[go-fan] Go Module Review: actionlint

[github-actions[bot]]

🐹 Go Fan Report: rhysd/actionlint

Module: github.com/rhysd/actionlint · Version in use: v1.7.11 · Latest: v1.7.12 (released 2026-03-30, yesterday!)

---

Module Overview

actionlint is a static checker for GitHub Actions workflow files with 40+ checks covering syntax, expressions, runner labels, permissions, secrets, context availability, shellcheck/pyflakes integration, and more. It exposes both a CLI binary and a Go API, and produces structured JSON output for machine-readable parsing.

---

Current Usage in gh-aw

File	Role
tools.go	Blank import under //go:build tools to pin CLI binary in go.mod
pkg/cli/actionlint.go	Core integration: runs via Docker, parses JSON output, displays compiler errors
pkg/cli/docker_images.go	Defines ActionlintImage = "rhysd/actionlint:latest" constant
pkg/workflow/glob_validation.go	Vendored copy of glob.go from actionlint v1.7.11

• Execution mode: Docker (docker run rhysd/actionlint:latest -format '\{\{json .}}')
• Output parsing: Structured JSON → actionlintError struct (message, filepath, line, column, kind, snippet, end_column)
• Error display: Compiler-style diagnostics with doc URL per error kind
• Strict mode: treats lint errors as compile failures; non-strict mode logs and continues
• Statistics: tracks errors per kind, integration failures, and total workflows checked

The module is used in two distinct ways: as a Docker-executed CLI for live linting, and as a vendored Go snippet (glob_validation.go) for lightweight glob pattern validation that avoids importing the full package.

---

Research Findings

Recent Updates

v1.7.12 (released yesterday, 2026-03-30) — the project is one version behind:

• ✨ IANA timezone validation in on.schedule.cron.timezone — catches invalid timezone strings in scheduled workflows
• ✨ Support for jobs.<job_name>.environment.deployment configuration
• ✨ macos-26-intel runner label support
• 🐛 Fixed outdated webhook activity types table (scraped from scratch)
• 🔧 Go 1.26 support, Go 1.24 dropped

v1.7.11 (current) added:

• case() expression function support
• macos-26-large / windows-2025-vs2026 runner labels
• Artifact attestations for supply-chain verification
• Reports ./ path filter prefix as error (reflected in glob_validation.go vendored copy)

Best Practices from Maintainers

• Use -format '\{\{json .}}' for machine-readable output (✅ already done)
• Pin to a specific version tag for reproducible CI — maintainer provides signed artifact attestations since v1.7.11
• The Go API (github.com/rhysd/actionlint package) can be used programmatically to avoid Docker entirely

---

Improvement Opportunities

🏃 Quick Wins

1. Use the ActionlintImage constant (low effort, high consistency)

docker_images.go already defines:

ActionlintImage = "rhysd/actionlint:latest"
```

But `actionlint.go` hardcodes `"rhysd/actionlint:latest"` in **4 separate places** (lines ~164, ~235 in docker args, ~251 in the verbose display string). Using the constant centralises the image name so a version bump is a single-file change.

**2. Upgrade to v1.7.12**

```
go get github.com/rhysd/actionlint@v1.7.12

Gains timezone validation, macos-26-intel label support, and webhook table fixes. After upgrading, update the version reference comment in pkg/workflow/glob_validation.go (line 4 references v1.7.11/glob.go).

✨ Feature Opportunities

3. Use EndColumn for richer error display

The actionlintError struct parses EndColumn from the JSON output, but it's never used:

type actionlintError struct {
    // ...
    EndColumn int `json:"end_column"`  // parsed but unused
}

console.FormatError could use it to draw an underline spanning the full error range (from Column to EndColumn) rather than just the start position — giving much clearer visual highlighting for multi-token errors.

4. Leverage v1.7.12's timezone checks

No code change needed — just upgrading the dependency means on.schedule workflows with invalid timezone: values will now be caught. Worth calling out in release notes / changelog.

📐 Best Practice Alignment

5. Pin the Docker image to a specific version

Using :latest means the Docker image can silently change between runs when a new actionlint version is published. This breaks reproducibility — the same workflow file could produce different errors on different days.

Recommended approach: derive the pinned tag from go.mod at build time or set a version constant:

const ActionlintImage = "rhysd/actionlint:1.7.12"

Since v1.7.11, actionlint publishes signed artifact attestations, making version pinning even more valuable for supply-chain security.

6. Context propagation in getActionlintVersion()

getActionlintVersion() creates its own context.WithTimeout(context.Background(), 30*time.Second) rather than accepting a context from the caller. If the parent operation is cancelled (e.g., user Ctrl-C), the version check continues independently. Threading the parent context through would make cancellation work end-to-end.

🔧 General Improvements

7. Track glob_validation.go drift from upstream

glob_validation.go is a vendored copy of actionlint's glob.go pinned at v1.7.11. Any upstream bug fixes to glob validation require manual re-copy. The comment at the top provides attribution (good!), but there's no automated check to catch drift. Adding a note to the upgrade checklist or a simple comparison test would help ensure the vendored copy stays in sync after each actionlint upgrade.

---

Recommendations

Priority	Action
🔴 High	Upgrade to v1.7.12 — it was released yesterday with a security/correctness fix for webhook types and new timezone validation
🟡 Medium	Pin Docker image to a specific version tag for reproducibility and supply-chain safety
🟡 Medium	Use ActionlintImage constant in actionlint.go instead of 4 hardcoded strings
🟢 Low	Thread parent context into getActionlintVersion()
🟢 Low	Use EndColumn in error display for better visual underlines
🟢 Low	Add a drift-check note for glob_validation.go to the upgrade runbook

Next Steps

• Run go get github.com/rhysd/actionlint@v1.7.12 and update the glob_validation.go version comment
• Consider pinning ActionlintImage to "rhysd/actionlint:1.7.12" for build reproducibility
• Replace the 4 hardcoded "rhysd/actionlint:latest" strings in actionlint.go with ActionlintImage

---

Module summary saved to: scratchpad/mods/actionlint.md
Selected via round-robin (most recently updated, not reviewed in last 7 days) — §23785679887

References:

• https://github.com/rhysd/actionlint/releases/tag/v1.7.12
• https://github.com/rhysd/actionlint/releases/tag/v1.7.11
• https://github.com/github/gh-aw/actions/runs/23785679887

AI generated by Go Fan · history

• expires on Apr 1, 2026, 7:35 AM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Go Fan.

A newer discussion is available at Discussion #23848.