
ci: Add actionlint hardened action step and documentation#53

Merged: yunseo-kim merged 2 commits into main from ci/add-actionlint-hardened-action on Jun 27, 2026

Conversation

yunseo-kim (Member) commented Jun 27, 2026

Summary

Adds the windlasstech/actionlint-hardened-action step to the repository lint workflow to validate all GitHub Actions workflow files. Also documents the action usage in the workflow hardening security guide.

  • What changed?
    • .github/workflows/lint-and-format.yml: new actionlint step using SHA-pinned windlasstech/actionlint-hardened-action@39b1442298202b328f0da62908b70c54ab6601b9 (v1.0.0)
    • docs/security/workflow-hardening.md: new Workflow Linting section describing how to use the hardened action
  • Why is this needed?
    • Enforce consistent, automated linting of workflow files across the organization and provide a hardened, supply-chain-safe reference pattern.

Related Issues

  • Closes #
  • Related #

Change Type

  • Bug fix
  • Feature
  • Refactor
  • Documentation
  • Test/CI
  • Breaking change
  • Other:

Changelog

  • Category: None
  • User-facing note: CI-only and documentation change with no direct user-facing impact

Changelog update:

  • CHANGELOG.md [Unreleased] updated
  • Not needed because this change is not user-facing

Checklist

General

  • PR title follows Conventional Commits format: type(scope): Summary
  • This PR does not expose backend/internal implementation details in a public repo.
  • No secrets, tokens, keys, or private endpoints are included.
  • Changes stay within this repository's intended scope.

CI/Workflow Changes (if applicable)

If this PR modifies GitHub Actions workflows or CI/CD configuration, it must comply with our Supply Chain Integrity requirements:

  • All uses: references are pinned to full 40-character commit SHAs (with # vX.Y.Z comment)
  • step-security/harden-runner is included as the first step in every job
  • Job-level permissions are used instead of top-level permissions
    • Note: the existing workflow uses minimal top-level contents: read permissions, which matches the current convention documented in docs/security/workflow-hardening.md.

Protocol / Compatibility Impact

  • No protocol/spec impact
  • Protocol/spec updated
  • Conformance tests updated
  • Breaking change is versioned and migration notes are included

If impacted, describe compatibility impact:

Testing

  • Unit tests added/updated
  • Integration or conformance tests added/updated
  • Tests pass
  • Lint and format pass
  • Type check passes
  • Manual verification performed

Describe test evidence:

  • bun run lint:md passes
  • bun run format:check passes
  • lefthook pre-commit hooks pass

Documentation

  • README updated
  • Spec/docs updated
  • Changelog decision completed above

Rollout / Risk

  • Risk level: Low
  • Rollback plan: Revert this PR

Reviewer Checklist

  • Scope is clear and minimal
  • Security and boundary checks passed
  • Tests and docs are sufficient
  • Compatibility impact is correctly handled

Signed-off-by: Yunseo Kim <git@yunseo.kim>
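The "Supply Chain Integrity" checklist above asks that every `uses:` reference be pinned to a full 40-character commit SHA with a `# vX.Y.Z` comment. The following is an added example (not code from this PR or the repository) of a small pre-merge check for that rule; it uses a constructed sample workflow, and the harden-runner SHA, the `actions/checkout@v4` reference and `some-org/some-action` in that sample are placeholders, not values from the PR.

```python
import re

# One `uses:` line: optional "- ", the action reference, optional trailing comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^\s'\"#]+)['\"]?\s*(?:#\s*(?P<comment>.*))?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full commit SHA, lowercase hex
VERSION_COMMENT_RE = re.compile(r"^v\d+(\.\d+)*")  # "# v1.0.0"-style comment


def check_uses_pins(workflow_text: str) -> list[str]:
    """Return one finding per `uses:` reference that violates the pinning rule.

    Local actions (./path) and docker:// images carry no git ref and are skipped;
    everything else must be `owner/repo@<40-hex-sha>  # vX.Y.Z`.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(f"line {lineno}: {ref} has no @ref at all")
            continue
        action, _, pin = ref.rpartition("@")
        if not SHA_RE.match(pin):
            findings.append(
                f"line {lineno}: {action} is pinned to '{pin}', not a 40-char commit SHA"
            )
            continue
        comment = (m.group("comment") or "").strip()
        if not VERSION_COMMENT_RE.match(comment):
            findings.append(f"line {lineno}: {action} lacks a '# vX.Y.Z' version comment")
    return findings


# Constructed sample workflow: two compliant pins, a tag pin, a local action,
# and a SHA pin without the version comment.
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567 # v2.0.0
      - uses: actions/checkout@v4
      - uses: windlasstech/actionlint-hardened-action@39b1442298202b328f0da62908b70c54ab6601b9 # v1.0.0
      - uses: ./.github/actions/local-check
      - uses: some-org/some-action@39b1442298202b328f0da62908b70c54ab6601b9
"""

if __name__ == "__main__":
    for finding in check_uses_pins(SAMPLE_WORKFLOW):
        print(finding)
```

Run it over `.github/workflows/*.yml` in a pre-commit hook and fail when the list is non-empty.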
@yunseo-kim yunseo-kim merged commit a1afbf4 into main Jun 27, 2026
7 checks passed
@yunseo-kim yunseo-kim deleted the ci/add-actionlint-hardened-action branch June 27, 2026 09:07