From 01b04af2fd60b80109fc268a952cd8e63d70a0de Mon Sep 17 00:00:00 2001
From: Sean Rankine <sean.rankine@me.com>
Date: Fri, 23 Jan 2026 11:11:09 +0000
Subject: [PATCH 1/2] Add actionlint workflow to lint GHAs

Helps us keep our GHA workflows maintainable. Keeps consistency with our
other repos (that have this enabled).
---
 .github/workflows/lint-workflows.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 .github/workflows/lint-workflows.yml

diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml
new file mode 100644
index 0000000000..f55a7be6e0
--- /dev/null
+++ b/.github/workflows/lint-workflows.yml
@@ -0,0 +1,12 @@
+name: "Lint Workflows"
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - '.github/workflows/*.yml'
+      - '.github/workflows/*.yaml'
+
+jobs:
+  lint-workflows:
+    uses: alphagov/forms-deploy/.github/workflows/reusable-lint-workflows.yml@main

From 46a9e8230b9b72cc744773db0c3e0b6831723040 Mon Sep 17 00:00:00 2001
From: Sean Rankine <sean.rankine@me.com>
Date: Fri, 23 Jan 2026 12:02:03 +0000
Subject: [PATCH 2/2] Fix linting issues with action workflows

These are existing linting issues flagged after introducing actionlint.
---
 .github/workflows/review_apps_on_pr_change.yml | 17 +++++++++++------
 .github/workflows/review_apps_on_pr_close.yml  |  3 ++-
 .github/workflows/terraform.yml                |  3 ++-
 3 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/review_apps_on_pr_change.yml b/.github/workflows/review_apps_on_pr_change.yml
index 9b5ed8590d..96d6eaf0c1 100644
--- a/.github/workflows/review_apps_on_pr_change.yml
+++ b/.github/workflows/review_apps_on_pr_change.yml
@@ -45,7 +45,8 @@ jobs:
       - name: Determine Terraform version
         id: terraform-version
         run: |
-          cat .review_apps/.terraform-version | xargs printf "TF_VERSION=%s" >> "$GITHUB_OUTPUT"
+          TF_VERSION=$(< .review_apps/.terraform-version)
+          printf "TF_VERSION=%s\n" "$TF_VERSION" >> "$GITHUB_OUTPUT"
 
       - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
@@ -63,10 +64,14 @@ jobs:
             -var "forms_admin_container_image=${{env.CONTAINER_IMAGE_URI}}" \
             -no-color \
             -auto-approve
-
-          echo "REVIEW_APP_URL=$(terraform output -raw review_app_url)" >> "$GITHUB_OUTPUT"
-          echo "ECS_CLUSTER_ID=$(terraform output -raw review_app_ecs_cluster_id)" >> "$GITHUB_OUTPUT"
-          echo "ECS_SERVICE_NAME=$(terraform output -raw review_app_ecs_service_name)" >> "$GITHUB_OUTPUT"
+          REVIEW_APP_URL=$(terraform output -raw review_app_url)
+          ECS_CLUSTER_ID=$(terraform output -raw review_app_ecs_cluster_id)
+          ECS_SERVICE_NAME=$(terraform output -raw review_app_ecs_service_name)
+          {
+            printf 'REVIEW_APP_URL=%s\n' "$REVIEW_APP_URL"
+            printf 'ECS_CLUSTER_ID=%s\n' "$ECS_CLUSTER_ID"
+            printf 'ECS_SERVICE_NAME=%s\n' "$ECS_SERVICE_NAME"
+          } >> "$GITHUB_OUTPUT"
 
       - name: Wait for AWS ECS deployments to finish
         run: |
@@ -91,7 +96,7 @@ jobs:
           $COMMENT_MARKER
           EOF
 
-          old_comment_ids=$(gh api "repos/{owner}/{repo}/issues/${{github.event.pull_request.number}}/comments" --jq 'map(select((.user.login == "github-actions[bot]") and (.body | endswith($ENV.COMMENT_MARKER + "\n")))) | .[].id')
+          old_comment_ids=$(gh api "repos/{owner}/{repo}/issues/${{github.event.pull_request.number}}/comments" --jq "map(select((.user.login == \"github-actions[bot]\") and (.body | endswith(env.COMMENT_MARKER + \"\n\")))) | .[].id")
           for comment_id in $old_comment_ids; do
             gh api -X DELETE "repos/{owner}/{repo}/issues/comments/${comment_id}"
           done
diff --git a/.github/workflows/review_apps_on_pr_close.yml b/.github/workflows/review_apps_on_pr_close.yml
index 54514e046b..b3123efe7c 100644
--- a/.github/workflows/review_apps_on_pr_close.yml
+++ b/.github/workflows/review_apps_on_pr_close.yml
@@ -18,7 +18,8 @@ jobs:
       - name: Determine Terraform version
         id: terraform-version
         run: |
-          cat .review_apps/.terraform-version | xargs printf "TF_VERSION=%s" >> "$GITHUB_OUTPUT"
+          TF_VERSION=$(< .review_apps/.terraform-version)
+          printf "TF_VERSION=%s\n" "$TF_VERSION" >> "$GITHUB_OUTPUT"
 
       - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index ee847a7dc8..f47f322094 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -16,7 +16,8 @@ jobs:
       - name: Determine Terraform version
         id: terraform-version
         run: |
-          cat .review_apps/.terraform-version | xargs printf "TF_VERSION=%s" >> "$GITHUB_OUTPUT"
+          TF_VERSION=$(< .review_apps/.terraform-version)
+          printf "TF_VERSION=%s\n" "$TF_VERSION" >> "$GITHUB_OUTPUT"
 
       - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with: