• Add support for ubuntu-slim runner label. (#585, thanks @cestorer)
• Check input deprecation in action by checking deprecationMessage property. Using a deprecated input is reported as error if it is not marked as required. See the document for more details. (#580)

  - uses: reviewdog/action-actionlint@v1
    with:
      # ERROR: Using a deprecated input
      fail_on_error: true

• Add support for the Custom images feature.
  • Support image_version workflow trigger.

    on:
      image_version:
        names:
          - "MyNewImage"
          - "MyOtherImage"
        versions:
          - 1.*
          - 2.*

  • Support jobs.<job_id>.snapshot syntax. To make actionlint recognize your own image generation runner, use self-hosted-runner.labels config.

    jobs:
      build:
        runs-on: my-image-generation-runner
        snapshot:
            image-name: my-custom-image
            version: 2.*

• Report constant conditions at if: like if: true as error. Only very simple expressions like true or false are detected for now. See the document for more details.
• Fix some invalid permissions are not reported as error in id-token and models scopes. (#582, thanks @holtkampjs)
• Fix args and entrypoint inputs are not recognized at uses: when it's not a Docker action. (#550)
• Set correct column in source position of YAML parse error.
• Fix credentials cannot be configured with ${{ }}. (#590)
• Improve messages in syntax errors on parsing steps (run: and uses:). Available keys suggestion is now more accurate and unexpected keys are detected more accurately.
• Fix the order of errors can be non-deterministic when multiple errors are caused at the same source positions.
• Improve error messages showing suggestions on detecting invalid permissions.
• Add instruction for installing actionlint with mise package manager. (#589, thanks @jylenhof)
• Fix outdated URLs in the document.
• Add new actionlint.AllContexts map constant in Go API that contains the information about all context availability.
• Update popular actions data set to the latest with several major versions of actions and the following new actions.
  • anthropics/claude-code-action
  • openai/codex-action
  • google-github-actions/run-gemini-cli
• Add make cov task to easily generate a code coverage report.
• Make installing the formula version of actionlint pacakge from tap of this repository with Homebrew a hard error. Install the cask version instead following the instruction in the error message.

• Support models permission in permissions section. (#531, thanks @muzimuzhi)
• Support job.check_run_id property. (#576, thanks @muzimuzhi for fixing the type at #577)
• Support node24 runtime at using section in action metadata. (#561, thanks @salmanmkc)
• Add support for the following runner labels.
  • macos-26 and macos-26-large (#572, thanks @muzimuzhi)
  • macos-15 (#572, thanks @muzimuzhi)
• Drop support for the following runner labels which are no longer supported by GitHub.
  • ubuntu-20.04 (#534, thanks @shogo82148)
  • windows-2019 (#572, thanks @muzimuzhi)
• Support deprecationMessage in action inputs metadata. (#540, thanks @saansh45)
• Support windows-11-arm runner. (#542, thanks @trim21)
• Handle ubuntu-latest runner label as ubuntu-24.04 and macos-latest runner label as macos-15.
• Report mixing Intel Mac labels and Arm Mac labels as error.
• Add new types to issues and pull_request_target webhooks.
• Update the popular actions data set to the latest and add more actions to it. (thanks @sethvargo for fixing the go generate scripts)
  • actions/create-github-app-token
  • actions/attest-sbom
  • actions/ai-inference
  • peter-evans/create-or-update-comment
  • release-drafter/release-drafter
  • SamKirkland/FTP-Deploy-Action
• Fix the version value in actionlint -version output can be empty.
• Fix outdated URL links in some error messages and documents.
• Homebrew formula in this repository is deprecated and Homebrew cask is newly added instead because GoReleaser no longer supports Homebrew formula update. Note that Homebrew's official actionlint formula is still maintained. Please read the documentation for more details.
• Drop support for Go 1.23 and earlier because they are no longer maintained officially. Go 1.24 and later are supported to build actionlint.
• Replace go-yaml/yaml@v3 package with yaml/go-yaml@v4 package. go-yaml/yaml was used for parsing workflow files however it was unmaintained. yaml/go-yaml is a successor of the library officially maintained by YAML organization. (#575)
• Improve error messages on parsing workflow and action metadata files.

