Harden actionlint workflow user

Andrei.Ovcharenko · Andrei.Ovcharenko · commit f1805397a930 · 2026-06-17T07:12:49.000+03:00
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
@@ -24,6 +24,17 @@ jobs:
         with:
           persist-credentials: false
       - name: Check GitHub Actions workflows
-        uses: docker://rhysd/actionlint@sha256:b1934ee5f1c509618f2508e6eb47ee0d3520686341fec936f3b79331f9315667 # 1.7.12
-        with:
-          args: -color
+        shell: bash
+        run: |
+          set -euo pipefail
+          if [ "$(id -u)" -eq 0 ]; then
+            echo "::error title=Root runner is not allowed::actionlint must run as the runner user"
+            exit 1
+          fi
+          version="1.7.12"
+          archive="actionlint_${version}_linux_amd64.tar.gz"
+          checksum="8aca8db96f1b94770f1b0d72b6ddcb1ebb8123cb3712530b08cc387b349a3d8"
+          curl -fsSLO "https://github.com/rhysd/actionlint/releases/download/v${version}/${archive}"
+          echo "${checksum}  ${archive}" | sha256sum -c -
+          tar -xzf "${archive}" actionlint
+          ./actionlint -color
