department-of-veterans-affairs · yoomlam · Sep 6, 2023 · Sep 6, 2023 · Sep 6, 2023 · Sep 6, 2023
@@ -7,7 +7,7 @@ runs:
     # http://man7.org/linux/man-pages/man1/date.1.html
     - name: Get Date
       id: get-date
-      run: echo "today_date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
+      run: echo "today_date=$(/bin/date -u "+%Y%m%d")" >> "$GITHUB_OUTPUT"
       shell: bash
 
     - name: Restore hadolint

@@ -92,8 +92,8 @@ runs:
         # GHCR_TOKEN is expected by imageTagExists
         export GHCR_TOKEN=$(echo ${{ inputs.ghcr_password }} | base64)
 
-        echo "## Published images" >> $GITHUB_STEP_SUMMARY
-        echo "images<<EOF" >> $GITHUB_OUTPUT
+        echo "## Published images" >> "$GITHUB_STEP_SUMMARY"
+        echo "images<<EOF" >> "$GITHUB_OUTPUT"
         source scripts/image_vars.src
         for PREFIX in "${VAR_PREFIXES_ARR[@]}"; do
           # Set IMG_TAG, which will determine if a new image will get published
@@ -126,7 +126,7 @@ runs:
           if [ "$(imageTagExists "$IMG_NAME" "$IMG_TAG")" == "200" ]; then
             # Pinned versions of images will already exist, so they don't need to be published
             echo "Image already exists: $IMG_NAME:$IMG_TAG -- not overwriting"
-            echo "* ($IMG_NAME:$IMG_TAG -- already exists, not overwriting)" >> $GITHUB_STEP_SUMMARY
+            echo "* ($IMG_NAME:$IMG_TAG -- already exists, not overwriting)" >> "$GITHUB_STEP_SUMMARY"
           else
             GRADLE_IMG_NAME=$(getVarValue "${PREFIX}" _GRADLE_IMG)
 
@@ -137,10 +137,10 @@ runs:
             docker tag "$GRADLE_IMG_NAME" "${GHCR_PATH}:latest"
             docker push "${GHCR_PATH}:latest"
 
-            echo "* $IMG_NAME:$IMG_TAG" >> $GITHUB_STEP_SUMMARY
-            echo "${GHCR_PATH}:$IMG_TAG" >> $GITHUB_OUTPUT
+            echo "* $IMG_NAME:$IMG_TAG" >> "$GITHUB_STEP_SUMMARY"
+            echo "${GHCR_PATH}:$IMG_TAG" >> "$GITHUB_OUTPUT"
           fi
           echo "::endgroup::"
         done
-        echo "EOF" >> $GITHUB_OUTPUT
+        echo "EOF" >> "$GITHUB_OUTPUT"
         docker image list
@@ -113,7 +113,7 @@ jobs:
       - name: "API Gateway Rest Controller GET /hello - Validate Response"
         run: |
           # Validate Response:
-          if [ "${{ fromJson(steps.apiGatewayHello.outputs.response).data }}" != "Hi!"]; then
+          if [ "${{ fromJson(steps.apiGatewayHello.outputs.response).data }}" != "Hi!" ]; then
             echo "Unexpected Response: ${{ steps.apiGatewayHello.outputs.response }}"
             exit 10
           else

@@ -30,8 +30,8 @@ jobs:
           source scripts/setenv.sh
 
           # create basic auth token for RabbitMQ and export to github environment
-          BASIC_AUTH=`echo "${RABBITMQ_PLACEHOLDERS_USERNAME}:${RABBITMQ_PLACEHOLDERS_USERPASSWORD}" | base64`
-          echo "RABBITMQ_BASIC_AUTH=${BASIC_AUTH}" >> $GITHUB_ENV
+          BASIC_AUTH=$(echo "${RABBITMQ_PLACEHOLDERS_USERNAME}:${RABBITMQ_PLACEHOLDERS_USERPASSWORD}" | base64)
+          echo "RABBITMQ_BASIC_AUTH=${BASIC_AUTH}" >> "$GITHUB_ENV"
 
           export -p | sed 's/declare -x //'
 