• Support runner labels for Linux arm64 hosted runners. (#503, #504, thanks @martincostello)
  • ubuntu-24.04-arm
  • ubuntu-22.04-arm
• Update Go dependencies to the latest.
• Update the popular actions data set to the latest.
• Add Linux arm64 job to our CI workflow. Now actionlint is tested on the platform. (#507, thanks @cclauss)

• Fix using contexts at specific workflow keys is incorrectly reported as not allowed. Affected workflow keys are as follows. (#495, #497, #498, #500)
  • jobs.<job_id>.steps.with.args
  • jobs.<job_id>.steps.with.entrypoint
  • jobs.<job_id>.services.<service_id>.env
• Update Go dependencies to the latest.

• Strictly check available contexts in ${{ }} placeholders following the 'Context availability' table in the official document.
  • For example, jobs.<job_id>.defaults.run.shell allows env context but shell workflow keys in other places allow no context.

    defaults:
      run:
        # ERROR: No context is available here
        shell: ${{ env.SHELL }}
    
    jobs:
      test:
        runs-on: ubuntu-latest
        defaults:
          run:
            # OK: 'env' context is available here
            shell: ${{ env.SHELL }}
        steps:
          - run: echo hello
            # ERROR: No context is available here
            shell: ${{ env.SHELL}}

• Check a string literal passed to fromJSON() call. This pattern is popular to create array or object constants because GitHub Actions does not provide the literal syntax for them. See the document for more details. (#464)

  jobs:
    test:
      # ERROR: Key 'mac' does not exist in the object returned by the fromJSON()
      runs-on: ${{ fromJSON('{"win":"windows-latest","linux":"ubuntul-latest"}')['mac'] }}
      steps:
        - run: echo This is a special branch!
          # ERROR: Broken JSON string passed to fromJSON.
          if: contains(fromJSON('["main","release","dev"'), github.ref_name)

• Allow passing command arguments to -shellcheck argument. (#483, thanks @anuraaga)
  • This is useful when you want to use alternative build of shellcheck like go-shellcheck.

    actionlint -shellcheck="go run github.com/wasilibs/go-shellcheck/cmd/shellcheck@latest"

• Support undocumented repository_visibility, artifact_cache_size_limit, step_summary, output, state properties in github context. (#489, thanks @rasa for adding repository_visibility property)
• Remove macos-12 runner label from known labels because it was dropped from GitHub-hosted runners on Dec. 3 and is no longer available.
• Add windows-2025 runner label to the known labels. The runner is in public preview. (#491, thanks @ericcornelissen)
• Add black to the list of colors for branding.color action metadata. (#485, thanks @eifinger)
• Add table to the list of icons for branding.icon action metadata.
• Fix parsing escaped { in format() function call's first argument.
• Fix the incorrect join() function overload. join(s1: string, s2: string) was wrongly accepted.
• Update popular actions data set to the latest.
  • Add download-artifact/v3-node20 to the data set. (#468)
  • Fix missing the reviewdog/action-hadolint@v1 action input. (#487, thanks @mi-wada)
• Link to the documents of the stable version in actionlint man page and -help output.
• Refactor LintStdin() API example and some unit tests. (#472, #475, thanks @alexandear)
• Improve the configuration example in actionlint.yaml document to explain glob patterns for paths. (#481)

• Disallow the usage of popular actions that run on node16 runner. The node16 runner will reach the end of life on November 12.
  • In case of the error, please update your actions to the latest version so that they run on the latest node20 runner.
  • If you're using self-hosted runner and you cannot upgrade your runner to node20 soon, please consider to ignore the error by the paths configuration described below.
  • If you're using actions/upload-artifact@v3 and actions/download-artifact@v3 on GHES, please replace them with actions/upload-artifact@v3-node20 and actions/download-artifact@v3-node20. (#468)
• Provide the configuration for ignoring errors by regular expressions in actionlint.yml (or actionlint.yaml). Please see the document for more details. (#217, #342)
  • The paths is a mapping from the file path glob pattern to the corresponding configuration. The ignore configuration is a list of regular expressions to match error messages (similar to the -ignore command line option).

    paths:
      # This pattern matches any YAML file under the '.github/workflows/' directory.
      .github/workflows/**/*.yaml:
        ignore:
          # Ignore the specific error from shellcheck
          - 'shellcheck reported issue in this script: SC2086:.+'
      # This pattern only matches '.github/workflows/release.yaml' file.
      .github/workflows/release.yaml:
        ignore:
          # Ignore errors from the old runner check. This may be useful for (outdated) self-hosted runner environment.
          - 'the runner of ".+" action is too old to run on GitHub Actions'

  • This configuration was not implemented initially because I wanted to keep the configuration as minimal as possible. However, due to several requests for it, the configuration has now been added.
• Untrusted inputs check is safely skipped inside specific function calls. (#459, thanks @IlyaGulya)
  • For example, the following step contains the untrusted input github.head_ref, but it is safe because it's passed to the contains() argument.

