actionlint

package module
v1.6.21 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 9, 2022 License: MIT Imports: 31 Imported by: 29

README

actionlint

CI Badge API Document

actionlint is a static checker for GitHub Actions workflow files. Try it online!

Features:

  • Syntax check for workflow files to check unexpected or missing keys following workflow syntax
  • Strong type check for ${{ }} expressions to catch several semantic errors like access to not existing property, type mismatches, ...
  • Actions usage check to check that inputs at with: and outputs in steps.{id}.outputs are correct
  • Reusable workflow check to check inputs/outputs/secrets of reusable workflows and workflow calls
  • shellcheck and pyflakes integrations for scripts at run:
  • Security checks; script injection by untrusted inputs, hard-coded credentials
  • Other several useful checks; glob syntax validation, dependencies check for needs:, runner label validation, cron syntax validation, ...

See the full list of checks done by actionlint.

actionlint reports 7 errors

Example of broken workflow:

on:
  push:
    branch: main
    tags:
      - 'v\d+'
jobs:
  test:
    strategy:
      matrix:
        os: [macos-latest, linux-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - run: echo "Checking commit '${{ github.event.head_commit.message }}'"
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node_version: 16.x
      - uses: actions/cache@v3
        with:
          path: ~/.npm
          key: ${{ matrix.platform }}-node-${{ hashFiles('**/package-lock.json') }}
        if: ${{ github.repository.permissions.admin == true }}
      - run: npm install && npm test

actionlint reports 7 errors:

test.yaml:3:5: unexpected key "branch" for "push" section. expected one of "branches", "branches-ignore", "paths", "paths-ignore", "tags", "tags-ignore", "types", "workflows" [syntax-check]
  |
3 |     branch: main
  |     ^~~~~~~
test.yaml:5:11: character '\' is invalid for branch and tag names. only special characters [, ?, +, *, \ ! can be escaped with \. see `man git-check-ref-format` for more details. note that regular expression is unavailable. note: filter pattern syntax is explained at https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet [glob]
  |
5 |       - 'v\d+'
  |           ^~~~
test.yaml:10:28: label "linux-latest" is unknown. available labels are "windows-latest", "windows-2022", "windows-2019", "windows-2016", "ubuntu-latest", "ubuntu-22.04", "ubuntu-20.04", "ubuntu-18.04", "macos-latest", "macos-12", "macos-12.0", "macos-11", "macos-11.0", "macos-10.15", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file [runner-label]
   |
10 |         os: [macos-latest, linux-latest]
   |                            ^~~~~~~~~~~~~
test.yaml:13:41: "github.event.head_commit.message" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions for more details [expression]
   |
13 |       - run: echo "Checking commit '${{ github.event.head_commit.message }}'"
   |                                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
test.yaml:17:11: input "node_version" is not defined in action "actions/setup-node@v3". available inputs are "always-auth", "architecture", "cache", "cache-dependency-path", "check-latest", "node-version", "node-version-file", "registry-url", "scope", "token" [action]
   |
17 |           node_version: 16.x
   |           ^~~~~~~~~~~~~
test.yaml:21:20: property "platform" is not defined in object type {os: string} [expression]
   |
21 |           key: ${{ matrix.platform }}-node-${{ hashFiles('**/package-lock.json') }}
   |                    ^~~~~~~~~~~~~~~
test.yaml:22:17: receiver of object dereference "permissions" must be type of object but got "string" [expression]
   |
22 |         if: ${{ github.repository.permissions.admin == true }}
   |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Why?

  • Running a workflow is time consuming. You need to push the changes and wait until the workflow runs on GitHub even if it contains some trivial mistakes. act is useful to debug the workflow locally. But it is not suitable for CI and still time consuming when your workflow gets larger.
  • Checks of workflow files by GitHub are very loose. It reports no error even if unexpected keys are in mappings (meant that some typos in keys). And also it reports no error when accessing to property which is actually not existing. For example matrix.foo when no foo is defined in matrix: section, it is evaluated to null and causes no error.
  • Some mistakes silently break a workflow. Most common case I saw is specifying missing property to cache key. In the case cache silently does not work properly but a workflow itself runs without error. So you might not notice the mistake forever.

Quick start

Install actionlint command by downloading the released binary or by Homebrew or by go install. See the installation document for more details like how to manage the command with several package managers or run via Docker container.

go install github.com/rhysd/actionlint/cmd/actionlint@latest

Basically all you need to do is run the actionlint command in your repository. actionlint automatically detects workflows and checks errors. actionlint focuses on finding out mistakes. It tries to catch errors as much as possible and make false positives as minimal as possible.

actionlint

Another option to try actionlint is the online playground. Your browser can run actionlint through WebAssembly.

See the usage document for more details.

Documents

  • Checks: Full list of all checks done by actionlint with example inputs, outputs, and playground links.
  • Installation: Installation instructions. Prebuilt binaries, Homebrew package, a Docker image, building from source, a download script (for CI) are available.
  • Usage: How to use actionlint command locally or on GitHub Actions, the online playground, an official Docker image, and integrations with reviewdog, Problem Matchers, super-linter, pre-commit, VS Code.
  • Configuration: How to configure actionlint behavior. Currently only labels of self-hosted runners can be configured.
  • Go API: How to use actionlint as Go library.
  • References: Links to resources.

Bug reporting

When you see some bugs or false positives, it is helpful to file a new issue with a minimal example of input. Giving me some feedbacks like feature requests or ideas of additional checks is also welcome.

License

actionlint is distributed under the MIT license.

Documentation

Index

Examples

Constants

View Source
const (
	// RawYAMLValueKindObject is kind for an object value of raw YAML value.
	RawYAMLValueKindObject = RawYAMLValueKind(yaml.MappingNode)
	// RawYAMLValueKindArray is kind for an array value of raw YAML value.
	RawYAMLValueKindArray = RawYAMLValueKind(yaml.SequenceNode)
	// RawYAMLValueKindString is kind for a string value of raw YAML value.
	RawYAMLValueKindString = RawYAMLValueKind(yaml.ScalarNode)
)
View Source
const (
	// ExitStatusSuccessNoProblem is the exit status when the command ran successfully with no problem found.
	ExitStatusSuccessNoProblem = 0
	// ExitStatusSuccessProblemFound is the exit status when the command ran successfully with some problem found.
	ExitStatusSuccessProblemFound = 1
	// ExitStatusInvalidCommandOption is the exit status when parsing command line options failed.
	ExitStatusInvalidCommandOption = 2
	// ExitStatusFailure is the exit status when the command stopped due to some fatal error while checking workflows.
	ExitStatusFailure = 3
)
View Source
const (
	// LogLevelNone does not output any log output.
	LogLevelNone LogLevel = 0
	// LogLevelVerbose shows verbose log output. This is equivalent to specifying -verbose option
	// to actionlint command.
	LogLevelVerbose = 1
	// LogLevelDebug shows all log output including debug information.
	LogLevelDebug = 2
)

Variables

View Source
var AllWebhookTypes = map[string][]string{
	"branch_protection_rule":      {"created", "edited", "deleted"},
	"check_run":                   {"created", "rerequested", "completed", "requested_action"},
	"check_suite":                 {"completed"},
	"create":                      {},
	"delete":                      {},
	"deployment":                  {},
	"deployment_status":           {},
	"discussion":                  {"created", "edited", "deleted", "transferred", "pinned", "unpinned", "labeled", "unlabeled", "locked", "unlocked", "category_changed", "answered", "unanswered"},
	"discussion_comment":          {"created", "edited", "deleted"},
	"fork":                        {},
	"gollum":                      {},
	"issue_comment":               {"created", "edited", "deleted"},
	"issues":                      {"opened", "edited", "deleted", "transferred", "pinned", "unpinned", "closed", "reopened", "assigned", "unassigned", "labeled", "unlabeled", "locked", "unlocked", "milestoned", "demilestoned"},
	"label":                       {"created", "edited", "deleted"},
	"merge_group":                 {"checks_requested"},
	"milestone":                   {"created", "closed", "opened", "edited", "deleted"},
	"page_build":                  {},
	"project":                     {"created", "closed", "reopened", "edited", "deleted"},
	"project_card":                {"created", "moved", "converted", "edited", "deleted"},
	"project_column":              {"created", "updated", "moved", "deleted"},
	"public":                      {},
	"pull_request":                {"assigned", "unassigned", "labeled", "unlabeled", "opened", "edited", "closed", "reopened", "synchronize", "converted_to_draft", "ready_for_review", "locked", "unlocked", "review_requested", "review_request_removed", "auto_merge_enabled", "auto_merge_disabled"},
	"pull_request_review":         {"submitted", "edited", "dismissed"},
	"pull_request_review_comment": {"created", "edited", "deleted"},
	"pull_request_target":         {"assigned", "unassigned", "labeled", "unlabeled", "opened", "edited", "closed", "reopened", "synchronize", "converted_to_draft", "ready_for_review", "locked", "unlocked", "review_requested", "review_request_removed", "auto_merge_enabled", "auto_merge_disabled"},
	"push":                        {},
	"registry_package":            {"published", "updated"},
	"release":                     {"published", "unpublished", "created", "edited", "deleted", "prereleased", "released"},
	"repository_dispatch":         {},
	"status":                      {},
	"watch":                       {"started"},
	"workflow_dispatch":           {},
	"workflow_run":                {"completed", "requested", "in_progress"},
}

AllWebhookTypes is a table of all webhooks with their types. This variable was generated by script at ./scripts/generate-webhook-events based on https://github.com/github/docs/blob/main/content/actions/using-workflows/events-that-trigger-workflows.md

View Source
var BuiltinFuncSignatures = map[string][]*FuncSignature{
	"contains": {
		{
			Name: "contains",
			Ret:  BoolType{},
			Params: []ExprType{
				StringType{},
				StringType{},
			},
		},
		{
			Name: "contains",
			Ret:  BoolType{},
			Params: []ExprType{
				&ArrayType{Elem: AnyType{}},
				AnyType{},
			},
		},
	},
	"startswith": {
		{
			Name: "startsWith",
			Ret:  BoolType{},
			Params: []ExprType{
				StringType{},
				StringType{},
			},
		},
	},
	"endswith": {
		{
			Name: "endsWith",
			Ret:  BoolType{},
			Params: []ExprType{
				StringType{},
				StringType{},
			},
		},
	},
	"format": {
		{
			Name: "format",
			Ret:  StringType{},
			Params: []ExprType{
				StringType{},
				AnyType{},
			},
			VariableLengthParams: true,
		},
	},
	"join": {
		{
			Name: "join",
			Ret:  StringType{},
			Params: []ExprType{
				&ArrayType{Elem: StringType{}},
				StringType{},
			},
		},
		{
			Name: "join",
			Ret:  StringType{},
			Params: []ExprType{
				StringType{},
				StringType{},
			},
		},

		{
			Name: "join",
			Ret:  StringType{},
			Params: []ExprType{
				&ArrayType{Elem: StringType{}},
			},
		},
		{
			Name: "join",
			Ret:  StringType{},
			Params: []ExprType{
				StringType{},
			},
		},
	},
	"tojson": {{
		Name: "toJSON",
		Ret:  StringType{},
		Params: []ExprType{
			AnyType{},
		},
	}},
	"fromjson": {{
		Name: "fromJSON",
		Ret:  AnyType{},
		Params: []ExprType{
			StringType{},
		},
	}},
	"hashfiles": {{
		Name: "hashFiles",
		Ret:  StringType{},
		Params: []ExprType{
			StringType{},
		},
		VariableLengthParams: true,
	}},
	"success": {{
		Name:   "success",
		Ret:    BoolType{},
		Params: []ExprType{},
	}},
	"always": {{
		Name:   "always",
		Ret:    BoolType{},
		Params: []ExprType{},
	}},
	"cancelled": {{
		Name:   "cancelled",
		Ret:    BoolType{},
		Params: []ExprType{},
	}},
	"failure": {{
		Name:   "failure",
		Ret:    BoolType{},
		Params: []ExprType{},
	}},
}

BuiltinFuncSignatures is a set of all builtin function signatures. All function names are in lower case because function names are compared in case insensitive. https://docs.github.com/en/actions/learn-github-actions/expressions#functions

View Source
var BuiltinGlobalVariableTypes = map[string]ExprType{

	"github": NewStrictObjectType(map[string]ExprType{
		"action":            StringType{},
		"action_path":       StringType{},
		"action_ref":        StringType{},
		"action_repository": StringType{},
		"action_status":     StringType{},
		"actor":             StringType{},
		"api_url":           StringType{},
		"base_ref":          StringType{},
		"env":               StringType{},
		"event":             NewEmptyObjectType(),
		"event_name":        StringType{},
		"event_path":        StringType{},
		"graphql_url":       StringType{},
		"head_ref":          StringType{},
		"job":               StringType{},
		"ref":               StringType{},
		"ref_name":          StringType{},
		"ref_protected":     StringType{},
		"ref_type":          StringType{},
		"path":              StringType{},
		"repository":        StringType{},
		"repository_owner":  StringType{},
		"repositoryurl":     StringType{},
		"retention_days":    NumberType{},
		"run_id":            StringType{},
		"run_number":        StringType{},
		"run_attempt":       StringType{},
		"server_url":        StringType{},
		"sha":               StringType{},
		"token":             StringType{},
		"triggering_actor":  StringType{},
		"workflow":          StringType{},
		"workspace":         StringType{},
	}),

