Releases: rhysd/actionlint
v1.5.3
- Now actionlint allows to use any operators outside
${{ }}
onif:
condition likeif: github.repository_owner == 'rhysd'
(#22). The official document said that using any operator outside${{ }}
was invalid even if it was onif:
condition. However, github/docs#8786 clarified that the document was not correct.
v1.5.2
- Outputs of dorny/paths-filter are now not typed strictly because the action dynamically sets outputs which are not defined in its
action.yml
. actionlint cannot check such outputs statically (#18). - The table for checking Webhooks supported by GitHub Actions is now generated from the official document automatically with script. The table continues to be updated weekly by the CI workflow.
- Improve error messages while lexing expressions as follows.
- Fix column numbers are off-by-one on some lexer errors.
- Fix checking invalid numbers where some digit follows zero in a hex number (e.g.
0x01
) or an exponent part of number (e.g.1e0123
). - Fix a parse error message when some tokens still remain after parsing finishes.
- Refactor the expression lexer to lex an input incrementally. It slightly reduces memory consumption.
Lex error until v1.5.1:
test.yaml:9:26: got unexpected character '+' while lexing expression, expecting '_', '\'', '}', '(', ')', '[', ']', '.', '!', '<', '>', '=', '&', '|', '*', ',', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z' [expression]
Lex error from v1.5.2:
test.yaml:9:26: got unexpected character '+' while lexing expression, expecting 'a'..'z', 'A'..'Z', '0'..'9', ''', '}', '(', ')', '[', ']', '.', '!', '<', '>', '=', '&', '|', '*', ',', '_' [expression]
v1.5.1
- Improve checking the intervals of scheduled events (#14, #15). Since GitHub Actions limits the interval to once every 5 minutes, actionlint now reports an error when a workflow is configured to be run once per less than 5 minutes.
- Skip checking inputs of octokit/request-action since it allows to specify arbitrary inputs though they are not defined in its
action.yml
(#16).- Outputs of the action are still be typed strictly. Only its inputs are not checked.
- The help text of
actionlint
is now hosted online: https://rhysd.github.io/actionlint/usage.html - Add new fuzzing target for parsing glob patterns.
v1.5.0
action
rule now validates inputs of popular actions atwith:
. When a required input is not specified or an undefined input is specified, actionlint will report it.- Popular actions are updated automatically once a week and the data set is embedded to executable directly. The check does not need any network request and does not affect performance of actionlint. Sources of the actions are listed here. If you have some request to support new action, please report it at the issue form.
- Please see the document for example (Playground).
expression
rule now types outputs of popular actions (type ofsteps.{id}.outputs
object) more strictly.- For example,
actions/cache@v2
setscache-hit
output. The outputs object is typed as{ cache-hit: any }
. Previously it was typed asany
which means no further type check was performed. - Please see the second example of the document (Playground).
- For example,
- Outputs of local actions (their names start with
./
) are also typed more strictly as well as popular actions. - Metadata (
action.yml
) of local actions are now cached to avoid reading and parsingaction.yml
files repeatedly for the same action. - Add new rule
permissions
to check permission scopes for defaultsecrets.GITHUB_TOKEN
. Please see the document for more details (Playground). - Structure of
actionlint.Permissions
struct was changed. A parser no longer checks values ofpermissions:
configuration. The check is now done bypermissions
rule.
v1.4.3
- Support new Webhook events
discussion
anddiscussion_comment
(#8). - Read file concurrently with limiting concurrency to number of CPUs. This improves performance when checking many files and disabling shellcheck/pyflakes integration.
- Support Linux based on musl libc by the download script (#5).
- Reduce number of goroutines created while running shellcheck/pyflakes processes. This has small impact on memory usage when your workflows have many
run:
steps. - Reduce built binary size by splitting an external library which is only used for debugging into a separate command line tool.
- Introduce several micro benchmark suites to track performance.
