I'd like to use this container as part of a workflow in GitHub Actions, however when I try to do so the actions/checkout action the action fails:

Deleting the contents of '/__w/my-repo/my-repo'
The repository will be downloaded using the GitHub REST API
To create a local Git repository instead, add Git 2.18 or higher to the PATH
Downloading the archive
(node:17) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
Writing archive to disk
Error: EACCES: permission denied, open '/__w/my-repo/my-repo/231afe6e-70d6-44ac-a49f-824acfe6593a.tar.gz'

I'd like to keep using a container instead of downloading a binary as imo the workflow of using containers is a better workflow than downloading binaries. Additionally, GitHub's unauthenticated API rate-limit budget is not generous. Would it be possible to also build an alpine image with git in it or provide a ubuntu image too for those that want to use your container in a CI/CD setup?

There are a few open issues in actions/checkout that cover this error actions/checkout#639 actions/checkout#639

I'm looking at using actionlint, and busy testing it on a few workflows. It's working really well and the integration with shellcheck is a huge saver.

The one problem I have encountered is this:

.github/workflows/master_push.yml:165:213: property "result" is not defined in object type {} [expression]

The step in question uses the ${{ needs.build.result }} context expression, where build is a previous job in the workflow, in the needs list for this job. result is a valid property of the needs context, documented here: https://docs.github.com/en/actions/learn-github-actions/contexts#needs-context

Hi, thank you so much for creating this nice tool! 😄

When I tried running actionlint on GitHub Actions, It took some time to set up.
Here is my setup code:

https://gist.github.com/ybiquitous/c72834b30882d3c1f9c105683d4c1137

I use Problem Matcher in the setup code, but I doubt it difficult for many users to use Problem Matcher.

If actionlint could output messages with the ::warning or ::error format of Actions, it might be easier to set up.
(But, for the purpose, severities may be needed...)

For example:

$ actionlint -format github
::error file=.github/workflows/test.yml,line=10,col=15::Something went wrong

What do you think about this idea?

I just found a bug in a workflow because I was trying to reference this property:

${{ github.event.worflow_run.head_commit.message }}

It was only after I copy and pasted the names from the output of ${{ toJSON(github) }} that I realised I'd made an embarrasing typo - (it should be workflow_run)!

What I'm wondering is whether actionlint could catch these kinds of things? How deep you could validate is a good question, but I'd say at least github.event.xxxxx would be a starting point, where xxxxx is one of the events listed at https://docs.github.com/en/actions/reference/events-that-trigger-workflows

Making this available as a pre-commit hook, i.e. add .pre-commit-hooks.yaml would be awesome. 😄

When I run actionlint, the output is as follows:

.github/workflows/schedule.yml:4:13: scheduled job runs too frequently. it runs once per 60 seconds [events]
  |
4 |     - cron: '* * * * *'
  |             ^~

According to the documentation at https://docs.github.com/en/actions/reference/events-that-trigger-workflows#scheduled-events, it seems that '* * * * *' appears to be the correct format.

Which is correct, GitHub Actions document or actionlint implementation?

I don't read too long README.md.

I think documents should be separated into several files and structured in doc directory.

• README.md: screenshot, sample input/output, reasons, installation, basic usage, links to documents, bug reporting, about license
• docs/
  • usage.md: Advanced Usage and exit statuses
  • checks.md: Checks
  • config.md: Configuration file
  • api.md: About Go API
  • references.md: Links to resources

Error

input "cache" is not defined in action "actions/setup-python@v2". available inputs
are "architecture", "python-version", "token"

Steps to Reproduce

1. Create this workflow:

name: My Workflow

on:
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Set up python
        uses: actions/setup-python@v2
        with:
          python-version: 3.10
          cache: 'pip'

2. Lint this workflow with actionlint

Links
https://github.com/actions/setup-python#caching-packages-dependencies caching is a somewhat new input for this action
https://github.com/actions/setup-python/blob/main/action.yml there are a few additional inputs compared to the current whitelist

Right now, I don't see a way to customize shellcheck invocation (I want to exclude additional check).

