Releases: rhysd/actionlint

v1.6.14

26 Jun 12:29
  • Some filters in events at on: are mutually exclusive. actionlint now reports an error when exclusive filters are used in the same event. paths and paths-ignore, branches and branches-ignore, and tags and tags-ignore are the exclusive pairs. See the document for the details.
    on:
      push:
        # ERROR: Both 'paths' and 'paths-ignore' filters cannot be used for the same event
        paths: ...
        paths-ignore: ...
  • Some event filters are checked more strictly. Some filters are only available with specific events, and actionlint now checks this limitation. See the document for the complete list of such filters.
    on:
      release:
        # ERROR: 'tags' filter is only available for 'push' event
        tags: v*.*.*
  • Paths starting/ending with spaces are now reported as errors.
  • Workflow inputs which specify both default and required are now reported as errors. When required is specified for an input of a workflow call, the caller must specify a value for the input, so the default value will never be used. (#154, thanks @sksat)
    on:
      workflow_call:
        inputs:
          my_input:
            description: test
            type: string
            # ERROR: The default value 'aaa' will never be used
            required: true
            default: aaa
  • Fix: inputs of workflow_dispatch are now set in the inputs context as well as github.event.inputs. This was added by a recent change of GitHub Actions. (#152)
    on:
      workflow_dispatch:
        inputs:
          my_input:
            type: string
            required: true
    jobs:
      my_job:
        runs-on: ubuntu-latest
        steps:
          - run: echo ${{ github.event.inputs.my_input }}
          # Now the input is also set to `inputs` context
          - run: echo ${{ inputs.my_input }}
  • The env context is now treated as not defined in values of env:, id: and uses:. actionlint reports usage of the env context in such places as type errors. (#158)
    runs-on: ubuntu-latest
    env:
      FOO: aaa
    steps:
      # ERROR: 'env' context is not defined in values of 'env:', 'id:' and 'uses:'
      - uses: test/${{ env.FOO }}@main
        env:
          BAR: ${{ env.FOO }}
        id: foo-${{ env.FOO }}
  • The actionlint command gains a -stdin-filename command line option. When it is specified, the given file name is used instead of <stdin> when reading input from stdin. (#157, thanks @arahatashun)
    # Error message shows foo.yml as file name where the error happened
    ... | actionlint -stdin-filename foo.yml -
  • The download script accepts a directory path to install the actionlint executable into as its second argument. For example, the following commands download to /path/to/bin/actionlint:
    # Downloads the latest stable version at `/path/to/bin/actionlint`
    bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) latest /path/to/bin
    # Downloads actionlint v1.6.14 at `/path/to/bin/actionlint`
    bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) 1.6.14 /path/to/bin
  • Update popular actions data set including goreleaser-action@v3, setup-python@v4, aks-set-context@v3.
  • Update Go dependencies including go-yaml/yaml v3.

v1.6.13

18 May 10:34
  • secrets: inherit in reusable workflow is now supported (#138)
    on:
      workflow_dispatch:
    
    jobs:
      pass-secrets-to-workflow:
        uses: ./.github/workflows/called-workflow.yml
        secrets: inherit
    This means that actionlint cannot know whether the workflow inherits secrets or not when checking a reusable workflow. To support secrets: inherit without giving up on checking the secrets context, actionlint assumes the following. See the document for the details.
    • when secrets: is omitted in a reusable workflow, the workflow inherits secrets from a caller
    • when secrets: exists in a reusable workflow, the workflow inherits no other secret
  • macos-12 runner is now supported (#134, thanks @shogo82148)
  • ubuntu-22.04 runner is now supported (#142, thanks @shogo82148)
  • concurrency is available on reusable workflow call (#136)
    jobs:
      checks:
        concurrency:
          group: ${{ github.ref }}-${{ github.workflow }}
          cancel-in-progress: true
        uses: ./path/to/workflow.yaml
  • pre-commit hook now uses a fixed version of actionlint. For example, the following configuration continues to use actionlint v1.6.13 even if v1.6.14 is released. (#116)
    repos:
      - repo: https://github.com/rhysd/actionlint
        rev: v1.6.13
        hooks:
          - id: actionlint-docker
  • Update popular actions data set including new versions of docker/*, haskell/actions/setup, actions/setup-go, ... (#140, thanks @bflad)
  • Update Go module dependencies

v1.6.12

14 Apr 13:02
  • Fix secrets.ACTIONS_RUNNER_DEBUG and secrets.ACTIONS_STEP_DEBUG are not pre-defined in a reusable workflow. (#130)
  • Fix the outdated permissions check. pages and discussions permissions were added and metadata permission was removed. (#131, thanks @suzuki-shunsuke)
  • Disable SC2157 shellcheck rule to avoid a false positive due to the replacement of ${{ }} in script. For example, in the below script -z ${{ env.FOO }} was replaced with -z ______________ and it caused 'always false due to literal strings' error. (#113)
    - run: |
        if [[ -z ${{ env.FOO }} ]]; then
          echo "FOO is empty"
        fi
  • Add codecov-action@v3 to popular actions data set.

v1.6.11

05 Apr 11:05
  • Fix crash on making outputs in JSON format with actionlint -format '{{json .}}'. (#128)
  • Allow any outputs from the actions/github-script action because it can set arbitrary outputs by calling core.setOutput() in JavaScript. (#104)
    - id: test
      uses: actions/github-script@v5
      with:
        script: |
          core.setOutput('answer', 42);
    - run: |
        echo "The answer is ${{ steps.test.outputs.answer }}"
  • Add support for Go 1.18. All released binaries were built with the Go 1.18 compiler. The minimum supported version is still Go 1.16.
  • Update popular actions data set (actions/cache, code-ql-actions/*, ...)
  • Update some Go module dependencies

v1.6.10

11 Mar 11:22
  • Support outputs in reusable workflow call. See the official document for the usage of the outputs syntax. (#119, #121)
    Example of reusable workflow definition:
    on:
      workflow_call:
        outputs:
          some_output:
            description: "Some awesome output"
            value: 'result value of workflow call'
    jobs:
      job:
        runs-on: ubuntu-latest
        steps:
          ...
    Example of reusable workflow call:
    jobs:
      job1:
        uses: ./.github/workflows/some_workflow.yml
      job2:
        runs-on: ubuntu-latest
        needs: job1
        steps:
          - run: echo ${{ needs.job1.outputs.some_output }}
  • Support checking jobs context, which is only available in on.workflow_call.outputs.<name>.value. Outputs of jobs can be referred via the context. See the document for more details.
    on:
      workflow_call:
        outputs:
          image-version:
            description: "Docker image version"
            # ERROR: 'imagetag' does not exist (typo of 'image_tag')
            value: ${{ jobs.gen-image-version.outputs.imagetag }}
    jobs:
      gen-image-version:
        runs-on: ubuntu-latest
        outputs:
          image_tag: "${{ steps.get_tag.outputs.tag }}"
        steps:
          - run: ./output_image_tag.sh
            id: get_tag
  • Add new major releases in actions/* actions including actions/checkout@v3, actions/setup-go@v3, actions/setup-python@v3, ...
  • Check job IDs. They must start with a letter or _ and contain only alphanumeric characters, - or _. See the document for more details. (#80)
    on: push
    jobs:
      # ERROR: '.' cannot be contained in job ID
      foo-v1.2.3:
        runs-on: ubuntu-latest
        steps:
          - run: 'job ID with version'
  • Fix windows-latest now means windows-2022 runner. See virtual-environments#4856 for the details. (#120)
  • Update the playground dependencies to the latest.
  • Update Go module dependencies

v1.6.9

24 Feb 12:38
752a552
  • Support runner.arch context value. (thanks @shogo82148, #101)
    steps:
      - run: ./do_something_64bit.sh
        if: ${{ runner.arch == 'x64' }}
  • Support calling reusable workflows in local directories. (thanks @jsok, #107)
    jobs:
      call-workflow-in-local-repo:
        uses: ./.github/workflows/useful_workflow.yml
  • Add a document to install actionlint via asdf version manager. (thanks @crazy-matt, #99)
  • Fix using secrets.GITHUB_TOKEN caused a type error when some other secret is defined. (thanks @mkj-is, #106)
  • Fix nil check is missing on parsing uses: step. (thanks @shogo82148, #102)
  • Fix some documents including broken links. (thanks @ohkinozomu, #105)
  • Update popular actions data set to the latest. More arguments are added to many actions. And a few actions had new major versions.
  • Update webhook payload data set to the latest. requested_action type was added to check_run hook. requested and rerequested types were removed from check_suite hook. updated type was removed from project hook.

v1.6.8

15 Nov 07:44
  • Untrusted inputs detection now covers object filter syntax. For example, github.event.*.body filters body properties, and the result includes the untrusted input github.event.comment.body. actionlint detects such filters and reports an error. The error message includes all untrusted input names selected by the object filter so that you can easily see which inputs are untrusted. See the document for more details.
    Input example:
    - name: Get comments
      run: echo '${{ toJSON(github.event.*.body) }}'
    Error message:
    object filter extracts potentially untrusted properties "github.event.comment.body", "github.event.discussion.body", "github.event.issue.body", ...
    
    Instead you should do:
    - name: Get comments
      run: echo "$JSON"
      env:
        JSON: ${{ toJSON(github.event.*.body) }}
  • Support the new input type syntax for workflow_dispatch event, which was introduced recently. You can declare types of inputs on triggering a workflow manually. actionlint does two things with this new syntax.
    • actionlint checks the syntax: unknown input types, invalid default values, and missing options for the 'choice' type are reported.
      inputs:
        # Unknown input type
        id:
          type: number
        # ERROR: No options for 'choice' input type
        kind:
          type: choice
        name:
          type: choice
          options:
            - Tama
            - Mike
          # ERROR: Default value is not in options
          default: Chobi
        verbose:
          type: boolean
          # ERROR: Boolean value must be 'true' or 'false'
          default: yes
    • actionlint gives a strict object type to github.event.inputs so that the type checker can catch unknown input names and type mismatches where the value is used.
      on:
        workflow_dispatch:
          inputs:
            message:
              type: string
            verbose:
              type: boolean
      # Type of `github.event.inputs` is {"message": string; "verbose": bool}
      jobs:
        test:
          runs-on: ubuntu-latest
          steps:
            # ERROR: Undefined input
            - run: echo "${{ github.event.inputs.massage }}"
            # ERROR: Bool value is not available for object key
            - run: echo "${{ env[github.event.inputs.verbose] }}"
    • See the document for more details.
  • Add missing properties in github context. See the contexts document to know the full list of properties.
    • github.ref_name (thanks @dihmandrake, #72)
    • github.ref_protected
    • github.ref_type
  • Arrays filtered by object filters are typed more strictly.
    # `env` is a map object { string => string }
    # Previously typed as array<any> now it is typed as array<string>
    env.*
    
  • Update Go module dependencies and playground dependencies.
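
The object-filter check described in the untrusted inputs item above, sketched as an added example (not actionlint's own code): each `*` segment is expanded against a list of untrusted context paths and every match is reported. The path list is a constructed subset of the inputs GitHub documents as attacker-controllable, and matchUntrusted is a hypothetical helper name.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed subset of context paths whose values an outside contributor
// can set. actionlint ships its own, longer list.
var untrustedPaths = []string{
	"github.event.comment.body",
	"github.event.discussion.body",
	"github.event.issue.body",
	"github.event.issue.title",
	"github.event.pull_request.body",
	"github.event.pull_request.title",
	"github.head_ref",
}

// matchUntrusted (hypothetical helper) returns every untrusted path selected
// by expr, where a "*" segment is an object filter that stands for any single
// property name. Only paths with the same number of segments can match.
func matchUntrusted(expr string) []string {
	want := strings.Split(expr, ".")
	var hits []string
	for _, p := range untrustedPaths {
		got := strings.Split(p, ".")
		if len(got) != len(want) {
			continue
		}
		ok := true
		for i := range want {
			if want[i] != "*" && want[i] != got[i] {
				ok = false
				break
			}
		}
		if ok {
			hits = append(hits, p)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	for _, e := range []string{"github.event.*.body", "github.event.*.title", "github.event.*.number"} {
		fmt.Printf("%-24s -> %q\n", e, matchUntrusted(e))
	}
}
```

An expression with no match, such as github.event.*.number here, yields an empty result and would not be flagged.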

v1.6.7

08 Nov 09:44
  • Fix missing property name in runner context object (thanks @ioanrogers, #67).
  • Fix a false positive on type checking at x.* object filtering syntax where the receiver is an object. actionlint previously only allowed arrays as receiver of object filtering (#66).
    fromJSON('{"a": "from a", "b": "from b"}').*
    # => ["from a", "from b"]
    
    fromJSON('{"a": {"x": "from a.x"}, "b": {"x": "from b.x"}}').*.x
    # => ["from a.x", "from b.x"]
  • Add rust-cache as new popular action.
  • Remove bottle: unneeded from Homebrew formula (thanks @oppara, #63).
  • Support branch_protection_rule webhook again.
  • Update popular actions data set to the latest (#64, #70).

v1.6.6

17 Oct 11:06
  • inputs and secrets objects are now typed based on the workflow_call event at on:. See the document for more details.
    • inputs object is typed with definitions at on.workflow_call.inputs. When the workflow is not callable, it is typed as {} (empty object) so any inputs.* access causes a type error.
    • secrets object is typed with definitions at on.workflow_call.secrets.
    on:
      workflow_call:
        # `inputs` object is typed {url: string; lucky_number: number}
        inputs:
          url:
            description: 'your URL'
            type: string
          lucky_number:
            description: 'your lucky number'
            type: number
        # `secrets` object is typed {user: string; credential: string}
        secrets:
          user:
            description: 'your user name'
          credential:
            description: 'your credential'
    jobs:
      test:
        runs-on: ubuntu-20.04
        steps:
          - name: Send data
            # ERROR: uri is typo of url
            run: curl ${{ inputs.uri }} -d ${{ inputs.lucky_number }}
            env:
              # ERROR: credentials is typo of credential
              TOKEN: ${{ secrets.credentials }}
  • id-token is added to permissions (thanks @cmmarslender, #62).
  • Report an error on nested workflow calls since it is not allowed.
    on:
      # This workflow is reusable
      workflow_call:
    
    jobs:
      test:
        # ERROR: Nested workflow call is not allowed
        uses: owner/repo/path/to/workflow.yml@ref
  • Parse uses: at reusable workflow call more strictly following {owner}/{repo}/{path}@{ref} format.
  • Popular actions data set was updated to the latest (#61).
  • Dependencies of playground were updated to the latest (including eslint v8).

v1.6.5

08 Oct 12:50
  • Support reusable workflows syntax which is now in beta. Only very basic syntax checks are supported at this time. Please see the document for the checks applied to reusable workflow syntax.
    • Example of workflow_call event
      on:
        workflow_call:
          inputs:
            name:
              description: your name
              type: string
          secrets:
            token:
              required: true
      
      jobs:
        ...
    • Example of reusable workflow call with uses: at job.<job_id>
      on: ...
      jobs:
        hello:
          uses: owner/repo/path/to/workflow.yml@main
          with:
            name: Octocat
          secrets:
            token: ${{ secrets.token }}
  • Support github.run_attempt property in ${{ }} expression (#57).
  • Add support for windows-2022 runner which is now in public beta.
  • Remove support for ubuntu-16.04 runner which was removed from GitHub Actions at the end of September.
  • Ignore SC2154 shellcheck rule which can cause false positive (#53).
  • Fix incorrect error position when required keys are missing in job configuration.
  • Update popular actions data set. New major versions of github-script and lock-threads actions are supported (#59).
  • Fix document (thanks @fornwall at #52, thanks @equal-l2 at #56).