Releases: rhysd/actionlint
v1.6.2
- actionlint now checks that values evaluated at `${{ }}` are neither an object nor an array, since such values are not useful. See the check document for more details.

```yaml
# ERROR: This will always be replaced with `echo 'Object'`
- run: echo '${{ runner }}'
# OK: Serialize an object into JSON to check the content
- run: echo '${{ toJSON(runner) }}'
```
- Add pre-commit support. pre-commit is a framework for managing Git `pre-commit` hooks. See the usage document for more details. (thanks @xsc27 for adding the integration at #33) (#23)
- Add an official Docker image. The Docker image contains shellcheck and pyflakes as dependencies. Now actionlint can be run with `docker run` command easily. See the usage document for more details. (thanks @xsc27 for the help at #34)

```sh
docker run --rm -v $(pwd):/repo --workdir /repo rhysd/actionlint:latest -color
```
- Go 1.17 is now the default compiler to build actionlint. Built binaries are faster than before by 2~7% when the process is CPU-bound. Sizes of built binaries are about 2% smaller. Note that Go 1.16 continues to be supported.
- `windows/arm64` target is added to released binaries thanks to Go 1.17.
- Now any value can be converted into bool implicitly. Previously this was not permitted as actionlint provides stricter type check. However it is not useful that a condition like `if: github.event.foo` causes a type error.
- Fix that a prefix operator could not be applied repeatedly, like `!!42`.
- Fix a potential crash when type checking on expanding an object with `${{ }}` like `matrix: ${{ fromJSON(env.FOO) }}`
- Update popular actions data set (#36)
v1.6.1
- Problem Matchers is now officially supported by actionlint, which annotates errors from actionlint on GitHub. The matcher definition is maintained at `.github/actionlint-matcher.json` by script. For the usage, see the document.
- `runner_label` rule now checks conflicts in labels at `runs-on`. For example, there is no runner which meets both `ubuntu-latest` and `windows-latest`. This kind of misconfiguration sometimes happens when a beginner misunderstands the usage of `runs-on:`. To run a job on each runner, `matrix:` should be used. See the document for more information.

```yaml
on: push
jobs:
  test:
    # These labels match to no runner
    runs-on: [ubuntu-latest, windows-latest]
    steps:
      - run: echo ...
```

- Reduce memory footprint (around 16%) on starting `actionlint` command by removing unnecessary data from `PopularActions` global variable. This also slightly reduces binary size (about 3.7% at `playground/main.wasm`).
- Fix that accessing `steps.*` objects in a job's `environment:` configuration caused a type error (#30).
- Fix that checking an action's input names at `with:` was not case-insensitive (#31).
- Ignore outputs of getsentry/paths-filter. It is a fork of dorny/paths-filter. actionlint cannot check the outputs statically because it sets outputs dynamically.
- Add Azure/functions-action to popular actions.
- Update popular actions data set (#29).
v1.6.0
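- Check potentially untrusted inputs to prevent a script injection vulnerability at `run:` and `script` input of actions/github-script. A `${{ }}` expression is expanded into the script text before the shell runs, so an attacker-controlled value such as a pull request title becomes part of the script; passing the value through an environment variable keeps it as data. See the rule document for more explanations and workflow example. (thanks @azu for the feature request at #19)

Incorrect code

```yaml
- run: echo '${{ github.event.pull_request.title }}'
```

should be replaced with

```yaml
- run: echo "issue ${TITLE}"
  env:
    TITLE: ${{github.event.issue.title}}
```
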
- Add `-format` option to `actionlint` command. It allows you to flexibly format error messages as you like with Go template syntax. See the usage document for more details. (thanks @ybiquitous for the feature request at #20)

Simple example to output error messages as JSON:

```sh
actionlint -format '{{json .}}'
```

More complicated example to output error messages as markdown:

```sh
actionlint -format '{{range $ := .}}### Error at line {{$.Line}}, col {{$.Column}} of `{{$.Filepath}}`\n\n{{$.Message}}\n\n```\n{{$.Snippet}}\n```\n\n{{end}}'
```

- Documents are reorganized. Long `README.md` is separated into several document files (#28)
  - `README.md`: Introduction, Quick start, Document links
  - `docs/checks.md`: Full list of all checks done by actionlint with example inputs, outputs, and playground links
  - `docs/install.md`: Installation instruction
  - `docs/usage.md`: Advanced usage of `actionlint` command, usage of playground, integration with reviewdog, Problem Matchers, super-linter
  - `docs/config.md`: About configuration file
  - `doc/api.md`: Using actionlint as Go library
  - `doc/reference.md`: Links to resources
- Fix that checking shell names was not case-insensitive. For example, `PowerShell` was detected as an invalid shell name
- Update popular actions data set to the latest
- Make lexer errors on checking `${{ }}` expressions more meaningful
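
The untrusted-input check from the first item of this release can be approximated as follows. This is an added Go sketch, not actionlint's implementation: `FindUntrusted`, the regular expressions and the short context list are assumptions chosen for illustration, and it scans only the text of a `run:` script.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed subset of attacker-controllable contexts; not actionlint's own list.
var untrusted = map[string]bool{
	"github.event.issue.title":        true,
	"github.event.issue.body":         true,
	"github.event.pull_request.title": true,
	"github.event.pull_request.body":  true,
	"github.event.comment.body":       true,
	"github.head_ref":                 true,
}

var (
	exprRe = regexp.MustCompile(`(?s)\$\{\{(.*?)\}\}`)            // ${{ ... }} placeholders
	pathRe = regexp.MustCompile(`(?i)\bgithub(\.[a-z0-9_-]+)+`) // github.* property paths
)

// FindUntrusted returns the untrusted context paths that ${{ }} would
// expand directly into the given run: script. Context names are
// case-insensitive, so matches are lowercased before the lookup.
func FindUntrusted(script string) []string {
	var found []string
	for _, m := range exprRe.FindAllStringSubmatch(script, -1) {
		for _, p := range pathRe.FindAllString(m[1], -1) {
			if p = strings.ToLower(p); untrusted[p] {
				found = append(found, p)
			}
		}
	}
	return found
}

func main() {
	scripts := []string{
		`echo '${{ github.event.pull_request.title }}'`, // from the release note: flagged
		`echo "issue ${TITLE}"`,                         // env-var form from the release note: clean
		`echo '${{ toJSON(github.event.issue.body) }}'`, // constructed: still expanded into the script
	}
	for _, s := range scripts {
		fmt.Printf("%-50s -> %v\n", s, FindUntrusted(s))
	}
}
```

The `env:` mapping is deliberately not scanned: an expression there sets a variable's value and never becomes script text.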
v1.5.3
- Now actionlint allows any operators to be used outside `${{ }}` on `if:` condition like `if: github.repository_owner == 'rhysd'` (#22). The official document said that using any operator outside `${{ }}` was invalid even if it was on `if:` condition. However, github/docs#8786 clarified that the document was not correct.
v1.5.2
- Outputs of dorny/paths-filter are now not typed strictly because the action dynamically sets outputs which are not defined in its `action.yml`. actionlint cannot check such outputs statically (#18).
- The table for checking Webhooks supported by GitHub Actions is now generated from the official document automatically with script. The table continues to be updated weekly by the CI workflow.
- Improve error messages while lexing expressions as follows.
- Fix column numbers are off-by-one on some lexer errors.
- Fix checking invalid numbers where some digit follows zero in a hex number (e.g. `0x01`) or an exponent part of number (e.g. `1e0123`).
- Fix a parse error message when some tokens still remain after parsing finishes.
- Refactor the expression lexer to lex an input incrementally. It slightly reduces memory consumption.
Lex error until v1.5.1:

```
test.yaml:9:26: got unexpected character '+' while lexing expression, expecting '_', '\'', '}', '(', ')', '[', ']', '.', '!', '<', '>', '=', '&', '|', '*', ',', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z' [expression]
```

Lex error from v1.5.2:

```
test.yaml:9:26: got unexpected character '+' while lexing expression, expecting 'a'..'z', 'A'..'Z', '0'..'9', ''', '}', '(', ')', '[', ']', '.', '!', '<', '>', '=', '&', '|', '*', ',', '_' [expression]
```

v1.5.1
- Improve checking the intervals of scheduled events (#14, #15). Since GitHub Actions limits the interval to once every 5 minutes, actionlint now reports an error when a workflow is configured to run more often than once every 5 minutes.
- Skip checking inputs of octokit/request-action since it allows arbitrary inputs to be specified though they are not defined in its `action.yml` (#16).
  - Outputs of the action are still typed strictly. Only its inputs are not checked.
- The help text of `actionlint` is now hosted online: https://rhysd.github.io/actionlint/usage.html
- Add new fuzzing target for parsing glob patterns.
v1.5.0
- `action` rule now validates inputs of popular actions at `with:`. When a required input is not specified or an undefined input is specified, actionlint will report it.
  - Popular actions are updated automatically once a week and the data set is embedded into the executable directly. The check does not need any network request and does not affect performance of actionlint. Sources of the actions are listed here. If you have some request to support new action, please report it at the issue form.
  - Please see the document for example (Playground).
- `expression` rule now types outputs of popular actions (type of `steps.{id}.outputs` object) more strictly.
  - For example, `actions/cache@v2` sets `cache-hit` output. The outputs object is typed as `{ cache-hit: any }`. Previously it was typed as `any` which means no further type check was performed.
  - Please see the second example of the document (Playground).
- Outputs of local actions (their names start with `./`) are also typed more strictly as well as popular actions.
- Metadata (`action.yml`) of local actions are now cached to avoid reading and parsing `action.yml` files repeatedly for the same action.
- Add new rule `permissions` to check permission scopes for default `secrets.GITHUB_TOKEN`. Please see the document for more details (Playground).
- Structure of `actionlint.Permissions` struct was changed. A parser no longer checks values of `permissions:` configuration. The check is now done by `permissions` rule.
v1.4.3
- Support new Webhook events `discussion` and `discussion_comment` (#8).
- Read file concurrently with limiting concurrency to number of CPUs. This improves performance when checking many files and disabling shellcheck/pyflakes integration.
- Support Linux based on musl libc by the download script (#5).
- Reduce number of goroutines created while running shellcheck/pyflakes processes. This has small impact on memory usage when your workflows have many `run:` steps.
- Reduce built binary size by splitting an external library which is only used for debugging into a separate command line tool.
- Introduce several micro benchmark suites to track performance.
- Enable code scanning for Go/TypeScript/JavaScript sources in actionlint repository.
v1.4.2
- Fix that executables in the current directory could be used unexpectedly to run `shellcheck` or `pyflakes` on Windows. This behavior could be a security vulnerability since an attacker might put malicious executables in shared directories. actionlint searched for an executable with `exec.LookPath`, but it searched the current directory on Windows, as golang/go#43724 pointed out. Now actionlint uses `execabs.LookPath` instead, which does not have the issue. (ref: sharkdp/bat#1724)
- Fix issue caused by running so many processes concurrently. Since checking workflows by actionlint is highly parallelized, checking many workflow files makes too many `shellcheck` processes and opens many files in parallel. This hit OS resources limitation (issue #3). Now reading files is serialized and number of processes run concurrently is limited for fixing the issue. Note that checking workflows is still done in parallel so this fix does not affect actionlint's performance.
- Ensure cleanup processes even if actionlint stops due to some fatal issue while visiting a workflow tree.
- Improve fatal error message to know which workflow file caused the error.
- Playground improvements
  - "Permalink" button was added to make permalink directly linked to the current workflow source code. The source code is embedded in hash of the URL.
  - "Check" button and URL input form was added to check workflow files on https://github.com or https://gist.github.com easily. Visit a workflow file on GitHub, copy the URL, paste it to the input form and click the button. It instantly fetches the workflow file content and checks it with actionlint.
  - `u=` URL parameter was added to specify GitHub or Gist URL like https://rhysd.github.io/actionlint/?u=https://github.com/rhysd/actionlint/blob/main/.github/workflows/ci.yaml
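
The `exec.LookPath` fix in the first item of this release comes down to never resolving a command relative to the current directory. The following Go example is added here and is not actionlint's or `execabs`'s code: `LookPathAbs` is a hypothetical helper that takes the PATH list as a parameter and expects the full file name (including `.exe` on Windows).

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"runtime"
)

var ErrNotFound = errors.New("executable not found in absolute PATH entries")

func isExecutable(p string) bool {
	info, err := os.Stat(p)
	if err != nil || !info.Mode().IsRegular() {
		return false
	}
	// Windows has no execute bit; elsewhere require at least one.
	return runtime.GOOS == "windows" || info.Mode()&0o111 != 0
}

// LookPathAbs resolves a bare command name using only absolute entries of pathList.
func LookPathAbs(name, pathList string) (string, error) {
	if filepath.Base(name) != name {
		return "", fmt.Errorf("%q: only bare command names are resolved", name)
	}
	for _, dir := range filepath.SplitList(pathList) {
		if !filepath.IsAbs(dir) {
			continue // "", "." and other relative entries resolve against the cwd
		}
		if cand := filepath.Join(dir, name); isExecutable(cand) {
			return cand, nil
		}
	}
	return "", ErrNotFound
}

func main() {
	// Constructed demo: the same tool name exists in the cwd and in a trusted dir.
	trusted, _ := os.MkdirTemp("", "trusted")
	shared, _ := os.MkdirTemp("", "shared")
	defer func() { os.RemoveAll(trusted); os.RemoveAll(shared) }()
	for _, d := range []string{trusted, shared} {
		os.WriteFile(filepath.Join(d, "shellcheck.exe"), []byte("stub"), 0o755)
	}
	os.Chdir(shared) // the "shared directory" a checkout might live in
	path := "." + string(os.PathListSeparator) + trusted
	fmt.Println(LookPathAbs("shellcheck.exe", path)) // resolves inside the trusted dir
}
```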
v1.4.1
- A pre-built executable for `darwin/arm64` (Apple M1) was added to CI (#1)
  - Managing `actionlint` command with Homebrew on M1 Mac is now available. See the instruction for more details
  - Since the author doesn't have M1 Mac and GitHub Actions does not support M1 Mac yet, the built binary is not tested
- Pre-built executables are now built with Go 1.16 compiler (previously it was 1.15)
- Fix error message is sometimes not in one line when the error message was caused by go-yaml/yaml parser
- Fix playground does not work on Safari browsers on both iOS and Mac since they don't support `WebAssembly.instantiateStreaming()` yet
- Make URLs in error messages clickable on playground
- Code base of playground was migrated from JavaScript to TypeScript along with improving error handlings