Releases: rhysd/actionlint

v1.6.7

08 Nov 09:44

  • Fix missing property name in runner context object (thanks @ioanrogers, #67).
  • Fix a false positive on type checking at x.* object filtering syntax where the receiver is an object. actionlint previously only allowed arrays as receiver of object filtering (#66).
    fromJSON('{"a": "from a", "b": "from b"}').*
    # => ["from a", "from b"]
    
    fromJSON('{"a": {"x": "from a.x"}, "b": {"x": "from b.x"}}').*.x
    # => ["from a.x", "from b.x"]
  • Add rust-cache as new popular action.
  • Remove bottle: unneeded from Homebrew formula (thanks @oppara, #63).
  • Support branch_protection_rule webhook again.
  • Update popular actions data set to the latest (#64, #70).

v1.6.6

17 Oct 11:06

  • inputs and secrets objects are now typed looking at workflow_call event at on:. See the document for more details.
    • inputs object is typed with definitions at on.workflow_call.inputs. When the workflow is not callable, it is typed at {} (empty object) so any inputs.* access causes a type error.
    • secrets object is typed with definitions at on.workflow_call.secrets.
    on:
      workflow_call:
        # `inputs` object is typed {url: string; lucky_number: number}
        inputs:
          url:
            description: 'your URL'
            type: string
          lucky_number:
            description: 'your lucky number'
            type: number
        # `secrets` object is typed {user: string; credential: string}
        secrets:
          user:
            description: 'your user name'
          credential:
            description: 'your credential'
    jobs:
      test:
        runs-on: ubuntu-20.04
        steps:
          - name: Send data
            # ERROR: uri is typo of url
            run: curl ${{ inputs.uri }} -d ${{ inputs.lucky_number }}
            env:
              # ERROR: credentials is typo of credential
              TOKEN: ${{ secrets.credentials }}
  • id-token is added to permissions (thanks @cmmarslender, #62).
  • Report an error on nested workflow calls since it is not allowed.
    on:
      # This workflow is reusable
      workflow_call:
    
    jobs:
      test:
        # ERROR: Nested workflow call is not allowed
        uses: owner/repo/path/to/workflow.yml@ref
  • Parse uses: at reusable workflow call more strictly following {owner}/{repo}/{path}@{ref} format.
  • Popular actions data set was updated to the latest (#61).
  • Dependencies of playground were updated to the latest (including eslint v8).
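
A strict parser for the `{owner}/{repo}/{path}@{ref}` format named above, as an added example rather than actionlint's own code. The `WorkflowCall` type, the `ParseWorkflowCall` function and the rule that the last `@` separates the ref are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// WorkflowCall holds the four parts of a job-level `uses:` value.
type WorkflowCall struct{ Owner, Repo, Path, Ref string }

// ParseWorkflowCall accepts only {owner}/{repo}/{path}@{ref}; every part is required.
// Assumption: the last '@' separates the ref from the rest.
func ParseWorkflowCall(s string) (WorkflowCall, error) {
	at := strings.LastIndex(s, "@")
	if at < 0 || at == len(s)-1 {
		return WorkflowCall{}, errors.New("missing @{ref}")
	}
	parts := strings.SplitN(s[:at], "/", 3)
	if len(parts) != 3 {
		return WorkflowCall{}, errors.New("expected {owner}/{repo}/{path} before '@'")
	}
	for _, p := range parts {
		if p == "" {
			return WorkflowCall{}, errors.New("empty owner, repo or path")
		}
	}
	return WorkflowCall{parts[0], parts[1], parts[2], s[at+1:]}, nil
}

func main() {
	// Constructed inputs: the page's example plus malformed variants.
	for _, s := range []string{
		"owner/repo/path/to/workflow.yml@ref",
		"owner/repo@v1",          // action-style value, no workflow path
		"./path/to/workflow.yml", // no owner/repo and no ref
		"owner//workflow.yml@main",
	} {
		c, err := ParseWorkflowCall(s)
		fmt.Printf("%-38q -> %+v, err=%v\n", s, c, err)
	}
}
```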

v1.6.5

08 Oct 12:50

  • Support reusable workflows syntax which is now in beta. Only very basic syntax checks are supported at this time. See the document for the checks on reusable workflow syntax.
    • Example of workflow_call event
      on:
        workflow_call:
          inputs:
            name:
              description: your name
              type: string
          secrets:
            token:
              required: true
      
      jobs:
        ...
    • Example of reusable workflow call with uses: at job.<job_id>
      on: ...
      jobs:
        hello:
          uses: owner/repo/path/to/workflow.yml@main
          with:
            name: Octocat
          secrets:
            token: ${{ secrets.token }}
  • Support github.run_attempt property in ${{ }} expression (#57).
  • Add support for windows-2022 runner which is now in public beta.
  • Remove support for ubuntu-16.04 runner which was removed from GitHub Actions at the end of September.
  • Ignore SC2154 shellcheck rule which can cause false positives (#53).
  • Fix incorrect error position when required keys are missing in job configuration.
  • Update popular actions data set. New major versions of github-script and lock-threads actions are supported (#59).
  • Fix document (thanks @fornwall at #52, thanks @equal-l2 at #56).

v1.6.4

21 Sep 11:46

  • Implement 'map' object types { string => T }, where all properties of the object are typed as T. Since an object key is always a string, the left-hand side of => is fixed to string. For example, env context only has string properties so it is typed as { string => string }. Previously its properties were typed any.
    # typed as string (previously any)
    env.FOO
    
    # typed as { id: string; network: string; ports: object; } (previously any)
    job.services.redis
  • github.event.discussion.title and github.event.discussion.body are now checked as untrusted inputs.
  • Update popular actions data set. (#50, #51)
  • Update webhooks payload data set. branch_protection_rule hook was dropped from the list due to github/docs@179a6d3. (#50, #51)

v1.6.3

04 Sep 13:10

  • Improve guessing a type of matrix value. When a matrix contains numbers and strings, previously the type fell back to any. Now it is deduced as string.
    strategy:
      matrix:
        # matrix.node is now deduced as `string` instead of `any`
        node: [14, 'latest']
  • Fix types of || and && expressions. Previously they were typed as bool, which was not correct. The correct type is the sum of the types of both sides of the operator, as in TypeScript. For example, type of 'foo' || 'bar' is a string, and github.event && matrix is an object.
  • actionlint no longer reports an error when a local action does not exist in the repository. It is a popular pattern that a local action directory is cloned while a workflow is running. (#25, #40)
  • Disable SC2050 shellcheck rule since it causes some false positives. (#45)
  • Fix -version not working when running actionlint via the Docker image (#47).
  • Fix pre-commit hook file name. (thanks @xsc27, #38)
  • New branch_protection_rule event is supported. (#48)
  • Update popular actions data set. (#41, #48)
  • Update Go library dependencies.
  • Update playground dependencies.

v1.6.2

23 Aug 02:41

  • actionlint now checks that evaluated values at ${{ }} are neither an object nor an array since they are not useful. See the check document for more details.
    # ERROR: This will always be replaced with `echo 'Object'`
    - run: echo '${{ runner }}'
    # OK: Serialize an object into JSON to check the content
    - run: echo '${{ toJSON(runner) }}'
  • Add pre-commit support. pre-commit is a framework for managing Git pre-commit hooks. See the usage document for more details. (thanks @xsc27 for adding the integration at #33) (#23)
  • Add an official Docker image. The Docker image contains shellcheck and pyflakes as dependencies. Now actionlint can be run with docker run command easily. See the usage document for more details. (thanks @xsc27 for the help at #34)
    docker run --rm -v $(pwd):/repo --workdir /repo rhysd/actionlint:latest -color
  • Go 1.17 is now a default compiler to build actionlint. Built binaries are faster than before by 2~7% when the process is CPU-bound. Sizes of built binaries are about 2% smaller. Note that Go 1.16 continues to be supported.
  • windows/arm64 target is added to released binaries thanks to Go 1.17.
  • Now any value can be converted into bool implicitly. Previously this was not permitted as actionlint provides stricter type check. However it is not useful that a condition like if: github.event.foo causes a type error.
  • Fix that a prefix operator could not be applied repeatedly, like !!42.
  • Fix a potential crash when type checking on expanding an object with ${{ }} like matrix: ${{ fromJSON(env.FOO) }}
  • Update popular actions data set (#36)

v1.6.1

16 Aug 11:41

  • runner_label rule now checks conflicts in labels at runs-on. For example, there is no runner which meets both ubuntu-latest and windows-latest. This kind of misconfiguration sometimes happens when a beginner misunderstands the usage of runs-on:. To run a job on each runner, matrix: should be used. See the document for more information.
    on: push
    jobs:
      test:
        # These labels match to no runner
        runs-on: [ubuntu-latest, windows-latest]
        steps:
          - run: echo ...
  • Reduce memory footprint (around 16%) on starting actionlint command by removing unnecessary data from PopularActions global variable. This also slightly reduces binary size (about 3.7% at playground/main.wasm).
  • Fix a type error caused by accessing steps.* objects in a job's environment: configuration (#30).
  • Fix that checking an action's input names at with: was not case-insensitive (#31).
  • Ignore outputs of getsentry/paths-filter. It is a fork of dorny/paths-filter. actionlint cannot check the outputs statically because it sets outputs dynamically.
  • Add Azure/functions-action to popular actions.
  • Update popular actions data set (#29).

v1.6.0

11 Aug 06:07

Incorrect code

- run: echo '${{ github.event.pull_request.title }}'

should be replaced with

- run: echo "issue ${TITLE}"
  env:
    TITLE: ${{github.event.issue.title}}
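
The difference between the two snippets above, and the untrusted-input check on `github.event.discussion.title` and `github.event.discussion.body` listed under v1.6.4, as an added line-based sketch that is not actionlint's implementation. The function name `FindUntrustedInRun`, the `untrusted` list (limited to properties this page names) and the sample workflow are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumption: only the properties named on this page, not actionlint's full list.
var untrusted = []string{"github.event.pull_request.title", "github.event.issue.title",
	"github.event.discussion.title", "github.event.discussion.body"}

var runRe = regexp.MustCompile(`^(\s*)(- )?run:\s*(.*)$`)
var exprRe = regexp.MustCompile(`\$\{\{(.*?)\}\}`)

// FindUntrustedInRun reports untrusted properties that are expanded inside a
// run: script (inline or block scalar). Expansions under env: are not reported.
func FindUntrustedInRun(workflow string) []string {
	var out []string
	inRun, keyCol := false, 0
	for i, line := range strings.Split(workflow, "\n") {
		script := ""
		indent := len(line) - len(strings.TrimLeft(line, " "))
		if m := runRe.FindStringSubmatch(line); m != nil {
			inRun, keyCol, script = true, len(m[1])+len(m[2]), m[3]
		} else if inRun && (strings.TrimSpace(line) == "" || indent > keyCol) {
			script = line // continuation line of a block scalar
		} else {
			inRun = false // a sibling key such as env: ends the script
		}
		for _, e := range exprRe.FindAllStringSubmatch(script, -1) {
			for _, p := range untrusted {
				if strings.Contains(strings.ToLower(e[1]), p) {
					out = append(out, fmt.Sprintf("line %d: %s", i+1, p))
				}
			}
		}
	}
	return out
}

// Constructed sample: the page's two snippets plus a block-scalar step.
const sample = `steps:
  - run: echo '${{ github.event.pull_request.title }}'
  - run: echo "issue ${TITLE}"
    env:
      TITLE: ${{github.event.issue.title}}
  - run: |
      echo "${{ github.event.discussion.body }}"`

func main() { fmt.Println(strings.Join(FindUntrustedInRun(sample), "\n")) }
```

Only lines 2 and 7 of the sample are reported; the `env:` assignment on line 5 passes because the shell receives the title as a variable value instead of as script text.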

Simple example to output error messages as JSON:

actionlint -format '{{json .}}'

More complicated example to output error messages as markdown:

actionlint -format '{{range $ := .}}### Error at line {{$.Line}}, col {{$.Column}} of `{{$.Filepath}}`\n\n{{$.Message}}\n\n```\n{{$.Snippet}}\n```\n\n{{end}}'
  • Documents are reorganized. Long README.md is separated into several document files (#28)
  • Fix that checking shell names was not case-insensitive; for example, PowerShell was detected as an invalid shell name
  • Update popular actions data set to the latest
  • Make lexer errors on checking ${{ }} expressions more meaningful

v1.5.3

04 Aug 06:45

  • Now actionlint allows using any operator outside ${{ }} on if: condition like if: github.repository_owner == 'rhysd' (#22). The official document said that using any operator outside ${{ }} was invalid even if it was on if: condition. However, github/docs#8786 clarified that the document was not correct.

v1.5.2

02 Aug 11:20

  • Outputs of dorny/paths-filter are now not typed strictly because the action dynamically sets outputs which are not defined in its action.yml. actionlint cannot check such outputs statically (#18).
  • The table for checking Webhooks supported by GitHub Actions is now generated from the official document automatically with a script. The table continues to be updated weekly by the CI workflow.
  • Improve error messages while lexing expressions as follows.
  • Fix column numbers being off by one on some lexer errors.
  • Fix checking invalid numbers where some digit follows zero in a hex number (e.g. 0x01) or an exponent part of number (e.g. 1e0123).
  • Fix a parse error message when some tokens still remain after parsing finishes.
  • Refactor the expression lexer to lex an input incrementally. It slightly reduces memory consumption.

Lex error until v1.5.1:

test.yaml:9:26: got unexpected character '+' while lexing expression, expecting '_', '\'', '}', '(', ')', '[', ']', '.', '!', '<', '>', '=', '&', '|', '*', ',', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z' [expression]

Lex error from v1.5.2:

test.yaml:9:26: got unexpected character '+' while lexing expression, expecting 'a'..'z', 'A'..'Z', '0'..'9', ''', '}', '(', ')', '[', ']', '.', '!', '<', '>', '=', '&', '|', '*', ',', '_' [expression]