GitHub Actions Validator
Overview
Validate and test GitHub Actions workflows, custom actions, and public actions using industry-standard tools (actionlint and act). This skill provides comprehensive validation including syntax checking, static analysis, local workflow execution testing, and action verification with version-aware documentation lookup.
When to Use This Skill
Use this skill when:
- Validating workflow files: Checking for syntax errors and best practices
- Testing workflows locally: Running workflows with before pushing to GitHub
- Debugging workflow failures: Identifying issues in workflow configuration
- Validating custom actions: Checking composite, Docker, or JavaScript actions
- Verifying public actions: Validating usage of actions from GitHub Marketplace
- Pre-commit validation: Ensuring workflows are valid before committing
CRITICAL: Assistant Workflow (MUST FOLLOW)
Every validation MUST follow these steps. Skipping any step is non-compliant.
Step 1: Run Validation Script
bash
cd .claude/skills/github-actions-validator
bash scripts/validate_workflow.sh <workflow-file-or-directory>
Step 2: For EACH Error - Consult Reference File
When actionlint or act reports ANY error, you MUST:
- Read the appropriate reference file (see mapping below)
- Find the matching error pattern
- Extract the fix/solution
Step 3: Quote the Fix to User
For each error, provide:
- Error message (from script output)
- Explanation (from reference file)
- Fix code (quoted from reference file)
- Corrected code (applied to user's workflow)
Step 4: Verify Public Actions (if present)
For any public actions (
uses: owner/action@version
):
- First check
references/action_versions.md
- Use web search for unknown actions:
"[action-name] [version] github action documentation"
- Verify required inputs match
- Check for deprecation warnings
Step 5: Provide Complete Summary
After all errors are addressed:
- List all fixes applied
- Note any warnings
- Recommend best practices from
Error Type to Reference File Mapping
| Error Pattern in Output | Reference File to Read | Section to Quote |
|---|
| , , , , | | Runner labels |
| , | references/common_errors.md
| Schedule Errors |
| , , | references/common_errors.md
| Expression Errors |
| , , | references/common_errors.md
| Job Configuration Errors |
| , , | references/common_errors.md
| Action Errors |
| , , | references/common_errors.md
| Script Injection section |
| , , | references/common_errors.md
| Syntax Errors |
| , | | Troubleshooting |
| , , , | references/action_versions.md
| Version table |
| , , | references/modern_features.md
| Relevant section |
| , , , | references/common_errors.md
| Path Filter Errors |
Example: Complete Error Handling Workflow
User's workflow has this error:
Step 1 - Script output:
label "ubuntu-lastest" is unknown
Step 2 - Read or references/common_errors.md
Find the "Invalid Runner Label" section.
Step 3 - Quote the fix to user:
Error: label "ubuntu-lastest" is unknown
Cause: Typo in runner label (from
references/common_errors.md
):
yaml
# Bad
runs-on: ubuntu-lastest # Typo
Fix (from
references/common_errors.md
):
yaml
# Good
runs-on: ubuntu-latest
Valid runner labels (from
):
Step 4 - Provide corrected code:
Quick Start
Initial Setup
bash
cd .claude/skills/github-actions-validator
bash scripts/install_tools.sh
This installs
act (local workflow execution) and
actionlint (static analysis) to
.
Basic Validation
bash
# Validate a single workflow
bash scripts/validate_workflow.sh .github/workflows/ci.yml
# Validate all workflows
bash scripts/validate_workflow.sh .github/workflows/
# Lint-only (fastest)
bash scripts/validate_workflow.sh --lint-only .github/workflows/ci.yml
# Test-only with act (requires Docker)
bash scripts/validate_workflow.sh --test-only .github/workflows/
Core Validation Workflow
1. Static Analysis with actionlint
Start with static analysis to catch syntax errors and common issues:
bash
bash scripts/validate_workflow.sh --lint-only .github/workflows/ci.yml
What actionlint checks: YAML syntax, schema compliance, expression syntax, runner labels, action inputs/outputs, job dependencies, CRON syntax, glob patterns, shell scripts, security vulnerabilities.
