ci: check for unused actions

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

bazel/ci/BUILD.bazel

@@ -441,6 +441,13 @@ sh_template(
     template = "bazel_container.sh.in",
 )
 
+sh_template(
+    name = "unused_gh_actions",
+    data = [],
+    substitutions = {},
+    template = "unused_gh_actions.sh.in",
+)
+
 multirun(
     name = "tidy",
     commands = [
@@ -472,6 +479,7 @@ multirun(
         ":govulncheck",
         ":deps_mirror_check",
         ":proto_targets_check",
+        ":unused_gh_actions",
     ] + select({
         "@io_bazel_rules_go//go/platform:darwin_arm64": [
             ":shellcheck_noop_warning",

bazel/ci/unused_gh_action.sh.in

@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+###### script header ######
+
+lib=$(realpath @@BASE_LIB@@) || exit 1
+stat "${lib}" >> /dev/null || exit 1
+
+# shellcheck source=../sh/lib.bash
+if ! source "${lib}"; then
+  echo "Error: could not find import"
+  exit 1
+fi
+
+cd "${BUILD_WORKSPACE_DIRECTORY}"
+
+###### script body ######
+
+# Find all action YAMLs. This action check if there are files within
+# .github/actions that are not used in any workflow or action YAML.
+# We only want directory of that exact level and ignore subdirectories.
+actionNames=$(
+    find .github/actions \
+        -maxdepth 2 \
+        -type d \
+        ! -name actions
+)
+
+actionYMLs=$(
+    find .github/actions \
+        ! -name actions \
+        -type f \
+        -name '*.yml'
+)
+
+workflowYMLs=$(
+    find .github/workflows \
+        -type f \
+        -name '*.yml'
+)
+
+exitcode=0
+
+for action in ${actionNames}; do
+    used=false
+
+    for yml in ${actionYMLs} ${workflowYMLs}; do
+        if grep -q "${action}" "${yml}"; then
+            used=true
+            break
+        fi
+    done
+
+    if ! ${used}; then
+        echo "Action ${action} is unused"
+        exitcode=1
+    fi
+done
+
+exit "${exitcode}"