	"env": NewMapObjectType(StringType{}),

	"job": NewStrictObjectType(map[string]ExprType{
		"container": NewStrictObjectType(map[string]ExprType{
			"id":      StringType{},
			"network": StringType{},
		}),
		"services": NewMapObjectType(
			NewStrictObjectType(map[string]ExprType{
				"id":      StringType{},
				"network": StringType{},
				"ports":   NewMapObjectType(StringType{}),
			}),
		),
		"status": StringType{},
	}),

	"steps": NewEmptyStrictObjectType(),

	"runner": NewStrictObjectType(map[string]ExprType{
		"name":       StringType{},
		"os":         StringType{},
		"arch":       StringType{},
		"temp":       StringType{},
		"tool_cache": StringType{},
		"debug":      StringType{},
		"workspace":  StringType{},
	}),

	"secrets": NewMapObjectType(StringType{}),

	"strategy": NewObjectType(map[string]ExprType{
		"fail-fast":    BoolType{},
		"job-index":    NumberType{},
		"job-total":    NumberType{},
		"max-parallel": NumberType{},
	}),

	"matrix": NewEmptyStrictObjectType(),

	"needs": NewEmptyStrictObjectType(),

	"inputs": NewEmptyStrictObjectType(),
}

BuiltinGlobalVariableTypes defines types of all global variables. All context variables are documented at https://docs.github.com/en/actions/learn-github-actions/contexts

View Source
var BuiltinUntrustedInputs = UntrustedInputSearchRoots{
	"github": NewUntrustedInputMap("github",
		NewUntrustedInputMap("event",
			NewUntrustedInputMap("issue",
				NewUntrustedInputMap("title"),
				NewUntrustedInputMap("body"),
			),
			NewUntrustedInputMap("pull_request",
				NewUntrustedInputMap("title"),
				NewUntrustedInputMap("body"),
				NewUntrustedInputMap("head",
					NewUntrustedInputMap("ref"),
					NewUntrustedInputMap("label"),
					NewUntrustedInputMap("repo",
						NewUntrustedInputMap("default_branch"),
					),
				),
			),
			NewUntrustedInputMap("comment",
				NewUntrustedInputMap("body"),
			),
			NewUntrustedInputMap("review",
				NewUntrustedInputMap("body"),
			),
			NewUntrustedInputMap("review_comment",
				NewUntrustedInputMap("body"),
			),
			NewUntrustedInputMap("pages",
				NewUntrustedInputMap("*",
					NewUntrustedInputMap("page_name"),
				),
			),
			NewUntrustedInputMap("commits",
				NewUntrustedInputMap("*",
					NewUntrustedInputMap("message"),
					NewUntrustedInputMap("author",
						NewUntrustedInputMap("email"),
						NewUntrustedInputMap("name"),
					),
				),
			),
			NewUntrustedInputMap("head_commit",
				NewUntrustedInputMap("message"),
				NewUntrustedInputMap("author",
					NewUntrustedInputMap("email"),
					NewUntrustedInputMap("name"),
				),
			),
			NewUntrustedInputMap("discussion",
				NewUntrustedInputMap("title"),
				NewUntrustedInputMap("body"),
			),
		),
		NewUntrustedInputMap("head_ref"),
	),
}

BuiltinUntrustedInputs is list of untrusted inputs. These inputs are detected as untrusted in `run:` scripts. See the URL for more details. - https://securitylab.github.com/research/github-actions-untrusted-input/ - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions - https://github.com/github/codeql/blob/main/javascript/ql/src/experimental/Security/CWE-094/ExpressionInjection.ql

View Source
var PopularActions = map[string]*ActionMetadata{}/* 173 elements not displayed */

PopularActions is data set of known popular actions. Keys are specs (owner/repo@ref) of actions and values are their metadata.

View Source
var SpecialFunctionNames = map[string][]string{"always": []string{"jobs.<job_id>.if", "jobs.<job_id>.steps.if"}, "cancelled": []string{"jobs.<job_id>.if", "jobs.<job_id>.steps.if"}, "failure": []string{"jobs.<job_id>.if", "jobs.<job_id>.steps.if"}, "hashfiles": []string{"jobs.<job_id>.steps.continue-on-error", "jobs.<job_id>.steps.env", "jobs.<job_id>.steps.if", "jobs.<job_id>.steps.name", "jobs.<job_id>.steps.run", "jobs.<job_id>.steps.timeout-minutes", "jobs.<job_id>.steps.with", "jobs.<job_id>.steps.working-directory"}, "success": []string{"jobs.<job_id>.if", "jobs.<job_id>.steps.if"}}

SpecialFunctionNames is a map from special function name to available workflow keys. Some functions are only available at specific positions. This variable is useful when you want to know which functions are special and what workflow keys support them.

This function was generated from https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability. See the script for more details: https://github.com/rhysd/actionlint/blob/main/scripts/generate-availability/

Functions

func EqualTypes added in v1.6.4

func EqualTypes(l, r ExprType) bool

EqualTypes returns if the two types are equal.

func LexExpression added in v1.6.1

func LexExpression(src string) ([]*Token, int, *ExprError)

LexExpression lexes the given string as expression syntax. The parameter must contain '}}' which represents end of expression. Otherwise this function will report an error that it encountered unexpected EOF.

func Parse

func Parse(b []byte) (*Workflow, []*Error)

Parse parses given source as byte sequence into workflow syntax tree. It returns all errors detected while parsing the input. It means that detecting one error does not stop parsing. Even if one or more errors are detected, parser will try to continue parsing and finding more errors.

func VisitExprNode added in v1.6.1

func VisitExprNode(n ExprNode, f VisitExprNodeFunc)

VisitExprNode visits the given expression syntax tree with given function f.

func WorkflowKeyAvailability added in v1.6.21

func WorkflowKeyAvailability(key string) ([]string, []string)

WorkflowKeyAvailability returns contexts and special functions availability of the given workflow key. 1st return value indicates what contexts are available. Empty slice means any contexts are available. 2nd return value indicates what special functions are available. Empty slice means no special functions are available. The 'key' parameter should represents a workflow key like "jobs.<job_id>.concurrency".

This function was generated from https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability. See the script for more details: https://github.com/rhysd/actionlint/blob/main/scripts/generate-availability/

Types

type ActionMetadata added in v1.5.0

type ActionMetadata struct {
	// Name is "name" field of action.yaml
	Name string `yaml:"name" json:"name"`
	// Inputs is "inputs" field of action.yaml
	Inputs ActionMetadataInputs `yaml:"inputs" json:"inputs"`
	// Outputs is "outputs" field of action.yaml. Key is name of output. Description is omitted
	// since actionlint does not use it.
	Outputs ActionMetadataOutputs `yaml:"outputs" json:"outputs"`
	// SkipInputs is flag to specify behavior of inputs check. When it is true, inputs for this
	// action will not be checked.
	SkipInputs bool `json:"skip_inputs"`
	// SkipOutputs is flag to specify a bit loose typing to outputs object. If it is set to
	// true, the outputs object accepts any properties along with strictly typed props.
	SkipOutputs bool `json:"skip_outputs"`
}

ActionMetadata represents structure of action.yaml. https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions

type ActionMetadataInput added in v1.5.0

type ActionMetadataInput struct {
	// Name is a name of this input.
	Name string `json:"name"`
	// Required is true when this input is mandatory to run the action.
	Required bool `json:"required"`
}

ActionMetadataInput is input metadata in "inputs" section in action.yml metadata file. https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#inputs

type ActionMetadataInputs added in v1.6.20

type ActionMetadataInputs map[string]*ActionMetadataInput

ActionMetadataInputs is a map from input ID to its metadata. Keys are in lower case since input names are case-insensitive. https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#inputs

func (*ActionMetadataInputs) UnmarshalYAML added in v1.6.20

func (inputs *ActionMetadataInputs) UnmarshalYAML(n *yaml.Node) error

UnmarshalYAML implements yaml.Unmarshaler.

type ActionMetadataOutput added in v1.6.20

type ActionMetadataOutput struct {
	Name string `json:"name"`
}

ActionMetadataOutput is output metadata in "outputs" section in action.yml metadata file. https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-composite-actions

type ActionMetadataOutputs added in v1.6.20

type ActionMetadataOutputs map[string]*ActionMetadataOutput

ActionMetadataOutputs is a map from output ID to its metadata. Keys are in lower case since output names are case-insensitive. https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-composite-actions

func (*ActionMetadataOutputs) UnmarshalYAML added in v1.6.20

func (inputs *ActionMetadataOutputs) UnmarshalYAML(n *yaml.Node) error

UnmarshalYAML implements yaml.Unmarshaler.

type AnyType

type AnyType struct{}

AnyType represents type which can be any type. It also indicates that a value of the type cannot be type-checked since it's type cannot be known statically.

func (AnyType) Assignable

func (ty AnyType) Assignable(_ ExprType) bool

Assignable returns if other type can be assignable to the type.

func (AnyType) DeepCopy added in v1.6.8

func (ty AnyType) DeepCopy() ExprType

DeepCopy duplicates itself. All its child types are copied recursively.

func (AnyType) Merge added in v1.6.4

func (ty AnyType) Merge(other ExprType) ExprType

Merge merges other type into this type. When other type conflicts with this type, the merged result is any type as fallback.

func (AnyType) String

func (ty AnyType) String() string

type ArrayDerefNode

type ArrayDerefNode struct {
	// Receiver is an expression at receiver of array element dereference.
	Receiver ExprNode
}

ArrayDerefNode represents elements dereference of arrays like '*' in 'foo.bar.*.piyo'.

func (ArrayDerefNode) Token

func (n ArrayDerefNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type ArrayType

type ArrayType struct {
	// Elem is type of element of the array.
	Elem ExprType
	// Deref is true when this type was derived from object filtering syntax (foo.*).
	Deref bool
}

ArrayType is type for arrays.

func (*ArrayType) Assignable

func (ty *ArrayType) Assignable(other ExprType) bool

Assignable returns if other type can be assignable to the type.

func (*ArrayType) DeepCopy added in v1.6.8

func (ty *ArrayType) DeepCopy() ExprType

DeepCopy duplicates itself. All its child types are copied recursively.

func (*ArrayType) Merge added in v1.6.4

func (ty *ArrayType) Merge(other ExprType) ExprType

Merge merges two object types into one. When other object has unknown props, they are merged into current object. When both have same property, when they are assignable, it remains as-is. Otherwise, the property falls back to any type.

func (*ArrayType) String

func (ty *ArrayType) String() string

type Bool

type Bool struct {
	// Value is a raw value of the bool string.
	Value bool
	// Expression is a string when expression syntax ${{ }} is used for this section.
	Expression *String
	// Pos is a position in source.
	Pos *Pos
}

Bool represents generic boolean value in YAML file with position.

func (*Bool) String added in v1.6.18

func (b *Bool) String() string

type BoolNode

type BoolNode struct {
	// Value is value of the boolean literal.
	Value bool
	// contains filtered or unexported fields
}

BoolNode is node for boolean literal, true or false.

func (*BoolNode) Token

func (n *BoolNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type BoolType

type BoolType struct{}

BoolType is type for boolean values.

func (BoolType) Assignable

func (ty BoolType) Assignable(other ExprType) bool

Assignable returns if other type can be assignable to the type.

func (BoolType) DeepCopy added in v1.6.8

func (ty BoolType) DeepCopy() ExprType

DeepCopy duplicates itself. All its child types are copied recursively.

func (BoolType) Merge added in v1.6.4

func (ty BoolType) Merge(other ExprType) ExprType

Merge merges other type into this type. When other type conflicts with this type, the merged result is any type as fallback.

func (BoolType) String

func (ty BoolType) String() string

type ByErrorPosition added in v1.1.2

type ByErrorPosition []*Error

ByErrorPosition is predicate for sort.Interface. It sorts errors slice by file path, line, and column.

func (ByErrorPosition) Len added in v1.1.2

func (by ByErrorPosition) Len() int

func (ByErrorPosition) Less added in v1.1.2

func (by ByErrorPosition) Less(i, j int) bool

func (ByErrorPosition) Swap added in v1.1.2

func (by ByErrorPosition) Swap(i, j int)

type ColorOptionKind added in v1.3.0

type ColorOptionKind int

ColorOptionKind is kind of colorful output behavior.

const (
	// ColorOptionKindAuto is kind to determine to colorize errors output automatically. It is
	// determined based on pty and $NO_COLOR environment variable. See document of fatih/color
	// for more details.
	ColorOptionKindAuto ColorOptionKind = iota
	// ColorOptionKindAlways is kind to always colorize errors output.
	ColorOptionKindAlways
	// ColorOptionKindNever is kind never to colorize errors output.
	ColorOptionKindNever
)

type Command added in v1.3.1

type Command struct {
	// Stdin is a reader to read input from stdin
	Stdin io.Reader
	// Stdout is a writer to write output to stdout
	Stdout io.Writer
	// Stderr is a writer to write output to stderr
	Stderr io.Writer
}

Command represents entire actionlint command. Given stdin/stdout/stderr are used for input/output.

