actionlint

package module
v1.7.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 4, 2024 License: MIT Imports: 35 Imported by: 29

README

actionlint

CI Badge API Document

actionlint is a static checker for GitHub Actions workflow files. Try it online!

Features:

  • Syntax check for workflow files to check unexpected or missing keys following workflow syntax
  • Strong type check for ${{ }} expressions to catch several semantic errors like access to not existing property, type mismatches, ...
  • Actions usage check to check that inputs at with: and outputs in steps.{id}.outputs are correct
  • Reusable workflow check to check inputs/outputs/secrets of reusable workflows and workflow calls
  • shellcheck and pyflakes integrations for scripts at run:
  • Security checks; script injection by untrusted inputs, hard-coded credentials
  • Other several useful checks; glob syntax validation, dependencies check for needs:, runner label validation, cron syntax validation, ...

See the full list of checks done by actionlint.

actionlint reports 7 errors

Example of broken workflow:

on:
  push:
    branch: main
    tags:
      - 'v\d+'
jobs:
  test:
    strategy:
      matrix:
        os: [macos-latest, linux-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - run: echo "Checking commit '${{ github.event.head_commit.message }}'"
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node_version: 18.x
      - uses: actions/cache@v4
        with:
          path: ~/.npm
          key: ${{ matrix.platform }}-node-${{ hashFiles('**/package-lock.json') }}
        if: ${{ github.repository.permissions.admin == true }}
      - run: npm install && npm test

actionlint reports 7 errors:

test.yaml:3:5: unexpected key "branch" for "push" section. expected one of "branches", "branches-ignore", "paths", "paths-ignore", "tags", "tags-ignore", "types", "workflows" [syntax-check]
  |
3 |     branch: main
  |     ^~~~~~~
test.yaml:5:11: character '\' is invalid for branch and tag names. only special characters [, ?, +, *, \, ! can be escaped with \. see `man git-check-ref-format` for more details. note that regular expression is unavailable. note: filter pattern syntax is explained at https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet [glob]
  |
5 |       - 'v\d+'
  |           ^~~~
test.yaml:10:28: label "linux-latest" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-22.04", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "macos-12-xl", "macos-12-xlarge", "macos-12-large", "macos-12", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file [runner-label]
   |
10 |         os: [macos-latest, linux-latest]
   |                            ^~~~~~~~~~~~~
test.yaml:13:41: "github.event.head_commit.message" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions for more details [expression]
   |
13 |       - run: echo "Checking commit '${{ github.event.head_commit.message }}'"
   |                                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
test.yaml:17:11: input "node_version" is not defined in action "actions/setup-node@v4". available inputs are "always-auth", "architecture", "cache", "cache-dependency-path", "check-latest", "node-version", "node-version-file", "registry-url", "scope", "token" [action]
   |
17 |           node_version: 18.x
   |           ^~~~~~~~~~~~~
test.yaml:21:20: property "platform" is not defined in object type {os: string} [expression]
   |
21 |           key: ${{ matrix.platform }}-node-${{ hashFiles('**/package-lock.json') }}
   |                    ^~~~~~~~~~~~~~~
test.yaml:22:17: receiver of object dereference "permissions" must be type of object but got "string" [expression]
   |
22 |         if: ${{ github.repository.permissions.admin == true }}
   |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Why?

  • Running a workflow is time consuming. You need to push the changes and wait until the workflow runs on GitHub even if it contains some trivial mistakes. act is useful to debug the workflow locally. But it is not suitable for CI and still time consuming when your workflow gets larger.
  • Checks of workflow files by GitHub are very loose. It reports no error even if unexpected keys are in mappings (meant that some typos in keys). And also it reports no error when accessing to property which is actually not existing. For example matrix.foo when no foo is defined in matrix: section, it is evaluated to null and causes no error.
  • Some mistakes silently break a workflow. Most common case I saw is specifying missing property to cache key. In the case cache silently does not work properly but a workflow itself runs without error. So you might not notice the mistake forever.

Quick start

Install actionlint command by downloading the released binary or by Homebrew or by go install. See the installation document for more details like how to manage the command with several package managers or run via Docker container.

go install github.com/rhysd/actionlint/cmd/actionlint@latest

Basically all you need to do is run the actionlint command in your repository. actionlint automatically detects workflows and checks errors. actionlint focuses on finding out mistakes. It tries to catch errors as much as possible and make false positives as minimal as possible.

actionlint

Another option to try actionlint is the online playground. Your browser can run actionlint through WebAssembly.

See the usage document for more details.

Documents

  • Checks: Full list of all checks done by actionlint with example inputs, outputs, and playground links.
  • Installation: Installation instructions. Prebuilt binaries, a Docker image, building from source, a download script (for CI), supports by several package managers are available.
  • Usage: How to use actionlint command locally or on GitHub Actions, the online playground, an official Docker image, and integrations with reviewdog, Problem Matchers, super-linter, pre-commit, VS Code.
  • Configuration: How to configure actionlint behavior. Currently, the labels of self-hosted runners, the configuration variables, and ignore patterns of errors for each file paths can be set.
  • Go API: How to use actionlint as Go library.
  • References: Links to resources.

Bug reporting

When you see some bugs or false positives, it is helpful to file a new issue with a minimal example of input. Giving me some feedbacks like feature requests or ideas of additional checks is also welcome.

License

actionlint is distributed under the MIT license.

Documentation

Overview

Package actionlint is the implementation of actionlint linter. It's a static checker for GitHub Actions workflow files.

https://github.com/rhysd/actionlint

actionlint is a command line tool but it also provides Go API for Go programs. It includes a workflow file parser built on top of go-yaml/yaml, lexer/parser/checker for expressions embedded by ${{ }} placeholder, popular actions data, available contexts information, etc.

To run the linter, Linter is the struct which manages the entire linter lifecycle. Please see the first example.

actionlint also provides the flexibility to add your own rules by implementing Rule interface. Please read the YourOwnRule example.

Library versioning

The version is for the command line tool. So it does not represent the version of the library. It means that the library does not follow semantic versioning and any patch version bump may introduce some breaking changes.

Go version compatibility

Minimum supported Go version is written in go.mod file in this library. That said, older Go versions are actually not tested on CI. Last two major Go versions are recommended because they're tested on CI. For example, when the latest Go version is v1.22, v1.21 and v1.22 are nice to use.

https://github.com/rhysd/actionlint/blob/main/go.mod

Other documentations

All documentations for actionlint can be found in the following page.

https://github.com/rhysd/actionlint/tree/main/docs

License

This library is provided under the MIT license.

> Copyright (c) 2021 rhysd

Full text can be found in the following page.

https://github.com/rhysd/actionlint/blob/main/LICENSE.txt

Index

Examples

Constants

View Source 
const (
	// RawYAMLValueKindObject is kind for an object value of raw YAML value.
	RawYAMLValueKindObject = RawYAMLValueKind(yaml.MappingNode)
	// RawYAMLValueKindArray is kind for an array value of raw YAML value.
	RawYAMLValueKindArray = RawYAMLValueKind(yaml.SequenceNode)
	// RawYAMLValueKindString is kind for a string value of raw YAML value.
	RawYAMLValueKindString = RawYAMLValueKind(yaml.ScalarNode)
)
View Source 
const (
	// ExitStatusSuccessNoProblem is the exit status when the command ran successfully with no problem found.
	ExitStatusSuccessNoProblem = 0
	// ExitStatusSuccessProblemFound is the exit status when the command ran successfully with some problem found.
	ExitStatusSuccessProblemFound = 1
	// ExitStatusInvalidCommandOption is the exit status when parsing command line options failed.
	ExitStatusInvalidCommandOption = 2
	// ExitStatusFailure is the exit status when the command stopped due to some fatal error while checking workflows.
	ExitStatusFailure = 3
)
View Source 
const (
	// LogLevelNone does not output any log output.
	LogLevelNone LogLevel = 0
	// LogLevelVerbose shows verbose log output. This is equivalent to specifying -verbose option
	// to actionlint command.
	LogLevelVerbose = 1
	// LogLevelDebug shows all log output including debug information.
	LogLevelDebug = 2
)

Variables

View Source 
var AllWebhookTypes = map[string][]string{
	"branch_protection_rule":      {"created", "edited", "deleted"},
	"check_run":                   {"created", "rerequested", "completed", "requested_action"},
	"check_suite":                 {"completed"},
	"create":                      {},
	"delete":                      {},
	"deployment":                  {},
	"deployment_status":           {},
	"discussion":                  {"created", "edited", "deleted", "transferred", "pinned", "unpinned", "labeled", "unlabeled", "locked", "unlocked", "category_changed", "answered", "unanswered"},
	"discussion_comment":          {"created", "edited", "deleted"},
	"fork":                        {},
	"gollum":                      {},
	"issue_comment":               {"created", "edited", "deleted"},
	"issues":                      {"opened", "edited", "deleted", "transferred", "pinned", "unpinned", "closed", "reopened", "assigned", "unassigned", "labeled", "unlabeled", "locked", "unlocked", "milestoned", "demilestoned"},
	"label":                       {"created", "edited", "deleted"},
	"merge_group":                 {"checks_requested"},
	"milestone":                   {"created", "closed", "opened", "edited", "deleted"},
	"page_build":                  {},
	"project":                     {"created", "closed", "reopened", "edited", "deleted"},
	"project_card":                {"created", "moved", "converted", "edited", "deleted"},
	"project_column":              {"created", "updated", "moved", "deleted"},
	"public":                      {},
	"pull_request":                {"assigned", "unassigned", "labeled", "unlabeled", "opened", "edited", "closed", "reopened", "synchronize", "converted_to_draft", "locked", "unlocked", "enqueued", "dequeued", "milestoned", "demilestoned", "ready_for_review", "review_requested", "review_request_removed", "auto_merge_enabled", "auto_merge_disabled"},
	"pull_request_review":         {"submitted", "edited", "dismissed"},
	"pull_request_review_comment": {"created", "edited", "deleted"},
	"pull_request_target":         {"assigned", "unassigned", "labeled", "unlabeled", "opened", "edited", "closed", "reopened", "synchronize", "converted_to_draft", "ready_for_review", "locked", "unlocked", "review_requested", "review_request_removed", "auto_merge_enabled", "auto_merge_disabled"},
	"push":                        {},
	"registry_package":            {"published", "updated"},
	"release":                     {"published", "unpublished", "created", "edited", "deleted", "prereleased", "released"},
	"repository_dispatch":         {},
	"status":                      {},
	"watch":                       {"started"},
	"workflow_dispatch":           {},
	"workflow_run":                {"completed", "requested", "in_progress"},
}

AllWebhookTypes is a table of all webhooks with their types. This variable was generated by script at ./scripts/generate-webhook-events based on https://github.com/github/docs/blob/main/content/actions/using-workflows/events-that-trigger-workflows.md

View Source 
var BrandingColors = map[string]struct{}{
	"white":     {},
	"yellow":    {},
	"blue":      {},
	"green":     {},
	"orange":    {},
	"red":       {},
	"purple":    {},
	"gray-dark": {},
}

BrandingColors is a set of colors allowed at branding.color in action.yaml. https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#brandingcolor

View Source 
var BrandingIcons = map[string]struct{}{}/* 256 elements not displayed */

BrandingIcons is a set of icon names allowed at branding.icon in action.yaml. https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#brandingicon

View Source 
var BuiltinFuncSignatures = map[string][]*FuncSignature{
	"contains": {
		{
			Name: "contains",
			Ret:  BoolType{},
			Params: []ExprType{
				StringType{},
				StringType{},
			},
		},
		{
			Name: "contains",
			Ret:  BoolType{},
			Params: []ExprType{
				&ArrayType{Elem: AnyType{}},
				AnyType{},
			},
		},
	},
	"startswith": {
		{
			Name: "startsWith",
			Ret:  BoolType{},
			Params: []ExprType{
				StringType{},
				StringType{},
			},
		},
	},
	"endswith": {
		{
			Name: "endsWith",
			Ret:  BoolType{},
			Params: []ExprType{
				StringType{},
				StringType{},
			},
		},
	},
	"format": {
		{
			Name: "format",
			Ret:  StringType{},
			Params: []ExprType{
				StringType{},
				AnyType{},
			},
			VariableLengthParams: true,
		},
	},
	"join": {
		{
			Name: "join",
			Ret:  StringType{},
			Params: []ExprType{
				&ArrayType{Elem: StringType{}},
				StringType{},
			},
		},
		{
			Name: "join",
			Ret:  StringType{},
			Params: []ExprType{
				StringType{},
				StringType{},
			},
		},

		{
			Name: "join",
			Ret:  StringType{},
			Params: []ExprType{
				&ArrayType{Elem: StringType{}},
			},
		},
		{
			Name: "join",
			Ret:  StringType{},
			Params: []ExprType{
				StringType{},
			},
		},
	},
	"tojson": {{
		Name: "toJSON",
		Ret:  StringType{},
		Params: []ExprType{
			AnyType{},
		},
	}},
	"fromjson": {{
		Name: "fromJSON",
		Ret:  AnyType{},
		Params: []ExprType{
			StringType{},
		},
	}},
	"hashfiles": {{
		Name: "hashFiles",
		Ret:  StringType{},
		Params: []ExprType{
			StringType{},
		},
		VariableLengthParams: true,
	}},
	"success": {{
		Name:   "success",
		Ret:    BoolType{},
		Params: []ExprType{},
	}},
	"always": {{
		Name:   "always",
		Ret:    BoolType{},
		Params: []ExprType{},
	}},
	"cancelled": {{
		Name:   "cancelled",
		Ret:    BoolType{},
		Params: []ExprType{},
	}},
	"failure": {{
		Name:   "failure",
		Ret:    BoolType{},
		Params: []ExprType{},
	}},
}

BuiltinFuncSignatures is a set of all builtin function signatures. All function names are in lower case because function names are compared in case insensitive. https://docs.github.com/en/actions/learn-github-actions/expressions#functions

View Source 
var BuiltinGlobalVariableTypes = map[string]ExprType{

	"github": NewStrictObjectType(map[string]ExprType{
		"action":              StringType{},
		"action_path":         StringType{},
		"action_ref":          StringType{},
		"action_repository":   StringType{},
		"action_status":       StringType{},
		"actor":               StringType{},
		"actor_id":            StringType{},
		"api_url":             StringType{},
		"base_ref":            StringType{},
		"env":                 StringType{},
		"event":               NewEmptyObjectType(),
		"event_name":          StringType{},
		"event_path":          StringType{},
		"graphql_url":         StringType{},
		"head_ref":            StringType{},
		"job":                 StringType{},
		"job_workflow_sha":    StringType{},
		"ref":                 StringType{},
		"ref_name":            StringType{},
		"ref_protected":       StringType{},
		"ref_type":            StringType{},
		"path":                StringType{},
		"repository":          StringType{},
		"repository_id":       StringType{},
		"repository_owner":    StringType{},
		"repository_owner_id": StringType{},
		"repositoryurl":       StringType{},
		"retention_days":      NumberType{},
		"run_id":              StringType{},
		"run_number":          StringType{},
		"run_attempt":         StringType{},
		"secret_source":       StringType{},
		"server_url":          StringType{},
		"sha":                 StringType{},
		"token":               StringType{},
		"triggering_actor":    StringType{},
		"workflow":            StringType{},
		"workflow_ref":        StringType{},
		"workflow_sha":        StringType{},
		"workspace":           StringType{},
	}),

