v1.6.22

• Detect deprecated workflow commands such as set-output or save-state and suggest the alternative. See the document for more details. (#234)

  # ERROR: This format of 'set-output' workflow command was deprecated
  - run: echo '::set-output name=foo::bar'

• Fix that ${{ }} expression at on.workflow_call.inputs.<id>.default caused an error. (#235)

  on:
    workflow_call:
      inputs:
        project:
          type: string
          # OK: The default value is generated dynamically
          default: ${{ github.event.repository.name }}

• Improve type of inputs context to grow gradually while checking inputs in workflow_call event.

  on:
    workflow_call:
      inputs:
        input1:
          type: string
          # ERROR: `input2` is not defined yet
          default: ${{ inputs.input2 }}
        input2:
          type: string
          # OK: `input1` was already defined above
          default: ${{ inputs.input1 }}

• Check types of default values of workflow call inputs even if ${{ }} expression is used.

  on:
    workflow_call:
      inputs:
        input1:
          type: boolean
        input2:
          type: number
          # ERROR: Boolean value cannot be assigned to number
          default: ${{ inputs.input1 }}

• Fix the download script is broken since GHE server does not support the new set-output format yet. (#240)
• Replace the deprecated set-output workflow command in our own workflows. (#239, thanks @Mrtenz)
• Popular actions data set was updated to the latest as usual.

v1.6.21

• Check contexts availability. Some contexts limit where they can be used. For example, jobs.<job_id>.env workflow key does not allow accessing env context, but jobs.<job_id>.steps.env allows. See the official document for the complete list of contexts availability. (#180)

  ...
  
  env:
    TOPLEVEL: ...
  
  jobs:
    test:
      runs-on: ubuntu-latest
      env:
        # ERROR: 'env' context is not available here
        JOB_LEVEL: ${{ env.TOPLEVEL }}
      steps:
        - env:
            # OK: 'env' context is available here
            STEP_LEVEL: ${{ env.TOPLEVEL }}
          ...

  actionlint reports the context is not available and what contexts are available as follows:

  test.yaml:11:22: context "env" is not allowed here. available contexts are "github", "inputs", "matrix", "needs", "secrets", "strategy". see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details [expression]
     |
  11 |       JOB_LEVEL: ${{ env.TOPLEVEL }}
     |                      ^~~~~~~~~~~~
  

• Check special functions availability. Some functions limit where they can be used. For example, status functions like success() or failure() are only available in conditions of if:. See the official document for the complete list of special functions availability. (#214)

  ...
  
  steps:
    # ERROR: 'success()' function is not available here
    - run: echo 'Success? ${{ success() }}'
      # OK: 'success()' function is available here
      if: success()

  actionlint reports success() is not available and where the function is available as follows:

  test.yaml:8:33: calling function "success" is not allowed here. "success" is only available in "jobs.<job_id>.if", "jobs.<job_id>.steps.if". see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details [expression]
    |
  8 |       - run: echo 'Success? ${{ success() }}'
    |                                 ^~~~~~~~~
  

• Fix inputs context is not available in run-name: section. (#223)
• Allow dynamic shell configuration like shell: ${{ env.SHELL }}.
• Fix no error is reported when on: does not exist at toplevel. (#232)
• Fix an error position is not correct when the error happens at root node of workflow AST.
• Fix an incorrect empty event is parsed when on: section is empty.
• Fix the error message when parsing an unexpected key on toplevel. (thanks @norwd, #231)
• Add in_progress type to workflow_run webhook event trigger.
• Describe the actionlint extension for Nova.app in the usage document. (thanks @jbergstroem, #222)
• Note Super-Linter uses a different place for configuration file. (thanks @per-oestergaard, #227)
• Add actions/setup-dotnet@v3 to popular actions data set.
• generate-availability script was created to scrape the information about contexts and special functions availability from the official document. The information can be used through actionlint.WorkflowKeyAvailability() Go API. This script is run once a week on CI to keep the information up-to-date.

v1.6.20

• Support run-name which GitHub introduced recently. It is a name of workflow run dynamically configured. See the official document for more details. (#220)

  on: push
  run-name: Deploy by @${{ github.actor }}
  
  jobs:
    ...

