Update module github.com/rhysd/actionlint to v1.7.10 #1272

Merged
viceice merged 1 commit from renovate/github.com-rhysd-actionlint-1.7.x into main 2026-01-12 16:48:15 +00:00
Member

This PR contains the following updates:

Package Change Age Confidence
github.com/rhysd/actionlint v1.7.8 -> v1.7.10 age confidence

Release Notes

rhysd/actionlint (github.com/rhysd/actionlint)

v1.7.10

Compare Source

  • Support YAML anchors and aliases (&anchor and *anchor) in workflow files. In addition to parsing YAML anchors correctly, actionlint checks unused and undefined anchors. See the document for more details. (#​133, thanks @​srz-zumix for the initial implementation at #​568 and @​alexaandru for trying another approach at #​557)
    jobs:
      test:
        runs-on: ubuntu-latest
        services:
          nginx:
            image: nginx:latest
            credentials: &credentials
              username: ${{ secrets.user }}
              password: ${{ secrets.password }}
        steps:
          - run: ./download.sh
            # OK: Valid alias to &credentials
            env: *credentials
          - run: ./check.sh
            # ERROR: Undefined anchor 'credential'
            env: *credential
          - run: ./upload.sh
            # ERROR: Unused anchor 'credentials'
            env: &credentials
    
  • Remove support for *-xl macOS runner labels because they were dropped. (#​592, thanks @​muzimuzhi)
  • Remove support for the macOS 13 runner labels because they were dropped on Dec 4, 2025. (#​593, thanks @​muzimuzhi)
    • macos-13
    • macos-13-large
    • macos-13-xlarge
  • Increase the maximum number of inputs in the workflow_dispatch event from 10 to 25 because the limitation was recently relaxed. (#​598, thanks @​Haegi)
  • Support artifact-metadata permission for workflow permissions. (#​602, thanks @​martincostello)
  • Detect more complicated constants at if: conditions as error. See the rule document for more details.
  • Refactor the workflow parser with Go iterators. This slightly improves the performance and memory usage.
  • Fix parsing extra { and } characters in format string of format() function call. For example v1.7.9 didn't parse "{{0} {1} {2}}" correctly.
  • Detect an invalid value at type in workflow call inputs as error.
  • Report YAML merge key << as error because GitHub Actions doesn't support the syntax.
  • Check available contexts in expressions at jobs.<job_id>.snapshot.if.
    snapshot:
      image-name: my-custom-image
      # ERROR: `env` context is not allowed here
      if: ${{ env.USE_SNAPSHOT == 'true' }}
    
  • Fix the instruction to install actionlint with mise in the installation document. (#​591, thanks @​risu729)
  • Update the popular actions data set to the latest to include new major versions of the actions.

[Changes][v1.7.10]

v1.7.9

Compare Source

  • Add support for ubuntu-slim runner label. (#​585, thanks @​cestorer)
  • Check input deprecation in action by checking deprecationMessage property. Using a deprecated input is reported as error if it is not marked as required. See the document for more details. (#​580)
    - uses: reviewdog/action-actionlint@v1
      with:
        # ERROR: Using a deprecated input
        fail_on_error: true
    
  • Add support for the Custom images feature.
  • Report constant conditions at if: like if: true as error. Only very simple expressions like true or false are detected for now. See the document for more details.
  • Check unexpected keys in inputs in action metadata.
    inputs:
      some_input:
        # Error: `type` is not supported for inputs in action metadata
        type: boolean
    
