v1.7.0

• From this version, actionlint starts to check action metadata file action.yml (or action.yaml). At this point, only very basic checks are implemented and contents of steps: are not checked yet.
  • It checks properties under runs: section (e.g. main: can be specified when it is a JavaScript action), branding: properties, and so on.

    name: 'My action'
    author: '...'
    # ERROR: 'description' section is missing
    
    branding:
      # ERROR: Invalid icon name
      icon: dog
    
    runs:
      # ERROR: Node.js runtime version is too old
      using: 'node12'
      # ERROR: The source file being run by this action does not exist
      main: 'this-file-does-not-exist.js'
      # ERROR: 'env' configuration is only allowed for Docker actions
      env:
        SOME_VAR: SOME_VALUE

  • actionlint still focuses on checking workflow files. So there is no way to directly specify action.yml as an argument of actionlint command. actionlint checks all local actions which are used by given workflows. If you want to use actionlint for your action development, prepare a test/example workflow which uses your action, and check it with actionlint instead.
  • Checks for steps: contents are planned to be implemented. Since several differences are expected between steps: in workflow file and steps: in action metadata file (e.g. available contexts), the implementation is delayed to later version. And the current implementation of action metadata parser is ad hoc. I'm planning a large refactorying and breaking changes Go API around it are expected.
• Add runner.environment property. (#412)

  - run: echo 'Run by GitHub-hosted runner'
    if: runner.environment == 'github-hosted'

• Using outdated popular actions is now detected at error. See the document for more details.
  • Here 'outdated' means actions which use runtimes no longer supported by GitHub-hosted runners such as node12.

    # ERROR: actions/checkout@v2 is using the outdated runner 'node12'
    - uses: actions/checkout@v2

• Support attestations permission which was recently added to GitHub Actions as beta. (#418, thanks @bdehamer)

  permissions:
    id-token: write
    contents: read
    attestations: write

• Check comparison expressions more strictly. Arbitrary types of operands can be compared as the official document explains. However, comparisons between some types are actually meaningless because the values are converted to numbers implicitly. actionlint catches such meaningless comparisons as errors. Please see the check document for more details.

  on:
    workflow_call:
      inputs:
        timeout:
          type: boolean
  
  jobs:
    test:
      runs-on: ubuntu-latest
      steps:
        - run: echo 'called!'
          # ERROR: Comparing string to object is always evaluated to false
          if: ${{ github.event == 'workflow_call' }}
        - run: echo 'timeout is too long'
          # ERROR: Comparing boolean value with `>` doesn't make sense
          if: ${{ inputs.timeout > 60 }}

• Follow the update that macos-latest is now an alias to macos-14 runner.
• Support a custom python shell by pyflakes rule.
• Add workaround actionlint reports that dorny/paths-filter's predicate-quantifier input is not defined. (#416)
• Fix the type of a conditional expression by comparison operators is wider than expected by implementing type narrowing. (#384)
  • For example, the type of following expression should be number but it was actually string | number and actionlint complained that timeout-minutes must take a number value.

    timeout-minutes: ${{ env.FOO && 10 || 60 }}

• Fix ${{ }} placeholder is not available at jobs.<job_id>.services. (#402)

  jobs:
    test:
      services: ${{ fromJSON('...') }}
      runs-on: ubuntu-latest
      steps:
        - run: ...

• Do not check outputs of google-github-actions/get-secretmanager-secrets because this action sets outputs dynamically. (#404)
• Fix defaults.run is ignored on detecting the shell used in run:. (#409)

  defaults:
    run:
      shell: pwsh
  jobs:
    test:
      runs-on: ubuntu-latest
      steps:
        # This was wrongly detected as bash script
        - run: $Env:FOO = "FOO"

• Fix parsing a syntax error reported from pyflakes when checking a Python script in run:. (#411)

  - run: print(
    shell: python

• Skip checking exclude: items in matrix: when they are constructed from ${{ }} dynamically. (#414)

  matrix:
    foo: ['a', 'b']
    exclude:
      # actionlint complained this value didn't exist in matrix combinations
      - foo: ${{ env.EXCLUDE_FOO }}

• Fix checking exclude: items when ${{ }} is used in nested arrays at matrix items.

