feat: Add stack removal detection, actionlint validation, and workflow improvements

.github/workflows/lint.yml

@@ -118,6 +118,20 @@ jobs:
         with:
           unset-previous: true
 
+  actionlint:
+    name: Workflow validation
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    steps:
+      - name: Checkout target repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+        with:
+          repository: ${{ inputs.target-repository }}
+          ref: ${{ inputs.target-ref }}
+
+      - name: Run actionlint
+        uses: raven-actions/actionlint@v2.0.1
+
   lint:
     strategy:
       matrix:
@@ -154,7 +168,10 @@ jobs:
             local temp_env_file="$2"
 
             # Extract environment variable references from compose file and create realistic placeholders
-            grep -oE '\$\{[^}]+\}' "$compose_file" | sort -u | sed 's/\${//' | sed 's/}//' | while read var; do
+            while IFS= read -r match; do
+              # Remove ${ prefix and } suffix using parameter expansion
+              var="${match#\$\{}"
+              var="${var%\}}"
               # Use realistic placeholder values based on common variable patterns
               case "$var" in
                 *PATH*|*DIR*)
@@ -185,7 +202,7 @@ jobs:
                   echo "${var}=placeholder_value" >> "$temp_env_file"
                   ;;
               esac
-            done 2>/dev/null || true
+            done < <(grep -oE '\$\{[^}]+\}' "$compose_file" | sort -u) 2>/dev/null || true
           }
 
           # Run YAML and Docker Compose linting in parallel with output capture
@@ -234,7 +251,7 @@ jobs:
             echo "❌ FAILED - YAML linting detected issues in ./${{ matrix.stack }}/compose.yaml:"
             echo ""
             echo "🔍 Issues found:"
-            cat "$YAML_OUTPUT" | sed 's/^/    /' | sed 's|\.\/||g'
+            sed 's/^/    /' "$YAML_OUTPUT" | sed 's|\.\/||g'
             echo ""
             echo "🛠️  Fix locally with:"
             echo "    yamllint --strict --config-file .yamllint ${{ matrix.stack }}/compose.yaml"
@@ -253,7 +270,7 @@ jobs:
             echo "🔍 Issues found:"
             # Use filtered output to show relevant errors
             if [ -s "$DOCKER_FILTERED" ]; then
-              cat "$DOCKER_FILTERED" | sed 's/^/    /'
+              sed 's/^/    /' "$DOCKER_FILTERED"
             else
               echo "    Configuration errors detected (see full output above)"
             fi
@@ -308,7 +325,7 @@ jobs:
   lint-summary:
     name: Lint Summary
     runs-on: ubuntu-24.04
-    needs: [scanning, lint]
+    needs: [scanning, actionlint, lint]
     if: always()
     timeout-minutes: 5
     steps:
@@ -326,7 +343,10 @@ jobs:
             local temp_env_file="$2"
 
             # Extract environment variable references from compose file and create realistic placeholders
-            grep -oE '\$\{[^}]+\}' "$compose_file" | sort -u | sed 's/\${//' | sed 's/}//' | while read var; do
+            while IFS= read -r match; do
+              # Remove ${ prefix and } suffix using parameter expansion
+              var="${match#\$\{}"
+              var="${var%\}}"
               # Use realistic placeholder values based on common variable patterns
               case "$var" in
                 *PATH*|*DIR*)
@@ -357,7 +377,7 @@ jobs:
                   echo "${var}=placeholder_value" >> "$temp_env_file"
                   ;;
               esac
-            done 2>/dev/null || true
+            done < <(grep -oE '\$\{[^}]+\}' "$compose_file" | sort -u) 2>/dev/null || true
           }
 
           echo "📊 Final Validation Summary"
@@ -390,6 +410,26 @@ jobs:
 
           echo ""
 
+          # Actionlint Workflow Validation Results
+          echo "⚙️  WORKFLOW VALIDATION (ACTIONLINT)"
+          echo "───────────────────────────────────────────────────────────────────────────────────"
+          case "${{ needs.actionlint.result }}" in
+            "success")
+              echo "✅ PASSED - All GitHub Actions workflows are valid"
+              ACTIONLINT_OK=true
+              ;;
+            "failure")
+              echo "❌ FAILED - Workflow validation issues detected"
+              ACTIONLINT_OK=false
+              ;;
+            *)
+              echo "❓ UNKNOWN - Unexpected actionlint result: ${{ needs.actionlint.result }}"
+              ACTIONLINT_OK=false
+              ;;
+          esac
+
+          echo ""
+
           # Detailed Lint Results with Error Reproduction
           echo "📋 CODE QUALITY VALIDATION - DETAILED RESULTS"
           echo "───────────────────────────────────────────────────────────────────────────────────"
@@ -422,6 +462,7 @@ jobs:
             else
               echo "   ❌ FAILED - YAML validation detected issues:"
               echo ""
+              # shellcheck disable=SC2001  # sed is appropriate for multi-line prefix addition
               yamllint --strict --config-file .yamllint "./$stack/compose.yaml" 2>&1 | sed 's/^/      /' | sed 's|\.\/||g'
               echo ""
               echo "   🛠️  Fix locally: yamllint --strict --config-file .yamllint $stack/compose.yaml"
@@ -447,7 +488,8 @@ jobs:
                 grep -v "WARNING.*not set" || echo "Configuration errors detected")
 
