github.com/cardinal-cryptography/github-workflows-validator
  • v0.6.0
  • Source
  • Go

github-actions-validator

Quick tool to validate workflows and actions in .github directory

Checks

Below are the checks performed on all workflow and action files. They are separated into errors and warnings. Each check has a code: a code starting with E indicates an error, N indicates a warning about an invalid naming convention, and W is any other warning. The second letter is A if the issue is found in an action and W if it occurs in a workflow.

Errors

| Code  | Description |
|-------|-------------|
| EA809 | Called step with id '%s' does not exist |
| EA811 | Called step with id '%s' output '%s' does not exist |
| EW201 | Called variable '%s' is invalid |
| EW202 | Called input '%s' does not exist |
| EW203 | Job '%s' has invalid value '%s' in 'needs' field |
| EW801 | Path to external action '%s' is invalid |
| EW802 | Path to local action '%s' is invalid |
| EW803 | Call to non-existing local action '%s' |
| EW804 | Required input '%s' missing for local action '%s' |
| EW805 | Input '%s' does not exist in local action '%s' |
| EW806 | Required input '%s' missing for external action '%s' |
| EW807 | Input '%s' does not exist in external action '%s' |
| EW808 | Call to non-existing external action '%s' |
| EW809 | Called step with id '%s' does not exist |
| EW810 | Called step with id '%s' does not exist |
| EW811 | Called step with id '%s' output '%s' does not exist |
| EW254 | Called variable '%s' does not exist in provided list of available vars (when -z provided) |
| EW255 | Called secret '%s' does not exist in provided list of available secrets (when -s provided) |

Warnings

| Code  | Description |
|-------|-------------|
| WW101 | Called env var '%s' not found in global, job or step 'env' block - check it |
| WW201 | Called var '%s' may not need to be in double quotes |

Naming convention warnings

| Code  | Description |
|-------|-------------|
| NA101 | Action directory name should contain lowercase alphanumeric characters and hyphens only |
| NA102 | Action file name should have .yml extension |
| NA103 | Action name is empty |
| NA104 | Action description is empty |
| NA301 | Action input name should contain lowercase alphanumeric characters and hyphens only |
| NA302 | Action input must have a description |
| NA501 | Action output name should contain lowercase alphanumeric characters and hyphens only |
| NA502 | Action output must have a description |
| NW101 | Workflow file name should contain alphanumeric characters and hyphens only |
| NW102 | Workflow file name should have .yml extension |
| NW103 | Env variable name '%s' should contain uppercase alphanumeric characters and underscore only |
| NW104 | Workflow name is empty |
| NW106 | When workflow has only one job, it should be named 'main' |
| NW107 | Called variable name '%s' should contain uppercase alphanumeric characters and underscore only |
| NW301 | Workflow input name should contain lowercase alphanumeric characters and hyphens only |
| NW302 | Workflow input must have a description |
| NW501 | Workflow job name should contain lowercase alphanumeric characters and hyphens only |
| NW502 | Env variable name '%s' should contain uppercase alphanumeric characters and underscore only |
| NW701 | Env variable name '%s' should contain uppercase alphanumeric characters and underscore only |

Building

Run `go build -o github-actions-validator` to compile the binary.

Building docker image

To build the docker image, use the following command:

```
docker build -t github-actions-validator .
```

Running

The help message for the validate command is shown below:

```
Usage:  github-actions-validator validate [FLAGS]

Runs the validation on files from a specified directory

Required flags:
  -p,  --path            Path to .github directory

Optional flags:
  -s,  --secrets-file    Check if secret names exist in this file (one per line)
  -z,  --vars-file       Check if variable names exist in this file (one per line)
```

Use the -p argument to point to the .github directory. The tool searches for actions in the actions directory, where each action lives in its own sub-directory and its file is named either action.yaml or action.yml, and for workflows' *.yml and *.yaml files in the workflows directory.

Additionally, all variable names (meaning ${{ var.NAME }}) and secrets (${{ secret.NAME }}) used in the workflow can be checked against a list of allowed names. Use the -z and -s arguments with paths to files containing the list of allowed variable or secret names, with names separated by a new line or a space.

Example of checking secrets

```
% cat ~/secrets-list.txt
MY_SECRET_1
MY_SECRET_2
% ./github-actions-validator validate -p /path/to/.github -s ~/secrets-list.txt | grep '^EW25'
EW255: workflow my-workflow.yml                              Called secret 'GITHUB_TOKEN' does not exist in provided list of available secrets
```
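To show how the secret/variable allow-list checks (EW255, EW254) and the step-id check (EW809) from the tables above can be implemented, here is a small stand-alone Go program. It is an added example written for this page, not code from the github-actions-validator project: it uses only regular expressions instead of a YAML parser, matches the `secrets.` and `vars.` contexts as GitHub Actions spells them, and the workflow text and allow-lists below are constructed for the example. Unlike the tool, it exits non-zero when an error-class finding exists, which is what a CI wrapper needs.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"sort"
	"strings"
)

// Finding is one reported problem. Code follows the README's E/W + A/W scheme
// (EW = error found in a workflow).
type Finding struct {
	Code string
	Msg  string
}

// located pairs a finding with its byte offset so output can follow source order.
type located struct {
	pos int
	f   Finding
}

var (
	// ${{ ... }} expression bodies; GitHub expressions do not span lines.
	exprRe = regexp.MustCompile(`\$\{\{(.*?)\}\}`)
	// Context references inside an expression: secrets.NAME, vars.NAME, steps.ID.outputs.
	secretRe  = regexp.MustCompile(`\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)`)
	varRe     = regexp.MustCompile(`\bvars\.([A-Za-z_][A-Za-z0-9_]*)`)
	stepRefRe = regexp.MustCompile(`\bsteps\.([A-Za-z0-9_-]+)\.outputs\b`)
	// Step ids declared as "id: <value>" lines (first line of a step starts with "- ").
	stepIDRe = regexp.MustCompile(`(?m)^[ \t]*-?[ \t]*id:[ \t]*([A-Za-z0-9_-]+)[ \t]*$`)
)

// ParseNameList mirrors the -s / -z files: names separated by newlines or spaces.
func ParseNameList(s string) map[string]bool {
	set := map[string]bool{}
	for _, n := range strings.Fields(s) {
		set[n] = true
	}
	return set
}

// Check scans one workflow's text and returns findings ordered by position.
// A nil allow-list skips the corresponding check, matching the tool's
// "only when -s / -z provided" behaviour.
func Check(workflow string, allowedSecrets, allowedVars map[string]bool) []Finding {
	declared := map[string]bool{}
	for _, m := range stepIDRe.FindAllStringSubmatch(workflow, -1) {
		declared[m[1]] = true
	}

	var out []located
	for _, e := range exprRe.FindAllStringSubmatchIndex(workflow, -1) {
		start, body := e[2], workflow[e[2]:e[3]]
		for _, m := range stepRefRe.FindAllStringSubmatchIndex(body, -1) {
			if id := body[m[2]:m[3]]; !declared[id] {
				out = append(out, located{start + m[2], Finding{"EW809",
					fmt.Sprintf("Called step with id '%s' does not exist", id)}})
			}
		}
		if allowedSecrets != nil {
			for _, m := range secretRe.FindAllStringSubmatchIndex(body, -1) {
				if name := body[m[2]:m[3]]; !allowedSecrets[name] {
					out = append(out, located{start + m[2], Finding{"EW255",
						fmt.Sprintf("Called secret '%s' does not exist in provided list of available secrets", name)}})
				}
			}
		}
		if allowedVars != nil {
			for _, m := range varRe.FindAllStringSubmatchIndex(body, -1) {
				if name := body[m[2]:m[3]]; !allowedVars[name] {
					out = append(out, located{start + m[2], Finding{"EW254",
						fmt.Sprintf("Called variable '%s' does not exist in provided list of available vars", name)}})
				}
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].pos < out[j].pos })
	findings := make([]Finding, len(out))
	for i, l := range out {
		findings[i] = l.f
	}
	return findings
}

// HasErrors reports whether any finding is error-class (code starting with E).
func HasErrors(fs []Finding) bool {
	for _, f := range fs {
		if strings.HasPrefix(f.Code, "E") {
			return true
		}
	}
	return false
}

// Constructed sample workflow: references a missing step 'test', an unlisted
// secret OLD_KEY and an unlisted variable S3_BUCKET.
const sampleWorkflow = `name: ci
on: push
jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      - id: build
        run: echo "artifact=app.tar" >> "$GITHUB_OUTPUT"
      - name: deploy
        run: ./deploy.sh "${{ steps.build.outputs.artifact }}" "${{ steps.test.outputs.report }}"
        env:
          TOKEN: ${{ secrets.DEPLOY_TOKEN }}
          REGION: ${{ vars.AWS_REGION }}
          LEGACY: ${{ secrets.OLD_KEY }}
          BUCKET: ${{ vars.S3_BUCKET }}
`

// Constructed allow-lists in the -s / -z file format.
const sampleSecrets = "DEPLOY_TOKEN\nGITHUB_TOKEN\n"
const sampleVars = "AWS_REGION"

func main() {
	fs := Check(sampleWorkflow, ParseNameList(sampleSecrets), ParseNameList(sampleVars))
	for _, f := range fs {
		fmt.Printf("%s: %s\n", f.Code, f.Msg)
	}
	if HasErrors(fs) {
		os.Exit(1)
	}
}
```

Running it prints three lines (EW809 for step 'test', EW255 for OLD_KEY, EW254 for S3_BUCKET) and exits with code 1. Expressions are located first and the context references are searched inside each body, so two secrets in one expression (for example a fallback with `||`) are both checked.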

Using docker image

Note that the image has to be present, either built or pulled from the registry. Replace the path to the .github directory with your own.

```
docker run --rm --name tmp-gha-validator \
  -v /Users/me/my-repo/.github:/dot-github \
  github-actions-validator \
  validate -p /dot-github
```

Exit code

Currently, the tool always exits with code 0. To check whether there are any errors, use grep to filter the output for error codes (those starting with E).

Package last updated on 23 Oct 2024