Example
var output bytes.Buffer

// Create command instance populating stdin/stdout/stderr
cmd := Command{
	Stdin:  os.Stdin,
	Stdout: &output,
	Stderr: &output,
}

// Run the command end-to-end. Note that given args should contain program name
workflow := filepath.Join(".github", "workflows", "release.yaml")
status := cmd.Main([]string{"actionlint", "-shellcheck=", "-pyflakes=", workflow})

fmt.Println("Exited with status", status)
Output:

Exited with status 0

func (*Command) Main added in v1.3.1

func (cmd *Command) Main(args []string) int

Main is main function of actionlint. It takes command line arguments as string slice and returns exit status. The args should be entire arguments including the program name, usually given via os.Args.

type CompareOpNode

type CompareOpNode struct {
	// Kind is a kind of this expression to show which operator is used.
	Kind CompareOpNodeKind
	// Left is an expression for left hand side of the binary operator.
	Left ExprNode
	// Right is an expression for right hand side of the binary operator.
	Right ExprNode
}

CompareOpNode is node for binary expression to compare values; ==, !=, <, <=, > or >=.

func (*CompareOpNode) Token

func (n *CompareOpNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type CompareOpNodeKind

type CompareOpNodeKind int

CompareOpNodeKind is a kind of compare operators; ==, !=, <, <=, >, >=.

const (
	// CompareOpNodeKindInvalid is invalid and initial value of CompareOpNodeKind values.
	CompareOpNodeKindInvalid CompareOpNodeKind = iota
	// CompareOpNodeKindLess is kind for < operator.
	CompareOpNodeKindLess
	// CompareOpNodeKindLessEq is kind for <= operator.
	CompareOpNodeKindLessEq
	// CompareOpNodeKindGreater is kind for > operator.
	CompareOpNodeKindGreater
	// CompareOpNodeKindGreaterEq is kind for >= operator.
	CompareOpNodeKindGreaterEq
	// CompareOpNodeKindEq is kind for == operator.
	CompareOpNodeKindEq
	// CompareOpNodeKindNotEq is kind for != operator.
	CompareOpNodeKindNotEq
)

type Concurrency

type Concurrency struct {
	// Group is name of the concurrency group.
	Group *String
	// CancelInProgress is a flag that shows if canceling this workflow cancels other jobs in progress.
	CancelInProgress *Bool
	// Pos is a position in source.
	Pos *Pos
}

Concurrency is a configuration of concurrency of the workflow. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#concurrency

type Config

type Config struct {
	// SelfHostedRunner is configuration for self-hosted runner.
	SelfHostedRunner struct {
		// Labels is label names for self-hosted runner.
		Labels []string `yaml:"labels"`
	} `yaml:"self-hosted-runner"`
}

Config is configuration of actionlint. This struct instance is parsed from "actionlint.yaml" file usually put in ".github" directory.

type Container

type Container struct {
	// Image is specification of Docker image.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerimage
	Image *String
	// Credentials is credentials configuration of the Docker container.
	Credentials *Credentials
	// Env is environment variables setup in the container.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerenv
	Env *Env
	// Ports is list of port number mappings of the container.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerports
	Ports []*String
	// Volumes are list of volumes to be mounted to the container.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainervolumes
	Volumes []*String
	// Options is options string to run the container.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontaineroptions
	Options *String
	// Pos is a position in source.
	Pos *Pos
}

Container is configuration of how to run the container. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainer

type Credentials

type Credentials struct {
	// Username is username for authentication.
	Username *String
	// Password is password for authentication.
	Password *String
	// Pos is a position in source.
	Pos *Pos
}

Credentials is credentials configuration. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainercredentials

type Defaults

type Defaults struct {
	// Run is configuration of how to run shell.
	Run *DefaultsRun
	// Pos is a position in source.
	Pos *Pos
}

Defaults is set of default configurations to run shell. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#defaults

type DefaultsRun

type DefaultsRun struct {
	// Shell is shell name to be run.
	Shell *String
	// WorkingDirectory is a default working directory path.
	WorkingDirectory *String
	// Pos is a position in source.
	Pos *Pos
}

DefaultsRun is configuration that shell is how to be run. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#defaultsrun

type DispatchInput

type DispatchInput struct {
	// Name is a name of input value specified on dispatching workflow manually.
	Name *String
	// Description is a description of input value specified on dispatching workflow manually.
	Description *String
	// Required is a flag to show if this input is mandatory or not on dispatching workflow manually.
	Required *Bool
	// Default is a default value of input value on dispatching workflow manually.
	Default *String
	// Type is a type of the input
	// https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows#workflow_dispatch
	Type WorkflowDispatchEventInputType
	// Options is list of options of choice type
	Options []*String
}

DispatchInput is input specified on dispatching workflow manually. https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows#workflow_dispatch

type Env

type Env struct {
	// Vars is mapping from env var name to env var value.
	Vars map[string]*EnvVar
	// Expression is an expression string which contains ${{ ... }}. When this value is not empty,
	// Vars should be nil.
	Expression *String
}

Env represents set of environment variables.

type EnvVar

type EnvVar struct {
	// Name is name of the environment variable.
	Name *String
	// Value is string value of the environment variable.
	Value *String
}

EnvVar represents key-value of environment variable setup.

type Environment

type Environment struct {
	// Name is a name of environment which the workflow uses.
	Name *String
	// URL is the URL mapped to 'environment_url' in the deployments API. Empty value means no value was specified.
	URL *String
	// Pos is a position in source.
	Pos *Pos
}

Environment is a configuration of environment. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idenvironment

type Error

type Error struct {
	// Message is an error message.
	Message string
	// Filepath is a file path where the error occurred.
	Filepath string
	// Line is a line number where the error occurred. This value is 1-based.
	Line int
	// Column is a column number where the error occurred. This value is 1-based.
	Column int
	// Kind is a string to represent kind of the error. Usually rule name which found the error.
	Kind string
}

Error represents an error detected by actionlint rules

func (*Error) Error

func (e *Error) Error() string

Error returns summary of the error as string.

func (*Error) GetTemplateFields added in v1.6.1

func (e *Error) GetTemplateFields(source []byte) *ErrorTemplateFields

GetTemplateFields fields for formatting this error with Go template.

func (*Error) PrettyPrint

func (e *Error) PrettyPrint(w io.Writer, source []byte)

PrettyPrint prints the error with user-friendly way. It prints file name, source position, error message with colorful output and source snippet with indicator. When nil is set to source, no source snippet is not printed. To disable colorful output, set true to fatih/color.NoColor.

func (*Error) String added in v1.6.18

func (e *Error) String() string

type ErrorFormatter added in v1.6.1

type ErrorFormatter struct {
	// contains filtered or unexported fields
}

ErrorFormatter is a formatter to format a slice of ErrorTemplateFields. It is used for formatting error messages with -format option.

func NewErrorFormatter added in v1.6.1

func NewErrorFormatter(format string) (*ErrorFormatter, error)

NewErrorFormatter creates new ErrorFormatter instance. Given format must contain at least one {{ }} placeholder. Escaped characters like \n in the format string are unescaped.

func (*ErrorFormatter) Print added in v1.6.1

func (f *ErrorFormatter) Print(out io.Writer, t []*ErrorTemplateFields) error

Print formats the slice of template fields and prints it with given writer.

func (*ErrorFormatter) PrintErrors added in v1.6.1

func (f *ErrorFormatter) PrintErrors(out io.Writer, errs []*Error, src []byte) error

PrintErrors prints the errors after formatting them with template.

type ErrorTemplateFields added in v1.6.1

type ErrorTemplateFields struct {
	// Message is error message body.
	Message string `json:"message"`
	// Filepath is a canonical relative file path. This is empty when input was read from stdin.
	// When encoding into JSON, this field may be omitted when the file path is empty.
	Filepath string `json:"filepath,omitempty"`
	// Line is a line number of error position.
	Line int `json:"line"`
	// Column is a column number of error position.
	Column int `json:"column"`
	// Kind is a rule name the error belongs to.
	Kind string `json:"kind"`
	// Snippet is a code snippet and indicator to indicate where the error occurred.
	// When encoding into JSON, this field may be omitted when the snippet is empty.
	Snippet string `json:"snippet,omitempty"`
	// EndColumn is a column number where the error indicator (^~~~~~~) ends. When no indicator
	// can be shown, EndColumn is equal to Column.
	EndColumn int `json:"end_column"`
}

ErrorTemplateFields holds all fields to format one error message.

type Event

type Event interface {
	// EventName returns name of the event to trigger this workflow.
	EventName() string
}

Event interface represents workflow events in 'on' section

type Exec

type Exec interface {
	// Kind returns kind of the step execution.
	Kind() ExecKind
}

Exec is an interface how the step is executed. Step in workflow runs either an action or a script

type ExecAction

type ExecAction struct {
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsuses
	Uses *String
	// Inputs represents inputs to the action to execute in 'with' section. Keys are in lower case since they are case-insensitive.
	Inputs map[string]*Input
	// Entrypoint represents optional 'entrypoint' field in 'with' section. Nil field means nothing specified
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswithentrypoint
	Entrypoint *String
	// Args represents optional 'args' field in 'with' section. Nil field means nothing specified
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswithargs
	Args *String
}

ExecAction is configuration how to run action at the step. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsuses

func (*ExecAction) Kind

func (e *ExecAction) Kind() ExecKind

Kind returns kind of the step execution.

type ExecKind

type ExecKind uint8

ExecKind is kind of how the step is executed. A step runs some action or runs some shell script.

const (
	// ExecKindAction is kind for step to run action
	ExecKindAction ExecKind = iota
	// ExecKindRun is kind for step to run shell script
	ExecKindRun
)

type ExecRun

type ExecRun struct {
	// Run is script to run.
	Run *String
	// Shell represents optional 'shell' field. Nil means nothing specified.
	Shell *String
	// WorkingDirectory represents optional 'working-directory' field. Nil means nothing specified.
	WorkingDirectory *String
	// RunPos is position of 'run' section
	RunPos *Pos
}

ExecRun is configuration how to run shell script at the step. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsrun

func (*ExecRun) Kind

func (e *ExecRun) Kind() ExecKind

Kind returns kind of the step execution.

type ExprError

type ExprError struct {
	// Message is an error message
	Message string
	// Offset is byte offset position which caused the error
	Offset int
	// Offset is line number position which caused the error. Note that this value is 1-based.
	Line int
	// Column is column number position which caused the error. Note that this value is 1-based.
	Column int
}

ExprError is an error type caused by lexing/parsing expression syntax. For more details, see https://docs.github.com/en/actions/learn-github-actions/expressions

func (*ExprError) Error

func (e *ExprError) Error() string

func (*ExprError) String added in v1.6.18

func (e *ExprError) String() string

type ExprLexer

type ExprLexer struct {
	// contains filtered or unexported fields
}

ExprLexer is a struct to lex expression syntax. To know the syntax, see https://docs.github.com/en/actions/learn-github-actions/expressions

func NewExprLexer

func NewExprLexer(src string) *ExprLexer

NewExprLexer makes new ExprLexer instance.

func (*ExprLexer) Err added in v1.6.1

func (lex *ExprLexer) Err() *ExprError

Err returns an error while lexing. When multiple errors occur, the first one is returned.

func (*ExprLexer) Next added in v1.6.1

func (lex *ExprLexer) Next() *Token

Next lexes next token to lex input incrementally. Lexer must be initialized with Init() method before the first call of this method. This method is stateful. Lexer advances offset by lexing token. To get the offset, use Offset() method.

func (*ExprLexer) Offset added in v1.6.1

func (lex *ExprLexer) Offset() int

Offset returns the current offset (scanning position).

type ExprNode

type ExprNode interface {
	// Token returns the first token of the node. This method is useful to get position of this node.
	Token() *Token
}

ExprNode is a node of expression syntax tree. To know the syntax, see https://docs.github.com/en/actions/learn-github-actions/expressions

type ExprParser

type ExprParser struct {
	// contains filtered or unexported fields
}

ExprParser is a parser for expression syntax. To know the details, see https://docs.github.com/en/actions/learn-github-actions/expressions

func NewExprParser

func NewExprParser() *ExprParser

NewExprParser creates new ExprParser instance.

func (*ExprParser) Err added in v1.6.1

func (p *ExprParser) Err() *ExprError

Err returns an error which was caused while previous parsing.

func (*ExprParser) Parse

func (p *ExprParser) Parse(l *ExprLexer) (ExprNode, *ExprError)

Parse parses token sequence lexed by a given lexer into syntax tree.

type ExprSemanticsChecker

type ExprSemanticsChecker struct {
	// contains filtered or unexported fields
}

ExprSemanticsChecker is a semantics checker for expression syntax. It checks types of values in given expression syntax tree. It additionally checks other semantics like arguments of format() built-in function. To know the details of the syntax, see

- https://docs.github.com/en/actions/learn-github-actions/contexts - https://docs.github.com/en/actions/learn-github-actions/expressions

func NewExprSemanticsChecker

func NewExprSemanticsChecker(checkUntrustedInput bool) *ExprSemanticsChecker

NewExprSemanticsChecker creates new ExprSemanticsChecker instance. When checkUntrustedInput is set to true, the checker will make use of possibly untrusted inputs error.

func (*ExprSemanticsChecker) Check

func (sema *ExprSemanticsChecker) Check(expr ExprNode) (ExprType, []*ExprError)

Check checks sematics of given expression syntax tree. It returns the type of the expression as the first return value when the check was successfully done. And it returns all errors found while checking the expression as the second return value.

func (*ExprSemanticsChecker) SetContextAvailability added in v1.6.21

func (sema *ExprSemanticsChecker) SetContextAvailability(avail []string)

SetContextAvailability sets available context names while semantics checks. Some contexts limit where they can be used. https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability

Elements of 'avail' parameter must be in lower case to check context names in case-insensitive.

