GitHub Actions Linter
v2
Lint and validate GitHub Actions workflow YAML files for common mistakes, security issues, deprecated actions, and best practices. Use when asked to lint, validate, audit, or check GitHub Actions workflows, CI/CD pipelines on GitHub, or .github/workflows/*.yml files. Triggers on "lint actions", "check workflow", "validate CI", "audit GitHub Actions", "workflow issues", "actions security".
GitHub Actions Linter
Lint GitHub Actions workflow files for syntax errors, security issues, deprecated actions, and best-practice violations.
Commands
All commands use the bundled Python script at scripts/gha_linter.py.
- Lint a workflow file
Runs all lint rules against one or more workflow files. If given a directory, scans for .yml and .yaml files recursively.
Flags:
- --strict — exit code 1 on any warning (not just errors)
- --format — output format: text (default), json, markdown
- Audit for security issues
Focused security audit: shell injection via ${{ }} in run:, hardcoded secrets, overly permissive permissions, untrusted event contexts in expressions.
- Check for deprecated actions
Detects outdated action versions (e.g., actions/checkout@v2, actions/setup-node@v3 when v4 exists) and suggests upgrades.
- Validate workflow structure
Structural validation only: required keys (on, jobs), valid trigger events, valid runs-on labels, job dependency graph (circular deps, missing refs).
Lint Rules (28 total)
Syntax & Structure (8 rules)
- missing-on — workflow missing on trigger
- missing-jobs — workflow missing jobs section
- empty-jobs — jobs section is empty
- missing-runs-on — job missing runs-on
- missing-steps — job missing steps
- empty-steps — steps list is empty
- invalid-trigger — unknown trigger event name
- circular-deps — circular job dependency via needs
Security (8 rules)
- shell-injection — ${{ }} expression in run: (potential injection)
- hardcoded-secret — hardcoded password/token/key patterns in workflow
- permissive-permissions — permissions: write-all or no permissions block
- untrusted-context — dangerous contexts in expressions (github.event.issue.title, github.event.pull_request.body, etc.)
- pull-request-target — pull_request_target with checkout of PR head (known attack vector)
- third-party-action — non-verified third-party action without pinned SHA
- env-in-run — secret used directly in run: instead of via env:
- excessive-permissions — job requests more permissions than needed
Deprecated & Outdated (4 rules)
- deprecated-action — action version is outdated (v1/v2 when v4 exists)
- deprecated-runner — using deprecated runner labels (ubuntu-18.04, macos-10.15)
- set-output-deprecated — using deprecated ::set-output:: command
- save-state-deprecated — using deprecated ::save-state:: command
Best Practices (8 rules)
- missing-timeout — job without timeout-minutes (default 6h is dangerous)
- missing-name — step without name (harder to debug)
- latest-tag — action pinned to @main or @master (unstable)
- no-concurrency — workflow without concurrency (can waste resources)
- hardcoded-runner — hardcoded runner version instead of -latest
- long-run-command — run: block exceeds 50 lines (should be a script)
- duplicate-step-id — duplicate id in steps within same job
- missing-if-continue — continue-on-error: true without explanation comment
Output Formats
Text (default)
```text
workflow.yml:12:3 error [shell-injection] Expression ${{ github.event.issue.title }} in run: is vulnerable to injection
workflow.yml:25:5 warning [missing-timeout] Job 'build' has no timeout-minutes (default: 360 min)
workflow.yml:31:7 warning [missing-name] Step at index 2 has no name
3 issues (1 error, 2 warnings)
```
JSON
```json
{ "file": "workflow.yml", "issues": [...], "summary": {"errors": 1, "warnings": 2, "info": 0} }
```
Markdown
Summary table with severity, rule, location, and message.
CI Integration
```yaml
# .github/workflows/lint-actions.yml
name: Lint workflows
on: [push, pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python3 scripts/gha_linter.py lint .github/workflows/ --strict
```
Exit codes: 0 = clean, 1 = errors found (or warnings in --strict mode).
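As an added example (not the project's gha_linter.py, whose source is not shown here), a minimal Python implementation of the shell-injection and env-in-run rules from the Security group, reporting in the text output format above. It follows run: block scalars by indentation instead of parsing YAML, the severity per rule is assumed from the sample output, and the workflow it scans is constructed for the demonstration.

```python
import re

RUN_KEY_RE = re.compile(r"^\s*(?:-\s+)?(?P<key>run):[ \t]*(?P<value>.*)$")  # `run:` or `- run:` with inline value
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")                                   # a ${{ ... }} expression
BLOCK_SCALARS = {"|", ">", "|-", ">-", "|+", ">+"}

def run_lines(lines):
    """Yield (1-based line, text) for each line of a run: value, including `run: |` block bodies."""
    block_col = None  # column of the `run` key while inside a block scalar, else None
    for n, line in enumerate(lines, 1):
        indent = len(line) - len(line.lstrip())
        if block_col is not None and (not line.strip() or indent > block_col):
            yield n, line  # still inside the block body (deeper indent or blank line)
            continue
        block_col = None
        m = RUN_KEY_RE.match(line)
        if m and m.group("value").strip() in BLOCK_SCALARS:
            block_col = m.start("key")
        elif m:
            yield n, line

def lint_run_expressions(text):
    """Return (line, col, severity, rule, message) tuples for shell-injection and env-in-run."""
    findings = []
    for lineno, line in run_lines(text.splitlines()):
        for m in EXPR_RE.finditer(line):
            expr, col = m.group(1), m.start() + 1
            findings.append((lineno, col, "error", "shell-injection",
                             f"Expression ${{{{ {expr} }}}} in run: is vulnerable to injection"))
            if expr.startswith("secrets."):  # secrets belong in env:, not interpolated into the script
                findings.append((lineno, col, "warning", "env-in-run",
                                 f"Secret {expr} used directly in run: instead of via env:"))
    return findings

def format_text(path, findings):
    """Render findings as file:line:col severity [rule] message, one per line."""
    return "\n".join(f"{path}:{ln}:{c} {sev} [{rule}] {msg}" for ln, c, sev, rule, msg in findings)

SAMPLE_WORKFLOW = """\
on: [issues]
jobs:
  triage:
    steps:
      - run: |
          echo "Issue: ${{ github.event.issue.title }}"
          curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/
      - env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "Issue: $TITLE"
"""  # constructed: step 1 interpolates untrusted text and a secret into the shell; step 2 is the env: fix
```

Running `print(format_text("workflow.yml", lint_run_expressions(SAMPLE_WORKFLOW)))` reports three findings on lines 6 and 7 and none for the hardened step, which reads the title from an environment variable.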