Merge pull request #4457 from DataDog/tonycthsu/actionlint

Scan with `actionlint`

Author: TonyCTHsu

.github/workflows/_unit_test.yml

@@ -42,7 +42,7 @@ jobs:
         LOCKFILE: lockfile-${{ inputs.alias }}-${{ github.run_id }}
       run: |
         bundle lock
-        echo "lockfile=$LOCKFILE" >> $GITHUB_OUTPUT
+        echo "lockfile=$LOCKFILE" >> "$GITHUB_OUTPUT"
 
     - name: Upload lockfile
       uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
@@ -73,8 +73,8 @@ jobs:
         batches_data=$(echo "$data" | ruby -rjson -e 'puts JSON.parse(STDIN.read)["batches"].to_json')
         misc_data=$(echo "$data" | ruby -rjson -e 'puts JSON.parse(STDIN.read)["misc"].to_json')
 
-        echo "batches=$batches_data" >> $GITHUB_OUTPUT
-        echo "misc=$misc_data" >> $GITHUB_OUTPUT
+        echo "batches=$batches_data" >> "$GITHUB_OUTPUT"
+        echo "misc=$misc_data" >> "$GITHUB_OUTPUT"
     - name: Generate batch summary
       run: bundle exec rake github:generate_batch_summary
       env:

.github/workflows/add-milestone-to-pull-requests.yml

@@ -23,7 +23,7 @@ jobs:
         # Parse the gemspec and return the major version
         id: version
         run: |
-          echo "::set-output name=version::$(find . -name *.gemspec | ruby -ne 'puts Gem::Specification.load($_.chomp).version.to_s.split(".").first')"
+          echo "name=version::$(find . -name "*.gemspec" | ruby -ne "puts Gem::Specification.load($_.chomp).version.to_s.split(\".\").first")" >> "$GITHUB_OUTPUT"
 
       - name: Get project milestones
         id: milestones

.github/workflows/build-gem.yml

@@ -47,7 +47,7 @@ jobs:
           GIT_REF: ${{ github.ref }}
           GIT_SHA: ${{ github.sha }}
         run: |
-          .gitlab/patch_gem_version.sh gha $GHA_RUN_ID $GIT_REF $GIT_SHA;
+          .gitlab/patch_gem_version.sh gha "$GHA_RUN_ID" "$GIT_REF" "$GIT_SHA";
 
       - name: Patch gem host
         if: ${{ matrix.type != 'final' }}
@@ -56,7 +56,7 @@ jobs:
           sed datadog.gemspec -i -e "s,^\([\t ]*spec\.metadata\['allowed_push_host'\]\) *= *,\1 = \'${GEM_HOST}\' # ,"
 
           # Test result
-          cat datadog.gemspec | grep -e allowed_push_host
+          grep -e allowed_push_host datadog.gemspec
       - name: Build gem
         run: bundle exec rake build
       - name: List gem

.github/workflows/cache-cleanup.yml

@@ -16,46 +16,50 @@ jobs:
     steps:
       - name: Cleanup
         run: |
-          echo "# Cache Cleanup Summary" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "**PR Number:** #${{ github.event.pull_request.number }}" >> $GITHUB_STEP_SUMMARY
-          echo "**Branch:** \`$BRANCH\`" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
+          {
+            echo "# Cache Cleanup Summary"
+            echo ""
+            echo "**PR Number:** #${{ github.event.pull_request.number }}"
+            echo "**Branch:** \`$BRANCH\`"
+            echo ""
+          } >> "$GITHUB_STEP_SUMMARY"
 
           echo "[DEBUG] Fetching cache list..."
           # Get full cache details
-          CACHE_LIST=$(gh cache list --ref $BRANCH --limit 100 --json key,sizeInBytes,id)
+          CACHE_LIST=$(gh cache list --ref "$BRANCH" --limit 100 --json key,sizeInBytes,id)
 
           if [ -z "$CACHE_LIST" ] || [ "$CACHE_LIST" = "[]" ]; then
             echo "[DEBUG] No caches found"
-            echo "No caches found for this PR" >> $GITHUB_STEP_SUMMARY
+            echo "No caches found for this PR" >> "$GITHUB_STEP_SUMMARY"
             exit 0
           fi
 
-          # Create table header
-          echo "| Cache ID | Cache Key | Size |" >> $GITHUB_STEP_SUMMARY
-          echo "|----------|-----------|------|" >> $GITHUB_STEP_SUMMARY
+          {
+            echo "| Cache ID | Cache Key | Size |"
+            echo "|----------|-----------|------|"
+          } >> "$GITHUB_STEP_SUMMARY"
 
