--- /dev/null
+name: Lint GitHub Actions workflows
+
+# Static-check the workflow YAML with rhysd/actionlint. Catches missing
+# secrets, bad expressions, expression-type errors, unsupported runner
+# images, and (via embedded shellcheck) common pitfalls in `run:` scripts.
+# Trigger only on changes under .github/workflows/ so the rest of the
+# matrix isn't billed when nothing here moves.
+
+on:
+ push:
+ branches: [ master ]
+ paths:
+ - '.github/workflows/*.yml'
+ - '.github/actionlint.yaml'
+ - '.github/actionlint.yml'
+ pull_request:
+ branches: [ master ]
+ paths:
+ - '.github/workflows/*.yml'
+ - '.github/actionlint.yaml'
+ - '.github/actionlint.yml'
+
+permissions:
+ contents: read
+
+jobs:
+ actionlint:
+ runs-on: ubuntu-latest
+ name: actionlint
+ steps:
+ - uses: actions/checkout@v4
+ - name: install actionlint
+ # Pin a version so this job is reproducible; bump deliberately.
+ # The download script verifies a SHA256 of the release tarball.
+ run: |
+ bash <(curl --proto '=https' --tlsv1.2 -fsSL \
+ https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) \
+ 1.7.12
+ echo "$PWD" >>"$GITHUB_PATH"
+ - name: actionlint --version
+ run: actionlint -version
+ - name: actionlint .github/workflows/*.yml
+ run: actionlint -color
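Review bot: The install step `bash <(curl … /rhysd/actionlint/main/scripts/download-actionlint.bash) 1.7.12` pins only the binary version: the script it executes is still fetched from the mutable `main` branch, so any change to that branch runs in this job, which is neither reproducible nor reviewed. Fetch the script from an immutable ref instead, e.g. `https://raw.githubusercontent.com/rhysd/actionlint/<FULL_COMMIT_SHA>/scripts/download-actionlint.bash` (placeholder; use the commit of the 1.7.12 release). The comment should be reworded too, because the SHA256 check it mentions would live inside that same unpinned script and cannot be confirmed from this diff. `actions/checkout@v4` is likewise a movable tag; pinning it to a commit SHA and adding `with: persist-credentials: false` would keep the token out of `.git/config` for a job that only reads. The `paths:` filters match only `*.yml`, so a workflow saved with a `.yaml` extension would not trigger this lint.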