  matrix:
    foo:
      - ["${{ fromJSON('...') }}"]
    exclude:
      # actionlint complained this value didn't match to any matrix combinations
      - foo: ['foo']

• Update popular actions data set. New major versions are added and the following actions are newly added.
  • peaceiris/actions-hugo
  • actions/attest-build-provenance
  • actions/add-to-project
  • octokit/graphql-action
• Update Go dependencies to the latest.
• Reduce the size of actionlint executable by removing redundant data from popular actions data set.
  • x86_64 executable binary size was reduced from 6.9MB to 6.7MB (2.9% smaller).
  • Wasm binary size was reduced from 9.4MB to 8.9MB (5.3% smaller).
• Describe how to integrate actionlint to Pulsar Edit in the document. (#408, thanks @mschuchard)
• Update outdated action versions in the usage document. (#413, thanks @naglis)

v1.6.27

• Add macOS 14 runner labels for Apple Silicon support. The following labels are added. (thanks @harryzcy, #392)
  • macos-14
  • macos-14-xlarge
  • macos-14-large
• Remove ubuntu-18.04 runner label from runners list since it is no longer supported. (#363)
• Allow glob patterns in self-hosted-runner.labels configuration. For example, the following configuration defines any runner labels prefixed with private-linux-. (thanks @kishaningithub, #378)

  self-hosted-runner:
      labels:
        - private-linux-*

• Fix a race condition bug when -format option is used for linting multiple workflow files. Thanks @ReinAchten-TomTom for your help on the investigation. (#370)
• Fix a race condition due to conflicts between some goroutine which starts to run shellcheck process and other goroutine which starts to wait until all processes finish.
• The popular actions data set was updated to the latest and the following actions were newly added. (thanks @jmarshall, #380)
  • google-github-actions/auth
  • google-github-actions/get-secretmanager-secrets
  • google-github-actions/setup-gcloud
  • google-github-actions/upload-cloud-storage
  • pulumi/actions
  • pypa/gh-action-pypi-publish
• Add support for larger runner labels. The following labels are added. (thanks @therealdwright, #371)
  • windows-latest-8-cores
  • ubuntu-latest-4-cores
  • ubuntu-latest-8-cores
  • ubuntu-latest-16-cores
• The following WebHook types are supported for pull_request event.
  • enqueued
  • dequeued
  • milestoned
  • demilestoned
• Explain how to control shellckeck behavior in the shellcheck rule document. Use SHELLCHECK_OPTS environment variable to pass arguments to shellcheck. See the shellcheck's official document for more details.

  # Enable some optional rules
  SHELLCHECK_OPTS='--enable=avoid-nullary-conditions' actionlint
  # Disable some rules
  SHELLCHECK_OPTS='--exclude=SC2129' actionlint
  

• Explicitly specify docker.io host name in pre-commit hook. (thanks @gotmax23, #382)
• Explain how to report issues and send patches in CONTRIBUTING.md.
• Fix the link to super-linter project. (thanks @zkoppert, #376)
• Add the instruction to install actionlint via the Arch Linux's official repository. (thanks @sorairolake, #381)
• Prefer fixed revisions in the pre-commit usage. (thanks @corneliusroemer, #354)
• Add instructions to use actionlint with Emacs. (thanks @tirimia, #341)
• Add instructions to use actionlint with Vim and Neovim text editors.
• Add actionlint.RuleBase.Config method to get the actionlint configuration passed to rules. (thanks @hugo-syn, #387)
• Add actionlint.ContainsExpression function to check if the given string contains ${{ }} placeholders or not. (thanks @hugo-syn, #388)
• Support Go 1.22 and set the minimum supported Go version to 1.18 for x/sys package.
• Update Go dependencies to the latest.

v1.6.26

• Several template fields and template actions were added. All fields and actions are listed in the document. Please read it for more details. (#311)
  • By these additions, now actionlint can output the result in the SARIF format. SARIF is a format for the output of static analysis tools used by GitHub CodeQL. the example Go template to format actionlint output in SARIF.

    actionlint -format "$(cat /path/to/sarif_template.txt)" > output.json

  • allKinds returns the kinds (lint rules) information as an array. You can include what lint rules are defined in the command output.
  • toPascalCase converts snake case (foo_bar) or kebab case (foo-bar) into pascal case (FooBar).
• Report an error when the condition at if: is always evaluated to true. See the check document to know more details. (#272)

