[plan] Replace Docker-based actionlint with in-process actionlint.Linter Go API

[github-actions]

Objective

Evaluate and implement replacing the Docker-based actionlint execution with in-process linting via actionlint.Linter from the Go API.

Context

From discussion #22839: actionlint is already a direct Go dependency (v1.7.11 in go.mod). Running it in-process via actionlint.Linter would:

• Remove the Docker requirement specifically for actionlint (zizmor and poutine still need Docker)
• Eliminate the Docker image version mismatch problem entirely
• Run faster (no container startup overhead)
• Work without a Docker daemon available

Approach

1. Research actionlint.Linter API — see (pkg.go.dev/redacted)
2. Prototype in-process linting in pkg/cli/actionlint.go:
   • Replace the docker run ... rhysd/actionlint:latest command with a call to actionlint.Linter
   • Map []actionlint.Error results to the existing ActionlintStats and display format
3. Preserve the existing behavior:
   • Strict mode (errors = compile failure vs. warnings)
   • Per-kind stats aggregation in ActionlintStats
   • Docs URL mapping via getActionlintDocsURL
   • Aggregate output display
4. Remove ActionlintImage constant from pkg/cli/docker_images.go if Docker is no longer needed for actionlint
5. Add/update tests to cover the new in-process path

Files to Modify

• pkg/cli/actionlint.go — replace Docker subprocess with actionlint.Linter
• pkg/cli/docker_images.go — remove ActionlintImage if no longer needed

Acceptance Criteria

• actionlint runs in-process without Docker
• All existing error display behavior is preserved
• ActionlintStats aggregation still works
• make test-unit passes
• Works when Docker daemon is not available

Generated by Plan Command for issue #discussion #22839 · ◷

• expires on Mar 27, 2026, 11:12 AM UTC