From 107a3c4383704ee7763ff75f4a8dd0e814671bdf Mon Sep 17 00:00:00 2001
From: Maxwell G
Date: Mon, 9 Sep 2024 16:42:58 -0500
Subject: [PATCH 1/2] nox: add actionlint to lint Github Actions workflows

This PR integrates [actionlint](https://github.com/rhysd/actionlint) into our CI pipeline to check our Github Actions for best practices and common errors.
---
 .github/workflows/reusable-nox.yml | 2 ++
 README.md | 5 +++
 noxfile.py | 49 ++++++++++++++++++++++++++++++
 3 files changed, 56 insertions(+)
diff --git a/.github/workflows/reusable-nox.yml b/.github/workflows/reusable-nox.yml
index bf8ac66ab75..2f8b8a92900 100644
--- a/.github/workflows/reusable-nox.yml
+++ b/.github/workflows/reusable-nox.yml
@@ -23,6 +23,8 @@ jobs:
 python-versions: "3.11"
 - session: "checkers(docs-build)"
 python-versions: "3.11"
+ - session: "actionlint"
+ python-versions: "3.11"
 name: "Run nox ${{ matrix.session }} session"
 steps:
 - name: Check out repo
diff --git a/README.md b/README.md
index 9ec6cd5a5be..2712aabf09d 100644
--- a/README.md
+++ b/README.md
@@ -79,6 +79,11 @@ The `nox` configuration also contains session to run automated docs checkers.
 nox -s lint
 ```
+ The `actionlint` linter that is run as part of the `lint` session requires
+ `podman` or `docker` to be installed.
+ If both container engines are installed, `podman` is preferred.
+ Set `CONTAINER_ENGINE=docker` to change this behavior.
+
 ### Checking spelling
 Use [`codespell`](https://github.com/codespell-project/codespell) to check for common spelling mistakes in the documentation source.
diff --git a/noxfile.py b/noxfile.py
index 491c700d638..5961a5b132a 100644
--- a/noxfile.py
+++ b/noxfile.py
@@ -2,6 +2,7 @@
 import os
 import shlex
+import shutil
 from argparse import ArgumentParser, BooleanOptionalAction
 from glob import iglob
 from pathlib import Path
@@ -45,6 +46,29 @@ def install(session: nox.Session, *args, req: str, **kwargs):
 session.install("-r", f"tests/{req}.in", *args, **kwargs)
+CONTAINER_ENGINES = ("podman", "docker")
+CHOSEN_CONTAINER_ENGINE = os.environ.get("CONTAINER_ENGINE")
+ACTIONLINT_IMAGE = "docker.io/rhysd/actionlint"
+
+
+def _get_container_engine(session: nox.Session) -> str:
+ path: str | None = None
+ if CHOSEN_CONTAINER_ENGINE:
+ path = shutil.which(CHOSEN_CONTAINER_ENGINE)
+ if not path:
+ session.error(
+ f"CONTAINER_ENGINE {CHOSEN_CONTAINER_ENGINE!r} does not exist!"
+ )
+ return path
+ for engine in CONTAINER_ENGINES:
+ if path := shutil.which(engine):
+ return path
+ session.error(
+ f"None of the following container engines were found: {CONTAINER_ENGINES}."
+ f" {session.name} requires a container engine installed."
+ )
+
+
 @nox.session
 def static(session: nox.Session):
 """
@@ -93,12 +117,37 @@ def spelling(session: nox.Session):
 )
+@nox.session
+def actionlint(session: nox.Session) -> None:
+ """
+ Run actionlint to lint Github Actions workflows.
+ The actionlint tool is run in a Podman/Docker container.
+ """
+ engine = _get_container_engine(session)
+ session.run_always(engine, "pull", ACTIONLINT_IMAGE, external=True)
+ session.run(
+ engine,
+ "run",
+ "--rm",
+ # fmt: off
+ "--volume", f"{Path.cwd()}:/pwd:z",
+ "--workdir", "/pwd",
+ # fmt: on
+ ACTIONLINT_IMAGE,
+ # Disable shellcheck for now
+ "-shellcheck=",
+ *session.posargs,
+ external=True,
+ )
+
+
 @nox.session
 def lint(session: nox.Session):
 session.notify("typing")
 session.notify("static")
 session.notify("formatters")
 session.notify("spelling")
+ session.notify("actionlint")
 requirements_files = list(
From b5e957a567c5a9a84920be3cdba3fe86cbaf5198 Mon Sep 17 00:00:00 2001
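Review bot: `ACTIONLINT_IMAGE = "docker.io/rhysd/actionlint"` names the image without a tag or digest, so the `pull` in the `actionlint` session (the second hunk of this file) fetches whatever the registry currently serves under the default tag. That image then runs in CI and on contributors' machines with the checkout mounted, so a changed or replaced upstream image takes effect without any change in this repository. Pinning keeps the lint result reproducible and makes image updates a reviewed change: `ACTIONLINT_IMAGE = "docker.io/rhysd/actionlint:<VERSION>@sha256:<DIGEST>"` (placeholders, to be filled from the release you have checked). A one-line comment above the constant saying how to bump the pin would also help.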
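Review bot: The bind mount in `session.run(...)`, `"--volume", f"{Path.cwd()}:/pwd:z"`, gives the linter container write access to the whole working tree although a linter only needs to read it. Mounting it read-only limits what the image can do to the checkout: `"--volume", f"{Path.cwd()}:/pwd:ro,z",`. Note also that `:z` relabels the host directory for SELinux, which is worth a short comment since it changes state outside the container. If actionlint needs no network access at run time (not visible from this hunk), adding `"--network", "none",` after the explicit `pull` would tighten this further.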
From: Maxwell G
Date: Sat, 14 Sep 2024 15:12:16 -0500
Subject: [PATCH 2/2] lint actionlint: enable shellcheck integration
---
 .github/workflows/build-package-docs.yaml | 16 +++++++++-------
 .github/workflows/reusable-pip-compile.yml | 2 ++
 noxfile.py | 2 --
 3 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/build-package-docs.yaml b/.github/workflows/build-package-docs.yaml
index 93882a5e19b..5d95397fe78 100644
--- a/.github/workflows/build-package-docs.yaml
+++ b/.github/workflows/build-package-docs.yaml
@@ -80,7 +80,7 @@ jobs:
 - name: Set the COLLECTION_LIST variable
 if: env.PACKAGE_VERSION != 'devel'
 run: >-
- echo COLLECTION_LIST='"${PACKAGE_VERSION}"'
+ echo COLLECTION_LIST="${PACKAGE_VERSION}"
 >> "${GITHUB_ENV}"
 - name: Set the VERSION variable
@@ -93,7 +93,7 @@ jobs:
 - name: Create a tarball with the build contents
 run: >-
 tar -czvf
- ansible-package-docs-html-"${PACKAGE_VERSION}"-$(date '+%Y-%m-%d')-${{
+ ansible-package-docs-html-"${PACKAGE_VERSION}"-"$(date '+%Y-%m-%d')"-${{
 github.run_id
 }}-${{
 github.run_number
@@ -117,11 +117,13 @@ jobs:
 steps:
 - name: Log the workflow inputs if deployed
 run: |
- echo "## Deployment details :shipit:" >> "${GITHUB_STEP_SUMMARY}"
- echo "Publish to: ${{ github.event.inputs.deployment-environment }}" >> "${GITHUB_STEP_SUMMARY}"
- echo "Package version: ${{ github.event.inputs.ansible-package-version }}" >> "${GITHUB_STEP_SUMMARY}"
- echo "Owner: ${{ github.event.inputs.repository-owner }}" >> "${GITHUB_STEP_SUMMARY}"
- echo "Branch: ${{ github.event.inputs.repository-branch }}" >> "${GITHUB_STEP_SUMMARY}"
+ {
+ echo "## Deployment details :shipit:";
+ echo "Publish to: ${{ github.event.inputs.deployment-environment }}";
+ echo "Package version: ${{ github.event.inputs.ansible-package-version }}";
+ echo "Owner: ${{ github.event.inputs.repository-owner }}";
+ echo "Branch: ${{ github.event.inputs.repository-branch }}";
+ } >> "${GITHUB_STEP_SUMMARY}"
 notify-build-failures:
 if: failure()
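Review bot: Dropping the single quotes in `echo COLLECTION_LIST="${PACKAGE_VERSION}"` changes what is written to `GITHUB_ENV`: the old line stored the literal text `"${PACKAGE_VERSION}"`, the new one stores the expanded value. That is presumably the intent behind the shellcheck fix, but the consumers of `COLLECTION_LIST` are outside this hunk, so confirm none of them relied on the literal, quoted form. Because the expanded value now lands in the env file, a value containing a line break would add further `NAME=value` entries. If `PACKAGE_VERSION` can originate from a workflow input, validate it against a version pattern before this step, or write it with the delimiter (multiline) form of `GITHUB_ENV`.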
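Review bot: The regrouped `echo` lines in the "Log the workflow inputs if deployed" step still expand `${{ github.event.inputs.* }}` directly inside the `run:` script, so the input text becomes part of the shell source before the shell parses it, and a value containing quotes or other shell metacharacters changes the script instead of being printed. Pass the inputs through `env:` on the step and print the variables, which also gives shellcheck plain quoted variables to check. Other steps that inline inputs the same way are not visible in this hunk and would need the same treatment.

```yaml
- name: Log the workflow inputs if deployed
  env:
    DEPLOYMENT_ENVIRONMENT: ${{ github.event.inputs.deployment-environment }}
    ANSIBLE_PACKAGE_VERSION: ${{ github.event.inputs.ansible-package-version }}
    REPOSITORY_OWNER: ${{ github.event.inputs.repository-owner }}
    REPOSITORY_BRANCH: ${{ github.event.inputs.repository-branch }}
  run: |
    {
      # … unchanged: "## Deployment details" heading line …
      echo "Publish to: ${DEPLOYMENT_ENVIRONMENT}";
      echo "Package version: ${ANSIBLE_PACKAGE_VERSION}";
      echo "Owner: ${REPOSITORY_OWNER}";
      echo "Branch: ${REPOSITORY_BRANCH}";
    } >> "${GITHUB_STEP_SUMMARY}"
```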
diff --git a/.github/workflows/reusable-pip-compile.yml b/.github/workflows/reusable-pip-compile.yml
index b96bd0353a0..5fcb9db3915 100644
--- a/.github/workflows/reusable-pip-compile.yml
+++ b/.github/workflows/reusable-pip-compile.yml
@@ -94,7 +94,9 @@ jobs:
 run: |
 set -x
 git diff || :
+ # shellcheck disable=SC2086
 git add ${changed_files}
+ # shellcheck disable=SC2086
 if git diff-index --quiet HEAD ${changed_files}; then
 echo "Nothing to do!"
 exit
diff --git a/noxfile.py b/noxfile.py
index 5961a5b132a..395d3aaf101 100644
--- a/noxfile.py
+++ b/noxfile.py
@@ -134,8 +134,6 @@ def actionlint(session: nox.Session) -> None:
 "--workdir", "/pwd",
 # fmt: on
 ACTIONLINT_IMAGE,
- # Disable shellcheck for now
- "-shellcheck=",
 *session.posargs,
 external=True,
 )
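Review bot: Both `# shellcheck disable=SC2086` directives in the reusable-pip-compile step silence the warning on the unquoted `${changed_files}` without recording why word splitting is wanted. The unquoted expansion is also subject to globbing, and an entry beginning with `-` would be read by git as an option. Where `changed_files` is set is outside this hunk; if it is a whitespace-separated list of paths, say so on a comment line above each directive, e.g. `# changed_files is a space-separated path list; word splitting is intended`. Ending option parsing would also help: `git add -- ${changed_files}` and `git diff-index --quiet HEAD -- ${changed_files}`.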