workflow: Add actionlint workflows

.github/actionlint.yaml

@@ -0,0 +1,9 @@
+# Copyright (c) 2024 IBM Corporation
+# SPDX-License-Identifier: Apache-2.0
+#
+# Configuration file with rules for the actionlint tool.
+#
+self-hosted-runner:
+  # Labels of self-hosted runner that linter should ignore
+  labels:
+    - S390X

.github/workflows/actionlint.yaml

@@ -0,0 +1,33 @@
+name: Lint GHA workflows
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - reopened
+      - synchronize
+    paths:
+      - '.github/workflows/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  run-actionlint:
+    env:
+      GH_TOKEN: ${{ github.token }}
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install actionlint gh extension
+        run: gh extension install https://github.com/cschleiden/gh-actionlint
+
+      - name: Run actionlint
+        run:  gh actionlint

.github/workflows/build.yaml

@@ -61,7 +61,7 @@ jobs:
           export CI="true"
           sudo -E env PATH="$PATH" make test | tee tests_report.txt
           sudo chmod o+rw tests_report.txt
-          cat tests_report.txt | $(go env GOPATH)/bin/go-junit-report -set-exit-code > tests_report_junit.xml
+          < tests_report.txt "$(go env GOPATH)/bin/go-junit-report" -set-exit-code > tests_report_junit.xml
         shell: bash
       - name: Upload tests report
         uses: actions/upload-artifact@v4

.github/workflows/csi_wrapper_images.yaml

@@ -14,7 +14,6 @@ on:
         required: false
         type: string
       image_tags:
-        default: ''
         description: 'Comma-separated list of tags for the dev built image (e.g. latest,ci-dev). By default uses the values from src/cloud-api-adaptor/hack/build.sh'
         required: true
         type: string

.github/workflows/daily-e2e-tests-ibmcloud.yaml

@@ -42,10 +42,10 @@ jobs:
           ibmcloud plugin install cloud-object-storage -f
       - name: Config IBM COS
         run: |
-          ibmcloud cos config crn --crn $crn --force | grep -v ^FAILED$ || exit 1
+          ibmcloud cos config crn --crn "$crn" --force | grep -v ^FAILED$ || exit 1
           ibmcloud cos config auth --method HMAC | grep -v ^FAILED$ || exit 1
-          echo -e $access_key_id "\n" $secret_access_key | ibmcloud cos config hmac
-          ibmcloud cos config endpoint-url --url $endpoint | grep -v ^FAILED$ || exit 1
+          echo -e "$access_key_id" "\n" "$secret_access_key" | ibmcloud cos config hmac
+          ibmcloud cos config endpoint-url --url "$endpoint" | grep -v ^FAILED$ || exit 1
           ibmcloud cos config list
         env:
           crn: ${{ secrets.IBM_E2E_COS_CRN }}
@@ -55,21 +55,21 @@ jobs:
       - name: Check e2e test result
         run: |
           date_name=$(date +"%y%m%d")
-          echo $date_name
-          log_name=$(ibmcloud cos objects --bucket $bucket_name |grep $date_name |grep ${{matrix.type}} | awk 'END { print $1 }')
-          echo $log_name
-          ibmcloud cos object-get --bucket daily-e2e-test-bucket --key=$log_name $log_name
-          cat $log_name
-          last_line=$(awk 'END {print}' $log_name)
+          echo "$date_name"
+          log_name=$(ibmcloud cos objects --bucket "$bucket_name" |grep "$date_name" |grep ${{matrix.type}} | awk 'END { print $1 }')
+          echo "$log_name"
+          ibmcloud cos object-get --bucket daily-e2e-test-bucket --key="$log_name" "$log_name"
+          cat "$log_name"
+          last_line=$(awk 'END {print}' "$log_name")
           if [[ $last_line = "Finished: SUCCESS" ]]; then
             echo "ibmcloud e2e test (${{matrix.type}}) is passed."
           else
             echo "ibmcloud e2e test (${{matrix.type}}) is failed."
             exit 2
           fi
-          caa_commitid=$(cat $log_name | grep -oP 'CAA commit_id: \K\S+')
+          caa_commitid=$(< "$log_name" grep -oP 'CAA commit_id: \K\S+')
           echo "The CAA commit_id: ${caa_commitid}"
-          echo ${caa_commitid} > caa_commitid
+          echo "${caa_commitid}" > caa_commitid
         env:
           bucket_name : "daily-e2e-test-bucket"
       - name: Login to Quay container Registry
@@ -102,18 +102,18 @@ jobs:
               echo "${podvm_docker_name} exists."
             else
               echo "downloading ${podvm_image_tar_name}"
-              ibmcloud cos object-get --bucket daily-e2e-test-bucket --key=$podvm_image_tar_name $podvm_image_tar_name
-              docker load -i $podvm_image_tar_name
-              docker push ${podvm_docker_name}
+              ibmcloud cos object-get --bucket daily-e2e-test-bucket --key="$podvm_image_tar_name" "$podvm_image_tar_name"
+              docker load -i "$podvm_image_tar_name"
+              docker push "${podvm_docker_name}"
               echo "${podvm_docker_name} is pushed"
             fi
           fi
           if [[ "${{matrix.type}}" == "ibmse" ]]; then
             echo "Checking built out generic fedora s390x se enabled docker image"
             podvm_image_tar_name="podvm-generic-fedora-s390x-se-${caa_commit_id}.tar"
             echo "Checkouting commit: ${caa_commit_id}"
-            git checkout ${caa_commit_id}
-            image_tag=`sha256sum src/cloud-api-adaptor/versions.yaml | awk -F " " '{ print $1 }'`
+            git checkout "${caa_commit_id}"
+            image_tag=$(sha256sum src/cloud-api-adaptor/versions.yaml | awk -F " " '{ print $1 }')
             echo "fedora s390x se image tag: $image_tag"
             podvm_docker_name="quay.io/confidential-containers/podvm-generic-fedora-s390x-se:${image_tag}"
             manifest_url="https://quay.io/v2/confidential-containers/podvm-generic-fedora-s390x-se/manifests/${image_tag}"
@@ -122,11 +122,11 @@ jobs:
               echo "${podvm_docker_name} exists."
             else
               echo "downloading ${podvm_image_tar_name}"
-              ibmcloud cos object-get --bucket daily-e2e-test-bucket --key=$podvm_image_tar_name $podvm_image_tar_name
-              docker load -i $podvm_image_tar_name
+              ibmcloud cos object-get --bucket daily-e2e-test-bucket --key="$podvm_image_tar_name" "$podvm_image_tar_name"
+              docker load -i "$podvm_image_tar_name"
               echo "show docker images"
               docker images
-              echo docker push ${podvm_docker_name}
+              echo docker push "${podvm_docker_name}"
               echo "${podvm_docker_name} is pushed"
             fi
           fi

