pantheon-ai/github-actions-validator

Comprehensive toolkit for validating, linting, and testing GitHub Actions workflow files, custom local actions, and public actions. Use this skill when working with GitHub Actions YAML files (.github/workflows/*.yml), validating workflow syntax, testing workflow execution with act, or debugging workflow issues.

Overall
score

93%

Review — 93%

Does it follow best practices?

Validation — 11 / 11 Passed

Validation for skill structure

name:: github-actions-validator
description:: Comprehensive toolkit for validating, linting, and testing GitHub Actions workflow files, custom local actions, and public actions. Use this skill when working with GitHub Actions YAML files (.github/workflows/*.yml), validating workflow syntax, testing workflow execution with act, or debugging workflow issues.

GitHub Actions Validator

Name: pantheon-ai/github-actions-validator
Author: pantheon-ai

Overview

Validate and test GitHub Actions workflows, custom actions, and public actions using industry-standard tools (actionlint and act). This skill provides comprehensive validation including syntax checking, static analysis, local workflow execution testing, and action verification with version-aware documentation lookup.

CRITICAL: Assistant Workflow (MUST FOLLOW)

Every validation MUST follow these steps. Skipping any step is non-compliant.

Step 1: Run Validation Script

cd .claude/skills/github-actions-validator
bash scripts/validate_workflow.sh <workflow-file-or-directory>

Step 2: For EACH Error - Consult Reference File

When actionlint or act reports ANY error, you MUST:

Read the appropriate reference file (see mapping below)
Find the matching error pattern
Extract the fix/solution

Step 3: Quote the Fix to User

For each error, provide:

Error message (from script output)
Explanation (from reference file)
Fix code (quoted from reference file)
Corrected code (applied to user's workflow)

Step 4: Verify Public Actions (if present)

For any public actions (uses: owner/action@version):

First check references/action_versions.md for known actions and versions
Use web search for unknown actions: "[action-name] [version] github action documentation"
Verify required inputs match
Check for deprecation warnings

Step 5: Provide Complete Summary

After all errors are addressed:

List all fixes applied
Note any warnings
Recommend best practices from references/

Error-to-Reference Mapping

Error Pattern / Output Category	Reference File	Section to Consult
`runs-on:`, `runner`, `ubuntu`, `macos`, `windows`	`references/runners.md`	Runner labels
`cron`, `schedule` / `[SCHEDULE]`	`references/common_errors.md`	Schedule Errors
`${{`, `expression`, `if:` / `[EXPRESSION]`	`references/common_errors.md`	Expression Errors
`needs:`, `job`, `dependency` / `[SYNTAX]`	`references/common_errors.md`	Job Configuration Errors
`uses:`, `action`, `input` / `[ACTION]`	`references/common_errors.md`	Action Errors
`untrusted`, `injection`, `security` / `[SECURITY]`	`references/common_errors.md`	Script Injection section
`syntax`, `yaml`, `unexpected`	`references/common_errors.md`	Syntax Errors
`docker`, `container` / `[DOCKER]`	`references/act_usage.md`	Troubleshooting
`[ACT-LIMIT]`, act fails but GitHub works	`references/act_usage.md`	Limitations
`@v3`, `@v4`, `deprecated`, `outdated`	`references/action_versions.md`	Version table
`workflow_call`, `reusable`, `oidc`	`references/modern_features.md`	Relevant section
`glob`, `path`, `paths:`, `pattern`	`references/common_errors.md`	Path Filter Errors
User asks about actionlint config	`references/actionlint_usage.md`	Provide examples
Runner questions/errors	`references/runners.md`	Labels and availability

Quick Start

Initial Setup

cd .claude/skills/github-actions-validator
bash scripts/install_tools.sh

This installs act (local workflow execution) and actionlint (static analysis) to scripts/.tools/.

Basic Validation

# Validate a single workflow
bash scripts/validate_workflow.sh .github/workflows/ci.yml

# Validate all workflows
bash scripts/validate_workflow.sh .github/workflows/

# Lint-only (fastest)
bash scripts/validate_workflow.sh --lint-only .github/workflows/ci.yml

# Test-only with act (requires Docker)
bash scripts/validate_workflow.sh --test-only .github/workflows/

Core Validation Workflow

Run the three stages in order:

Static analysis — catches syntax errors and common issues first:
```
bash scripts/validate_workflow.sh --lint-only .github/workflows/ci.yml
```
actionlint checks: YAML syntax, schema compliance, expression syntax, runner labels, action inputs/outputs, job dependencies, CRON syntax, glob patterns, shell scripts, security vulnerabilities.
Local execution test — after passing static analysis, test workflow execution (requires Docker):
```
bash scripts/validate_workflow.sh --test-only .github/workflows/
```
Note: act has limitations — see references/act_usage.md.

Full validation — both stages together:

bash scripts/validate_workflow.sh .github/workflows/ci.yml

Validating Resource Types

Workflows

# Single workflow
bash scripts/validate_workflow.sh .github/workflows/ci.yml

# All workflows
bash scripts/validate_workflow.sh .github/workflows/

Key validation points: triggers, job configurations, runner labels, environment variables, secrets, conditionals, matrix strategies.