The list of excluded checks is hard-coded, and it is not using a configuration file:

If I add workflow_call to a simple workflow, I'll get an error about an env later in the file.

This passes actionlint 1.6.8:

---
name: Lint Code Base

on:
  push:

jobs:
  build:
    name: Lint Code Base
    runs-on: ubuntu-latest

    steps:
      - name: Checkout Code
        uses: actions/checkout@v2
        with:
          fetch-depth: 0

      - name: Lint Code Base
        uses: github/super-linter@v4
        env:
          VALIDATE_ALL_CODEBASE: false
          DEFAULT_BRANCH: master
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

This fails (only added one line workflow_call)

---
name: Lint Code Base

on:
  push:
  workflow_call:

jobs:
  build:
    name: Lint Code Base
    runs-on: ubuntu-latest

    steps:
      - name: Checkout Code
        uses: actions/checkout@v2
        with:
          fetch-depth: 0

      - name: Lint Code Base
        uses: github/super-linter@v4
        env:
          VALIDATE_ALL_CODEBASE: false
          DEFAULT_BRANCH: master
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

error:

 property "github_token" is not defined in object type {} [expression]
   |
24 |           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   |                             ^~~~~~~~~~~~~~~~~~~~

The checks.md document is a very useful resource to find more about each issue types reported by actionlint.

However, currently there's no straightforward way to find out which documentation section corresponds to which issue. The kind key (in the actionlint json formatting) is not usable for this purpose, since both issues

• https://github.com/rhysd/actionlint/blob/main/docs/checks.md#unexpected-keys
• https://github.com/rhysd/actionlint/blob/main/docs/checks.md#missing-required-keys-or-key-duplicates
  have kind value syntax-check (it's not 1-to-1 correspondence)

I'm not sure what is the best/easiest way to address this, but maybe a new docs key with either link to https://github.com/rhysd/actionlint/blob/main/docs/checks.md#XYZ or just the section name XYZ would help.

Example:

[
  {
    "message": "pyflakes reported issue in this script: 1:7 undefined name 'hello'",
    "filepath": "myworkflow.yml",
    "line": 9,
    "column": 9,
    "kind": "pyflakes",
    "snippet": "      - run: print(hello)\n        ^~~~",
    "docs": "https://github.com/rhysd/actionlint/blob/main/docs/checks.md#check-pyflakes-integ"
  }
]

Alternatively, the checks.md section names could be named after the kind parameter values, however then it may be useful for the kind values to be more detailed - to distinguish between different types of syntax-check.

What do you think?

Yep. Currently using this, but I see actionlint is getting more frequent updates, and I like the online tool it provides.
Can you build a VS Code extension out of it?

Keeping your GitHub Actions and workflows secure: Untrusted input | GitHub Security Lab describe the Untrusted input on GitHub Actions.

In many case, using next values in run: or script: directry has vulnerbility.

github.event.issue.title
github.event.issue.body
github.event.pull_request.title
github.event.pull_request.body
github.event.comment.body
github.event.review.body
github.event.review_comment.body
github.event.pages.*.page_name
github.event.commits.*.message
github.event.head_commit.message
github.event.head_commit.author.email
github.event.head_commit.author.name
github.event.commits.*.author.email
github.event.commits.*.author.name
github.event.pull_request.head.ref
github.event.pull_request.head.label
github.event.pull_request.head.repo.default_branch
github.head_ref

For example, following action has a comand injection vulnerbility.

name: test
on: [pull_request]
permissions:
  contents: read
jobs:
  test:
    name: "Test"
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - run: echo "${{ github.event.pull_request.title }}"

If attacker create malcious PR title like ";cat .git/config|base64", GitHub Actions will execulte the title as command.

📝 actions/checkout set GITHUB_TOKEN in .git/config for checkouting repo.

