Releases: rhysd/actionlint
Releases · rhysd/actionlint
v1.7.5
- Strictly check available contexts in
${{ }}
placeholders following the 'Context availability' table in the official document.- For example,
jobs.<job>.env
allowsgithub
context butjobs.<job>.services.<service>.env
doesn't allow any contexts. Now actionlint can catch the mistake.jobs: test: runs-on: ubuntu-latest env: # OK. `github` context is available here. COMMIT_SHA: ${{ github.sha }} services: redis: image: redis env: # ERROR: No context is available here. COMMIT_SHA: ${{ github.sha }} steps: - ...
- For example,
- Check a string literal passed to
fromJSON()
call. This pattern is popular to create array or object constants because GitHub Actions does not provide the literal syntax for them. See the document for more details. (#464)jobs: test: # ERROR: Key 'mac' does not exist in the object returned by the fromJSON() runs-on: ${{ fromJSON('{"win":"windows-latest","linux":"ubuntul-latest"}')['mac'] }} steps: - run: echo This is a special branch! # ERROR: Broken JSON string passed to fromJSON. if: contains(fromJSON('["main","release","dev"'), github.ref_name)
- Allow passing command arguments to
-shellcheck
argument. (#483, thanks @anuraaga)- This is useful when you want to use alternative build of shellcheck like go-shellcheck.
actionlint -shellcheck="go run github.com/wasilibs/go-shellcheck/cmd/shellcheck@latest"
- This is useful when you want to use alternative build of shellcheck like go-shellcheck.
- Support undocumented
repository_visibility
,artifact_cache_size_limit
,step_summary
,output
,state
properties ingithub
context. (#489, thanks @rasa for addingrepository_visibility
property) - Remove
macos-12
runner label from known labels because it was dropped from GitHub-hosted runners on Dec. 3 and is no longer available. - Add
windows-2025
runner label to the known labels. The runner is in public preview. (#491, thanks @ericcornelissen) - Add
black
to the list of colors forbranding.color
action metadata. (#485, thanks @eifinger) - Add
table
to the list of icons forbranding.icon
action metadata. - Fix parsing escaped
{
informat()
function call's first argument. - Fix the incorrect
join()
function overload.join(s1: string, s2: string)
was wrongly accepted. - Update popular actions data set to the latest.
- Link to the documents of the stable version in actionlint
man
page and-help
output. - Refactor
LintStdin()
API example and some unit tests. (#472, #475, thanks @alexandear) - Improve the configuration example in
actionlint.yaml
document to explain glob patterns forpaths
. (#481)
v1.7.4
- Disallow the usage of popular actions that run on
node16
runner. Thenode16
runner will reach the end of life on November 12.- In case of the error, please update your actions to the latest version so that they run on the latest
node20
runner. - If you're using self-hosted runner and you cannot upgrade your runner to
node20
soon, please consider to ignore the error by thepaths
configuration described below. - If you're using
actions/upload-artifact@v3
andactions/download-artifact@v3
on GHES, please replace them withactions/upload-artifact@v3-node20
andactions/download-artifact@v3-node20
. (#468)
- In case of the error, please update your actions to the latest version so that they run on the latest
- Provide the configuration for ignoring errors by regular expressions in
actionlint.yml
(oractionlint.yaml
). Please see the document for more details. (#217, #342)- The
paths
is a mapping from the file path glob pattern to the corresponding configuration. Theignore
configuration is a list of regular expressions to match error messages (similar to the-ignore
command line option).paths: # This pattern matches any YAML file under the '.github/workflows/' directory. .github/workflows/**/*.yaml: ignore: # Ignore the specific error from shellcheck - 'shellcheck reported issue in this script: SC2086:.+' # This pattern only matches '.github/workflows/release.yaml' file. .github/workflows/release.yaml: ignore: # Ignore errors from the old runner check. This may be useful for (outdated) self-hosted runner environment. - 'the runner of ".+" action is too old to run on GitHub Actions'
- This configuration was not implemented initially because I wanted to keep the configuration as minimal as possible. However, due to several requests for it, the configuration has now been added.
- The
- Untrusted inputs check is safely skipped inside specific function calls. (#459, thanks @IlyaGulya)
- For example, the following step contains the untrusted input
github.head_ref
, but it is safe because it's passed to thecontains()
argument.- run: echo "is_release_branch=${{ contains(github.head_ref, 'release') }}" >> "$GITHUB_OUTPUT"
- For more details, please read the rule document.
