From 49c2d68a57ee6a7f29003ede4d13901ecad263d1 Mon Sep 17 00:00:00 2001
From: Jacek
Date: Tue, 16 Jun 2026 07:54:38 -0500
Subject: [PATCH] ci(repo): add actionlint workflow check (SDK-79)

Lint GitHub Actions workflows on every PR via rhysd/actionlint (pinned by digest), with .github/actionlint.yaml declaring the Blacksmith self-hosted runner labels and shellcheck SC2086/SC2129/SC2162 excluded for the intentional $TURBO_ARGS word-splitting. Clears the two real findings the lint surfaced: drop a dead E2E_CLERK_ENCRYPTION_KEY matrix env (always empty; consumers default to 'a-key'), and migrate the release notification step off the deprecated ::set-output to $GITHUB_OUTPUT, passing inputs via env so github.actor is no longer interpolated into the shell.
---
 .changeset/sdk-79-actionlint.md | 2 ++
 .github/actionlint.yaml | 8 ++++++
 .github/workflows/actionlint.yml | 43 ++++++++++++++++++++++++++++++++
 .github/workflows/ci.yml | 1 -
 .github/workflows/release.yml | 11 +++++++-
 5 files changed, 63 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/sdk-79-actionlint.md
 create mode 100644 .github/actionlint.yaml
 create mode 100644 .github/workflows/actionlint.yml

diff --git a/.changeset/sdk-79-actionlint.md b/.changeset/sdk-79-actionlint.md
new file mode 100644
index 00000000000..a845151cc84
--- /dev/null
+++ b/.changeset/sdk-79-actionlint.md
@@ -0,0 +1,2 @@
+---
+---
diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
new file mode 100644
index 00000000000..a0b6af82c74
--- /dev/null
+++ b/.github/actionlint.yaml
@@ -0,0 +1,8 @@
+# Configuration for actionlint (run by .github/workflows/actionlint.yml).
+# See SDK-79 / Monorepo Supply-Chain Hardening.
+
+self-hosted-runner:
+ # Blacksmith self-hosted runner labels. actionlint cannot know custom runner
+ # labels, so declare them here to avoid false "unknown runner label" errors.
+ labels:
+ - blacksmith-8vcpu-ubuntu-2204
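Review bot: The config declares the runner label but not the repository variables the new workflow reads (`vars.RUNNER_NORMAL`, `vars.TIMEOUT_MINUTES_SHORT`), so actionlint has no way to flag a misspelled `vars.*` reference in any workflow. actionlint only validates variable names when `config-variables` is present in this file; adding `config-variables:` / `  - RUNNER_NORMAL` / `  - TIMEOUT_MINUTES_SHORT` turns that check on, with the caveat that every `vars.*` name used by the other workflows would then need listing too, which I cannot verify from this diff. The header comment could also state that `labels` must be kept in sync with every literal `runs-on` value under `.github/workflows/`, and that an expression-valued `runs-on` (as the new workflow itself uses) is not checked against this list at all, so a missing label surfaces as a lint error rather than a silent pass.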
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
new file mode 100644
index 00000000000..ad15d2476b6
--- /dev/null
+++ b/.github/workflows/actionlint.yml
@@ -0,0 +1,43 @@
+name: Actionlint
+
+# Lint GitHub Actions workflows for syntax errors, unsafe patterns, and shell
+# bugs. Part of SDK-79 / Monorepo Supply-Chain Hardening. Runs on every PR so it
+# always reports a status and can be wired up as a required check.
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ actionlint:
+ name: Lint workflows
+ runs-on: ${{ vars.RUNNER_NORMAL || 'ubuntu-latest' }}
+ timeout-minutes: ${{ vars.TIMEOUT_MINUTES_SHORT && fromJSON(vars.TIMEOUT_MINUTES_SHORT) || 5 }}
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
+ show-progress: false
+ sparse-checkout: .github
+ sparse-checkout-cone-mode: false
+
+ - name: Run actionlint
+ # Pinned by digest (immutable). rhysd/actionlint 1.7.12; the image bundles a
+ # matching shellcheck. Bump the version and refresh the digest together.
+ uses: docker://rhysd/actionlint@sha256:b1934ee5f1c509618f2508e6eb47ee0d3520686341fec936f3b79331f9315667
+ env:
+ # Intentional word-splitting ($TURBO_ARGS etc., SC2086) and minor style
+ # (SC2129, SC2162) are excluded; every other shellcheck rule stays on.
+ SHELLCHECK_OPTS: --exclude=SC2086,SC2129,SC2162
+ with:
+ args: -color
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b6e639c157e..32478c15868 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
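Review bot: `SHELLCHECK_OPTS: --exclude=SC2086,SC2129,SC2162` switches the unquoted-expansion check off for every `run:` script in every workflow, not just the steps that deliberately split `$TURBO_ARGS`, so the next unquoted variable anywhere else (the same class of issue the release.yml change in this commit fixes) goes unreported. A narrower form keeps SC2086 enabled globally and marks each intentional site with a `# shellcheck disable=SC2086` directive comment on the line above the expansion inside that `run:` block, which shellcheck honours when actionlint hands it the script; the env comment would then only need to justify SC2129/SC2162. The `# v4` annotation on the `actions/checkout` digest pin would be more useful as the full `v4.x.y` release tag so the digest can be cross-checked against a published release, and the actionlint version `1.7.12` is currently recorded only in a comment, so the same cross-check applies to the docker digest.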
@@ -498,7 +498,6 @@ jobs:
 E2E_CLERK_UI_VERSION: "latest"
 E2E_NEXTJS_VERSION: ${{ matrix.next-version }}
 E2E_PROJECT: ${{ matrix.test-project }}
- E2E_CLERK_ENCRYPTION_KEY: ${{ matrix.clerk-encryption-key }}
 INTEGRATION_INSTANCE_KEYS: ${{ secrets.INTEGRATION_INSTANCE_KEYS }}
 NODE_EXTRA_CA_CERTS: ${{ github.workspace }}/integration/certs/rootCA.pem
 VERCEL_AUTOMATION_BYPASS_SECRET: ${{ secrets.VERCEL_AUTOMATION_BYPASS_SECRET }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ce10319a293..df1a0684e01 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -201,7 +201,16 @@ jobs:
 - name: Generate notification payload
 id: notification
 if: steps.changesets.outputs.published == 'true'
- run: payload=$(node scripts/notify.mjs '${{ steps.changesets.outputs.publishedPackages }}' '${{ github.actor }}') && echo ::set-output name=payload::${payload//$'\n'/'%0A'}
+ env:
+ PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
+ GH_ACTOR: ${{ github.actor }}
+ run: |
+ payload="$(node scripts/notify.mjs "$PUBLISHED_PACKAGES" "$GH_ACTOR")"
+ {
+ echo 'payload<<__NOTIFY_EOF__'
+ echo "$payload"
+ echo '__NOTIFY_EOF__'
+ } >> "$GITHUB_OUTPUT"
 - name: Send commit log to Slack
 id: slack
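Review bot: In the new `run: |` block, `echo "$payload"` misbehaves if scripts/notify.mjs ever emits output beginning with `-n`/`-e`, and the fixed `__NOTIFY_EOF__` delimiter assumes the payload never contains that exact line; `printf '%s\n' "$payload"` plus a per-run delimiter such as `delim="$(openssl rand -hex 8)"` used in `echo "payload<<$delim"` / `echo "$delim"` remove both assumptions and match the multi-line-output pattern GitHub documents. Moving `github.actor` and the packages JSON into `env` rather than interpolating them into the shell line is the right fix for the removed `run:`. The enclosing job and the `Send commit log to Slack` step that consumes `steps.notification.outputs.payload` lie outside the hunk; since `::set-output` decoded `%0A` back to newlines, the consumer should receive the same value as before, but that is worth confirming against the Slack step.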