Install command
Provided
Validates GitHub Actions workflow files for syntax errors and best practices.
Open the source and read safety notes before installing.
Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.
Decision playbook
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
0
78
—
No baseline selected
No major trust-signal divergence detected in the current selection.
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Source provenance statusRequired
Marked as source-backed.
Metadata reviewed
Registry metadata indicates a reviewed listing.
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Trust level risk gateRequired
Trust level does not block evaluation.
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Package verification flag
No package verification flag provided.
Checksum metadata
No checksum provided for downloaded artifact.
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
Baseline comparison available
No baseline peer selected yet.
Diverging trust signals identified
No major trust-signal divergence found.
Setup at a glance
Copy-ready — paste the snippet to get started.
Install command
Provided
Config snippet
Provided
Copy snippet
Provided
Prerequisites
None
Platforms
1 listed
Difficulty
0/100
Adoption plan
Current risk score 16/100. Use staged verification before broader rollout.
Validate source and review signals before any execution.
Confirm source provenanceRequired
Source URL/provenance metadata is present.
Confirm metadata review state
Listing has review metadata.
Verify install payload
Install/config payload exists and can be inspected.
Confirm safety, privacy, and package integrity signals.
Review safety notesRequired
Safety notes are present.
Review privacy notesRequired
Privacy notes are present.
Verify package integrity metadata
No package verification/checksum metadata.
Adopt in controlled steps based on the selected plan.
Run in isolated sandbox firstRequired
Use a constrained sandbox and observe behavior across multiple tasks.
Roll out graduallyRequired
Roll out to a small cohort before wider usage.
Set monitoring and fallback
Define rollback path and monitor errors after adoption.
Evidence readiness
Required evidence gates are covered (5/6 signals complete).
Source repository/provenance is listed.
Required in this preset
Review metadata is present.
Required in this preset
Safety notes are present.
Required in this preset
Privacy notes are present.
Optional in this preset
Package integrity metadata is missing.
Optional in this preset
Install payload is available.
Required in this preset
Required evidence gates are covered for this preset.
Decision timeline
5/6 steps complete with no blocking gaps for this preset.
triage
Source/provenance metadata is available.
triage
Review metadata is available.
verify
Safety notes are available.
verify
Privacy notes are available.
verify
Package integrity metadata is missing.
rollout
Install payload is available.
No required blockers for this timeline preset.
Safety & privacy surface
1 safety and 1 privacy notes across 2 risk areas. Review closely: credentials & tokens, permissions & scopes.
#!/usr/bin/env bash
# Read the tool input from stdin
INPUT=$(cat)
TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name')
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [ -z "$FILE_PATH" ]; then
exit 0
fi
# Check if this is a GitHub Actions workflow file
if [[ "$FILE_PATH" == *.github/workflows/*.yml ]] || [[ "$FILE_PATH" == *.github/workflows/*.yaml ]]; then
echo "🔄 Validating GitHub Actions workflow: $(basename "$FILE_PATH")" >&2
# Initialize validation counters
WARNINGS=0
ERRORS=0
SUGGESTIONS=0
# Function to report issues
report_issue() {
local level="$1"
local message="$2"
case "$level" in
"ERROR")
echo "❌ ERROR: $message" >&2
ERRORS=$((ERRORS + 1))
;;
"WARNING")
echo "⚠️ WARNING: $message" >&2
WARNINGS=$((WARNINGS + 1))
;;
"SUGGESTION")
echo "💡 SUGGESTION: $message" >&2
SUGGESTIONS=$((SUGGESTIONS + 1))
;;
"INFO")
echo "ℹ️ INFO: $message" >&2
;;
esac
}
# Check if file exists and is readable
if [ ! -f "$FILE_PATH" ]; then
report_issue "ERROR" "Workflow file not found: $FILE_PATH"
exit 1
fi
# 1. YAML Syntax Validation
echo "📋 Checking YAML syntax..." >&2
# Try actionlint first (most comprehensive)
if command -v actionlint &> /dev/null; then
echo " Using actionlint for comprehensive validation..." >&2
ACTIONLINT_OUTPUT=$(actionlint "$FILE_PATH" 2>&1)
ACTIONLINT_EXIT_CODE=$?
