Feature Request: add rule to force `timeout-minutes` about actionlint HOT 6 OPEN

I agree that explicitly configuring timeout-minutes is useful to avoid common mistake around hanging jobs.

However I feel causing an error due to lack of timeout-minutes configuration is opinionated. There are some reasons:

• actionlint does not have functionality to disable each rules (yet). Only -ignore option can ignore errors. It is important that all rules don't cause false-positives.
• Missing timeout-minutes is not always bad choice since there is no quota limit to run GitHub Actions workflows if the repository is public. For those who think it's just ok to leave it for 6 hours, reporting it as error by actionlint is pure overhead.
• It is not trivial that what value is suitable for value of timeout-minutes. People need to experiment/guess on how long the workflow usually runs. It would be an overhead on writing/maintaining workflows.

from actionlint.

In the meanwhile this could be used https://github.com/marketplace/actions/check-actions

from actionlint.

It is not trivial that what value is suitable

I'm not saying that we should force some specific value from the actionlint's side. The actual value should completely be left to users. It's enough for users to warn just like “timeout-minutes option is missing; the default value is 360 (6 hours), which is probably not what you want”.

On the other hand, setting any value greater than 360 might also be a mistake; GitHub normally limits the maximum to 360. That said, this limit may vary for self-hosted runners, so we wouldn't be able to notice this as a mistake unless we have a reliable way to ensure the workflow is to run on self-hosted runners (I just don't know about self-hosted setup).

For those who think it's just ok to leave it for 6 hours, reporting it as error by actionlint is pure overhead.

Well, some people just “don't care” about running time, but I believe 6 hours must definitely not be what users “want”, especially when they just ignorantly omit the config. If one really expects the job to run for such a long time (or doesn't know how much time it may take), they should set it explicitly to the maximum value 360.

I understand it would introduce some sort of cognitive load for maintainers when writing workflows, but I'd say, that only applies for the very first time of setting up workflows.

from actionlint.

When writing a lot of workflows missing options such as timeout happens regularly and results in wasting resources and paying a lot when jobs get stuck. GitHub provides neither repo nor workflow level options to limit job or step running time. Having it covered by a linter would be very helpful.

from actionlint.

I would also love to see this (as an opt-in flag), so it's up for the user to decide if they want to force themselves to use timeout-minutes (and for actionlint to protect against forgetting).

We've recently had an incident in my team where a 3rd party action hanged forever and we ended up spending dozens of hours of our quota on nothing.

from actionlint.

FTR I use https://check-jsonschema.rtfd.io/en/stable/precommit_usage.html#check-a-builtin-schema to lint for this.

from actionlint.