	"env": NewMapObjectType(StringType{}),

	"job": NewStrictObjectType(map[string]ExprType{
		"container": NewStrictObjectType(map[string]ExprType{
			"id":      StringType{},
			"network": StringType{},
		}),
		"services": NewMapObjectType(
			NewStrictObjectType(map[string]ExprType{
				"id":      StringType{},
				"network": StringType{},
				"ports":   NewMapObjectType(StringType{}),
			}),
		),
		"status": StringType{},
	}),

	"steps": NewEmptyStrictObjectType(),

	"runner": NewStrictObjectType(map[string]ExprType{
		"name":        StringType{},
		"os":          StringType{},
		"arch":        StringType{},
		"temp":        StringType{},
		"tool_cache":  StringType{},
		"debug":       StringType{},
		"environment": StringType{},
	}),

	"secrets": NewMapObjectType(StringType{}),

	"strategy": NewObjectType(map[string]ExprType{
		"fail-fast":    BoolType{},
		"job-index":    NumberType{},
		"job-total":    NumberType{},
		"max-parallel": NumberType{},
	}),

	"matrix": NewEmptyStrictObjectType(),

	"needs": NewEmptyStrictObjectType(),

	"inputs": NewEmptyStrictObjectType(),

	"vars": NewMapObjectType(StringType{}),
}

BuiltinGlobalVariableTypes defines types of all global variables. All context variables are documented at https://docs.github.com/en/actions/learn-github-actions/contexts

View Source 
var BuiltinUntrustedInputs = UntrustedInputSearchRoots{
	"github": NewUntrustedInputMap("github",
		NewUntrustedInputMap("event",
			NewUntrustedInputMap("issue",
				NewUntrustedInputMap("title"),
				NewUntrustedInputMap("body"),
			),
			NewUntrustedInputMap("pull_request",
				NewUntrustedInputMap("title"),
				NewUntrustedInputMap("body"),
				NewUntrustedInputMap("head",
					NewUntrustedInputMap("ref"),
					NewUntrustedInputMap("label"),
					NewUntrustedInputMap("repo",
						NewUntrustedInputMap("default_branch"),
					),
				),
			),
			NewUntrustedInputMap("comment",
				NewUntrustedInputMap("body"),
			),
			NewUntrustedInputMap("review",
				NewUntrustedInputMap("body"),
			),
			NewUntrustedInputMap("review_comment",
				NewUntrustedInputMap("body"),
			),
			NewUntrustedInputMap("pages",
				NewUntrustedInputMap("*",
					NewUntrustedInputMap("page_name"),
				),
			),
			NewUntrustedInputMap("commits",
				NewUntrustedInputMap("*",
					NewUntrustedInputMap("message"),
					NewUntrustedInputMap("author",
						NewUntrustedInputMap("email"),
						NewUntrustedInputMap("name"),
					),
				),
			),
			NewUntrustedInputMap("head_commit",
				NewUntrustedInputMap("message"),
				NewUntrustedInputMap("author",
					NewUntrustedInputMap("email"),
					NewUntrustedInputMap("name"),
				),
			),
			NewUntrustedInputMap("discussion",
				NewUntrustedInputMap("title"),
				NewUntrustedInputMap("body"),
			),
		),
		NewUntrustedInputMap("head_ref"),
	),
}

BuiltinUntrustedInputs is list of untrusted inputs. These inputs are detected as untrusted in `run:` scripts. See the URL for more details. - https://securitylab.github.com/research/github-actions-untrusted-input/ - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions - https://github.com/github/codeql/blob/main/javascript/ql/src/experimental/Security/CWE-094/ExpressionInjection.ql

View Source 
var OutdatedPopularActionSpecs = map[string]struct{}{}/* 151 elements not displayed */

OutdatedPopularActionSpecs is a spec set of known outdated popular actions. The word 'outdated' means that the runner used by the action is no longer available such as "node12", "node16".

View Source 
var PopularActions = map[string]*ActionMetadata{}/* 117 elements not displayed */

PopularActions is data set of known popular actions. Keys are specs (owner/repo@ref) of actions and values are their metadata.

View Source 
var SpecialFunctionNames = map[string][]string{"always": []string{"jobs.<job_id>.if", "jobs.<job_id>.steps.if"}, "cancelled": []string{"jobs.<job_id>.if", "jobs.<job_id>.steps.if"}, "failure": []string{"jobs.<job_id>.if", "jobs.<job_id>.steps.if"}, "hashfiles": []string{"jobs.<job_id>.steps.continue-on-error", "jobs.<job_id>.steps.env", "jobs.<job_id>.steps.if", "jobs.<job_id>.steps.name", "jobs.<job_id>.steps.run", "jobs.<job_id>.steps.timeout-minutes", "jobs.<job_id>.steps.with", "jobs.<job_id>.steps.working-directory"}, "success": []string{"jobs.<job_id>.if", "jobs.<job_id>.steps.if"}}

SpecialFunctionNames is a map from special function name to available workflow keys. Some functions are only available at specific positions. This variable is useful when you want to know which functions are special and what workflow keys support them.

This function was generated from https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability. See the script for more details: https://github.com/rhysd/actionlint/blob/main/scripts/generate-availability/

Functions

func ContainsExpression added in v1.6.27 

func ContainsExpression(s string) bool

ContainsExpression checks if the given string contains a ${{ }} placeholder or not. This function is identical to String.ContainsExpression method except for taking a standard string value.

func EqualTypes added in v1.6.4 

func EqualTypes(l, r ExprType) bool

EqualTypes returns if the two types are equal.

func LexExpression added in v1.6.1 

func LexExpression(src string) ([]*Token, int, *ExprError)

LexExpression lexes the given string as expression syntax. The parameter must contain '}}' which represents end of expression. Otherwise this function will report an error that it encountered unexpected EOF.

func Parse 

func Parse(b []byte) (*Workflow, []*Error)

Parse parses given source as byte sequence into workflow syntax tree. It returns all errors detected while parsing the input. It means that detecting one error does not stop parsing. Even if one or more errors are detected, parser will try to continue parsing and finding more errors.

func VisitExprNode added in v1.6.1 

func VisitExprNode(n ExprNode, f VisitExprNodeFunc)

VisitExprNode visits the given expression syntax tree with given function f.

func WorkflowKeyAvailability added in v1.6.21 

func WorkflowKeyAvailability(key string) ([]string, []string)

WorkflowKeyAvailability returns contexts and special functions availability of the given workflow key. 1st return value indicates what contexts are available. Empty slice means any contexts are available. 2nd return value indicates what special functions are available. Empty slice means no special functions are available. The 'key' parameter should represents a workflow key like "jobs.<job_id>.concurrency".

This function was generated from https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability. See the script for more details: https://github.com/rhysd/actionlint/blob/main/scripts/generate-availability/

Types

type ActionMetadata added in v1.5.0 

type ActionMetadata struct {

	// Name is "name" field of action.yaml.
	Name string `yaml:"name" json:"name"`
	// Description is "description" field of action.yaml.
	Description string `yaml:"description" json:"-"`
	// Inputs is "inputs" field of action.yaml.
	Inputs ActionMetadataInputs `yaml:"inputs" json:"inputs"`
	// Outputs is "outputs" field of action.yaml. Key is name of output. Description is omitted
	// since actionlint does not use it.
	Outputs ActionMetadataOutputs `yaml:"outputs" json:"outputs"`
	// SkipInputs is flag to specify behavior of inputs check. When it is true, inputs for this
	// action will not be checked.
	SkipInputs bool `yaml:"-" json:"skip_inputs"`
	// SkipOutputs is flag to specify a bit loose typing to outputs object. If it is set to
	// true, the outputs object accepts any properties along with strictly typed props.
	SkipOutputs bool `yaml:"-" json:"skip_outputs"`
	// Runs is "runs" field of action.yaml.
	Runs ActionMetadataRuns `yaml:"runs" json:"runs"`
	// Branding is "branding" field of action.yaml.
	Branding ActionMetadataBranding `yaml:"branding" json:"-"`
	// contains filtered or unexported fields
}

ActionMetadata represents structure of action.yaml. https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions

func (*ActionMetadata) Dir added in v1.7.0 

func (md *ActionMetadata) Dir() string

Dir returns a directory path of the action.

func (*ActionMetadata) Path added in v1.7.0 

func (md *ActionMetadata) Path() string

Path returns a file path of the action's metadata file.

type ActionMetadataBranding added in v1.7.0 

type ActionMetadataBranding struct {
	Icon  string `yaml:"icon"`
	Color string `yaml:"color"`
}

ActionMetadataBranding is "branding" section of action.yaml. https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#branding

type ActionMetadataInput added in v1.5.0 

type ActionMetadataInput struct {
	// Name is a name of this input.
	Name string `json:"name"`
	// Required is true when this input is mandatory to run the action.
	Required bool `json:"required"`
}

ActionMetadataInput is input metadata in "inputs" section in action.yml metadata file. https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#inputs

type ActionMetadataInputs added in v1.6.20 

type ActionMetadataInputs map[string]*ActionMetadataInput

ActionMetadataInputs is a map from input ID to its metadata. Keys are in lower case since input names are case-insensitive. https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#inputs

func (*ActionMetadataInputs) UnmarshalYAML added in v1.6.20 

func (inputs *ActionMetadataInputs) UnmarshalYAML(n *yaml.Node) error

UnmarshalYAML implements yaml.Unmarshaler.

type ActionMetadataOutput added in v1.6.20 

type ActionMetadataOutput struct {
	Name string `json:"name"`
}

ActionMetadataOutput is output metadata in "outputs" section in action.yml metadata file. https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-composite-actions

type ActionMetadataOutputs added in v1.6.20 

type ActionMetadataOutputs map[string]*ActionMetadataOutput

ActionMetadataOutputs is a map from output ID to its metadata. Keys are in lower case since output names are case-insensitive. https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-composite-actions

func (*ActionMetadataOutputs) UnmarshalYAML added in v1.6.20 

func (inputs *ActionMetadataOutputs) UnmarshalYAML(n *yaml.Node) error

UnmarshalYAML implements yaml.Unmarshaler.

type ActionMetadataRuns added in v1.7.0 

type ActionMetadataRuns struct {
	// Using is `using` configuration of action.yaml. It defines what runner is used for the action.
	Using string `yaml:"using" json:"using"`
	// Main is `main` configuration of action.yaml for JavaScript action.
	Main string `yaml:"main" json:"main"`
	// Pre is `pre` configuration of action.yaml for JavaScript action.
	Pre string `yaml:"pre" json:"pre"`
	// PreIf is `pre-if` configuration of action.yaml for JavaScript action.
	PreIf string `yaml:"pre-if" json:"pre-if"`
	// Post is `post` configuration of action.yaml for JavaScript action.
	Post string `yaml:"post" json:"post"`
	// PostIf is `post-if` configuration of action.yaml for JavaScript action.
	PostIf string `yaml:"post-if" json:"post-if"`
	// Steps is `steps` configuration of action.yaml for Composite action.
	Steps []any `yaml:"steps" json:"steps"`
	// Image is `image` of action.yaml for Docker action.
	Image string `yaml:"image" json:"image"`
	// PreEntrypoint is `pre-entrypoint` of action.yaml for Docker action.
	PreEntrypoint string `yaml:"pre-entrypoint" json:"pre-entrypoint"`
	// Entrypoint is `entrypoint` of action.yaml for Docker action.
	Entrypoint string `yaml:"entrypoint" json:"entrypoint"`
	// PostEntrypoint is `post-entrypoint` of action.yaml for Docker action.
	PostEntrypoint string `yaml:"post-entrypoint" json:"post-entrypoint"`
	// Args is `args` of action.yaml for Docker action.
	Args []any `yaml:"args" json:"args"`
	// Env is `env` of action.yaml for Docker action.
	Env map[string]any `yaml:"env" json:"env"`
}

ActionMetadataRuns is "runs" section of action.yaml. It defines how the action is run. https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs

type AnyType 

type AnyType struct{}

AnyType represents type which can be any type. It also indicates that a value of the type cannot be type-checked since it's type cannot be known statically.

func (AnyType) Assignable 

func (ty AnyType) Assignable(_ ExprType) bool

Assignable returns if other type can be assignable to the type.

func (AnyType) DeepCopy added in v1.6.8 

func (ty AnyType) DeepCopy() ExprType

DeepCopy duplicates itself. All its child types are copied recursively.

func (AnyType) Merge added in v1.6.4 

func (ty AnyType) Merge(other ExprType) ExprType

Merge merges other type into this type. When other type conflicts with this type, the merged result is any type as fallback.

func (AnyType) String 

func (ty AnyType) String() string

type ArrayDerefNode 

type ArrayDerefNode struct {
	// Receiver is an expression at receiver of array element dereference.
	Receiver ExprNode
}

ArrayDerefNode represents elements dereference of arrays like '*' in 'foo.bar.*.piyo'.

func (ArrayDerefNode) Token 

func (n ArrayDerefNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type ArrayType 

type ArrayType struct {
	// Elem is type of element of the array.
	Elem ExprType
	// Deref is true when this type was derived from object filtering syntax (foo.*).
	Deref bool
}

ArrayType is type for arrays.

func (*ArrayType) Assignable 

func (ty *ArrayType) Assignable(other ExprType) bool

Assignable returns if other type can be assignable to the type.

func (*ArrayType) DeepCopy added in v1.6.8 

func (ty *ArrayType) DeepCopy() ExprType

DeepCopy duplicates itself. All its child types are copied recursively.

func (*ArrayType) Merge added in v1.6.4 

func (ty *ArrayType) Merge(other ExprType) ExprType

Merge merges two object types into one. When other object has unknown props, they are merged into current object. When both have same property, when they are assignable, it remains as-is. Otherwise, the property falls back to any type.

func (*ArrayType) String 

func (ty *ArrayType) String() string

type Bool 

type Bool struct {
	// Value is a raw value of the bool string.
	Value bool
	// Expression is a string when expression syntax ${{ }} is used for this section.
	Expression *String
	// Pos is a position in source.
	Pos *Pos
}

Bool represents generic boolean value in YAML file with position.

func (*Bool) String added in v1.6.18 

func (b *Bool) String() string

type BoolNode 

type BoolNode struct {
	// Value is value of the boolean literal.
	Value bool
	// contains filtered or unexported fields
}

BoolNode is node for boolean literal, true or false.

func (*BoolNode) Token 

func (n *BoolNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type BoolType 

type BoolType struct{}

BoolType is type for boolean values.

func (BoolType) Assignable 

func (ty BoolType) Assignable(other ExprType) bool

Assignable returns if other type can be assignable to the type.

func (BoolType) DeepCopy added in v1.6.8 

func (ty BoolType) DeepCopy() ExprType

DeepCopy duplicates itself. All its child types are copied recursively.

func (BoolType) Merge added in v1.6.4 

func (ty BoolType) Merge(other ExprType) ExprType

Merge merges other type into this type. When other type conflicts with this type, the merged result is any type as fallback.

func (BoolType) String 

func (ty BoolType) String() string

type ByErrorPosition added in v1.1.2 

type ByErrorPosition []*Error

ByErrorPosition is predicate for sort.Interface. It sorts errors slice by file path, line, and column.

func (ByErrorPosition) Len added in v1.1.2 

func (by ByErrorPosition) Len() int

func (ByErrorPosition) Less added in v1.1.2 

func (by ByErrorPosition) Less(i, j int) bool

func (ByErrorPosition) Swap added in v1.1.2 

func (by ByErrorPosition) Swap(i, j int)

type ColorOptionKind added in v1.3.0 

type ColorOptionKind int

ColorOptionKind is kind of colorful output behavior. 

const (
	// ColorOptionKindAuto is kind to determine to colorize errors output automatically. It is
	// determined based on pty and $NO_COLOR environment variable. See document of fatih/color
	// for more details.
	ColorOptionKindAuto ColorOptionKind = iota
	// ColorOptionKindAlways is kind to always colorize errors output.
	ColorOptionKindAlways
	// ColorOptionKindNever is kind never to colorize errors output.
	ColorOptionKindNever
)

type Command added in v1.3.1 

type Command struct {
	// Stdin is a reader to read input from stdin
	Stdin io.Reader
	// Stdout is a writer to write output to stdout
	Stdout io.Writer
	// Stderr is a writer to write output to stderr
	Stderr io.Writer
}

Command represents entire actionlint command. Given stdin/stdout/stderr are used for input/output.