- For example, the following step contains the untrusted input
- Recognize
gcr.io
andgcr.dev
as the correct container registry hosts. (#463, thanks @takaidohigasi)- Note that it is recommended explicitly specifying the scheme like
docker://gcr.io/...
.
- Note that it is recommended explicitly specifying the scheme like
- Remove
macos-x.0
runner labels which are no longer available. (#452) - Disable shellcheck
SC2043
rule because it can cause false positives on checkingrun:
. (#355)- The rule document was updated as well. (#466, thanks @risu729)
- Fix the error message was not deterministic when detecting cycles in
needs
dependencies. - Fix the check for
format()
function was not applied when the function name contains upper case likeFormat()
. Note that function names in${{ }}
placeholders are case-insensitive. - Update the popular actions data set to the latest.
- This includes the new
ref
andcommit
outputs ofactions/checkout
.
- This includes the new
- Add
actions/cache/save
andactions/cache/restore
to the popular actions data set. - Links in the README.md now point to the document of the latest version tag instead of HEAD of
main
branch. - Add
Linter.LintStdin
method dedicated to linting STDIN instead of handling STDIN inCommand
. - (Dev) Add new
check-checks
script to maintain the 'Checks' document. It automatically updates the outputs and playground links for example inputs in the document. It also checks the document is up-to-date on CI. Please read the document for more details.
v1.7.3
- Remove
macos-11
runner labels because macOS 11 runner was dropped on 6/28/2024. (#451, thanks @muzimuzhi) - Support
macos-15
,macos-15-large
, andmacos-15-xlarge
runner labels. The macOS 15 runner is not globally available yet, but they are available in beta. (#453, thanks @muzimuzhi) - Release artifact includes checksums for the released binaries. The file name is
actionlint_{version}_checksums.txt
. (#449)- For example, the checksums for v1.7.3 can be found here.
- Fix
download-path
output is missing inactions/download-artifact@v3
action. (#442)- Note that the latest version
actions/download-artifact@v4
was not affected by this issue.
- Note that the latest version
- Support Go 1.23.
v1.7.2
- Fix child processes to run in parallel.
- Update the popular actions data set to the latest. (#442, #445, #446, #447, thanks @maikelvdh)
- Add support for checking branch filters on
merge_group
event. (#448, thanks @muzimuzhi) - The playground now supports both light and dark modes and automatically applies the system's theme.
- Fix releasing a failure on making a new winget package. (#438, thanks @vedantmgoyal9)
v1.7.1
- Support
ubuntu-24.04
runner label, which was recently introduced as beta. (#425, thanks @bitcoin-tools) - Remove the support for
macos-10
runner label which was officially dropped about 2 years ago. - Remove the support for
windows-2016
runner label which was officially dropped about 2 years ago. - Document URLs used in help output and links in the playground prefer specific version tag rather than
main
branch. For example, - Fix actionlint wrongly reports an error when using
ghcr.io
ordocker.io
atimage
field of action metadata file of Docker action withoutdocker://
scheme. (#428)runs: using: 'docker' # This should be OK image: 'ghcr.io/user/repo:latest'
- Fix checking
preactjs/compressed-size-action@v2
usage caused a false positive. (#422) - Fix an error message when invalid escaping is found in globs.
- The design of the playground page is overhauled following the upgrade of bulma package to v1.
- Current actionlint version is shown in the heading.
- The color theme is changed to the official dark theme.
- The list of useful links is added to the bottom of the page as 'Resources' section.
v1.7.0
- From this version, actionlint starts to check action metadata file
action.yml
(oraction.yaml
). At this point, only very basic checks are implemented and contents ofsteps:
are not checked yet.- It checks properties under
runs:
section (e.g.main:
can be specified when it is a JavaScript action),branding:
properties, and so on.name: 'My action' author: '...' # ERROR: 'description' section is missing branding: # ERROR: Invalid icon name icon: dog runs: # ERROR: Node.js runtime version is too old using: 'node12' # ERROR: The source file being run by this action does not exist main: 'this-file-does-not-exist.js' # ERROR: 'env' configuration is only allowed for Docker actions env: SOME_VAR: SOME_VALUE
- actionlint still focuses on checking workflow files. So there is no way to directly specify
action.yml
as an argument ofactionlint
command. actionlint checks all local actions which are used by given workflows. If you want to use actionlint for your action development, prepare a test/example workflow which uses your action, and check it with actionlint instead. - Checks for
steps:
contents are planned to be implemented. Since several differences are expected betweensteps:
in workflow file andsteps:
in action metadata file (e.g. available contexts), the implementation is delayed to later version. And the current implementation of action metadata parser is ad hoc. I'm planning a large refactorying and breaking changes Go API around it are expected.