• Add end_column property to JSON representation of error. The property indicates a column of the end position of ^~~~~~~ indicator in snippet. Note that end_column is equal to column when the indicator cannot be shown. (#219)

  $ actionlint -format '{{json .}}' test.yaml | jq
  [
    {
      "message": "property \"unknown_prop\" is not defined in object type {arch: string; debug: string; name: string; os: string; temp: string; tool_cache: string; workspace: string}",
      "filepath": "test.yaml",
      "line": 7,
      "column": 23,
      "kind": "expression",
      "snippet": "      - run: echo ${{ runner.unknown_prop }}\n                      ^~~~~~~~~~~~~~~~~~~",
      "end_column": 41
    }
  ]

• Overhaul the workflow parser to parse workflow keys in case-insensitive. This is a work derived from the fix of #216. Now the parser parses all workflow keys in case-insensitive way correctly. Note that permission names at permissions: are exceptionally case-sensitive.
  • This fixes properties of inputs for workflow_dispatch were not case-insensitive.
  • This fixes inputs and outputs of local actions were not handled in case-insensitive way.
• Update popular actions data set. actions/stale@v6 was newly added.

v1.6.19

• Fix inputs, outputs, and secrets of reusable workflow should be case-insensitive. (#216)

  # .github/workflows/reusable.yaml
  on:
    workflow_call:
      inputs:
        INPUT_UPPER:
          type: string
        input_lower:
          type: string
      secrets:
        SECRET_UPPER:
        secret_lower:
  ...
  
  # .github/workflows/test.yaml
  ...
  
  jobs:
    caller:
      uses: ./.github/workflows/reusable.yaml
      # Inputs and secrets are case-insensitive. So all the followings should be OK
      with:
        input_upper: ...
        INPUT_LOWER: ...
      secrets:
        secret_upper: ...
        SECRET_LOWER: ...

• Describe how to install specific version of actionlint binary with the download script. (#218)

v1.6.18

• This release much enhances checks for local reusable workflow calls. Note that these checks are done for local reusable workflows (starting with ./). (#179).
  • Detect missing required inputs/secrets and undefined inputs/secrets at jobs.<job_id>.with and jobs.<job_id>.secrets. See the document for more details.

    # .github/workflows/reusable.yml
    on:
      workflow_call:
        inputs:
          name:
            type: string
            required: true
        secrets:
          password:
            required: true
    ...
    
    # .github/workflows/test.yml
    ...
    
    jobs:
      missing-required:
        uses: ./.github/workflows/reusable.yml
        with:
          # ERROR: Undefined input "user"
          user: rhysd
          # ERROR: Required input "name" is missing
        secrets:
          # ERROR: Undefined secret "credentials"
          credentials: my-token
          # ERROR: Required secret "password" is missing

  • Type check for reusable workflow inputs at jobs.<job_id>.with. Types are defined at on.workflow_call.inputs.<name>.type in reusable workflow. actionlint checks types of expressions in workflow calls. See the document for more details.

    # .github/workflows/reusable.yml
    on:
      workflow_call:
        inputs:
          id:
            type: number
          message:
            type: string
    ...
    
    # .github/workflows/test.yml
    ...
    
    jobs:
      type-checks:
        uses: ./.github/workflows/reusable.yml
        with:
          # ERROR: Cannot assign string value to number input. format() returns string value
          id: ${{ format('runner name is {0}', runner.name) }}
          # ERROR: Cannot assign null to string input. If you want to pass string "null", use ${{ 'null' }}
          message: null

  • Detect local reusable workflow which does not exist at jobs.<job_id>.uses. See the document for more details.

    jobs:
      test:
        # ERROR: This workflow file does not exist
        with: ./.github/workflows/does-not-exist.yml

  • Check needs.<job_id>.outputs.<output_id> in downstream jobs of workflow call jobs. The outputs object is now typed strictly based on on.workflow_call.outputs.<name> in the called reusable workflow. See the document for more details.