Example 
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"

	"github.com/rhysd/actionlint"
)

func main() {
	// Write command output to this buffer
	var output bytes.Buffer

	// Create command instance populating stdin/stdout/stderr
	cmd := actionlint.Command{
		Stdin:  os.Stdin,
		Stdout: &output,
		Stderr: &output,
	}

	// Run the command end-to-end. Note that given args should contain program name
	workflow := filepath.Join(".github", "workflows", "release.yaml")
	status := cmd.Main([]string{"actionlint", "-shellcheck=", "-pyflakes=", workflow})

	fmt.Println("Exited with status", status)

	if status != 0 {
		panic("actionlint command failed: " + output.String())
	}
}

Output:

Exited with status 0

func (*Command) Main added in v1.3.1 

func (cmd *Command) Main(args []string) int

Main is main function of actionlint. It takes command line arguments as string slice and returns exit status. The args should be entire arguments including the program name, usually given via os.Args.

type CompareOpNode 

type CompareOpNode struct {
	// Kind is a kind of this expression to show which operator is used.
	Kind CompareOpNodeKind
	// Left is an expression for left hand side of the binary operator.
	Left ExprNode
	// Right is an expression for right hand side of the binary operator.
	Right ExprNode
}

CompareOpNode is node for binary expression to compare values; ==, !=, <, <=, > or >=.

func (*CompareOpNode) Token 

func (n *CompareOpNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type CompareOpNodeKind 

type CompareOpNodeKind int

CompareOpNodeKind is a kind of compare operators; ==, !=, <, <=, >, >=. 

const (
	// CompareOpNodeKindInvalid is invalid and initial value of CompareOpNodeKind values.
	CompareOpNodeKindInvalid CompareOpNodeKind = iota
	// CompareOpNodeKindLess is kind for < operator.
	CompareOpNodeKindLess
	// CompareOpNodeKindLessEq is kind for <= operator.
	CompareOpNodeKindLessEq
	// CompareOpNodeKindGreater is kind for > operator.
	CompareOpNodeKindGreater
	// CompareOpNodeKindGreaterEq is kind for >= operator.
	CompareOpNodeKindGreaterEq
	// CompareOpNodeKindEq is kind for == operator.
	CompareOpNodeKindEq
	// CompareOpNodeKindNotEq is kind for != operator.
	CompareOpNodeKindNotEq
)

func (CompareOpNodeKind) IsEqualityOp added in v1.7.0 

func (kind CompareOpNodeKind) IsEqualityOp() bool

IsEqualityOp returns true when it represents == or != operator.

func (CompareOpNodeKind) String added in v1.7.0 

func (kind CompareOpNodeKind) String() string

type Concurrency 

type Concurrency struct {
	// Group is name of the concurrency group.
	Group *String
	// CancelInProgress is a flag that shows if canceling this workflow cancels other jobs in progress.
	CancelInProgress *Bool
	// Pos is a position in source.
	Pos *Pos
}

Concurrency is a configuration of concurrency of the workflow. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#concurrency

type Config 

type Config struct {
	// SelfHostedRunner is configuration for self-hosted runner.
	SelfHostedRunner struct {
		// Labels is label names for self-hosted runner.
		Labels []string `yaml:"labels"`
	} `yaml:"self-hosted-runner"`
	// ConfigVariables is names of configuration variables used in the checked workflows. When this value is nil,
	// property names of `vars` context will not be checked. Otherwise actionlint will report a name which is not
	// listed here as undefined config variables.
	// https://docs.github.com/en/actions/learn-github-actions/variables
	ConfigVariables []string `yaml:"config-variables"`
	// Paths is a "paths" mapping in the configuration file. The keys are glob patterns to match file paths.
	// And the values are corresponding configurations applied to the file paths.
	Paths map[string]PathConfig `yaml:"paths"`
}

Config is configuration of actionlint. This struct instance is parsed from "actionlint.yaml" file usually put in ".github" directory.

func ParseConfig added in v1.7.4 

func ParseConfig(b []byte) (*Config, error)

ParseConfig parses the given bytes as an actionlint config file. When deserializing the YAML file or the config validation fails, this function returns an error.

func ReadConfigFile added in v1.6.24 

func ReadConfigFile(path string) (*Config, error)

ReadConfigFile reads actionlint config file (actionlint.yaml) from the given file path.

func (*Config) PathConfigs added in v1.7.4 

func (cfg *Config) PathConfigs(path string) []PathConfig

PathConfigs returns a list of all PathConfig values matching to the given file path. The path must be relative to the root of the project.

type Container 

type Container struct {
	// Image is specification of Docker image.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerimage
	Image *String
	// Credentials is credentials configuration of the Docker container.
	Credentials *Credentials
	// Env is environment variables setup in the container.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerenv
	Env *Env
	// Ports is list of port number mappings of the container.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerports
	Ports []*String
	// Volumes are list of volumes to be mounted to the container.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainervolumes
	Volumes []*String
	// Options is options string to run the container.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontaineroptions
	Options *String
	// Pos is a position in source.
	Pos *Pos
}

Container is configuration of how to run the container. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainer

type Credentials 

type Credentials struct {
	// Username is username for authentication.
	Username *String
	// Password is password for authentication.
	Password *String
	// Pos is a position in source.
	Pos *Pos
}

Credentials is credentials configuration. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainercredentials

type Defaults 

type Defaults struct {
	// Run is configuration of how to run shell.
	Run *DefaultsRun
	// Pos is a position in source.
	Pos *Pos
}

Defaults is set of default configurations to run shell. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#defaults

type DefaultsRun 

type DefaultsRun struct {
	// Shell is shell name to be run.
	Shell *String
	// WorkingDirectory is a default working directory path.
	WorkingDirectory *String
	// Pos is a position in source.
	Pos *Pos
}

DefaultsRun is configuration that shell is how to be run. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#defaultsrun

type DispatchInput 

type DispatchInput struct {
	// Name is a name of input value specified on dispatching workflow manually.
	Name *String
	// Description is a description of input value specified on dispatching workflow manually.
	Description *String
	// Required is a flag to show if this input is mandatory or not on dispatching workflow manually.
	Required *Bool
	// Default is a default value of input value on dispatching workflow manually.
	Default *String
	// Type is a type of the input
	// https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows#workflow_dispatch
	Type WorkflowDispatchEventInputType
	// Options is list of options of choice type
	Options []*String
}

DispatchInput is input specified on dispatching workflow manually. https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows#workflow_dispatch

type Env 

type Env struct {
	// Vars is mapping from env var name to env var value.
	Vars map[string]*EnvVar
	// Expression is an expression string which contains ${{ ... }}. When this value is not empty,
	// Vars should be nil.
	Expression *String
}

Env represents set of environment variables.

type EnvVar 

type EnvVar struct {
	// Name is name of the environment variable.
	Name *String
	// Value is string value of the environment variable.
	Value *String
}

EnvVar represents key-value of environment variable setup.

type Environment 

type Environment struct {
	// Name is a name of environment which the workflow uses.
	Name *String
	// URL is the URL mapped to 'environment_url' in the deployments API. Empty value means no value was specified.
	URL *String
	// Pos is a position in source.
	Pos *Pos
}

Environment is a configuration of environment. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idenvironment

type Error 

type Error struct {
	// Message is an error message.
	Message string
	// Filepath is a file path where the error occurred.
	Filepath string
	// Line is a line number where the error occurred. This value is 1-based.
	Line int
	// Column is a column number where the error occurred. This value is 1-based.
	Column int
	// Kind is a string to represent kind of the error. Usually rule name which found the error.
	Kind string
}

Error represents an error detected by actionlint rules

func (*Error) Error 

func (e *Error) Error() string

Error returns summary of the error as string.

func (*Error) GetTemplateFields added in v1.6.1 

func (e *Error) GetTemplateFields(source []byte) *ErrorTemplateFields

GetTemplateFields fields for formatting this error with Go template.

func (*Error) PrettyPrint 

func (e *Error) PrettyPrint(w io.Writer, source []byte)

PrettyPrint prints the error with user-friendly way. It prints file name, source position, error message with colorful output and source snippet with indicator. When nil is set to source, no source snippet is not printed. To disable colorful output, set true to fatih/color.NoColor.

func (*Error) String added in v1.6.18 

func (e *Error) String() string

type ErrorFormatter added in v1.6.1 

type ErrorFormatter struct {
	// contains filtered or unexported fields
}

ErrorFormatter is a formatter to format a slice of ErrorTemplateFields. It is used for formatting error messages with -format option.

Example 
package main

import (
	"os"

	"github.com/rhysd/actionlint"
)

func main() {
	// Errors returned from Linter methods
	errs := []*actionlint.Error{
		{
			Message:  "error message 1",
			Filepath: "foo.yaml",
			Line:     1,
			Column:   4,
			Kind:     "rule1",
		},
		{
			Message:  "error message 2",
			Filepath: "foo.yaml",
			Line:     3,
			Column:   1,
			Kind:     "rule2",
		},
	}

	// Create ErrorFormatter instance with template
	f, err := actionlint.NewErrorFormatter(`{{range $ := .}}{{$.Filepath}}:{{$.Line}}:{{$.Column}}: {{$.Message}}\n{{end}}`)
	if err != nil {
		// Some error happened while creating the formatter (e.g. syntax error)
		panic(err)
	}

	src := `on: push

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: echo
`

	// Prints all errors to stdout following the template
	if err := f.PrintErrors(os.Stdout, errs, []byte(src)); err != nil {
		panic(err)
	}

}

Output:

foo.yaml:1:4: error message 1
foo.yaml:3:1: error message 2

func NewErrorFormatter added in v1.6.1 

func NewErrorFormatter(format string) (*ErrorFormatter, error)

NewErrorFormatter creates new ErrorFormatter instance. Given format must contain at least one {{ }} placeholder. Escaped characters like \n in the format string are unescaped.

func (*ErrorFormatter) Print added in v1.6.1 

func (f *ErrorFormatter) Print(out io.Writer, t []*ErrorTemplateFields) error

Print formats the slice of template fields and prints it with given writer.

func (*ErrorFormatter) PrintErrors added in v1.6.1 

func (f *ErrorFormatter) PrintErrors(out io.Writer, errs []*Error, src []byte) error

PrintErrors prints the errors after formatting them with template.

func (*ErrorFormatter) RegisterRule added in v1.6.26 

func (f *ErrorFormatter) RegisterRule(r Rule)

RegisterRule registers the rule. Registered rules are used to get description and index of error kinds when you use `kindDescription` or `kindIndex` functions in an error format template. This method can be called multiple times safely in parallel.

type ErrorTemplateFields added in v1.6.1 

type ErrorTemplateFields struct {
	// Message is error message body.
	Message string `json:"message"`
	// Filepath is a canonical relative file path. This is empty when input was read from stdin.
	// When encoding into JSON, this field may be omitted when the file path is empty.
	Filepath string `json:"filepath,omitempty"`
	// Line is a line number of error position.
	Line int `json:"line"`
	// Column is a column number of error position.
	Column int `json:"column"`
	// Kind is a rule name the error belongs to.
	Kind string `json:"kind"`
	// Snippet is a code snippet and indicator to indicate where the error occurred.
	// When encoding into JSON, this field may be omitted when the snippet is empty.
	Snippet string `json:"snippet,omitempty"`
	// EndColumn is a column number where the error indicator (^~~~~~~) ends. When no indicator
	// can be shown, EndColumn is equal to Column.
	EndColumn int `json:"end_column"`
}

ErrorTemplateFields holds all fields to format one error message.

type Event 

type Event interface {
	// EventName returns name of the event to trigger this workflow.
	EventName() string
}

Event interface represents workflow events in 'on' section

type Exec 

type Exec interface {
	// Kind returns kind of the step execution.
	Kind() ExecKind
}

Exec is an interface how the step is executed. Step in workflow runs either an action or a script

type ExecAction 

type ExecAction struct {
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsuses
	Uses *String
	// Inputs represents inputs to the action to execute in 'with' section. Keys are in lower case since they are case-insensitive.
	Inputs map[string]*Input
	// Entrypoint represents optional 'entrypoint' field in 'with' section. Nil field means nothing specified
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswithentrypoint
	Entrypoint *String
	// Args represents optional 'args' field in 'with' section. Nil field means nothing specified
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswithargs
	Args *String
}

ExecAction is configuration how to run action at the step. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsuses

func (*ExecAction) Kind 

func (e *ExecAction) Kind() ExecKind

Kind returns kind of the step execution.

type ExecKind 

type ExecKind uint8

ExecKind is kind of how the step is executed. A step runs some action or runs some shell script. 

const (
	// ExecKindAction is kind for step to run action
	ExecKindAction ExecKind = iota
	// ExecKindRun is kind for step to run shell script
	ExecKindRun
)

type ExecRun 

type ExecRun struct {
	// Run is script to run.
	Run *String
	// Shell represents optional 'shell' field. Nil means nothing specified.
	Shell *String
	// WorkingDirectory represents optional 'working-directory' field. Nil means nothing specified.
	WorkingDirectory *String
	// RunPos is position of 'run' section
	RunPos *Pos
}

ExecRun is configuration how to run shell script at the step. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsrun

func (*ExecRun) Kind 

func (e *ExecRun) Kind() ExecKind

Kind returns kind of the step execution.

type ExprError 

type ExprError struct {
	// Message is an error message
	Message string
	// Offset is byte offset position which caused the error
	Offset int
	// Offset is line number position which caused the error. Note that this value is 1-based.
	Line int
	// Column is column number position which caused the error. Note that this value is 1-based.
	Column int
}

ExprError is an error type caused by lexing/parsing expression syntax. For more details, see https://docs.github.com/en/actions/learn-github-actions/expressions

func (*ExprError) Error 

func (e *ExprError) Error() string

func (*ExprError) String added in v1.6.18 

func (e *ExprError) String() string

type ExprLexer 

type ExprLexer struct {
	// contains filtered or unexported fields
}

ExprLexer is a struct to lex expression syntax. To know the syntax, see https://docs.github.com/en/actions/learn-github-actions/expressions

func NewExprLexer 

func NewExprLexer(src string) *ExprLexer

NewExprLexer makes new ExprLexer instance.

func (*ExprLexer) Err added in v1.6.1 

func (lex *ExprLexer) Err() *ExprError

Err returns an error while lexing. When multiple errors occur, the first one is returned.

func (*ExprLexer) Next added in v1.6.1 

func (lex *ExprLexer) Next() *Token

Next lexes next token to lex input incrementally. Lexer must be initialized with Init() method before the first call of this method. This method is stateful. Lexer advances offset by lexing token. To get the offset, use Offset() method.

func (*ExprLexer) Offset added in v1.6.1 

func (lex *ExprLexer) Offset() int

Offset returns the current offset (scanning position).

type ExprNode 

type ExprNode interface {
	// Token returns the first token of the node. This method is useful to get position of this node.
	Token() *Token
}

ExprNode is a node of expression syntax tree. To know the syntax, see https://docs.github.com/en/actions/learn-github-actions/expressions

type ExprParser 

type ExprParser struct {
	// contains filtered or unexported fields
}

ExprParser is a parser for expression syntax. To know the details, see https://docs.github.com/en/actions/learn-github-actions/expressions

func NewExprParser 

func NewExprParser() *ExprParser

NewExprParser creates new ExprParser instance.

func (*ExprParser) Err added in v1.6.1 

func (p *ExprParser) Err() *ExprError

Err returns an error which was caused while previous parsing.

func (*ExprParser) Parse 

func (p *ExprParser) Parse(l *ExprLexer) (ExprNode, *ExprError)

Parse parses token sequence lexed by a given lexer into syntax tree.

type ExprSemanticsChecker 

type ExprSemanticsChecker struct {
	// contains filtered or unexported fields
}

ExprSemanticsChecker is a semantics checker for expression syntax. It checks types of values in given expression syntax tree. It additionally checks other semantics like arguments of format() built-in function. To know the details of the syntax, see

- https://docs.github.com/en/actions/learn-github-actions/contexts - https://docs.github.com/en/actions/learn-github-actions/expressions

func NewExprSemanticsChecker 

func NewExprSemanticsChecker(checkUntrustedInput bool, configVars []string) *ExprSemanticsChecker

NewExprSemanticsChecker creates new ExprSemanticsChecker instance. When checkUntrustedInput is set to true, the checker will make use of possibly untrusted inputs error.

func (*ExprSemanticsChecker) Check 

func (sema *ExprSemanticsChecker) Check(expr ExprNode) (ExprType, []*ExprError)

Check checks semantics of given expression syntax tree. It returns the type of the expression as the first return value when the check was successfully done. And it returns all errors found while checking the expression as the second return value.

func (*ExprSemanticsChecker) SetContextAvailability added in v1.6.21 

func (sema *ExprSemanticsChecker) SetContextAvailability(avail []string)

SetContextAvailability sets available context names while semantics checks. Some contexts limit where they can be used. https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability

Elements of 'avail' parameter must be in lower case to check context names in case-insensitive.

