Releases: rhysd/actionlint
v1.6.9
- Support `runner.arch` context value. (thanks @shogo82148, #101)
  ```yaml
  steps:
    - run: ./do_something_64bit.sh
      if: ${{ runner.arch == 'x64' }}
  ```
- Support calling reusable workflows in local directories. (thanks @jsok, #107)
  ```yaml
  jobs:
    call-workflow-in-local-repo:
      uses: ./.github/workflows/useful_workflow.yml
  ```
- Add a document to install actionlint via asdf version manager. (thanks @crazy-matt, #99)
- Fix that using `secrets.GITHUB_TOKEN` caused a type error when some other secret is defined. (thanks @mkj-is, #106)
- Fix a missing nil check on parsing `uses:` step. (thanks @shogo82148, #102)
- Fix some documents including broken links. (thanks @ohkinozomu, #105)
- Update popular actions data set to the latest. More arguments are added to many actions. And a few actions had new major versions.
- Update webhook payload data set to the latest.
  - `requested_action` type was added to `check_run` hook.
  - `requested` and `rerequested` types were removed from `check_suite` hook.
  - `updated` type was removed from `project` hook.
v1.6.8
- Untrusted inputs detection can detect untrusted inputs in object filter syntax. For example, `github.event.*.body` filters `body` properties and it includes the untrusted input `github.event.comment.body`. actionlint detects such filters and causes an error. The error message includes all untrusted input names which are filtered by the object filter so that you can easily know what inputs are untrusted. See the document for more details.

  Input example:
  ```yaml
  - name: Get comments
    run: echo '${{ toJSON(github.event.*.body) }}'
  ```
  Error message:
  ```
  object filter extracts potentially untrusted properties "github.event.comment.body", "github.event.discussion.body", "github.event.issue.body", ...
  ```
  Instead you should do:
  ```yaml
  - name: Get comments
    run: echo "$JSON"
    env:
      JSON: ${{ toJSON(github.event.*.body) }}
  ```
- Support the new input type syntax for `workflow_dispatch` event, which was introduced recently. You can declare types of inputs on triggering a workflow manually. actionlint does two things with this new syntax.
  - actionlint checks the syntax. Unknown input types, invalid default values, missing options for 'choice' type.
    ```yaml
    inputs:
      # Unknown input type
      id:
        type: number
      # ERROR: No options for 'choice' input type
      kind:
        type: choice
      name:
        type: choice
        options:
          - Tama
          - Mike
        # ERROR: Default value is not in options
        default: Chobi
      verbose:
        type: boolean
        # ERROR: Boolean value must be 'true' or 'false'
        default: yes
    ```
  - actionlint gives a strict object type to `github.event.inputs` so that a type checker can check unknown input names and type mismatches on using the value.
    ```yaml
    on:
      workflow_dispatch:
        inputs:
          message:
            type: string
          verbose:
            type: boolean
    # Type of `github.event.inputs` is {"message": string; "verbose": bool}
    jobs:
      test:
        runs-on: ubuntu-latest
        steps:
          # ERROR: Undefined input
          - run: echo "${{ github.event.inputs.massage }}"
          # ERROR: Bool value is not available for object key
          - run: echo "${{ env[github.event.inputs.verbose] }}"
    ```
  - See the document for more details.
- Add missing properties in `github` context. See the contexts document to know the full list of properties.
  - `github.ref_name` (thanks @dihmandrake, #72)
  - `github.ref_protected`
  - `github.ref_type`
- Filtered array by object filters is typed more strictly.
  ```
  # `env` is a map object { string => string }
  # Previously typed as array<any> now it is typed as array<string>
  env.*
  ```
- Update Go module dependencies and playground dependencies.
v1.6.7
- Fix missing property `name` in `runner` context object (thanks @ioanrogers, #67).
- Fix a false positive on type checking at `x.*` object filtering syntax where the receiver is an object. actionlint previously only allowed arrays as receiver of object filtering (#66).
  ```
  fromJSON('{"a": "from a", "b": "from b"}').*
  # => ["from a", "from b"]
  fromJSON('{"a": {"x": "from a.x"}, "b": {"x": "from b.x"}}').*.x
  # => ["from a.x", "from b.x"]
  ```
- Add rust-cache as new popular action.
- Remove `bottle: unneeded` from Homebrew formula (thanks @oppara, #63).
- Support `branch_protection_rule` webhook again.
- Update popular actions data set to the latest (#64, #70).
v1.6.6
- `inputs` and `secrets` objects are now typed looking at `workflow_call` event at `on:`. See the document for more details.
  - `inputs` object is typed with definitions at `on.workflow_call.inputs`. When the workflow is not callable, it is typed as `{}` (empty object) so any `inputs.*` access causes a type error.
  - `secrets` object is typed with definitions at `on.workflow_call.secrets`.

  ```yaml
  on:
    workflow_call:
      # `inputs` object is typed {url: string; lucky_number: number}
      inputs:
        url:
          description: 'your URL'
          type: string
        lucky_number:
          description: 'your lucky number'
          type: number
      # `secrets` object is typed {user: string; credential: string}
      secrets:
        user:
          description: 'your user name'
        credential:
          description: 'your credential'
  jobs:
    test:
      runs-on: ubuntu-20.04
      steps:
        - name: Send data
          # ERROR: uri is typo of url
          run: curl ${{ inputs.uri }} -d ${{ inputs.lucky_number }}
          env:
            # ERROR: credentials is typo of credential
            TOKEN: ${{ secrets.credentials }}
  ```
- `id-token` is added to permissions (thanks @cmmarslender, #62).
- Report an error on nested workflow calls since it is not allowed.
  ```yaml
  on:
    # This workflow is reusable
    workflow_call:
  jobs:
    test:
      # ERROR: Nested workflow call is not allowed
      uses: owner/repo/path/to/workflow.yml@ref
  ```
- Parse `uses:` at reusable workflow call more strictly following `{owner}/{repo}/{path}@{ref}` format.
- Popular actions data set was updated to the latest (#61).
- Dependencies of playground were updated to the latest (including eslint v8).
v1.6.5
- Support reusable workflows syntax which is now in beta. Only very basic syntax checks are supported at this time. Please see the document to know checks for reusable workflow syntax.
  - Example of `workflow_call` event
    ```yaml
    on:
      workflow_call:
        inputs:
          name:
            description: your name
            type: string
        secrets:
          token:
            required: true
    jobs:
      ...
    ```
  - Example of reusable workflow call with `uses:` at `job.<job_id>`
    ```yaml
    on: ...
    jobs:
      hello:
        uses: owner/repo/path/to/workflow.yml@main
        with:
          name: Octocat
        secrets:
          token: ${{ secrets.token }}
    ```
- Support `github.run_attempt` property in `${{ }}` expression (#57).
- Add support for `windows-2022` runner which is now in public beta.
- Remove support for `ubuntu-16.04` runner which was removed from GitHub Actions at the end of September.
- Ignore SC2154 shellcheck rule which can cause false positive (#53).
- Fix that error position was not correct when required keys do not exist in job configuration.
- Update popular actions data set. New major versions of github-script and lock-threads actions are supported (#59).
- Fix document (thanks @fornwall at #52, thanks @equal-l2 at #56).
- Now actionlint is an official package of Homebrew. Simply executing `brew install actionlint` can install actionlint.
v1.6.4
- Implement 'map' object types `{ string => T }`, where all properties of the object are typed as `T`. Since a key of object is always string, left hand side of `=>` is fixed to `string`. For example, `env` context only has string properties so it is typed as `{ string => string}`. Previously its properties were typed `any`.
  ```
  # typed as string (previously any)
  env.FOO
  # typed as { id: string; network: string; ports: object; } (previously any)
  job.services.redis
  ```
- `github.event.discussion.title` and `github.event.discussion.body` are now checked as untrusted inputs.
- Update popular actions data set. (#50, #51)
- Update webhooks payload data set. `branch_protection_rule` hook was dropped from the list due to github/docs@179a6d3. (#50, #51)
v1.6.3
- Improve guessing a type of matrix value. When a matrix contains numbers and strings, previously the type fell back to `any`. Now it is deduced as string.
  ```yaml
  strategy:
    matrix:
      # matrix.node is now deduced as `string` instead of `any`
      node: [14, 'latest']
  ```
- Fix types of `||` and `&&` expressions. Previously they were typed as `bool` but it was not correct. Correct type is sum of types of both sides of the operator like TypeScript. For example, type of `'foo' || 'bar'` is a string, and `github.event && matrix` is an object.
- actionlint no longer reports an error when a local action does not exist in the repository. It is a popular pattern that a local action directory is cloned while a workflow is running. (#25, #40)
- Disable SC2050 shellcheck rule since it causes some false positives. (#45)
- Fix that `-version` did not work when running actionlint via the Docker image (#47).
- Fix pre-commit hook file name. (thanks @xsc27, #38)
- New `branch_protection_rule` event is supported. (#48)
- Update popular actions data set. (#41, #48)
- Update Go library dependencies.
- Update playground dependencies.
v1.6.2
- actionlint now checks that evaluated values at `${{ }}` are neither an object nor an array since they are not useful. See the check document for more details.
  ```yaml
  # ERROR: This will always be replaced with `echo 'Object'`
  - run: echo '${{ runner }}'
  # OK: Serialize an object into JSON to check the content
  - run: echo '${{ toJSON(runner) }}'
  ```
- Add pre-commit support. pre-commit is a framework for managing Git `pre-commit` hooks. See the usage document for more details. (thanks @xsc27 for adding the integration at #33) (#23)
- Add an official Docker image. The Docker image contains shellcheck and pyflakes as dependencies. Now actionlint can be run with `docker run` command easily. See the usage document for more details. (thanks @xsc27 for the help at #34)
  ```sh
  docker run --rm -v $(pwd):/repo --workdir /repo rhysd/actionlint:latest -color
  ```
- Go 1.17 is now a default compiler to build actionlint. Built binaries are faster than before by 2~7% when the process is CPU-bound. Sizes of built binaries are about 2% smaller. Note that Go 1.16 continues to be supported.
- `windows/arm64` target is added to released binaries thanks to Go 1.17.
- Now any value can be converted into bool implicitly. Previously this was not permitted as actionlint provides stricter type check. However it is not useful that a condition like `if: github.event.foo` causes a type error.
- Fix that a prefix operator cannot be applied repeatedly like `!!42`.
- Fix a potential crash when type checking on expanding an object with `${{ }}` like `matrix: ${{ fromJSON(env.FOO) }}`
- Update popular actions data set (#36)
v1.6.1
- Problem Matchers is now officially supported by actionlint, which annotates errors from actionlint on GitHub. The matcher definition is maintained at `.github/actionlint-matcher.json` by script. For the usage, see the document.
- `runner_label` rule now checks conflicts in labels at `runs-on`. For example, there is no runner which meets both `ubuntu-latest` and `windows-latest`. This kind of misconfiguration sometimes happens when a beginner misunderstands the usage of `runs-on:`. To run a job on each runner, `matrix:` should be used. See the document for more information.
  ```yaml
  on: push
  jobs:
    test:
      # These labels match to no runner
      runs-on: [ubuntu-latest, windows-latest]
      steps:
        - run: echo ...
  ```
- Reduce memory footprint (around 16%) on starting `actionlint` command by removing unnecessary data from `PopularActions` global variable. This also slightly reduces binary size (about 3.7% at `playground/main.wasm`).
- Fix that accessing `steps.*` objects in job's `environment:` configuration caused a type error (#30).
- Fix that checking action's input names at `with:` was not case insensitive (#31).
- Ignore outputs of getsentry/paths-filter. It is a fork of dorny/paths-filter. actionlint cannot check the outputs statically because it sets outputs dynamically.
- Add Azure/functions-action to popular actions.
- Update popular actions data set (#29).
v1.6.0
- Check potentially untrusted inputs to prevent a script injection vulnerability at `run:` and `script` input of actions/github-script. See the rule document for more explanations and workflow example. (thanks @azu for the feature request at #19)

  Incorrect code
  ```yaml
  - run: echo '${{ github.event.pull_request.title }}'
  ```
  should be replaced with
  ```yaml
  - run: echo "issue ${TITLE}"
    env:
      TITLE: ${{github.event.issue.title}}
  ```
- Add `-format` option to `actionlint` command. It allows you to flexibly format error messages as you like with Go template syntax. See the usage document for more details. (thanks @ybiquitous for the feature request at #20)

  Simple example to output error messages as JSON:
  ```sh
  actionlint -format '{{json .}}'
  ```
  More complicated example to output error messages as markdown:
  ```sh
  actionlint -format '{{range $ := .}}### Error at line {{$.Line}}, col {{$.Column}} of `{{$.Filepath}}`\n\n{{$.Message}}\n\n```\n{{$.Snippet}}\n```\n\n{{end}}'
  ```
- Documents are reorganized. Long `README.md` is separated into several document files (#28)
  - `README.md`: Introduction, Quick start, Document links
  - `docs/checks.md`: Full list of all checks done by actionlint with example inputs, outputs, and playground links
  - `docs/install.md`: Installation instruction
  - `docs/usage.md`: Advanced usage of `actionlint` command, usage of playground, integration with reviewdog, Problem Matchers, super-linter
  - `docs/config.md`: About configuration file
  - `doc/api.md`: Using actionlint as Go library
  - `doc/reference.md`: Links to resources
- Fix that checking shell names was not case-insensitive, for example `PowerShell` was detected as invalid shell name
- Update popular actions data set to the latest
- Make lexer errors on checking `${{ }}` expressions more meaningful
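
The untrusted-input check described under v1.6.0 and v1.6.8, including object filters such as `github.event.*.body`, sketched as an added Go example that is not actionlint's own code. The input list is a constructed subset of the names on this page, and `FindUntrusted`, `matches` and the regular-expression scan are assumptions standing in for real expression parsing.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	// Constructed subset of untrusted inputs named on this page, not actionlint's own table.
	untrusted = []string{
		"github.event.comment.body", "github.event.discussion.body",
		"github.event.discussion.title", "github.event.issue.body",
		"github.event.issue.title", "github.event.pull_request.title",
	}
	exprRe = regexp.MustCompile(`\$\{\{(.*?)\}\}`) // body of each ${{ }}
	pathRe = regexp.MustCompile(`[A-Za-z_][\w-]*(?:\.(?:\*|[A-Za-z_][\w-]*))+`)
)

// matches reports whether path selects target; "*" (object filter) matches any one property.
func matches(path, target string) bool {
	p, t := strings.Split(strings.ToLower(path), "."), strings.Split(target, ".")
	for i := range p {
		if len(p) != len(t) || (p[i] != "*" && p[i] != t[i]) {
			return false
		}
	}
	return true
}

// FindUntrusted lists untrusted inputs a run: script interpolates via ${{ }}.
func FindUntrusted(script string) []string {
	var found []string
	for _, m := range exprRe.FindAllStringSubmatch(script, -1) {
		for _, path := range pathRe.FindAllString(m[1], -1) {
			for _, u := range untrusted {
				if matches(path, u) {
					found = append(found, u)
				}
			}
		}
	}
	return found
}

func main() {
	fmt.Println(FindUntrusted("echo '${{ toJSON(github.event.*.body) }}'"))
}
```

The `env:` form from the notes returns no findings because the shell variable `${TITLE}` is not a `${{ }}` expression, so nothing is substituted into the script text before the shell parses it.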