    # .github/workflows/get-build-info.yml
    on:
      workflow_call:
        outputs:
          version:
            value: ...
            description: version of software
    ...
    
    # .github/workflows/test.yml
    ...
    
    jobs:
      # This job's outputs object is typed as {version: string}
      get_build_info:
        uses: ./.github/workflows/get-build-info.yml
      downstream:
        needs: [get_build_info]
        runs-on: ubuntu-latest
        steps:
          # OK. `version` is defined in the reusable workflow
          - run: echo '${{ needs.get_build_info.outputs.version }}'
          # ERROR: `tag` is not defined in the reusable workflow
          - run: echo '${{ needs.get_build_info.outputs.tag }}'

• Add missing properties in contexts and improve types of some properties looking at the official contexts document.
  • github.action_status
  • runner.debug
  • services.<service_id>.ports
• Fix on.workflow_call.inputs.<name>.description and on.workflow_call.secrets.<name>.description were incorrectly mandatory. They are actually optional.
• Report parse errors when parsing action.yml in local actions. They were ignored in previous versions.
• Sort the order of properties in an object type displayed in error message. In previous versions, actionlint sometimes displayed {a: true, b: string}, or it displayed {b: string, a: true} for the same object type. This randomness was caused by random iteration of map values in Go.
• Update popular actions data set to the latest.

v1.6.17

• Allow workflow calls are available in matrix jobs. See the official announcement for more details. (#197)

  jobs:
    ReuseableMatrixJobForDeployment:
      strategy:
        matrix:
          target: [dev, stage, prod]
      uses: octocat/octo-repo/.github/workflows/deployment.yml@main
      with:
        target: ${{ matrix.target }}

• Allow nested workflow calls. See the official announcement for more details. (#201)

  on: workflow_call
  
  jobs:
    call-another-reusable:
      uses: path/to/another-reusable.yml@v1

• Fix job outputs should be passed to needs.*.outputs of only direct children. Until v1.6.16, they are passed to any downstream jobs. (#151)

  jobs:
    first:
      runs-on: ubuntu-latest
      outputs:
        first: 'output from first job'
      steps:
        - run: echo 'first'
  
    second:
      needs: [first]
      runs-on: ubuntu-latest
      outputs:
        second: 'output from second job'
      steps:
        - run: echo 'second'
  
    third:
      needs: [second]
      runs-on: ubuntu-latest
      steps:
        - run: echo '${{ toJSON(needs.second.outputs) }}'
        # ERROR: `needs.first` does not exist, but v1.6.16 reported no error
        - run: echo '${{ toJSON(needs.first.outputs) }}'

  When you need both needs.first and needs.second, add the both to needs:.

    third:
      needs: [first, second]
      runs-on: ubuntu-latest
      steps:
        # OK
        -  echo '${{ toJSON(needs.first.outputs) }}'

• Fix }} in string literals are detected as end marker of placeholder ${{ }}. (#205)

  jobs:
    test:
      runs-on: ubuntu-latest
      strategy:
        # This caused an incorrect error until v1.6.16
        matrix: ${{ fromJSON('{"foo":{}}') }}

• Fix working-directory: should not be available with uses: in steps. working-directory: is only available with run:. (#207)

  steps:
    - uses: actions/checkout@v3
      # ERROR: `working-directory:` is not available here
      working-directory: ./foo

• The working directory for running actionlint command can be set via WorkingDir field of LinterOptions struct. When it is empty, the return value from os.Getwd will be used.
• Update popular actions data set. actions/configure-pages@v2 was added.
• Use Go 1.19 on CI by default. It is used to build release binaries.
• Update dependencies (go-yaml/yaml v3.0.1).
• Update playground dependencies (except for CodeMirror v6).