If this method is not called before checks, ExprSemanticsChecker considers any contexts are available by default. Available contexts for workflow keys can be obtained from actionlint.ContextAvailability.

func (*ExprSemanticsChecker) SetSpecialFunctionAvailability added in v1.6.21 

func (sema *ExprSemanticsChecker) SetSpecialFunctionAvailability(avail []string)

SetSpecialFunctionAvailability sets names of available special functions while semantics checks. Some functions limit where they can be used. https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability

Elements of 'avail' parameter must be in lower case to check function names in case-insensitive.

If this method is not called before checks, ExprSemanticsChecker considers no special function is allowed by default. Allowed functions can be obtained from actionlint.SpecialFunctionNames global constant.

Available function names for workflow keys can be obtained from actionlint.ContextAvailability.

func (*ExprSemanticsChecker) UpdateDispatchInputs added in v1.6.8 

func (sema *ExprSemanticsChecker) UpdateDispatchInputs(ty *ObjectType)

UpdateDispatchInputs updates 'github.event.inputs' and 'inputs' objects to given object type. https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch

func (*ExprSemanticsChecker) UpdateInputs added in v1.6.6 

func (sema *ExprSemanticsChecker) UpdateInputs(ty *ObjectType)

UpdateInputs updates 'inputs' context object to given object type.

func (*ExprSemanticsChecker) UpdateJobs added in v1.6.10 

func (sema *ExprSemanticsChecker) UpdateJobs(ty *ObjectType)

UpdateJobs updates 'jobs' context object to given object type.

func (*ExprSemanticsChecker) UpdateMatrix 

func (sema *ExprSemanticsChecker) UpdateMatrix(ty *ObjectType)

UpdateMatrix updates matrix object to given object type. Since matrix values change according to 'matrix' section of job configuration, the type needs to be updated.

func (*ExprSemanticsChecker) UpdateNeeds 

func (sema *ExprSemanticsChecker) UpdateNeeds(ty *ObjectType)

UpdateNeeds updates 'needs' context object to given object type.

func (*ExprSemanticsChecker) UpdateSecrets added in v1.6.6 

func (sema *ExprSemanticsChecker) UpdateSecrets(ty *ObjectType)

UpdateSecrets updates 'secrets' context object to given object type.

func (*ExprSemanticsChecker) UpdateSteps 

func (sema *ExprSemanticsChecker) UpdateSteps(ty *ObjectType)

UpdateSteps updates 'steps' context object to given object type.

type ExprType 

type ExprType interface {
	// String returns string representation of the type.
	String() string
	// Assignable returns if other type can be assignable to the type.
	Assignable(other ExprType) bool
	// Merge merges other type into this type. When other type conflicts with this type, the merged
	// result is any type as fallback.
	Merge(other ExprType) ExprType
	// DeepCopy duplicates itself. All its child types are copied recursively.
	DeepCopy() ExprType
}

ExprType is interface for types of values in expression.

type Float 

type Float struct {
	// Value is a raw value of the float string.
	Value float64
	// Expression is a string when expression syntax ${{ }} is used for this section.
	Expression *String
	// Pos is a position in source.
	Pos *Pos
}

Float represents generic float value in YAML file with position.

type FloatNode 

type FloatNode struct {
	// Value is value of the float literal.
	Value float64
	// contains filtered or unexported fields
}

FloatNode is node for float literal.

func (*FloatNode) Token 

func (n *FloatNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type FuncCallNode 

type FuncCallNode struct {
	// Callee is a name of called function. This is string value because currently only built-in
	// functions can be called.
	Callee string
	// Args is arguments of the function call.
	Args []ExprNode
	// contains filtered or unexported fields
}

FuncCallNode represents function call in expression. Note that currently only calling builtin functions is supported.

func (*FuncCallNode) Token 

func (n *FuncCallNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type FuncSignature 

type FuncSignature struct {
	// Name is a name of the function.
	Name string
	// Ret is a return type of the function.
	Ret ExprType
	// Params is a list of parameter types of the function. The final element of this list might
	// be repeated as variable length arguments.
	Params []ExprType
	// VariableLengthParams is a flag to handle variable length parameters. When this flag is set to
	// true, it means that the last type of params might be specified multiple times (including zero
	// times). Setting true implies length of Params is more than 0.
	VariableLengthParams bool
}

FuncSignature is a signature of function, which holds return and arguments types.

func (*FuncSignature) String 

func (sig *FuncSignature) String() string

type IgnorePatterns added in v1.7.4 

type IgnorePatterns []*regexp.Regexp

IgnorePatterns is a list of regular expressions. These patterns are used for filtering errors by matching the error messages.

func (IgnorePatterns) Match added in v1.7.4 

func (pats IgnorePatterns) Match(err *Error) bool

Match returns whether the given error should be ignored due to the "ignore" configuration.

func (*IgnorePatterns) UnmarshalYAML added in v1.7.4 

func (pats *IgnorePatterns) UnmarshalYAML(n *yaml.Node) error

UnmarshalYAML implements yaml.Unmarshaler.

type IndexAccessNode 

type IndexAccessNode struct {
	// Operand is an expression at operand of index access, which should be array or object.
	Operand ExprNode
	// Index is an expression at index, which should be integer or string.
	Index ExprNode
}

IndexAccessNode is node for index access, which represents dynamic object property access or array index access.

func (*IndexAccessNode) Token 

func (n *IndexAccessNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type Input 

type Input struct {
	// Name is a name of the input.
	Name *String
	// Value is a value of the input.
	Value *String
}

Input is an input field for running an action. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswith

type Int 

type Int struct {
	// Value is a raw value of the integer string.
	Value int
	// Expression is a string when expression syntax ${{ }} is used for this section.
	Expression *String
	// Pos is a position in source.
	Pos *Pos
}

Int represents generic integer value in YAML file with position.

type IntNode 

type IntNode struct {
	// Value is value of the integer literal.
	Value int
	// contains filtered or unexported fields
}

IntNode is node for integer literal.

func (*IntNode) Token 

func (n *IntNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type InvalidGlobPattern added in v1.4.0 

type InvalidGlobPattern struct {
	// Message is a human readable error message.
	Message string
	// Column is a column number of the error in the glob pattern. This value is 1-based, but zero
	// is valid value. Zero means the error occurred before reading first character. This happens
	// when a given pattern is empty. When the given pattern include a newline and line number
	// increases (invalid pattern), the column number falls back into always 0.
	Column int
}

InvalidGlobPattern is an error on invalid glob pattern.

func ValidatePathGlob added in v1.4.0 

func ValidatePathGlob(pat string) []InvalidGlobPattern

ValidatePathGlob checks a given input as glob pattern for file paths. It returns list of errors found by the validation. See the following URL for more details of the syntax: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet

func ValidateRefGlob added in v1.4.0 

func ValidateRefGlob(pat string) []InvalidGlobPattern

ValidateRefGlob checks a given input as glob pattern for Git ref names. It returns list of errors found by the validation. See the following URL for more details of the syntax: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet

func (*InvalidGlobPattern) Error added in v1.4.0 

func (err *InvalidGlobPattern) Error() string

func (*InvalidGlobPattern) String added in v1.6.18 

func (err *InvalidGlobPattern) String() string

type Job 

type Job struct {
	// ID is an ID of the job, which is key of job configuration objects.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_id
	ID *String
	// Name is a name of job that user can specify freely.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idname
	Name *String
	// Needs is list of job IDs which should be run before running this job.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idneeds
	Needs []*String
	// RunsOn is runner configuration which run the job.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idruns-on
	RunsOn *Runner
	// Permissions is permission configuration for running the job.
	Permissions *Permissions
	// Environment is environment specification where the job runs.
	Environment *Environment
	// Concurrency is concurrency configuration on running the job.
	Concurrency *Concurrency
	// Outputs is map from output name to output specifications.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idoutputs
	Outputs map[string]*Output
	// Env is environment variables setup while running the job.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idenv
	Env *Env
	// Defaults is default configurations of how to run scripts.
	Defaults *Defaults
	// If is a condition whether this job should be run.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idif
	If *String
	// Steps is list of steps to be run in the job.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idsteps
	Steps []*Step
	// TimeoutMinutes is timeout value of running the job in minutes.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes
	TimeoutMinutes *Float
	// Strategy is strategy configuration of running the job.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategy
	Strategy *Strategy
	// ContinueOnError is a flag to show if execution should continue on error.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontinue-on-error
	ContinueOnError *Bool
	// Container is container configuration to run the job.
	Container *Container
	// Services is a services configurations.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idservices
	Services *Services
	// WorkflowCall is a workflow call by 'uses:'.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_iduses
	WorkflowCall *WorkflowCall
	// Pos is a position in source.
	Pos *Pos
}

Job is configuration of how to run a job. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobs

type Linter 

type Linter struct {
	// contains filtered or unexported fields
}

Linter is struct to lint workflow files.

Example 
package main

import (
	"fmt"
	"os"
	"path/filepath"

	"github.com/rhysd/actionlint"
)

func main() {
	// Specify linter options
	o := &actionlint.LinterOptions{
		IgnorePatterns: []string{`'label ".+" is unknown'`},
		// Other options...
	}

	// Create Linter instance which outputs errors to stdout
	l, err := actionlint.NewLinter(os.Stdout, o)
	if err != nil {
		panic(err)
	}

	// File to check
	f := filepath.Join("testdata", "examples", "main.yaml")

	// First return value is an array of lint errors found in the workflow files. The second return
	// value is an error of actionlint itself. This call outputs the lint errors to stdout. Use
	// io.Discard to prevent the output.
	//
	// There are several methods to run linter.
	// - LintFile: Check the given single file
	// - LintFiles: Check the given multiple files
	// - LintDir: Check all workflow files in the given single directory recursively
	// - LintRepository: Check all workflow files under .github/workflows in the given repository
	// - Lint: Check the given workflow content assuming the given file path
	errs, err := l.LintFile(f, nil)
	if err != nil {
		panic(err)
	}

	fmt.Println(len(errs), "lint errors found by actionlint")
}

Output:
Example (YourOwnRule) 
package main

import (
	"fmt"
	"io"
	"path/filepath"

	"github.com/rhysd/actionlint"
)

// A rule type to check every steps have their names.
type RuleStepName struct {
	// Embedding RuleBase struct implements the minimal Rule interface.
	actionlint.RuleBase
}

// Reimplement methods in RuleBase. Visit* methods are called on checking workflows.
func (r *RuleStepName) VisitStep(n *actionlint.Step) error {
	// Implement your own check
	if n.Name == nil {
		// RuleBase provides methods to report errors. See RuleBase.Error and RuleBase.Errorf.
		r.Error(n.Pos, "every step must have its name")
	}
	return nil
}

func NewRuleStepName() *RuleStepName {
	return &RuleStepName{
		RuleBase: actionlint.NewRuleBase("step-name", "Checks every step has their own name"),
	}
}

func main() {
	// The function set at OnRulesCreated is called after rule instances are created. You can
	// add/remove some rules and return the modified slice. This function is called on linting
	// each workflow files.
	o := &actionlint.LinterOptions{
		OnRulesCreated: func(rules []actionlint.Rule) []actionlint.Rule {
			rules = append(rules, NewRuleStepName())
			return rules
		},
	}

	l, err := actionlint.NewLinter(io.Discard, o)
	if err != nil {
		panic(err)
	}

	f := filepath.Join("testdata", "ok", "minimal.yaml")

	// First return value is an array of lint errors found in the workflow file.
	errs, err := l.LintFile(f, nil)
	if err != nil {
		panic(err)
	}

	// `errs` includes errors like below:
	//
	// testdata/examples/main.yaml:14:9: every step must have its name [step-name]
	//    |
	// 14 |       - uses: actions/checkout@v4
	//    |         ^~~~~
	fmt.Println(len(errs), "lint errors found by actionlint")
}

Output:

1 lint errors found by actionlint

func NewLinter 

func NewLinter(out io.Writer, opts *LinterOptions) (*Linter, error)

NewLinter creates a new Linter instance. The out parameter is used to output errors from Linter instance. Set io.Discard if you don't want the outputs. The opts parameter is LinterOptions instance which configures behavior of linting.

func (*Linter) GenerateDefaultConfig 

func (l *Linter) GenerateDefaultConfig(dir string) error

GenerateDefaultConfig generates default config file at ".github/actionlint.yaml" in the project which the given directory path belongs to. When the directory path is empty, the current directory will be used instead.

func (*Linter) Lint 

func (l *Linter) Lint(path string, content []byte, project *Project) ([]*Error, error)

Lint lints YAML workflow file content given as byte slice. The path parameter is used as file path where the content came from. When nil is passed to the project parameter, it tries to find the project from the path parameter.

func (*Linter) LintDir added in v1.6.17 

func (l *Linter) LintDir(dir string, project *Project) ([]*Error, error)

LintDir lints all YAML workflow files in the given directory recursively.

func (*Linter) LintFile 

func (l *Linter) LintFile(path string, project *Project) ([]*Error, error)

LintFile lints one YAML workflow file and outputs the errors to given writer. The project parameter can be nil. In the case, the project is detected from the given path.

func (*Linter) LintFiles 

func (l *Linter) LintFiles(filepaths []string, project *Project) ([]*Error, error)

LintFiles lints YAML workflow files and outputs the errors to given writer. It applies lint rules to all given files. The project parameter can be nil. In the case, a project is detected from the file path.

func (*Linter) LintRepository 

func (l *Linter) LintRepository(dir string) ([]*Error, error)

LintRepository lints YAML workflow files and outputs the errors to given writer. It finds the nearest `.github/workflows` directory based on `dir` and applies lint rules to all YAML workflow files under the directory. When the directory path is empty, the current working directory will be used instead.

