Research
2025 Report: Destructive Malware in Open Source Packages
Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
By Kush Pandya - Dec 24, 2025
@actions/workflow-parser
Advanced tools
actions/workflow-parser
@actions/workflow-parser is a library to parse GitHub Actions workflows.
Installation
The package contains TypeScript types and compiled ECMAScript modules.
npm install @actions/workflow-parser
Usage
The parser is driven by a custom schema defined in worflows-v1.0.json.
Simple example
parseWorkflow parses the workflow YAML into an intermediate representation and validates that it conforms to the schema. Any parsing errors are returned in the errors property of the result context.
var trace: TraceWriter;
const result = parseWorkflow(
{
name: "test.yaml",
content: `on: push
jobs:
build:
runs-on: ubuntu-latest
steps:
- run: echo 'hello'`
},
trace
);
convertWorkflowTemplate then takes that intermediate representation and converts it to a WorkflowTemplate object, which is a more convenient representation for working with workflows.
const workflowTemplate = await convertWorkflowTemplate(result.context, result.value);
// workflowTemplate.jobs[0].id === "build"
// workflowTemplate.jobs[0].steps[0].run === "echo 'hello'"
Contributing
See CONTRIBUTING.md at the root of the repository for general guidelines and recommendations.
Similar to `actions/expressions, this project is just one of multiple implementations of the GitHub Actions workflow parser. We therefore cannot accept contributions that significantly modify the schema or the overall behavior of the parser. If you would like to propose changes to Actions itself, please use our Community Forum.
If you do want to contribute, please run prettier to format your code and add unit tests as appropriate before submitting your PR. ./testdata contains test cases that all implementations should pass, please also make sure those tests are still passing.
Build
npm run build
or to watch for changes
npm run watch
Test
npm test
or to watch for changes and run tests:
npm run test-watch
Lint
npm run format-check
License
This project is licensed under the terms of the MIT open source license. Please refer to MIT for the full terms.
FAQs
Unknown package
The npm package @actions/workflow-parser receives a total of 339 weekly downloads. As such, @actions/workflow-parser popularity was classified as not popular.
We found that @actions/workflow-parser demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 7 open source maintainers collaborating on the project.
Package last updated on 02 Jan 2026
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Engineering with AI Podcast: The Promise of AI-First Development
Socket CTO Ahmad Nassri shares practical AI coding techniques, tools, and team workflows, plus what still feels noisy and why shipping remains human-led.
By Sarah Gooding - Dec 24, 2025
Research
/Security News
Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft.
By Nicholas Anderson, Kirill Boychenko - Dec 23, 2025