Add Linting checks

.config/.markdownlint.yaml

@@ -0,0 +1,8 @@
+line-length:
+  line_length: 200
+  tables: false
+no-inline-html:
+  allowed_elements: ['p', 'img']
+ul-style:
+  style: sublist
+

.config/changelog.markdownlint.yaml

@@ -0,0 +1,11 @@
+line-length:
+  line_length: 300
+no-inline-html:
+  allowed_elements: ['p', 'img']
+ul-style:
+  style: sublist
+no-duplicate-heading:
+  siblings_only: true
+blanks-around-headings:
+  lines_below: 0
+blanks-around-lists: false

.github/actionlint.yaml

@@ -0,0 +1,43 @@
+self-hosted-runner:
+  # Labels of self-hosted runner in array of strings.
+  labels: []
+
+# Configuration variables in array of strings defined in your repository or
+# organization. `null` means disabling configuration variables check.
+# Empty array means no configuration variable is allowed.
+config-variables: []
+
+# Configuration for file paths. The keys are glob patterns to match to file
+# paths relative to the repository root. The values are the configurations for
+# the file paths. Note that the path separator is always '/'.
+# The following configurations are available.
+#
+# "ignore" is an array of regular expression patterns. Matched error messages
+# are ignored. This is similar to the "-ignore" command line option.
+paths:
+  .github/workflows/*.yaml:
+    ignore:
+      - 'file "/entrypoints/.*\.sh" does not exist'
+      - 'property "output_string" is not defined in object type'
+      - 'property "my.*" is not defined in object type'
+      - 'property "from_.*" is not defined in object type'
+      - 'property "complex_output" is not defined in object type'
+      - 'property "v" is not defined in object type'
+      - 'property "test" is not defined in object type'
+      - 'property "default" is not defined in object type'
+      - 'property "len" is not defined in object type'
+      - 'property "https" is not defined in object type'
+      - 'property "git_https" is not defined in object type'
+      - 'property "awkward_.*" is not defined in object type'
+      - 'property "word" is not defined in object type'
+  .github/workflows/test-target-replace.yaml:
+    ignore:
+      - 'property "count" is not defined in object type'
+      - 'property "foreach" is not defined in object type'
+  .github/workflows/release.yaml:
+    ignore:
+      - 'Useless cat.'
+  .github/workflows/test-version.yaml:
+    ignore:
+      - 'property "random" is not defined in object type'
+      - 'property "acme" is not defined in object type'

.github/workflows/base-image.yaml

@@ -33,19 +33,19 @@ jobs:
         env:
           DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
         run: |
-          echo $DOCKER_TOKEN | docker login --username danielflook --password-stdin
+          echo "$DOCKER_TOKEN" | docker login --username danielflook --password-stdin
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
 
       - name: Base image
         id: build-and-push
         run: |
           docker buildx build \
-            --tag danielflook/terraform-github-actions-base:$GITHUB_RUN_ID \
+            --tag "danielflook/terraform-github-actions-base:$GITHUB_RUN_ID" \
             --tag danielflook/terraform-github-actions-base:latest  \
             --platform linux/amd64,linux/arm64 \
-            --attest type=provenance,mode=max,builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID \
+            --attest "type=provenance,mode=max,builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" \
             --annotation "index,manifest:org.opencontainers.image.created=$(date '+%Y-%m-%dT%H:%M:%S%z')" \
             --annotation "index,manifest:org.opencontainers.image.source=https://github.com/${{ github.repository }}" \
             --annotation "index,manifest:org.opencontainers.image.revision=${{ github.sha }}" \

.github/workflows/pull_request_review.yaml

@@ -3,6 +3,9 @@ name: Test pull_request_review event
 on:
   - pull_request_review
 
+permissions:
+  contents: read
+
 jobs:
   apply:
     runs-on: ubuntu-24.04

.github/workflows/release.yaml

@@ -38,11 +38,11 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
         run: |
-          echo $GITHUB_TOKEN | docker login ghcr.io --username dflook --password-stdin
-          echo $DOCKER_TOKEN | docker login --username danielflook --password-stdin
+          echo "$GITHUB_TOKEN" | docker login ghcr.io --username dflook --password-stdin
+          echo "$DOCKER_TOKEN" | docker login --username danielflook --password-stdin
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
 