@@ -76,7 +76,7 @@ jobs:
         run: |
           # Verify broker is up
           BROKER_QUERY=$(kafkacat -m 30 -b localhost:9092 -L)
-          if echo $BROKER_QUERY | grep -q '1 brokers'
+          if echo "$BROKER_QUERY" | grep -q '1 brokers'
           then
             echo "Found Broker: $BROKER_QUERY"
           else
@@ -121,7 +121,7 @@ jobs:
         run: |
           source scripts/setenv.sh
 
-          psql postgres://$POSTGRES_USER:$POSTGRES_PASSWORD@localhost:5432/vro -c \
+          psql "postgres://$POSTGRES_USER:$POSTGRES_PASSWORD@localhost:5432/vro" -c \
           "SELECT *
             FROM
               claims.bie_contention_event
@@ -135,8 +135,8 @@ jobs:
               -- This is the contention id used in BieKafkaApplicationTest
               contention_id=1234567890
           ")
-          echo $RESULTS
-          if echo $RESULTS | grep -q 'count | 1'
+          echo "$RESULTS"
+          if echo "$RESULTS" | grep -q 'count | 1'
           then
             echo "Found record in DB."
           else

@@ -81,7 +81,7 @@ jobs:
             docker ps --all
             echo ''
             echo '```'
-          } | tee -a $GITHUB_STEP_SUMMARY
+          } | tee -a "$GITHUB_STEP_SUMMARY"
 
           # Ignore mocks and redis-service since they don't have health checks
           # TODO: add health check for svc-bgs-api; ignore it for now

@@ -22,10 +22,10 @@ jobs:
             # This workflow is triggered more than once in the internal repo.
             # Subsequent runs are undesirable, so don't continue.
             # See notes at https://github.com/department-of-veterans-affairs/abd-vro/issues/1955
-            echo "continue=false" >> $GITHUB_OUTPUT
-            echo "Skipping b/c GitHub release ${{ github.ref_name }} already exists." | tee -a $GITHUB_STEP_SUMMARY
+            echo "continue=false" >> "$GITHUB_OUTPUT"
+            echo "Skipping b/c GitHub release ${{ github.ref_name }} already exists." | tee -a "$GITHUB_STEP_SUMMARY"
           else
-            echo "continue=true" >> $GITHUB_OUTPUT
+            echo "continue=true" >> "$GITHUB_OUTPUT"
           fi
 
       - name: "Create GitHub Release"

@@ -16,12 +16,12 @@ on:
       older_than:
         description: 'Delete pre-releases published older than this many days ago'
         required: true
-        type: number
+        type: string
         default: 45
       keep_latest:
         description: 'Number of latest pre-releases to keep'
         required: true
-        type: number
+        type: string
         default: 10
       tag_pattern:
         description: 'Pre-releases matching this git tag regex pattern'

@@ -11,12 +11,12 @@ on:
       retain_days:
         description: 'Delete images older than this many days'
         required: true
-        type: number
+        type: string
         default: 30
       keep_last:
         description: 'Minimum versions to keep'
         required: true
-        type: number
+        type: string
         default: 10
       dry_run:
         description: 'Always do a dry-run first'

@@ -11,12 +11,12 @@ on:
       retain_days:
         description: 'Delete images older than this many days'
         required: true
-        type: number
+        type: string
         default: 30
       keep_last:
         description: 'Minimum versions to keep'
         required: true
-        type: number
+        type: string
         default: 10
       dry_run:
         description: 'Always do a dry-run first'

@@ -11,12 +11,12 @@ on:
       retain_days:
         description: 'Delete runs older than this many days'
         required: true
-        type: number
+        type: string
         default: 30
       min_runs:
         description: 'Minimum runs to keep'
         required: true
-        type: number
+        type: string
         default: 20
 
 jobs:

@@ -47,14 +47,14 @@ jobs:
       - name: "Build image"
         run: |
           docker build -f .github/runner/Dockerfile-set-secrets \
-            -t ghcr.io/${{ github.repository }}/vro-set-secrets:$(date '+%Y-%m-%d') \
-            -t ghcr.io/${{ github.repository }}/vro-set-secrets:latest \
+            -t "ghcr.io/${{ github.repository }}/vro-set-secrets:$(date '+%Y-%m-%d')" \
+            -t "ghcr.io/${{ github.repository }}/vro-set-secrets:latest" \
             .github/runner
 