Custom Local Actions

Create a test workflow that uses the custom action, then validate:

bash scripts/validate_workflow.sh .github/workflows/test-custom-action.yml

Public Actions

When workflows use public actions (e.g., actions/checkout@v6):

Use web search to find action documentation
Verify required inputs and version
Check for deprecation warnings
Run validation script

Search format: "[action-name] [version] github action documentation"

Reference Files Summary

File	Content
`references/act_usage.md`	Act tool usage, commands, options, limitations, troubleshooting
`references/actionlint_usage.md`	Actionlint validation categories, configuration, integration
`references/common_errors.md`	Common errors catalog with fixes
`references/action_versions.md`	Current action versions, deprecation timeline, SHA pinning
`references/modern_features.md`	Reusable workflows, SBOM, OIDC, environments, containers
`references/runners.md`	GitHub-hosted runners (ARM64, GPU, M2 Pro, deprecations)

Troubleshooting

Issue	Solution
"Tools not found"	Run `bash scripts/install_tools.sh`
"Docker daemon not running"	Start Docker or use `--lint-only`
"Permission denied"	Run `chmod +x scripts/*.sh`
act fails but GitHub works	See `references/act_usage.md` Limitations

Debug Mode

actionlint -verbose .github/workflows/ci.yml  # Verbose actionlint
act -v                                         # Verbose act
act -n                                         # Dry-run (no execution)

Best Practices

Always validate locally first - Catch errors before pushing
Use actionlint in CI/CD - Automate validation in pipelines
Pin action versions - Use @v6 not @main for stability; SHA pinning for security
Keep tools updated - Regularly update actionlint and act
Use web search for unknown actions - Verify usage with documentation
Check version compatibility - See references/action_versions.md
Enable shellcheck - Catch shell script issues early
Review security warnings - Address script injection issues

Limitations

act limitations: Not all GitHub Actions features work locally
Docker requirement: act requires Docker to be running
Network actions: Some GitHub API actions may fail locally
Private actions: Cannot validate without access
Runtime behavior: Static analysis cannot catch all issues
File location: act can only validate workflows in .github/workflows/ directory; files outside (like assets/) can only be validated with actionlint

Quick Examples

Example 1: Pre-commit Validation

cd .claude/skills/github-actions-validator
bash scripts/validate_workflow.sh .github/workflows/
git add .github/workflows/ && git commit -m "Update workflows"

Example 2: Debug Failing Workflow

bash scripts/validate_workflow.sh --lint-only .github/workflows/failing.yml
# Fix issues
bash scripts/validate_workflow.sh .github/workflows/failing.yml

Complete Worked Example: Multi-Error Workflow

User's Problematic Workflow

name: Broken CI
on:
  schedule:
    - cron: '0 0 * * 8'  # ERROR 1
jobs:
  build:
    runs-on: ubuntu-lastest  # ERROR 2
    steps:
      - uses: actions/checkout@v3  # ERROR 3 (outdated)
      - run: echo ${{ github.event.issue.title }}  # ERROR 4 (security)
  deploy:
    needs: biuld  # ERROR 5 (typo)
    runs-on: ubuntu-latest
    steps:
      - run: echo "Deploying"

Step 1: Run Validation

bash scripts/validate_workflow.sh --lint-only workflow.yml

Output:

[ERROR] invalid CRON format "0 0 * * 8"
[ERROR] label "ubuntu-lastest" is unknown
[WARN] "github.event.issue.title" is potentially untrusted
[ERROR] job "deploy" needs job "biuld" which does not exist

Step 2-3: Consult References and Quote Fixes to User

Using the Error-to-Reference Mapping table above, consult the relevant reference file for each error and quote the fix to the user:

#	Error	Reference File	Fix
1	`invalid CRON format "0 0 * * 8"`	`common_errors.md` - Schedule Errors	Change `8` to `0` (weekday range is 0–6)
2	`label "ubuntu-lastest" is unknown`	`common_errors.md` + `runners.md`	Change to `ubuntu-latest`
3	`checkout@v3` (outdated)	`action_versions.md`	Update to `@v6` or SHA-pinned equivalent
4	Untrusted input in `run:`	`common_errors.md` - Script Injection	Pass through environment variable
5	`needs: biuld` (typo)	`common_errors.md` - Job Configuration	Change to `needs: build`

Step 4: Corrected Workflow

name: Fixed CI
on:
  schedule:
    - cron: '0 0 * * 0'  # Fixed: Sunday (valid range 0-6)
jobs:
  build:
    runs-on: ubuntu-latest  # Fixed: typo corrected
    steps:
      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3  # v6.0.0
      - name: Process issue
        env:
          TITLE: ${{ github.event.issue.title }}  # Fixed: sanitized via env var
        run: echo "$TITLE"
  deploy:
    needs: build  # Fixed: typo corrected
    runs-on: ubuntu-latest
    steps:
      - run: echo "Deploying"

Step 5: Summary

Error	Type	Fix Applied
CRON `0 0 * * 8`	Schedule	Changed to `0 0 * * 0`
`ubuntu-lastest`	Runner	Changed to `ubuntu-latest`
`checkout@v3`	Outdated Action	Updated to `@v6.0.0` (SHA-pinned)
Direct `${{ }}` in run	Security	Wrapped in environment variable
`needs: biuld`	Job Dependency	Changed to `needs: build`

Recommendations:

Run bash scripts/validate_workflow.sh --check-versions regularly
Use SHA pinning for all actions in production workflows
Always pass untrusted input through environment variables

Summary

Setup: Install tools with install_tools.sh
Validate: Run validate_workflow.sh on workflow files
Fix: Address issues using reference documentation
Test: Verify locally with act (when possible)
Search: Use web search to verify unknown actions
Commit: Push validated workflows with confidence

For detailed information, consult the appropriate reference file in references/.

Install with Tessl CLI

npx tessl i pantheon-ai/github-actions-validator@0.1.0

assets

references

scripts

SKILL.md

tile.json