               if [[ -n "$DOCKER_ERRORS" && "$DOCKER_ERRORS" != "Configuration errors detected" ]]; then
-                echo "$DOCKER_ERRORS" | sed 's/^/      /'
+                # shellcheck disable=SC2001  # sed is appropriate for multi-line prefix addition
+                sed 's/^/      /' <<< "$DOCKER_ERRORS"
               else
                 echo "      Configuration syntax or structure issues detected"
               fi
@@ -505,7 +547,7 @@ jobs:
           echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 
           # Final determination
-          if [[ "$SCANNING_OK" == "true" && "$LINT_OK" == "true" ]]; then
+          if [[ "$SCANNING_OK" == "true" && "$ACTIONLINT_OK" == "true" && "$LINT_OK" == "true" ]]; then
             echo "🎉 FINAL STATUS: ALL VALIDATION CHECKS PASSED"
             echo "   Repository is ready for deployment"
             exit 0
@@ -515,6 +557,7 @@ jobs:
             echo ""
             echo "   Failed components:"
             [[ "$SCANNING_OK" != "true" ]] && echo "   • GitGuardian security scanning"
+            [[ "$ACTIONLINT_OK" != "true" ]] && echo "   • Workflow validation (actionlint)"
             [[ "$LINT_OK" != "true" ]] && echo "   • Code quality validation (see detailed errors above)"
             echo ""
             exit 1
@@ -523,7 +566,7 @@ jobs:
   notify:
     name: Discord Notification
     runs-on: ubuntu-24.04
-    needs: [scanning, lint, lint-summary]
+    needs: [scanning, actionlint, lint, lint-summary]
     if: always()
     steps:
       - name: Configure 1Password Service Account
@@ -551,12 +594,20 @@ jobs:
             ${{ needs.lint-summary.result == 'failure' && inputs.discord-user-id != '' && steps.op-load-discord.outputs.DISCORD_USER_ID != 'SKIP' && format('<@{0}> ', steps.op-load-discord.outputs.DISCORD_USER_ID) || '' }}${{ needs.lint-summary.result == 'success' && '✅ **All validation checks passed**' || '❌ **Validation issues detected**' }}
 
             **🔒 Security Scan:** ${{ needs.scanning.result == 'success' && '✅ No secrets detected' || needs.scanning.result == 'skipped' && '⏭️ Skipped (PR/manual)' || '❌ Issues found' }}
+            **⚙️ Workflow Validation:** ${{ needs.actionlint.result == 'success' && '✅ All workflows valid' || '❌ Issues detected' }}
             **📋 Code Quality:** ${{ needs.lint.result == 'success' && '✅ All stacks valid' || '❌ Issues detected' }}
 
             **📂 Validated Stacks:** `${{ join(fromJson(inputs.stacks), '`, `') }}`
 
             ${{ github.event_name == 'pull_request' && '🔀 **Pull Request Validation**' || github.event_name == 'workflow_dispatch' && '🔧 **Manual Validation**' || format('📝 **Push to `{0}`**', github.ref_name) }}
 
+            ${{ needs.actionlint.result == 'failure' && '
+            **⚙️ Workflow Issues:**
+            • GitHub Actions workflow validation failed
+            • Review the **Workflow Validation** job for details
+            • Fix workflow syntax, shellcheck, or expression errors
+            • Test locally: `actionlint .github/workflows/*.yml`' || '' }}
+
             ${{ needs.lint.result == 'failure' && '
             **🚨 Action Required:**
             • Review stack validation errors in workflow logs

.github/workflows/yamllint.yml

@@ -1,4 +1,4 @@
-name: YAML Lint
+name: Lint Workflows
 
 on:
   push:
@@ -16,14 +16,27 @@ jobs:
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
 
       - name: Run yamllint
+        id: yamllint
+        continue-on-error: true
         run: yamllint --strict --config-file .yamllint .
 
       - name: Report results
         if: always()
         run: |
-          if [ $? -eq 0 ]; then
+          if [ "${{ steps.yamllint.outcome }}" = "success" ]; then
             echo "✅ All YAML files are properly formatted"
           else
             echo "❌ YAML formatting issues found"
             echo "Please fix the issues above or update .yamllint configuration if needed"
+            exit 1
           fi
+
+  actionlint:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+
+      - name: Run actionlint
+        uses: raven-actions/actionlint@v2.0.1

.gitignore

@@ -43,4 +43,7 @@ package-lock.json
 yarn.lock
 
 # GitHub Actions runner temp files
-.runner/
+.runner/
+
+# Git worktrees
+.worktrees/

CLAUDE.md

@@ -60,6 +60,7 @@ This repository provides two main reusable workflows:
 5. **Caching Strategies**: Optimized caching for Tailscale state and deployment tools
 6. **SSH Optimization**: Connection multiplexing and retry mechanisms
 7. **Parallel Execution**: All lint jobs (GitGuardian, YAML lint) run concurrently
+8. **Stack Removal Detection**: Automatic cleanup of removed stacks with fail-safe operation
 
 ### Benefits of Centralization
 
@@ -175,6 +176,7 @@ The deploy workflow (`deploy.yml`) provides:
 8. **SSH Optimization** - Connection multiplexing for better performance
 9. **Caching** - Optimized caching for Tailscale and deployment tools
 10. **Rich Discord Notifications** - Comprehensive deployment status with health metrics
+11. **Stack Removal Cleanup** - Detect deleted stacks via git diff and clean up containers before repository update
 
 ## Security Integration