disable, so new workflows still get full coverage
- Add excessive-permissions ignore for ci-gate.yml (actions:write is intentional for merge-queue sibling cancellation)
- All pre-existing findings tracked in issue #21132
zizmor exits 13 when it finds only warning-level findings (excessive-permissions in cache-warming.yml etc.) and 14 when it finds errors. Only exit 14 should fail CI; exit 13 means no actionable errors were found. Also rename the step to 'Actions security audit (zizmor)' so it's self-explanatory in the CI UI.
Globally disable excessive-permissions, credential-persistence, and secrets-inherit — all pre-existing across 40+ files. Add docker-image-remove, release, and test-all-erigon-race to template-injection ignore list. All findings documented in issue #21132.
credential-persistence → overprovisioned-secrets (correct audit ID in zizmor v1.24.1). Also expand the exit-code guard from == 13 to < 14 so exit 12 (medium-severity findings) is also treated as success; only exit 14 (error-level findings) should fail CI.
Contributor
Pull request overview
Adds additional CI meta-linters to the existing GitHub Actions lint workflow to provide faster, non-Go feedback on workflow correctness/security and shell scripts, along with configuration files for these linters and a few workflow hardening fixes.
Changes:
- Extend .github/workflows/lint.yml with actionlint, zizmor, and shellcheck steps before Go linting.
- Add linter configuration files: .github/actionlint.yaml (runner labels) and .github/zizmor.yml (rule tuning/ignores).
- Harden several workflows by routing GitHub expression values through env: and define a missing workflow_dispatch input.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/zizmor.yml | Adds zizmor configuration (rule disables/ignores) for workflow security linting. |
| .github/workflows/qa-sync-test-bisection-tool.yml | Declares a previously-missing test_name workflow_dispatch input. |
| .github/workflows/qa-rpc-performance-tests.yml | Routes run_geth input through env to avoid direct expression interpolation in shell. |
| .github/workflows/qa-rpc-performance-comparison-tests.yml | Same env routing for run_geth input. |
| .github/workflows/lint.yml | Installs/runs actionlint + zizmor + shellcheck before Go lint. |
| .github/workflows/check-large-files.yml | Routes base.sha through env to avoid direct expression interpolation in shell. |
| .github/actionlint.yaml | Defines custom runner labels for actionlint validation. |
- torrent_hashes_update.sh: fix broken test syntax [ ! type gcloud ] → ! type gcloud
- transition-test.sh: fix redirect order 2>&1 >/dev/null → >/dev/null 2>&1
- exec_bench.sh: remove unused timeout_seconds; split local+assign for log_file (SC2155)
- recompress.sh: suppress SC2010 (ls|grep pattern used for complex multi-filter)
- run_rpc_tests_local.sh: rename loop counter i → _ (counter not used in body)
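The redirect-order and SC2155 fixes listed in the commit above, as an added illustration with constructed functions (not the repository's scripts) that show why each pre-fix form misbehaves.

```shell
#!/usr/bin/env bash
# Added illustration of two shellcheck classes fixed in the commit above.
# Constructed functions, not code from the repository.

# 1. Redirect order. `2>&1 >/dev/null` first duplicates stderr onto the *current*
#    stdout, then sends only stdout to /dev/null, so "err" still reaches the
#    caller. `>/dev/null 2>&1` silences both streams.
noisy() { echo "out"; echo "err" >&2; }
silenced_wrong() { noisy 2>&1 >/dev/null; }   # caller still sees "err"
silenced_right() { noisy >/dev/null 2>&1; }   # caller sees nothing

# 2. SC2155. `local var=$(cmd)` reports local's own status (0), masking a
#    failing cmd. Declaring and assigning separately keeps cmd's status in $?.
log_file_masked()   { local f=$(false); return $?; }      # returns 0: failure hidden
log_file_unmasked() { local f; f=$(false); return $?; }   # returns 1: failure visible

# The third fix in the commit is of the same family: `[ ! type gcloud ]` is a
# test(1) expression that never runs `type`; the working form is the command
# itself negated, `! type gcloud`, as below.
missing_cmd() { ! type "$1" >/dev/null 2>&1; }   # 0 when "$1" is not installed

printf 'wrong redirect order leaks: %s\n' "$(silenced_wrong 2>&1)"
printf 'fixed redirect order leaks: %s\n' "$(silenced_right 2>&1)"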
- actionlint.yaml: add ARM64 runner label (used in release.yml matrix)
- lint.yml: pin zizmor==1.24.1 for reproducible CI
- qa-sync-test-bisection-tool.yml: pass inputs.chain as $1 to bisect script (script uses $1 as CHAIN; previously TEST_NAME was wrongly passed as $1)

- cd without || exit (SC2164): add || exit 1 to three cd calls
- Tilde in quotes (SC2088): replace "~/.ssh/vm_rsa" with "$HOME/.ssh/vm_rsa"
Giulio2002 (Collaborator) approved these changes on May 13, 2026 and left a comment:
LGTM — straightforward CI/lint workflow hardening plus small workflow input/env fixes.