v1.6.16

• Allow an empty object at permissions:. You can use it to disable permissions for all of the available scopes. (#170, #171, thanks @peaceiris)

  permissions: {}

• Support github.triggering_actor context value. (#190, thanks @stefreak)
• Rename step-id rule to id rule. Now the rule checks both job IDs and step IDs. See the document for more details. (#182)

  jobs:
    # ERROR: '.' cannot be contained in ID
    v1.2.3:
      runs-on: ubuntu-latest
      steps:
        - run: echo 'job ID with version'
          # ERROR: ID cannot contain spaces
          id: echo for test
    # ERROR: ID cannot start with numbers
    2d-game:
      runs-on: ubuntu-latest
      steps:
        - run: echo 'oops'

• Accessing env context in jobs.<id>.if is now reported as error. (#155)

  jobs:
    test:
      runs-on: ubuntu-latest
      # ERROR: `env` is not available here
      if: ${{ env.DIST == 'arch' }}
      steps:
        - run: ...

• Fix actionlint wrongly typed some matrix value when the matrix is expanded with ${{ }}. For example, matrix.foo in the following code is typed as {x: string}, but it should be any because it is initialized with the value from fromJSON. (#145)

  strategy:
    matrix:
      foo: ${{ fromJSON(...) }}
      exclude:
        - foo:
            x: y

• Fix incorrect type check when multiple runner labels are set to runs-on: via expanding ${{ }} for selecting self-hosted runners. (#164)

  jobs:
    test:
      strategy:
        matrix:
          include:
            - labels: ["self-hosted", "macOS", "X64"]
            - labels: ["self-hosted", "linux"]
      # actionlint incorrectly reported type error here
      runs-on: ${{ matrix.labels }}

• Fix usage of local actions (uses: ./path/to/action) was not checked when multiple workflow files were passed to actionlint command. (#173)
• Allow description: is missing in secrets: of reusable workflow call definition since it is optional. (#174)
• Fix type of propery of github.event.inputs is string unlike inputs context. See the document for more details. (#181)

  on:
    workflow_dispatch:
      inputs:
        is-valid:
          # Type of `inputs.is-valid` is bool
          # Type of `github.event.inputs.is-valid` is string
          type: boolean

• Fix crash when a value is expanded with ${{ }} at continue-on-error:. (#193)
• Fix some error was caused by some other error. For example, the following code reported two errors. '" is not available for string literal' error caused another 'one placeholder should be included in boolean value string' error. This was caused because the ${{ x == "foo" }} placeholder was not counted due to the previous type error.

  if: ${{ x == "foo" }}

• Add support for merge_group workflow trigger.
• Add official actions to manage GitHub Pages to popular actions data set.
  • actions/configure-pages@v1
  • actions/deploy-pages@v1
  • actions/upload-pages-artifact@v1
• Update popular actions data set to the latest. Several new major versions and new inputs of actions were added to it.
• Describe how to install actionlint via Chocolatey, scoop, and AUR in the installation document. (#167, #168, thanks @sitiom)
• VS Code extension for actionlint was created by @arahatashun. See the document for more details.
• Describe how to use the Docker image at step of GitHub Actions workflow. See the document for the details. (#146)

  - uses: docker://rhysd/actionlint:latest
    with:
      args: -color

• Clarify the behavior if empty strings are set to some command line options in documents. -shellcheck= disables shellcheck integration and -pyflakes= disables pyflakes integration. (#156)
• Update Go module dependencies.

v1.6.15

• Fix referring env context from env: at step level caused an error. env: at toplevel and job level cannot refer env context, but env: at step level can. (#158)

  on: push
  
  env:
    # ERROR: 'env:' at toplevel cannot refer 'env' context
    ERROR1: ${{ env.PATH }}
  
  jobs:
    my_job:
      runs-on: ubuntu-latest
      env:
        # ERROR: 'env:' at job level cannot refer 'env' context
        ERROR2: ${{ env.PATH }}
      steps:
        - run: echo "$THIS_IS_OK"
          env:
            # OK: 'env:' at step level CAN refer 'env' context
            THIS_IS_OK: ${{ env.PATH }}

• Docker image for linux/arm64 is now provided. It is useful for M1 Mac users. (#159, thanks @politician)
• Fix the download script did not respect the version specified via the first argument. (#162, thanks @mateiidavid)

v1.6.14

• Some filters are exclusive in events at on:. Now actionlint checks the exclusive filters are used in the same event. paths and paths-ignore, branches and branches-ignore, tags and tags-ignore are exclusive. See the document for the details.

  on:
    push:
      # ERROR: Both 'paths' and 'paths-ignore' filters cannot be used for the same event
      paths: ...
      paths-ignore: ...