2. Local Testing with act
After passing static analysis, test workflow execution:
bash
bash scripts/validate_workflow.sh --test-only .github/workflows/
Note: act has limitations - see
.
3. Full Validation
bash
bash scripts/validate_workflow.sh .github/workflows/ci.yml
Validating Resource Types
Workflows
bash
# Single workflow
bash scripts/validate_workflow.sh .github/workflows/ci.yml
# All workflows
bash scripts/validate_workflow.sh .github/workflows/
Key validation points: triggers, job configurations, runner labels, environment variables, secrets, conditionals, matrix strategies.
Custom Local Actions
Create a test workflow that uses the custom action, then validate:
bash
bash scripts/validate_workflow.sh .github/workflows/test-custom-action.yml
Public Actions
When workflows use public actions (e.g.,
):
- Use web search to find action documentation
- Verify required inputs and version
- Check for deprecation warnings
- Run validation script
Search format: "[action-name] [version] github action documentation"
Reference File Consultation Guide
MANDATORY Reference Consultation
| Situation | Reference File | Action |
|---|
| actionlint reports ANY error | references/common_errors.md
| Find matching error, quote solution |
| act fails with Docker error | | Check Troubleshooting section |
| act fails but workflow works on GitHub | | Read Limitations section |
| User asks about actionlint config | references/actionlint_usage.md
| Provide examples |
| User asks about act options | | Read Advanced Options |
| Security vulnerability detected | references/common_errors.md
| Quote fix |
| Validating action versions | references/action_versions.md
| Check version table |
| Using modern features | references/modern_features.md
| Check syntax examples |
| Runner questions/errors | | Check labels and availability |
Script Output to Reference Mapping
| Output Category | Reference File |
|---|
| - Syntax Errors |
| - Expression Errors |
| - Action Errors |
| - Schedule Errors |
| - Security section |
| - Troubleshooting |
| - Limitations |
Reference Files Summary
| File | Content |
|---|
| Act tool usage, commands, options, limitations, troubleshooting |
references/actionlint_usage.md
| Actionlint validation categories, configuration, integration |
references/common_errors.md
| Common errors catalog with fixes |
references/action_versions.md
| Current action versions, deprecation timeline, SHA pinning |
references/modern_features.md
| Reusable workflows, SBOM, OIDC, environments, containers |
| GitHub-hosted runners (ARM64, GPU, M2 Pro, deprecations) |
Troubleshooting
| Issue | Solution |
|---|
| "Tools not found" | Run bash scripts/install_tools.sh
|
| "Docker daemon not running" | Start Docker or use |
| "Permission denied" | Run |
| act fails but GitHub works | See Limitations |
Debug Mode
bash
actionlint -verbose .github/workflows/ci.yml # Verbose actionlint
act -v # Verbose act
act -n # Dry-run (no execution)
Best Practices
- Always validate locally first - Catch errors before pushing
- Use actionlint in CI/CD - Automate validation in pipelines
- Pin action versions - Use not for stability; SHA pinning for security
- Keep tools updated - Regularly update actionlint and act
- Use web search for unknown actions - Verify usage with documentation
- Check version compatibility - See
references/action_versions.md
- Enable shellcheck - Catch shell script issues early
- Review security warnings - Address script injection issues
Limitations
- act limitations: Not all GitHub Actions features work locally
- Docker requirement: act requires Docker to be running
- Network actions: Some GitHub API actions may fail locally
- Private actions: Cannot validate without access
- Runtime behavior: Static analysis cannot catch all issues
- File location: act can only validate workflows in directory; files outside (like ) can only be validated with actionlint
Quick Examples
Example 1: Pre-commit Validation
bash
cd .claude/skills/github-actions-validator
bash scripts/validate_workflow.sh .github/workflows/
git add .github/workflows/ && git commit -m "Update workflows"
Example 2: Debug Failing Workflow
bash
bash scripts/validate_workflow.sh --lint-only .github/workflows/failing.yml
# Fix issues
bash scripts/validate_workflow.sh .github/workflows/failing.yml
Complete Worked Example: Multi-Error Workflow
This example demonstrates the full assistant workflow for handling multiple errors.