           # Extract IDs and process deletions
           echo "$CACHE_LIST" | jq -r '.[] | [.id, .key, .sizeInBytes] | @tsv' | while IFS=$'\t' read -r id key size; do
             # Convert size to human readable format
-            if [ $size -ge 1048576 ]; then
-              readable_size=$(echo "scale=2; $size/1048576" | bc)"MB"
+            if [ "$size" -ge 1048576 ]; then
+              readable_size=$(echo "scale=2; $size/1048576" | bc 2>/dev/null || echo "$size")"MB"
             else
-              readable_size=$(echo "scale=2; $size/1024" | bc)"KB"
+              readable_size=$(echo "scale=2; $size/1024" | bc 2>/dev/null || echo "$size")"KB"
             fi
 
             echo "[DELETE] Processing cache ID: $id"
-            gh cache delete $id
+            gh cache delete "$id"
             echo "[INFO] Processed cache $id"
 
             # Add row to summary table
-            echo "| \`$id\` | \`$key\` | $readable_size |" >> $GITHUB_STEP_SUMMARY
+            echo "| \`$id\` | \`$key\` | $readable_size |" >> "$GITHUB_STEP_SUMMARY"
           done
 
-          # Add completion timestamp
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "Cleanup completed at: $(date -u '+%Y-%m-%d %H:%M:%S UTC')" >> $GITHUB_STEP_SUMMARY
+          {
+            echo ""
+            echo "Cleanup completed at: $(date -u '+%Y-%m-%d %H:%M:%S UTC')"
+          } >> "$GITHUB_STEP_SUMMARY"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GH_REPO: ${{ github.repository }}

.github/workflows/check.yml

@@ -77,7 +77,7 @@ jobs:
       - name: Check types
         run: bundle exec rake steep:check
       - name: Record stats
-        run: bundle exec rake steep:stats[md] >> $GITHUB_STEP_SUMMARY
+        run: bundle exec rake steep:stats[md] >> "$GITHUB_STEP_SUMMARY"
 
   # Dogfooding Datadog SBOM Analysis
   dd-software-composition-analysis:
@@ -147,6 +147,17 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+  actionlint:
+    name: actionlint
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - uses: docker://rhysd/actionlint:1.7.7
+        with:
+          args: -color
+
   complete:
     name: Static Analysis (complete)
     needs:
@@ -157,6 +168,7 @@ jobs:
       - 'dd-software-composition-analysis'
       - 'dd-static-analysis'
       - 'zizmor'
+      - 'actionlint'
     runs-on: ubuntu-24.04
     steps:
       - run: echo "Done"

.github/workflows/publish.yml

@@ -25,7 +25,7 @@ jobs:
           ruby-version: '3.3.7'
 
       - id: version
-        run: echo "version=$(ruby -e 'puts Gem::Specification::load(Dir.glob("*.gemspec").first).version')" >> $GITHUB_OUTPUT
+        run: echo "version=$(ruby -e 'puts Gem::Specification::load(Dir.glob("*.gemspec").first).version')" >> "$GITHUB_OUTPUT"
 
       # Check if the gem version is already published
       - name: Verify gem version
@@ -138,10 +138,10 @@ jobs:
     steps:
       - name: Download from RubyGems
         run: |
-          gem fetch datadog --version ${GEM_VERSION} --verbose
+          gem fetch datadog --version "${GEM_VERSION}" --verbose
       - name: Attach to existing release draft
         run: |
-          gh release upload "v${GEM_VERSION}" *.gem --clobber
+          gh release upload "v${GEM_VERSION}" -- *.gem --clobber
           gh release edit "v${GEM_VERSION}" --draft=false
 
   update-gem-version:
@@ -167,7 +167,7 @@ jobs:
       - run: bundle install
       - id: next_version
         run: |
-          echo "next_version=$(bundle exec rake version:next)" >> $GITHUB_OUTPUT
+          echo "next_version=$(bundle exec rake version:next)" >> "$GITHUB_OUTPUT"
 
