v1.6.8
- Untrusted inputs detection can detect untrusted inputs in object filter syntax. For example, `github.event.*.body` filters `body` properties, and the result includes the untrusted input `github.event.comment.body`. actionlint detects such filters and reports an error. The error message lists all untrusted input names selected by the object filter so that you can easily see which inputs are untrusted. See the document for more details.

  Input example:

  ```yaml
  - name: Get comments
    run: echo '${{ toJSON(github.event.*.body) }}'
  ```

  Error message:

  ```
  object filter extracts potentially untrusted properties "github.event.comment.body", "github.event.discussion.body", "github.event.issue.body", ...
  ```

  Instead you should do:

  ```yaml
  - name: Get comments
    run: echo "$JSON"
    env:
      JSON: ${{ toJSON(github.event.*.body) }}
  ```
- Support the new input type syntax for the `workflow_dispatch` event, which was introduced recently. You can declare the types of inputs used when triggering a workflow manually. actionlint does two things with this new syntax.
  - actionlint checks the syntax: unknown input types, invalid default values, and missing options for the 'choice' type.

    ```yaml
    inputs:
      # Unknown input type
      id:
        type: number
      # ERROR: No options for 'choice' input type
      kind:
        type: choice
      name:
        type: choice
        options:
          - Tama
          - Mike
        # ERROR: Default value is not in options
        default: Chobi
      verbose:
        type: boolean
        # ERROR: Boolean value must be 'true' or 'false'
        default: yes
    ```
  - actionlint gives a strict object type to `github.event.inputs` so that the type checker can catch unknown input names and type mismatches where the value is used.

    ```yaml
    on:
      workflow_dispatch:
        inputs:
          message:
            type: string
          verbose:
            type: boolean
    # Type of `github.event.inputs` is {"message": string; "verbose": bool}
    jobs:
      test:
        runs-on: ubuntu-latest
        steps:
          # ERROR: Undefined input
          - run: echo "${{ github.event.inputs.massage }}"
          # ERROR: Bool value is not available for object key
          - run: echo "${{ env[github.event.inputs.verbose] }}"
    ```
  - See the document for more details.
- Add missing properties in `github` context. See the contexts document to know the full list of properties.
  - `github.ref_name` (thanks @dihmandrake, #72)
  - `github.ref_protected`
  - `github.ref_type`
- Filtered array by object filters is typed more strictly.

  ```
  # `env` is a map object { string => string }
  # Previously typed as array<any> now it is typed as array<string>
  env.*
  ```
- Update Go module dependencies and playground dependencies.
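
The object-filter check from the first item above, reduced to its core idea. This is an added sketch, not actionlint's own code: the names `untrustedInputs`, `matchFilter` and `ExtractedUntrusted` are hypothetical, the input list is a constructed subset, and `*` is assumed to match exactly one property name.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed subset of attacker-controllable inputs (assumption for this
// sketch; the real list is longer).
var untrustedInputs = []string{
	"github.event.comment.body",
	"github.event.discussion.body",
	"github.event.issue.body",
	"github.event.issue.title",
	"github.head_ref",
}

// matchFilter reports whether the concrete property path is selected by
// pattern, where a "*" segment (object filter) matches any single property.
func matchFilter(pattern, path string) bool {
	p, q := strings.Split(pattern, "."), strings.Split(path, ".")
	if len(p) != len(q) {
		return false
	}
	for i := range p {
		if p[i] != "*" && p[i] != q[i] {
			return false
		}
	}
	return true
}

// ExtractedUntrusted returns every untrusted input that the given property
// access, with or without object filters, can evaluate to.
func ExtractedUntrusted(expr string) []string {
	var hits []string
	for _, in := range untrustedInputs {
		if matchFilter(expr, in) {
			hits = append(hits, in)
		}
	}
	return hits
}

func main() {
	exprs := []string{"github.event.*.body", "github.event.issue.title", "github.event.*.number"}
	for _, e := range exprs {
		fmt.Printf("%-26s -> %q\n", e, ExtractedUntrusted(e))
	}
}
```

A linter built on this would flag any `${{ }}` expression inside `run:` for which the result is non-empty and name each hit in the message, as the error shown above does.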