We can mitigate the vulnerbility of action by usging env: as parameter.

name: test
on: [pull_request]
permissions:
  contents: read
jobs:
  test:
    name: "Test"
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - run: echo "${PR_TITLE}"
        env:
          PR_TITLE: "${{ github.event.pull_request.title }}"

If actionlint check the Untrusted input in run:, it make us safer.

Related

• GitHub Capture the Flag results | The GitHub Blog
• Security hardening for GitHub Actions - GitHub Docs
• PyPIにおける潜在的な任意コード実行 - RyotaK's Blog

GitHub CodeQL has implemented related functions.

• codeql/ExpressionInjection.ql at main · github/codeql
• codeql/UntrustedCheckout.ql at main · github/codeql

An expression can reference an event name, for example if: ${{ github.event_name == 'push' || github.event_name == 'release' }}.

As the events to which a workflow responds are always present at the top of the workflow, it should be possible to determine when an event name within an expression is redundant.

Take the following workflow as an example:

on:
  push:

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        if: ${{ github.event_name == 'push' || github.event_name == 'pull_request' }}
        uses: actions/checkout@v2

In this example, the workflow only responds to push events, however the expression refers to both push and pull_request events. This suggests that something is wrong somewhere. Either the workflow should be responding also to pull_request events or the expression needs to be changed to remove the second part of the expression.

Howdy, came across this error while using outputs in a reusable workflow:

unexpected key "outputs" for "workflow_call" section. expected one of "inputs", "secrets" [syntax-check]

The workflow works properly, and is in keeping with the github actions workflow syntax example.

on:
  workflow_call:
    # Map the workflow outputs to job outputs
    outputs:
      workflow_output1:
        description: "The first job output"
        value: ${{ jobs.my_job.outputs.job_output1 }}
      workflow_output2:
        description: "The second job output"
        value: ${{ jobs.my_job.outputs.job_output2 }}  

Dropping timeout-minutes configuration is a common mistake when writing jobs; the default value is 360 (6 hours!), that can waste your quota.

Hello there -- we use an Action -- specifically https://github.com/actions/stale -- and with a recent release we noticed this linter (invoked via https://github.com/github/super-linter) isn't happy about it. Sample workflow config:

...

jobs:
  stale:
    name: Staleness
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write

    steps:
      - uses: actions/stale@v4
        with:
          exempt-draft-pr: true

...

Note the @v4 release. Based on https://github.com/actions/stale/tags this is linked to the latest @v4.1.0 and the Action runs correctly, but this linter doesn't like exempt-draft-pr which seems acceptable based on the action.yml present in that repository. Furthermore, if we put almost anything in place instead of @v4 the linter will pass, and we assume that's some kind of resolution problem altogether.

Can there be some documentation expansions about the resolution process of a config? Even though this is a specific case, why is the linter not seeing this Action's latest properties?

If you checkout a repository to a local path and try to use it, linting will fail with a file not found.

Example:

- name: Checkout token action
  uses: actions/checkout@v2
  with: 
    repository: qwerty/create-github-server-token
    path: ./.helpers/create-github-server-token

- name: Generate GitHub Token
  uses: ./.helpers/create-github-server-token
  id: create-token
...

neither action.yaml nor action.yml is found in directory

This error is expected because the file does not exist locally; it gets downloaded in the pipeline.

The env variable cannot reference another env variable at the same level, for example, it wont work like this

env:
  IS_QA: "qa"
  PROJECT: "important"
  LOCAL_TAG: "${{env.IS_QA}}-latest"
  AWS_TASKDEF: "project-${{env.PROJECT}}-something"

But it can be put into different levels as below would work

jobs:
  test:
    runs-on: ubuntu-latest
    env:
      IS_QA: "qa"
      PROJECT: "important"
    steps:
      - run:
          echo ${{env.IS_QA}}
          echo ${{env.LOCAL_TAG}}
          echo ${{env.PROJECT}}
          echo ${{env.AWS_TASKDEF}}
        env:
          LOCAL_TAG: "${{env.IS_QA}}-latest"
          AWS_TASKDEF: "project-${{env.PROJECT}}-something"

so ref, https://stackoverflow.com/questions/69979085/github-actions-using-variables-in-global-env-section

Environment

• actionlint: 3c86c33
• OS: macOS 10.15
• Go 1.16

Repro

Check many workflows or large workflow:

actionlint ./testdata/realworld/*.yml

Expected behavior

actionlint runs as usual; runs without any output or reports some errors in workflows.

