Skip to content

ci: add ghactor lint + doctor gate for workflow changes #21

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kdairatchi merged 1 commit into from
Apr 18, 2026
Merged

ci: add ghactor lint + doctor gate for workflow changes #21

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
69 changes: 69 additions & 0 deletions .github/workflows/ghactor.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
name: ghactor

# Gates every change to GitHub Actions workflows through ghactor's
# security-first lint + supply-chain audit. Fails CI on any issue so
# workflow drift is caught at PR time rather than after merge.

on:
push:
branches: [main]
paths:
- '.github/workflows/**'
pull_request:
branches: [main]
paths:
- '.github/workflows/**'
schedule:
# Weekly sweep so upstream action releases surface as a PR-able delta
# even when no workflow file changes.
- cron: '17 5 * * 1'

permissions:
contents: read

jobs:
audit:
name: Lint + doctor
runs-on: ubuntu-latest
timeout-minutes: 5

steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Setup Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: '1.23'
cache: false

- name: Install ghactor
env:
# Required because kdairatchi/ghactor is a private module until
# the user flips it public. GOPRIVATE keeps go from hitting the
# public proxy and GONOSUMCHECK skips sum.golang.org.
GOPRIVATE: github.com/kdairatchi/*
GONOSUMCHECK: 'off'
GH_TOKEN: ${{ secrets.GHACTOR_INSTALL_TOKEN || secrets.GITHUB_TOKEN }}
run: |
# Tell go to authenticate via gh to github.com for private repos.
git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/"
go install github.com/kdairatchi/ghactor/cmd/ghactor@v0.2.0

- name: ghactor doctor
run: ghactor doctor

- name: ghactor lint
run: ghactor lint

- name: ghactor update (report only)
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
ghactor update --changelog /tmp/ghactor-updates.md || true
if [ -s /tmp/ghactor-updates.md ]; then
echo "## Upstream action updates available" >> "$GITHUB_STEP_SUMMARY"
cat /tmp/ghactor-updates.md >> "$GITHUB_STEP_SUMMARY"
else
echo "All actions current or unresolvable." >> "$GITHUB_STEP_SUMMARY"
fi
Loading