
v1.6.8

@github-actions github-actions released this 15 Nov 07:44
· 944 commits to main since this release
  • Untrusted inputs detection now detects untrusted inputs in object filter syntax. For example, github.event.*.body filters the body properties, which include the untrusted input github.event.comment.body. actionlint detects such filters and reports an error. The error message lists all untrusted input names selected by the object filter, so you can easily see which inputs are untrusted. See the document for more details.
    Input example:
    - name: Get comments
      run: echo '${{ toJSON(github.event.*.body) }}'
    Error message:
    object filter extracts potentially untrusted properties "github.event.comment.body", "github.event.discussion.body", "github.event.issue.body", ...
    
    Instead you should do:
    - name: Get comments
      run: echo "$JSON"
      env:
        JSON: ${{ toJSON(github.event.*.body) }}
  • Support the new input type syntax for workflow_dispatch event, which was introduced recently. You can declare types of inputs on triggering a workflow manually. actionlint does two things with this new syntax.
    • actionlint checks the syntax. It reports unknown input types, invalid default values, and missing options for the 'choice' type.
      inputs:
        # ERROR: Unknown input type
        id:
          type: number
        # ERROR: No options for 'choice' input type
        kind:
          type: choice
        name:
          type: choice
          options:
            - Tama
            - Mike
          # ERROR: Default value is not in options
          default: Chobi
        verbose:
          type: boolean
          # ERROR: Boolean value must be 'true' or 'false'
          default: yes
    • actionlint gives a strict object type to github.event.inputs so that the type checker can catch unknown input names and type mismatches where the value is used.
      on:
        workflow_dispatch:
          inputs:
            message:
              type: string
            verbose:
              type: boolean
      # Type of `github.event.inputs` is {"message": string; "verbose": bool}
      jobs:
        test:
          runs-on: ubuntu-latest
          steps:
            # ERROR: Undefined input
            - run: echo "${{ github.event.inputs.massage }}"
            # ERROR: Bool value is not available for object key
            - run: echo "${{ env[github.event.inputs.verbose] }}"
    • See the document for more details.
  • Add missing properties in the github context. See the contexts document for the full list of properties.
    • github.ref_name (thanks @dihmandrake, #72)
    • github.ref_protected
    • github.ref_type
  • Arrays filtered by object filters are typed more strictly.
    # `env` is a map object { string => string }
    # Previously typed as array<any>; now it is typed as array<string>
    env.*
    env.*
    
  • Update Go module dependencies and playground dependencies.
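
The object filter check from the first item above, sketched as an added example (not actionlint's own code): it expands filters such as github.event.*.body against a list of untrusted inputs and reports the ones a `${{ }}` expression would paste into a `run:` script. The `untrusted` list is a constructed subset, and the names `UntrustedInScript` and `matchFilter` are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed subset for illustration; actionlint's built-in list is longer.
var untrusted = []string{
	"github.event.comment.body", "github.event.discussion.body",
	"github.event.issue.body", "github.event.issue.title", "github.head_ref",
}

var (
	exprRe = regexp.MustCompile(`\$\{\{(.*?)\}\}`) // ${{ ... }} placeholders
	pathRe = regexp.MustCompile(`[a-z_][a-z0-9_]*(?:\.(?:\*|[a-z_][a-z0-9_-]*))+`)
)

// matchFilter reports whether path is selected by filter; "*" matches one segment.
func matchFilter(filter, path string) bool {
	f, p := strings.Split(filter, "."), strings.Split(path, ".")
	if len(f) != len(p) {
		return false
	}
	for i := range f {
		if f[i] != "*" && f[i] != p[i] {
			return false
		}
	}
	return true
}

// UntrustedInScript lists the untrusted inputs that ${{ }} expressions in a
// run: script select, directly or through an object filter.
func UntrustedInScript(script string) []string {
	var filters []string
	for _, m := range exprRe.FindAllStringSubmatch(script, -1) {
		// Context names are case-insensitive in expressions.
		filters = append(filters, pathRe.FindAllString(strings.ToLower(m[1]), -1)...)
	}
	hits := []string{}
	for _, u := range untrusted {
		for _, f := range filters {
			if matchFilter(f, u) {
				hits = append(hits, u)
				break
			}
		}
	}
	return hits
}

func main() {
	fmt.Println(UntrustedInScript("echo '${{ toJSON(github.event.*.body) }}'"))
	fmt.Println(UntrustedInScript(`echo "$JSON"`)) // value passed via env: nothing in the script
}
```

The second call mirrors the recommended form: the expression lives under `env:`, so the script text itself contains no placeholder for the check to flag.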