    - run: echo "is_release_branch=${{ contains(github.head_ref, 'release') }}" >> "$GITHUB_OUTPUT"

  • For more details, please read the rule document.
• Recognize gcr.io and gcr.dev as the correct container registry hosts. (#463, thanks @takaidohigasi)
  • Note that it is recommended explicitly specifying the scheme like docker://gcr.io/....
• Remove macos-x.0 runner labels which are no longer available. (#452)
• Disable shellcheck SC2043 rule because it can cause false positives on checking run:. (#355)
  • The rule document was updated as well. (#466, thanks @risu729)
• Fix the error message was not deterministic when detecting cycles in needs dependencies.
• Fix the check for format() function was not applied when the function name contains upper case like Format(). Note that function names in ${{ }} placeholders are case-insensitive.
• Update the popular actions data set to the latest.
  • This includes the new ref and commit outputs of actions/checkout.
• Add actions/cache/save and actions/cache/restore to the popular actions data set.
• Links in the README.md now point to the document of the latest version tag instead of HEAD of main branch.
• Add Linter.LintStdin method dedicated to linting STDIN instead of handling STDIN in Command.
• (Dev) Add new check-checks script to maintain the 'Checks' document. It automatically updates the outputs and playground links for example inputs in the document. It also checks the document is up-to-date on CI. Please read the document for more details.

Documentation

• Remove macos-11 runner labels because macOS 11 runner was dropped on 6/28/2024. (#451, thanks @muzimuzhi)
• Support macos-15, macos-15-large, and macos-15-xlarge runner labels. The macOS 15 runner is not globally available yet, but they are available in beta. (#453, thanks @muzimuzhi)
• Release artifact includes checksums for the released binaries. The file name is actionlint_{version}_checksums.txt. (#449)
  • For example, the checksums for v1.7.3 can be found here.
• Fix download-path output is missing in actions/download-artifact@v3 action. (#442)
  • Note that the latest version actions/download-artifact@v4 was not affected by this issue.
• Support Go 1.23.

Documentation

• Fix child processes to run in parallel.
• Update the popular actions data set to the latest. (#442, #445, #446, #447, thanks @maikelvdh)
• Add support for checking branch filters on merge_group event. (#448, thanks @muzimuzhi)
• The playground now supports both light and dark modes and automatically applies the system's theme.
• Fix releasing a failure on making a new winget package. (#438, thanks @vedantmgoyal9)

• Support ubuntu-24.04 runner label, which was recently introduced as beta. (#425, thanks @bitcoin-tools)
• Remove the support for macos-10 runner label which was officially dropped about 2 years ago.
• Remove the support for windows-2016 runner label which was officially dropped about 2 years ago.
• Document URLs used in help output and links in the playground prefer specific version tag rather than main branch. For example,
  • Before: https://github.com/rhysd/actionlint/tree/main/docs
  • After: https://github.com/rhysd/actionlint/tree/v1.7.1/docs
• Fix actionlint wrongly reports an error when using ghcr.io or docker.io at image field of action metadata file of Docker action without docker:// scheme. (#428)

  runs:
    using: 'docker'
    # This should be OK
    image: 'ghcr.io/user/repo:latest'

• Fix checking preactjs/compressed-size-action@v2 usage caused a false positive. (#422)
• Fix an error message when invalid escaping is found in globs.
• The design of the playground page is overhauled following the upgrade of bulma package to v1.
  • Current actionlint version is shown in the heading.
  • The color theme is changed to the official dark theme.
  • The list of useful links is added to the bottom of the page as 'Resources' section.

