github.com/cardinal-cryptography/github-actions-validator
Quick tool to validate workflows and actions in .github directory
See the checks that are performed on all the workflow and action files. These are separate into errors
and warnings. Each check has a code where as one starting with E indicates an error, N indicates
a warning about invalid naming convention and, finally W is any other warning.
Additionally, code will contain either A if it is an action where the issue is found, and W if
issue occurs in a workflow.
| Code | Description |
|---|---|
| EA809 | Called step with id '%s' does not exist |
| EA811 | Called step with id '%s' output '%s' does not exist |
| EW203 | Job '%s' has invalid value '%s' in 'needs' field |
| EW201 | Called variable '%s' is invalid |
| EW202 | Called input '%s' does not exist |
| EW203 | Job '%s' has invalid value '%s' in 'needs' field |
| EW801 | Path to external action '%s' is invalid |
| EW802 | Path to local action '%s' is invalid |
| EW803 | Call to non-existing local action '%s' |
| EW804 | Required input '%s' missing for local action '%s' |
| EW805 | Input '%s' does not exist in local action '%s' |
| EW806 | Required input '%s' missing for external action '%s' |
| EW807 | Input '%s' does not exist in external action '%s' |
| EW808 | Call to non-existing external action '%s' |
| EW809 | Called step with id '%s' does not exist |
| EW810 | Called step with id '%s' does not exist |
| EW811 | Called step with id '%s' output '%s' does not exist |
| EW254 | Called variable '%s' does not exist in provided list of available vars (when -z provided) |
| EW255 | Called secret '%s' does not exist in provided list of available secrets (when -s provided) |
| Code | Description |
|---|---|
| WW101 | Called env var '%s' not found in global, job or step 'env' block - check it |
| WW201 | Called var '%s' may not need to be in double quotes |
| Code | Description |
|---|---|
| NA101 | Action directory name should contain lowercase alphanumeric characters and hyphens only |
| NA102 | Action file name should have .yml extension |
| NA103 | Action name is empty |
| NA104 | Action description is empty |
| NA301 | Action input name should contain lowercase alphanumeric characters and hyphens only |
| NA302 | Action input must have a description |
| NA501 | Action output name should contain lowercase alphanumeric characters and hyphens only |
| NA502 | Action output must have a description |
| NW101 | Workflow file name should contain alphanumeric characters and hyphens only |
| NW102 | Workflow file name should have .yml extension |
| NW103 | Env variable name '%s' should contain uppercase alphanumeric characters and underscore only |
| NW104 | Workflow name is empty |
| NW106 | When workflow has only one job, it should be named 'main' |
| NW107 | Called variable name '%s' should contain uppercase alphanumeric characters and underscore only |
| NW301 | Workflow input name should contain lowercase alphanumeric characters and hyphens only |
| NW302 | Workflow input must have a description |
| NW501 | Workflow job name should contain lowercase alphanumeric characters and hyphens only |
| NW502 | Env variable name '%s' should contain uppercase alphanumeric characters and underscore only |
| NW701 | Env variable name '%s' should contain uppercase alphanumeric characters and underscore only |
Run go build -o github-actions-validator to compile the binary.
To build the docker image, use the following command.
docker build -t github-actions-validator .
Check below help message for validate command:
Usage: github-actions-validator validate [FLAGS]
Runs the validation on files from a specified directory
Required flags:
-p, --path Path to .github directory
Optional flags:
-s, --secrets-file Check if secret names exist in this file (one per line)
-z, --vars-file Check if variable names exist in this file (one per line)
Use -p argument to point to .github directories. The tool will search for any actions in the actions
directory, where each action is in its own sub-directory and its filename is either action.yaml or
action.yml. And, it will search for workflows' *.yml and *.yaml files in workflows directory.
Additionally, all the variable names (meaning ${{ var.NAME }}) as well as secrets (${{ secret.NAME }})
in the workflow can be checked against a list of possible names. Use -z and -s arguments with paths
to files containing a list of possible variable or secret names, with names being separated by new line or
space.
% cat ~/secrets-list.txt
MY_SECRET_1
MY_SECRET_2
% ./github-actions-validator validate -p /path/to/.github -s ~/secrets-list.txt | grep '^EW25'
EW255: workflow my-workflow.yml Called secret 'GITHUB_TOKEN' does not exist in provided list of available secrets
Note that the image has to be present, either built or pulled from the registry. Replace path to the .github directory.
docker run --rm --name tmp-gha-validator \
-v /Users/me/my-repo/.github:/dot-github \
github-actions-validator \
validate -p /dot-github
Currently, tool always exit with code 0. To check if there are any errors, please use grep to filter
the output for errors.
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.