If this method is not called before checks, ExprSemanticsChecker considers any contexts are available by default. Available contexts for workflow keys can be obtained from actionlint.ContextAvailability.

func (*ExprSemanticsChecker) SetSpecialFunctionAvailability added in v1.6.21

func (sema *ExprSemanticsChecker) SetSpecialFunctionAvailability(avail []string)

SetSpecialFunctionAvailability sets names of available special functions while semantics checks. Some functions limit where they can be used. https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability

Elements of 'avail' parameter must be in lower case to check function names in case-insensitive.

If this method is not called before checks, ExprSemanticsChecker considers no special function is allowed by default. Allowed functions can be obtained from actionlint.SpecialFunctionNames global constant.

Available function names for workflow keys can be obtained from actionlint.ContextAvailability.

func (*ExprSemanticsChecker) UpdateDispatchInputs added in v1.6.8

func (sema *ExprSemanticsChecker) UpdateDispatchInputs(ty *ObjectType)

UpdateDispatchInputs updates 'github.event.inputs' and 'inputs' objects to given object type. https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch

func (*ExprSemanticsChecker) UpdateInputs added in v1.6.6

func (sema *ExprSemanticsChecker) UpdateInputs(ty *ObjectType)

UpdateInputs updates 'inputs' context object to given object type.

func (*ExprSemanticsChecker) UpdateJobs added in v1.6.10

func (sema *ExprSemanticsChecker) UpdateJobs(ty *ObjectType)

UpdateJobs updates 'jobs' context object to given object type.

func (*ExprSemanticsChecker) UpdateMatrix

func (sema *ExprSemanticsChecker) UpdateMatrix(ty *ObjectType)

UpdateMatrix updates matrix object to given object type. Since matrix values change according to 'matrix' section of job configuration, the type needs to be updated.

func (*ExprSemanticsChecker) UpdateNeeds

func (sema *ExprSemanticsChecker) UpdateNeeds(ty *ObjectType)

UpdateNeeds updates 'needs' context object to given object type.

func (*ExprSemanticsChecker) UpdateSecrets added in v1.6.6

func (sema *ExprSemanticsChecker) UpdateSecrets(ty *ObjectType)

UpdateSecrets updates 'secrets' context object to given object type.

func (*ExprSemanticsChecker) UpdateSteps

func (sema *ExprSemanticsChecker) UpdateSteps(ty *ObjectType)

UpdateSteps updates 'steps' context object to given object type.

type ExprType

type ExprType interface {
	// String returns string representation of the type.
	String() string
	// Assignable returns if other type can be assignable to the type.
	Assignable(other ExprType) bool
	// Merge merges other type into this type. When other type conflicts with this type, the merged
	// result is any type as fallback.
	Merge(other ExprType) ExprType
	// DeepCopy duplicates itself. All its child types are copied recursively.
	DeepCopy() ExprType
}

ExprType is interface for types of values in expression.

type Float

type Float struct {
	// Value is a raw value of the float string.
	Value float64
	// Expression is a string when expression syntax ${{ }} is used for this section.
	Expression *String
	// Pos is a position in source.
	Pos *Pos
}

Float represents generic float value in YAML file with position.

type FloatNode

type FloatNode struct {
	// Value is value of the float literal.
	Value float64
	// contains filtered or unexported fields
}

FloatNode is node for float literal.

func (*FloatNode) Token

func (n *FloatNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type FuncCallNode

type FuncCallNode struct {
	// Callee is a name of called function. This is string value because currently only built-in
	// functions can be called.
	Callee string
	// Args is arguments of the function call.
	Args []ExprNode
	// contains filtered or unexported fields
}

FuncCallNode represents function call in expression. Note that currently only calling builtin functions is supported.

func (*FuncCallNode) Token

func (n *FuncCallNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type FuncSignature

type FuncSignature struct {
	// Name is a name of the function.
	Name string
	// Ret is a return type of the function.
	Ret ExprType
	// Params is a list of parameter types of the function. The final element of this list might
	// be repeated as variable length arguments.
	Params []ExprType
	// VariableLengthParams is a flag to handle variable length parameters. When this flag is set to
	// true, it means that the last type of params might be specified multiple times (including zero
	// times). Setting true implies length of Params is more than 0.
	VariableLengthParams bool
}

FuncSignature is a signature of function, which holds return and arguments types.

func (*FuncSignature) String

func (sig *FuncSignature) String() string

type IndexAccessNode

type IndexAccessNode struct {
	// Operand is an expression at operand of index access, which should be array or object.
	Operand ExprNode
	// Index is an expression at index, which should be integer or string.
	Index ExprNode
}

IndexAccessNode is node for index access, which represents dynamic object property access or array index access.

func (*IndexAccessNode) Token

func (n *IndexAccessNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type Input

type Input struct {
	// Name is a name of the input.
	Name *String
	// Value is a value of the input.
	Value *String
}

Input is an input field for running an action. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswith

type Int

type Int struct {
	// Value is a raw value of the integer string.
	Value int
	// Expression is a string when expression syntax ${{ }} is used for this section.
	Expression *String
	// Pos is a position in source.
	Pos *Pos
}

Int represents generic integer value in YAML file with position.

type IntNode

type IntNode struct {
	// Value is value of the integer literal.
	Value int
	// contains filtered or unexported fields
}

IntNode is node for integer literal.

func (*IntNode) Token

func (n *IntNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type InvalidGlobPattern added in v1.4.0

type InvalidGlobPattern struct {
	// Message is a human readable error message.
	Message string
	// Column is a column number of the error in the glob pattern. This value is 1-based, but zero
	// is valid value. Zero means the error occurred before reading first character. This happens
	// when a given pattern is empty. When the given pattern include a newline and line number
	// increases (invalid pattern), the column number falls back into always 0.
	Column int
}

InvalidGlobPattern is an error on invalid glob pattern.

func ValidatePathGlob added in v1.4.0

func ValidatePathGlob(pat string) []InvalidGlobPattern

ValidatePathGlob checks a given input as glob pattern for file paths. It returns list of errors found by the validation. See the following URL for more details of the syntax: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet

func ValidateRefGlob added in v1.4.0

func ValidateRefGlob(pat string) []InvalidGlobPattern

ValidateRefGlob checks a given input as glob pattern for Git ref names. It returns list of errors found by the validation. See the following URL for more details of the syntax: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet

func (*InvalidGlobPattern) Error added in v1.4.0

func (err *InvalidGlobPattern) Error() string

func (*InvalidGlobPattern) String added in v1.6.18

func (err *InvalidGlobPattern) String() string

type Job

type Job struct {
	// ID is an ID of the job, which is key of job configuration objects.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_id
	ID *String
	// Name is a name of job that user can specify freely.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idname
	Name *String
	// Needs is list of job IDs which should be run before running this job.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idneeds
	Needs []*String
	// RunsOn is runner configuration which run the job.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idruns-on
	RunsOn *Runner
	// Permissions is permission configuration for running the job.
	Permissions *Permissions
	// Environment is environment specification where the job runs.
	Environment *Environment
	// Concurrency is concurrency configuration on running the job.
	Concurrency *Concurrency
	// Outputs is map from output name to output specifications.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idoutputs
	Outputs map[string]*Output
	// Env is environment variables setup while running the job.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idenv
	Env *Env
	// Defaults is default configurations of how to run scripts.
	Defaults *Defaults
	// If is a condition whether this job should be run.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idif
	If *String
	// Steps is list of steps to be run in the job.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idsteps
	Steps []*Step
	// TimeoutMinutes is timeout value of running the job in minutes.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes
	TimeoutMinutes *Float
	// Strategy is strategy configuration of running the job.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategy
	Strategy *Strategy
	// ContinueOnError is a flag to show if execution should continue on error.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontinue-on-error
	ContinueOnError *Bool
	// Container is container configuration to run the job.
	Container *Container
	// Services is map from service names to service configurations. Keys are in lower case since they are case-insensitive.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idservices
	Services map[string]*Service
	// WorkflowCall is a workflow call by 'uses:'.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_iduses
	WorkflowCall *WorkflowCall
	// Pos is a position in source.
	Pos *Pos
}

Job is configuration of how to run a job. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobs

type Linter

type Linter struct {
	// contains filtered or unexported fields
}

Linter is struct to lint workflow files.

func NewLinter

func NewLinter(out io.Writer, opts *LinterOptions) (*Linter, error)

NewLinter creates a new Linter instance. The out parameter is used to output errors from Linter instance. Set io.Discard if you don't want the outputs. The opts parameter is LinterOptions instance which configures behavior of linting.

func (*Linter) GenerateDefaultConfig

func (l *Linter) GenerateDefaultConfig(dir string) error

GenerateDefaultConfig generates default config file at ".github/actionlint.yaml" in project which the given directory path belongs to.

func (*Linter) Lint

func (l *Linter) Lint(path string, content []byte, project *Project) ([]*Error, error)

Lint lints YAML workflow file content given as byte sequence. The path parameter is used as file path the content came from. Setting "<stdin>" to path parameter indicates the output came from STDIN. Note that only given Project instance is used for configuration. No config is automatically loaded based on path parameter.

func (*Linter) LintDir added in v1.6.17

func (l *Linter) LintDir(dir string, project *Project) ([]*Error, error)

LintDir lints all YAML workflow files in the given directory recursively.

func (*Linter) LintFile

func (l *Linter) LintFile(path string, project *Project) ([]*Error, error)

LintFile lints one YAML workflow file and outputs the errors to given writer. The project parameter can be nil. In the case, the project is detected from the given path.

func (*Linter) LintFiles

func (l *Linter) LintFiles(filepaths []string, project *Project) ([]*Error, error)

LintFiles lints YAML workflow files and outputs the errors to given writer. It applies lint rules to all given files. The project parameter can be nil. In the case, a project is detected from the file path.

func (*Linter) LintRepository

func (l *Linter) LintRepository(dir string) ([]*Error, error)

LintRepository lints YAML workflow files and outputs the errors to given writer. It finds the nearest `.github/workflows` directory based on `dir` and applies lint rules to all YAML workflow files under the directory.

type LinterOptions

type LinterOptions struct {
	// Verbose is flag if verbose log output is enabled.
	Verbose bool
	// Debug is flag if debug log output is enabled.
	Debug bool
	// LogWriter is io.Writer object to use to print log outputs. Note that error outputs detected
	// by the linter are not included in the log outputs.
	LogWriter io.Writer
	// Color is option for colorizing error outputs. See ColorOptionKind document for each enum values.
	Color ColorOptionKind
	// Oneline is flag if one line output is enabled. When enabling it, one error is output per one
	// line. It is useful when reading outputs from programs.
	Oneline bool
	// Shellcheck is executable for running shellcheck external command. It can be command name like
	// "shellcheck" or file path like "/path/to/shellcheck", "path/to/shellcheck". When this value
	// is empty, shellcheck won't run to check scripts in workflow file.
	Shellcheck string
	// Pyflakes is executable for running pyflakes external command. It can be command name like "pyflakes"
	// or file path like "/path/to/pyflakes", "path/to/pyflakes". When this value is empty, pyflakes
	// won't run to check scripts in workflow file.
	Pyflakes string
	// IgnorePatterns is list of regular expression to filter errors. The pattern is applied to error
	// messages. When an error is matched, the error is ignored.
	IgnorePatterns []string
	// ConfigFile is a path to config file. Empty string means no config file path is given. In
	// the case, actionlint will try to read config from .github/actionlint.yaml.
	ConfigFile string
	// Format is a custom template to format error messages. It must follow Go Template format and
	// contain at least one {{ }} placeholder. https://pkg.go.dev/text/template
	Format string
	// StdinFileName is a file name when reading input from stdin. When this value is empty, "<stdin>"
	// is used as the default value.
	StdinFileName string
	// WorkingDir is a file path to the current working directory. When this value is empty, os.Getwd
	// will be used to get a working directory.
	WorkingDir string
}

LinterOptions is set of options for Linter instance. This struct should be created by user and given to NewLinter factory function.

type LocalActionsCache added in v1.5.0

type LocalActionsCache struct {
	// contains filtered or unexported fields
}

LocalActionsCache is cache for local actions' metadata. It avoids repeating to find/read/parse local action's metadata file (action.yml). This cache is not available across multiple repositories. One LocalActionsCache instance needs to be created per one repository.

func NewLocalActionsCache added in v1.5.0

func NewLocalActionsCache(proj *Project, dbg io.Writer) *LocalActionsCache

NewLocalActionsCache creates new LocalActionsCache instance for the given project.

func (*LocalActionsCache) FindMetadata added in v1.5.0

func (c *LocalActionsCache) FindMetadata(spec string) (*ActionMetadata, error)