• From this version, actionlint starts to check action metadata file action.yml (or action.yaml). At this point, only very basic checks are implemented and contents of steps: are not checked yet.
  • It checks properties under runs: section (e.g. main: can be specified when it is a JavaScript action), branding: properties, and so on.

    name: 'My action'
    author: '...'
    # ERROR: 'description' section is missing
    
    branding:
      # ERROR: Invalid icon name
      icon: dog
    
    runs:
      # ERROR: Node.js runtime version is too old
      using: 'node12'
      # ERROR: The source file being run by this action does not exist
      main: 'this-file-does-not-exist.js'
      # ERROR: 'env' configuration is only allowed for Docker actions
      env:
        SOME_VAR: SOME_VALUE

  • actionlint still focuses on checking workflow files. So there is no way to directly specify action.yml as an argument of actionlint command. actionlint checks all local actions which are used by given workflows. If you want to use actionlint for your action development, prepare a test/example workflow which uses your action, and check it with actionlint instead.
  • Checks for steps: contents are planned to be implemented. Since several differences are expected between steps: in workflow file and steps: in action metadata file (e.g. available contexts), the implementation is delayed to later version. And the current implementation of action metadata parser is ad hoc. I'm planning a large refactorying and breaking changes Go API around it are expected.
• Add runner.environment property. (#412)

  - run: echo 'Run by GitHub-hosted runner'
    if: runner.environment == 'github-hosted'

• Using outdated popular actions is now detected at error. See the document for more details.
  • Here 'outdated' means actions which use runtimes no longer supported by GitHub-hosted runners such as node12.

    # ERROR: actions/checkout@v2 is using the outdated runner 'node12'
    - uses: actions/checkout@v2

• Support attestations permission which was recently added to GitHub Actions as beta. (#418, thanks @bdehamer)

  permissions:
    id-token: write
    contents: read
    attestations: write

• Check comparison expressions more strictly. Arbitrary types of operands can be compared as the official document explains. However, comparisons between some types are actually meaningless because the values are converted to numbers implicitly. actionlint catches such meaningless comparisons as errors. Please see the check document for more details.

  on:
    workflow_call:
      inputs:
        timeout:
          type: boolean
  
  jobs:
    test:
      runs-on: ubuntu-latest
      steps:
        - run: echo 'called!'
          # ERROR: Comparing string to object is always evaluated to false
          if: ${{ github.event == 'workflow_call' }}
        - run: echo 'timeout is too long'
          # ERROR: Comparing boolean value with `>` doesn't make sense
          if: ${{ inputs.timeout > 60 }}

• Follow the update that macos-latest is now an alias to macos-14 runner.
• Support a custom python shell by pyflakes rule.
• Add workaround actionlint reports that dorny/paths-filter's predicate-quantifier input is not defined. (#416)
• Fix the type of a conditional expression by comparison operators is wider than expected by implementing type narrowing. (#384)
  • For example, the type of following expression should be number but it was actually string | number and actionlint complained that timeout-minutes must take a number value.

    timeout-minutes: ${{ env.FOO && 10 || 60 }}

• Fix ${{ }} placeholder is not available at jobs.<job_id>.services. (#402)

  jobs:
    test:
      services: ${{ fromJSON('...') }}
      runs-on: ubuntu-latest
      steps:
        - run: ...

• Do not check outputs of google-github-actions/get-secretmanager-secrets because this action sets outputs dynamically. (#404)
• Fix defaults.run is ignored on detecting the shell used in run:. (#409)

  defaults:
    run:
      shell: pwsh
  jobs:
    test:
      runs-on: ubuntu-latest
      steps:
        # This was wrongly detected as bash script
        - run: $Env:FOO = "FOO"

• Fix parsing a syntax error reported from pyflakes when checking a Python script in run:. (#411)

  - run: print(
    shell: python

• Skip checking exclude: items in matrix: when they are constructed from ${{ }} dynamically. (#414)

  matrix:
    foo: ['a', 'b']
    exclude:
      # actionlint complained this value didn't exist in matrix combinations
      - foo: ${{ env.EXCLUDE_FOO }}

• Fix checking exclude: items when ${{ }} is used in nested arrays at matrix items.

  matrix:
    foo:
      - ["${{ fromJSON('...') }}"]
    exclude:
      # actionlint complained this value didn't match to any matrix combinations
      - foo: ['foo']

• Update popular actions data set. New major versions are added and the following actions are newly added.
  • peaceiris/actions-hugo
  • actions/attest-build-provenance
  • actions/add-to-project
  • octokit/graphql-action
• Update Go dependencies to the latest.
• Reduce the size of actionlint executable by removing redundant data from popular actions data set.
  • x86_64 executable binary size was reduced from 6.9MB to 6.7MB (2.9% smaller).
  • Wasm binary size was reduced from 9.4MB to 8.9MB (5.3% smaller).
• Describe how to integrate actionlint to Pulsar Edit in the document. (#408, thanks @mschuchard)
• Update outdated action versions in the usage document. (#413, thanks @naglis)