ci: Lint GitHub Actions workflows with actionlint (#34729)

Added [rhysd/actionlint](https://github.com/rhysd/actionlint/) a static checker for GitHub Actions workflow files. Install locally with `brew install actionlint` the run with `actionlint`. Inspired by: https://github.com/zed-industries/zed/pull/34704 which yielded this observation: > In github actions: > 1. strings are truthy > 2. `${{ }}` will become a string if it doesn't wrap the whole value. > > So `if: false && true` becomes `false` > and `if: ${{ false && true }}` becomes `false` > but `if: false && ${{ true }}` becomes `"false && true"` which evaluates true > The reason you sometimes need `${{ }}` is because YAML doesn't like `!` > so `if: !false` is invalid yaml > and `if: ${{ !false }}` works just fine. Changes: - Add `actionlint` job - Refactor `job_spec` job to be more readable - Fix all `actionlint` and `shellcheck` errors in Actions workflows (62 in all) - Add `self-mini-macos` and `self-32vcpu-windows-2022` labels to self-hosted runners. Not strictly related, but useful if you need to take a runner out of the rotation (since `macOS`, `self-hosted`, and `ARM64` are auto-set and cannot be added/removed). - Change ci.yml macos_relase to target `self-mini-macos` instead of `bundle` which was previously deprecated. This would've caught the error fixed in https://github.com/zed-industries/zed/pull/34704. Here's what that [job failure](https://github.com/zed-industries/zed/actions/runs/16376993944/job/46279281842?pr=34729) would've looked like. Release Notes: - N/A
2025-07-18 15:15:07 -04:00 · 2025-07-18 15:15:07 -04:00 · 70bde54a2c
commit 70bde54a2c
parent 43486c416c
9 changed files with 111 additions and 61 deletions
--- a/.github/workflows/deploy_collab.yml
+++ b/.github/workflows/deploy_collab.yml
@ -79,12 +79,12 @@ jobs:
      - name: Build docker image
        run: |
          docker build -f Dockerfile-collab \
-            --build-arg GITHUB_SHA=$GITHUB_SHA \
-            --tag registry.digitalocean.com/zed/collab:$GITHUB_SHA \
+            --build-arg "GITHUB_SHA=$GITHUB_SHA" \
+            --tag "registry.digitalocean.com/zed/collab:$GITHUB_SHA" \
            .

      - name: Publish docker image
-        run: docker push registry.digitalocean.com/zed/collab:${GITHUB_SHA}
+        run: docker push "registry.digitalocean.com/zed/collab:${GITHUB_SHA}"

      - name: Prune Docker system
        run: docker system prune  --filter 'until=72h' -f
@ -131,7 +131,8 @@ jobs:
          source script/lib/deploy-helpers.sh
          export_vars_for_environment $ZED_KUBE_NAMESPACE

-          export ZED_DO_CERTIFICATE_ID=$(doctl compute certificate list --format ID --no-header)
+          ZED_DO_CERTIFICATE_ID="$(doctl compute certificate list --format ID --no-header)"
+          export ZED_DO_CERTIFICATE_ID
          export ZED_IMAGE_ID="registry.digitalocean.com/zed/collab:${GITHUB_SHA}"

          export ZED_SERVICE_NAME=collab