Add actionlint workflow #20
| - name: Check workflow files | ||
| run: | | ||
| bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) | ||
| ./actionlint -color -ignore SC2129 |
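Review bot: the `bash <(curl .../main/scripts/download-actionlint.bash)` line runs whatever the `main` branch of rhysd/actionlint holds when the job starts, so each CI run executes an unversioned script. Point the URL at a release tag or commit SHA, or download a versioned release asset instead. The curl call also has no `--fail`, so on an HTTP error the response body is handed to bash rather than stopping the step.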
There was a problem hiding this comment.
Is this the proper way to do it? bash+curl?
There was a problem hiding this comment.
curl is printing the downloaded file to stdout.
`<(command)` redirects command output to stdout of command.
It is the equivalent of: `curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash | bash`
There was a problem hiding this comment.
Sorry I wasn't clear; I know that's what's happening :P I mean in terms of security, isn't this generally frowned upon? Are we ok with doing it in our workflow? Pointing to a main, unversioned?
There was a problem hiding this comment.
It is working this way in the napari main repo.
Code also has no permissions.
It will be better to pin the version, but we need an automatic bumper then. And I do not have any idea how to do this.
There was a problem hiding this comment.
ok. Let's get this in like this then for now.
There was a problem hiding this comment.
I think it is fine with permissions = {} and no credentials persisted.
In the future, this may be a cleaner way to avoid bash execution. The risk as is is likely minimal.
```yaml
  env:
    ACTIONLINT_VERSION: 1.7.12
  run: |
    curl --fail --silent --show-error --location \
      "https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" \
      | tar xz actionlint
    ./actionlint -color -ignore SC2129
```
There was a problem hiding this comment.
I'm not sure if we will remember to bump the version
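An added example, not part of this PR or of actionlint: a POSIX shell check that flags the pattern debated in this thread, a script fetched with curl and handed straight to a shell, and marks the cases where the URL points at a branch such as `main`. The function names, the `UNPINNED` / `REMOTE-EXEC` labels and the `example-org/example-tool` step in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the PR: flag workflow lines that fetch a script
# and hand it straight to a shell, and mark those fetched from a branch ref.

# "sh <(curl ...)" process substitution, or "curl ... | sh" (bash/zsh/dash too).
FETCH_EXEC_RE='(ba|z|da)?sh[[:space:]]+<[(][[:space:]]*(curl|wget)[[:space:]]|(curl|wget)[[:space:]][^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([[:space:]]|$)'
# raw.githubusercontent.com/<owner>/<repo>/<ref>/... where <ref> is a branch name.
MUTABLE_REF_RE='raw[.]githubusercontent[.]com/[^/]+/[^/]+/(main|master|HEAD)/'

# scan_workflow FILE: prints "<LABEL> <line-no>:<text>" for each finding.
# Returns 0 when the file is clean, 1 when anything was flagged.
scan_workflow() {
  hits=$(grep -nE "$FETCH_EXEC_RE" "$1") || return 0
  printf '%s\n' "$hits" | while IFS= read -r hit; do
    if printf '%s\n' "$hit" | grep -qE "$MUTABLE_REF_RE"; then
      echo "UNPINNED $hit"      # runs whatever the branch holds at run time
    else
      echo "REMOTE-EXEC $hit"   # still runs fetched code; ref is not a branch
    fi
  done
  return 1
}

# Constructed sample workflow. The first two steps are the forms quoted in the
# thread, the third is a hypothetical tag-pinned installer, and the last is the
# versioned release download proposed in review (piped to tar, not to a shell).
write_sample() {
  cat > "$1" <<'EOF'
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
      - run: curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash | bash
      - run: curl -sSf https://raw.githubusercontent.com/example-org/example-tool/v1.2.3/install.sh | sh
      - run: |
          curl --fail --silent --show-error --location \
            "https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" \
            | tar xz actionlint
EOF
}

sample=$(mktemp)
write_sample "$sample"
scan_workflow "$sample" || echo "review the lines above: pin the ref or use a versioned release asset"
rm -f "$sample"
```

The match is line-based, so a fetch and its `| bash` split across a line continuation are not flagged.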
To validate workflows on PRs.