       - name: "Publish image"
         run: |
-          docker push ghcr.io/${{ github.repository }}/vro-set-secrets:$(date '+%Y-%m-%d')
-          docker push ghcr.io/${{ github.repository }}/vro-set-secrets:latest
+          docker push "ghcr.io/${{ github.repository }}/vro-set-secrets:$(date '+%Y-%m-%d')"
+          docker push "ghcr.io/${{ github.repository }}/vro-set-secrets:latest"
 
   gh_runner:
     name: "Start GitHub runner to set ${{ inputs.target_env }} secrets"

@@ -39,7 +39,7 @@ jobs:
               origin/develop..origin/${{ inputs.domain_branch }}
             echo ''
             echo '```'
-          } | tee -a $GITHUB_STEP_SUMMARY
+          } | tee -a "$GITHUB_STEP_SUMMARY"
 
       - name: "Fast-forward merge ${{ inputs.domain_branch }}"
         run: |
@@ -58,4 +58,4 @@ jobs:
             cat git-graph.log
             echo ''
             echo '```'
-          } | tee -a $GITHUB_STEP_SUMMARY
+          } | tee -a "$GITHUB_STEP_SUMMARY"
@@ -0,0 +1,23 @@
+name: "Lint GitHub Actions"
+on:
+  push:
+    paths:
+      - .github/workflows/*.yml
+      - .github/actions/**/*.yml
+
+jobs:
+  lint-github-actions:
+    # Configuration copied from https://github.com/rhysd/actionlint/blob/main/docs/usage.md#use-actionlint-on-github-actions
+    name: Lint GitHub Actions workflows
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: "Set up actionlint"
+        id: get_actionlint
+        shell: bash
+        run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+
+      - name: "Check workflow files"
+        shell: bash
+        run: ${{ steps.get_actionlint.outputs.executable }} -color
@@ -7,6 +7,7 @@ on:
 env:
   # Id for the #benefits-vro-devops Slack channel
   SLACK_CHANNEL: C04CA47HV96
+  HEAD_COMMIT_MSG: ${{ github.event.head_commit.message }}
 
 jobs:
   notify_push:
@@ -16,15 +17,15 @@ jobs:
       - name: "Get PR title"
         id: get-pr-title
         run: |
-          echo "first_line=$(echo "${{github.event.head_commit.message}}" | head -n 1)" >> $GITHUB_OUTPUT
+          echo "first_line=$(echo "$HEAD_COMMIT_MSG" | head -n 1)" >> "$GITHUB_OUTPUT"
 
-          if [ $(echo "${{github.event.head_commit.message}}" | wc -l) -gt 1 ]; then
-            echo "multiline=true" >> $GITHUB_OUTPUT
+          if [ "$(echo "$HEAD_COMMIT_MSG" | wc -l)" -gt 1 ]; then
+            echo "multiline=true" >> "$GITHUB_OUTPUT"
           else
-            echo "multiline=false" >> $GITHUB_OUTPUT
+            echo "multiline=false" >> "$GITHUB_OUTPUT"
           fi
 
-          echo "short_sha=${GITHUB_SHA:0:7}" >> $GITHUB_OUTPUT
+          echo "short_sha=${GITHUB_SHA:0:7}" >> "$GITHUB_OUTPUT"
 
       - name: "Notify Slack"
         id: notify-slack

@@ -55,9 +55,11 @@ jobs:
         docker tag "${{ inputs.image_name }}:${{ inputs.image_tag }}" "${{ env.GHCR_PATH }}:${{ inputs.image_tag }}"
         docker push "${{ env.GHCR_PATH }}:${{ inputs.image_tag }}"
 
-        echo "images_list<<EOF" >> $GITHUB_OUTPUT
-        echo "${{ env.GHCR_PATH }}:${{ inputs.image_tag }}" >> $GITHUB_OUTPUT
-        echo "EOF" >> $GITHUB_OUTPUT
+        {
+          echo "images_list<<EOF"
+          echo "${{ env.GHCR_PATH }}:${{ inputs.image_tag }}"
+          echo "EOF"
+        } >> "$GITHUB_OUTPUT"
 
   secrel:
     name: SecRel Pipeline

@@ -46,6 +46,7 @@ on:
 env:
   # Id for the #benefits-vro-devops Slack channel
   SLACK_CHANNEL: C04CA47HV96
+  HEAD_COMMIT_MSG: "${{ github.event.head_commit.message }}"
 
 jobs:
   gate-check:
@@ -62,31 +63,31 @@ jobs:
 