  • Fix some invalid permissions are not reported as error in id-token and models scopes. (#​582, thanks @​holtkampjs)
  • Fix args and entrypoint inputs are not recognized at uses: when it's not a Docker action. (#​550)
  • Set correct column in source position of YAML parse error.
  • Fix credentials cannot be configured with ${{ }}. (#​590)
  • Improve messages in syntax errors on parsing steps (run: and uses:). Available keys suggestion is now more accurate and unexpected keys are detected more accurately.
  • Fix the order of errors can be non-deterministic when multiple errors are caused at the same source positions.
  • Improve error messages showing suggestions on detecting invalid permissions.
  • Add instruction for installing actionlint with mise package manager. (#​589, thanks @​jylenhof)
  • Fix outdated URLs in the document.
  • Add new actionlint.AllContexts map constant in Go API that contains the information about all context availability.
  • Update popular actions data set to the latest with several major versions of actions and the following new actions.
    • anthropics/claude-code-action
    • openai/codex-action
    • google-github-actions/run-gemini-cli
  • Add make cov task to easily generate a code coverage report.
  • Make installing the formula version of actionlint pacakge from tap of this repository with Homebrew a hard error. Install the cask version instead following the instruction in the error message.

[Changes][v1.7.9]


Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) | `v1.7.8` -> `v1.7.10` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2frhysd%2factionlint/v1.7.10?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2frhysd%2factionlint/v1.7.8/v1.7.10?slim=true) | --- ### Release Notes <details> <summary>rhysd/actionlint (github.com/rhysd/actionlint)</summary> ### [`v1.7.10`](https://github.com/rhysd/actionlint/blob/HEAD/CHANGELOG.md#v1710---2025-12-30) [Compare Source](https://github.com/rhysd/actionlint/compare/v1.7.9...v1.7.10) - Support [YAML anchors and aliases](https://yaml.org/spec/1.2.2/#&#8203;71-alias-nodes) (`&anchor` and `*anchor`) in workflow files. In addition to parsing YAML anchors correctly, actionlint checks unused and undefined anchors. See the [document](https://github.com/rhysd/actionlint/blob/main/docs/checks.md#yaml-anchors) for more details. ([#&#8203;133](https://github.com/rhysd/actionlint/issues/133), thanks [@&#8203;srz-zumix](https://github.com/srz-zumix) for the initial implementation at [#&#8203;568](https://github.com/rhysd/actionlint/issues/568) and [@&#8203;alexaandru](https://github.com/alexaandru) for trying another approach at [#&#8203;557](https://github.com/rhysd/actionlint/issues/557)) ```yaml jobs: test: runs-on: ubuntu-latest services: nginx: image: nginx:latest credentials: &credentials username: ${{ secrets.user }} password: ${{ secrets.password }} steps: - run: ./download.sh # OK: Valid alias to &credentials env: *credentials - run: ./check.sh # ERROR: Undefined anchor 'credential' env: *credential - run: ./upload.sh # ERROR: Unused anchor 'credentials' env: &credentials ``` - Remove support for `*-xl` macOS runner labels because they were [dropped](https://github.blog/changelog/2024-08-19-notice-of-upcoming-deprecations-and-breaking-changes-in-github-actions-runners/). ([#&#8203;592](https://github.com/rhysd/actionlint/issues/592), thanks [@&#8203;muzimuzhi](https://github.com/muzimuzhi)) - Remove support for the macOS 13 runner labels because they were [dropped on Dec 4, 2025](https://github.blog/changelog/2025-09-19-github-actions-macos-13-runner-image-is-closing-down/). ([#&#8203;593](https://github.com/rhysd/actionlint/issues/593), thanks [@&#8203;muzimuzhi](https://github.com/muzimuzhi)) - `macos-13` - `macos-13-large` - `macos-13-xlarge` - Increase the maximum number of inputs in the `workflow_dispatch` event from 10 to 25 because the limitation [was recently relaxed](https://github.blog/changelog/2025-12-04-actions-workflow-dispatch-workflows-now-support-25-inputs/). ([#&#8203;598](https://github.com/rhysd/actionlint/issues/598), thanks [@&#8203;Haegi](https://github.com/Haegi)) - Support [`artifact-metadata` permission](https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#defining-access-for-the-github_token-scopes) for workflow permissions. ([#&#8203;602](https://github.com/rhysd/actionlint/issues/602), thanks [@&#8203;martincostello](https://github.com/martincostello)) - Detect more complicated constants at `if:` conditions as error. See the [rule document](https://github.com/rhysd/actionlint/blob/main/docs/checks.md#if-cond-constant) for more details. - Refactor the workflow parser with [Go iterators](https://pkg.go.dev/iter#hdr-Iterators). This slightly improves the performance and memory usage. - Fix parsing extra `{` and `}` characters in format string of `format()` function call. For example v1.7.9 didn't parse `"{{0} {1} {2}}"` correctly. - Detect an invalid value at `type` in workflow call inputs as error. - Report [YAML merge key](https://yaml.org/type/merge.html) `<<` as error because GitHub Actions doesn't support the syntax. - Check available contexts in expressions at `jobs.