.github/workflows/e2e_libvirt.yaml

@@ -75,7 +75,7 @@ jobs:
       - name: Extract qcow2 from ${{ inputs.podvm_image }}
         run: |
            qcow2=$(echo ${{ inputs.podvm_image }} | sed -e "s#.*/\(.*\):.*#\1.qcow2#")
-           ./hack/download-image.sh ${{ inputs.podvm_image }} . -o ${qcow2} --clean-up
+           ./hack/download-image.sh ${{ inputs.podvm_image }} . -o "${qcow2}" --clean-up
            echo "PODVM_QCOW2=$(pwd)/${qcow2}" >> "$GITHUB_ENV"
            # Clean up docker images to make space
            docker system prune -a -f

.github/workflows/e2e_run_all.yaml

@@ -127,7 +127,7 @@ jobs:
           providers=(${{ env.PROVIDERS }})
           # If there aren't providers then something is wrong
           [[ ${#providers[@]} -gt 0 ]] || exit 1
-          for provider in ${providers[@]}; do
+          for provider in "${providers[@]}"; do
             img="${E2E_IMG_REGISTRY}/cloud-api-adaptor"
             tag="${E2E_IMG_RELEASE_TAG}"
             [[ "$provider" = "libvirt" ]] && tag="${E2E_IMG_DEV_TAG}"

.github/workflows/peerpod-ctrl_image.yaml

@@ -14,7 +14,6 @@ on:
         required: false
         type: string
       image_tags:
-        default: ''
         description: 'Comma-separated list of tags for the dev built image (e.g. latest,ci-dev). By default uses the values from hack/build.sh'
         required: true
         type: string

.github/workflows/podvm_mkosi_image.yaml

@@ -40,7 +40,7 @@ jobs:
         run: |
           git clone -b v22 https://github.com/systemd/mkosi
           sudo rm /usr/local/bin/mkosi | true
-          sudo ln -s $PWD/mkosi/bin/mkosi /usr/local/bin/mkosi
+          sudo ln -s "$PWD/mkosi/bin/mkosi" /usr/local/bin/mkosi
           mkosi --version
 
       - name: Build builder

.github/workflows/test-images.yaml

@@ -21,7 +21,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - id: set-matrix
-        run: echo "MATRIX=$(ls test/e2e/fixtures/Dockerfile.* | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_ENV
+        run: echo "MATRIX=$(find test/e2e/fixtures/Dockerfile.* | jq -R -s -c 'split("\n")[:-1]')" >> "$GITHUB_ENV"
   build:
     name: Create Test Images
     needs: list-dockerfiles
@@ -56,12 +56,8 @@ jobs:
       id: docker-tag
       shell: bash
       run: |
-          for path in "${{matrix.targets}}"; do
-            file_name=$(basename "$path")
-            name="${file_name##*.}"
-            output_paths+=("${name,,}")
-          done
-          echo "DOCKER_TAG=${output_paths[*]}" >> $GITHUB_ENV
+        file_name=$(basename "${{matrix.targets}}")
+        echo "DOCKER_TAG=${file_name##*.}" >> "$GITHUB_ENV"
     - name: Build and push
       uses: docker/build-push-action@v6
       with:

.github/workflows/webhook_image.yaml

@@ -13,7 +13,6 @@ on:
         required: false
         type: string
       image_tags:
-        default: ''
         description: 'Comma-separated list of tags for the dev built image (e.g. latest,ci-dev). By default uses the values from hack/build.sh'
         required: true
         type: string
@@ -71,7 +70,7 @@ jobs:
               latest=1
             else
               echo "::group::Build and push tag ${t}"
-              make docker-load docker-push IMG=${{ inputs.registry }}/peer-pods-webhook:${t}
+              make docker-load docker-push IMG="${{ inputs.registry }}/peer-pods-webhook:${t}"
               echo "::endgroup::"
             fi
           done