User's Problematic Workflow
yaml
name: Broken CI
on:
schedule:
- cron: '0 0 * * 8' # ERROR 1
jobs:
build:
runs-on: ubuntu-lastest # ERROR 2
steps:
- uses: actions/checkout@v3 # ERROR 3 (outdated)
- run: echo ${{ github.event.issue.title }} # ERROR 4 (security)
deploy:
needs: biuld # ERROR 5 (typo)
runs-on: ubuntu-latest
steps:
- run: echo "Deploying"
Step 1: Run Validation
bash
bash scripts/validate_workflow.sh --lint-only workflow.yml
Output:
[ERROR] invalid CRON format "0 0 * * 8"
[ERROR] label "ubuntu-lastest" is unknown
[WARN] "github.event.issue.title" is potentially untrusted
[ERROR] job "deploy" needs job "biuld" which does not exist
Step 2-3: Consult References and Quote Fixes
Error 1: Invalid CRON Expression
From references/common_errors.md
Cause: Day of week 8 doesn't exist (valid: 0-6, where 0 = Sunday)
yaml
# Bad
schedule:
- cron: '0 0 * * 8' # Day 8 doesn't exist
# Good
schedule:
- cron: '0 0 * * 0' # Sunday
CRON format: minute hour day month weekday
- Weekday: 0-6 (0 = Sunday)
Fix: Change
to
(Sunday) or
for Monday-Saturday.
Error 2: Invalid Runner Label
From references/common_errors.md
Cause: Typo in runner label
yaml
# Bad
runs-on: ubuntu-lastest # Typo
# Good
runs-on: ubuntu-latest
- (Ubuntu 24.04)
- ,
- (macOS 15)
- (Windows Server 2022)
Error 3: Outdated Action Version
From references/action_versions.md
| Action | Current Version | Minimum Supported |
|---|
| v6 | v4 |
SHA Pinning Best Practice:
yaml
# Recommended: SHA pinning with version comment
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
Fix: Update from
to
(or SHA-pinned version).
Error 4: Security Vulnerability (Script Injection)
From references/common_errors.md
Warning: Potential script injection via untrusted input
yaml
# Bad - vulnerable to injection
run: echo ${{ github.event.issue.title }}
# Good - use environment variables
env:
TITLE: ${{ github.event.issue.title }}
run: echo "$TITLE"
Why: Untrusted input (issue titles, PR bodies, commit messages) can contain malicious commands. Using environment variables sanitizes the input.
Fix: Pass untrusted input through environment variable.
Error 5: Undefined Job Dependency
From references/common_errors.md
Error: Job 'deploy' depends on job 'biuld' which does not exist
yaml
# Bad
jobs:
build:
runs-on: ubuntu-latest
deploy:
needs: biuld # Typo
# Good
jobs:
build:
runs-on: ubuntu-latest
deploy:
needs: build
Step 4: Provide Corrected Workflow
yaml
name: Fixed CI
on:
schedule:
- cron: '0 0 * * 0' # Fixed: Sunday (0-6 valid)
jobs:
build:
runs-on: ubuntu-latest # Fixed: typo corrected
steps:
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - Fixed: updated version
- name: Process issue
env:
TITLE: ${{ github.event.issue.title }} # Fixed: use env var
run: echo "$TITLE"
deploy:
needs: build # Fixed: typo corrected
runs-on: ubuntu-latest
steps:
- run: echo "Deploying"
Step 5: Summary
| Error | Type | Fix Applied |
|---|
| CRON | Schedule | Changed to |
| Runner | Changed to |
| Outdated Action | Updated to (SHA-pinned) |
| Direct in run | Security | Wrapped in environment variable |
| Job Dependency | Changed to |
Recommendations:
- Run
bash scripts/validate_workflow.sh --check-versions
- Use SHA pinning for all actions in production workflows
- Always pass untrusted input through environment variables
Summary
- Setup: Install tools with
- Validate: Run on workflow files
- Fix: Address issues using reference documentation
- Test: Verify locally with act (when possible)
- Search: Use web search to verify unknown actions
- Commit: Push validated workflows with confidence
For detailed information, consult the appropriate reference file in
.