
Linting for GitHub actions #9547

Open
chris48s opened this issue Sep 4, 2023 · 3 comments
Labels
developer-experience Dev tooling, test framework, and CI

Comments

@chris48s
Member

chris48s commented Sep 4, 2023

📋 Description

Follow up from #9542

We make extensive use of GitHub actions and workflows. They're a huge productivity boost.

Simultaneously, there are some foot guns and security considerations. #9542 highlights one of these.

This was an issue I was previously aware of

```yaml
- name: Derive list of service tests to run
  # Note: In this step we are using an intermediate env var instead of
  # passing github.event.pull_request.title as an argument
  # to prevent a shell injection attack. Further reading:
  # https://securitylab.github.com/research/github-actions-untrusted-input/#exploitability-and-impact
  # https://securitylab.github.com/research/github-actions-untrusted-input/#remediation
  if: always()
  env:
    TITLE: ${{ github.event.pull_request.title }}
  run: npm run test:services:pr:prepare "$TITLE"
  shell: bash
```

but I missed it in the review of #9386

Can we adopt some automated tooling that would flag issues like this and help us to fall into the pit of success here? One option is https://github.com/rhysd/actionlint. I've not tried it out yet, but it looks like this would have caught that issue in CI.
Are there other options we should evaluate?
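As an added illustration (not from this issue, nor from actionlint or any other tool named in the thread), here is a minimal Python scanner for the pattern the issue is about: an untrusted event field expanded directly inside a `run:` script, which the `env:` indirection in the step quoted above avoids. The list of untrusted contexts is an assumption based on the examples in the linked Security Lab article and is not exhaustive.

```python
import re

# Event fields an outside contributor controls. Assumed, illustrative list
# drawn from the Security Lab article's examples; not exhaustive.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.event\.(pull_request|issue|comment|review|review_comment|"
    r"discussion|commits|head_commit|workflow_run)[\w.\[\]]*|github\.head_ref)\s*\}\}"
)
RUN_KEY = re.compile(r"(-\s+)?run:\s*(.*)$")

def find_run_expressions(workflow_text):
    """(line_no, expression) for each untrusted ${{ }} inside a `run:` script,
    where the runner pastes the value into the shell as raw text. Expressions
    under `env:` are not reported: the shell reads them from a variable."""
    findings = []
    in_block = False   # inside a multi-line `run: |` or `run: >` scalar
    block_indent = 0   # indent of the `run:` key that opened the block
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_block:
            if stripped and indent <= block_indent:
                in_block = False  # dedent closes the block scalar
            else:
                findings += [(lineno, m.group(0)) for m in UNTRUSTED.finditer(line)]
                continue
        m = RUN_KEY.match(stripped)
        if not m:
            continue
        rest = m.group(2)
        if rest.startswith(("|", ">")):
            in_block, block_indent = True, indent + len(m.group(1) or "")
        else:
            findings += [(lineno, x.group(0)) for x in UNTRUSTED.finditer(rest)]
    return findings

# Constructed sample steps: the first two inline event text (the foot gun),
# the third uses the env-var indirection quoted in the issue.
VULNERABLE = """\
      - run: npm run test:services:pr:prepare "${{ github.event.pull_request.title }}"
      - run: |
          echo "${{ github.event.issue.body }}"
        shell: bash
"""
SAFE = """\
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: npm run test:services:pr:prepare "$TITLE"
        shell: bash
"""
```

Running `find_run_expressions(VULNERABLE)` reports lines 1 and 3; the `SAFE` step yields no findings.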

@jNullj
Collaborator

jNullj commented Sep 4, 2023

I gave it a quick search and couldn't find a better fitting repo. It's the first time I see actionlint, though, so I can't tell much about it.
I am for adding a linter to GitHub Actions changes.
I might run it in my fork to test it out later.

@arunstar
Contributor

arunstar commented Sep 5, 2023

Other options you may want to consider:

  1. semgrep with github-actions rules (personally tested, does a pretty good job)
  2. checkov with github_actions framework

@calebcartwright
Member

Seems like there are some good third-party options out there based on what's been shared here, though the more I think about it the more I'm surprised GitHub doesn't have something built into the platform that highlights such known issues in real time 🤔