Actual behavior

actionlint dies with message:

`/usr/local/bin/shellcheck --norc -f json -x --shell bash -e SC1091,SC2194 -` did not run successfully while checking script at line:463,col:9: pipe: too many open files: error while checking ./testdata/realworld/diem_diem_.github_workflows_ci-test.yml

or hangs.

Investigation

actionlint runs checks in parallel thanks to Go's goroutine:

• each files are checked in parallel
• processes for external linters to check each run: are run in parallel

This works fine and makes actionlint much faster when the target size is small. But running so many processes in parallel consumes OS resource (in this case, it hit limit for number of files to open). And running process sometimes hangs on macOS though I don't know the reason.

minimum reproducing example

on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: echo "$FOO"
        env:
          FOO: FOO
      - run: echo "$bar"
        env:
          bar: bar

❯ actionlint testdata/examples/shellcheck_integration.yaml
testdata/examples/shellcheck_integration.yaml:9:9: shellcheck reported issue in this script: SC2154:warning:1:7: bar is referenced but not assigned [shellcheck]
  |
9 |       - run: echo "$bar"
  |         ^~~~


❯ cat /etc/os-release
NAME="Ubuntu"
VERSION="21.04 (Hirsute Hippo)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 21.04"
VERSION_ID="21.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=hirsute
UBUNTU_CODENAME=hirsute


❯ actionlint --version
1.6.4
installed by downloading from release page
built with go1.17.1 compiler for linux/amd64

What's happen

Actionlint doesn't give env:, jobs.<job_id>.env or jobs.<job_id>.steps[*].env to shellcheck.
And shellcheck skips variable unassigned check only if it doesn't contains lowercase.

Solution candidate

1. Generate variable assign code by env:, jobs.<job_id>.env and jobs.<job_id>.steps[*].env then prepend it to the run script.
2. Ignore SC2154 (option) and write this limitation in README

actionlint warns if conditions without ${{ ... }}.

this expression must be contained within ${{ }} like if: ${{ ... }} since it contains operator ".". see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idif for more details [expression]

but, I can't find its source in https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idif
It looks that it is removed recently: github/docs#8786

https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_id

Create an identifier for your job by giving it a unique name. The key job_id is a string and its value is a map of the job's configuration data. You must replace <job_id> with a string that is unique to the jobs object. The <job_id> must start with a letter or _ and contain only alphanumeric characters, -, or _.

Examples:

name: invalid-job-name-1
on: push

jobs:
  invalid-JOB-Name-v1.2.3-docker_hub:
    runs-on: ubuntu-latest
    steps:
      - run: echo hi
  valid-JOB-Name-v123-docker_hub:
    runs-on: ubuntu-latest
    steps:
      - run: echo hi

name: invalid-job-name-2
on: push

jobs:
  1234invalid-JOB-Name-v123-docker_hub:
    runs-on: ubuntu-latest
    steps:
      - run: echo hi

name: valid-job-name-1
on: push

jobs:
  valid-JOB-Name-v123-docker_hub:
    runs-on: ubuntu-latest
    steps:
      - run: echo hi

name: valid-job-name-2
on: push

jobs:
  ___valid-JOB-Name-v123-docker_hub:
    runs-on: ubuntu-latest
    steps:
      - run: echo hi

Your documentation (https://github.com/rhysd/actionlint/blob/main/docs/config.md#configuration-file) states:

Configuration file actionlint.yaml or actionlint.yml can be put in .github directory.

however in order for it to be recognised by SuperLinter I had to put it in .github/linters

Hi,

I think I might found a bug related to feature added in v1.6.2, actionlint now checks evaluated values at ${{ }} are not an object nor an array since they are not useful