FindMetadata finds metadata for given spec. The spec should indicate for local action hence it should start with "./". The first return value can be nil even if error did not occur. LocalActionCache caches that the action was not found. At first search, it returns an error that the action was not found. But at the second search, it does not return an error even if the result is nil. This behavior prevents repeating to report the same error from multiple places. Calling this method is thread-safe.

type LocalActionsCacheFactory added in v1.6.16

type LocalActionsCacheFactory struct {
	// contains filtered or unexported fields
}

LocalActionsCacheFactory is a factory to create LocalActionsCache instances. LocalActionsCache should be created for each repositories. LocalActionsCacheFactory creates new LocalActionsCache instance per repository (project).

func NewLocalActionsCacheFactory added in v1.6.16

func NewLocalActionsCacheFactory(dbg io.Writer) *LocalActionsCacheFactory

NewLocalActionsCacheFactory creates a new LocalActionsCacheFactory instance.

func (*LocalActionsCacheFactory) GetCache added in v1.6.16

GetCache returns LocalActionsCache instance for the given project. One LocalActionsCache is created per one repository. Created instances are cached and will be used when caches are requested for the same projects. This method is not thread safe.

type LocalReusableWorkflowCache added in v1.6.18

type LocalReusableWorkflowCache struct {
	// contains filtered or unexported fields
}

LocalReusableWorkflowCache is a cache for local reusable workflow metadata files. It avoids find/read/parse local reusable workflow YAML files. This cache is dedicated for a single project (repository) indicated by 'proj' field. One LocalReusableWorkflowCache instance needs to be created per one project.

func NewLocalReusableWorkflowCache added in v1.6.18

func NewLocalReusableWorkflowCache(proj *Project, cwd string, dbg io.Writer) *LocalReusableWorkflowCache

NewLocalReusableWorkflowCache creates a new LocalReusableWorkflowCache instance for the given project. 'cwd' is a current working directory as an absolute file path. The 'Local' means that the cache instance is project-local. It is not available accross multiple projects.

func (*LocalReusableWorkflowCache) FindMetadata added in v1.6.18

FindMetadata finds/parses a reusable workflow metadata located by the 'spec' argument. When project is not set to 'proj' field or the spec does not start with "./", this method immediately returns with nil.

Note that an error is not cached. At first search, let's say this method returned an error since the reusable workflow is invalid. In this case, calling this method with the same spec later will not return the error again. It just will return nil. This behavior prevents repeating to report the same error from multiple places.

Calling this method is thread-safe.

func (*LocalReusableWorkflowCache) WriteWorkflowCallEvent added in v1.6.18

func (c *LocalReusableWorkflowCache) WriteWorkflowCallEvent(wpath string, event *WorkflowCallEvent)

WriteWorkflowCallEvent writes reusable workflow metadata by converting from WorkflowCallEvent AST node. The 'wpath' parameter is a path to the workflow file of the AST, which is a relative to the project root directory or an absolute path. This method does nothing when (1) no project is set, (2) it could not convert the workflow path to workflow call spec, (3) some cache for the workflow is already existing. This method is thread safe.

type LocalReusableWorkflowCacheFactory added in v1.6.18

type LocalReusableWorkflowCacheFactory struct {
	// contains filtered or unexported fields
}

LocalReusableWorkflowCacheFactory is a factory object to create a LocalReusableWorkflowCache instance per project.

func NewLocalReusableWorkflowCacheFactory added in v1.6.18

func NewLocalReusableWorkflowCacheFactory(cwd string, dbg io.Writer) *LocalReusableWorkflowCacheFactory

NewLocalReusableWorkflowCacheFactory creates a new LocalReusableWorkflowCacheFactory instance.

func (*LocalReusableWorkflowCacheFactory) GetCache added in v1.6.18

GetCache returns a new or existing LocalReusableWorkflowCache instance per project. When a instance was already created for the project, this method returns the existing instance. Otherwise it creates a new instance and returns it.

type LogLevel

type LogLevel int

LogLevel is log level of logger used in Linter instance.

type LogicalOpNode

type LogicalOpNode struct {
	// Kind is a kind to show which operator is used.
	Kind LogicalOpNodeKind
	// Left is an expression for left hand side of the binary operator.
	Left ExprNode
	// Right is an expression for right hand side of the binary operator.
	Right ExprNode
}

LogicalOpNode is node for logical binary operators; && or ||.

func (*LogicalOpNode) Token

func (n *LogicalOpNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type LogicalOpNodeKind

type LogicalOpNodeKind int

LogicalOpNodeKind is a kind of logical operators; && and ||.

const (
	// LogicalOpNodeKindInvalid is an invalid and initial value of LogicalOpNodeKind.
	LogicalOpNodeKindInvalid LogicalOpNodeKind = iota
	// LogicalOpNodeKindAnd is a kind for && operator.
	LogicalOpNodeKindAnd
	// LogicalOpNodeKindOr is a kind for || operator.
	LogicalOpNodeKindOr
)

func (LogicalOpNodeKind) String

func (k LogicalOpNodeKind) String() string

type Matrix

type Matrix struct {
	// Values stores mappings from name to values. Keys are in lower case since they are case-insensitive.
	Rows map[string]*MatrixRow
	// Include is list of combinations of matrix values and additional values on running matrix combinations.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-including-additional-values-into-combinations
	Include *MatrixCombinations
	// Exclude is list of combinations of matrix values which should not be run. Combinations in
	// this list will be removed from combinations of matrix to run.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-excluding-configurations-from-a-matrix
	Exclude *MatrixCombinations
	// Expression is a string when expression syntax ${{ }} is used for this section.
	Expression *String
	// Pos is a position in source.
	Pos *Pos
}

Matrix is matrix variations configuration of a job. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix

type MatrixAssign

type MatrixAssign struct {
	// Key is a name of the matrix value.
	Key *String
	// Value is the value selected from values in row.
	Value RawYAMLValue
}

MatrixAssign represents which value should be taken in the row of the matrix. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix

type MatrixCombination

type MatrixCombination struct {
	Assigns map[string]*MatrixAssign
	// Expression is a string when expression syntax ${{ }} is used for this section.
	Expression *String
}

MatrixCombination is combination of matrix value assignments to define one of matrix variations. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix

type MatrixCombinations

type MatrixCombinations struct {
	Combinations []*MatrixCombination
	// Expression is a string when expression syntax ${{ }} is used for this section.
	Expression *String
}

MatrixCombinations is list of combinations of matrix assignments used for 'include' and 'exclude' sections. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix

func (*MatrixCombinations) ContainsExpression

func (cs *MatrixCombinations) ContainsExpression() bool

ContainsExpression returns if the combinations section includes at least one expression node.

type MatrixRow

type MatrixRow struct {
	// Name is a name of matrix value.
	Name *String
	// Values is variations of values which the matrix value can take.
	Values []RawYAMLValue
	// Expression is a string when expression syntax ${{ }} is used for this section.
	Expression *String
}

MatrixRow is one row of matrix. One matrix row can take multiple values. Those variations are stored as row of values in this struct. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix

type NotOpNode

type NotOpNode struct {
	// Operand is an expression at operand of ! operator.
	Operand ExprNode
	// contains filtered or unexported fields
}

NotOpNode is node for unary ! operator.

func (*NotOpNode) Token

func (n *NotOpNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type NullNode

type NullNode struct {
	// contains filtered or unexported fields
}

NullNode is node for null literal.

func (*NullNode) Token

func (n *NullNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type NullType

type NullType struct{}

NullType is type for null value.

func (NullType) Assignable

func (ty NullType) Assignable(other ExprType) bool

Assignable returns if other type can be assignable to the type.

func (NullType) DeepCopy added in v1.6.8

func (ty NullType) DeepCopy() ExprType

DeepCopy duplicates itself. All its child types are copied recursively.

func (NullType) Merge added in v1.6.4

func (ty NullType) Merge(other ExprType) ExprType

Merge merges other type into this type. When other type conflicts with this type, the merged result is any type as fallback.

func (NullType) String

func (ty NullType) String() string

type NumberType

type NumberType struct{}

NumberType is type for number values such as integer or float.

func (NumberType) Assignable

func (ty NumberType) Assignable(other ExprType) bool

Assignable returns if other type can be assignable to the type.

func (NumberType) DeepCopy added in v1.6.8

func (ty NumberType) DeepCopy() ExprType

DeepCopy duplicates itself. All its child types are copied recursively.

func (NumberType) Merge added in v1.6.4

func (ty NumberType) Merge(other ExprType) ExprType

Merge merges other type into this type. When other type conflicts with this type, the merged result is any type as fallback.

func (NumberType) String

func (ty NumberType) String() string

type ObjectDerefNode

type ObjectDerefNode struct {
	// Receiver is an expression at receiver of property dereference.
	Receiver ExprNode
	// Property is a name of property to access.
	Property string
}

ObjectDerefNode represents property dereference of object like 'foo.bar'.

func (ObjectDerefNode) Token

func (n ObjectDerefNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type ObjectType

type ObjectType struct {
	// Props is map from properties name to their type.
	Props map[string]ExprType
	// Mapped is an element type of this object. This means all props have the type. For example,
	// The element type of env context is string.
	// AnyType means its property types can be any type so it shapes a loose object. Setting nil
	// means propreties are mapped to no type so it shapes a strict object.
	//
	// Invariant: All types in Props field must be assignable to this type.
	Mapped ExprType
}

ObjectType is type for objects, which can hold key-values.

func NewEmptyObjectType added in v1.6.4

func NewEmptyObjectType() *ObjectType

NewEmptyObjectType creates new loose ObjectType instance which allows unknown props. When accessing to unknown props, their values will fall back to any.

func NewEmptyStrictObjectType added in v1.6.4

func NewEmptyStrictObjectType() *ObjectType

NewEmptyStrictObjectType creates new ObjectType instance which does not allow unknown props.

func NewMapObjectType added in v1.6.4

func NewMapObjectType(t ExprType) *ObjectType

NewMapObjectType creates new ObjectType which maps keys to a specific type value.

func NewObjectType

func NewObjectType(props map[string]ExprType) *ObjectType

NewObjectType creates new loose ObjectType instance which allows unknown props with given props.

func NewStrictObjectType

func NewStrictObjectType(props map[string]ExprType) *ObjectType

NewStrictObjectType creates new ObjectType instance which does not allow unknown props with given prop types.

func (*ObjectType) Assignable

func (ty *ObjectType) Assignable(other ExprType) bool

Assignable returns if other type can be assignable to the type. In other words, rhs type is more strict than lhs (receiver) type.

func (*ObjectType) DeepCopy added in v1.6.8

func (ty *ObjectType) DeepCopy() ExprType

DeepCopy duplicates itself. All its child types are copied recursively.

func (*ObjectType) IsLoose added in v1.6.4

func (ty *ObjectType) IsLoose() bool

IsLoose returns if the type is a loose object, which allows any unknown props.

func (*ObjectType) IsStrict added in v1.6.4

func (ty *ObjectType) IsStrict() bool

IsStrict returns if the type is a strict object, which means no unknown prop is allowed.

func (*ObjectType) Loose added in v1.6.4

func (ty *ObjectType) Loose()

Loose sets the object is loose, which means any properties can be set.

func (*ObjectType) Merge added in v1.6.4

func (ty *ObjectType) Merge(other ExprType) ExprType

Merge merges two object types into one. When other object has unknown props, they are merged into current object. When both have same property, when they are assignable, it remains as-is. Otherwise, the property falls back to any type.

func (*ObjectType) Strict added in v1.6.4

func (ty *ObjectType) Strict()

Strict sets the object is strict, which means only known properties are allowed.

func (*ObjectType) String

func (ty *ObjectType) String() string

type Output

type Output struct {
	// Name is name of output.
	Name *String
	// Value is value of output.
	Value *String
}

Output is output entry of the job. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idoutputs

type Pass

type Pass interface {
	// VisitStep is callback when visiting Step node. It returns internal error when it cannot continue the process
	VisitStep(node *Step) error
	// VisitJobPre is callback when visiting Job node before visiting its children. It returns internal error when it cannot continue the process
	VisitJobPre(node *Job) error
	// VisitJobPost is callback when visiting Job node after visiting its children. It returns internal error when it cannot continue the process
	VisitJobPost(node *Job) error
	// VisitWorkflowPre is callback when visiting Workflow node before visiting its children. It returns internal error when it cannot continue the process
	VisitWorkflowPre(node *Workflow) error
	// VisitWorkflowPost is callback when visiting Workflow node after visiting its children. It returns internal error when it cannot continue the process
	VisitWorkflowPost(node *Workflow) error
}

Pass is an interface to traverse a workflow syntax tree

type PermissionScope added in v1.5.0

type PermissionScope struct {
	// Name is name of the scope.
	Name *String
	// Value is permission value of the scope.
	Value *String
}

PermissionScope is struct for respective permission scope like "issues", "checks", ... https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

type Permissions

type Permissions struct {
	// All represents a permission value for all the scopes at once.
	All *String
	// Scopes is mappings from scope name to its permission configuration
	Scopes map[string]*PermissionScope
	// Pos is a position in source.
	Pos *Pos
}

Permissions is set of permission configurations in workflow file. All permissions can be set at once. Or each permission can be configured respectively. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#permissions

type Pos

type Pos struct {
	// Line is a line number of the position. This value is 1-based.
	Line int
	// Col is a column number of the position. This value is 1-based.
	Col int
}