<job_id>.snapshot.if`. ```yaml snapshot: image-name: my-custom-image # ERROR: `env` context is not allowed here if: ${{ env.USE_SNAPSHOT == 'true' }} ``` - Fix the instruction to install actionlint with `mise` in the installation document. ([#&#8203;591](https://github.com/rhysd/actionlint/issues/591), thanks [@&#8203;risu729](https://github.com/risu729)) - Update the popular actions data set to the latest to include new major versions of the actions. \[Changes]\[v1.7.10] <a id="v1.7.9"></a> ### [`v1.7.9`](https://github.com/rhysd/actionlint/blob/HEAD/CHANGELOG.md#v179---2025-11-21) [Compare Source](https://github.com/rhysd/actionlint/compare/v1.7.8...v1.7.9) - Add support for [`ubuntu-slim` runner](https://github.blog/changelog/2025-10-28-1-vcpu-linux-runner-now-available-in-github-actions-in-public-preview/) label. ([#&#8203;585](https://github.com/rhysd/actionlint/issues/585), thanks [@&#8203;cestorer](https://github.com/cestorer)) - Check input deprecation in action by checking [`deprecationMessage` property](https://docs.github.com/en/actions/reference/workflows-and-actions/metadata-syntax#inputsinput_iddeprecationmessage). Using a deprecated input is reported as error if it is not marked as `required`. See [the document](https://github.com/rhysd/actionlint/blob/main/docs/checks.md#deprecated-inputs-usage) for more details. ([#&#8203;580](https://github.com/rhysd/actionlint/issues/580)) ```yaml - uses: reviewdog/action-actionlint@v1 with: # ERROR: Using a deprecated input fail_on_error: true ``` - Add support for the [Custom images](https://docs.github.com/en/actions/how-tos/manage-runners/larger-runners/use-custom-images) feature. - Support [`image_version` workflow trigger](https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#image_version). ```yaml on: image_version: names: - "MyNewImage" - "MyOtherImage" versions: - 1.* - 2.* ``` - Support [`jobs.<job_id>.snapshot` syntax](https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idsnapshot). To make actionlint recognize your own image generation runner, use [`self-hosted-runner.labels` config](https://github.com/rhysd/actionlint/blob/main/docs/config.md). ```yaml jobs: build: runs-on: my-image-generation-runner snapshot: image-name: my-custom-image version: 2.* ``` - Report constant conditions at `if:` like `if: true` as error. Only very simple expressions like `true` or `false` are detected for now. See the [document](https://github.com/rhysd/actionlint/blob/main/docs/checks.md#if-cond-constant) for more details. - Check unexpected keys in inputs in [action metadata](https://docs.github.com/en/actions/reference/workflows-and-actions/metadata-syntax). ```yaml inputs: some_input: # Error: `type` is not supported for inputs in action metadata type: boolean ``` - Fix some invalid permissions are not reported as error in `id-token` and `models` scopes. ([#&#8203;582](https://github.com/rhysd/actionlint/issues/582), thanks [@&#8203;holtkampjs](https://github.com/holtkampjs)) - Fix `args` and `entrypoint` inputs are not recognized at `uses:` when it's not a Docker action. ([#&#8203;550](https://github.com/rhysd/actionlint/issues/550)) - Set correct column in source position of YAML parse error. - Fix `credentials` cannot be configured with `${{ }}`. ([#&#8203;590](https://github.com/rhysd/actionlint/issues/590)) - Improve messages in syntax errors on parsing steps (`run:` and `uses:`). Available keys suggestion is now more accurate and unexpected keys are detected more accurately. - Fix the order of errors can be non-deterministic when multiple errors are caused at the same source positions. - Improve error messages showing suggestions on detecting invalid permissions. - Add instruction for installing actionlint with [mise package manager](https://mise.jdx.dev/getting-started.html). ([#&#8203;589](https://github.com/rhysd/actionlint/issues/589), thanks [@&#8203;jylenhof](https://github.com/jylenhof)) - Fix outdated URLs in the document. - Add new [`actionlint.AllContexts` map constant](https://pkg.go.dev/github.com/rhysd/actionlint#pkg-variables) in Go API that contains the information about all context availability. - Update popular actions data set to the latest with several major versions of actions and the following new actions. - `anthropics/claude-code-action` - `openai/codex-action` - `google-github-actions/run-gemini-cli` - Add `make cov` task to easily generate a code coverage report. - Make installing the formula version of `actionlint` pacakge from tap of this repository with Homebrew a hard error. Install the cask version instead following the instruction in the error message. \[Changes]\[v1.7.9] <a id="v1.7.8"></a> </details> --- ### Configuration 📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi43OC4xIiwidXBkYXRlZEluVmVyIjoiNDIuNzguMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiS2luZC9EZXBlbmRlbmN5VXBkYXRlIiwicnVuLWVuZC10by1lbmQtdGVzdHMiXX0=-->
Update module github.com/rhysd/actionlint to v1.7.10
All checks were successful
issue-labels / release-notes (pull_request_target) Has been skipped
checks / validate pre-commit-hooks file (pull_request) Successful in 59s
checks / validate mocks (pull_request) Successful in 1m10s
checks / build and test (pull_request) Successful in 2m20s
Integration tests for the release process / release-simulation (pull_request) Successful in 5m38s
checks / integration tests (docker-latest) (pull_request) Successful in 10m53s
checks / runner exec tests (pull_request) Successful in 30s
checks / integration tests (docker-stable) (pull_request) Successful in 13m8s
checks / runner integration tests (pull_request) Successful in 4m27s
cascade / debug (pull_request_target) Has been skipped
cascade / end-to-end (pull_request_target) Successful in 6s
cascade / forgejo (pull_request_target) Successful in 18s
d4a5ca886b
Author
Member

