From 589cbb1d2cd626325736725b5b398f0b04d38930 Mon Sep 17 00:00:00 2001
From: kdairatchi <96064915+kdairatchi@users.noreply.github.com>
Date: Sat, 18 Apr 2026 10:35:39 -0400
Subject: [PATCH] ci: add ghactor lint + doctor gate for workflow changes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Gates every .github/workflows/** change through ghactor (kdairatchi/ghactor v0.2.0) so supply-chain drift and workflow security regressions are caught at PR time. Runs on push/PR when workflows change, plus a weekly schedule so upstream action releases surface as a step-summary delta even without a workflow-file change. Note: installs ghactor from a private module — requires either the GHACTOR_INSTALL_TOKEN secret (a PAT with repo:read on kdairatchi/ghactor) or falls back to GITHUB_TOKEN (works once ghactor is public). Git URL rewrite authenticates the go install fetch.
---
 .github/workflows/ghactor.yml | 69 +++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 .github/workflows/ghactor.yml

diff --git a/.github/workflows/ghactor.yml b/.github/workflows/ghactor.yml
new file mode 100644
index 0000000..914a713
--- /dev/null
+++ b/.github/workflows/ghactor.yml
@@ -0,0 +1,69 @@
+name: ghactor
+
+# Gates every change to GitHub Actions workflows through ghactor's
+# security-first lint + supply-chain audit. Fails CI on any issue so
+# workflow drift is caught at PR time rather than after merge.
+
+on:
+ push:
+ branches: [main]
+ paths:
+ - '.github/workflows/**'
+ pull_request:
+ branches: [main]
+ paths:
+ - '.github/workflows/**'
+ schedule:
+ # Weekly sweep so upstream action releases surface as a PR-able delta
+ # even when no workflow file changes.
+ - cron: '17 5 * * 1'
+
+permissions:
+ contents: read
+
+jobs:
+ audit:
+ name: Lint + doctor
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - name: Setup Go
+ uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+ with:
+ go-version: '1.23'
+ cache: false
+
+ - name: Install ghactor
+ env:
+ # Required because kdairatchi/ghactor is a private module until
+ # the user flips it public. GOPRIVATE keeps go from hitting the
+ # public proxy and GONOSUMCHECK skips sum.golang.org.
+ GOPRIVATE: github.com/kdairatchi/*
+ GONOSUMCHECK: 'off'
+ GH_TOKEN: ${{ secrets.GHACTOR_INSTALL_TOKEN || secrets.GITHUB_TOKEN }}
+ run: |
+ # Tell go to authenticate via gh to github.com for private repos.
+ git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/"
+ go install github.com/kdairatchi/ghactor/cmd/ghactor@v0.2.0
+
+ - name: ghactor doctor
+ run: ghactor doctor
+
+ - name: ghactor lint
+ run: ghactor lint
+
+ - name: ghactor update (report only)
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ ghactor update --changelog /tmp/ghactor-updates.md || true
+ if [ -s /tmp/ghactor-updates.md ]; then
+ echo "## Upstream action updates available" >> "$GITHUB_STEP_SUMMARY"
+ cat /tmp/ghactor-updates.md >> "$GITHUB_STEP_SUMMARY"
+ else
+ echo "All actions current or unresolvable." >> "$GITHUB_STEP_SUMMARY"
+ fi
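Review bot: The `git config --global url.…insteadOf` line in the "Install ghactor" step writes the PAT into the runner's ~/.gitconfig and never removes it, so the credentialed rewrite stays active for every later step (doctor, lint, update) and any git call in those steps that echoes its remote URL can surface the token (Actions masking hides the literal value, not transformed forms). Undo it right after the fetch, e.g. add `git config --global --unset-all url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf` after the `go install` line, or pass the rewrite to that one command via `GIT_CONFIG_COUNT`/`GIT_CONFIG_KEY_0`/`GIT_CONFIG_VALUE_0` so nothing persists on disk. `GONOSUMCHECK` does not appear to be a Go environment variable — `GOPRIVATE` already serves as the default for `GONOPROXY` and `GONOSUMDB` for the matched pattern, so the `GONOSUMCHECK: 'off'` line and the "skips sum.golang.org" remark in the comment above it can be dropped (use `GONOSUMDB` if a distinct pattern is actually intended). Because checksum-database verification is off for that module, `@v0.2.0` resolves a mutable tag with no integrity check, which is a gap in a job whose purpose is supply-chain gating; pinning to a pseudo-version at a specific commit, or carrying a go.mod/go.sum for the tool in this repo, would close it. Nit: the comment `# Tell go to authenticate via gh to github.com for private repos.` describes a git URL rewrite, not gh — `# Rewrite github.com URLs so git (used by go install) authenticates with GH_TOKEN.` matches the line below it.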