Example below produces this error, however it's a valid workflow and recommended for self-hosted runners (multiple tags to select runner).
https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-7

Link to playground

Error message:
object, array, and null values should not be evaluated in template with ${{ }} but evaluating the value of type array<string> [expression]

Example:

name: test
on: [push]
jobs:
  test:
    runs-on: ${{ matrix.runner }}
    strategy:
      matrix:
       include:
         - runner: 
           - arm64
           - linux
         - runner:  
            - x64
            - linux
    steps:
      - name: Echo details
        env:
          RUNNER: ${{ matrix.runner }}
        run: echo $RUNNER

I tried to change it to ${{ toJSON(matrix.runner) }}, actionlint passes after that, but workflow is broken after that.

actionlint allows only mediaType and route as input for octokit/[email protected].
https://github.com/rhysd/actionlint/blob/main/popular_actions.go#L2415-L2430

But it's false positive, because request-action v2 allows other inputs.
ref. https://github.com/octokit/request-action#inputs
They are simply treated as request parameters to the API.

Hi, thanks a lot for creating the nice tool!

actions/[email protected] has newly supported the node-version-file parameter, so it would be so happy if actionlint could support also the parameter!

Current:

.github/workflows/ci.yml:

name: CI
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v2
        with:
          node-version-file: .nvmrc

$ actionlint .github/workflows/ci.yml
.github/workflows/ci.yml:9:11: input "node-version-file" is not defined in action "actions/setup-node@v2". available inputs are "always-auth", "architecture", "cache", "cache-dependency-path", "check-latest", "node-version", "registry-url", "scope", "token", "version" [action]
   |
11 |           node-version-file: .nvmrc
   |           ^~~~~~~~~~~~~~~~~~

Version:

$ actionlint -version
1.6.8
installed by building from source
built with go1.17.2 compiler for darwin/arm64

It would be great to have support for linting action files as well as workflow files.

Especially with the recent release of composite actions, it seems that building private actions will be a common way to DRY up workflow files. Currently there is a gap in linting, because the workflow files are covered but anything moved to an action is not.

I get this error:

SC2050:warning:2:56: This expression is constant. Did you forget the $ on a variable? [shellcheck]

With code like this:

      run: |
          if [[ "${{ github.event.inputs.chart_force_publish }}" = "true" ]]; then
            force="true"
          fi

So I assume it's balking because this is converted to:

          if [[ "_______________________" = "true" ]]; then
            force="true"
          fi

Can anyone see a workaround?

Actionlint knows about array element dereferences, but not object element dereferences. For example, GitHub Actions supports the syntax ${{ join(needs.*.result, ' ') }} as documented in slack-templates' README despite the fact that needs is not an array. Actionlint 1.6.6 yields an error message of the following form:

[...]/.github/workflows/test.yaml:[row]:[col]: receiver of array element dereference must be type of array but got "{<job_id_1>: {outputs: {}; result: string}; <job_id_2>: {outputs: {}; result: string}}" [expression]
         |
[row] |           results: ${{ join(needs.*.result, ' ') }}

Thank you for creating Actionlint! It's quite nice to have a super easy way to check whether an action has syntax errors without wasting build credits.

I have the following SC2086 violation:

2021-08-27 20:45:30 [ERROR]   Found errors in [actionlint] linter!
2021-08-27 20:45:30 [ERROR]   Error code: 1. Command output:
------
.github/workflows/release.yml:20:9: shellcheck reported issue in this script: SC2086:info:1:51: Double quote to prevent globbing and word splitting [shellcheck]
   |
20 |         run: |
   |         ^~~~
.github/workflows/release.yml:20:9: shellcheck reported issue in this script: SC2086:info:2:44: Double quote to prevent globbing and word splitting [shellcheck]
   |
20 |         run: |
   |         ^~~~
------

for this GitHub Actions script which sets environment variables.

- name: Set variables
  run: |
    echo "CREATED=$(date -u +%Y-%m-%dT%H:%M:%S%z)" >> $GITHUB_ENV
    echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV

any advice on get this one fixed would be appreciated.

