{"id":29239956,"url":"https://github.com/cardinal-cryptography/github-workflows-validator","last_synced_at":"2025-07-03T19:07:59.213Z","repository":{"id":143265539,"uuid":"604280312","full_name":"Cardinal-Cryptography/github-actions-validator","owner":"Cardinal-Cryptography","description":"Better syntax check for GitHub Actions","archived":false,"fork":false,"pushed_at":"2025-03-28T13:59:16.000Z","size":4142,"stargazers_count":0,"open_issues_count":2,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-22T20:50:43.558Z","etag":null,"topics":["github","github-actions"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Cardinal-Cryptography.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-02-20T18:07:23.000Z","updated_at":"2025-03-28T13:59:20.000Z","dependencies_parsed_at":"2024-06-21T07:05:37.090Z","dependency_job_id":"313217f3-58c0-4f06-9033-b969d989abbc","html_url":"https://github.com/Cardinal-Cryptography/github-actions-validator","commit_stats":null,"previous_names":["cardinal-cryptography/github-workflows-validator"],"tags_count":17,"template":false,"template_full_name":null,"purl":"pkg:github/Cardinal-Cryptography/github-actions-validator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cardinal-Cryptography%2Fgithub-actions-validator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cardinal-Cryptography%2Fgithub-actions-validator/tags","releases_url":"https://re
pos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cardinal-Cryptography%2Fgithub-actions-validator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cardinal-Cryptography%2Fgithub-actions-validator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Cardinal-Cryptography","download_url":"https://codeload.github.com/Cardinal-Cryptography/github-actions-validator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cardinal-Cryptography%2Fgithub-actions-validator/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263385761,"owners_count":23458745,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github","github-actions"],"created_at":"2025-07-03T19:07:58.622Z","updated_at":"2025-07-03T19:07:59.171Z","avatar_url":"https://github.com/Cardinal-Cryptography.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# github-actions-validator\n\n[![Go Reference](https://pkg.go.dev/badge/github.com/Cardinal-Cryptography/github-actions-validator.svg)](https://pkg.go.dev/github.com/Cardinal-Cryptography/github-actions-validator) [![Go Report Card](https://goreportcard.com/badge/github.com/Cardinal-Cryptography/github-actions-validator)](https://goreportcard.com/report/github.com/Cardinal-Cryptography/github-actions-validator) ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/Cardinal-Cryptography/github-actions-validator?sort=semver)\n\nQuick tool to validate workflows and actions in .github 
directory\n\n## Checks\nThe checks below are performed on all workflow and action files.  They are separated into errors\nand warnings.  Each check has a code: one starting with `E` indicates an error, `N` indicates\na warning about an invalid naming convention and, finally, `W` is any other warning.\nAdditionally, the code contains `A` if the issue is found in an action, or `W` if the\nissue occurs in a workflow.\n\n### Errors\n\n| Code | Description |\n|------|-------------|\n| EA809 | Called step with id '%s' does not exist |\n| EA811 | Called step with id '%s' output '%s' does not exist |\n| EW203 | Job '%s' has invalid value '%s' in 'needs' field |\n| EW201 | Called variable '%s' is invalid |\n| EW202 | Called input '%s' does not exist |\n| EW203 | Job '%s' has invalid value '%s' in 'needs' field |\n| EW801 | Path to external action '%s' is invalid |\n| EW802 | Path to local action '%s' is invalid |\n| EW803 | Call to non-existing local action '%s' |\n| EW804 | Required input '%s' missing for local action '%s' |\n| EW805 | Input '%s' does not exist in local action '%s' |\n| EW806 | Required input '%s' missing for external action '%s' |\n| EW807 | Input '%s' does not exist in external action '%s' |\n| EW808 | Call to non-existing external action '%s' |\n| EW809 | Called step with id '%s' does not exist |\n| EW810 | Called step with id '%s' does not exist |\n| EW811 | Called step with id '%s' output '%s' does not exist |\n| EW254 | Called variable '%s' does not exist in provided list of available vars (when -z provided) |\n| EW255 | Called secret '%s' does not exist in provided list of available secrets (when -s provided) |\n\n### Warnings\n\n| Code | Description |\n|------|-------------|\n| WW101 | Called env var '%s' not found in global, job or step 'env' block - check it |\n| WW201 | Called var '%s' may not need to be in double quotes |\n\n### Naming convention warnings\n\n| Code | Description |\n|------|-------------|\n| NA101 | 