func (*Linter) LintStdin added in v1.7.4 

func (l *Linter) LintStdin(stdin io.Reader) ([]*Error, error)

LintStdin lints the content read from STDIN. The stdin parameter is a reader to read from STDIN, which is usually os.Stdin. The file name is determined by LinterOptions.StdinFileName. When the option is empty, "<stdin>" is the default value.

type LinterOptions 

type LinterOptions struct {
	// Verbose is flag if verbose log output is enabled.
	Verbose bool
	// Debug is flag if debug log output is enabled.
	Debug bool
	// LogWriter is io.Writer object to use to print log outputs. Note that error outputs detected
	// by the linter are not included in the log outputs.
	LogWriter io.Writer
	// Color is option for colorizing error outputs. See ColorOptionKind document for each enum values.
	Color ColorOptionKind
	// Oneline is flag if one line output is enabled. When enabling it, one error is output per one
	// line. It is useful when reading outputs from programs.
	Oneline bool
	// Shellcheck is executable for running shellcheck external command. It can be command name like
	// "shellcheck" or file path like "/path/to/shellcheck", "path/to/shellcheck". When this value
	// is empty, shellcheck won't run to check scripts in workflow file.
	Shellcheck string
	// Pyflakes is executable for running pyflakes external command. It can be command name like "pyflakes"
	// or file path like "/path/to/pyflakes", "path/to/pyflakes". When this value is empty, pyflakes
	// won't run to check scripts in workflow file.
	Pyflakes string
	// IgnorePatterns is list of regular expression to filter errors. The pattern is applied to error
	// messages. When an error is matched, the error is ignored.
	IgnorePatterns []string
	// ConfigFile is a path to config file. Empty string means no config file path is given. In
	// the case, actionlint will try to read config from .github/actionlint.yaml.
	ConfigFile string
	// Format is a custom template to format error messages. It must follow Go Template format and
	// contain at least one {{ }} placeholder. https://pkg.go.dev/text/template
	Format string
	// StdinFileName is a file name when reading input from stdin. When this value is empty, "<stdin>"
	// is used as the default value.
	StdinFileName string
	// WorkingDir is a file path to the current working directory. When this value is empty, os.Getwd
	// will be used to get a working directory.
	WorkingDir string
	// OnRulesCreated is a hook to add or remove the check rules. This function is called on checking
	// every workflow files. Rules created by Linter instance are passed to the argument and the
	// function should return the modified rules.
	// Note that syntax errors may be reported even if this function returns nil or an empty slice.
	OnRulesCreated func([]Rule) []Rule
}

LinterOptions is set of options for Linter instance. This struct is used for NewLinter factory function call. The zero value LinterOptions{} represents the default behavior.

type LocalActionsCache added in v1.5.0 

type LocalActionsCache struct {
	// contains filtered or unexported fields
}

LocalActionsCache is cache for local actions' metadata. It avoids repeating to find/read/parse local action's metadata file (action.yml). This cache is not available across multiple repositories. One LocalActionsCache instance needs to be created per one repository.

func NewLocalActionsCache added in v1.5.0 

func NewLocalActionsCache(proj *Project, dbg io.Writer) *LocalActionsCache

NewLocalActionsCache creates new LocalActionsCache instance for the given project.

func (*LocalActionsCache) FindMetadata added in v1.5.0 

func (c *LocalActionsCache) FindMetadata(spec string) (*ActionMetadata, bool, error)

FindMetadata finds metadata for given spec. The spec should indicate for local action hence it should start with "./". The first return value can be nil even if error did not occur. LocalActionCache caches that the action was not found. At first search, it returns an error that the action was not found. But at the second search, it does not return an error even if the result is nil. This behavior prevents repeating to report the same error from multiple places. Calling this method is thread-safe.

type LocalActionsCacheFactory added in v1.6.16 

type LocalActionsCacheFactory struct {
	// contains filtered or unexported fields
}

LocalActionsCacheFactory is a factory to create LocalActionsCache instances. LocalActionsCache should be created for each repositories. LocalActionsCacheFactory creates new LocalActionsCache instance per repository (project).

func NewLocalActionsCacheFactory added in v1.6.16 

func NewLocalActionsCacheFactory(dbg io.Writer) *LocalActionsCacheFactory

NewLocalActionsCacheFactory creates a new LocalActionsCacheFactory instance.

func (*LocalActionsCacheFactory) GetCache added in v1.6.16 

func (f *LocalActionsCacheFactory) GetCache(p *Project) *LocalActionsCache

GetCache returns LocalActionsCache instance for the given project. One LocalActionsCache is created per one repository. Created instances are cached and will be used when caches are requested for the same projects. This method is not thread safe.

type LocalReusableWorkflowCache added in v1.6.18 

type LocalReusableWorkflowCache struct {
	// contains filtered or unexported fields
}

LocalReusableWorkflowCache is a cache for local reusable workflow metadata files. It avoids find/read/parse local reusable workflow YAML files. This cache is dedicated for a single project (repository) indicated by 'proj' field. One LocalReusableWorkflowCache instance needs to be created per one project.

func NewLocalReusableWorkflowCache added in v1.6.18 

func NewLocalReusableWorkflowCache(proj *Project, cwd string, dbg io.Writer) *LocalReusableWorkflowCache

NewLocalReusableWorkflowCache creates a new LocalReusableWorkflowCache instance for the given project. 'cwd' is a current working directory as an absolute file path. The 'Local' means that the cache instance is project-local. It is not available across multiple projects.

func (*LocalReusableWorkflowCache) FindMetadata added in v1.6.18 

func (c *LocalReusableWorkflowCache) FindMetadata(spec string) (*ReusableWorkflowMetadata, error)

FindMetadata finds/parses a reusable workflow metadata located by the 'spec' argument. When project is not set to 'proj' field or the spec does not start with "./", this method immediately returns with nil.

Note that an error is not cached. At first search, let's say this method returned an error since the reusable workflow is invalid. In this case, calling this method with the same spec later will not return the error again. It just will return nil. This behavior prevents repeating to report the same error from multiple places.

Calling this method is thread-safe.

func (*LocalReusableWorkflowCache) WriteWorkflowCallEvent added in v1.6.18 

func (c *LocalReusableWorkflowCache) WriteWorkflowCallEvent(wpath string, event *WorkflowCallEvent)

WriteWorkflowCallEvent writes reusable workflow metadata by converting from WorkflowCallEvent AST node. The 'wpath' parameter is a path to the workflow file of the AST, which is a relative to the project root directory or an absolute path. This method does nothing when (1) no project is set, (2) it could not convert the workflow path to workflow call spec, (3) some cache for the workflow is already existing. This method is thread safe.

type LocalReusableWorkflowCacheFactory added in v1.6.18 

type LocalReusableWorkflowCacheFactory struct {
	// contains filtered or unexported fields
}

LocalReusableWorkflowCacheFactory is a factory object to create a LocalReusableWorkflowCache instance per project.

func NewLocalReusableWorkflowCacheFactory added in v1.6.18 

func NewLocalReusableWorkflowCacheFactory(cwd string, dbg io.Writer) *LocalReusableWorkflowCacheFactory

NewLocalReusableWorkflowCacheFactory creates a new LocalReusableWorkflowCacheFactory instance.

func (*LocalReusableWorkflowCacheFactory) GetCache added in v1.6.18 

func (f *LocalReusableWorkflowCacheFactory) GetCache(p *Project) *LocalReusableWorkflowCache

GetCache returns a new or existing LocalReusableWorkflowCache instance per project. When a instance was already created for the project, this method returns the existing instance. Otherwise it creates a new instance and returns it.

type LogLevel 

type LogLevel int

LogLevel is log level of logger used in Linter instance.

type LogicalOpNode 

type LogicalOpNode struct {
	// Kind is a kind to show which operator is used.
	Kind LogicalOpNodeKind
	// Left is an expression for left hand side of the binary operator.
	Left ExprNode
	// Right is an expression for right hand side of the binary operator.
	Right ExprNode
}

LogicalOpNode is node for logical binary operators; && or ||.

func (*LogicalOpNode) Token 

func (n *LogicalOpNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type LogicalOpNodeKind 

type LogicalOpNodeKind int

LogicalOpNodeKind is a kind of logical operators; && and ||. 

const (
	// LogicalOpNodeKindInvalid is an invalid and initial value of LogicalOpNodeKind.
	LogicalOpNodeKindInvalid LogicalOpNodeKind = iota
	// LogicalOpNodeKindAnd is a kind for && operator.
	LogicalOpNodeKindAnd
	// LogicalOpNodeKindOr is a kind for || operator.
	LogicalOpNodeKindOr
)

func (LogicalOpNodeKind) String 

func (k LogicalOpNodeKind) String() string

type Matrix 

type Matrix struct {
	// Values stores mappings from name to values. Keys are in lower case since they are case-insensitive.
	Rows map[string]*MatrixRow
	// Include is list of combinations of matrix values and additional values on running matrix combinations.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-including-additional-values-into-combinations
	Include *MatrixCombinations
	// Exclude is list of combinations of matrix values which should not be run. Combinations in
	// this list will be removed from combinations of matrix to run.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-excluding-configurations-from-a-matrix
	Exclude *MatrixCombinations
	// Expression is a string when expression syntax ${{ }} is used for this section.
	Expression *String
	// Pos is a position in source.
	Pos *Pos
}

Matrix is matrix variations configuration of a job. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix

type MatrixAssign 

type MatrixAssign struct {
	// Key is a name of the matrix value.
	Key *String
	// Value is the value selected from values in row.
	Value RawYAMLValue
}

MatrixAssign represents which value should be taken in the row of the matrix. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix

type MatrixCombination 

type MatrixCombination struct {
	Assigns map[string]*MatrixAssign
	// Expression is a string when expression syntax ${{ }} is used for this section.
	Expression *String
}

MatrixCombination is combination of matrix value assignments to define one of matrix variations. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix

type MatrixCombinations 

type MatrixCombinations struct {
	Combinations []*MatrixCombination
	// Expression is a string when expression syntax ${{ }} is used for this section.
	Expression *String
}

MatrixCombinations is list of combinations of matrix assignments used for 'include' and 'exclude' sections. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix

func (*MatrixCombinations) ContainsExpression 

func (cs *MatrixCombinations) ContainsExpression() bool

ContainsExpression returns if the combinations section includes at least one expression node.

type MatrixRow 

type MatrixRow struct {
	// Name is a name of matrix value.
	Name *String
	// Values is variations of values which the matrix value can take.
	Values []RawYAMLValue
	// Expression is a string when expression syntax ${{ }} is used for this section.
	Expression *String
}

MatrixRow is one row of matrix. One matrix row can take multiple values. Those variations are stored as row of values in this struct. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix

type NotOpNode 

type NotOpNode struct {
	// Operand is an expression at operand of ! operator.
	Operand ExprNode
	// contains filtered or unexported fields
}

NotOpNode is node for unary ! operator.

func (*NotOpNode) Token 

func (n *NotOpNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type NullNode 

type NullNode struct {
	// contains filtered or unexported fields
}

NullNode is node for null literal.

func (*NullNode) Token 

func (n *NullNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type NullType 

type NullType struct{}

NullType is type for null value.

func (NullType) Assignable 

func (ty NullType) Assignable(other ExprType) bool

Assignable returns if other type can be assignable to the type.

func (NullType) DeepCopy added in v1.6.8 

func (ty NullType) DeepCopy() ExprType

DeepCopy duplicates itself. All its child types are copied recursively.

func (NullType) Merge added in v1.6.4 

func (ty NullType) Merge(other ExprType) ExprType

Merge merges other type into this type. When other type conflicts with this type, the merged result is any type as fallback.

func (NullType) String 

func (ty NullType) String() string

type NumberType 

type NumberType struct{}

NumberType is type for number values such as integer or float.

func (NumberType) Assignable 

func (ty NumberType) Assignable(other ExprType) bool

Assignable returns if other type can be assignable to the type.

func (NumberType) DeepCopy added in v1.6.8 

func (ty NumberType) DeepCopy() ExprType

DeepCopy duplicates itself. All its child types are copied recursively.

func (NumberType) Merge added in v1.6.4 

func (ty NumberType) Merge(other ExprType) ExprType

Merge merges other type into this type. When other type conflicts with this type, the merged result is any type as fallback.

func (NumberType) String 

func (ty NumberType) String() string

type ObjectDerefNode 

type ObjectDerefNode struct {
	// Receiver is an expression at receiver of property dereference.
	Receiver ExprNode
	// Property is a name of property to access.
	Property string
}

ObjectDerefNode represents property dereference of object like 'foo.bar'.

func (ObjectDerefNode) Token 

func (n ObjectDerefNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type ObjectType 

type ObjectType struct {
	// Props is map from properties name to their type.
	Props map[string]ExprType
	// Mapped is an element type of this object. This means all props have the type. For example,
	// The element type of env context is string.
	// AnyType means its property types can be any type so it shapes a loose object. Setting nil
	// means properties are mapped to no type so it shapes a strict object.
	//
	// Invariant: All types in Props field must be assignable to this type.
	Mapped ExprType
}

ObjectType is type for objects, which can hold key-values.

func NewEmptyObjectType added in v1.6.4 

func NewEmptyObjectType() *ObjectType

NewEmptyObjectType creates new loose ObjectType instance which allows unknown props. When accessing to unknown props, their values will fall back to any.

func NewEmptyStrictObjectType added in v1.6.4 

func NewEmptyStrictObjectType() *ObjectType

NewEmptyStrictObjectType creates new ObjectType instance which does not allow unknown props.

func NewMapObjectType added in v1.6.4 

func NewMapObjectType(t ExprType) *ObjectType

NewMapObjectType creates new ObjectType which maps keys to a specific type value.

func NewObjectType 

func NewObjectType(props map[string]ExprType) *ObjectType

NewObjectType creates new loose ObjectType instance which allows unknown props with given props.

func NewStrictObjectType 

func NewStrictObjectType(props map[string]ExprType) *ObjectType

NewStrictObjectType creates new ObjectType instance which does not allow unknown props with given prop types.

func (*ObjectType) Assignable 

func (ty *ObjectType) Assignable(other ExprType) bool

Assignable returns if other type can be assignable to the type. In other words, rhs type is more strict than lhs (receiver) type.

func (*ObjectType) DeepCopy added in v1.6.8 

func (ty *ObjectType) DeepCopy() ExprType

DeepCopy duplicates itself. All its child types are copied recursively.

func (*ObjectType) IsLoose added in v1.6.4 

func (ty *ObjectType) IsLoose() bool

IsLoose returns if the type is a loose object, which allows any unknown props.

func (*ObjectType) IsStrict added in v1.6.4 

func (ty *ObjectType) IsStrict() bool

IsStrict returns if the type is a strict object, which means no unknown prop is allowed.

func (*ObjectType) Loose added in v1.6.4 

func (ty *ObjectType) Loose()

Loose sets the object is loose, which means any properties can be set.

func (*ObjectType) Merge added in v1.6.4 

func (ty *ObjectType) Merge(other ExprType) ExprType

Merge merges two object types into one. When other object has unknown props, they are merged into current object. When both have same property, when they are assignable, it remains as-is. Otherwise, the property falls back to any type.

func (*ObjectType) Strict added in v1.6.4 

func (ty *ObjectType) Strict()

Strict sets the object is strict, which means only known properties are allowed.

func (*ObjectType) String 

func (ty *ObjectType) String() string

type Output 

type Output struct {
	// Name is name of output.
	Name *String
	// Value is value of output.
	Value *String
}