       - name: Build action image
         id: image_build
@@ -51,7 +51,7 @@ jobs:
           GH_TOKEN: ${{ github.token }}
         run: |
           BASE_TAG=$(docker buildx imagetools inspect danielflook/terraform-github-actions-base:latest --format '{{json .}}' | jq -r '.manifest.annotations."ref.tag"')
-          BASE_DIGEST=$(docker buildx imagetools inspect danielflook/terraform-github-actions-base:$BASE_TAG --format '{{json .}}' | jq -r '.manifest.digest')
+          BASE_DIGEST=$(docker buildx imagetools inspect "danielflook/terraform-github-actions-base:$BASE_TAG" --format '{{json .}}' | jq -r '.manifest.digest')
 
           gh attestation verify --repo dflook/terraform-github-actions "oci://index.docker.io/danielflook/terraform-github-actions-base@$BASE_DIGEST"
 
@@ -63,7 +63,7 @@ jobs:
             --tag "danielflook/terraform-github-actions:$RELEASE_TAG" \
             --tag "ghcr.io/dflook/terraform-github-actions:$RELEASE_TAG" \
             --platform linux/amd64,linux/arm64 \
-            --attest type=provenance,mode=max,builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID \
+            --attest "type=provenance,mode=max,builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" \
             --annotation "index,manifest:org.opencontainers.image.created=$(date '+%Y-%m-%dT%H:%M:%S%z')" \
             --annotation "index,manifest:org.opencontainers.image.source=https://github.com/${{ github.repository }}" \
             --annotation "index,manifest:org.opencontainers.image.revision=${{ github.sha }}" \
@@ -125,8 +125,10 @@ jobs:
           RELEASE_TAG: "${{ github.event.release.tag_name }}"
           IMAGE_DIGEST: ${{ needs.image.outputs.digest }}
         run: |
-          export major=$(echo "$RELEASE_TAG" | cut -d. -f1)
-          export minor=$(echo "$RELEASE_TAG" | cut -d. -f2)
+          major=$(echo "$RELEASE_TAG" | cut -d. -f1)
+          minor=$(echo "$RELEASE_TAG" | cut -d. -f2)
+          export major
+          export minor
 
           function prepare_release() {
               rsync -r "$GITHUB_WORKSPACE/$action/" "$HOME/$action"

.github/workflows/repository_dispatch.yaml

@@ -1,6 +1,7 @@
 name: Repository Dispatch
 
-on: [repository_dispatch]
+on:
+  repository_dispatch:
 
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/retain-images.yaml

@@ -24,6 +24,6 @@ jobs:
       - name: docker pull
         run: |
           for tag in $(git tag); do
-            docker pull --quiet danielflook/terraform-github-actions:$tag
+            docker pull --quiet "danielflook/terraform-github-actions:$tag"
             docker system prune --all --force
           done

.github/workflows/test-cloud.yaml

@@ -616,7 +616,7 @@ jobs:
             exit 1
           fi
 
-          if ! grep -q "Terraform will perform the following actions" $SAVED_PLAN_TEXT_PLAN_PATH; then
+          if ! grep -q "Terraform will perform the following actions" "$SAVED_PLAN_TEXT_PLAN_PATH"; then
             echo "::error:: text_plan_path not set correctly"
             exit 1
           fi

.github/workflows/test-plan.yaml

@@ -33,7 +33,7 @@ jobs:
           JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }}
           TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }}
           PLAN_PATH: ${{ steps.plan.outputs.plan_path }}
-          RUN_ID: ${{ steps.apply.outputs.run_id }}
+          RUN_ID: ${{ steps.plan.outputs.run_id }}
         run: |
           echo "changes=$CHANGES"
 
