From dfa4cbb157065c9c93af04fb8fc5c9537e85ccab Mon Sep 17 00:00:00 2001 From: Dominikus Nold Date: Tue, 31 Mar 2026 00:59:30 +0200 Subject: [PATCH] fix: propagate docker actionlint exit code instead of masking failures Simplify run_actionlint.sh control flow so both local and docker execution paths propagate actionlint's exit code via `exit $?`. Previously the docker path used `if run_with_docker; then exit 0; fi` which treated lint errors as "docker unavailable" and fell through to install guidance. Co-Authored-By: Claude Opus 4.6 --- scripts/run_actionlint.sh | 26 +++++-------------- .../test_trustworthy_green_checks.py | 7 ++--- 2 files changed, 9 insertions(+), 24 deletions(-) diff --git a/scripts/run_actionlint.sh b/scripts/run_actionlint.sh index 7eaaeeae..0954a969 100755 --- a/scripts/run_actionlint.sh +++ b/scripts/run_actionlint.sh @@ -15,35 +15,23 @@ has_actionlint() { command -v actionlint >/dev/null 2>&1 } -run_actionlint_local() { - actionlint -no-color +has_docker() { + command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1 } -run_with_docker() { - if ! command -v docker >/dev/null 2>&1; then - return 1 - fi - - if ! docker info >/dev/null 2>&1; then - echo "Docker daemon unavailable for actionlint; cannot run via Docker." >&2 - return 1 - fi +if has_actionlint; then + actionlint -no-color + exit $? +fi +if has_docker; then docker run --rm \ -v "$REPO_ROOT":/repo \ -w /repo \ "$DOCKER_IMAGE" -no-color -} - -if has_actionlint; then - run_actionlint_local exit $? fi -if run_with_docker; then - exit 0 -fi - echo "actionlint is required for workflow linting." >&2 echo "Install it globally or use a Docker-enabled environment." >&2 echo "Official install options: https://github.com/rhysd/actionlint" >&2 diff --git a/tests/unit/workflows/test_trustworthy_green_checks.py b/tests/unit/workflows/test_trustworthy_green_checks.py index 5f558170..527fc90b 100644 --- a/tests/unit/workflows/test_trustworthy_green_checks.py 
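Review bot: The new `has_docker` helper folds "docker CLI missing" and "daemon unreachable" into one silent false, so someone with Docker installed but stopped now sees only the generic install guidance. The removed `Docker daemon unavailable for actionlint; cannot run via Docker.` line was the only hint at the real cause. Consider keeping that diagnostic on stderr when `command -v docker` succeeds but `docker info` fails, before falling through to the guidance. In the `if has_docker` branch the checkout is bind-mounted read-write, although a linter needs no write access; `-v "$REPO_ROOT":/repo:ro` would limit what the image can do to the working tree. `DOCKER_IMAGE` is set outside this hunk, so whether it is pinned to a digest rather than a mutable tag cannot be checked from here.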
+++ b/tests/unit/workflows/test_trustworthy_green_checks.py
@@ -196,8 +196,5 @@ def test_legacy_actionlint_runner_does_not_mask_docker_failures() -> None:
 assert "docker info >/dev/null 2>&1" in raw, "Expected docker daemon reachability check"
 assert "tools/bin" not in raw, "Should not download binaries into repo tree"
 assert "go install github.com/rhysd/actionlint/cmd/actionlint@" in raw, "Expected global install guidance"
- # Docker run must not be followed by unconditional return 0 (would swallow failures)
- for i, line in enumerate(lines):
- if "docker run --rm" in line:
- remaining = "\n".join(lines[i:])
- assert "return 0" not in remaining, "docker run must not be followed by unconditional return 0"
+ # Both execution paths (local binary and docker) must propagate exit codes
+ assert raw.count("exit $?") >= 2, "Expected exit code propagation for both local and docker paths"
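Review bot: The added `assert raw.count("exit $?") >= 2` only counts a substring anywhere in the script text, so it still passes when an `exit $?` sits in a comment or when the docker call is wrapped in a condition that discards its status. That is weaker than the test name `test_legacy_actionlint_runner_does_not_mask_docker_failures` promises. A behavioural check would pin the property directly: place stub `actionlint` and `docker` executables that exit non-zero on a temporary `PATH`, run `scripts/run_actionlint.sh`, and assert the script's return code equals the stub's. The removed loop was a visible reader of `lines`; the function starts outside this hunk, so if nothing else in it uses `lines`, that local is now dead and can be dropped.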