Pos represents position in the file.

func (*Pos) IsBefore added in v1.6.14

func (p *Pos) IsBefore(other *Pos) bool

IsBefore returns if the position is before the other position. If they are equal, this function returns false.

func (*Pos) String

func (p *Pos) String() string

type Project

type Project struct {
	// contains filtered or unexported fields
}

Project represents one GitHub project. One Git repository corresponds to one project.

func (*Project) Config

func (p *Project) Config() (*Config, error)

Config returns config object of the GitHub project repository. The config file is read from ".github/actionlint.yaml" or ".github/actionlint.yml".

func (*Project) Knows

func (p *Project) Knows(path string) bool

Knows returns true when the project knows the given file. When a file is included in the project's directory, the project knows the file.

func (*Project) RootDir

func (p *Project) RootDir() string

RootDir returns a root directory path of the GitHub project repository.

func (*Project) WorkflowsDir

func (p *Project) WorkflowsDir() string

WorkflowsDir returns a ".github/workflows" directory path of the GitHub project repository. This method does not check if the directory exists.

type Projects

type Projects struct {
	// contains filtered or unexported fields
}

Projects represents set of projects. It caches Project instances which was created previously and reuses them.

func NewProjects

func NewProjects() *Projects

NewProjects creates new Projects instance.

func (*Projects) At

func (ps *Projects) At(path string) *Project

At returns the Project instance which the path belongs to.

type RawYAMLArray

type RawYAMLArray struct {
	// Elems is list of elements of the array value.
	Elems []RawYAMLValue
	// contains filtered or unexported fields
}

RawYAMLArray is raw YAML sequence value.

func (*RawYAMLArray) Equals

func (a *RawYAMLArray) Equals(other RawYAMLValue) bool

Equals returns if the other value is equal to the value.

func (*RawYAMLArray) Kind

func (a *RawYAMLArray) Kind() RawYAMLValueKind

Kind returns kind of raw YAML value.

func (*RawYAMLArray) Pos

func (a *RawYAMLArray) Pos() *Pos

Pos returns the start position of the value in the source file

func (*RawYAMLArray) String

func (a *RawYAMLArray) String() string

type RawYAMLObject

type RawYAMLObject struct {
	// Props is map from property names to their values. Keys are in lower case since they are case-insensitive.
	Props map[string]RawYAMLValue
	// contains filtered or unexported fields
}

RawYAMLObject is raw YAML mapping value.

func (*RawYAMLObject) Equals

func (o *RawYAMLObject) Equals(other RawYAMLValue) bool

Equals returns if the other value is equal to the value.

func (*RawYAMLObject) Kind

func (o *RawYAMLObject) Kind() RawYAMLValueKind

Kind returns kind of raw YAML value.

func (*RawYAMLObject) Pos

func (o *RawYAMLObject) Pos() *Pos

Pos returns the start position of the value in the source file

func (*RawYAMLObject) String

func (o *RawYAMLObject) String() string

type RawYAMLString

type RawYAMLString struct {

	// Value is string representation of the scalar node.
	Value string
	// contains filtered or unexported fields
}

RawYAMLString is raw YAML scalar value.

func (*RawYAMLString) Equals

func (s *RawYAMLString) Equals(other RawYAMLValue) bool

Equals returns if the other value is equal to the value.

func (*RawYAMLString) Kind

func (s *RawYAMLString) Kind() RawYAMLValueKind

Kind returns kind of raw YAML value.

func (*RawYAMLString) Pos

func (s *RawYAMLString) Pos() *Pos

Pos returns the start position of the value in the source file

func (*RawYAMLString) String

func (s *RawYAMLString) String() string

type RawYAMLValue

type RawYAMLValue interface {
	// Kind returns kind of raw YAML value.
	Kind() RawYAMLValueKind
	// Equals returns if the other value is equal to the value.
	Equals(other RawYAMLValue) bool
	// Pos returns the start position of the value in the source file
	Pos() *Pos
	// String returns string representation of the value
	String() string
}

RawYAMLValue is a value at matrix variation. Any value can be put at matrix variations including mappings and arrays.

type RawYAMLValueKind

type RawYAMLValueKind int

RawYAMLValueKind is kind of raw YAML values

type RepositoryDispatchEvent

type RepositoryDispatchEvent struct {
	// Types is list of types which can trigger workflow.
	Types []*String
	// Pos is a position in source.
	Pos *Pos
}

RepositoryDispatchEvent is repository_dispatch event configuration. https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows#repository_dispatch

func (*RepositoryDispatchEvent) EventName

func (e *RepositoryDispatchEvent) EventName() string

EventName returns name of the event to trigger this workflow.

type ReusableWorkflowMetadata added in v1.6.18

type ReusableWorkflowMetadata struct {
	Inputs  ReusableWorkflowMetadataInputs  `yaml:"inputs"`
	Outputs ReusableWorkflowMetadataOutputs `yaml:"outputs"`
	Secrets ReusableWorkflowMetadataSecrets `yaml:"secrets"`
}

ReusableWorkflowMetadata is metadata to validate local reusable workflows. This struct does not contain all metadata from YAML file. It only contains metadata which is necessary to validate reusable workflow files by actionlint.

type ReusableWorkflowMetadataInput added in v1.6.18

type ReusableWorkflowMetadataInput struct {
	// Name is a name of the input defined in the reusable workflow.
	Name string
	// Required is true when 'required' field of the input is set to true and no default value is set.
	Required bool
	// Type is a type of the input. When the input type is unknown, 'any' type is set.
	Type ExprType
}

ReusableWorkflowMetadataInput is an input metadata for validating local reusable workflow file.

func (*ReusableWorkflowMetadataInput) UnmarshalYAML added in v1.6.18

func (input *ReusableWorkflowMetadataInput) UnmarshalYAML(n *yaml.Node) error

UnmarshalYAML implements yaml.Unmarshaler.

type ReusableWorkflowMetadataInputs added in v1.6.19

type ReusableWorkflowMetadataInputs map[string]*ReusableWorkflowMetadataInput

ReusableWorkflowMetadataInputs is a map from input name to reusable wokflow input metadata. The keys are in lower case since input names of workflow calls are case insensitive.

func (*ReusableWorkflowMetadataInputs) UnmarshalYAML added in v1.6.19

func (inputs *ReusableWorkflowMetadataInputs) UnmarshalYAML(n *yaml.Node) error

UnmarshalYAML implements yaml.Unmarshaler.

type ReusableWorkflowMetadataOutput added in v1.6.19

type ReusableWorkflowMetadataOutput struct {
	// Name is a name of the output in the reusable workflow.
	Name string
}

ReusableWorkflowMetadataOutput is an output metadata for validating local reusable workflow file.

type ReusableWorkflowMetadataOutputs added in v1.6.19

type ReusableWorkflowMetadataOutputs map[string]*ReusableWorkflowMetadataOutput

ReusableWorkflowMetadataOutputs is a map from output name to reusable wokflow output metadata. The keys are in lower case since output names of workflow calls are case insensitive.

func (*ReusableWorkflowMetadataOutputs) UnmarshalYAML added in v1.6.19

func (outputs *ReusableWorkflowMetadataOutputs) UnmarshalYAML(n *yaml.Node) error

UnmarshalYAML implements yaml.Unmarshaler.

type ReusableWorkflowMetadataSecret added in v1.6.19

type ReusableWorkflowMetadataSecret struct {
	// Name is a name of the secret in the reusable workflow.
	Name string
	// Required indicates wether the secret is required by its reusable workflow. When this value is
	// true, workflow calls must set this secret unless secrets are not inherited.
	Required bool `yaml:"required"`
}

ReusableWorkflowMetadataSecret is a secret metadata for validating local reusable workflow file.

type ReusableWorkflowMetadataSecrets added in v1.6.19

type ReusableWorkflowMetadataSecrets map[string]*ReusableWorkflowMetadataSecret

ReusableWorkflowMetadataSecrets is a map from secret name to reusable wokflow secret metadata. The keys are in lower case since secret names of workflow calls are case insensitive.

func (*ReusableWorkflowMetadataSecrets) UnmarshalYAML added in v1.6.19

func (secrets *ReusableWorkflowMetadataSecrets) UnmarshalYAML(n *yaml.Node) error

UnmarshalYAML implements yaml.Unmarshaler.

type Rule

type Rule interface {
	Pass
	Errs() []*Error
	Name() string
	EnableDebug(out io.Writer)
}

Rule is an interface which all rule structs must meet

type RuleAction

type RuleAction struct {
	RuleBase
	// contains filtered or unexported fields
}

RuleAction is a rule to check running action in steps of jobs. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsuses

func NewRuleAction

func NewRuleAction(cache *LocalActionsCache) *RuleAction

NewRuleAction creates new RuleAction instance.

func (*RuleAction) VisitStep

func (rule *RuleAction) VisitStep(n *Step) error

VisitStep is callback when visiting Step node.

type RuleBase

type RuleBase struct {
	// contains filtered or unexported fields
}

RuleBase is a struct to be a base of rule structs. Embed this struct to define default methods automatically

func (*RuleBase) EnableDebug added in v1.2.0

func (r *RuleBase) EnableDebug(out io.Writer)

EnableDebug enables debug output from the rule. Given io.Writer instance is used to print debug information to console

func (*RuleBase) Errs

func (r *RuleBase) Errs() []*Error

Errs returns errors found by the rule.

func (*RuleBase) Name

func (r *RuleBase) Name() string

Name is name of the rule.

func (*RuleBase) VisitJobPost

func (r *RuleBase) VisitJobPost(node *Job) error

VisitJobPost is callback when visiting Job node after visiting its children.

func (*RuleBase) VisitJobPre

func (r *RuleBase) VisitJobPre(node *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RuleBase) VisitStep

func (r *RuleBase) VisitStep(node *Step) error

VisitStep is callback when visiting Step node.

func (*RuleBase) VisitWorkflowPost

func (r *RuleBase) VisitWorkflowPost(node *Workflow) error

VisitWorkflowPost is callback when visiting Workflow node after visiting its children.

func (*RuleBase) VisitWorkflowPre

func (r *RuleBase) VisitWorkflowPre(node *Workflow) error

VisitWorkflowPre is callback when visiting Workflow node before visiting its children.

type RuleCredentials

type RuleCredentials struct {
	RuleBase
}

RuleCredentials is a rule to check credentials in workflows

func NewRuleCredentials

func NewRuleCredentials() *RuleCredentials

NewRuleCredentials creates new RuleCredentials instance

func (*RuleCredentials) VisitJobPre

func (rule *RuleCredentials) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

type RuleEnvVar

type RuleEnvVar struct {
	RuleBase
}

RuleEnvVar is a rule checker to check environment variables setup.

func NewRuleEnvVar

func NewRuleEnvVar() *RuleEnvVar

NewRuleEnvVar creates new RuleEnvVar instance.

func (*RuleEnvVar) VisitJobPre

func (rule *RuleEnvVar) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RuleEnvVar) VisitStep

func (rule *RuleEnvVar) VisitStep(n *Step) error

VisitStep is callback when visiting Step node.

func (*RuleEnvVar) VisitWorkflowPre

func (rule *RuleEnvVar) VisitWorkflowPre(n *Workflow) error

VisitWorkflowPre is callback when visiting Workflow node before visiting its children.

type RuleEvents

type RuleEvents struct {
	RuleBase
}

RuleEvents is a rule to check 'on' field in workflow. https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows

func NewRuleEvents

func NewRuleEvents() *RuleEvents

NewRuleEvents creates new RuleEvents instance.

func (*RuleEvents) VisitWorkflowPre

func (rule *RuleEvents) VisitWorkflowPre(n *Workflow) error

VisitWorkflowPre is callback when visiting Workflow node before visiting its children.

type RuleExpression

type RuleExpression struct {
	RuleBase
	// contains filtered or unexported fields
}

RuleExpression is a rule checker to check expression syntax in string values of workflow syntax. It checks syntax and semantics of the expressions including type checks and functions/contexts definitions. For more details see - https://docs.github.com/en/actions/learn-github-actions/contexts - https://docs.github.com/en/actions/learn-github-actions/expressions

func NewRuleExpression

func NewRuleExpression(actionsCache *LocalActionsCache, workflowCache *LocalReusableWorkflowCache) *RuleExpression

NewRuleExpression creates new RuleExpression instance.

func (*RuleExpression) VisitJobPost

func (rule *RuleExpression) VisitJobPost(n *Job) error

VisitJobPost is callback when visiting Job node after visiting its children

func (*RuleExpression) VisitJobPre

func (rule *RuleExpression) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RuleExpression) VisitStep

func (rule *RuleExpression) VisitStep(n *Step) error

VisitStep is callback when visiting Step node.

func (*RuleExpression) VisitWorkflowPost

func (rule *RuleExpression) VisitWorkflowPost(n *Workflow) error

VisitWorkflowPost is callback when visiting Workflow node after visiting its children

func (*RuleExpression) VisitWorkflowPre

func (rule *RuleExpression) VisitWorkflowPre(n *Workflow) error

VisitWorkflowPre is callback when visiting Workflow node before visiting its children.

type RuleGlob added in v1.4.0

type RuleGlob struct {
	RuleBase
}

RuleGlob is a rule to check glob syntax. https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet

func NewRuleGlob added in v1.4.0

func NewRuleGlob() *RuleGlob

NewRuleGlob creates new RuleGlob instance.