           # Use triggering_actor instead of actor to allow manually re-running this workflow as another user
           if [ "${{github.triggering_actor}}" == "abd-vro-machine" ]; then
-            if [ "${{ startsWith(github.event.head_commit.message, 'Automated commit: Pin versions') }}" == "true" ]; then
+            if echo "$HEAD_COMMIT_MSG" | grep '^Automated commit: Pin versions'; then
               CONTINUE=false
               echo "Skipping this workflow b/c it was triggered by a commit that pins image versions \
           immediately after a release. Otherwise, the workflow will fail.
           Until the release images are published to GHCR (so that they're available for comparison), \
-          the 'Publish to GHCR' step of this workflow will fail." | tee -a $GITHUB_STEP_SUMMARY
+          the 'Publish to GHCR' step of this workflow will fail." | tee -a "$GITHUB_STEP_SUMMARY"
 
-            elif [ "${{ startsWith(github.event.head_commit.message, 'Automated commit:') }}" == "true" ]; then
+            elif echo "$HEAD_COMMIT_MSG" | grep '^Automated commit:'; then
               CONTINUE=false
               echo "Skipping this workflow b/c it was triggered by an automated commit that \
-          doesn't change container images." | tee -a $GITHUB_STEP_SUMMARY
+          doesn't change container images." | tee -a "$GITHUB_STEP_SUMMARY"
             fi
           fi
 
           if [ "${{ github.event_name }}" == "pull_request" ]; then
-            if [ "${{ startsWith(github.head_ref, 'dependabot/')}}" == "true" ]; then
+            if echo "$GITHUB_HEAD_REF" | grep '^dependabot/'; then
               CONTINUE=true
-              echo "Running SecRel against a Dependabot PR" | tee -a $GITHUB_STEP_SUMMARY
+              echo "Running SecRel against a Dependabot PR" | tee -a "$GITHUB_STEP_SUMMARY"
             else
               CONTINUE=false
-              echo "For PRs, SecRel runs against only Dependabot PR" | tee -a $GITHUB_STEP_SUMMARY
+              echo "For PRs, SecRel runs against only Dependabot PR" | tee -a "$GITHUB_STEP_SUMMARY"
             fi
           fi
 
-          echo "continue=${CONTINUE:-true}" >> $GITHUB_OUTPUT
+          echo "continue=${CONTINUE:-true}" >> "$GITHUB_OUTPUT"
 
   publish-to-ghcr:
     name: Publish to GHCR
@@ -134,11 +135,13 @@ jobs:
             PUBLISH_MODE=${{ inputs.publish_mode }}
           fi
 
-          echo "image_tag=${IMG_TAG}" >> $GITHUB_OUTPUT
-          echo "image_prefix=${IMG_PREFIX}" >> $GITHUB_OUTPUT
-          echo "run_tests=${RUN_GRADLE_TESTS}" >> $GITHUB_OUTPUT
-          echo "run_secrel=${RUN_SECREL}" >> $GITHUB_OUTPUT
-          echo "publish_mode=${PUBLISH_MODE}" >> $GITHUB_OUTPUT
+          {
+            echo "image_tag=${IMG_TAG}"
+            echo "image_prefix=${IMG_PREFIX}"
+            echo "run_tests=${RUN_GRADLE_TESTS}"
+            echo "run_secrel=${RUN_SECREL}"
+            echo "publish_mode=${PUBLISH_MODE}"
+          } >> "$GITHUB_OUTPUT"
 
