ci: introduce yamllint check for controls and profiles

marcusburghardt · marcusburghardt · commit daa42cd28327 · 2025-06-17T22:47:28.000+02:00
This workflow will detect files changed by the PR and in case controls
or profiles files are included in the list, it will execute yamllint
using the .yamllint configuration file located in .github directory.

Signed-off-by: Marcus Burghardt &lt;maburgha@redhat.com&gt;
diff --git a/.github/.yamllint b/.github/.yamllint
@@ -0,0 +1,13 @@
+---
+extends: default
+
+# https://yamllint.readthedocs.io/en/stable/rules.html
+rules:
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    level: warning
+  indentation:
+    spaces: consistent
+  line-length: disable
diff --git a/.github/workflows/ci_lint.yml b/.github/workflows/ci_lint.yml
@@ -0,0 +1,63 @@
+name: CI Lint
+on:
+  pull_request:
+    branches: [master, 'stabilization*']
+permissions:
+    contents: read
+jobs:
+  yamllint:
+    name: Run yamllint on changed controls and profiles
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install Git
+        run: sudo apt-get update && sudo apt-get install -y git
+
+      - name: Checkout CaC repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          repository: ${{ github.repository }}
+          fetch-depth: 0
+
+      - name: Detect files changed by PR
+        id: changed_files
+        run: |
+          repo=${{ github.repository }}
+          pr_number=${{ github.event.pull_request.number }}
+          # Fetch all pages of the files for the pull request
+          url="repos/$repo/pulls/$pr_number/files"
+          response=$(gh api "$url" --paginate)
+          echo "$response" | jq -r '.[].filename' > filenames.txt
+          cat filenames.txt
+
+          if grep "controls/" filenames.txt; then
+            echo "CONTROLS_CHANGES=true" >> $GITHUB_ENV
+          else
+            echo "CONTROLS_CHANGES=false" >> $GITHUB_ENV
+          fi
+          if grep "\.profile" filenames.txt; then
+            echo "PROFILES_CHANGES=true" >> $GITHUB_ENV
+          else
+            echo "PROFILES_CHANGES=false" >> $GITHUB_ENV
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install yamllint
+        if : ${{ env.CONTROLS_CHANGES == 'true' || env.PROFILES_CHANGES == 'true' }}
+        run: pip install yamllint
+
+      - name: Run yamllint in control files modified by PR
+        if: ${{ env.CONTROLS_CHANGES == 'true' }}
+        run: |
+          for control_file in $(cat filenames.txt | grep "controls/"); do
+            echo "Running yamllint on $control_file..."
+            yamllint --no-warnings "$control_file"
+          done
+
+      - name: Run yamllint in profile files modified by PR
+        if: ${{ env.PROFILES_CHANGES == 'true' }}
+        run: |
+          for profile_file in $(cat filenames.txt | grep "\.profile"); do
+            echo "Running yamllint on $profile_file..."
+            yamllint --no-warnings "$profile_file"
+          done
