@aaronsteers aaronsteers commented Sep 4, 2025

ci: Add GitHub action linting workflow

Summary

Adds a new GitHub Actions workflow that runs actionlint (GitHub Actions workflow linter) with reviewdog integration for PR annotations. The workflow only triggers when .github/workflows/** files are modified, providing automated linting feedback directly on pull requests through review comments.

This implements the actionlint tool research and integration requested to improve GitHub Actions workflow quality with PR-level feedback.

Review & Testing Checklist for Human

  • Verify conditional triggering works: Create a test PR that modifies a workflow file and confirm this actionlint workflow runs automatically
  • Test reviewdog PR comments: Check that actionlint findings appear as PR review comments (not just CI logs)
  • Validate action version security: Confirm reviewdog/action-actionlint@v1.67.0 is current and doesn't have known vulnerabilities

Notes

  • Uses ubuntu-24.04 runner to match existing workflow patterns in this repository
  • Set to level: error to focus on critical issues and avoid noise from warnings
  • Path filter .github/workflows/** ensures workflow only runs when relevant files change
  • Requested by @aaronsteers via Slack in #ask-devin-ai
  • Link to Devin session: https://app.devin.ai/sessions/064c9d5b289f41539aa6e5f6acfbb8cf

Summary by CodeRabbit

  • Chores
    • Introduced automated linting for GitHub Actions workflows to catch configuration issues early and maintain consistent workflow quality.
    • Runs on pushes and pull requests, providing inline review feedback and enforcing error-level checks.
    • Improves developer experience and CI reliability; no changes to product features or user-facing behavior.

@Copilot Copilot AI review requested due to automatic review settings September 4, 2025 22:16
Original prompt from AJ Steers
Received message in Slack channel #ask-devin-ai:

@Devin - apparently there's an 'actionlint' tool for linting GitHub actions. Can you research it and then research a GitHub action we can use to run it? 

I'd like to use this as an opportunity to test a very popular action that does linting and formatting and test annotations directly on the PR. I don't remember what that tool/action was called but if you find it I may recognize the name.

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


@Copilot Copilot AI left a comment

Pull Request Overview

This PR adds a GitHub Actions workflow to automatically lint GitHub Actions workflow files using actionlint with reviewdog integration. The workflow provides automated feedback on workflow quality issues directly through PR review comments when .github/workflows/** files are modified.

  • Implements conditional triggering to run only when workflow files change
  • Integrates reviewdog for PR-level feedback instead of just CI logs
  • Focuses on error-level issues to minimize noise

@github-actions github-actions bot added the ci label Sep 4, 2025
github-actions bot commented Sep 4, 2025

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

Testing This CDK Version

You can test this version of the CDK using the following:

# Run the CLI from this branch:
uvx 'git+https://github.com/airbytehq/airbyte-python-cdk.git@devin/1757017385-add-actionlint-workflow#egg=airbyte-python-cdk[dev]' --help

# Update a connector to use the CDK from this branch ref:
cd airbyte-integrations/connectors/source-example
poe use-cdk-branch devin/1757017385-add-actionlint-workflow

Helpful Resources

PR Slash Commands

Airbyte Maintainers can execute the following slash commands on your PR:

  • /autofix - Fixes most formatting and linting issues
  • /poetry-lock - Updates poetry.lock file
  • /test - Runs connector tests with the updated CDK
  • /poe build - Regenerate git-committed build artifacts, such as the pydantic models which are generated from the manifest JSON schema in YAML.
  • /poe <command> - Runs any poe command in the CDK environment

coderabbitai bot commented Sep 4, 2025

Warning

Rate limit exceeded

@devin-ai-integration[bot] has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 4 minutes and 8 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 0a67362 and 722aa7e.

📒 Files selected for processing (1)
  • .github/workflows/actionlint.yml (1 hunks)
Walkthrough

Introduces a new GitHub Actions workflow (.github/workflows/actionlint.yml) that runs actionlint via reviewdog on pushes to main and on pull requests affecting .github/workflows/**, using ubuntu-24.04.

Changes

Cohort / File(s): CI: Actionlint workflow (.github/workflows/actionlint.yml)
Summary: Adds a workflow “GitHub action linting” triggered on push to main and PRs touching .github/workflows/**. Runs checkout and reviewdog/action-actionlint (v1.67.0) with reporter: github-pr-review, level: error, and github_token: secrets.GITHUB_TOKEN on ubuntu-24.04.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub
  participant WF as Action: actionlint
  participant RD as reviewdog
  Dev->>GH: Push to main or open PR (changes in .github/workflows/**)
  GH-->>WF: Trigger "GitHub action linting"
  WF->>WF: actions/checkout
  WF->>RD: Run actionlint via reviewdog (level=error)
  alt Lint issues found
    RD-->>GH: PR review comments (github-pr-review)
  else No issues
    RD-->>GH: No comments
  end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Would you like to also lint on all branches or restrict PR trigger paths using a negation to avoid missing root-level workflow changes, wdyt?

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (3)
.github/workflows/actionlint.yml (3)

16-16: Add timeout and concurrency to cut noise on force-pushes

Would you add a short timeout and a concurrency group to auto-cancel superseded runs on the same ref/PR, wdyt?

   actionlint:
     name: actionlint
     runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    concurrency:
+      group: actionlint-${{ github.workflow }}-${{ github.ref || github.head_ref }}
+      cancel-in-progress: true
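Review bot: the `||` fallback in the added `group:` line is dead code, since `github.ref` is always set (on pull_request runs it is `refs/pull/<n>/merge`, which is still unique per PR), so `group: actionlint-${{ github.workflow }}-${{ github.ref }}` expresses the same intent without implying `github.head_ref` is ever consulted. Keeping `github.workflow` in the group is right, because concurrency groups are scoped to the repository, not to the workflow. Note also that `cancel-in-progress: true` applies to pushes to main as well, so a quick series of merges cancels the earlier main runs; acceptable for a linter, but worth a comment in the file.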

3-11: Consider reducing triggers or aligning them with reporter behavior

Since annotations are most useful on PRs, do we want to:

  • drop the push trigger altogether, or
  • keep it (for main protection) but rely on github-check as suggested above?

Either way works; just aiming to avoid duplicate noise. Wdyt?


21-21: Pin reviewdog/action-actionlint to a commit SHA
The latest stable release is v1.67.0 at commit 95395aa, so to reduce supply-chain risk, please replace the tag with the SHA:

- uses: reviewdog/[email protected]
+ uses: reviewdog/action-actionlint@95395aa
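Review bot: the `+` line pins to a 7-character abbreviated SHA (`95395aa`); GitHub Actions expects the full 40-character commit SHA when pinning by SHA, so this should be the full SHA with the version kept as a trailing comment (`uses: reviewdog/action-actionlint@<full-sha>  # v1.67.0`) so Dependabot or Renovate can still track releases. Verify the SHA against the v1.67.0 tag in the upstream repository rather than copying it from the comment, since a wrong SHA pins to whatever that commit happens to be.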

wdyt?


📥 Commits

Reviewing files that changed from the base of the PR and between dd52cfe and 0a67362.

📒 Files selected for processing (1)
  • .github/workflows/actionlint.yml (1 hunks)
🧰 Additional context used
🪛 GitHub Check: CodeQL
.github/workflows/actionlint.yml

[warning] 15-25: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{contents: read}}


Comment on lines +18 to +19
      - name: Checkout code
        uses: actions/checkout@v4

🛠️ Refactor suggestion

Pin actions/checkout to a commit SHA and avoid persisting credentials

For supply-chain hardening, could we pin to a specific commit SHA and avoid persisting credentials? Also, shallow history can confuse diff-based annotations; consider fetching full history (or at least the merge base), wdyt?

Example:

-      - name: Checkout code
-        uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@<commit-sha-for-v4>
+        with:
+          persist-credentials: false
+          fetch-depth: 0
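Review bot: the `uses:` line still carries the `<commit-sha-for-v4>` placeholder, so this suggestion cannot be committed as-is; it needs the full 40-character SHA of the actions/checkout v4 tag, with `# v4` as a trailing comment. `persist-credentials: false` is the right call for a job that only lints and never pushes. `fetch-depth: 0` clones the full history on every run, which actionlint does not need to lint the workflow files themselves; I would confirm that the reviewdog annotations actually depend on git history in this repository before paying for a full clone, and otherwise keep the default shallow checkout.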

I can fetch the current recommended SHA if helpful.

🤖 Prompt for AI Agents
.github/workflows/actionlint.yml around lines 18-19: the workflow currently uses
actions/checkout@v4; pin this to a specific commit SHA and disable persisting
credentials to harden the supply chain and avoid leaking tokens, and adjust
fetch depth to ensure needed history for diff-based annotations (e.g., set
fetch-depth: 0 or at least fetch-depth: 2/merge-base). Replace the uses value
with actions/checkout@<commit-sha> (use the recommended SHA or ask reviewer for
it), add a with block setting persist-credentials: false and fetch-depth: 0 (or
another minimal depth that includes the merge-base).

Comment on lines +21 to +25
        uses: reviewdog/action-actionlint@v1.67.0
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          reporter: github-pr-review
          level: error

⚠️ Potential issue

Prevent failures on push events by using an appropriate reporter

reporter: github-pr-review cannot comment on push to main, which can cause the step to fail or be a no-op on those runs. Could we conditionally use github-check for non-PR events and keep github-pr-review for PRs, and also fail the job when errors are found (so CI is actionable), wdyt?

Apply this change:

       - name: Run actionlint
-        uses: reviewdog/[email protected]
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          reporter: github-pr-review
-          level: error
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: reviewdog/[email protected]
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          reporter: github-pr-review
+          level: error
+          fail_on_error: true
+
+      - name: Run actionlint (checks for non-PR events)
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: reviewdog/[email protected]
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          reporter: github-check
+          level: error
+          fail_on_error: true
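Review bot: the two added steps are identical apart from `if:` and `reporter:`, which duplicates the pinned action version and every input that must be kept in sync; a single step with `reporter: ${{ github.event_name == 'pull_request' && 'github-pr-review' || 'github-check' }}` does the same job with one copy. More importantly, the CodeQL warning on this file recommends a `permissions` block with `contents: read` as the minimum, and with only that both reporters fail: `github-pr-review` posts review comments and needs `pull-requests: write`, and `github-check` needs `checks: write`, so the permissions block and this reporter change need to land together. Bear in mind that GITHUB_TOKEN on `pull_request` runs from forks is read-only, so review comments will not post for fork PRs regardless of reporter; `fail_on_error: true` still makes the job status actionable there.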

🤖 Prompt for AI Agents
In .github/workflows/actionlint.yml around lines 21-25, the action uses a fixed
reporter that fails on push events; change the reporter to pick github-pr-review
for pull_request events and github-check for others using a GitHub Actions
expression (e.g. reporter: ${{ github.event_name == 'pull_request' &&
'github-pr-review' || 'github-check' }}), and add the action input
fail_on_error: true so the job fails when actionlint finds errors.
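Pulling the review threads on this file together, here is a hardened version of the workflow as an added example (not the PR's file or CodeRabbit's suggestion): it adds the least-privilege permissions block CodeQL asked for, sized to what the two reviewdog reporters need, collapses the reporter switch into one step, and pins by SHA. The `<full-40-char-sha-...>` values are placeholders to be resolved against the upstream tags; the trigger, runner, level and inputs are the ones the PR already uses.

```yaml
name: GitHub action linting

on:
  push:
    branches: [main]
    paths: [".github/workflows/**"]
  pull_request:
    paths: [".github/workflows/**"]

# Least-privilege GITHUB_TOKEN (addresses the CodeQL "Workflow does not
# contain permissions" warning). contents:read is enough for checkout;
# pull-requests:write is required by the github-pr-review reporter and
# checks:write by the github-check reporter. Nothing else is granted.
permissions:
  contents: read
  pull-requests: write
  checks: write

# Cancel superseded runs on the same ref. Groups are repository-scoped,
# so the workflow name keeps this from colliding with other workflows;
# github.ref is always set, so no fallback to github.head_ref is needed.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  actionlint:
    name: actionlint
    runs-on: ubuntu-24.04
    timeout-minutes: 5
    steps:
      - name: Checkout code
        # Placeholder: replace with the full 40-character SHA of the v4 tag.
        uses: actions/checkout@<full-40-char-sha-for-v4> # v4
        with:
          # The job only lints and never pushes, so do not leave the token in .git.
          persist-credentials: false

      - name: Run actionlint
        # Placeholder: replace with the full 40-character SHA of the v1.67.0 tag.
        uses: reviewdog/action-actionlint@<full-40-char-sha-for-v1.67.0> # v1.67.0
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          # One step, one pinned version: review comments on PRs, a check run on push.
          reporter: ${{ github.event_name == 'pull_request' && 'github-pr-review' || 'github-check' }}
          level: error
          # Turn lint errors into a red job status so CI is actionable.
          fail_on_error: true
```

On pull requests from forks the token is read-only, so the review comments will not appear there; the job status from fail_on_error is what signals the problem in that case.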


github-actions bot commented Sep 4, 2025

PyTest Results (Fast)

3 752 tests  ±0   3 740 ✅ ±0   6m 24s ⏱️ -1s
    1 suites ±0      12 💤 ±0 
    1 files   ±0       0 ❌ ±0 

Results for commit 722aa7e. ± Comparison against base commit dd52cfe.

♻️ This comment has been updated with latest results.
