rhysd / actionlint

:octocat: Static checker for GitHub Actions workflow files
https://rhysd.github.io/actionlint/
MIT License

Provide a proper GitHub action of actionlint #117

Open toast-gear opened 2 years ago

toast-gear commented 2 years ago

👋

I know you document how to use actionlint in a pipeline, it's also handy being able to run it locally.

We use actionlint in our pipelines and actionlint not being a proper action means keeping on top of bumping is hacky or we just pull down latest constantly and hope nothing ever breaks. If there was a proper action for this then GitHub native tools like dependabot could be used to bump the action automating the process with a known off the shelf tool whilst retaining the determinism of version pinning. If you don't want to spend the time making this repository work as an action too like https://github.com/mikefarah/yq then you could just produce a wrapper repository like https://github.com/bridgecrewio/checkov-action and just automate bumping the underlying container.

Ameausoone commented 2 years ago

I'm using https://github.com/reviewdog/action-actionlint which does the job.

toast-gear commented 2 years ago

Neat, I didn't know that existed! Certainly helpful and perhaps @rhysd could take inspiration from it and produce an "official" action for actionlint 😅😄

Ameausoone commented 2 years ago

There are already a lot of users:

But it would be interesting to integrate reviewdog/action-actionlint in this repo. And in addition, if you would add an automatic semantic release action, the CLI and the GitHub action would be released as soon as you merge on main (cf. https://github.com/marketplace/actions/release-that, https://goreleaser.com/cookbooks/semantic-release/) 👌

rhysd commented 2 years ago

Hmm, honestly I don't think dedicated action only for setup for actionlint since we already have the download script.

https://github.com/rhysd/actionlint/blob/main/docs/usage.md#use-actionlint-on-github-actions

However, this issue gained some upvotes and I understood actually some users want an action. I will consider it.

> But it would be interesting to integrate reviewdog/action-actionlint in this repo.

Putting an action in the rhysd/actionlint repository is not possible because currently this repository is already using Git tags for releases. But an action also requires Git tags for releases. Versions of actionlint and versions of the action should be separated. So they will have conflicts. I think a separate repository is necessary.

rhysd commented 2 years ago

> If there was a proper action for this then GitHub native tools like dependabot could be used to bump the action automating the process with a known off the shelf tool whilst retaining the determinism of version pinning.

Does this mean the action provides a feature like below?

  1. Check all uses: in steps of given workflows
  2. When a version of action in uses:, actionlint raises an error
  3. The action generates a PR to bump the versions

If my understanding is correct, this would need more consideration.

ericcornelissen commented 1 year ago

> Hmm, honestly I don't think dedicated action only for setup for actionlint since we already have the download script.
>
> main/docs/usage.md#use-actionlint-on-github-actions
>
> However, this issue gained some upvotes and I understood actually some users want an action. I will consider it.
>
> [...]
>
> If there was a proper action for this then GitHub native tools like dependabot could be used to bump the action automating the process with a known off the shelf tool whilst retaining the determinism of version pinning.
>
> [...]

Chiming in here related to this point: per my understanding of the install script it will always download the latest version of actionlint. This can be undesirable as this means builds are not reproducible. The most notable way in which this manifests itself is that the job using actionlint might start failing without having changed any workflows.

Admittedly, this reproducibility problem can be avoided by using the Docker image or using go install (if go is set up for the job). However, as far as I know, neither of these approaches has support for version updates by tools like Dependabot.

For these reasons, I believe having a "proper GitHub action" would be preferable - I believe this is also what the original issue author was getting at, specifically:

> Does this mean the action provides a feature like below?
>
>   • Check all uses: in steps of given workflows
>   • When a version of action in uses:, actionlint raises an error
>   • The action generates a PR to bump the versions

No, these things would all be carried out by Dependabot (or similar).
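
An added example, not part of the thread and not code from actionlint, reviewdog or Dependabot: a small audit of the version pinning discussed above, which lists every `uses:` reference in a workflow and labels how it is pinned. The workflow text, the `example-org` names, the commit SHA and the label names are constructed for illustration, and the version-tag check is a heuristic.

```python
import re

# Constructed sample workflow (not taken from the thread).
SAMPLE_WORKFLOW = """\
name: lint
on: [push]
jobs:
  actionlint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-actionlint@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: example-org/example-action@main
      - uses: ./.github/actions/local
      - uses: docker://example/image:1.2.3
      - name: quoted form
        uses: "example-org/other-action/sub@v1.2.3"
"""

# Matches "uses: ref" and "- uses: ref", with or without quotes around ref.
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*["']?([^"'\s#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # full commit SHA: immutable
VERSION_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")   # v4, v1.2, 1.2.3 (heuristic)

def classify(ref):
    """Label how a `uses:` reference is pinned."""
    if ref.startswith("./"):
        return "local"              # action stored in the same repository
    if ref.startswith("docker://"):
        return "docker"             # container image reference
    if "@" not in ref:
        return "unpinned"
    version = ref.rsplit("@", 1)[1]
    if SHA_RE.match(version):
        return "sha"
    if VERSION_RE.match(version):
        return "version-tag"        # readable, but the ref can be moved upstream
    return "branch-or-other"        # e.g. main: content changes with every push

def audit(workflow_text):
    """Return (line number, reference, label) for each `uses:` line."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            findings.append((lineno, match.group(1), classify(match.group(1))))
    return findings

if __name__ == "__main__":
    for lineno, ref, label in audit(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} -> {label}")
```
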