Action directory name should contain lowercase alphanumeric characters and hyphens only |\n| NA102 | Action file name should have .yml extension |\n| NA103 | Action name is empty |\n| NA104 | Action description is empty |\n| NA301 | Action input name should contain lowercase alphanumeric characters and hyphens only |\n| NA302 | Action input must have a description |\n| NA501 | Action output name should contain lowercase alphanumeric characters and hyphens only |\n| NA502 | Action output must have a description |\n| NW101 | Workflow file name should contain alphanumeric characters and hyphens only |\n| NW102 | Workflow file name should have .yml extension |\n| NW103 | Env variable name '%s' should contain uppercase alphanumeric characters and underscore only |\n| NW104 | Workflow name is empty |\n| NW106 | When workflow has only one job, it should be named 'main' |\n| NW107 | Called variable name '%s' should contain uppercase alphanumeric characters and underscore only |\n| NW301 | Workflow input name should contain lowercase alphanumeric characters and hyphens only |\n| NW302 | Workflow input must have a description |\n| NW501 | Workflow job name should contain lowercase alphanumeric characters and hyphens only |\n| NW502 | Env variable name '%s' should contain uppercase alphanumeric characters and underscore only |\n| NW701 | Env variable name '%s' should contain uppercase alphanumeric characters and underscore only |\n\n\n## Building\nRun `go build -o github-actions-validator` to compile the binary.\n\n### Building docker image\nTo build the Docker image, use the following command:\n\n    docker build -t github-actions-validator .\n\n\n## Running\nSee the help message for the `validate` command below:\n\n    Usage:  github-actions-validator validate [FLAGS]\n\n    Runs the validation on files from a specified directory\n\n    Required flags: \n      -p,\t --path  \tPath to .github directory\n    \n    Optional flags: \n      -s,\t --secrets-file  \tCheck if secret 
names exist in this file (one per line)\n      -z,\t --vars-file  \t\tCheck if variable names exist in this file (one per line)\n\nUse the `-p` argument to point to the `.github` directory.  The tool will search for any actions in the `actions`\ndirectory, where each action is in its own sub-directory and its filename is either `action.yaml` or\n`action.yml`.  It will also search for workflow `*.yml` and `*.yaml` files in the `workflows` directory.\n\nAdditionally, all the variable names (meaning `${{ vars.NAME }}`) as well as secrets (`${{ secrets.NAME }}`)\nin the workflow can be checked against a list of possible names.  Use the `-z` and `-s` arguments with paths\nto files containing a list of possible variable or secret names, with names separated by a newline or\na space.\n\n### Example of checking secrets\n\n    % cat ~/secrets-list.txt \n    MY_SECRET_1\n    MY_SECRET_2\n    % ./github-actions-validator validate -p /path/to/.github -s ~/secrets-list.txt | grep '^EW25'\n    EW255: workflow my-workflow.yml                              Called secret 'GITHUB_TOKEN' does not exist in provided list of available secrets\n\n\n### Using docker image\nNote that the image has to be present, either built or pulled from the registry.\nReplace the path to the `.github` directory with your own.\n\n    docker run --rm --name tmp-gha-validator \\\n      -v /Users/me/my-repo/.github:/dot-github \\\n      github-actions-validator \\\n\t  validate -p /dot-github\n\n\n## Exit code\nCurrently, the tool always exits with code 0.  To check if there are any errors, please use `grep` to filter\nthe output for errors.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcardinal-cryptography%2Fgithub-workflows-validator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcardinal-cryptography%2Fgithub-workflows-validator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcardinal-cryptography%2Fgithub-workflows-validator/lists"}