func (*RuleGlob) VisitWorkflowPre added in v1.4.0

func (rule *RuleGlob) VisitWorkflowPre(n *Workflow) error

VisitWorkflowPre is callback when visiting Workflow node before visiting its children.

type RuleID added in v1.6.16

type RuleID struct {
	RuleBase
	// contains filtered or unexported fields
}

RuleID is a rule to check step IDs in workflow.

func NewRuleID added in v1.6.16

func NewRuleID() *RuleID

NewRuleID creates a new RuleID instance.

func (*RuleID) VisitJobPost added in v1.6.16

func (rule *RuleID) VisitJobPost(n *Job) error

VisitJobPost is callback when visiting Job node after visiting its children.

func (*RuleID) VisitJobPre added in v1.6.16

func (rule *RuleID) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RuleID) VisitStep added in v1.6.16

func (rule *RuleID) VisitStep(n *Step) error

VisitStep is callback when visiting Step node.

type RuleJobNeeds

type RuleJobNeeds struct {
	RuleBase
	// contains filtered or unexported fields
}

RuleJobNeeds is a rule to check 'needs' field in each job configuration. For more details, see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idneeds

func NewRuleJobNeeds

func NewRuleJobNeeds() *RuleJobNeeds

NewRuleJobNeeds creates new RuleJobNeeds instance.

func (*RuleJobNeeds) VisitJobPre

func (rule *RuleJobNeeds) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RuleJobNeeds) VisitWorkflowPost

func (rule *RuleJobNeeds) VisitWorkflowPost(n *Workflow) error

VisitWorkflowPost is callback when visiting Workflow node after visiting its children.

type RuleMatrix

type RuleMatrix struct {
	RuleBase
}

RuleMatrix is a rule checker to check 'matrix' field of job.

func NewRuleMatrix

func NewRuleMatrix() *RuleMatrix

NewRuleMatrix creates new RuleMatrix instance.

func (*RuleMatrix) VisitJobPre

func (rule *RuleMatrix) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

type RulePermissions added in v1.5.0

type RulePermissions struct {
	RuleBase
}

RulePermissions is a rule checker to check permission configurations in a workflow. https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

func NewRulePermissions added in v1.5.0

func NewRulePermissions() *RulePermissions

NewRulePermissions creates new RulePermissions instance.

func (*RulePermissions) VisitJobPre added in v1.5.0

func (rule *RulePermissions) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RulePermissions) VisitWorkflowPre added in v1.5.0

func (rule *RulePermissions) VisitWorkflowPre(n *Workflow) error

VisitWorkflowPre is callback when visiting Workflow node before visiting its children.

type RulePyflakes added in v1.2.0

type RulePyflakes struct {
	RuleBase
	// contains filtered or unexported fields
}

RulePyflakes is a rule to check Python scripts at 'run:' using pyflakes. https://github.com/PyCQA/pyflakes

func NewRulePyflakes added in v1.2.0

func NewRulePyflakes(executable string, proc *concurrentProcess) (*RulePyflakes, error)

NewRulePyflakes creates new RulePyflakes instance. Parameter executable can be command name or relative/absolute file path. When the given executable is not found in system, it returns an error.

func (*RulePyflakes) VisitJobPost added in v1.2.0

func (rule *RulePyflakes) VisitJobPost(n *Job) error

VisitJobPost is callback when visiting Job node after visiting its children.

func (*RulePyflakes) VisitJobPre added in v1.2.0

func (rule *RulePyflakes) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RulePyflakes) VisitStep added in v1.2.0

func (rule *RulePyflakes) VisitStep(n *Step) error

VisitStep is callback when visiting Step node.

func (*RulePyflakes) VisitWorkflowPost added in v1.2.0

func (rule *RulePyflakes) VisitWorkflowPost(n *Workflow) error

VisitWorkflowPost is callback when visiting Workflow node after visiting its children.

func (*RulePyflakes) VisitWorkflowPre added in v1.2.0

func (rule *RulePyflakes) VisitWorkflowPre(n *Workflow) error

VisitWorkflowPre is callback when visiting Workflow node before visiting its children.

type RuleRunnerLabel

type RuleRunnerLabel struct {
	RuleBase
	// contains filtered or unexported fields
}

RuleRunnerLabel is a rule to check runner label like "ubuntu-latest". There are two types of runners, GitHub-hosted runner and Self-hosted runner. GitHub-hosted runner is described at https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners . And Self-hosted runner is described at https://docs.github.com/en/actions/hosting-your-own-runners/using-self-hosted-runners-in-a-workflow .

func NewRuleRunnerLabel

func NewRuleRunnerLabel(labels []string) *RuleRunnerLabel

NewRuleRunnerLabel creates new RuleRunnerLabel instance.

func (*RuleRunnerLabel) VisitJobPre

func (rule *RuleRunnerLabel) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

type RuleShellName

type RuleShellName struct {
	RuleBase
	// contains filtered or unexported fields
}

RuleShellName is a rule to check 'shell' field. For more details, see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#using-a-specific-shell

func NewRuleShellName

func NewRuleShellName() *RuleShellName

NewRuleShellName creates new RuleShellName instance.

func (*RuleShellName) VisitJobPost

func (rule *RuleShellName) VisitJobPost(n *Job) error

VisitJobPost is callback when visiting Job node after visiting its children.

func (*RuleShellName) VisitJobPre

func (rule *RuleShellName) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RuleShellName) VisitStep

func (rule *RuleShellName) VisitStep(n *Step) error

VisitStep is callback when visiting Step node.

func (*RuleShellName) VisitWorkflowPre

func (rule *RuleShellName) VisitWorkflowPre(n *Workflow) error

VisitWorkflowPre is callback when visiting Workflow node before visiting its children.

type RuleShellcheck

type RuleShellcheck struct {
	RuleBase
	// contains filtered or unexported fields
}

RuleShellcheck is a rule to check shell scripts at 'run:' using shellcheck. https://github.com/koalaman/shellcheck

func NewRuleShellcheck

func NewRuleShellcheck(executable string, proc *concurrentProcess) (*RuleShellcheck, error)

NewRuleShellcheck craetes new RuleShellcheck instance. Parameter executable can be command name or relative/absolute file path. When the given executable is not found in system, it returns an error as 2nd return value.

func (*RuleShellcheck) VisitJobPost

func (rule *RuleShellcheck) VisitJobPost(n *Job) error

VisitJobPost is callback when visiting Job node after visiting its children.

func (*RuleShellcheck) VisitJobPre

func (rule *RuleShellcheck) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RuleShellcheck) VisitStep

func (rule *RuleShellcheck) VisitStep(n *Step) error

VisitStep is callback when visiting Step node.

func (*RuleShellcheck) VisitWorkflowPost

func (rule *RuleShellcheck) VisitWorkflowPost(n *Workflow) error

VisitWorkflowPost is callback when visiting Workflow node after visiting its children.

func (*RuleShellcheck) VisitWorkflowPre

func (rule *RuleShellcheck) VisitWorkflowPre(n *Workflow) error

VisitWorkflowPre is callback when visiting Workflow node before visiting its children.

type RuleWorkflowCall added in v1.6.5

type RuleWorkflowCall struct {
	RuleBase
	// contains filtered or unexported fields
}

RuleWorkflowCall is a rule checker to check workflow call at jobs.<job_id>.

func NewRuleWorkflowCall added in v1.6.5

func NewRuleWorkflowCall(workflowPath string, cache *LocalReusableWorkflowCache) *RuleWorkflowCall

NewRuleWorkflowCall creates a new RuleWorkflowCall instance. 'workflowPath' is a file path to the workflow which is relative to a project root directory or an absolute path.

func (*RuleWorkflowCall) VisitJobPre added in v1.6.5

func (rule *RuleWorkflowCall) VisitJobPre(n *Job) error

VisitJobPre is callback when visiting Job node before visiting its children.

func (*RuleWorkflowCall) VisitWorkflowPre added in v1.6.6

func (rule *RuleWorkflowCall) VisitWorkflowPre(n *Workflow) error

VisitWorkflowPre is callback when visiting Workflow node before visiting its children.

type Runner

type Runner struct {
	// Labels is list label names to select a runner to run a job. There are preset labels and user
	// defined labels. Runner matching to the labels is selected.
	Labels []*String
	// Expression is a string when expression syntax ${{ }} is used for this section. Related issue is #164.
	Expression *String
}

Runner is struct for runner configuration. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idruns-on

type ScheduledEvent

type ScheduledEvent struct {
	// Cron is list of cron strings which schedules workflow.
	Cron []*String
	// Pos is a position in source.
	Pos *Pos
}

ScheduledEvent is event scheduled by workflow. https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows#scheduled-events

func (*ScheduledEvent) EventName

func (e *ScheduledEvent) EventName() string

EventName returns name of the event to trigger this workflow.

type Service

type Service struct {
	// Name is name of the service.
	Name *String
	// Container is configuration of container which runs the service.
	Container *Container
}

Service is configuration to run a service like database. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idservices

type Strategy

type Strategy struct {
	// Matrix is matrix of combinations of values. Each combination will run the job once.
	Matrix *Matrix
	// FailFast is flag to show if other jobs should stop when one job fails.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategyfail-fast
	FailFast *Bool
	// MaxParallel is how many jobs should be run at once.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymax-parallel
	MaxParallel *Int
	// Pos is a position in source.
	Pos *Pos
}

Strategy is strategy configuration of how the job is run. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategy

type String

type String struct {
	// Value is a raw value of the string.
	Value string
	// Quoted represents the string is quoted with ' or " in the YAML source.
	Quoted bool
	// Pos is a position of the string in source.
	Pos *Pos
}

String represents generic string value in YAML file with position.

type StringNode

type StringNode struct {
	// Value is value of the string literal. Escapes are resolved and quotes at both edges are
	// removed.
	Value string
	// contains filtered or unexported fields
}

StringNode is node for string literal.

func (*StringNode) Token

func (n *StringNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type StringType

type StringType struct{}

StringType is type for string values.

func (StringType) Assignable

func (ty StringType) Assignable(other ExprType) bool

Assignable returns if other type can be assignable to the type.

func (StringType) DeepCopy added in v1.6.8

func (ty StringType) DeepCopy() ExprType

DeepCopy duplicates itself. All its child types are copied recursively.

func (StringType) Merge added in v1.6.4

func (ty StringType) Merge(other ExprType) ExprType

Merge merges other type into this type. When other type conflicts with this type, the merged result is any type as fallback.

func (StringType) String

func (ty StringType) String() string

type Token

type Token struct {
	// Kind is kind of the token.
	Kind TokenKind
	// Value is string representation of the token.
	Value string
	// Offset is byte offset of token string starting.
	Offset int
	// Line is line number of start position of the token. Note that this value is 1-based.
	Line int
	// Column is column number of start position of the token. Note that this value is 1-based.
	Column int
}

Token is a token lexed from expression syntax. For more details, see https://docs.github.com/en/actions/learn-github-actions/expressions

func (*Token) String

func (t *Token) String() string

type TokenKind

type TokenKind int

TokenKind is kind of token.

const (
	// TokenKindUnknown is a default value of token as unknown token value.
	TokenKindUnknown TokenKind = iota
	// TokenKindEnd is a token for end of token sequence. Sequence without this
	// token means invalid.
	TokenKindEnd
	// TokenKindIdent is a token for identifier.
	TokenKindIdent
	// TokenKindString is a token for string literals.
	TokenKindString
	// TokenKindInt is a token for integers including hex integers.
	TokenKindInt
	// TokenKindFloat is a token for float numbers.
	TokenKindFloat
	// TokenKindLeftParen is a token for '('.
	TokenKindLeftParen
	// TokenKindRightParen is a token for ')'.
	TokenKindRightParen
	// TokenKindLeftBracket is a token for '['.
	TokenKindLeftBracket
	// TokenKindRightBracket is a token for ']'.
	TokenKindRightBracket
	// TokenKindDot is a token for '.'.
	TokenKindDot
	// TokenKindNot is a token for '!'.
	TokenKindNot
	// TokenKindLess is a token for '<'.
	TokenKindLess
	// TokenKindLessEq is a token for '<='.
	TokenKindLessEq
	// TokenKindGreater is a token for '>'.
	TokenKindGreater
	// TokenKindGreaterEq is a token for '>='.
	TokenKindGreaterEq
	// TokenKindEq is a token for '=='.
	TokenKindEq
	// TokenKindNotEq is a token for '!='.
	TokenKindNotEq
	// TokenKindAnd is a token for '&&'.
	TokenKindAnd
	// TokenKindOr is a token for '||'.
	TokenKindOr
	// TokenKindStar is a token for '*'.
	TokenKindStar
	// TokenKindComma is a token for ','.
	TokenKindComma
)

func (TokenKind) String

func (t TokenKind) String() string

type UntrustedInputChecker added in v1.6.1

type UntrustedInputChecker struct {
	// contains filtered or unexported fields
}

UntrustedInputChecker is a checker to detect untrusted inputs in an expression syntax tree. This checker checks object property accesses, array index accesses, and object filters. And detects paths to untrusted inputs. Found errors are stored in this instance and can be get via Errs method.

