ci: add actionlint workflow

[nicktrn]

Adds an actionlint job that runs on changes to .github/workflows/** and .github/actions/**. Catches workflow bugs at PR time — expression typos, deprecated runner labels, broken matrices, and shellcheck issues in run: blocks.

Run from the official docker://rhysd/actionlint image, digest-pinned alongside everything else.

Existing workflows had 6 shellcheck findings — fixed inline:

• 3× SC2086 (>> $GITHUB_OUTPUT → >> "$GITHUB_OUTPUT") in helm-prerelease.yml, release-helm.yml, release.yml
• 1× SC2129 in publish-webapp.yml (grouped repeated redirects under one { ... } >> "$GITHUB_OUTPUT")
• 2× SC2193 false-positive in publish-worker.yml and publish-worker-v4.yml (the [[ "${{ matrix.package }}" == *-provider ]] pattern). Refactored to pass matrix.package via env: and use bash parameter expansion - cleaner and dodges the warning.

[changeset-bot]

⚠️ No Changeset found

Latest commit: c5c84cd

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 75ac7ced-f4cc-4bf6-b492-691465d4359b

📥 Commits

Reviewing files that changed from the base of the PR and between 57cca97 and c5c84cd.

📒 Files selected for processing (7)

• .github/workflows/actionlint.yml
• .github/workflows/helm-prerelease.yml
• .github/workflows/publish-webapp.yml
• .github/workflows/publish-worker-v4.yml
• .github/workflows/publish-worker.yml
• .github/workflows/release-helm.yml
• .github/workflows/release.yml

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (32)

• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (7, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (8, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (5, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (8, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (1, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (1, 8)
• GitHub Check: units / e2e-webapp / 🧪 E2E Tests: Webapp
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (2, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (4, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (7, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (6, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (3, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (4, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (3, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (5, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (6, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (2, 8)
• GitHub Check: units / packages / 🧪 Unit Tests: Packages (1, 1)
• GitHub Check: sdk-compat / Deno Runtime
• GitHub Check: sdk-compat / Bun Runtime
• GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - npm)
• GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - pnpm)
• GitHub Check: sdk-compat / Node.js 22.12 (ubuntu-latest)
• GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - pnpm)
• GitHub Check: sdk-compat / Cloudflare Workers
• GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - npm)
• GitHub Check: sdk-compat / Node.js 20.20 (ubuntu-latest)
• GitHub Check: typecheck / typecheck
• GitHub Check: audit
• GitHub Check: Analyze (actions)
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (python)

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2024-09-23T12:51:42.019Z

Learnt from: nicktrn
Repo: triggerdotdev/trigger.dev PR: 1306
File: .github/actions/get-image-tag/action.yml:51-62
Timestamp: 2024-09-23T12:51:42.019Z
Learning: In the 'get-image-tag' GitHub Action, prefer dependent workflows to fail immediately when the tag is invalid, without outputting the validity status as an output.

Applied to files:

• .github/workflows/release-helm.yml

📚 Learning: 2026-03-02T12:43:34.140Z

Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: packages/cli-v3/CLAUDE.md:0-0
Timestamp: 2026-03-02T12:43:34.140Z
Learning: Applies to packages/cli-v3/src/deploy/buildImage.ts : Build Docker images using `src/deploy/buildImage.ts` for local Docker/Depot or remote builds

Applied to files:

• .github/workflows/publish-worker.yml
• .github/workflows/publish-worker-v4.yml

🔇 Additional comments (7)

.github/workflows/actionlint.yml (1)

3-33: Looks good—secure and correctly scoped CI lint workflow.

Trigger filters, least-privilege permissions, concurrency cancellation, and SHA/digest pinning are all implemented cleanly.

.github/workflows/publish-webapp.yml (1)

62-70: Solid output grouping in build-info step.

This keeps behavior intact while making the GITHUB_OUTPUT writes cleaner and shellcheck-friendly.

.github/workflows/release.yml (1)

46-46: Good shell-quoting fix for step summary output.

Quoting GITHUB_STEP_SUMMARY is correct and avoids pathname-splitting issues.

.github/workflows/helm-prerelease.yml (1)

121-121: Nice fix for GitHub output file redirection.

The quoted output target is correct and keeps the prerelease version flow unchanged.

.github/workflows/release-helm.yml (1)

101-101: Correct quoting update for release version output.

This is a safe shellcheck-oriented improvement with no functional change.

.github/workflows/publish-worker.yml (1)

35-41: Repo derivation refactor looks good.

Using PACKAGE + ${PACKAGE%-provider} is clean and preserves expected repo names for provider/non-provider packages.

.github/workflows/publish-worker-v4.yml (1)

47-53: Looks good—same robust repo parsing pattern applied here.

The PACKAGE env + suffix-removal approach is clear and keeps outputs consistent.

---

Walkthrough

This pull request adds a new GitHub Actions workflow for linting GitHub Actions configuration files and updates six existing workflows with shell script improvements. The changes include: introducing actionlint.yml as a dedicated CI workflow that validates GitHub Actions configuration, adding proper quoting around environment variables (GITHUB_OUTPUT, GITHUB_STEP_SUMMARY) in shell redirections, and refactoring conditional shell logic to use parameter expansion (e.g., ${PACKAGE%-provider}) instead of command-based extraction (e.g., cut) for computing repository paths and package names. No functional behavior changes occur; these are structural improvements to shell script execution correctness and clarity.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description is comprehensive and well-structured but does not follow the required template with checklist, testing, changelog, and screenshots sections.	Consider following the repository's PR template more closely by including the checklist, testing, and changelog sections as specified in CONTRIBUTING.md.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly and concisely summarizes the primary change: adding an actionlint workflow for CI.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/actionlint

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 7/8 reviews remaining, refill in 7 minutes and 30 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nicktrn]

ready