- It checks properties under
- Add
runner.environment
property. (#412)- run: echo 'Run by GitHub-hosted runner' if: runner.environment == 'github-hosted'
- Using outdated popular actions is now detected at error. See the document for more details.
- Here 'outdated' means actions which use runtimes no longer supported by GitHub-hosted runners such as
node12
.# ERROR: actions/checkout@v2 is using the outdated runner 'node12' - uses: actions/checkout@v2
- Here 'outdated' means actions which use runtimes no longer supported by GitHub-hosted runners such as
- Support
attestations
permission which was recently added to GitHub Actions as beta. (#418, thanks @bdehamer)permissions: id-token: write contents: read attestations: write
- Check comparison expressions more strictly. Arbitrary types of operands can be compared as the official document explains. However, comparisons between some types are actually meaningless because the values are converted to numbers implicitly. actionlint catches such meaningless comparisons as errors. Please see the check document for more details.
on: workflow_call: inputs: timeout: type: boolean jobs: test: runs-on: ubuntu-latest steps: - run: echo 'called!' # ERROR: Comparing string to object is always evaluated to false if: ${{ github.event == 'workflow_call' }} - run: echo 'timeout is too long' # ERROR: Comparing boolean value with `>` doesn't make sense if: ${{ inputs.timeout > 60 }}
- Follow the update that
macos-latest
is now an alias tomacos-14
runner. - Support a custom python shell by
pyflakes
rule. - Add workaround actionlint reports that
dorny/paths-filter
'spredicate-quantifier
input is not defined. (#416) - Fix the type of a conditional expression by comparison operators is wider than expected by implementing type narrowing. (#384)
- For example, the type of following expression should be
number
but it was actuallystring | number
and actionlint complained thattimeout-minutes
must take a number value.timeout-minutes: ${{ env.FOO && 10 || 60 }}
- For example, the type of following expression should be
- Fix
${{ }}
placeholder is not available atjobs.<job_id>.services
. (#402)jobs: test: services: ${{ fromJSON('...') }} runs-on: ubuntu-latest steps: - run: ...
- Do not check outputs of
google-github-actions/get-secretmanager-secrets
because this action sets outputs dynamically. (#404) - Fix
defaults.run
is ignored on detecting the shell used inrun:
. (#409)defaults: run: shell: pwsh jobs: test: runs-on: ubuntu-latest steps: # This was wrongly detected as bash script - run: $Env:FOO = "FOO"
- Fix parsing a syntax error reported from pyflakes when checking a Python script in
run:
. (#411)- run: print( shell: python
- Skip checking
exclude:
items inmatrix:
when they are constructed from${{ }}
dynamically. (#414)matrix: foo: ['a', 'b'] exclude: # actionlint complained this value didn't exist in matrix combinations - foo: ${{ env.EXCLUDE_FOO }}
- Fix checking
exclude:
items when${{ }}
is used in nested arrays at matrix items.matrix: foo: - ["${{ fromJSON('...') }}"] exclude: # actionlint complained this value didn't match to any matrix combinations - foo: ['foo']
- Update popular actions data set. New major versions are added and the following actions are newly added.
peaceiris/actions-hugo
actions/attest-build-provenance
actions/add-to-project
octokit/graphql-action
- Update Go dependencies to the latest.
- Reduce the size of
actionlint
executable by removing redundant data from popular actions data set.- x86_64 executable binary size was reduced from 6.9MB to 6.7MB (2.9% smaller).
- Wasm binary size was reduced from 9.4MB to 8.9MB (5.3% smaller).
- Describe how to integrate actionlint to Pulsar Edit in the document. (#408, thanks @mschuchard)
- Update outdated action versions in the usage document. (#413, thanks @naglis)
v1.6.27
- Add macOS 14 runner labels for Apple Silicon support. The following labels are added. (thanks @harryzcy, #392)
macos-14
macos-14-xlarge
macos-14-large
- Remove
ubuntu-18.04
runner label from runners list since it is no longer supported. (#363) - Allow glob patterns in
self-hosted-runner.labels
configuration. For example, the following configuration defines any runner labels prefixed withprivate-linux-
. (thanks @kishaningithub, #378)self-hosted-runner: labels: - private-linux-*
- Fix a race condition bug when
-format
option is used for linting multiple workflow files. Thanks @ReinAchten-TomTom for your help on the investigation. (#370) - Fix a race condition due to conflicts between some goroutine which starts to run shellcheck process and other goroutine which starts to wait until all processes finish.
- The popular actions data set was updated to the latest and the following actions were newly added. (thanks @jmarshall, #380)
google-github-actions/auth
google-github-actions/get-secretmanager-secrets
google-github-actions/setup-gcloud
google-github-actions/upload-cloud-storage
pulumi/actions
pypa/gh-action-pypi-publish
- Add support for larger runner labels. The following labels are added. (thanks @therealdwright, #371)
windows-latest-8-cores
ubuntu-latest-4-cores
ubuntu-latest-8-cores
ubuntu-latest-16-cores
- The following WebHook types are supported for
pull_request
event.enqueued
dequeued
milestoned
demilestoned
- Explain how to control shellckeck behavior in the shellcheck rule document. Use
SHELLCHECK_OPTS
environment variable to pass arguments to shellcheck. See the shellcheck's official document for more details.# Enable some optional rules SHELLCHECK_OPTS='--enable=avoid-nullary-conditions' actionlint # Disable some rules SHELLCHECK_OPTS='--exclude=SC2129' actionlint
- Explicitly specify
docker.io
host name in pre-commit hook. (thanks @gotmax23, #382) - Explain how to report issues and send patches in CONTRIBUTING.md.
- Fix the link to super-linter project. (thanks @zkoppert, #376)
- Add the instruction to install actionlint via the Arch Linux's official repository. (thanks @sorairolake, #381)
- Prefer fixed revisions in the pre-commit usage. (thanks @corneliusroemer, #354)
- Add instructions to use actionlint with Emacs. (thanks @tirimia, #341)
- Add instructions to use actionlint with Vim and Neovim text editors.
- Add
actionlint.RuleBase.Config
method to get the actionlint configuration passed to rules. (thanks @hugo-syn, #387) - Add
actionlint.ContainsExpression
function to check if the given string contains${{ }}
placeholders or not. (thanks @hugo-syn, #388) - Support Go 1.22 and set the minimum supported Go version to 1.18 for
x/sys
package. - Update Go dependencies to the latest.
v1.6.26
- Several template fields and template actions were added. All fields and actions are listed in the document. Please read it for more details. (#311)
- By these additions, now actionlint can output the result in the SARIF format. SARIF is a format for the output of static analysis tools used by GitHub CodeQL. the example Go template to format actionlint output in SARIF.
actionlint -format "$(cat /path/to/sarif_template.txt)" > output.json
allKinds
returns the kinds (lint rules) information as an array. You can include what lint rules are defined in the command output.toPascalCase
converts snake case (foo_bar
) or kebab case (foo-bar
) into pascal case (FooBar
).
- By these additions, now actionlint can output the result in the SARIF format. SARIF is a format for the output of static analysis tools used by GitHub CodeQL. the example Go template to format actionlint output in SARIF.
- Report an error when the condition at
if:
is always evaluated to true. See the check document to know more details. (#272)# ERROR: All the following `if:` conditions are always evaluated to true - run: echo 'Commit is pushed' if: | ${{ github.event_name == 'push' }} - run: echo 'Commit is pushed' if: "${{ github.event_name == 'push' }} " - run: echo 'Commit is pushed to main' if: ${{ github.event_name == 'push' }} && ${{ github.ref_name == 'main' }}
- Fix actionlint didn't understand
${{ }}
placeholders in environment variable names. (#312)env: "${{ steps.x.outputs.value }}": "..."
- Fix type of matrix row when some expression is assigned to it with
${{ }}
(#285)strategy: matrix: test: # Matrix rows are assigned from JSON string - ${{ fromJson(inputs.matrix) }} steps: - run: echo ${{ matrix.test.foo.bar }}
- Fix checking
exclude
of matrix was incorrect when some matrix row is dynamically constructed with${{ }}
. (#261)strategy: matrix: build-type: - debug - ${{ fromJson(inputs.custom-build-type) }} exclude: # 'release' is not listed in 'build-type' row, but it should not be reported as error # since the second row of 'build-type' is dynamically constructed with ${{ }}. - build-type: release
- Fix checking
exclude
of matrix was incorrect when object is nested at row of the matrix. (#249)matrix: os: - name: Ubuntu matrix: ubuntu - name: Windows matrix: windows arch: - name: ARM matrix: arm - name: Intel matrix: intel exclude: # This should exclude { os: { name: Windows, matrix: windows }, arch: {name: ARM, matrix: arm } } - os: matrix: windows arch: matrix: arm
- Fix data race when
actionlint.yml
config file is used by multiple goroutines to check multiple workflow files. (#333) - Check keys' case sensitivity. (#302)
steps: # ERROR: 'run:' is correct - ruN: echo "hello"
- Add
number
as input type ofworkflow_dispatch
event. (#316) - Check max number of inputs of
workflow_dispatch
event is 10. - Check numbers at
timeout-minutes
andmax-parallel
are greater than zero. - Add Go APIs to define a custom rule. Please read the code example to know the usage.
- Make some
RuleBase
methods public which are useful to implement your own custom rule type. (thanks @hugo-syn, #327, #331) OnRulesCreated
field is added toLinterOptions
struct. You can modify applied rules with the hook (add your own rule, remove some rule, ...).
- Make some
- Add
NewProject()
Go API to create aProject
instance. - Fix tests failed when sources are downloaded from
.tar.gz
link. (#307) - Improve the pre-commit document to explain all pre-commit hooks by this repository.
- Clarify the regular expression syntax of
-ignore
option is RE2. (#320) - Use ubuntu-latest runner to create winget release. (thanks @sitiom, #308)
- Update popular actions data set, available contexts, webhook types to the latest.
- Fix typo in
watch
webhook's types (thanks @suzuki-shunsuke, #334) - Add
secret_source
property togithub
context. (thanks @asml-mdroogle, #339) - Many new major releases are added to the popular actions data set (including
actions/checkout@v4
).
- Fix typo in
- Use Go 1.21 to build release binaries.
- Update Go dependencies to the latest. (thanks @harryzcy, #322)
v1.6.25
- Parse new syntax at
runs-on:
. Nowruns-on:
can havegroup:
andlabels:
configurations. Please read the official document for more details. (#280)runs-on: group: ubuntu-runners labels: ubuntu-20.04-16core
- Add support for macOS XL runners.
macos-latest-xl
,macos-13-xl
,macos-12-xl
labels are available atruns-on:
. (#299, thanks @woa7) - Find Git project directory from
-stdin-filename
command line argument. Even if the workflow content is passed via stdin, actionlint can recognize reusable workflows depended by the workflow using file path passed at-stdin-filename
argument. (#283) - Fix order of errors is not deterministic when multiple errors happen at the same location (file name, line number, column number). It happens only when building actionlint with Go 1.20 or later.
- Fix type name of
watch
webhook. - Fix type of matrix row (property of
matrix
context) when${{ }}
is used in the row value. (#294) - Fix
go install ./...
doesn't work. (#297) - Update
actionlint
pre-commit hook to use Go toolchain. Now pre-commit automatically installsactionlint
command so you don't need to install it manually. Note that this hook requires pre-commit v3.0.0 or later. For those who don't have Go toolchain, the previous hook is maintained asactionlint-system
hook. Please read the document to know the usage details. (#301, thanks @Freed-Wu and @dokempf) - Update Go dependencies to the latest.
- Update npm dependencies for playground to the latest and fix optimizing Wasm binary with
wasm-opt
. - Update popular actions data set. New major versions and new inputs of many popular actions are now supported like
sparse-checkout
input ofactions/checkout
action. (#305) - Fix outdated document for Problem Matchers. (#289, thanks @carlcsaposs-canonical)
- Fix outdated links in document for super-linter. (#303, thanks @gmacario)
- Automate releasing the Winget package with GitHub Actions. (#276, #293, thanks @sitiom)
v1.6.24
- Add support for configuration variables. However actionlint doesn't know what variables are defined in the repository on GitHub. To notify them, you need to configure your variables in your repository.
config-variables: - DEFAULT_RUNNER - DEFAULT_TIMEOUT
- Fix type error when
inputs
context is shared by multiple events. (#263) - Add document for how to install actionlint with winget. (#267, thanks @sitiom)
- Add document for how to integrate actionlint to trunk.io. (#269, thanks @dapirian)
- Add document for how to install actionlint with Nix package manager. (#273, thanks @diohabara)
- Update popular actions data set to the latest
- Add support for Go 1.20 and build release binaries with Go 1.20