From b341e37be482462dca92cbf880e64f2ce79b185a Mon Sep 17 00:00:00 2001
From: Ashish Bhatia
Date: Thu, 2 Jan 2025 23:04:48 -0800
Subject: [PATCH] ci: add GitHub Actions linter (#92)

---
 .github/workflows/lint-github-actions.yaml | 74 ++++++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100644 .github/workflows/lint-github-actions.yaml

diff --git a/.github/workflows/lint-github-actions.yaml b/.github/workflows/lint-github-actions.yaml
new file mode 100644
index 0000000..4f91395
--- /dev/null
+++ b/.github/workflows/lint-github-actions.yaml
@@ -0,0 +1,74 @@
+# Generated by Gabo (https://github.com/ashishb/gabo)
+---
+# Run this locally with act - https://github.com/nektos/act
+# act -j lintGitHubActions
+name: Lint GitHub Actions
+
+on: # yamllint disable-line rule:truthy
+ push:
+ branches: [master, main]
+ paths:
+ - ".github/workflows/**.yml"
+ - ".github/workflows/**.yaml"
+ pull_request:
+ branches: [master, main]
+ paths:
+ - ".github/workflows/**.yml"
+ - ".github/workflows/**.yaml"
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ lintGitHubActionsWithActionLint:
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ sparse-checkout: |
+ .github/workflows
+ sparse-checkout-cone-mode: false
+
+ - name: Lint GitHub Actions
+ uses: reviewdog/action-actionlint@v1
+
+ - name: Check GitHub Actions with 'actionlint'
+ # Ref: https://github.com/rhysd/actionlint/blob/main/docs/usage.md#use-actionlint-on-github-actions
+ # shellcheck is too noisy and disabled
+ run: |
+ bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+ ./actionlint -color -shellcheck=
+ shell: bash
+
+
+ lintGitHubActionsForSecurity:
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ sparse-checkout: |
+ .github/workflows
+ sparse-checkout-cone-mode: false
+
+ - name: Setup Rust
+ uses: actions-rust-lang/setup-rust-toolchain@v1
+
+ - name: Install zizmor
+ run: cargo install zizmor
+
+ - name: Run zizmor on GitHub Actions
+ run: zizmor .github/workflows/*
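Review bot: The `Check GitHub Actions with 'actionlint'` step runs `bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)`, executing a script fetched from a mutable `main` branch with no version pin or checksum and with a bare `curl` that has no `-f`, so a non-200 response body would itself be fed to bash; the download script takes a version argument, so `bash <(curl -fsSL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) <PINNED_VERSION>` would at least pin the binary, and this step also duplicates the `reviewdog/action-actionlint@v1` step just above it, so one of the two can go. The same weakness applies to `actions/checkout@v4`, `reviewdog/action-actionlint@v1` and `actions-rust-lang/setup-rust-toolchain@v1`, which are mutable tags rather than commit SHAs, and to `cargo install zizmor`, which resolves whatever crate version is current — `cargo install --locked zizmor@<PINNED_VERSION>` fixes the latter, and a lint workflow that enforces pinning should itself be pinned. In `lintGitHubActionsForSecurity`, `security-events: write` is granted but no step produces or uploads SARIF (zizmor runs with default output and there is no upload step), so either drop that permission or add the SARIF upload it was meant for. The `lintGitHubActionsWithActionLint` job has no `permissions:` block and therefore inherits the repository's default token scope; adding `permissions: contents: read` (plus whatever reviewdog needs for its reporter, if anything) would bring it in line with the second job.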