Output is output entry of the job. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idoutputs

type Pass 

type Pass interface {
	// VisitStep is callback when visiting Step node. It returns internal error when it cannot continue the process
	VisitStep(node *Step) error
	// VisitJobPre is callback when visiting Job node before visiting its children. It returns internal error when it cannot continue the process
	VisitJobPre(node *Job) error
	// VisitJobPost is callback when visiting Job node after visiting its children. It returns internal error when it cannot continue the process
	VisitJobPost(node *Job) error
	// VisitWorkflowPre is callback when visiting Workflow node before visiting its children. It returns internal error when it cannot continue the process
	VisitWorkflowPre(node *Workflow) error
	// VisitWorkflowPost is callback when visiting Workflow node after visiting its children. It returns internal error when it cannot continue the process
	VisitWorkflowPost(node *Workflow) error
}

Pass is an interface to traverse a workflow syntax tree

type PathConfig added in v1.7.4 

type PathConfig struct {
	// Ignore is a list of patterns. They are used for ignoring errors by matching to the error messages.
	// It is similar to the "-ignore" command line option.
	Ignore IgnorePatterns `yaml:"ignore"`
}

PathConfig is a configuration for specific file path pattern. This is for values of the "paths" mapping in the configuration file.

type PermissionScope added in v1.5.0 

type PermissionScope struct {
	// Name is name of the scope.
	Name *String
	// Value is permission value of the scope.
	Value *String
}

PermissionScope is struct for respective permission scope like "issues", "checks", ... https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

type Permissions 

type Permissions struct {
	// All represents a permission value for all the scopes at once.
	All *String
	// Scopes is mappings from scope name to its permission configuration
	Scopes map[string]*PermissionScope
	// Pos is a position in source.
	Pos *Pos
}

Permissions is set of permission configurations in workflow file. All permissions can be set at once. Or each permission can be configured respectively. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#permissions

type Pos 

type Pos struct {
	// Line is a line number of the position. This value is 1-based.
	Line int
	// Col is a column number of the position. This value is 1-based.
	Col int
}

Pos represents position in the file.

func (*Pos) IsBefore added in v1.6.14 

func (p *Pos) IsBefore(other *Pos) bool

IsBefore returns if the position is before the other position. If they are equal, this function returns false.

func (*Pos) String 

func (p *Pos) String() string

type Project 

type Project struct {
	// contains filtered or unexported fields
}

Project represents one GitHub project. One Git repository corresponds to one project.

func NewProject added in v1.6.26 

func NewProject(root string) (*Project, error)

NewProject creates a new instance with a file path to the root directory of the repository. This function returns an error when failing to parse an actionlint config file in the repository.

func (*Project) Config 

func (p *Project) Config() *Config

Config returns config object of the GitHub project repository. The config file was read from ".github/actionlint.yaml" or ".github/actionlint.yml" when this Project instance was created. When no config was found, this method returns nil.

func (*Project) Knows 

func (p *Project) Knows(path string) bool

Knows returns true when the project knows the given file. When a file is included in the project's directory, the project knows the file.

func (*Project) RootDir 

func (p *Project) RootDir() string

RootDir returns a root directory path of the GitHub project repository.

func (*Project) WorkflowsDir 

func (p *Project) WorkflowsDir() string

WorkflowsDir returns a ".github/workflows" directory path of the GitHub project repository. This method does not check if the directory exists.

type Projects 

type Projects struct {
	// contains filtered or unexported fields
}

Projects represents set of projects. It caches Project instances which was created previously and reuses them.

func NewProjects 

func NewProjects() *Projects

NewProjects creates new Projects instance.

func (*Projects) At 

func (ps *Projects) At(path string) (*Project, error)

At returns the Project instance which the path belongs to. It returns nil if no project is found from the path.

type RawYAMLArray 

type RawYAMLArray struct {
	// Elems is list of elements of the array value.
	Elems []RawYAMLValue
	// contains filtered or unexported fields
}

RawYAMLArray is raw YAML sequence value.

func (*RawYAMLArray) Equals 

func (a *RawYAMLArray) Equals(other RawYAMLValue) bool

Equals returns if the other value is equal to the value.

func (*RawYAMLArray) Kind 

func (a *RawYAMLArray) Kind() RawYAMLValueKind

Kind returns kind of raw YAML value.

func (*RawYAMLArray) Pos 

func (a *RawYAMLArray) Pos() *Pos

Pos returns the start position of the value in the source file

func (*RawYAMLArray) String 

func (a *RawYAMLArray) String() string

type RawYAMLObject 

type RawYAMLObject struct {
	// Props is map from property names to their values. Keys are in lower case since they are case-insensitive.
	Props map[string]RawYAMLValue
	// contains filtered or unexported fields
}

RawYAMLObject is raw YAML mapping value.

func (*RawYAMLObject) Equals 

func (o *RawYAMLObject) Equals(other RawYAMLValue) bool

Equals returns if the other value is equal to the value.

func (*RawYAMLObject) Kind 

func (o *RawYAMLObject) Kind() RawYAMLValueKind

Kind returns kind of raw YAML value.

func (*RawYAMLObject) Pos 

func (o *RawYAMLObject) Pos() *Pos

Pos returns the start position of the value in the source file

func (*RawYAMLObject) String 

func (o *RawYAMLObject) String() string

type RawYAMLString 

type RawYAMLString struct {

	// Value is string representation of the scalar node.
	Value string
	// contains filtered or unexported fields
}

RawYAMLString is raw YAML scalar value.

func (*RawYAMLString) Equals 

func (s *RawYAMLString) Equals(other RawYAMLValue) bool

Equals returns if the other value is equal to the value.

func (*RawYAMLString) Kind 

func (s *RawYAMLString) Kind() RawYAMLValueKind

Kind returns kind of raw YAML value.

func (*RawYAMLString) Pos 

func (s *RawYAMLString) Pos() *Pos

Pos returns the start position of the value in the source file

func (*RawYAMLString) String 

func (s *RawYAMLString) String() string

type RawYAMLValue 

type RawYAMLValue interface {
	// Kind returns kind of raw YAML value.
	Kind() RawYAMLValueKind
	// Equals returns if the other value is equal to the value.
	Equals(other RawYAMLValue) bool
	// Pos returns the start position of the value in the source file
	Pos() *Pos
	// String returns string representation of the value
	String() string
}

RawYAMLValue is a value at matrix variation. Any value can be put at matrix variations including mappings and arrays.

type RawYAMLValueKind 

type RawYAMLValueKind int

RawYAMLValueKind is kind of raw YAML values

type RepositoryDispatchEvent 

type RepositoryDispatchEvent struct {
	// Types is list of types which can trigger workflow.
	Types []*String
	// Pos is a position in source.
	Pos *Pos
}

RepositoryDispatchEvent is repository_dispatch event configuration. https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows#repository_dispatch

func (*RepositoryDispatchEvent) EventName 

func (e *RepositoryDispatchEvent) EventName() string

EventName returns name of the event to trigger this workflow.

type ReusableWorkflowMetadata added in v1.6.18 

type ReusableWorkflowMetadata struct {
	Inputs  ReusableWorkflowMetadataInputs  `yaml:"inputs"`
	Outputs ReusableWorkflowMetadataOutputs `yaml:"outputs"`
	Secrets ReusableWorkflowMetadataSecrets `yaml:"secrets"`
}

ReusableWorkflowMetadata is metadata to validate local reusable workflows. This struct does not contain all metadata from YAML file. It only contains metadata which is necessary to validate reusable workflow files by actionlint.

type ReusableWorkflowMetadataInput added in v1.6.18 

type ReusableWorkflowMetadataInput struct {
	// Name is a name of the input defined in the reusable workflow.
	Name string
	// Required is true when 'required' field of the input is set to true and no default value is set.
	Required bool
	// Type is a type of the input. When the input type is unknown, 'any' type is set.
	Type ExprType
}

ReusableWorkflowMetadataInput is an input metadata for validating local reusable workflow file.

func (*ReusableWorkflowMetadataInput) UnmarshalYAML added in v1.6.18 

func (input *ReusableWorkflowMetadataInput) UnmarshalYAML(n *yaml.Node) error

UnmarshalYAML implements yaml.Unmarshaler.

type ReusableWorkflowMetadataInputs added in v1.6.19 

type ReusableWorkflowMetadataInputs map[string]*ReusableWorkflowMetadataInput

ReusableWorkflowMetadataInputs is a map from input name to reusable wokflow input metadata. The keys are in lower case since input names of workflow calls are case insensitive.

func (*ReusableWorkflowMetadataInputs) UnmarshalYAML added in v1.6.19 

func (inputs *ReusableWorkflowMetadataInputs) UnmarshalYAML(n *yaml.Node) error

UnmarshalYAML implements yaml.Unmarshaler.

type ReusableWorkflowMetadataOutput added in v1.6.19 

type ReusableWorkflowMetadataOutput struct {
	// Name is a name of the output in the reusable workflow.
	Name string
}

ReusableWorkflowMetadataOutput is an output metadata for validating local reusable workflow file.

type ReusableWorkflowMetadataOutputs added in v1.6.19 

type ReusableWorkflowMetadataOutputs map[string]*ReusableWorkflowMetadataOutput

ReusableWorkflowMetadataOutputs is a map from output name to reusable wokflow output metadata. The keys are in lower case since output names of workflow calls are case insensitive.

func (*ReusableWorkflowMetadataOutputs) UnmarshalYAML added in v1.6.19 

func (outputs *ReusableWorkflowMetadataOutputs) UnmarshalYAML(n *yaml.Node) error

UnmarshalYAML implements yaml.Unmarshaler.

type ReusableWorkflowMetadataSecret added in v1.6.19 

type ReusableWorkflowMetadataSecret struct {
	// Name is a name of the secret in the reusable workflow.
	Name string
	// Required indicates whether the secret is required by its reusable workflow. When this value
	// is true, workflow calls must set this secret unless secrets are not inherited.
	Required bool `yaml:"required"`
}

ReusableWorkflowMetadataSecret is a secret metadata for validating local reusable workflow file.

type ReusableWorkflowMetadataSecrets added in v1.6.19 

type ReusableWorkflowMetadataSecrets map[string]*ReusableWorkflowMetadataSecret

ReusableWorkflowMetadataSecrets is a map from secret name to reusable wokflow secret metadata. The keys are in lower case since secret names of workflow calls are case insensitive.

func (*ReusableWorkflowMetadataSecrets) UnmarshalYAML added in v1.6.19 

func (secrets *ReusableWorkflowMetadataSecrets) UnmarshalYAML(n *yaml.Node) error

UnmarshalYAML implements yaml.Unmarshaler.

type Rule 

type Rule interface {
	Pass
	Errs() []*Error
	Name() string
	Description() string
	EnableDebug(out io.Writer)
	SetConfig(cfg *Config)
	Config() *Config
}

Rule is an interface which all rule structs must meet.

type RuleAction 

type RuleAction struct {
	RuleBase
	// contains filtered or unexported fields
}

RuleAction is a rule to check running action in steps of jobs. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsuses

func NewRuleAction 

func NewRuleAction(cache *LocalActionsCache) *RuleAction

NewRuleAction creates new RuleAction instance.

func (*RuleAction) VisitStep 

func (rule *RuleAction) VisitStep(n *Step) error

VisitStep is callback when visiting Step node.

type RuleBase 

type RuleBase struct {
	// contains filtered or unexported fields
}

RuleBase is a struct to be a base of rule structs. Embed this struct to define default methods automatically

func NewRuleBase added in v1.6.26 

func NewRuleBase(name string, desc string) RuleBase

NewRuleBase creates a new RuleBase instance. It should be embedded to your own rule instance.

func (*RuleBase) Config added in v1.6.27 

func (r *RuleBase) Config() *Config

Config returns the user configuration of actionlint. When no config was set to this rule by SetConfig, this method returns nil.

func (*RuleBase) Debug added in v1.6.26 

func (r *RuleBase) Debug(format string, args ...interface{})

Debug prints debug log to the output. The output is specified by the argument of EnableDebug method. By default, no output is set so debug log is not printed.

func (*RuleBase) Description added in v1.6.26 

func (r *RuleBase) Description() string

Description returns the description of the rule.

func (*RuleBase) EnableDebug added in v1.2.0 

func (r *RuleBase) EnableDebug(out io.Writer)

EnableDebug enables debug output from the rule. Given io.Writer instance is used to print debug information to console. Setting nil means disabling debug output.

func (*RuleBase) Error added in v1.6.26 

func (r *RuleBase) Error(pos *Pos, msg string)

Error creates a new error from the source position and the error message and stores it in the rule instance. The errors can be accessed by Errs method.

func (*RuleBase) Errorf added in v1.6.26 

func (r *RuleBase) Errorf(pos *Pos, format string, args ...interface{})

Errorf reports a new error with the source position and the formatted error message and stores it in the rule instance. The errors can be accessed by Errs method.

func (*RuleBase) Errs 

func (r *RuleBase) Errs() []*Error

Errs returns errors found by the rule.

func (*RuleBase) Name 

func (r *RuleBase) Name() string

Name returns the name of the rule.

func (*RuleBase) SetConfig added in v1.6.24 

func (r *RuleBase) SetConfig(cfg *Config)

SetConfig populates user configuration of actionlint to the rule. When no config is set, rules should behave as if the default configuration is set.

func (*RuleBase) VisitJobPost 

func (r *RuleBase) VisitJobPost(node *Job) error

VisitJobPost is callback when visiting Job node after visiting its children.

func (*RuleBase) VisitJobPre 

func (r *RuleBase) VisitJobPre(node *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RuleBase) VisitStep 

func (r *RuleBase) VisitStep(node *Step) error

VisitStep is callback when visiting Step node.

func (*RuleBase) VisitWorkflowPost 

func (r *RuleBase) VisitWorkflowPost(node *Workflow) error

VisitWorkflowPost is callback when visiting Workflow node after visiting its children.

func (*RuleBase) VisitWorkflowPre 

func (r *RuleBase) VisitWorkflowPre(node *Workflow) error

VisitWorkflowPre is callback when visiting Workflow node before visiting its children.

type RuleCredentials 

type RuleCredentials struct {
	RuleBase
}

RuleCredentials is a rule to check credentials in workflows

func NewRuleCredentials 

func NewRuleCredentials() *RuleCredentials

NewRuleCredentials creates new RuleCredentials instance

func (*RuleCredentials) VisitJobPre 

func (rule *RuleCredentials) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

type RuleDeprecatedCommands added in v1.6.22 

type RuleDeprecatedCommands struct {
	RuleBase
}

RuleDeprecatedCommands is a rule checker to detect deprecated workflow commands. Currently 'set-state', 'set-output', `set-env' and 'add-path' are detected as deprecated.