   # https://docs.github.com/en/rest/issues/milestones?apiVersion=2022-11-28
   milestone:

.github/workflows/system-tests.yml

@@ -172,9 +172,11 @@ jobs:
       - name: Read forced-tests-list.json file
         id: read_forced_tests_list
         run: |
-          echo "FORCED_TESTS_LIST<<EOF" >> $GITHUB_OUTPUT
-          echo "$(cat binaries/dd-trace-rb/.github/forced-tests-list.json)" >> $GITHUB_OUTPUT
-          echo "EOF" >> $GITHUB_OUTPUT
+          {
+            printf "FORCED_TESTS_LIST<<EOF\n"
+            cat binaries/dd-trace-rb/.github/forced-tests-list.json
+            printf "\nEOF\n"
+          } >> "$GITHUB_OUTPUT"
       - name: Login to Docker Hub
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
@@ -201,12 +203,17 @@ jobs:
           for tag in latest; do
             cache_from+=(--cache-from "${{ env.REPO }}/system-tests/${{ matrix.library.name }}/${{ matrix.image }}-${{ matrix.app }}:${tag}")
           done
+
           parents="$(cd 'binaries/${{ matrix.library.path }}' && git rev-list --parents -n 1 ${{ github.sha }})"
-          for sha in $parents; do
-            cache_from+=(--cache-from ${{ env.REPO }}/system-tests/${{ matrix.library.name }}/${{ matrix.image }}-${{ matrix.app }}:g${sha})
+
+          # Use read to properly split the string into an array
+          read -ra parent_shas <<< "$parents"
+          for sha in "${parent_shas[@]}"; do
+            cache_from+=(--cache-from "${{ env.REPO }}/system-tests/${{ matrix.library.name }}/${{ matrix.image }}-${{ matrix.app }}:g${sha}")
           done
+
           echo "cache args: ${cache_from[*]}"
-          ./build.sh --library ${{ matrix.library.name }} --weblog-variant ${{ matrix.app }} --images ${{ matrix.image }} --extra-docker-args "${cache_from[*]}"
+          ./build.sh --library "${{ matrix.library.name }}" --weblog-variant "${{ matrix.app }}" --images "${{ matrix.image }}" --extra-docker-args "${cache_from[*]}"
       - name: Tag image for CI run
         run: docker tag system_tests/${{ matrix.image }}:latest ${{ env.REPO }}/system-tests/${{ matrix.library.name }}/${{ matrix.image }}-${{ matrix.app }}:gha${{ github.run_id }}-g${{ github.sha }}
       - name: Push image for CI run
@@ -444,7 +451,7 @@ jobs:
       - name: Print fancy log report
         run: |
           find logs*
-          python utils/scripts/markdown_logs.py >> $GITHUB_STEP_SUMMARY
+          python utils/scripts/markdown_logs.py >> "$GITHUB_STEP_SUMMARY"
 
   cleanup:
     strategy:

.github/workflows/test-memory-leaks.yaml

@@ -38,7 +38,11 @@ jobs:
           bundler-cache: true # runs 'bundle install' and caches installed gems automatically
           bundler: latest
           cache-version: v2 # bump this to invalidate cache
-      - run: env RUBY_FREE_AT_EXIT=1 LSAN_OPTIONS=verbosity=0:log_threads=1:suppressions=`pwd`/suppressions/lsan.supp ASAN_OPTIONS=detect_leaks=1 bundle exec rake spec:profiling:main
+      - run: bundle exec rake spec:profiling:main
+        env:
+          RUBY_FREE_AT_EXIT: 1
+          LSAN_OPTIONS: verbosity=0:log_threads=1:suppressions=${{ github.workspace }}/suppressions/lsan.supp
+          ASAN_OPTIONS: detect_leaks=1
 
   complete:
     name: Test for memory leaks (complete)

.github/workflows/test.yml

@@ -152,12 +152,12 @@ jobs:
     - if: github.event_name == 'pull_request'
       env:
         DD_GIT_COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
-      run: echo "DD_GIT_COMMIT_SHA=$DD_GIT_COMMIT_SHA" >> $GITHUB_ENV
+      run: echo "DD_GIT_COMMIT_SHA=$DD_GIT_COMMIT_SHA" >> "$GITHUB_ENV"
     - if: github.event_name != 'pull_request'
       env:
         DD_GIT_COMMIT_SHA: ${{ github.sha }}
-      run: echo "DD_GIT_COMMIT_SHA=$DD_GIT_COMMIT_SHA" >> $GITHUB_ENV
-    - run: echo $DD_GIT_COMMIT_SHA
+      run: echo "DD_GIT_COMMIT_SHA=$DD_GIT_COMMIT_SHA" >> "$GITHUB_ENV"
+    - run: echo "$DD_GIT_COMMIT_SHA"
     - name: Upload junit reports
       run: datadog-ci junit upload --verbose tmp/rspec/