From a7bfc8d6ac515a1322d500035a6875e50fa39901 Mon Sep 17 00:00:00 2001 From: JP Lomas Date: Wed, 11 Sep 2024 21:32:06 +0100 Subject: [PATCH] Check workflows for issues during CI (#1916) * Check workflows for issues during CI This PR adds an Actionlint workflow to validate GH actions as per #1866 This is an updated version of PR #1880, taking into account the discussion on that contribution. Signed-off-by: JP Lomas * CONTRIBUTING.md update Documents actionlint use as part of CI basic workflow including instructions of running locally. Signed-off-by: JP Lomas * Update .github/workflows/basic.yml Co-authored-by: Spencer Wilson Signed-off-by: JP Lomas --------- Signed-off-by: JP Lomas Signed-off-by: JP Lomas Co-authored-by: Spencer Wilson --- .github/actionlint.yaml | 14 ++++++++++++++ .github/workflows/basic.yml | 14 +++++++++++++- CONTRIBUTING.md | 17 ++++++++++++++--- 3 files changed, 41 insertions(+), 4 deletions(-) create mode 100644 .github/actionlint.yaml
diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
new file mode 100644
index 000000000..6ba90d657
--- /dev/null
+++ b/.github/actionlint.yaml
@@ -0,0 +1,14 @@
+# Labels of self-hosted runner in array of strings.
+
+# NB. oqs-arm64 is not self-hosted but this configuration
+# is required for liboqs to lint correctly with actionlint v1.7.1
+
+self-hosted-runner:
+ # Labels of self-hosted runner in array of string
+ labels:
+ - oqs-arm64
+# Configuration variables in array of strings defined in your repository or organization
+config-variables:
+ # - DEFAULT_RUNNER
+ # - JOB_NAME
+ # - ENVIRONMENT_STAGE
diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml
index 3364ec77e..49063219d 100644
--- a/.github/workflows/basic.yml
+++ b/.github/workflows/basic.yml
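Review bot: In the new `.github/actionlint.yaml`, `config-variables:` is a bare key with only commented-out entries beneath it, so it parses as null, which actionlint treats as "do not check `vars.*` names"; an empty list would instead reject every configuration variable. Writing `config-variables: null` with a comment such as `# null disables the vars.* name check; list names here to enforce it` makes that choice explicit rather than an accident of the template. The NB comment explains why `oqs-arm64` is listed but not where the label is defined (presumably a hosted larger-runner or runner group — confirm), which a reader needs in order to tell a legitimate label from a typo that would leave a job unscheduled.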
@@ -7,8 +7,19 @@ on: [workflow_call, workflow_dispatch] jobs: + workflowcheck: + name: Check validity of GitHub workflows + runs-on: ubuntu-latest + container: openquantumsafe/ci-ubuntu-latest:latest + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 + - name: Ensure GitHub actions are valid + run: actionlint -shellcheck "" # run *without* shellcheck + stylecheck: name: Check code formatting + needs: [ workflowcheck ] runs-on: ubuntu-latest container: openquantumsafe/ci-ubuntu-latest:latest steps: @@ -23,6 +34,7 @@ jobs: upstreamcheck: name: Check upstream code is properly integrated + needs: [ workflowcheck ] runs-on: ubuntu-latest container: openquantumsafe/ci-ubuntu-latest:latest steps: @@ -47,7 +59,7 @@ jobs: buildcheck: name: Check that code passes a basic build - needs: [ stylecheck, upstreamcheck ] + needs: [ workflowcheck, stylecheck, upstreamcheck ] runs-on: ubuntu-latest container: openquantumsafe/ci-ubuntu-latest:latest env: diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b87108e37..a467d9c45 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -56,6 +56,20 @@ GitHub CI jobs. When executed in the main `liboqs` directory, When installing `act` as a GitHub extension, prefix the commands with `gh `. +## Modifications to CI + +Modifications to GitHub Actions workflows are checked with [actionlint](https://github.com/rhysd/actionlint) during the [basic.yml](.github/workflows/basic.yml) job, protecting the CI chain and against wrong approval decisions based on improper CI runs. Changes to these workflows can be validated locally with `actionlint`: + +```bash +actionlint .github/workflows/*.yml +``` + +or running the CI locally (as above): + +```bash +act workflow_call -W '.github/workflows/basic.yml' +``` + ### New features Any PR introducing a new feature is expected to contain a test of this feature 
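Review bot: The new `workflowcheck` job takes its `actionlint` binary from `openquantumsafe/ci-ubuntu-latest:latest`, a mutable tag, while the checkout step next to it is pinned to a commit SHA and `.github/actionlint.yaml` is written against actionlint v1.7.1. The other jobs in these hunks already use the same image, but the `needs:` lines added in the `-23,6` and `-47,7` hunks now make every one of them wait on this job, so a rebuilt image with a different or missing actionlint changes or breaks the gate with no change in the repository. Pinning the image by digest (`container: openquantumsafe/ci-ubuntu-latest@sha256:<digest>`) or at least running `actionlint -version` before the lint step would make such drift visible. The comment on `-shellcheck ""` says what the flag does but not why; with shellcheck off, shell mistakes inside `run:` blocks go unreported, so the reason (existing findings, or shellcheck absent from the image — confirm) belongs in that comment. Since this job only reads the tree, the checkout step could also set `persist-credentials: false`.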
@@ -70,6 +84,3 @@ add a tag to one or more of our [most active contributors](https://github.com/op If you feel like contributing but don't know what specific topic to work on, please check the [open issues tagged "good first issue" or "help wanted"](https://github.com/open-quantum-safe/liboqs/issues). - - -