ci: add GitHub Actions linter

Author: ashishb

.github/workflows/lint-github-actions.yaml

@@ -0,0 +1,74 @@
+# Generated by Gabo (https://github.com/ashishb/gabo)
+---
+# Run this locally with act - https://github.com/nektos/act
+# act -j lintGitHubActions
+name: Lint GitHub Actions
+
+on:  # yamllint disable-line rule:truthy
+  push:
+    branches: [master, main]
+    paths:
+      - ".github/workflows/**.yml"
+      - ".github/workflows/**.yaml"
+  pull_request:
+    branches: [master, main]
+    paths:
+      - ".github/workflows/**.yml"
+      - ".github/workflows/**.yaml"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lintGitHubActionsWithActionLint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          sparse-checkout: |
+            .github/workflows
+          sparse-checkout-cone-mode: false
+
+      - name: Lint GitHub Actions
+        uses: reviewdog/action-actionlint@v1
+
+      - name: Check GitHub Actions with 'actionlint'
+        # Ref: https://github.com/rhysd/actionlint/blob/main/docs/usage.md#use-actionlint-on-github-actions
+        # shellcheck is too noisy and disabled
+        run: |
+          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+          ./actionlint -color -shellcheck=
+        shell: bash
+
+
+  lintGitHubActionsForSecurity:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          sparse-checkout: |
+            .github/workflows
+          sparse-checkout-cone-mode: false
+
+      - name: Setup Rust
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+
+      - name: Install zizmor
+        run: cargo install zizmor
+
+      - name: Run zizmor on GitHub Actions
+        run: zizmor .github/workflows/*

.github/workflows/lint-markdown.yaml

@@ -27,6 +27,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Ruby
         # See https://github.com/ruby/setup-ruby#versioning

.github/workflows/lint-shell-script.yaml

@@ -30,6 +30,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Run ShellCheck
         uses: ludeeus/[email protected]

.github/workflows/lint-yaml.yaml

@@ -31,6 +31,9 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
       - name: Check YAML files with linter
         uses: ibiqlik/action-yamllint@v3
         with:

.github/workflows/validate-links.yml

@@ -30,6 +30,8 @@ jobs:
 
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: actions/cache@v4
         with: