Skills
skills/akin-ozer/cc-devops-skills/github-actions-validator

github-actions-validator

SKILL.md

GitHub Actions Validator

Overview

Validate and test GitHub Actions workflows, custom actions, and public actions using industry-standard tools (actionlint and act). This skill provides comprehensive validation including syntax checking, static analysis, local workflow execution testing, and action verification with version-aware documentation lookup.

Trigger Phrases

Use this skill when the request includes phrases like:

  • "validate this GitHub Actions workflow"
  • "check my .github/workflows/*.yml file"
  • "debug actionlint errors"
  • "test this workflow locally with act"
  • "verify GitHub Action versions or deprecations"

When to Use This Skill

Use this skill when:

  • Validating workflow files: Checking .github/workflows/*.yml for syntax errors and best practices
  • Testing workflows locally: Running workflows with act before pushing to GitHub
  • Debugging workflow failures: Identifying issues in workflow configuration
  • Validating custom actions: Checking composite, Docker, or JavaScript actions
  • Verifying public actions: Validating usage of actions from GitHub Marketplace
  • Pre-commit validation: Ensuring workflows are valid before committing

Required Execution Flow

Every validation run should follow these steps in order.

Step 1: Set Skill Path and Run Validation

Run commands from the repository root that contains .github/workflows/.

SKILL_DIR="devops-skills-plugin/skills/github-actions-validator"
bash "$SKILL_DIR/scripts/validate_workflow.sh" <workflow-file-or-directory>

Step 2: Map Each Error to a Reference

For each actionlint/act error, consult the mapping table below, then extract the matching fix pattern.

Step 3: Apply Minimal-Quote Policy

For each issue:

  1. Include the exact error line from tool output.
  2. Quote only the smallest useful snippet from references/ (prefer <=8 lines).
  3. Paraphrase the rest and cite the source file/section.
  4. Show corrected workflow code.

Step 4: Handle Unmapped Errors Explicitly

If an error does not match any mapping:

  1. Label it as UNMAPPED.
  2. Capture exact tool output, workflow file, and line number (if available).
  3. Check references/common_errors.md general sections first.
  4. If still unresolved, search official docs with the exact error string.
  5. Mark the fix as provisional until post-fix rerun passes.

Step 5: Verify Public Action Versions

For each uses: owner/action@version:

  1. Check references/action_versions.md.
  2. For unknown actions, verify against official docs.
  3. Confirm required inputs and deprecations.

Offline mode behavior:

  • If network/doc lookup is unavailable, rely on references/action_versions.md only.
  • Mark unknown actions as UNVERIFIED-OFFLINE.
  • Do not claim "latest" version without an online verification pass.

Step 6: Mandatory Post-Fix Rerun

After applying fixes, rerun validation before finalizing:

SKILL_DIR="devops-skills-plugin/skills/github-actions-validator"
bash "$SKILL_DIR/scripts/validate_workflow.sh" <workflow-file-or-directory>

Step 7: Provide Final Summary

Final output should include:

  • Issues found and fixes applied
  • Any UNMAPPED or UNVERIFIED-OFFLINE items
  • Post-fix rerun command and result
  • Remaining warnings/risk notes

Error Type to Reference File Mapping

Error Pattern in Output Reference File to Read Section to Quote
runs-on:, runner, ubuntu, macos, windows references/runners.md Runner labels
cron, schedule references/common_errors.md Schedule Errors
${{, expression, if: references/common_errors.md Expression Errors
needs:, job, dependency references/common_errors.md Job Configuration Errors
uses:, action, input references/common_errors.md Action Errors
untrusted, injection, security references/common_errors.md Script Injection section
syntax, yaml, unexpected references/common_errors.md Syntax Errors
docker, container references/act_usage.md Troubleshooting
@v3, @v4, deprecated, outdated references/action_versions.md Version table
workflow_call, reusable, oidc references/modern_features.md Relevant section
glob, path, paths:, pattern references/common_errors.md Path Filter Errors

Example: Complete Error Handling Workflow

User's workflow has this error:

runs-on: ubuntu-lastest

Step 1 - Script output:

label "ubuntu-lastest" is unknown

Step 2 - Read references/runners.md or references/common_errors.md: Find the "Invalid Runner Label" section.

Step 3 - Quote the fix to user:

Error: label "ubuntu-lastest" is unknown

Cause: Typo in runner label (from references/common_errors.md):

# Bad
runs-on: ubuntu-lastest  # Typo

Fix (from references/common_errors.md):

# Good
runs-on: ubuntu-latest

Valid runner labels (from references/runners.md):

  • ubuntu-latest, ubuntu-24.04, ubuntu-22.04
  • windows-latest, windows-2025, windows-2022
  • macos-latest, macos-15, macos-14

Step 4 - Provide corrected code:

runs-on: ubuntu-latest

Quick Start

Set once per shell session:

SKILL_DIR="devops-skills-plugin/skills/github-actions-validator"

Initial Setup

bash "$SKILL_DIR/scripts/install_tools.sh"

This installs act (local workflow execution) and actionlint (static analysis) to scripts/.tools/.

Basic Validation

# Validate a single workflow
bash "$SKILL_DIR/scripts/validate_workflow.sh" .github/workflows/ci.yml

# Validate all workflows
bash "$SKILL_DIR/scripts/validate_workflow.sh" .github/workflows/

# Lint-only (fastest)
bash "$SKILL_DIR/scripts/validate_workflow.sh" --lint-only .github/workflows/ci.yml

# Test-only with act (requires Docker)
bash "$SKILL_DIR/scripts/validate_workflow.sh" --test-only .github/workflows/

Core Validation Workflow

1. Static Analysis with actionlint

Start with static analysis to catch syntax errors and common issues:

bash "$SKILL_DIR/scripts/validate_workflow.sh" --lint-only .github/workflows/ci.yml

What actionlint checks: YAML syntax, schema compliance, expression syntax, runner labels, action inputs/outputs, job dependencies, CRON syntax, glob patterns, shell scripts, security vulnerabilities.

2. Local Testing with act

After passing static analysis, test workflow execution:

bash "$SKILL_DIR/scripts/validate_workflow.sh" --test-only .github/workflows/

Note: act has limitations - see references/act_usage.md.

3. Full Validation

bash "$SKILL_DIR/scripts/validate_workflow.sh" .github/workflows/ci.yml

Default behavior if tools/runtime are unavailable:

  • If act is missing, full validation falls back to actionlint-only.
  • If Docker is unavailable, full validation skips act and continues with actionlint.
  • --check-versions works in offline/local mode using references/action_versions.md.

Validating Resource Types

Workflows

# Single workflow
bash "$SKILL_DIR/scripts/validate_workflow.sh" .github/workflows/ci.yml

# All workflows
bash "$SKILL_DIR/scripts/validate_workflow.sh" .github/workflows/

Key validation points: triggers, job configurations, runner labels, environment variables, secrets, conditionals, matrix strategies.

Custom Local Actions

Create a test workflow that uses the custom action, then validate:

bash "$SKILL_DIR/scripts/validate_workflow.sh" .github/workflows/test-custom-action.yml

Public Actions

When workflows use public actions (e.g., actions/checkout@v6):

  1. Check references/action_versions.md first
  2. Use official docs (or web search) for unknown actions
  3. Verify required inputs and version
  4. Check for deprecation warnings
  5. Run validation script

If offline:

  • Mark unknown versions as UNVERIFIED-OFFLINE
  • Avoid "latest/current" claims until online verification is possible

Search format: "[action-name] [version] github action documentation"

Reference File Consultation Guide

Mandatory Reference Consultation

Situation Reference File Action
actionlint reports any mapped error references/common_errors.md Find matching error and apply minimal quote policy
actionlint reports unmapped error references/common_errors.md + official docs Label as UNMAPPED, capture exact output and verify by rerun
act fails with Docker/runtime error references/act_usage.md Check Troubleshooting section
act fails but workflow works on GitHub references/act_usage.md Read Limitations section
User asks about actionlint config references/actionlint_usage.md Provide examples
User asks about act options references/act_usage.md Read Advanced Options
Security vulnerability detected references/common_errors.md Quote minimal safe fix snippet
Validating action versions references/action_versions.md Check version table and offline note
Using modern features references/modern_features.md Check syntax examples
Runner questions/errors references/runners.md Check labels and availability

Script Output to Reference Mapping

Output Pattern Reference File
[syntax-check], parse, YAML errors common_errors.md - Syntax Errors
[expression], ${{, condition parsing common_errors.md - Expression Errors
[action], uses:, input/output mismatch common_errors.md - Action Errors
[events] with CRON/schedule text common_errors.md - Schedule Errors
potentially untrusted, injection warnings common_errors.md - Security section
[runner-label] or unknown runs-on label runners.md
[job-needs] dependency errors common_errors.md - Job Configuration Errors
[glob], paths, pattern errors common_errors.md - Path Filter Errors
Docker/pull/image errors from act act_usage.md - Troubleshooting
No pattern match common_errors.md + official docs (label UNMAPPED)

Reference Files Summary

File Content
references/act_usage.md Act tool usage, commands, options, limitations, troubleshooting
references/actionlint_usage.md Actionlint validation categories, configuration, integration
references/common_errors.md Common errors catalog with fixes
references/action_versions.md Current action versions, deprecation timeline, SHA pinning
references/modern_features.md Reusable workflows, SBOM, OIDC, environments, containers
references/runners.md GitHub-hosted runners (ARM64, GPU, M2 Pro, deprecations)

Troubleshooting

Issue Solution
"Tools not found" Run bash "$SKILL_DIR/scripts/install_tools.sh"
"Docker daemon not running" Start Docker or use --lint-only
"Permission denied" Run chmod +x "$SKILL_DIR"/scripts/*.sh
act fails but GitHub works See references/act_usage.md Limitations

Debug Mode

actionlint -verbose .github/workflows/ci.yml  # Verbose actionlint
act -v                                         # Verbose act
act -n                                         # Dry-run (no execution)

Best Practices

  1. Always validate locally first - Catch errors before pushing
  2. Use actionlint in CI/CD - Automate validation in pipelines
  3. Pin action versions - Use @v6 not @main for stability; SHA pinning for security
  4. Keep tools updated - Regularly update actionlint and act
  5. Use official docs for unknown actions - Verify usage and versions
  6. Check version compatibility - See references/action_versions.md
  7. Enable shellcheck - Catch shell script issues early
  8. Review security warnings - Address script injection issues

Limitations

  • act limitations: Not all GitHub Actions features work locally
  • Docker requirement: act requires Docker to be running
  • Network actions: Some GitHub API actions may fail locally
  • Private actions: Cannot validate without access
  • Runtime behavior: Static analysis cannot catch all issues
  • File location: act can only validate workflows in .github/workflows/ directory; files outside (like examples/) can only be validated with actionlint

Quick Examples

Example 1: Pre-commit Validation

SKILL_DIR="devops-skills-plugin/skills/github-actions-validator"
bash "$SKILL_DIR/scripts/validate_workflow.sh" .github/workflows/
git add .github/workflows/ && git commit -m "Update workflows"

Example 2: Debug Failing Workflow

bash "$SKILL_DIR/scripts/validate_workflow.sh" --lint-only .github/workflows/failing.yml
# Fix issues
bash "$SKILL_DIR/scripts/validate_workflow.sh" .github/workflows/failing.yml

Complete Worked Example: Multi-Error Workflow

This example demonstrates the full assistant workflow for handling multiple errors.

User's Problematic Workflow

name: Broken CI
on:
  schedule:
    - cron: '0 0 * * 8'  # ERROR 1
jobs:
  build:
    runs-on: ubuntu-lastest  # ERROR 2
    steps:
      - uses: actions/checkout@v3  # ERROR 3 (outdated)
      - run: echo ${{ github.event.issue.title }}  # ERROR 4 (security)
  deploy:
    needs: biuld  # ERROR 5 (typo)
    runs-on: ubuntu-latest
    steps:
      - run: echo "Deploying"

Step 1: Run Validation

bash "$SKILL_DIR/scripts/validate_workflow.sh" --lint-only workflow.yml

Output:

[ERROR] invalid CRON format "0 0 * * 8"
[ERROR] label "ubuntu-lastest" is unknown
[WARN] "github.event.issue.title" is potentially untrusted
[ERROR] job "deploy" needs job "biuld" which does not exist

Step 2-3: Consult References and Quote Fixes

Error 1: Invalid CRON Expression

From references/common_errors.md - Schedule Errors:

Cause: Day of week 8 doesn't exist (valid: 0-6, where 0 = Sunday)

# Bad
schedule:
  - cron: '0 0 * * 8'  # Day 8 doesn't exist

# Good
schedule:
  - cron: '0 0 * * 0'  # Sunday

CRON format: minute hour day month weekday

  • Weekday: 0-6 (0 = Sunday)

Fix: Change 8 to 0 (Sunday) or 1-6 for Monday-Saturday.

Error 2: Invalid Runner Label

From references/common_errors.md - Job Configuration Errors and references/runners.md:

Cause: Typo in runner label

# Bad
runs-on: ubuntu-lastest  # Typo

# Good
runs-on: ubuntu-latest

Valid labels (from references/runners.md):

  • ubuntu-latest (Ubuntu 24.04)
  • ubuntu-24.04, ubuntu-22.04
  • macos-latest (macOS 15)
  • windows-latest (Windows Server 2022)

Fix: Change ubuntu-lastest to ubuntu-latest.

Error 3: Outdated Action Version

From references/action_versions.md:

Action Current Version Minimum Supported
actions/checkout v6 v4

SHA Pinning Best Practice:

# Recommended: SHA pinning with version comment
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3  # v6.0.0

Fix: Update from @v3 to @v6 (or SHA-pinned version).

Error 4: Security Vulnerability (Script Injection)

From references/common_errors.md - Expression Errors:

Warning: Potential script injection via untrusted input

# Bad - vulnerable to injection
run: echo ${{ github.event.issue.title }}

# Good - use environment variables
env:
  TITLE: ${{ github.event.issue.title }}
run: echo "$TITLE"

Why: Untrusted input (issue titles, PR bodies, commit messages) can contain malicious commands. Using environment variables sanitizes the input.

Fix: Pass untrusted input through environment variable.

Error 5: Undefined Job Dependency

From references/common_errors.md - Job Configuration Errors:

Error: Job 'deploy' depends on job 'biuld' which does not exist

# Bad
jobs:
  build:
    runs-on: ubuntu-latest
  deploy:
    needs: biuld  # Typo

# Good
jobs:
  build:
    runs-on: ubuntu-latest
  deploy:
    needs: build

Fix: Change biuld to build.

Step 4: Provide Corrected Workflow

name: Fixed CI
on:
  schedule:
    - cron: '0 0 * * 0'  # Fixed: Sunday (0-6 valid)
jobs:
  build:
    runs-on: ubuntu-latest  # Fixed: typo corrected
    steps:
      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3  # v6.0.0 - Fixed: updated version
      - name: Process issue
        env:
          TITLE: ${{ github.event.issue.title }}  # Fixed: use env var
        run: echo "$TITLE"
  deploy:
    needs: build  # Fixed: typo corrected
    runs-on: ubuntu-latest
    steps:
      - run: echo "Deploying"

Step 5: Mandatory Rerun

bash "$SKILL_DIR/scripts/validate_workflow.sh" --lint-only workflow.yml

Expected rerun result:

  • No previous errors reproduced
  • Remaining warnings, if any, are documented explicitly

Step 6: Summary

Error Type Fix Applied
CRON 0 0 * * 8 Schedule Changed to 0 0 * * 0
ubuntu-lastest Runner Changed to ubuntu-latest
checkout@v3 Outdated Action Updated to @v6.0.0 (SHA-pinned)
Direct ${{ }} in run Security Wrapped in environment variable
needs: biuld Job Dependency Changed to needs: build

Recommendations:

  • Run bash "$SKILL_DIR/scripts/validate_workflow.sh" --check-versions regularly
  • Use SHA pinning for all actions in production workflows
  • Always pass untrusted input through environment variables

Done Criteria

Validation work is complete when all are true:

  • Trigger matched and correct validation mode selected.
  • Each mapped error includes source reference and minimal quote.
  • Each unmapped error is labeled UNMAPPED with exact output captured.
  • Public action versions are verified, or marked UNVERIFIED-OFFLINE.
  • Post-fix rerun executed and result reported.

Summary

  1. Setup: Install tools with install_tools.sh
  2. Validate: Run validate_workflow.sh on workflow files
  3. Fix: Address issues using reference documentation
  4. Rerun: Verify fixes with a mandatory post-fix validation run
  5. Search: Use official docs to verify unknown actions
  6. Commit: Push validated workflows with confidence

For detailed information, consult the appropriate reference file in references/.

Weekly Installs
26
Repository
akin-ozer/cc-de…s-skills
GitHub Stars
112
First Seen
Jan 31, 2026
Security Audits
Gen Agent Trust HubFail
SocketPass
SnykWarn
Installed on
github-copilot22
opencode22
codex21
gemini-cli20
claude-code20
cursor19