Description

Running npm run lint:yaml in a fresh devcontainer fails with:

Write-Error: YAML Lint failed: actionlint is not installed. See script help for installation instructions.

Root Cause

Invoke-YamlLint.ps1 requires actionlint to validate GitHub Actions workflow files, but the devcontainer setup scripts do not install it. Neither on-create.sh nor post-create.sh include an actionlint installation step.

The copilot-setup-steps.yml workflow (for Copilot Coding Agent) may install it separately, but the local devcontainer environment does not.

Reproduction

1. Open hve-core in a fresh codespace or devcontainer
2. Run npm run lint:yaml
3. Observe the error

Suggested Fix

Add actionlint installation to .devcontainer/scripts/on-create.sh alongside the existing gitleaks and shellcheck installations. Use a pinned version with SHA256 verification, consistent with how gitleaks is installed:

echo "Installing actionlint..."
curl -sSfL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash \
  | bash -s -- <pinned-version>
sudo mv actionlint /usr/local/bin/

Workaround

cd /tmp
curl -sSfL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash \
  | bash -s -- latest
sudo mv actionlint /usr/local/bin/

Affected Scripts

• scripts/linting/Invoke-YamlLint.ps1 (line 75)
• .devcontainer/scripts/on-create.sh (missing installation)

Environment

• DevContainer on Ubuntu 24.04
• PowerShell 7.5.4
• Node.js 24.x