Merge pull request #1513 from rodoHasArrived/claude/implement-improve… #2082

Merge pull request #1513 from rodoHasArrived/claude/implement-improve…

Merge pull request #1513 from rodoHasArrived/claude/implement-improve… #2082

---
# Lints the repository's own GitHub configuration (workflow, config, issue
# template and prompt YAML) whenever a pull request touches it.
name: 'Validate Workflows'

Check failure on line 1 in .github/workflows/validate-workflows.yml

Invalid workflow file

(Line: 114, Col: 12): The expression is not closed. An unescaped ${{ sequence was found, but the closing }} sequence was not found.
# Trigger only for changes to the files this workflow validates, plus a
# manual run from the Actions tab.
on:
  pull_request:
    paths:
      - ".github/workflows/**"
      - ".github/dependabot.yml"
      - ".github/labeler.yml"
  workflow_dispatch:
# The default token is read-only for every job; nothing here needs to write.
permissions:
  contents: read
# One run per workflow and ref; a newer push cancels the in-flight one.
concurrency:
  group: "${{ github.workflow }}-${{ github.ref }}"
  cancel-in-progress: true
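jobs:
  # Every .yml/.yaml under .github/ (workflows, config, issue templates,
  # prompts) must at least parse. yaml.safe_load is used so no arbitrary
  # tags are constructed while checking.
  validate-yaml:
    name: Validate YAML Syntax
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v6.2.0
        with:
          python-version: '3.x'
      - name: Install PyYAML
        run: pip install pyyaml
      - name: Validate workflow YAML files
        run: |
          EXIT_CODE=0
          # Parse one file. The path is passed as argv so it is never spliced
          # into Python source, and the parser's own message is printed on
          # failure instead of being discarded.
          check_yaml() {
            echo "Checking $1..."
            if err=$(python -c "import sys, yaml; yaml.safe_load(open(sys.argv[1], encoding='utf-8'))" "$1" 2>&1); then
              echo "  ✓ Valid"
            else
              echo "  ✗ Invalid YAML syntax"
              printf '%s\n' "$err" | sed 's/^/    /'
              EXIT_CODE=1
            fi
          }
          echo "Validating workflow YAML files..."
          # An unmatched glob stays literal; the -f test skips it.
          for file in .github/workflows/*.yml .github/workflows/*.yaml; do
            if [ -f "$file" ]; then
              check_yaml "$file"
            fi
          done
          echo ""
          echo "Validating configuration YAML files..."
          for file in .github/*.yml .github/*.yaml; do
            if [ -f "$file" ]; then
              check_yaml "$file"
            fi
          done
          exit $EXIT_CODE
      - name: Validate issue template YAML files
        run: |
          EXIT_CODE=0
          # Same checker as the workflow step; steps do not share shell state.
          check_yaml() {
            echo "Checking $1..."
            if err=$(python -c "import sys, yaml; yaml.safe_load(open(sys.argv[1], encoding='utf-8'))" "$1" 2>&1); then
              echo "  ✓ Valid"
            else
              echo "  ✗ Invalid YAML syntax"
              printf '%s\n' "$err" | sed 's/^/    /'
              EXIT_CODE=1
            fi
          }
          echo "Validating issue template YAML files..."
          for file in .github/ISSUE_TEMPLATE/*.yml .github/ISSUE_TEMPLATE/*.yaml; do
            if [ -f "$file" ]; then
              check_yaml "$file"
            fi
          done
          exit $EXIT_CODE
      - name: Validate prompt YAML files
        run: |
          EXIT_CODE=0
          # Same checker as the workflow step; steps do not share shell state.
          check_yaml() {
            echo "Checking $1..."
            if err=$(python -c "import sys, yaml; yaml.safe_load(open(sys.argv[1], encoding='utf-8'))" "$1" 2>&1); then
              echo "  ✓ Valid"
            else
              echo "  ✗ Invalid YAML syntax"
              printf '%s\n' "$err" | sed 's/^/    /'
              EXIT_CODE=1
            fi
          }
          echo "Validating AI assistant prompt YAML files..."
          for file in .github/prompts/*.yml .github/prompts/*.yaml; do
            if [ -f "$file" ]; then
              check_yaml "$file"
            fi
          done
          exit $EXIT_CODE

  # Flags outdated action majors (warning only) and direct expansion of
  # untrusted event text into run scripts (error).
  validate-actions:
    name: Validate GitHub Actions
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Validate action references
        run: |
          echo "Checking for action references..."
          EXIT_CODE=0
          # Deprecated majors. Each range stops one below the version the
          # message recommends, so the recommended version is never flagged
          # (the checkout range previously included v4 and always tripped).
          # \b keeps v3.x matching while v30 does not.
          if grep -rE "actions/checkout@v[1-3]\b" .github/workflows/; then
            echo "⚠️ Warning: Found deprecated checkout action versions"
            echo "   Consider upgrading to actions/checkout@v4"
          fi
          if grep -rE "actions/setup-dotnet@v[1-4]\b" .github/workflows/; then
            echo "⚠️ Warning: Found deprecated setup-dotnet action versions"
            echo "   Consider upgrading to actions/setup-dotnet@v5.1.0"
          fi
          if grep -rE "actions/github-script@v[1-7]\b" .github/workflows/; then
            echo "⚠️ Warning: Found deprecated github-script action versions"
            echo "   Consider upgrading to actions/github-script@v8"
          fi
          # Expression-injection check: untrusted event fields expanded inline.
          # The pattern is ERE with every brace escaped, so this file never
          # contains the dollar-double-brace opener as literal text. The
          # Actions parser scans run scripts for that opener and rejected the
          # previous form as an unclosed expression; the escaped form also no
          # longer matches its own definition when grep scans this workflow.
          if grep -rE '\$\{\{.*github\.event\.issue\.title' .github/workflows/; then
            echo "❌ Error: Potential script injection via issue title"
            EXIT_CODE=1
          fi
          if grep -rE '\$\{\{.*github\.event\.comment\.body' .github/workflows/; then
            echo "❌ Error: Potential script injection via comment body"
            EXIT_CODE=1
          fi
          if [ $EXIT_CODE -eq 0 ]; then
            echo "✓ No security issues found"
          fi
          exit $EXIT_CODE
      - name: Run actionlint
        uses: rhysd/actionlint@v1

  # Informational: lists workflows that mention write access and shows their
  # permissions stanza. Never fails the run.
  check-permissions:
    name: Check Workflow Permissions
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Analyze permissions
        run: |
          echo "Checking workflow permissions..."
          # The default shell runs with -e and pipefail, so a grep that finds
          # nothing would abort the step; "|| true" keeps the audit informational.
          echo "Workflows with write permissions:"
          { grep -l "write" .github/workflows/*.yml || true; } | while read -r file; do
            echo "  - $(basename "$file")"
            grep -A 5 "permissions:" "$file" | head -10 || true
          done
          echo ""
          echo "✓ Permission audit complete"

  # Informational: echoes every cron line so reviewers can spot clustering.
  validate-schedules:
    name: Validate Cron Schedules
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Check schedule syntax
        run: |
          echo "Validating cron schedules..."
          # "|| true": no schedules at all is not an error (see -e/pipefail).
          echo "Configured schedules:"
          { grep -r "cron:" .github/workflows/ || true; } | while read -r line; do
            echo "  $line"
          done
          echo ""
          echo "✓ Schedule syntax check complete"
          echo ""
          echo "Note: Ensure cron schedules are distributed to avoid rate limits"

  # Writes a status table to the job summary. Only the syntax and action
  # checks are gating; permissions and schedules are informational.
  summary:
    name: Validation Summary
    needs: [validate-yaml, validate-actions, check-permissions, validate-schedules]
    runs-on: ubuntu-latest
    timeout-minutes: 5
    if: always()
    steps:
      - name: Generate summary
        run: |
          {
            echo "## Workflow Validation Summary"
            echo ""
            echo "| Check | Status |"
            echo "|-------|--------|"
            echo "| YAML Syntax | ${{ needs.validate-yaml.result }} |"
            echo "| Action References | ${{ needs.validate-actions.result }} |"
            echo "| Permissions | ${{ needs.check-permissions.result }} |"
            echo "| Schedules | ${{ needs.validate-schedules.result }} |"
          } >> "$GITHUB_STEP_SUMMARY"
          if [[ "${{ needs.validate-yaml.result }}" == "failure" ]] || \
             [[ "${{ needs.validate-actions.result }}" == "failure" ]]; then
            {
              echo ""
              echo "❌ Workflow validation failed. Please review the logs above."
            } >> "$GITHUB_STEP_SUMMARY"
            exit 1
          else
            {
              echo ""
              echo "✅ All workflow validations passed!"
            } >> "$GITHUB_STEP_SUMMARY"
          fi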