- https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/ - https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

func NewRuleDeprecatedCommands added in v1.6.22 

func NewRuleDeprecatedCommands() *RuleDeprecatedCommands

NewRuleDeprecatedCommands creates a new RuleDeprecatedCommands instance.

func (*RuleDeprecatedCommands) VisitStep added in v1.6.22 

func (rule *RuleDeprecatedCommands) VisitStep(n *Step) error

VisitStep is callback when visiting Step node.

type RuleEnvVar 

type RuleEnvVar struct {
	RuleBase
}

RuleEnvVar is a rule checker to check environment variables setup.

func NewRuleEnvVar 

func NewRuleEnvVar() *RuleEnvVar

NewRuleEnvVar creates new RuleEnvVar instance.

func (*RuleEnvVar) VisitJobPre 

func (rule *RuleEnvVar) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RuleEnvVar) VisitStep 

func (rule *RuleEnvVar) VisitStep(n *Step) error

VisitStep is callback when visiting Step node.

func (*RuleEnvVar) VisitWorkflowPre 

func (rule *RuleEnvVar) VisitWorkflowPre(n *Workflow) error

VisitWorkflowPre is callback when visiting Workflow node before visiting its children.

type RuleEvents 

type RuleEvents struct {
	RuleBase
}

RuleEvents is a rule to check 'on' field in workflow. https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows

func NewRuleEvents 

func NewRuleEvents() *RuleEvents

NewRuleEvents creates new RuleEvents instance.

func (*RuleEvents) VisitWorkflowPre 

func (rule *RuleEvents) VisitWorkflowPre(n *Workflow) error

VisitWorkflowPre is callback when visiting Workflow node before visiting its children.

type RuleExpression 

type RuleExpression struct {
	RuleBase
	// contains filtered or unexported fields
}

RuleExpression is a rule checker to check expression syntax in string values of workflow syntax. It checks syntax and semantics of the expressions including type checks and functions/contexts definitions. For more details see - https://docs.github.com/en/actions/learn-github-actions/contexts - https://docs.github.com/en/actions/learn-github-actions/expressions

func NewRuleExpression 

func NewRuleExpression(actionsCache *LocalActionsCache, workflowCache *LocalReusableWorkflowCache) *RuleExpression

NewRuleExpression creates new RuleExpression instance.

func (*RuleExpression) VisitJobPost 

func (rule *RuleExpression) VisitJobPost(n *Job) error

VisitJobPost is callback when visiting Job node after visiting its children

func (*RuleExpression) VisitJobPre 

func (rule *RuleExpression) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RuleExpression) VisitStep 

func (rule *RuleExpression) VisitStep(n *Step) error

VisitStep is callback when visiting Step node.

func (*RuleExpression) VisitWorkflowPost 

func (rule *RuleExpression) VisitWorkflowPost(n *Workflow) error

VisitWorkflowPost is callback when visiting Workflow node after visiting its children

func (*RuleExpression) VisitWorkflowPre 

func (rule *RuleExpression) VisitWorkflowPre(n *Workflow) error

VisitWorkflowPre is callback when visiting Workflow node before visiting its children.

type RuleGlob added in v1.4.0 

type RuleGlob struct {
	RuleBase
}

RuleGlob is a rule to check glob syntax. https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet

func NewRuleGlob added in v1.4.0 

func NewRuleGlob() *RuleGlob

NewRuleGlob creates new RuleGlob instance.

func (*RuleGlob) VisitWorkflowPre added in v1.4.0 

func (rule *RuleGlob) VisitWorkflowPre(n *Workflow) error

VisitWorkflowPre is callback when visiting Workflow node before visiting its children.

type RuleID added in v1.6.16 

type RuleID struct {
	RuleBase
	// contains filtered or unexported fields
}

RuleID is a rule to check step IDs in workflow.

func NewRuleID added in v1.6.16 

func NewRuleID() *RuleID

NewRuleID creates a new RuleID instance.

func (*RuleID) VisitJobPost added in v1.6.16 

func (rule *RuleID) VisitJobPost(n *Job) error

VisitJobPost is callback when visiting Job node after visiting its children.

func (*RuleID) VisitJobPre added in v1.6.16 

func (rule *RuleID) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RuleID) VisitStep added in v1.6.16 

func (rule *RuleID) VisitStep(n *Step) error

VisitStep is callback when visiting Step node.

type RuleIfCond added in v1.6.26 

type RuleIfCond struct {
	RuleBase
}

RuleIfCond is a rule to check if: conditions.

func NewRuleIfCond added in v1.6.26 

func NewRuleIfCond() *RuleIfCond

NewRuleIfCond creates new RuleIfCond instance.

func (*RuleIfCond) VisitJobPre added in v1.6.26 

func (rule *RuleIfCond) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RuleIfCond) VisitStep added in v1.6.26 

func (rule *RuleIfCond) VisitStep(n *Step) error

VisitStep is callback when visiting Step node.

type RuleJobNeeds 

type RuleJobNeeds struct {
	RuleBase
	// contains filtered or unexported fields
}

RuleJobNeeds is a rule to check 'needs' field in each job configuration. For more details, see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idneeds

func NewRuleJobNeeds 

func NewRuleJobNeeds() *RuleJobNeeds

NewRuleJobNeeds creates new RuleJobNeeds instance.

func (*RuleJobNeeds) VisitJobPre 

func (rule *RuleJobNeeds) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RuleJobNeeds) VisitWorkflowPost 

func (rule *RuleJobNeeds) VisitWorkflowPost(n *Workflow) error

VisitWorkflowPost is callback when visiting Workflow node after visiting its children.

type RuleMatrix 

type RuleMatrix struct {
	RuleBase
}

RuleMatrix is a rule checker to check 'matrix' field of job.

func NewRuleMatrix 

func NewRuleMatrix() *RuleMatrix

NewRuleMatrix creates new RuleMatrix instance.

func (*RuleMatrix) VisitJobPre 

func (rule *RuleMatrix) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

type RulePermissions added in v1.5.0 

type RulePermissions struct {
	RuleBase
}

RulePermissions is a rule checker to check permission configurations in a workflow. https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

func NewRulePermissions added in v1.5.0 

func NewRulePermissions() *RulePermissions

NewRulePermissions creates new RulePermissions instance.

func (*RulePermissions) VisitJobPre added in v1.5.0 

func (rule *RulePermissions) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RulePermissions) VisitWorkflowPre added in v1.5.0 

func (rule *RulePermissions) VisitWorkflowPre(n *Workflow) error

VisitWorkflowPre is callback when visiting Workflow node before visiting its children.

type RulePyflakes added in v1.2.0 

type RulePyflakes struct {
	RuleBase
	// contains filtered or unexported fields
}

RulePyflakes is a rule to check Python scripts at 'run:' using pyflakes. https://github.com/PyCQA/pyflakes

func NewRulePyflakes added in v1.2.0 

func NewRulePyflakes(executable string, proc *concurrentProcess) (*RulePyflakes, error)

NewRulePyflakes creates new RulePyflakes instance. Parameter executable can be command name or relative/absolute file path. When the given executable is not found in system, it returns an error.

func (*RulePyflakes) VisitJobPost added in v1.2.0 

func (rule *RulePyflakes) VisitJobPost(n *Job) error

VisitJobPost is callback when visiting Job node after visiting its children.

func (*RulePyflakes) VisitJobPre added in v1.2.0 

func (rule *RulePyflakes) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RulePyflakes) VisitStep added in v1.2.0 

func (rule *RulePyflakes) VisitStep(n *Step) error

VisitStep is callback when visiting Step node.

func (*RulePyflakes) VisitWorkflowPost added in v1.2.0 

func (rule *RulePyflakes) VisitWorkflowPost(n *Workflow) error

VisitWorkflowPost is callback when visiting Workflow node after visiting its children.

func (*RulePyflakes) VisitWorkflowPre added in v1.2.0 

func (rule *RulePyflakes) VisitWorkflowPre(n *Workflow) error

VisitWorkflowPre is callback when visiting Workflow node before visiting its children.

type RuleRunnerLabel 

type RuleRunnerLabel struct {
	RuleBase
	// contains filtered or unexported fields
}

RuleRunnerLabel is a rule to check runner label like "ubuntu-latest". There are two types of runners, GitHub-hosted runner and Self-hosted runner. GitHub-hosted runner is described at https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners . And Self-hosted runner is described at https://docs.github.com/en/actions/hosting-your-own-runners/using-self-hosted-runners-in-a-workflow .

func NewRuleRunnerLabel 

func NewRuleRunnerLabel() *RuleRunnerLabel

NewRuleRunnerLabel creates new RuleRunnerLabel instance.

func (*RuleRunnerLabel) VisitJobPre 

func (rule *RuleRunnerLabel) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

type RuleShellName 

type RuleShellName struct {
	RuleBase
	// contains filtered or unexported fields
}

RuleShellName is a rule to check 'shell' field. For more details, see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#using-a-specific-shell

func NewRuleShellName 

func NewRuleShellName() *RuleShellName

NewRuleShellName creates new RuleShellName instance.

func (*RuleShellName) VisitJobPost 

func (rule *RuleShellName) VisitJobPost(n *Job) error

VisitJobPost is callback when visiting Job node after visiting its children.

func (*RuleShellName) VisitJobPre 

func (rule *RuleShellName) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RuleShellName) VisitStep 

func (rule *RuleShellName) VisitStep(n *Step) error

VisitStep is callback when visiting Step node.

func (*RuleShellName) VisitWorkflowPre 

func (rule *RuleShellName) VisitWorkflowPre(n *Workflow) error

VisitWorkflowPre is callback when visiting Workflow node before visiting its children.

type RuleShellcheck 

type RuleShellcheck struct {
	RuleBase
	// contains filtered or unexported fields
}

RuleShellcheck is a rule to check shell scripts at 'run:' using shellcheck. https://github.com/koalaman/shellcheck

func NewRuleShellcheck 

func NewRuleShellcheck(executable string, proc *concurrentProcess) (*RuleShellcheck, error)

NewRuleShellcheck creates new RuleShellcheck instance. The executable argument can be command name or relative/absolute file path. When the given executable is not found in system, it returns an error as 2nd return value.

func (*RuleShellcheck) VisitJobPost 

func (rule *RuleShellcheck) VisitJobPost(n *Job) error

VisitJobPost is callback when visiting Job node after visiting its children.

func (*RuleShellcheck) VisitJobPre 

func (rule *RuleShellcheck) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RuleShellcheck) VisitStep 

func (rule *RuleShellcheck) VisitStep(n *Step) error

VisitStep is callback when visiting Step node.

func (*RuleShellcheck) VisitWorkflowPost 

func (rule *RuleShellcheck) VisitWorkflowPost(n *Workflow) error

VisitWorkflowPost is callback when visiting Workflow node after visiting its children.

func (*RuleShellcheck) VisitWorkflowPre 

func (rule *RuleShellcheck) VisitWorkflowPre(n *Workflow) error

VisitWorkflowPre is callback when visiting Workflow node before visiting its children.

type RuleWorkflowCall added in v1.6.5 

type RuleWorkflowCall struct {
	RuleBase
	// contains filtered or unexported fields
}

RuleWorkflowCall is a rule checker to check workflow call at jobs.<job_id>.

func NewRuleWorkflowCall added in v1.6.5 

func NewRuleWorkflowCall(workflowPath string, cache *LocalReusableWorkflowCache) *RuleWorkflowCall

NewRuleWorkflowCall creates a new RuleWorkflowCall instance. 'workflowPath' is a file path to the workflow which is relative to a project root directory or an absolute path.

func (*RuleWorkflowCall) VisitJobPre added in v1.6.5 

func (rule *RuleWorkflowCall) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RuleWorkflowCall) VisitWorkflowPre added in v1.6.6 

func (rule *RuleWorkflowCall) VisitWorkflowPre(n *Workflow) error

VisitWorkflowPre is callback when visiting Workflow node before visiting its children.

type Runner 

type Runner struct {
	// Labels is list label names to select a runner to run a job. There are preset labels and user
	// defined labels. Runner matching to the labels is selected.
	Labels []*String
	// LabelsExpr is a string when expression syntax ${{ }} is used for this section. Related issue is #164.
	LabelsExpr *String
	// Group is a group of runners specified in runs-on: section. It is nil when no group is specified.
	// https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#choosing-runners-in-a-group
	Group *String
}

Runner is struct for runner configuration. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idruns-on

type ScheduledEvent 

type ScheduledEvent struct {
	// Cron is list of cron strings which schedules workflow.
	Cron []*String
	// Pos is a position in source.
	Pos *Pos
}

ScheduledEvent is event scheduled by workflow. https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows#scheduled-events

func (*ScheduledEvent) EventName 

func (e *ScheduledEvent) EventName() string

EventName returns name of the event to trigger this workflow.

type Service 

type Service struct {
	// Name is name of the service.
	Name *String
	// Container is configuration of container which runs the service.
	Container *Container
}

Service is configuration to run a service like database. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idservices

type Services added in v1.7.0 

type Services struct {
	// Value is a mapping from service ID to its Service instances. Keys are in lower case since
	// they are case-insensitive.
	Value map[string]*Service
	// Expression is an expression assigned to the services mapping by ${{ }} placeholder. Otherwise
	// this field is nil.
	Expression *String
	// Pos is a position in source.
	Pos *Pos
}

Services is a mapping from service ID to its configuration. https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idservices

type Step 

type Step struct {
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsid
	ID *String
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsif
	If *String
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsname
	Name *String
	Exec Exec
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsenv
	Env *Env
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error
	ContinueOnError *Bool
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes
	TimeoutMinutes *Float
	// Pos is a position in source.
	Pos *Pos
}

Step is step configuration. Step runs one action or one shell script. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idsteps

type Strategy 

type Strategy struct {
	// Matrix is matrix of combinations of values. Each combination will run the job once.
	Matrix *Matrix
	// FailFast is flag to show if other jobs should stop when one job fails.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategyfail-fast
	FailFast *Bool
	// MaxParallel is how many jobs should be run at once.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymax-parallel
	MaxParallel *Int
	// Pos is a position in source.
	Pos *Pos
}

Strategy is strategy configuration of how the job is run. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategy

type String 

type String struct {
	// Value is a raw value of the string.
	Value string
	// Quoted represents the string is quoted with ' or " in the YAML source.
	Quoted bool
	// Pos is a position of the string in source.
	Pos *Pos
}

String represents generic string value in YAML file with position.

func (*String) ContainsExpression added in v1.6.26 

func (s *String) ContainsExpression() bool

ContainsExpression returns whether the string contains at least one ${{ }} expression.

func (*String) IsExpressionAssigned added in v1.6.26 

func (s *String) IsExpressionAssigned() bool

IsExpressionAssigned returns whether a single expression is assigned to the string.

type StringNode 

type StringNode struct {
	// Value is value of the string literal. Escapes are resolved and quotes at both edges are
	// removed.
	Value string
	// contains filtered or unexported fields
}

StringNode is node for string literal.

func (*StringNode) Token 

func (n *StringNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type StringType 

type StringType struct{}

StringType is type for string values.

func (StringType) Assignable 

func (ty StringType) Assignable(other ExprType) bool

Assignable returns if other type can be assignable to the type.

func (StringType) DeepCopy added in v1.6.8 

func (ty StringType) DeepCopy() ExprType

DeepCopy duplicates itself. All its child types are copied recursively.

func (StringType) Merge added in v1.6.4 

func (ty StringType) Merge(other ExprType) ExprType

Merge merges other type into this type. When other type conflicts with this type, the merged result is any type as fallback.

func (StringType) String 

func (ty StringType) String() string

type Token 

type Token struct {
	// Kind is kind of the token.
	Kind TokenKind
	// Value is string representation of the token.
	Value string
	// Offset is byte offset of token string starting.
	Offset int
	// Line is line number of start position of the token. Note that this value is 1-based.
	Line int
	// Column is column number of start position of the token. Note that this value is 1-based.
	Column int
}

Token is a token lexed from expression syntax. For more details, see https://docs.github.com/en/actions/learn-github-actions/expressions

func (*Token) String 

func (t *Token) String() string

type TokenKind 

type TokenKind int

TokenKind is kind of token. 

const (
	// TokenKindUnknown is a default value of token as unknown token value.
	TokenKindUnknown TokenKind = iota
	// TokenKindEnd is a token for end of token sequence. Sequence without this
	// token means invalid.
	TokenKindEnd
	// TokenKindIdent is a token for identifier.
	TokenKindIdent
	// TokenKindString is a token for string literals.
	TokenKindString
	// TokenKindInt is a token for integers including hex integers.
	TokenKindInt
	// TokenKindFloat is a token for float numbers.
	TokenKindFloat
	// TokenKindLeftParen is a token for '('.
	TokenKindLeftParen
	// TokenKindRightParen is a token for ')'.
	TokenKindRightParen
	// TokenKindLeftBracket is a token for '['.
	TokenKindLeftBracket
	// TokenKindRightBracket is a token for ']'.
	TokenKindRightBracket
	// TokenKindDot is a token for '.'.
	TokenKindDot
	// TokenKindNot is a token for '!'.
	TokenKindNot
	// TokenKindLess is a token for '<'.
	TokenKindLess
	// TokenKindLessEq is a token for '<='.
	TokenKindLessEq
	// TokenKindGreater is a token for '>'.
	TokenKindGreater
	// TokenKindGreaterEq is a token for '>='.
	TokenKindGreaterEq
	// TokenKindEq is a token for '=='.
	TokenKindEq
	// TokenKindNotEq is a token for '!='.
	TokenKindNotEq
	// TokenKindAnd is a token for '&&'.
	TokenKindAnd
	// TokenKindOr is a token for '||'.
	TokenKindOr
	// TokenKindStar is a token for '*'.
	TokenKindStar
	// TokenKindComma is a token for ','.
	TokenKindComma
)

func (TokenKind) String 

func (t TokenKind) String() string

type UntrustedInputChecker added in v1.6.1 

type UntrustedInputChecker struct {
	// contains filtered or unexported fields
}

UntrustedInputChecker is a checker to detect untrusted inputs in an expression syntax tree. This checker checks object property accesses, array index accesses, and object filters. And detects paths to untrusted inputs. Found errors are stored in this instance and can be get via Errs method.