  # ERROR: All the following `if:` conditions are always evaluated to true
  - run: echo 'Commit is pushed'
    if: |
      ${{ github.event_name == 'push' }}
  - run: echo 'Commit is pushed'
    if: "${{ github.event_name == 'push' }} "
  - run: echo 'Commit is pushed to main'
    if: ${{ github.event_name == 'push' }} && ${{ github.ref_name == 'main' }}

• Fix actionlint didn't understand ${{ }} placeholders in environment variable names. (#312)

  env:
    "${{ steps.x.outputs.value }}": "..."

• Fix type of matrix row when some expression is assigned to it with ${{ }} (#285)

  strategy:
    matrix:
      test:
        # Matrix rows are assigned from JSON string
        - ${{ fromJson(inputs.matrix) }}
  steps:
    - run: echo ${{ matrix.test.foo.bar }}

• Fix checking exclude of matrix was incorrect when some matrix row is dynamically constructed with ${{ }}. (#261)

  strategy:
    matrix:
      build-type:
        - debug
        - ${{ fromJson(inputs.custom-build-type) }}
      exclude:
        # 'release' is not listed in 'build-type' row, but it should not be reported as error
        # since the second row of 'build-type' is dynamically constructed with ${{ }}.
        - build-type: release

• Fix checking exclude of matrix was incorrect when object is nested at row of the matrix. (#249)

  matrix:
    os:
      - name: Ubuntu
        matrix: ubuntu
      - name: Windows
        matrix: windows
    arch:
      - name: ARM
        matrix: arm
      - name: Intel
        matrix: intel
    exclude:
      # This should exclude { os: { name: Windows, matrix: windows }, arch: {name: ARM, matrix: arm } }
      - os:
          matrix: windows
        arch:
          matrix: arm

• Fix data race when actionlint.yml config file is used by multiple goroutines to check multiple workflow files. (#333)
• Check keys' case sensitivity. (#302)

  steps:
    # ERROR: 'run:' is correct
    - ruN: echo "hello"

• Add number as input type of workflow_dispatch event. (#316)
• Check max number of inputs of workflow_dispatch event is 10.
• Check numbers at timeout-minutes and max-parallel are greater than zero.
• Add Go APIs to define a custom rule. Please read the code example to know the usage.
  • Make some RuleBase methods public which are useful to implement your own custom rule type. (thanks @hugo-syn, #327, #331)
  • OnRulesCreated field is added to LinterOptions struct. You can modify applied rules with the hook (add your own rule, remove some rule, ...).
• Add NewProject() Go API to create a Project instance.
• Fix tests failed when sources are downloaded from .tar.gz link. (#307)
• Improve the pre-commit document to explain all pre-commit hooks by this repository.
• Clarify the regular expression syntax of -ignore option is RE2. (#320)
• Use ubuntu-latest runner to create winget release. (thanks @sitiom, #308)
• Update popular actions data set, available contexts, webhook types to the latest.
  • Fix typo in watch webhook's types (thanks @suzuki-shunsuke, #334)
  • Add secret_source property to github context. (thanks @asml-mdroogle, #339)
  • Many new major releases are added to the popular actions data set (including actions/checkout@v4).
• Use Go 1.21 to build release binaries.
• Update Go dependencies to the latest. (thanks @harryzcy, #322)

v1.6.25

• Parse new syntax at runs-on:. Now runs-on: can have group: and labels: configurations. Please read the official document for more details. (#280)

