From 9dedea14000231db591d2d14367d268decd26b59 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Fri, 23 Jan 2026 17:52:46 -0800
Subject: [PATCH] Add actionlint pre-commit hook for workflow validation

- Fix workflow to use github.* context vars (Forgejo schema validator only recognizes GitHub Actions syntax, not gitea.* aliases)
- Pass untrusted inputs through env vars (security best practice)
- Add actionlint to Brewfile and pre-commit config

Co-Authored-By: Claude Opus 4.5
---
 .forgejo/workflows/test.yaml | 14 +++++++++-----
 .pre-commit-config.yaml | 7 +++++++
 Brewfile | 1 +
 3 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/.forgejo/workflows/test.yaml b/.forgejo/workflows/test.yaml
index 6f9faf1..8aa673b 100644
--- a/.forgejo/workflows/test.yaml
+++ b/.forgejo/workflows/test.yaml
@@ -13,17 +13,21 @@ jobs:
 - name: Checkout (git clone)
 run: |
 # For PRs use head_ref (branch name), for pushes use ref_name
- BRANCH="${{ gitea.head_ref || gitea.ref_name }}"
+ BRANCH="${HEAD_REF:-$REF_NAME}"
 git clone --depth 1 --branch "$BRANCH" \
- "${{ gitea.server_url }}/${{ gitea.repository }}.git" .
+ "${SERVER_URL}/${REPOSITORY}.git" .
 env:
 GIT_SSL_NO_VERIFY: "true"
+ HEAD_REF: ${{ github.head_ref }}
+ REF_NAME: ${{ github.ref_name }}
+ SERVER_URL: ${{ github.server_url }}
+ REPOSITORY: ${{ github.repository }}
 
 - name: Hello World
 run: |
 echo "Hello from Forgejo Actions!"
 echo "Runner: $(hostname)"
- echo "Repository: ${{ gitea.repository }}"
- echo "Event: ${{ gitea.event_name }}"
- echo "Ref: ${{ gitea.ref }}"
+ echo "Repository: ${{ github.repository }}"
+ echo "Event: ${{ github.event_name }}"
+ echo "Ref: ${{ github.ref }}"
 ls -la
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 612fb64..421de65 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
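Review bot: The Hello World step in .forgejo/workflows/test.yaml still expands `${{ github.repository }}`, `${{ github.event_name }}` and `${{ github.ref }}` inside the `run:` script, so the env-var indirection this commit applies to the checkout step is not applied there. The runner substitutes these expressions into the script text before the shell parses it, and on push events `github.ref` carries the pushed branch name, which can contain shell metacharacters; the workflow's triggers are outside the hunk, so confirm which events reach this step. Passing the three values through an `env:` block on the step and echoing the variables keeps them as data, as sketched below. Separately, the unchanged `GIT_SSL_NO_VERIFY: "true"` on the checkout step means the clone does not verify the server certificate; pointing git at the forge's CA (for example with `GIT_SSL_CAINFO`) would restore that check.

```yaml
      - name: Hello World
        run: |
          # … unchanged: greeting and hostname lines …
          echo "Repository: $REPOSITORY"
          echo "Event: $EVENT_NAME"
          echo "Ref: $REF"
          # … unchanged: ls -la …
        env:
          REPOSITORY: ${{ github.repository }}
          EVENT_NAME: ${{ github.event_name }}
          REF: ${{ github.ref }}
```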
@@ -80,3 +80,10 @@ repos:
 - id: prettier
 types_or: [json]
 args: ['--tab-width', '2']
+
+ # GitHub/Forgejo Actions workflow linting
+ - repo: https://github.com/rhysd/actionlint
+ rev: v1.7.10
+ hooks:
+ - id: actionlint-system
+ files: ^\.forgejo/workflows/
diff --git a/Brewfile b/Brewfile
index 2f962c5..64592c8 100644
--- a/Brewfile
+++ b/Brewfile
@@ -1,4 +1,5 @@
 # CLI tools for blumeops management
+brew "actionlint" # GitHub/Forgejo Actions workflow linter
 brew "argocd" # ArgoCD CLI for GitOps management
 brew "bat" # Syntax-highlighted file concatenation
 brew "tea" # Gitea/Forgejo CLI for forge.tail8d86e.ts.net
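Review bot: In the .pre-commit-config.yaml hunk, `rev: v1.7.10` does not pin the linter that actually runs: the `actionlint-system` hook executes whatever `actionlint` binary is on PATH, and the Brewfile hunk installs it with no version constraint, so results can differ between machines and from the tag named here. If reproducible lint results matter, `id: actionlint` builds the tool from the pinned revision instead (it needs a Go toolchain), at the cost of a slower first run. The tag itself is also a mutable reference; `pre-commit autoupdate --freeze` rewrites `rev:` to the commit hash with the tag kept as a comment.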