Note: To avoid breaking the state of checking property accesses on nested property accesses like foo[aaa.bbb].bar, IndexAccessNode.Index must be visited before IndexAccessNode.Operand.

func NewUntrustedInputChecker added in v1.6.1

func NewUntrustedInputChecker(roots UntrustedInputSearchRoots) *UntrustedInputChecker

NewUntrustedInputChecker creates a new UntrustedInputChecker instance. The roots argument is a search tree which defines untrusted input paths as trees.

func (*UntrustedInputChecker) Errs added in v1.6.1

func (u *UntrustedInputChecker) Errs() []*ExprError

Errs returns errors detected by this checker. This method should be called after visiting all nodes in a syntax tree.

func (*UntrustedInputChecker) Init added in v1.6.1

func (u *UntrustedInputChecker) Init()

Init initializes a state of checker.

func (*UntrustedInputChecker) OnVisitEnd added in v1.6.8

func (u *UntrustedInputChecker) OnVisitEnd()

OnVisitEnd is a callback which should be called after visiting whole syntax tree. This callback is necessary to handle the case where an untrusted input access is at root of expression.

func (*UntrustedInputChecker) OnVisitNodeLeave added in v1.6.8

func (u *UntrustedInputChecker) OnVisitNodeLeave(n ExprNode)

OnVisitNodeLeave is a callback which should be called on visiting node after visiting its children.

type UntrustedInputMap added in v1.6.1

type UntrustedInputMap struct {
	Name     string
	Parent   *UntrustedInputMap
	Children map[string]*UntrustedInputMap
}

UntrustedInputMap is a recursive map to match context object property dereferences. Root of this map represents each context names and their ancestors represent recursive properties.

func NewUntrustedInputMap added in v1.6.8

func NewUntrustedInputMap(name string, children ...*UntrustedInputMap) *UntrustedInputMap

NewUntrustedInputMap creates new instance of UntrustedInputMap. It is used for node of search tree of untrusted input checker.

func (*UntrustedInputMap) String added in v1.6.8

func (m *UntrustedInputMap) String() string

type UntrustedInputSearchRoots added in v1.6.8

type UntrustedInputSearchRoots map[string]*UntrustedInputMap

UntrustedInputSearchRoots is a list of untrusted inputs. It forms tree structure to detect untrusted inputs in nested object property access, array index access, and object filters efficiently. Each value of this map represents a root of the search so their names are context names.

func (UntrustedInputSearchRoots) AddRoot added in v1.6.8

AddRoot adds a new root to search for detecting untrusted input.

type VariableNode

type VariableNode struct {
	// Name is name of the variable
	Name string
	// contains filtered or unexported fields
}

VariableNode is node for variable access.

func (*VariableNode) Token

func (n *VariableNode) Token() *Token

Token returns the first token of the node. This method is useful to get position of this node.

type VisitExprNodeFunc added in v1.6.1

type VisitExprNodeFunc func(node, parent ExprNode, entering bool)

VisitExprNodeFunc is a visitor function for VisitExprNode(). The entering argument is set to true when it is called before visiting children. It is set to false when it is called after visiting children. It means that this function is called twice for the same node. The parent argument is the parent of the node. When the node is root, its parent is nil.

type Visitor

type Visitor struct {
	// contains filtered or unexported fields
}

Visitor visits syntax tree from root in depth-first order

func NewVisitor

func NewVisitor() *Visitor

NewVisitor creates Visitor instance

func (*Visitor) AddPass

func (v *Visitor) AddPass(p Pass)

AddPass adds new pass which is called on traversing a syntax tree

func (*Visitor) EnableDebug

func (v *Visitor) EnableDebug(w io.Writer)

EnableDebug enables debug output when non-nil io.Writer value is given. All debug outputs from visitor will be written to the writer.

func (*Visitor) Visit

func (v *Visitor) Visit(n *Workflow) error

Visit visits given syntax tree in depth-first order

type WebhookEvent

type WebhookEvent struct {
	// Hook is a name of the webhook event.
	Hook *String
	// Types is list of types of the webhook event. Only the types enumerated here will trigger
	// the workflow.
	Types []*String
	// Branches is 'branches' filter. This value is nil when it is omitted.
	Branches *WebhookEventFilter
	// BranchesIgnore is 'branches-ignore' filter. This value is nil when it is omitted.
	BranchesIgnore *WebhookEventFilter
	// Tags is 'tags' filter. This value is nil when it is omitted.
	Tags *WebhookEventFilter
	// TagsIgnore is 'tags-ignore' filter. This value is nil when it is omitted.
	TagsIgnore *WebhookEventFilter
	// Paths is 'paths' filter. This value is nil when it is omitted.
	Paths *WebhookEventFilter
	// PathsIgnore is 'paths-ignore' filter. This value is nil when it is omitted.
	PathsIgnore *WebhookEventFilter
	// Workflows is list of workflow names which are triggered by 'workflow_run' event.
	Workflows []*String
	// Pos is a position in source.
	Pos *Pos
}

WebhookEvent represents event type based on webhook events. Some events can't have 'types' field. Only 'push' and 'pull' events can have 'tags', 'tags-ignore', 'paths' and 'paths-ignore' fields. Only 'workflow_run' event can have 'workflows' field. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onevent_nametypes

func (*WebhookEvent) EventName

func (e *WebhookEvent) EventName() string

EventName returns name of the event to trigger this workflow.

type WebhookEventFilter added in v1.6.14

type WebhookEventFilter struct {
	// Name is a name of filter such like 'branches', 'tags'
	Name *String
	// Values is a list of filter values.
	Values []*String
}

WebhookEventFilter is a filter for Webhook events such as 'branches', 'paths-ignore', ... Webhook events are filtered by those filters. Some filters are exclusive. https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#using-filters

func (*WebhookEventFilter) IsEmpty added in v1.6.14

func (f *WebhookEventFilter) IsEmpty() bool

IsEmpty returns true when it has no value. This may mean the WebhookEventFilter instance itself is nil.

type Workflow

type Workflow struct {
	// Name is name of the workflow. This field can be nil when user didn't specify the name explicitly.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#name
	Name *String
	// RunName is the name of workflow runs. This field can be set dynamically using ${{ }}.
	// https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#run-name
	RunName *String
	// On is list of events which can trigger this workflow.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onpushpull_requestbranchestags
	On []Event
	// Permissions is configuration of permissions of this workflow.
	Permissions *Permissions
	// Env is a default set of environment variables while running this workflow.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#env
	Env *Env
	// Defaults is default configuration of how to run scripts.
	Defaults *Defaults
	// Concurrency is concurrency configuration of entire workflow. Each jobs also can their own
	// concurrency configurations.
	Concurrency *Concurrency
	// Jobs is mappings from job ID to the job object. Keys are in lower case since they are case-insensitive.
	Jobs map[string]*Job
}

Workflow is root of workflow syntax tree, which represents one workflow configuration file. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions

func (*Workflow) FindWorkflowCallEvent added in v1.6.10

func (w *Workflow) FindWorkflowCallEvent() (*WorkflowCallEvent, bool)

FindWorkflowCallEvent returns workflow_call event node if exists

type WorkflowCall added in v1.6.5

type WorkflowCall struct {
	// Uses is a workflow specification to be called. This field is mandatory.
	Uses *String
	// Inputs is a map from input name to input value at 'with:'. Keys are in lower case since input names
	// are case-insensitive.
	Inputs map[string]*WorkflowCallInput
	// Secrets is a map from secret name to secret value at 'secrets:'. Keys are in lower case since input
	// names are case-insensitive.
	Secrets map[string]*WorkflowCallSecret
	// InheritSecrets is true when 'secrets: inherit' is specified. In this case, Secrets must be empty.
	// https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_callsecretsinherit
	InheritSecrets bool
}

WorkflowCall is a struct to represent workflow call at jobs.<job_id>. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_iduses

type WorkflowCallEvent added in v1.6.5

type WorkflowCallEvent struct {
	// Inputs is a map from input name to input configuration. Keys are in lower case since they are case-insensitive.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onworkflow_callinputs
	Inputs map[string]*WorkflowCallEventInput
	// Secrets is a map from name of secret to secret configuration. When 'secrets' is omitted, nil is set to this
	// field. Keys are in lower case since they are case-insensitive.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onworkflow_callsecrets
	Secrets map[string]*WorkflowCallEventSecret
	// Outputs is a map from name of output to output configuration. Keys are in lower case since they are case-insensitive.
	// https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-outputs-from-a-reusable-workflow
	Outputs map[string]*WorkflowCallEventOutput
	// Pos is a position in source.
	Pos *Pos
}

WorkflowCallEvent is workflow_call event configuration. https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows#workflow-reuse-events

func (*WorkflowCallEvent) EventName added in v1.6.5

func (e *WorkflowCallEvent) EventName() string

EventName returns name of the event to trigger this workflow.

type WorkflowCallEventInput added in v1.6.5

type WorkflowCallEventInput struct {
	// Name is a name of the input.
	Name *String
	// Description is a description of the input.
	Description *String
	// Default is a default value of the input. Nil means no default value.
	Default *String
	// Required represents if the input is required or optional. When this value is nil, it was not explicitly specified.
	// In the case the default value is 'not required'.
	Required *Bool
	// Type of the input, which must be one of 'boolean', 'number' or 'string'. This property is required.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onworkflow_callinput_idtype
	Type WorkflowCallEventInputType
}

WorkflowCallEventInput is an input configuration of workflow_call event. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onworkflow_callinputs

func (*WorkflowCallEventInput) IsRequired added in v1.6.14

func (i *WorkflowCallEventInput) IsRequired() bool

IsRequired returns if the input is marked as required or not. require

type WorkflowCallEventInputType added in v1.6.5

type WorkflowCallEventInputType uint8

WorkflowCallEventInputType is a type of inputs at workflow_call event. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onworkflow_callinput_idtype

const (
	// WorkflowCallEventInputTypeInvalid represents invalid type input as default value of the type.
	WorkflowCallEventInputTypeInvalid WorkflowCallEventInputType = iota
	// WorkflowCallEventInputTypeBoolean represents boolean type input.
	WorkflowCallEventInputTypeBoolean
	// WorkflowCallEventInputTypeNumber represents number type input.
	WorkflowCallEventInputTypeNumber
	// WorkflowCallEventInputTypeString represents string type input.
	WorkflowCallEventInputTypeString
)

type WorkflowCallEventOutput added in v1.6.10

type WorkflowCallEventOutput struct {
	// Name is a name of the output.
	Name *String
	// Description is a description of the output.
	Description *String
	// Value is an expression for the value of the output.
	Value *String
}

WorkflowCallEventOutput is an output configuration of workflow_call event. https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-outputs-from-a-reusable-workflow

type WorkflowCallEventSecret added in v1.6.5

type WorkflowCallEventSecret struct {
	// Name is a name of the secret.
	Name *String
	// Description is a description of the secret.
	Description *String
	// Required represents if the secret is required or optional. When this value is nil, it means optional.
	// https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onworkflow_callsecretssecret_idrequired
	Required *Bool
}

WorkflowCallEventSecret is a secret configuration of workflow_call event. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onworkflow_callsecrets

type WorkflowCallInput added in v1.6.5

type WorkflowCallInput struct {
	// Name is a name of the input.
	Name *String
	// Value is a value of the input.
	Value *String
}

WorkflowCallInput is a normal input for workflow call.

type WorkflowCallSecret added in v1.6.5

type WorkflowCallSecret struct {
	// Name is a name of the secret
	Name *String
	// Value is a value of the secret
	Value *String
}

WorkflowCallSecret is a secret input for workflow call. https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idwith

type WorkflowDispatchEvent

type WorkflowDispatchEvent struct {
	// Inputs is map from input names to input attributes. Keys are in lower case since they are case insensitive.
	Inputs map[string]*DispatchInput
	// Pos is a position in source.
	Pos *Pos
}

WorkflowDispatchEvent is event on dispatching workflow manually. https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows#workflow_dispatch

func (*WorkflowDispatchEvent) EventName

func (e *WorkflowDispatchEvent) EventName() string

EventName returns name of the event to trigger this workflow.

type WorkflowDispatchEventInputType added in v1.6.8

type WorkflowDispatchEventInputType uint8

WorkflowDispatchEventInputType is a type for input types of workflow_dispatch events. https://github.blog/changelog/2021-11-10-github-actions-input-types-for-manual-workflows/

const (
	// WorkflowDispatchEventInputTypeNone represents no type is specified to the input of workflow_dispatch event.
	WorkflowDispatchEventInputTypeNone WorkflowDispatchEventInputType = iota
	// WorkflowDispatchEventInputTypeString is string type of input of workflow_dispatch event.
	WorkflowDispatchEventInputTypeString
	// WorkflowDispatchEventInputTypeBoolean is boolean type of input of workflow_dispatch event.
	WorkflowDispatchEventInputTypeBoolean
	// WorkflowDispatchEventInputTypeChoice is choice type of input of workflow_dispatch event.
	WorkflowDispatchEventInputTypeChoice
	// WorkflowDispatchEventInputTypeEnvironment is environment type of input of workflow_dispatch event.
	WorkflowDispatchEventInputTypeEnvironment
)

Directories

Path Synopsis
cmd
+build gofuzz
+build gofuzz
scripts

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL