rhysd / actionlint
Static checker for GitHub Actions workflow files
Home Page: https://rhysd.github.io/actionlint/
License: MIT License
I'd like to use this container as part of a workflow in GitHub Actions, however when I try to do so the actions/checkout action fails:
Deleting the contents of '/__w/my-repo/my-repo'
The repository will be downloaded using the GitHub REST API
To create a local Git repository instead, add Git 2.18 or higher to the PATH
Downloading the archive
(node:17) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
Writing archive to disk
Error: EACCES: permission denied, open '/__w/my-repo/my-repo/231afe6e-70d6-44ac-a49f-824acfe6593a.tar.gz'
I'd like to keep using a container instead of downloading a binary as imo the workflow of using containers is a better workflow than downloading binaries. Additionally, GitHub's unauthenticated API rate-limit budget is not generous. Would it be possible to also build an alpine image with git in it or provide a ubuntu image too for those that want to use your container in a CI/CD setup?
There are a few open issues in actions/checkout that cover this error: actions/checkout#639
I'm looking at using actionlint, and busy testing it on a few workflows. It's working really well and the integration with shellcheck is a huge saver.
The one problem I have encountered is this:
.github/workflows/master_push.yml:165:213: property "result" is not defined in object type {} [expression]
The step in question uses the ${{ needs.build.result }} context expression, where build is a previous job in the workflow, in the needs list for this job. result is a valid property of the needs context, documented here: https://docs.github.com/en/actions/learn-github-actions/contexts#needs-context
Hi, thank you so much for creating this nice tool!
When I tried running actionlint on GitHub Actions, it took some time to set up.
Here is my setup code:
https://gist.github.com/ybiquitous/c72834b30882d3c1f9c105683d4c1137
I use Problem Matcher in the setup code, but I doubt it difficult for many users to use Problem Matcher.
If actionlint could output messages with the ::warning or ::error format of Actions, it might be easier to set up.
(But, for the purpose, severities may be needed...)
For example:
$ actionlint -format github
::error file=.github/workflows/test.yml,line=10,col=15::Something went wrong
What do you think about this idea?
I just found a bug in a workflow because I was trying to reference this property:
${{ github.event.worflow_run.head_commit.message }}
It was only after I copy and pasted the names from the output of ${{ toJSON(github) }} that I realised I'd made an embarrassing typo - (it should be workflow_run)!
What I'm wondering is whether actionlint could catch these kinds of things? How deep you could validate is a good question, but I'd say at least github.event.xxxxx would be a starting point, where xxxxx is one of the events listed at https://docs.github.com/en/actions/reference/events-that-trigger-workflows
Making this available as a pre-commit hook, i.e. add .pre-commit-hooks.yaml would be awesome.
When I run actionlint, the output is as follows:
.github/workflows/schedule.yml:4:13: scheduled job runs too frequently. it runs once per 60 seconds [events]
|
4 | - cron: '* * * * *'
| ^~
According to the documentation at https://docs.github.com/en/actions/reference/events-that-trigger-workflows#scheduled-events, it seems that '* * * * *' appears to be the correct format.
Which is correct, GitHub Actions document or actionlint implementation?
I don't read too long README.md.
I think documents should be separated into several files and structured in doc directory.
README.md: screenshot, sample input/output, reasons, installation, basic usage, links to documents, bug reporting, about license
docs/
usage.md: Advanced Usage and exit statuses
checks.md: Checks
config.md: Configuration file
api.md: About Go API
references.md: Links to resources
Error
input "cache" is not defined in action "actions/setup-python@v2". available inputs
are "architecture", "python-version", "token"
Steps to Reproduce
name: My Workflow
on:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Set up python
        uses: actions/setup-python@v2
        with:
          python-version: 3.10
          cache: 'pip'
Links
https://github.com/actions/setup-python#caching-packages-dependencies caching is a somewhat new input for this action
https://github.com/actions/setup-python/blob/main/action.yml there are a few additional inputs compared to the current whitelist
Right now, I don't see a way to customize shellcheck invocation (I want to exclude additional check).
The list of excluded checks is hard-coded, and it is not using a configuration file:
Line 165 in 7d51998
If I add workflow_call to a simple workflow, I'll get an error about an env later in the file.
---
name: Lint Code Base
on:
  push:
jobs:
  build:
    name: Lint Code Base
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Lint Code Base
        uses: github/super-linter@v4
        env:
          VALIDATE_ALL_CODEBASE: false
          DEFAULT_BRANCH: master
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
workflow_call)
---
name: Lint Code Base
on:
  push:
  workflow_call:
jobs:
  build:
    name: Lint Code Base
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Lint Code Base
        uses: github/super-linter@v4
        env:
          VALIDATE_ALL_CODEBASE: false
          DEFAULT_BRANCH: master
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
property "github_token" is not defined in object type {} [expression]
|
24 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
| ^~~~~~~~~~~~~~~~~~~~
The checks.md document is a very useful resource to find more about each issue types reported by actionlint.
However, currently there's no straightforward way to find out which documentation section corresponds to which issue. The kind key (in the actionlint json formatting) is not usable for this purpose, since both issues
kind value syntax-check (it's not 1-to-1 correspondence)
I'm not sure what is the best/easiest way to address this, but maybe a new docs key with either link to https://github.com/rhysd/actionlint/blob/main/docs/checks.md#XYZ or just the section name XYZ would help.
Example:
[
  {
    "message": "pyflakes reported issue in this script: 1:7 undefined name 'hello'",
    "filepath": "myworkflow.yml",
    "line": 9,
    "column": 9,
    "kind": "pyflakes",
    "snippet": " - run: print(hello)\n ^~~~",
    "docs": "https://github.com/rhysd/actionlint/blob/main/docs/checks.md#check-pyflakes-integ"
  }
]
Alternatively, the checks.md section names could be named after the kind parameter values, however then it may be useful for the kind values to be more detailed - to distinguish between different types of syntax-check.
What do you think?
Yep. Currently using this, but I see actionlint is getting more frequent updates, and I like the online tool it provides.
Can you build a VS Code extension out of it?
Keeping your GitHub Actions and workflows secure: Untrusted input | GitHub Security Lab describes untrusted input on GitHub Actions.
In many cases, using the following values directly in run: or script: is a vulnerability.
github.event.issue.title
github.event.issue.body
github.event.pull_request.title
github.event.pull_request.body
github.event.comment.body
github.event.review.body
github.event.review_comment.body
github.event.pages.*.page_name
github.event.commits.*.message
github.event.head_commit.message
github.event.head_commit.author.email
github.event.head_commit.author.name
github.event.commits.*.author.email
github.event.commits.*.author.name
github.event.pull_request.head.ref
github.event.pull_request.head.label
github.event.pull_request.head.repo.default_branch
github.head_ref
For example, the following action has a command injection vulnerability.
name: test
on: [pull_request]
permissions:
  contents: read
jobs:
  test:
    name: "Test"
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - run: echo "${{ github.event.pull_request.title }}"
If an attacker creates a malicious PR title like ";cat .git/config|base64", GitHub Actions will execute the title as a command.
actions/checkout sets GITHUB_TOKEN in .git/config for checking out the repo.
We can mitigate the vulnerability of the action by using env: as a parameter.
name: test
on: [pull_request]
permissions:
  contents: read
jobs:
  test:
    name: "Test"
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - run: echo "${PR_TITLE}"
        env:
          PR_TITLE: "${{ github.event.pull_request.title }}"
If actionlint checked for untrusted input in run:, it would make us safer.
GitHub CodeQL has implemented related functions.
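The check requested in the issue above, as an added example (not actionlint's own code and not part of the original issue): a line-based scanner in Go that reports the listed properties when they are expanded with ${{ }} inside run: or script: text, and stays quiet when the value is passed through env:. The names Scan, Finding and sampleWorkflow are assumptions, and the sample workflow is constructed from the two workflows in the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// untrustedInputs holds the context properties listed in the issue above.
var untrustedInputs = strings.Fields(`
	github.event.issue.title github.event.issue.body
	github.event.pull_request.title github.event.pull_request.body
	github.event.comment.body github.event.review.body
	github.event.review_comment.body github.event.pages.*.page_name
	github.event.commits.*.message github.event.head_commit.message
	github.event.head_commit.author.email github.event.head_commit.author.name
	github.event.commits.*.author.email github.event.commits.*.author.name
	github.event.pull_request.head.ref github.event.pull_request.head.label
	github.event.pull_request.head.repo.default_branch github.head_ref`)

var (
	// One alternation over the list; "*" stands for any single path segment.
	untrustedRe = regexp.MustCompile("^(?:" + strings.NewReplacer(".", `\.`, "*", `[^.]+`).
			Replace(strings.Join(untrustedInputs, "|")) + ")$")
	exprRe = regexp.MustCompile(`\$\{\{(.*?)\}\}`) // a ${{ ... }} on one line
	pathRe = regexp.MustCompile(`[a-z_][a-z0-9_-]*(?:\.(?:\*|[a-z_][a-z0-9_-]*))+`)
)

// Finding is one untrusted property expanded inside an inline script.
type Finding struct {
	Line  int    // 1-based line number in the workflow text
	Input string // property path as written, lowercased
}

// sampleWorkflow is constructed from the two workflows in the issue: the first
// run: step expands the PR title in the script, the second passes it via env:.
const sampleWorkflow = `on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-18.04
    steps:
      - uses: actions/checkout@v2
      - run: echo "${{ github.event.pull_request.title }}"
      - run: echo "${PR_TITLE}"
        env:
          PR_TITLE: "${{ github.event.pull_request.title }}"
`

// Scan walks the workflow line by line (a simplification: no YAML parser) and
// reports untrusted properties inside run: or script: values, including | and >
// block scalars. Expressions under env: are not script text and are skipped.
func Scan(workflow string) []Finding {
	var findings []Finding
	blockIndent := -1 // column of the run:/script: key that owns the open block scalar
	for n, line := range strings.Split(workflow, "\n") {
		trimmed := strings.TrimLeft(line, " ")
		indent := len(line) - len(trimmed)
		script := ""
		if blockIndent >= 0 {
			if trimmed != "" && indent <= blockIndent {
				blockIndent = -1 // a dedent ends the block scalar
			} else {
				script = line
			}
		}
		if blockIndent < 0 {
			key := strings.TrimPrefix(trimmed, "- ")
			if !strings.HasPrefix(key, "run:") && !strings.HasPrefix(key, "script:") {
				continue
			}
			script = strings.TrimSpace(key[strings.Index(key, ":")+1:])
			if strings.HasPrefix(script, "|") || strings.HasPrefix(script, ">") {
				blockIndent = indent + len(trimmed) - len(key)
				continue
			}
		}
		for _, m := range exprRe.FindAllStringSubmatch(strings.ToLower(script), -1) {
			for _, path := range pathRe.FindAllString(m[1], -1) {
				if untrustedRe.MatchString(path) {
					findings = append(findings, Finding{Line: n + 1, Input: path})
				}
			}
		}
	}
	return findings
}

func main() {
	for _, f := range Scan(sampleWorkflow) {
		fmt.Printf("line %d: %s is expanded inside an inline script\n", f.Line, f.Input)
	}
}
```

Index syntax such as commits[0].message and expressions that span several lines are outside what this simplified matcher covers.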
An expression can reference an event name, for example if: ${{ github.event_name == 'push' || github.event_name == 'release' }}.
As the events to which a workflow responds are always present at the top of the workflow, it should be possible to determine when an event name within an expression is redundant.
Take the following workflow as an example:
on:
  push:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        if: ${{ github.event_name == 'push' || github.event_name == 'pull_request' }}
        uses: actions/checkout@v2
In this example, the workflow only responds to push events, however the expression refers to both push and pull_request events. This suggests that something is wrong somewhere. Either the workflow should be responding also to pull_request events or the expression needs to be changed to remove the second part of the expression.
Howdy, came across this error while using outputs in a reusable workflow:
unexpected key "outputs" for "workflow_call" section. expected one of "inputs", "secrets" [syntax-check]
The workflow works properly, and is in keeping with the github actions workflow syntax example.
on:
  workflow_call:
    # Map the workflow outputs to job outputs
    outputs:
      workflow_output1:
        description: "The first job output"
        value: ${{ jobs.my_job.outputs.job_output1 }}
      workflow_output2:
        description: "The second job output"
        value: ${{ jobs.my_job.outputs.job_output2 }}
Dropping timeout-minutes configuration is a common mistake when writing jobs; the default value is 360 (6 hours!), that can waste your quota.
Hello there -- we use an Action -- specifically https://github.com/actions/stale -- and with a recent release we noticed this linter (invoked via https://github.com/github/super-linter) isn't happy about it. Sample workflow config:
...
jobs:
  stale:
    name: Staleness
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/stale@v4
        with:
          exempt-draft-pr: true
...
Note the @v4 release. Based on https://github.com/actions/stale/tags this is linked to the latest @v4.1.0 and the Action runs correctly, but this linter doesn't like exempt-draft-pr which seems acceptable based on the action.yml present in that repository. Furthermore, if we put almost anything in place instead of @v4 the linter will pass, and we assume that's some kind of resolution problem altogether.
Can there be some documentation expansions about the resolution process of a config? Even though this is a specific case, why is the linter not seeing this Action's latest properties?
If you checkout a repository to a local path and try to use it, linting will fail with a file not found.
Example:
- name: Checkout token action
  uses: actions/checkout@v2
  with:
    repository: qwerty/create-github-server-token
    path: ./.helpers/create-github-server-token
- name: Generate GitHub Token
  uses: ./.helpers/create-github-server-token
  id: create-token
...
neither action.yaml nor action.yml is found in directory
This error is expected because the file does not exist locally; it gets downloaded in the pipeline.
The env variable cannot reference another env variable at the same level, for example, it won't work like this
env:
  IS_QA: "qa"
  PROJECT: "important"
  LOCAL_TAG: "${{env.IS_QA}}-latest"
  AWS_TASKDEF: "project-${{env.PROJECT}}-something"
But it can be put into different levels as below would work
jobs:
  test:
    runs-on: ubuntu-latest
    env:
      IS_QA: "qa"
      PROJECT: "important"
    steps:
      - run:
          echo ${{env.IS_QA}}
          echo ${{env.LOCAL_TAG}}
          echo ${{env.PROJECT}}
          echo ${{env.AWS_TASKDEF}}
        env:
          LOCAL_TAG: "${{env.IS_QA}}-latest"
          AWS_TASKDEF: "project-${{env.PROJECT}}-something"
so ref, https://stackoverflow.com/questions/69979085/github-actions-using-variables-in-global-env-section
Check many workflows or large workflow:
actionlint ./testdata/realworld/*.yml
actionlint runs as usual; runs without any output or reports some errors in workflows.
actionlint dies with message:
`/usr/local/bin/shellcheck --norc -f json -x --shell bash -e SC1091,SC2194 -` did not run successfully while checking script at line:463,col:9: pipe: too many open files: error while checking ./testdata/realworld/diem_diem_.github_workflows_ci-test.yml
or hangs.
actionlint runs checks in parallel thanks to Go's goroutine:
run: are run in parallel
This works fine and makes actionlint much faster when the target size is small. But running so many processes in parallel consumes OS resources (in this case, it hit the limit for the number of files to open). And running process sometimes hangs on macOS though I don't know the reason.
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: echo "$FOO"
        env:
          FOO: FOO
      - run: echo "$bar"
        env:
          bar: bar
❯ actionlint testdata/examples/shellcheck_integration.yaml
testdata/examples/shellcheck_integration.yaml:9:9: shellcheck reported issue in this script: SC2154:warning:1:7: bar is referenced but not assigned [shellcheck]
|
9 | - run: echo "$bar"
| ^~~~
❯ cat /etc/os-release
NAME="Ubuntu"
VERSION="21.04 (Hirsute Hippo)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 21.04"
VERSION_ID="21.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=hirsute
UBUNTU_CODENAME=hirsute
❯ actionlint --version
1.6.4
installed by downloading from release page
built with go1.17.1 compiler for linux/amd64
Actionlint doesn't give env:, jobs.<job_id>.env or jobs.<job_id>.steps[*].env to shellcheck.
And shellcheck skips variable unassigned check only if it doesn't contain lowercase.
env:, jobs.<job_id>.env and jobs.<job_id>.steps[*].env then prepend it to the run script.
actionlint warns if conditions without ${{ ... }}.
this expression must be contained within ${{ }} like if: ${{ ... }} since it contains operator ".". see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idif for more details [expression]
but, I can't find its source in https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idif
It looks that it is removed recently: github/docs#8786
Create an identifier for your job by giving it a unique name. The key job_id is a string and its value is a map of the job's configuration data. You must replace <job_id> with a string that is unique to the jobs object. The <job_id> must start with a letter or _ and contain only alphanumeric characters, -, or _.
Examples:
name: invalid-job-name-1
on: push
jobs:
  invalid-JOB-Name-v1.2.3-docker_hub:
    runs-on: ubuntu-latest
    steps:
      - run: echo hi
  valid-JOB-Name-v123-docker_hub:
    runs-on: ubuntu-latest
    steps:
      - run: echo hi

name: invalid-job-name-2
on: push
jobs:
  1234invalid-JOB-Name-v123-docker_hub:
    runs-on: ubuntu-latest
    steps:
      - run: echo hi

name: valid-job-name-1
on: push
jobs:
  valid-JOB-Name-v123-docker_hub:
    runs-on: ubuntu-latest
    steps:
      - run: echo hi

name: valid-job-name-2
on: push
jobs:
  ___valid-JOB-Name-v123-docker_hub:
    runs-on: ubuntu-latest
    steps:
      - run: echo hi
Your documentation (https://github.com/rhysd/actionlint/blob/main/docs/config.md#configuration-file) states:
Configuration file actionlint.yaml or actionlint.yml can be put in .github directory.
however in order for it to be recognised by SuperLinter I had to put it in .github/linters
Hi,
I think I might found a bug related to feature added in v1.6.2, actionlint now checks evaluated values at ${{ }} are not an object nor an array since they are not useful
Example below produces this error, however it's a valid workflow and recommended for self-hosted runners (multiple tags to select runner).
https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-7
Error message:
object, array, and null values should not be evaluated in template with ${{ }} but evaluating the value of type array<string> [expression]
Example:
name: test
on: [push]
jobs:
  test:
    runs-on: ${{ matrix.runner }}
    strategy:
      matrix:
        include:
          - runner:
              - arm64
              - linux
          - runner:
              - x64
              - linux
    steps:
      - name: Echo details
        env:
          RUNNER: ${{ matrix.runner }}
        run: echo $RUNNER
I tried to change it to ${{ toJSON(matrix.runner) }}, actionlint passes after that, but workflow is broken after that.
actionlint allows only mediaType and route as input for octokit/[email protected].
https://github.com/rhysd/actionlint/blob/main/popular_actions.go#L2415-L2430
But it's false positive, because request-action v2 allows other inputs.
ref. https://github.com/octokit/request-action#inputs
They are simply treated as request parameters to the API.
Hi, thanks a lot for creating the nice tool!
actions/[email protected] has newly supported the node-version-file parameter, so it would be so happy if actionlint could support also the parameter!
Current:
.github/workflows/ci.yml:
name: CI
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v2
        with:
          node-version-file: .nvmrc
$ actionlint .github/workflows/ci.yml
.github/workflows/ci.yml:9:11: input "node-version-file" is not defined in action "actions/setup-node@v2". available inputs are "always-auth", "architecture", "cache", "cache-dependency-path", "check-latest", "node-version", "registry-url", "scope", "token", "version" [action]
|
11 | node-version-file: .nvmrc
| ^~~~~~~~~~~~~~~~~~
Version:
$ actionlint -version
1.6.8
installed by building from source
built with go1.17.2 compiler for darwin/arm64
It would be great to have support for linting action files as well as workflow files.
Especially with the recent release of composite actions, it seems that building private actions will be a common way to DRY up workflow files. Currently there is a gap in linting, because the workflow files are covered but anything moved to an action is not.
I get this error:
SC2050:warning:2:56: This expression is constant. Did you forget the $ on a variable? [shellcheck]
With code like this:
run: |
  if [[ "${{ github.event.inputs.chart_force_publish }}" = "true" ]]; then
    force="true"
  fi
So I assume it's balking because this is converted to:
if [[ "_______________________" = "true" ]]; then
  force="true"
fi
Can anyone see a workaround?
Actionlint knows about array element dereferences, but not object element dereferences. For example, GitHub Actions supports the syntax ${{ join(needs.*.result, ' ') }}
as documented in slack-templates' README despite the fact that needs is not an array. Actionlint 1.6.6 yields an error message of the following form:
[...]/.github/workflows/test.yaml:[row]:[col]: receiver of array element dereference must be type of array but got "{<job_id_1>: {outputs: {}; result: string}; <job_id_2>: {outputs: {}; result: string}}" [expression]
|
[row] | results: ${{ join(needs.*.result, ' ') }}
Thank you for creating Actionlint! It's quite nice to have a super easy way to check whether an action has syntax errors without wasting build credits.
I have the following SC2086 violation:
2021-08-27 20:45:30 [ERROR] Found errors in [actionlint] linter!
2021-08-27 20:45:30 [ERROR] Error code: 1. Command output:
------
.github/workflows/release.yml:20:9: shellcheck reported issue in this script: SC2086:info:1:51: Double quote to prevent globbing and word splitting [shellcheck]
|
20 | run: |
| ^~~~
.github/workflows/release.yml:20:9: shellcheck reported issue in this script: SC2086:info:2:44: Double quote to prevent globbing and word splitting [shellcheck]
|
20 | run: |
| ^~~~
------
for this GitHub Actions script which sets environment variables.
- name: Set variables
  run: |
    echo "CREATED=$(date -u +%Y-%m-%dT%H:%M:%S%z)" >> $GITHUB_ENV
    echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
Any advice on getting this one fixed would be appreciated.
I have a GitHub org with private repos, which includes private actions. While official support for private actions is in GitHub's backlog, I am working around this by using action/checkout before use: ./.github/actions/my-action. So during linting, I get:
test.yaml:13:15: neither action.yaml nor action.yml is found in directory "github/actions/my-action" [action]
|
13 | - uses: ./github/actions/my-action
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
We found that the parser returns Infinity and NaN as variables while -Infinity is tried to parse as number.
-Infinity results in a lexer error:
Failed to parse: got unexpected character 'I' while lexing integer part of number, expecting '0'..'9'
The GHA runner recently added a new context property to the github object: run_attempt. This property was added in v2.283.0.
Using this property currently fails actionlint validation with property "run_attempt" is not defined in object type....
nice tool!
It would be cool if it would also run shfmt from https://github.com/mvdan/sh :)
I would like to be warned if a step is using user input inside the "run" part of a step to mitigate the risk of script injections.
Inputs includes:
(I may be missing some that should be on the list.)
An incorrect event name reference in an expression can result in the expression always evaluating to false.
An expression that always evaluates to false suggests either:
Take the following simplified workflow as an example:
on:
  push:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        if: ${{ github.event_name == 'pull_request' }}
        uses: actions/checkout@v2
      - name: Build
        run: |
          # Do something with the checked-out code
          git status
The example workflow will always fail. The expression controlling execution of the Checkout code step will always evaluate to false. In this case, either the expression needs changing to github.event_name == 'push' or the expression-controlled step needs to be removed.
Whilst it is probably impossible to determine whether any arbitrary expression always evaluates to false (sounds like a halting problem situation), it is probably possible to determine whether an expression containing an event name reference always evaluates to false as the event names to which a workflow responds are always present.
Github Action Workflow Example:
###########################
###########################
## Linter GitHub Actions ##
###########################
###########################
name: Lint all the codes!
#
# Documentation:
# https://help.github.com/en/articles/workflow-syntax-for-github-actions
#
#############################
# lint on push to release/main branches
# also lint on all pushes to PRs
#############################
on:
  # runs when PRs are merged, or pushes directly to these branches
  # if you have multiple release branches, add them to push
  push:
    branches:
      - main
  # runs on pushed commits to any PR
  pull_request:
  # allow reuse of this workflow in other repos
  workflow_call:
Github Action (BETA):
https://docs.github.com/en/actions/learn-github-actions/reusing-workflows
Is there a way to fix this please?
Thx!
Thank you for the excellent service.
When I ran the following workflow check on the web, I got an error that I think was caused by uppercase letters being identified as lowercase.
https://rhysd.github.io/actionlint/
name: Create new release
on:
  workflow_dispatch:
jobs:
  create_release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ncipollo/release-action@v1
        with:
          allowUpdates: false
I have a workflow similar to the following (code edited slightly):
jobs:
  myjob:
    environment:
      name: env-name
      url: ${{ steps.thing.outputs.app-url }}
    steps:
      - name: 'Run Azure Functions Action'
        uses: Azure/[email protected]
        id: thing
        with:
          app-name: 'my-function-app'
          package: my.zip
The linter is throwing an error which seems to be invalid to me.
.github/workflows/thing.yml:86:16: property "thing" is not defined in object type {} [expression]
|
86 | url: ${{ steps.thing.outputs.app-url }}
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
One of the most common errors I encounter with our workflow files is when we reference other jobs in needs and have a typo there or update job names while forgetting to update the dependent jobs.
Luckily actionlint is able to find this kind of error with the job-needs check.
Is there any possibility to have that kind of check for on.workflow_run.workflows to verify whether the specified workflow name actually exists in the project?
When you run actionlint in a workflow it is unable to indicate which line the error is on:
This would be useful for tracking error types and for linking to documentation.
actionlint currently provides a kind key, which is however not unique: different error messages can have the same kind. Example of kind value:
$ actionlint -format '{{json .}}' pyflakes.yml | jq .
[
  {
    "message": "pyflakes reported issue in this script: 1:7 undefined name 'hello'",
    "filepath": "pyflakes.yml",
    "line": 9,
    "column": 9,
    "kind": "pyflakes",
    "snippet": " - run: print(hello)\n ^~~~"
  }
]
So we would either need to make kind values more unique, or create a new field for this error ID.
It should also be determined what to do with different error types reported by "sub-linters", shellcheck and pyflakes. If we decide to reuse the sublinter error id, the lack of error ID system for pyflakes might be a problem (AFAIK there is no system). Flake8 might be better in this sense (see below).
Other linters have a kind of error code catalogue, e.g.
I'm using dorny/paths-filter and that sets a dynamic output for me, but actionlint is complaining about the output not being there, see code below. I can't see how I can fix that.
- name: Checkout repo
  uses: actions/checkout@v2
- id: filterchanges
  uses: dorny/paths-filter@v2
  with:
    filters: 'files: .github/workflows/*.yml'
- name: lint
  if: ${{ steps.filterchanges.outputs.files == 'true'}}
[actionlint] reported by reviewdog 🐶 property "files" is not defined in object type {changes: any} [expression]
Example: catthehacker@0ff2df5
In https://github.com/nektos/act we have more than just action/run types but it would help us (and not only us) if actionlint provided ExecInvalid kind for steps that are known to be incorrect
https://github.com/nektos/act/blob/b910a42edfab7a02b08a52ecef203fd419725642/pkg/model/workflow.go#L378-L411
The docker image for version 1.6.2 displays the "(devel)" version
docker run -it --rm rhysd/actionlint:1.6.2 -version
(devel)
installed by building from source
built with go1.17 compiler for linux/amd64
Version 1.6.1 displays the expected "1.6.1"
docker run -it --rm rhysd/actionlint:1.6.1 -version
1.6.1
installed by building from source
built with go1.17 compiler for linux/amd64
❯ brew tap "rhysd/actionlint" "https://github.com/rhysd/actionlint"
==> Tapping rhysd/actionlint
Cloning into '/opt/homebrew/Library/Taps/rhysd/homebrew-actionlint'...
remote: Enumerating objects: 2103, done.
remote: Counting objects: 100% (768/768), done.
remote: Compressing objects: 100% (317/317), done.
remote: Total 2103 (delta 429), reused 705 (delta 411), pack-reused 1335
Receiving objects: 100% (2103/2103), 6.70 MiB | 736.00 KiB/s, done.
Resolving deltas: 100% (1206/1206), done.
Error: Invalid formula: /opt/homebrew/Library/Taps/rhysd/homebrew-actionlint/HomebrewFormula/actionlint.rb
formulae require at least a URL
Error: Cannot tap rhysd/actionlint: invalid syntax in tap!
❯ brew --version
Homebrew 3.2.1-70-g5659d74
Homebrew/homebrew-core (git revision 4e3ff58f97; last commit 2021-07-12)
Homebrew/homebrew-cask (git revision 59f1985d26; last commit 2021-07-12)
Please publish actions in GitHub Marketplace.
I know there is documentation, but I would like the official action to be published for the following reasons:
I wish to use this great tool's docker container in a workflow as this greatly simplifies the pipeline.
Pre-commit hooks are great but some developers turn them off when they just want to get something finished and so it can be nicer to have actionlint in a workflow instead sometimes. Additionally, as this tool is somewhat niche, some developers may not know much about it so putting it in a pipeline can help with that too. The container doesn't seem to have an accessible shell in it and so I can't override the entrypoint to something that will enable me to define some steps in a workflow before running the actionlint command.
An example below of what I was thinking:
name: Lint Workflows
on:
  pull_request:
    type:
      - synchronize
    paths:
      - .github/workflows/*.yaml
      - .github/workflows/*.yml
jobs:
  lint:
    runs-on: ubuntu-latest
    container:
      image: rhysd/actionlint:latest
      args: sh
    steps:
      - name: Run lint
        run: |
          echo "::add-matcher::.github/actionlint-matcher.json"
          actionlint -color
I think supporting eslint as well as shellcheck makes it easier to inspect code written using actions/github-script.