  runs-on:
    group: ubuntu-runners
    labels: ubuntu-20.04-16core

• Add support for macOS XL runners. macos-latest-xl, macos-13-xl, macos-12-xl labels are available at runs-on:. (#299, thanks @woa7)
• Find Git project directory from -stdin-filename command line argument. Even if the workflow content is passed via stdin, actionlint can recognize reusable workflows depended by the workflow using file path passed at -stdin-filename argument. (#283)
• Fix order of errors is not deterministic when multiple errors happen at the same location (file name, line number, column number). It happens only when building actionlint with Go 1.20 or later.
• Fix type name of watch webhook.
• Fix type of matrix row (property of matrix context) when ${{ }} is used in the row value. (#294)
• Fix go install ./... doesn't work. (#297)
• Update actionlint pre-commit hook to use Go toolchain. Now pre-commit automatically installs actionlint command so you don't need to install it manually. Note that this hook requires pre-commit v3.0.0 or later. For those who don't have Go toolchain, the previous hook is maintained as actionlint-system hook. Please read the document to know the usage details. (#301, thanks @Freed-Wu and @dokempf)
• Update Go dependencies to the latest.
• Update npm dependencies for playground to the latest and fix optimizing Wasm binary with wasm-opt.
• Update popular actions data set. New major versions and new inputs of many popular actions are now supported like sparse-checkout input of actions/checkout action. (#305)
• Fix outdated document for Problem Matchers. (#289, thanks @carlcsaposs-canonical)
• Fix outdated links in document for super-linter. (#303, thanks @gmacario)
• Automate releasing the Winget package with GitHub Actions. (#276, #293, thanks @sitiom)

v1.6.24

• Add support for configuration variables. However actionlint doesn't know what variables are defined in the repository on GitHub. To notify them, you need to configure your variables in your repository.

  config-variables:
    - DEFAULT_RUNNER
    - DEFAULT_TIMEOUT

• Fix type error when inputs context is shared by multiple events. (#263)
• Add document for how to install actionlint with winget. (#267, thanks @sitiom)
• Add document for how to integrate actionlint to trunk.io. (#269, thanks @dapirian)
• Add document for how to install actionlint with Nix package manager. (#273, thanks @diohabara)
• Update popular actions data set to the latest
• Add support for Go 1.20 and build release binaries with Go 1.20

v1.6.23

• Fix using vars context causes 'undefined context' error. This context is for 'Variables' feature which was recently added to GitHub Actions. (#260)

  - name: Use variables
    run: |
      echo "repository variable : ${{ vars.REPOSITORY_VAR }}"
      echo "organization variable : ${{ vars.ORGANIZATION_VAR }}"
      echo "overridden variable : ${{ vars.OVERRIDE_VAR }}"
      echo "variable from shell environment : $env_var"

• Fix 'no property' error on accessing some github context's properties which were added recently. (#259)
• Update popular actions data set and add some new actions to it
  • actions/dependency-review-action
  • dtolnay/rust-toolchain
• Playground is improved by making the right pane sticky. It is useful when many errors are reported. (#253, thanks @ericcornelissen)
• Update Go modules dependencies and playground dependencies

v1.6.22

• Detect deprecated workflow commands such as set-output or save-state and suggest the alternative. See the document for more details. (#234)

  # ERROR: This format of 'set-output' workflow command was deprecated
  - run: echo '::set-output name=foo::bar'

• Fix that ${{ }} expression at on.workflow_call.inputs.<id>.default caused an error. (#235)

  on:
    workflow_call:
      inputs:
        project:
          type: string
          # OK: The default value is generated dynamically
          default: ${{ github.event.repository.name }}

• Improve type of inputs context to grow gradually while checking inputs in workflow_call event.

  on:
    workflow_call:
      inputs:
        input1:
          type: string
          # ERROR: `input2` is not defined yet
          default: ${{ inputs.input2 }}
        input2:
          type: string
          # OK: `input1` was already defined above
          default: ${{ inputs.input1 }}

• Check types of default values of workflow call inputs even if ${{ }} expression is used.

  on:
    workflow_call:
      inputs:
        input1:
          type: boolean
        input2:
          type: number
          # ERROR: Boolean value cannot be assigned to number
          default: ${{ inputs.input1 }}

• Fix the download script is broken since GHE server does not support the new set-output format yet. (#240)
• Replace the deprecated set-output workflow command in our own workflows. (#239, thanks @Mrtenz)
• Popular actions data set was updated to the latest as usual.

v1.6.21

• Check contexts availability. Some contexts limit where they can be used. For example, jobs.<job_id>.env workflow key does not allow accessing env context, but jobs.<job_id>.steps.env allows. See the official document for the complete list of contexts availability. (#180)

  ...
  
  env:
    TOPLEVEL: ...
  
  jobs:
    test:
      runs-on: ubuntu-latest
      env:
        # ERROR: 'env' context is not available here
        JOB_LEVEL: ${{ env.TOPLEVEL }}
      steps:
        - env:
            # OK: 'env' context is available here
            STEP_LEVEL: ${{ env.TOPLEVEL }}
          ...

