Releases: rhysd/actionlint

v1.6.4

21 Sep 11:46
  • Implement 'map' object types { string => T }, where all properties of the object are typed as T. Since an object key is always a string, the left-hand side of => is fixed to string. For example, the env context only has string properties, so it is typed as { string => string }. Previously its properties were typed as any.
    # typed as string (previously any)
    env.FOO
    
    # typed as { id: string; network: string; ports: object; } (previously any)
    job.services.redis
  • github.event.discussion.title and github.event.discussion.body are now checked as untrusted inputs.
  • Update popular actions data set. (#50, #51)
  • Update webhooks payload data set. branch_protection_rule hook was dropped from the list due to github/docs@179a6d3. (#50, #51)

v1.6.3

04 Sep 13:10
  • Improve guessing a type of matrix value. When a matrix contains numbers and strings, previously the type fell back to any. Now it is deduced as string.
    strategy:
      matrix:
        # matrix.node is now deduced as `string` instead of `any`
        node: [14, 'latest']
  • Fix types of || and && expressions. Previously they were typed as bool, which was not correct. The correct type is the sum of the types of both sides of the operator, as in TypeScript. For example, the type of 'foo' || 'bar' is a string, and github.event && matrix is an object.
  • actionlint no longer reports an error when a local action does not exist in the repository. It is a popular pattern that a local action directory is cloned while a workflow is running. (#25, #40)
  • Disable SC2050 shellcheck rule since it causes some false positives. (#45)
  • Fix that -version did not work when running actionlint via the Docker image (#47).
  • Fix pre-commit hook file name. (thanks @xsc27, #38)
  • New branch_protection_rule event is supported. (#48)
  • Update popular actions data set. (#41, #48)
  • Update Go library dependencies.
  • Update playground dependencies.

v1.6.2

23 Aug 02:41
  • actionlint now checks evaluated values at ${{ }} are not an object nor an array since they are not useful. See the check document for more details.
    # ERROR: This will always be replaced with `echo 'Object'`
    - run: echo '${{ runner }}'
    # OK: Serialize an object into JSON to check the content
    - run: echo '${{ toJSON(runner) }}'
  • Add pre-commit support. pre-commit is a framework for managing Git pre-commit hooks. See the usage document for more details. (thanks @xsc27 for adding the integration at #33) (#23)
  • Add an official Docker image. The Docker image contains shellcheck and pyflakes as dependencies. Now actionlint can be run with docker run command easily. See the usage document for more details. (thanks @xsc27 for the help at #34)
    docker run --rm -v $(pwd):/repo --workdir /repo rhysd/actionlint:latest -color
  • Go 1.17 is now a default compiler to build actionlint. Built binaries are faster than before by 2~7% when the process is CPU-bound. Sizes of built binaries are about 2% smaller. Note that Go 1.16 continues to be supported.
  • windows/arm64 target is added to released binaries thanks to Go 1.17.
  • Now any value can be converted into bool implicitly. Previously this was not permitted because actionlint provides a stricter type check. However, it is not useful for a condition like if: github.event.foo to cause a type error.
  • Fix that a prefix operator could not be applied repeatedly, like !!42.
  • Fix a potential crash when type checking on expanding an object with ${{ }} like matrix: ${{ fromJSON(env.FOO) }}
  • Update popular actions data set (#36)

v1.6.1

16 Aug 11:41

annotation by Problem Matchers

  • runner_label rule now checks conflicts in labels at runs-on. For example, there is no runner which meets both ubuntu-latest and windows-latest. This kind of misconfiguration sometimes happens when a beginner misunderstands the usage of runs-on:. To run a job on each runner, matrix: should be used. See the document for more information.
    on: push
    jobs:
      test:
        # These labels match no runner
        runs-on: [ubuntu-latest, windows-latest]
        steps:
          - run: echo ...
  • Reduce memory footprint (around 16%) on starting actionlint command by removing unnecessary data from PopularActions global variable. This also slightly reduces binary size (about 3.7% at playground/main.wasm).
  • Fix accessing steps.* objects in job's environment: configuration caused a type error (#30).
  • Fix that checking an action's input names at with: was not case-insensitive (#31).
  • Ignore outputs of getsentry/paths-filter. It is a fork of dorny/paths-filter. actionlint cannot check the outputs statically because it sets outputs dynamically.
  • Add Azure/functions-action to popular actions.
  • Update popular actions data set (#29).

v1.6.0

11 Aug 06:07

Incorrect code

- run: echo '${{ github.event.pull_request.title }}'

should be replaced with

- run: echo "issue ${TITLE}"
  env:
    TITLE: ${{github.event.issue.title}}
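
The check behind the pair above, sketched as an added example (not actionlint's implementation and not code from these release notes): it flags `${{ }}` placeholders that expand an untrusted path inside a `run:` script and ignores the same expression under `env:`. `FindInjections`, `Finding` and the sample steps are hypothetical, the path list is limited to the four paths named on this page, and the line-based YAML handling is an assumption that covers inline and block-scalar `run:` values only.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Paths this page names as untrusted (subset chosen for the example, not actionlint's list).
var untrustedRe = regexp.MustCompile(`(?i)\bgithub\.event\.(pull_request\.title|issue\.title|discussion\.(title|body))\b`)
var exprRe = regexp.MustCompile(`\$\{\{(.*?)\}\}`) // one ${{ ... }} placeholder

type Finding struct{ Line, Col int; Path string } // 1-based position of the placeholder

// FindInjections reports untrusted paths expanded inside `run:` script text (hypothetical helper).
func FindInjections(workflow string) []Finding {
	var out []Finding
	runIndent := -1 // column of the active `run:` key, -1 when outside a script
	for i, line := range strings.Split(workflow, "\n") {
		body := strings.TrimLeft(line, " ")
		indent := len(line) - len(body)
		key := strings.TrimPrefix(body, "- ")
		if strings.HasPrefix(key, "run:") {
			runIndent = indent + len(body) - len(key)
		} else if runIndent < 0 || (body != "" && indent <= runIndent) {
			runIndent = -1 // a sibling or parent key (env:, with:, next step) ends the script
			continue
		}
		for _, m := range exprRe.FindAllStringSubmatchIndex(line, -1) {
			for _, p := range untrustedRe.FindAllString(line[m[2]:m[3]], -1) {
				out = append(out, Finding{i + 1, m[0] + 1, strings.ToLower(p)})
			}
		}
	}
	return out
}

// Constructed sample steps: direct expansion, the env: form, and a block-scalar script.
const sample = `steps:
  - run: echo '${{ github.event.pull_request.title }}'
  - run: echo "issue ${TITLE}"
    env:
      TITLE: ${{github.event.issue.title}}
  - run: |
      echo "${{ GitHub.Event.Discussion.Body }}"
`

func main() {
	fmt.Println(FindInjections(sample))
}
```

The `env:` form is not reported because the title reaches the shell as the value of a variable rather than as script text.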

Simple example to output error messages as JSON:

actionlint -format '{{json .}}'

More complicated example to output error messages as markdown:

actionlint -format '{{range $ := .}}### Error at line {{$.Line}}, col {{$.Column}} of `{{$.Filepath}}`\n\n{{$.Message}}\n\n```\n{{$.Snippet}}\n```\n\n{{end}}'
  • Documents are reorganized. Long README.md is separated into several document files (#28)
  • Fix that checking shell names was not case-insensitive; for example, PowerShell was detected as an invalid shell name
  • Update popular actions data set to the latest
  • Make lexer errors on checking ${{ }} expressions more meaningful

v1.5.3

04 Aug 06:45
  • Now actionlint allows using any operators outside ${{ }} on if: condition like if: github.repository_owner == 'rhysd' (#22). The official document said that using any operator outside ${{ }} was invalid even if it was on if: condition. However, github/docs#8786 clarified that the document was not correct.

v1.5.2

02 Aug 11:20
  • Outputs of dorny/paths-filter are now not typed strictly because the action dynamically sets outputs which are not defined in its action.yml. actionlint cannot check such outputs statically (#18).
  • The table for checking Webhooks supported by GitHub Actions is now generated from the official document automatically with script. The table continues to be updated weekly by the CI workflow.
  • Improve error messages while lexing expressions as follows.
  • Fix column numbers being off by one on some lexer errors.
  • Fix checking invalid numbers where some digit follows zero in a hex number (e.g. 0x01) or an exponent part of number (e.g. 1e0123).
  • Fix a parse error message when some tokens still remain after parsing finishes.
  • Refactor the expression lexer to lex an input incrementally. It slightly reduces memory consumption.

Lex error until v1.5.1:

test.yaml:9:26: got unexpected character '+' while lexing expression, expecting '_', '\'', '}', '(', ')', '[', ']', '.', '!', '<', '>', '=', '&', '|', '*', ',', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z' [expression]

Lex error from v1.5.2:

test.yaml:9:26: got unexpected character '+' while lexing expression, expecting 'a'..'z', 'A'..'Z', '0'..'9', ''', '}', '(', ')', '[', ']', '.', '!', '<', '>', '=', '&', '|', '*', ',', '_' [expression]

v1.5.1

29 Jul 03:20
  • Improve checking the intervals of scheduled events (#14, #15). Since GitHub Actions limits the interval to once every 5 minutes, actionlint now reports an error when a workflow is configured to run more often than once every 5 minutes.
  • Skip checking inputs of octokit/request-action since it allows specifying arbitrary inputs even though they are not defined in its action.yml (#16).
    • Outputs of the action are still typed strictly. Only its inputs are not checked.
  • The help text of actionlint is now hosted online: https://rhysd.github.io/actionlint/usage.html
  • Add new fuzzing target for parsing glob patterns.
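
The scheduled-event interval check described above, as an added example (not actionlint's implementation): it computes the shortest gap between two runs from the minute field of a cron line, so a caller can reject anything under 5 minutes. `MinGap` is a hypothetical name, and the example assumes that looking at the minute field is enough, counting a pair that wraps into the next hour only when the hour field is `*`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// MinGap returns the shortest gap in minutes (capped at 60) between two runs, judged from
// the minute field of a 5-field cron line: "*", "*/n", "a", "a-b", "a-b/n" and comma lists.
func MinGap(cron string) (int, error) {
	f := strings.Fields(cron)
	if len(f) != 5 {
		return 0, fmt.Errorf("want 5 fields, got %d", len(f))
	}
	var fires [60]bool // fires[m] is true when the schedule runs at minute m
	for _, part := range strings.Split(f[0], ",") {
		rng, stepStr, hasStep := strings.Cut(part, "/")
		lo, hi, step := 0, 59, 1
		var e1, e2, e3 error
		if hasStep {
			step, e1 = strconv.Atoi(stepStr)
		}
		if a, b, isRange := strings.Cut(rng, "-"); rng != "*" {
			lo, e2 = strconv.Atoi(a)
			if hi = lo; isRange { // a single minute is the range a-a
				hi, e3 = strconv.Atoi(b)
			}
		}
		if e1 != nil || e2 != nil || e3 != nil || step < 1 || lo < 0 || hi > 59 || lo > hi {
			return 0, fmt.Errorf("bad minute field %q", part)
		}
		for m := lo; m <= hi; m += step {
			fires[m] = true
		}
	}
	gap := 60
	for m := 0; m < 60; m++ {
		for d := 1; d < gap && fires[m]; d++ {
			if n := m + d; fires[n%60] && (n < 60 || f[1] == "*") {
				gap = d // n >= 60 is a pair that wraps into the next hour
			}
		}
	}
	return gap, nil
}

func main() {
	fmt.Println(MinGap("*/3 * * * *"))
}
```

A schedule such as `58,0 * * * *` has a gap of 2 minutes across the hour boundary, which a check that only compares minutes within one hour would miss.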

v1.5.0

26 Jul 01:39
  • action rule now validates inputs of popular actions at with:. When a required input is not specified or an undefined input is specified, actionlint will report it.
    • Popular actions are updated automatically once a week and the data set is embedded in the executable directly. The check does not need any network request and does not affect the performance of actionlint. Sources of the actions are listed here. If you have a request to support a new action, please report it at the issue form.
    • Please see the document for example (Playground).
  • expression rule now types outputs of popular actions (type of steps.{id}.outputs object) more strictly.
    • For example, actions/cache@v2 sets cache-hit output. The outputs object is typed as { cache-hit: any }. Previously it was typed as any which means no further type check was performed.
    • Please see the second example of the document (Playground).
  • Outputs of local actions (their names start with ./) are also typed more strictly as well as popular actions.
  • Metadata (action.yml) of local actions are now cached to avoid reading and parsing action.yml files repeatedly for the same action.
  • Add new rule permissions to check permission scopes for default secrets.GITHUB_TOKEN. Please see the document for more details (Playground).
  • Structure of actionlint.Permissions struct was changed. A parser no longer checks values of permissions: configuration. The check is now done by permissions rule.

v1.4.3

21 Jul 00:55
  • Support new Webhook events discussion and discussion_comment (#8).
  • Read files concurrently, limiting concurrency to the number of CPUs. This improves performance when checking many files and disabling shellcheck/pyflakes integration.
  • Support Linux based on musl libc by the download script (#5).
  • Reduce number of goroutines created while running shellcheck/pyflakes processes. This has small impact on memory usage when your workflows have many run: steps.
  • Reduce built binary size by splitting an external library which is only used for debugging into a separate command line tool.
  • Introduce several micro benchmark suites to track performance.
  • Enable code scanning for Go/TypeScript/JavaScript sources in actionlint repository.