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 3 additional dependencies were updated

Details:

Package Change
golang.org/x/sys v0.38.0 -> v0.39.0
go.yaml.in/yaml/v4 v4.0.0-rc.2 -> v4.0.0-rc.3
golang.org/x/sync v0.17.0 -> v0.19.0
### ℹ️ Artifact update notice ##### File name: go.mod In order to perform the update(s) described in the table above, Renovate ran the `go get` command, which resulted in the following additional change(s): - 3 additional dependencies were updated Details: | **Package** | **Change** | | :------------------- | :----------------------------- | | `golang.org/x/sys` | `v0.38.0` -> `v0.39.0` | | `go.yaml.in/yaml/v4` | `v4.0.0-rc.2` -> `v4.0.0-rc.3` | | `golang.org/x/sync` | `v0.17.0` -> `v0.19.0` |
Contributor

cascading-pr updated at actions/setup-forgejo#816

cascading-pr updated at https://code.forgejo.org/actions/setup-forgejo/pulls/816
viceice approved these changes 2026-01-12 16:48:06 +00:00
viceice deleted branch renovate/github.com-rhysd-actionlint-1.7.x 2026-01-12 16:48:15 +00:00
Sign in to join this conversation.
No reviewers
No milestone
No project
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo/runner!1272
No description provided.