@@ -94,7 +94,7 @@ jobs:
         env:
           JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }}
           TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }}
-          RUN_ID: ${{ steps.apply.outputs.run_id }}
+          RUN_ID: ${{ steps.plan.outputs.run_id }}
         run: |
           cat "$JSON_PLAN_PATH"
           if [[ $(jq -r .format_version "$JSON_PLAN_PATH") != "1.2" ]]; then
@@ -656,7 +656,7 @@ jobs:
         env:
           JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }}
           TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }}
-          RUN_ID: ${{ steps.apply.outputs.run_id }}
+          RUN_ID: ${{ steps.plan.outputs.run_id }}
         run: |
           cat "$JSON_PLAN_PATH"
           if [[ $(jq -r .output_changes.s.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then
@@ -699,7 +699,7 @@ jobs:
         env:
           OUTCOME: ${{ steps.plan.outcome }}
           TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }}
-          RUN_ID: ${{ steps.apply.outputs.run_id }}
+          RUN_ID: ${{ steps.plan.outputs.run_id }}
         run: |
           if [[ "$OUTCOME" != "failure" ]]; then
             echo "Plan did not fail correctly"
@@ -754,7 +754,7 @@ jobs:
           OUTCOME: ${{ steps.plan.outcome }}
           JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }}
           TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }}
-          RUN_ID: ${{ steps.apply.outputs.run_id }}
+          RUN_ID: ${{ steps.plan.outputs.run_id }}
         run: |
           if [[ "$OUTCOME" != "failure" ]]; then
             echo "Plan did not fail correctly"
@@ -800,7 +800,7 @@ jobs:
           OUTCOME: ${{ steps.plan.outcome }}
           JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }}
           TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }}
-          RUN_ID: ${{ steps.apply.outputs.run_id }}
+          RUN_ID: ${{ steps.plan.outputs.run_id }}
         run: |
           if [[ "$OUTCOME" != "failure" ]]; then
             echo "Plan did not fail correctly"

.github/workflows/test-version.yaml

@@ -624,6 +624,7 @@ jobs:
           TERRAFORM_VERSION: 99.0.0
         with:
           path: tests/workflows/test-version/empty
+          workspace: hello
 
       - name: Check failed to download no such version
         env:

.github/workflows/test.yaml

@@ -17,7 +17,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: 3.9
 
@@ -48,7 +48,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: 3.9
 
@@ -71,8 +71,6 @@ jobs:
   docs:
     runs-on: ubuntu-24.04
     name: Check documentation
-    env:
-      GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -84,3 +82,44 @@ jobs:
           PYTHONPATH=docs-gen python3 docs-gen/generate.py
           git diff --exit-code
 
+  lint:
+    runs-on: ubuntu-24.04
+    name: Linting
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Actions workflows (including action metadata)
+        run: |
+          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+          ./actionlint
+          ./actionlint example_workflows/*.yaml
+
+      - name: Lint CHANGELOG
+        uses: DavidAnson/markdownlint-cli2-action@05f32210e84442804257b2a6f20b273450ec8265 # v19
+        with:
+          config: '.config/changelog.markdownlint.yaml'
+          globs: 'CHANGELOG.md'
+
+      - name: Lint Other Markdown
+        uses: DavidAnson/markdownlint-cli2-action@05f32210e84442804257b2a6f20b273450ec8265 # v19
+        with:
+          config: '.config/.markdownlint.yaml'
+          globs: |
+            docs/*.md
+            **/README.md
+
+  ensure-pinned-actions:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Ensure SHA pinned actions
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@25ed13d0628a1601b4b44048e63cc4328ed03633 # v3
+        with:
+          allowlist: |
+            actions/
+            dflook/

.github/workflows/trigger-test-events.yaml

@@ -14,7 +14,7 @@ jobs:
       contents: write
     steps:
       - name: Repository Dispatch
-        uses: peter-evans/repository-dispatch@v2
+        uses: peter-evans/repository-dispatch@bf47d102fdb849e755b0b0023ea3e81a44b6f570 # v2
         with:
           event-type: test
           client-payload: '{"pull_request": { "url": "${{ github.event.pull_request.url }}" } }'