I have a GitHub org with private repos, which includes private actions. While official support for private actions is in GitHub's backlog, I am working around this by using action/checkout before use: ./.github/actions/my-action. So during linting, I get:

test.yaml:13:15: neither action.yaml nor action.yml is found in directory "github/actions/my-action" [action]
   |
13 |       - uses: ./github/actions/my-action
   |               ^~~~~~~~~~~~~~~~~~~~~~~~~~

We found that the parser returns Infinity and NaN as variables while -Infinity is tried to parse as number.

-Infinity results in a lexer error:

Failed to parse: got unexpected character 'I' while lexing integer part of number, expecting '0'..'9'

The GHA runner recently added a new context property added to the github object: run_attempt. This property was added in v2.283.0.

Using this property currently fails actionlint validation with property "run_attempt" is not defined in object type....

nice tool!

It would be cool if it would also run shfmt from https://github.com/mvdan/sh :)

I would like to be warned if a step is using user input inside the "run" part of a step to mitigate the risk of script injections.

Inputs includes:

• inputs.*
• env.* (why not just use the environment variable)
• github.actor
• github.event.[issue | pull_request].[body | default_branch | email | head_ref | label | message | name | page_name | ref | title]
• github.event.inputs.*
• github.head_ref (could be branch name)
• github.ref (can be branch and tag names)
• github.ref_name

(I may be missing some that should be on the list.)

An incorrect event name reference in an expression can result in the expression always evaluating to false.

An expression that always evaluates to false suggests either:

• the expression is mistakenly incorrect and needs fixing
• a job or step whose execution is controlled by an expression needs to be removed

Take the following simplified workflow as an example:

on:
 push:

jobs:
 build:
   runs-on: ubuntu-latest

   steps:
     - name: Checkout code
       if: ${{ github.event_name == 'pull_request' }}
       uses: actions/checkout@v2

     - name: Build
       run: |
         # Do something with the checked-out code
         git status

The example workflow will always fail. The expression controlling execution of the Checkout code step will always evaluate to false. In this case, either the expression needs changing to github.event_name == 'push' or the expression-controlled step needs to be removed.

Whilst it is probably impossible to determine whether any arbitrary expression always evaluates to false (sounds like a halting problem situation), it is probably possible to determine whether an expression containing an event name reference always evaluates to false as the event names to which a workflow responds are always present.

Github Action Workflow Example:

###########################
###########################
## Linter GitHub Actions ##
###########################
###########################
name: Lint all the codes!

#
# Documentation:
# https://help.github.com/en/articles/workflow-syntax-for-github-actions
#

#############################
# lint on push to release/main branches
# also lint on all pushes to PRs
#############################
on:
  # runs when PRs are merged, or pushes directly to these branches
  # if you have multiple release branches, add them to push
  push:
    branches:
      - main
  # runs on pushed commits to any PR
  pull_request:
  # allow reuse of this workflow in other repos
  workflow_call:

Error:

Github Action (BETA):
https://docs.github.com/en/actions/learn-github-actions/reusing-workflows

There a way to fix this please.

Thx!

Thank you for the excellent service.

When I ran the following workflow check on the web, I got an error that I think was caused by uppercase letters being identified as lowercase.
https://rhysd.github.io/actionlint/

name: Create new release
on:
  workflow_dispatch:

jobs:
  create_release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ncipollo/release-action@v1
        with:
          allowUpdates: false

I have a workflow similar to the following (code edited slightly):

jobs:
  myjob:
    environment:
      name: env-name
      url: ${{ steps.thing.outputs.app-url }}

  steps:
      - name: 'Run Azure Functions Action'
        uses: Azure/[email protected]
        id: thing
        with:
          app-name: 'my-function-app'
          package: my.zip

The linter is throwing an error which seems to be invalid to me.