  actionlint reports the context is not available and what contexts are available as follows:

  test.yaml:11:22: context "env" is not allowed here. available contexts are "github", "inputs", "matrix", "needs", "secrets", "strategy". see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details [expression]
     |
  11 |       JOB_LEVEL: ${{ env.TOPLEVEL }}
     |                      ^~~~~~~~~~~~
  

• Check special functions availability. Some functions limit where they can be used. For example, status functions like success() or failure() are only available in conditions of if:. See the official document for the complete list of special functions availability. (#214)

  ...
  
  steps:
    # ERROR: 'success()' function is not available here
    - run: echo 'Success? ${{ success() }}'
      # OK: 'success()' function is available here
      if: success()

  actionlint reports success() is not available and where the function is available as follows:

  test.yaml:8:33: calling function "success" is not allowed here. "success" is only available in "jobs.<job_id>.if", "jobs.<job_id>.steps.if". see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details [expression]
    |
  8 |       - run: echo 'Success? ${{ success() }}'
    |                                 ^~~~~~~~~
  

• Fix inputs context is not available in run-name: section. (#223)
• Allow dynamic shell configuration like shell: ${{ env.SHELL }}.
• Fix no error is reported when on: does not exist at toplevel. (#232)
• Fix an error position is not correct when the error happens at root node of workflow AST.
• Fix an incorrect empty event is parsed when on: section is empty.
• Fix the error message when parsing an unexpected key on toplevel. (thanks @norwd, #231)
• Add in_progress type to workflow_run webhook event trigger.
• Describe the actionlint extension for Nova.app in the usage document. (thanks @jbergstroem, #222)
• Note Super-Linter uses a different place for configuration file. (thanks @per-oestergaard, #227)
• Add actions/setup-dotnet@v3 to popular actions data set.
• generate-availability script was created to scrape the information about contexts and special functions availability from the official document. The information can be used through actionlint.WorkflowKeyAvailability() Go API. This script is run once a week on CI to keep the information up-to-date.

v1.6.20

• Support run-name which GitHub introduced recently. It is a name of workflow run dynamically configured. See the official document for more details. (#220)

  on: push
  run-name: Deploy by @${{ github.actor }}
  
  jobs:
    ...

• Add end_column property to JSON representation of error. The property indicates a column of the end position of ^~~~~~~ indicator in snippet. Note that end_column is equal to column when the indicator cannot be shown. (#219)

  $ actionlint -format '{{json .}}' test.yaml | jq
  [
    {
      "message": "property \"unknown_prop\" is not defined in object type {arch: string; debug: string; name: string; os: string; temp: string; tool_cache: string; workspace: string}",
      "filepath": "test.yaml",
      "line": 7,
      "column": 23,
      "kind": "expression",
      "snippet": "      - run: echo ${{ runner.unknown_prop }}\n                      ^~~~~~~~~~~~~~~~~~~",
      "end_column": 41
    }
  ]

• Overhaul the workflow parser to parse workflow keys in case-insensitive. This is a work derived from the fix of #216. Now the parser parses all workflow keys in case-insensitive way correctly. Note that permission names at permissions: are exceptionally case-sensitive.
  • This fixes properties of inputs for workflow_dispatch were not case-insensitive.
  • This fixes inputs and outputs of local actions were not handled in case-insensitive way.
• Update popular actions data set. actions/stale@v6 was newly added.

v1.6.19

• Fix inputs, outputs, and secrets of reusable workflow should be case-insensitive. (#216)

  # .github/workflows/reusable.yaml
  on:
    workflow_call:
      inputs:
        INPUT_UPPER:
          type: string
        input_lower:
          type: string
      secrets:
        SECRET_UPPER:
        secret_lower:
  ...
  
  # .github/workflows/test.yaml
  ...
  
  jobs:
    caller:
      uses: ./.github/workflows/reusable.yaml
      # Inputs and secrets are case-insensitive. So all the followings should be OK
      with:
        input_upper: ...
        INPUT_LOWER: ...
      secrets:
        secret_upper: ...
        SECRET_LOWER: ...

• Describe how to install specific version of actionlint binary with the download script. (#218)