Note: To avoid breaking the state of checking property accesses on nested property accesses like foo[aaa.bbb].bar, IndexAccessNode.Index must be visited before IndexAccessNode.Operand.

func NewUntrustedInputChecker added in v1.6.1 

func NewUntrustedInputChecker(roots UntrustedInputSearchRoots) *UntrustedInputChecker

NewUntrustedInputChecker creates a new UntrustedInputChecker instance. The roots argument is a search tree which defines untrusted input paths as trees.

func (*UntrustedInputChecker) Errs added in v1.6.1 

func (u *UntrustedInputChecker) Errs() []*ExprError

Errs returns errors detected by this checker. This method should be called after visiting all nodes in a syntax tree.

func (*UntrustedInputChecker) Init added in v1.6.1 

func (u *UntrustedInputChecker) Init()

Init initializes a state of checker.

func (*UntrustedInputChecker) OnVisitEnd added in v1.6.8 

func (u *UntrustedInputChecker) OnVisitEnd()

OnVisitEnd is a callback which should be called after visiting whole syntax tree. This callback is necessary to handle the case where an untrusted input access is at root of expression.

func (*UntrustedInputChecker) OnVisitNodeEnter added in v1.7.4 

func (u *UntrustedInputChecker) OnVisitNodeEnter(n ExprNode)

func (*UntrustedInputChecker) OnVisitNodeLeave added in v1.6.8 

func (u *UntrustedInputChecker) OnVisitNodeLeave(n ExprNode)

OnVisitNodeLeave is a callback which should be called on visiting node after visiting its children.

type UntrustedInputMap added in v1.6.1 

type UntrustedInputMap struct {
	Name     string
	Parent   *UntrustedInputMap
	Children map[string]*UntrustedInputMap
}

UntrustedInputMap is a recursive map to match context object property dereferences. Root of this map represents each context names and their ancestors represent recursive properties.

func NewUntrustedInputMap added in v1.6.8 

func NewUntrustedInputMap(name string, children ...*UntrustedInputMap) *UntrustedInputMap

NewUntrustedInputMap creates new instance of UntrustedInputMap. It is used for node of search tree of untrusted input checker.

func (*UntrustedInputMap) String added in v1.6.8 

func (m *UntrustedInputMap) String() string

type UntrustedInputSearchRoots added in v1.6.8 

type UntrustedInputSearchRoots map[string]*UntrustedInputMap

UntrustedInputSearchRoots is a list of untrusted inputs. It forms tree structure to detect untrusted inputs in nested object property access, array index access, and object filters efficiently. Each value of this map represents a root of the search so their names are context names.

func (UntrustedInputSearchRoots) AddRoot added in v1.6.8 

func (ms UntrustedInputSearchRoots) AddRoot(m *UntrustedInputMap)

AddRoot adds a new root to search for detecting untrusted input.

type VariableNode 

type VariableNode struct {
	// Name is name of the variable
	Name string
	// contains filtered or unexported fields
}

VariableNode is node for variable access.

func (*VariableNode) Token 

func (n *VariableNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type VisitExprNodeFunc added in v1.6.1 

type VisitExprNodeFunc func(node, parent ExprNode, entering bool)

VisitExprNodeFunc is a visitor function for VisitExprNode(). The entering argument is set to true when it is called before visiting children. It is set to false when it is called after visiting children. It means that this function is called twice for the same node. The parent argument is the parent of the node. When the node is root, its parent is nil.

type Visitor 

type Visitor struct {
	// contains filtered or unexported fields
}

Visitor visits syntax tree from root in depth-first order

func NewVisitor 

func NewVisitor() *Visitor

NewVisitor creates Visitor instance

func (*Visitor) AddPass 

func (v *Visitor) AddPass(p Pass)

AddPass adds new pass which is called on traversing a syntax tree

func (*Visitor) EnableDebug 

func (v *Visitor) EnableDebug(w io.Writer)

EnableDebug enables debug output when non-nil io.Writer value is given. All debug outputs from visitor will be written to the writer.

func (*Visitor) Visit 

func (v *Visitor) Visit(n *Workflow) error

Visit visits given syntax tree in depth-first order

type WebhookEvent 

type WebhookEvent struct {
	// Hook is a name of the webhook event.
	Hook *String
	// Types is list of types of the webhook event. Only the types enumerated here will trigger
	// the workflow.
	Types []*String
	// Branches is 'branches' filter. This value is nil when it is omitted.
	Branches *WebhookEventFilter
	// BranchesIgnore is 'branches-ignore' filter. This value is nil when it is omitted.
	BranchesIgnore *WebhookEventFilter
	// Tags is 'tags' filter. This value is nil when it is omitted.
	Tags *WebhookEventFilter
	// TagsIgnore is 'tags-ignore' filter. This value is nil when it is omitted.
	TagsIgnore *WebhookEventFilter
	// Paths is 'paths' filter. This value is nil when it is omitted.
	Paths *WebhookEventFilter
	// PathsIgnore is 'paths-ignore' filter. This value is nil when it is omitted.
	PathsIgnore *WebhookEventFilter
	// Workflows is list of workflow names which are triggered by 'workflow_run' event.
	Workflows []*String
	// Pos is a position in source.
	Pos *Pos
}

WebhookEvent represents event type based on webhook events. Some events can't have 'types' field. Only 'push' and 'pull' events can have 'tags', 'tags-ignore', 'paths' and 'paths-ignore' fields. Only 'workflow_run' event can have 'workflows' field. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onevent_nametypes

func (*WebhookEvent) EventName 

func (e *WebhookEvent) EventName() string

EventName returns name of the event to trigger this workflow.

type WebhookEventFilter added in v1.6.14 

type WebhookEventFilter struct {
	// Name is a name of filter such like 'branches', 'tags'
	Name *String
	// Values is a list of filter values.
	Values []*String
}

WebhookEventFilter is a filter for Webhook events such as 'branches', 'paths-ignore', ... Webhook events are filtered by those filters. Some filters are exclusive. https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#using-filters

func (*WebhookEventFilter) IsEmpty added in v1.6.14 

func (f *WebhookEventFilter) IsEmpty() bool

IsEmpty returns true when it has no value. This may mean the WebhookEventFilter instance itself is nil.

type Workflow 

type Workflow struct {
	// Name is name of the workflow. This field can be nil when user didn't specify the name explicitly.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#name
	Name *String
	// RunName is the name of workflow runs. This field can be set dynamically using ${{ }}.
	// https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#run-name
	RunName *String
	// On is list of events which can trigger this workflow.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onpushpull_requestbranchestags
	On []Event
	// Permissions is configuration of permissions of this workflow.
	Permissions *Permissions
	// Env is a default set of environment variables while running this workflow.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#env
	Env *Env
	// Defaults is default configuration of how to run scripts.
	Defaults *Defaults
	// Concurrency is concurrency configuration of entire workflow. Each jobs also can their own
	// concurrency configurations.
	Concurrency *Concurrency
	// Jobs is mappings from job ID to the job object. Keys are in lower case since they are case-insensitive.
	Jobs map[string]*Job
}

Workflow is root of workflow syntax tree, which represents one workflow configuration file. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions

func (*Workflow) FindWorkflowCallEvent added in v1.6.10 

func (w *Workflow) FindWorkflowCallEvent() (*WorkflowCallEvent, bool)

FindWorkflowCallEvent returns workflow_call event node if exists

type WorkflowCall added in v1.6.5 

type WorkflowCall struct {
	// Uses is a workflow specification to be called. This field is mandatory.
	Uses *String
	// Inputs is a map from input name to input value at 'with:'. Keys are in lower case since input names
	// are case-insensitive.
	Inputs map[string]*WorkflowCallInput
	// Secrets is a map from secret name to secret value at 'secrets:'. Keys are in lower case since input
	// names are case-insensitive.
	Secrets map[string]*WorkflowCallSecret
	// InheritSecrets is true when 'secrets: inherit' is specified. In this case, Secrets must be empty.
	// https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_callsecretsinherit
	InheritSecrets bool
}

WorkflowCall is a struct to represent workflow call at jobs.<job_id>. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_iduses

type WorkflowCallEvent added in v1.6.5 

type WorkflowCallEvent struct {
	// Inputs is an array of inputs of the workflow_call event. This value is not a map unlike other fields of this
	// struct since its order is important when checking the default values of inputs.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onworkflow_callinputs
	Inputs []*WorkflowCallEventInput
	// Secrets is a map from name of secret to secret configuration. When 'secrets' is omitted, nil is set to this
	// field. Keys are in lower case since they are case-insensitive.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onworkflow_callsecrets
	Secrets map[string]*WorkflowCallEventSecret
	// Outputs is a map from name of output to output configuration. Keys are in lower case since they are case-insensitive.
	// https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-outputs-from-a-reusable-workflow
	Outputs map[string]*WorkflowCallEventOutput
	// Pos is a position in source.
	Pos *Pos
}

WorkflowCallEvent is workflow_call event configuration. https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows#workflow-reuse-events

func (*WorkflowCallEvent) EventName added in v1.6.5 

func (e *WorkflowCallEvent) EventName() string

EventName returns name of the event to trigger this workflow.

type WorkflowCallEventInput added in v1.6.5 

type WorkflowCallEventInput struct {
	// Name is a name of the input.
	Name *String
	// Description is a description of the input.
	Description *String
	// Default is a default value of the input. Nil means no default value.
	Default *String
	// Required represents if the input is required or optional. When this value is nil, it was not explicitly specified.
	// In the case the default value is 'not required'.
	Required *Bool
	// Type of the input, which must be one of 'boolean', 'number' or 'string'. This property is required.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onworkflow_callinput_idtype
	Type WorkflowCallEventInputType
	// ID is an ID of the input. Input ID is in lower case because it is case-insensitive.
	ID string
}

WorkflowCallEventInput is an input configuration of workflow_call event. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onworkflow_callinputs

func (*WorkflowCallEventInput) IsRequired added in v1.6.14 

func (i *WorkflowCallEventInput) IsRequired() bool

IsRequired returns if the input is marked as required or not. require

type WorkflowCallEventInputType added in v1.6.5 

type WorkflowCallEventInputType uint8

WorkflowCallEventInputType is a type of inputs at workflow_call event. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onworkflow_callinput_idtype 

const (
	// WorkflowCallEventInputTypeInvalid represents invalid type input as default value of the type.
	WorkflowCallEventInputTypeInvalid WorkflowCallEventInputType = iota
	// WorkflowCallEventInputTypeBoolean represents boolean type input.
	WorkflowCallEventInputTypeBoolean
	// WorkflowCallEventInputTypeNumber represents number type input.
	WorkflowCallEventInputTypeNumber
	// WorkflowCallEventInputTypeString represents string type input.
	WorkflowCallEventInputTypeString
)

type WorkflowCallEventOutput added in v1.6.10 

type WorkflowCallEventOutput struct {
	// Name is a name of the output.
	Name *String
	// Description is a description of the output.
	Description *String
	// Value is an expression for the value of the output.
	Value *String
}

WorkflowCallEventOutput is an output configuration of workflow_call event. https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-outputs-from-a-reusable-workflow

type WorkflowCallEventSecret added in v1.6.5 

type WorkflowCallEventSecret struct {
	// Name is a name of the secret.
	Name *String
	// Description is a description of the secret.
	Description *String
	// Required represents if the secret is required or optional. When this value is nil, it means optional.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onworkflow_callsecretssecret_idrequired
	Required *Bool
}

WorkflowCallEventSecret is a secret configuration of workflow_call event. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onworkflow_callsecrets

type WorkflowCallInput added in v1.6.5 

type WorkflowCallInput struct {
	// Name is a name of the input.
	Name *String
	// Value is a value of the input.
	Value *String
}

WorkflowCallInput is a normal input for workflow call.

type WorkflowCallSecret added in v1.6.5 

type WorkflowCallSecret struct {
	// Name is a name of the secret
	Name *String
	// Value is a value of the secret
	Value *String
}

WorkflowCallSecret is a secret input for workflow call. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idwith

type WorkflowDispatchEvent 

type WorkflowDispatchEvent struct {
	// Inputs is map from input names to input attributes. Keys are in lower case since they are case insensitive.
	Inputs map[string]*DispatchInput
	// Pos is a position in source.
	Pos *Pos
}

WorkflowDispatchEvent is event on dispatching workflow manually. https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows#workflow_dispatch

func (*WorkflowDispatchEvent) EventName 

func (e *WorkflowDispatchEvent) EventName() string

EventName returns name of the event to trigger this workflow.

type WorkflowDispatchEventInputType added in v1.6.8 

type WorkflowDispatchEventInputType uint8

WorkflowDispatchEventInputType is a type for input types of workflow_dispatch events. https://github.blog/changelog/2021-11-10-github-actions-input-types-for-manual-workflows/ 

const (
	// WorkflowDispatchEventInputTypeNone represents no type is specified to the input of workflow_dispatch event.
	WorkflowDispatchEventInputTypeNone WorkflowDispatchEventInputType = iota
	// WorkflowDispatchEventInputTypeString is string type of input of workflow_dispatch event.
	WorkflowDispatchEventInputTypeString
	// WorkflowDispatchEventInputTypeNumber is number type of input of workflow_dispatch event.
	WorkflowDispatchEventInputTypeNumber
	// WorkflowDispatchEventInputTypeBoolean is boolean type of input of workflow_dispatch event.
	WorkflowDispatchEventInputTypeBoolean
	// WorkflowDispatchEventInputTypeChoice is choice type of input of workflow_dispatch event.
	WorkflowDispatchEventInputTypeChoice
	// WorkflowDispatchEventInputTypeEnvironment is environment type of input of workflow_dispatch event.
	WorkflowDispatchEventInputTypeEnvironment
)

Source Files

View all Source files

Directories

Path Synopsis
cmd
actionlint
scripts
check-checks
generate-availability
generate-popular-actions
generate-webhook-events

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.