.github/workflows/thing.yml:86:16: property "thing" is not defined in object type {} [expression]
   |
86 |       url: ${{ steps.thing.outputs.app-url }}
   |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

One of the most common errors I encounter with our workflow files is when we reference other jobs in needs and have a typo there or update job names while forgetting to update the dependent jobs.
Luckily actionlint is able to find this kind of error with the job-needs check.

Is there any possibility to have that kind of check for on.workflow_run.workflows to verify whether the specified workflow name actually exists in the project?

When you run actionlint in a workflow it is unable to indicate which line the error is on:

https://github.com/toast-gear/actionlint-test/pull/3/checks

This would be useful for tracking error types and for linking to documentation.

actionlint currently provides a kind key, which is however not unique: different error messages can have the same kind. Example of kind value:

$ actionlint -format '{{json .}}' pyflakes.yml | jq .
[
  {
    "message": "pyflakes reported issue in this script: 1:7 undefined name 'hello'",
    "filepath": "pyflakes.yml",
    "line": 9,
    "column": 9,
    "kind": "pyflakes",
    "snippet": "      - run: print(hello)\n        ^~~~"
  }
]

So we would either need to make kind values more unique, or create a new field for this error ID.

It should also be determined what to do with different error types reported by "sub-linters", shellcheck and pyflakes. If we decide to reuse the sublinter error id, the lack of error ID system for pyflakes might be a problem (AFAIK there is no system). Flake8 might be better in this sense (see below).

Other linters have a kind of error code catalogue, e.g.

• shellcheck
• flake8

I'm using dorny/paths-filter and that sets a dynamic output for me, but actionlint is complaining about the output not being there, see code below. I can't see how I can fix that.

- name: Checkout repo
        uses: actions/checkout@v2
      - id: filterchanges
        uses: dorny/paths-filter@v2
        with:
          filters: 'files: .github/workflows/*.yml'
      - name: lint
        if: ${{ steps.filterchanges.outputs.files == 'true'}}
[actionlint] reported by reviewdog 🐶 property "files" is not defined in object type {changes: any} [expression]

Example: catthehacker@0ff2df5

In https://github.com/nektos/act we have more than just action/run types but it would help us (and not only us) if actionlint provided ExecInvalid kind for steps that are known to be incorrect
https://github.com/nektos/act/blob/b910a42edfab7a02b08a52ecef203fd419725642/pkg/model/workflow.go#L378-L411

The docker image for version 1.6.2 displays the "(devel)" version

docker run -it  --rm rhysd/actionlint:1.6.2 -version
(devel)
installed by building from source
built with go1.17 compiler for linux/amd64

Version 1.6.1 displays the expected "1.6.1"

docker run -it  --rm rhysd/actionlint:1.6.1 -version
1.6.1
installed by building from source
built with go1.17 compiler for linux/amd64

Reference: https://hub.docker.com/r/rhysd/actionlint/tags

Please publishing actions in GitHub Marketplace.

I know there is documentation, but I would like the official action to be published for the following reasons:

• Fixing the version, can safely a major version up.
• Avoiding the use of bash improves the readability of the user's action.

I wish to use this great tool's docker container in a workflow as this greatly simplifies the pipeline.

Pre-commit hooks are great but some developers turn them off when they just want to get something finished and so it can be nicer to have actionlint in a workflow instead sometimes. Additionally, as this tool is somewhat niche, some developers may not know much about it so putting it in a pipeline can help with that too. The container doesn't seem to have an accessible shell in it and so I can't override the entrypoint to something that will enable me to define some steps in a workflow before running the actionlint command.

An example below of what I was thinking:

name: Lint Workflows

on:
  pull_request:
    type:
      - synchronize
    paths:
      - .github/workflows/*.yaml
      - .github/workflows/*.yml

jobs:
  lint:
    runs-on: ubuntu-latest
    container: 
      image: rhysd/actionlint:latest
      args: sh
    steps:
      - name: Run lint
        run: |
          echo "::add-matcher::.github/actionlint-matcher.json"
          actionlint -color

I think supporting eslint as well as shellcheck makes it easier to inspect code written using actions/github-script.