From 9d90ab6df7de09cff2bb7f8caf15a9732683276f Mon Sep 17 00:00:00 2001
From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Date: Thu, 3 Aug 2023 15:04:55 +0200
Subject: [PATCH] ci: check for unused actions

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
---
 bazel/ci/BUILD.bazel            |  8 +++++
 bazel/ci/unused_gh_action.sh.in | 59 +++++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+)
 create mode 100755 bazel/ci/unused_gh_action.sh.in

diff --git a/bazel/ci/BUILD.bazel b/bazel/ci/BUILD.bazel
index 4a8b9a75a..7e5a9bf06 100644
--- a/bazel/ci/BUILD.bazel
+++ b/bazel/ci/BUILD.bazel
@@ -441,6 +441,13 @@ sh_template(
     template = "bazel_container.sh.in",
 )
 
+sh_template(
+    name = "unused_gh_actions",
+    data = [],
+    substitutions = {},
+    template = "unused_gh_actions.sh.in",
+)
+
 multirun(
     name = "tidy",
     commands = [
@@ -472,6 +479,7 @@ multirun(
         ":govulncheck",
         ":deps_mirror_check",
         ":proto_targets_check",
+        ":unused_gh_actions",
     ] + select({
         "@io_bazel_rules_go//go/platform:darwin_arm64": [
             ":shellcheck_noop_warning",
diff --git a/bazel/ci/unused_gh_action.sh.in b/bazel/ci/unused_gh_action.sh.in
new file mode 100755
index 000000000..7d87ca45a
--- /dev/null
+++ b/bazel/ci/unused_gh_action.sh.in
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+###### script header ######
+
+lib=$(realpath @@BASE_LIB@@) || exit 1
+stat "${lib}" >> /dev/null || exit 1
+
+# shellcheck source=../sh/lib.bash
+if ! source "${lib}"; then
+  echo "Error: could not find import"
+  exit 1
+fi
+
+cd "${BUILD_WORKSPACE_DIRECTORY}"
+
+###### script body ######
+
+# Find all action YAMLs. This action check if there are files within
+# .github/actions that are not used in any workflow or action YAML.
+# We only want directory of that exact level and ignore subdirectories.
+actionNames=$(
+    find .github/actions \
+        -maxdepth 2 \
+        -type d \
+        ! -name actions
+)
+
+actionYMLs=$(
+    find .github/actions \
+        ! -name actions \
+        -type f \
+        -name '*.yml'
+)
+
+workflowYMLs=$(
+    find .github/workflows \
+        -type f \
+        -name '*.yml'
+)
+
+exitcode=0
+
+for action in ${actionNames}; do
+    used=false
+
+    for yml in ${actionYMLs} ${workflowYMLs}; do
+        if grep -q "${action}" "${yml}"; then
+            used=true
+            break
+        fi
+    done
+
+    if ! ${used}; then
+        echo "Action ${action} is unused"
+        exitcode=1
+    fi
+done
+
+exit "${exitcode}"