       - name: "DEBUG"
         run: |
@@ -232,28 +235,30 @@ jobs:
       - name: "Set status message"
         run: |
           URL=${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}}
-          if [ "${{needs.publish-to-ghcr.result}}" == 'failure' ]; then
-            echo "WORKFLOW_STATE_TEXT=:panda_blank: <$URL|Publishing> failed!" >> $GITHUB_ENV
-            echo 'WORKFLOW_STATE_EMOJI=x' >> $GITHUB_ENV
-          elif [ "${{needs.secrel.result}}" == 'failure' ]; then
-            echo "WORKFLOW_STATE_TEXT=:panda_cop: <$URL|SecRel> failed!" >> $GITHUB_ENV
-            echo 'WORKFLOW_STATE_EMOJI=x' >> $GITHUB_ENV
-          elif [ "${{needs.secrel.result}}" == 'success' ]; then
-            echo "WORKFLOW_STATE_TEXT=:panda-yay: SecRel passed and images signed!" >> $GITHUB_ENV
-            echo 'WORKFLOW_STATE_EMOJI=panda-yay' >> $GITHUB_ENV
-          elif [ "${{needs.publish-to-ghcr.result}}" == 'skipped' ]; then
-            echo "WORKFLOW_STATE_TEXT=:black_square_for_stop: <$URL|Publishing> skipped" >> $GITHUB_ENV
-            echo 'WORKFLOW_STATE_EMOJI=black_square_for_stop' >> $GITHUB_ENV
-          elif [ "${{needs.publish-to-ghcr.outputs.run-secrel}}" == "true" ] && [ "${{needs.secrel.result}}" != 'success' ]; then
-            echo "WORKFLOW_STATE_TEXT=:black_square_for_stop: <$URL|SecRel> ${{needs.secrel.result}}" >> $GITHUB_ENV
-            echo 'WORKFLOW_STATE_EMOJI=black_square_for_stop' >> $GITHUB_ENV
-          elif [ "${{needs.publish-to-ghcr.outputs.run-secrel}}" == "false" ] && [ "${{needs.publish-to-ghcr.result}}" == 'success' ]; then
-            echo "WORKFLOW_STATE_TEXT=:heavy_check_mark: Run completed (without SecRel scans or signing images)" >> $GITHUB_ENV
-            echo 'WORKFLOW_STATE_EMOJI=heavy_check_mark' >> $GITHUB_ENV
-          else
-            echo "WORKFLOW_STATE_TEXT=publish: ${{needs.publish-to-ghcr.result}}; secrel: ${{needs.secrel.result}}" >> $GITHUB_ENV
-            echo 'WORKFLOW_STATE_EMOJI=shrug' >> $GITHUB_ENV
-          fi
+          {
+            if [ "${{needs.publish-to-ghcr.result}}" == 'failure' ]; then
+              echo "WORKFLOW_STATE_TEXT=:panda_blank: <$URL|Publishing> failed!"
+              echo 'WORKFLOW_STATE_EMOJI=x'
+            elif [ "${{needs.secrel.result}}" == 'failure' ]; then
+              echo "WORKFLOW_STATE_TEXT=:panda_cop: <$URL|SecRel> failed!"
+              echo 'WORKFLOW_STATE_EMOJI=x'
+            elif [ "${{needs.secrel.result}}" == 'success' ]; then
+              echo "WORKFLOW_STATE_TEXT=:panda-yay: SecRel passed and images signed!"
+              echo 'WORKFLOW_STATE_EMOJI=panda-yay'
+            elif [ "${{needs.publish-to-ghcr.result}}" == 'skipped' ]; then
+              echo "WORKFLOW_STATE_TEXT=:black_square_for_stop: <$URL|Publishing> skipped"
+              echo 'WORKFLOW_STATE_EMOJI=black_square_for_stop'
+            elif [ "${{needs.publish-to-ghcr.outputs.run-secrel}}" == "true" ] && [ "${{needs.secrel.result}}" != 'success' ]; then
+              echo "WORKFLOW_STATE_TEXT=:black_square_for_stop: <$URL|SecRel> ${{needs.secrel.result}}"
+              echo 'WORKFLOW_STATE_EMOJI=black_square_for_stop'
+            elif [ "${{needs.publish-to-ghcr.outputs.run-secrel}}" == "false" ] && [ "${{needs.publish-to-ghcr.result}}" == 'success' ]; then
+              echo "WORKFLOW_STATE_TEXT=:heavy_check_mark: Run completed (without SecRel scans or signing images)"
+              echo 'WORKFLOW_STATE_EMOJI=heavy_check_mark'
+            else
+              echo "WORKFLOW_STATE_TEXT=publish: ${{needs.publish-to-ghcr.result}}; secrel: ${{needs.secrel.result}}"
+              echo 'WORKFLOW_STATE_EMOJI=shrug'
+            fi
+          } >> "$GITHUB_ENV"
 
       - name: "Slack thread: Post final status"
         if: always() && needs.gate-check.outputs.continue == 'true'