- Enable code scanning for Go/TypeScript/JavaScript sources in actionlint repository.
v1.4.2
- Fix executables in the current directory may be used unexpectedly to run
shellcheck
orpyflakes
on Windows. This behavior could be security vulnerability since an attacker might put malicious executables in shared directories. actionlint searched an executable withexec.LookPath
, but it searched the current directory on Windows as golang/go#43724 pointed. Now actionlint usesexecabs.LookPath
instead, which does not have the issue. (ref: sharkdp/bat#1724) - Fix issue caused by running so many processes concurrently. Since checking workflows by actionlint is highly parallelized, checking many workflow files makes too many
shellcheck
processes and opens many files in parallel. This hit OS resources limitation (issue #3). Now reading files is serialized and number of processes run concurrently is limited for fixing the issue. Note that checking workflows is still done in parallel so this fix does not affect actionlint's performance. - Ensure cleanup processes even if actionlint stops due to some fatal issue while visiting a workflow tree.
- Improve fatal error message to know which workflow file caused the error.
- Playground improvements
- "Permalink" button was added to make permalink directly linked to the current workflow source code. The source code is embedded in hash of the URL.
- "Check" button and URL input form was added to check workflow files on https://github.com or https://gist.github.com easily. Visit a workflow file on GitHub, copy the URL, paste it to the input form and click the button. It instantly fetches the workflow file content and checks it with actionlint.
u=
URL parameter was added to specify GitHub or Gist URL like https://rhysd.github.io/actionlint/?u=https://github.com/rhysd/actionlint/blob/main/.github/workflows/ci.yaml
v1.4.1
- A pre-built executable for
darwin/arm64
(Apple M1) was added to CI (#1)- Managing
actionlint
command with Homebrew on M1 Mac is now available. See the instruction for more details - Since the author doesn't have M1 Mac and GitHub Actions does not support M1 Mac yet, the built binary is not tested
- Managing
- Pre-built executables are now built with Go 1.16 compiler (previously it was 1.15)
- Fix error message is sometimes not in one line when the error message was caused by go-yaml/yaml parser
- Fix playground does not work on Safari browsers on both iOS and Mac since they don't support
WebAssembly.instantiateStreaming()
yet - Make URLs in error messages clickable on playground
- Code base of playground was migrated from JavaScript to Typescript along with improving error handlings
v1.4.0
- New rule to validate glob pattern syntax to filter branches, tags and paths. For more details, see documentation.
- syntax errors like missing closing brackets for character range
[..]
- invalid usage like
?
following*
, invalid character range[9-1]
, ... - invalid character usage for Git ref names (branch name, tag name)
- ref name cannot start/end with
/
- ref name cannot contain
[
,:
,\
, ...
- ref name cannot start/end with
- syntax errors like missing closing brackets for character range
- Fix column of error position is off by one when the error is caused by quoted strings like
'...'
or"..."
. - Add
--norc
option toshellcheck
command to check shell scripts inrun:
in order not to be affected by any user configuration. - Improve some error messages
- Explain playground in
man
manual
v1.3.2
- actionlint playground was implemented thanks to WebAssembly. actionlint is now available on browser without installing anything. The playground does not send user's workflow content to any remote server.
- Some margins are added to code snippets in error message. See below examples. I believe it's easier to recognize code in bunch of error messages than before.
- Line number is parsed from YAML syntax error. Since errors from go-yaml/go don't have position information, previously YAML syntax errors are reported at line:0, col:0. Now line number is parsed from error message and set correctly (if error message includes line number).
- Code snippet is shown in error message even if column number of the error position is unknown.
- Fix error message on detecting duplicate of step IDs.
- Fix and improve validating arguments of
format()
calls. - All rule documents have links to actionlint playground with example code.
man
manual covers usage of actionlint on CI services.
Error message until v1.3.1:
test.yaml:4:13: invalid CRON format "0 */3 * *" in schedule event: Expected exactly 5 fields, found 4: 0 */3 * * [events]
4| - cron: '0 */3 * *'
| ^~
Error message at v1.3.2:
test.yaml:4:13: invalid CRON format "0 */3 * *" in schedule event: Expected exactly 5 fields, found 4: 0 */3 * * [events]
|
4 | - cron: '0 */3 * *'
| ^~
v1.3.1
- Files are checked in parallel. This made actionlint around 1.3x faster with 3 workflow files in my environment
- Manual for
man
command was added.actionlint.1
is included in released archives. If you installed actionlint via Homebrew, the manual is also installed automatically -version
now reports how the binary was built (Go version, arch, os, ...)- Added
Command
struct to manage entire command lifecycle - Order of checked files is now stable. When all the workflows in the current repository are checked, the order is sorted by file names
- Added fuzz target for rule checkers