• Some event filters are checked more strictly. Some filters are only available with specific events. Now actionlint checks the limitation. See the document for complete list of such filters.

  on:
    release:
      # ERROR: 'tags' filter is only available for 'push' event
      tags: v*.*.*

• Paths starting/ending with spaces are now reported as error.
• Inputs of workflow which specify both default and required are now reported as error. When required is specified at input of workflow call, a caller of it must specify value of the input. So the default value will never be used. (#154, thanks @sksat)

  on:
    workflow_call:
      inputs:
        my_input:
          description: test
          type: string
          # ERROR: The default value 'aaa' will never be used
          required: true
          default: aaa

• Fix inputs of workflow_dispatch are set to inputs context as well as github.event.inputs. This was added by the recent change of GitHub Actions. (#152)

  on:
    workflow_dispatch:
      inputs:
        my_input:
          type: string
          required: true
  jobs:
    my_job:
      runs-on: ubuntu-latest
      steps:
        - run: echo ${{ github.event.inputs.my_input }}
        # Now the input is also set to `inputs` context
        - run: echo ${{ inputs.my_input }}

• Improve that env context is now not defined in values of env:, id: and uses:. actionlint now reports usage of env context in such places as type errors. (#158)

  runs-on: ubuntu-latest
  env:
    FOO: aaa
  steps:
    # ERROR: 'env' context is not defined in values of 'env:', 'id:' and 'uses:'
    - uses: test/${{ env.FOO }}@main
      env:
        BAR: ${{ env.FOO }}
      id: foo-${{ env.FOO }}

• actionlint command gains -stdin-filename command line option. When it is specified, the file name is used on reading input from stdin instead of <stdin>. (#157, thanks @arahatashun)

  # Error message shows foo.yml as file name where the error happened
  ... | actionlint -stdin-filename foo.yml -

• The download script allows to specify a directory path to install actionlint executable with the second argument of the script. For example, the following command downloads /path/to/bin/actionlint:

  # Downloads the latest stable version at `/path/to/bin/actionlint`
  bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) latest /path/to/bin
  # Downloads actionlint v1.6.14 at `/path/to/bin/actionlint`
  bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) 1.6.14 /path/to/bin

• Update popular actions data set including goreleaser-action@v3, setup-python@v4, aks-set-context@v3.
• Update Go dependencies including go-yaml/yaml v3.

v1.6.13

• secrets: inherit in reusable workflow is now supported (#138)

  on:
    workflow_dispatch:
  
  jobs:
    pass-secrets-to-workflow:
      uses: ./.github/workflows/called-workflow.yml
      secrets: inherit

  This means that actionlint cannot know the workflow inherits secrets or not when checking a reusable workflow. To support secrets: inherit without giving up on checking secrets context, actionlint assumes the followings. See the document for the details.
  • when secrets: is omitted in a reusable workflow, the workflow inherits secrets from a caller
  • when secrets: exists in a reusable workflow, the workflow inherits no other secret
• macos-12 runner is now supported (#134, thanks @shogo82148)
• ubuntu-22.04 runner is now supported (#142, thanks @shogo82148)
• concurrency is available on reusable workflow call (#136)

  jobs:
    checks:
      concurrency:
        group: ${{ github.ref }}-${{ github.workflow }}
        cancel-in-progress: true
      uses: ./path/to/workflow.yaml

• pre-commit hook now uses a fixed version of actionlint. For example, the following configuration continues to use actionlint v1.6.13 even if v1.6.14 is released. (#116)

  repos:
    - repo: https://github.com/rhysd/actionlint
      rev: v1.6.13
      hooks:
        - id: actionlint-docker

• Update popular actions data set including new versions of docker/*, haskell/actions/setup, actions/setup-go, ... (#140, thanks @bflad)
• Update Go module dependencies