if [ $ACTIONLINT_EXIT_CODE -eq 0 ]; then
echo " ✅ actionlint validation passed" >&2
else
report_issue "ERROR" "actionlint validation failed"
echo "$ACTIONLINT_OUTPUT" >&2
fi
else
# Fallback to yamllint
if command -v yamllint &> /dev/null; then
echo " Using yamllint for YAML validation..." >&2
if yamllint "$FILE_PATH" 2>/dev/null; then
echo " ✅ YAML syntax valid (yamllint)" >&2
else
report_issue "WARNING" "yamllint found issues in YAML syntax"
fi
# Fallback to Python YAML parser
elif command -v python3 &> /dev/null; then
echo " Using Python YAML parser for validation..." >&2
if python3 -c "import yaml; yaml.safe_load(open('$FILE_PATH'))" 2>/dev/null; then
echo " ✅ YAML syntax valid (Python)" >&2
else
report_issue "ERROR" "Invalid YAML syntax detected"
fi
else
report_issue "WARNING" "No YAML validator available (actionlint, yamllint, or python3)"
fi
fi
# 2. Action Version Validation
echo "🔍 Checking action versions..." >&2
# Check for outdated action versions
OUTDATED_ACTIONS=(
"actions/checkout@v[12]"
"actions/setup-node@v[12]"
"actions/setup-python@v[12]"
"actions/cache@v[12]"
"actions/upload-artifact@v[12]"
"actions/download-artifact@v[12]"
)
for pattern in "${OUTDATED_ACTIONS[@]}"; do
if grep -q "$pattern" "$FILE_PATH" 2>/dev/null; then
ACTION_NAME=$(echo "$pattern" | cut -d'@' -f1)
report_issue "WARNING" "Using outdated $ACTION_NAME version - consider upgrading to latest"
fi
done
# Check for unpinned action versions (security risk)
if grep -E 'uses:.*@(main|master|develop)' "$FILE_PATH" >&2 2>/dev/null; then
report_issue "WARNING" "Actions using branch references instead of pinned versions detected"
echo " 💡 Use specific version tags or commit SHAs for security" >&2
fi
# 3. Security Best Practices
echo "🔒 Checking security best practices..." >&2
# Check for explicit permissions
if ! grep -q "permissions:" "$FILE_PATH" 2>/dev/null; then
report_issue "SUGGESTION" "Consider adding explicit 'permissions:' for better security"
echo " Example: permissions: { contents: read, actions: read }" >&2
fi
# Check for pull_request_target usage (potential security risk)
if grep -q "pull_request_target:" "$FILE_PATH" 2>/dev/null; then
report_issue "WARNING" "pull_request_target can be a security risk - ensure proper handling"
fi
# Check for secrets in plain text (basic check)
if grep -iE '(password|secret|token|key).*:.*[a-zA-Z0-9]+' "$FILE_PATH" | grep -v '\${{' >&2 2>/dev/null; then
report_issue "ERROR" "Potential hardcoded secrets detected - use GitHub secrets instead"
fi
# 4. Performance and Best Practices
echo "⚡ Checking performance best practices..." >&2
# Check for caching
if ! grep -q "cache" "$FILE_PATH" 2>/dev/null && (grep -q "npm install" "$FILE_PATH" || grep -q "pip install" "$FILE_PATH" || grep -q "bundle install" "$FILE_PATH") 2>/dev/null; then
report_issue "SUGGESTION" "Consider adding caching for dependencies to improve workflow speed"
fi
# Check for matrix strategy usage
if ! grep -q "strategy:" "$FILE_PATH" 2>/dev/null && grep -q "runs-on:" "$FILE_PATH" 2>/dev/null; then
report_issue "SUGGESTION" "Consider using matrix strategy for testing multiple versions/platforms"
fi
# Check for conditional job execution
if ! grep -q "if:" "$FILE_PATH" 2>/dev/null; then
report_issue "SUGGESTION" "Consider using conditional execution to optimize workflow runs"
fi
# 5. Workflow Structure Validation
echo "📋 Checking workflow structure..." >&2
# Check for required fields
if ! grep -q "name:" "$FILE_PATH" 2>/dev/null; then
report_issue "WARNING" "Workflow should have a descriptive 'name' field"
fi
if ! grep -q "on:" "$FILE_PATH" 2>/dev/null; then
report_issue "ERROR" "Workflow must have 'on:' trigger definition"
fi
if ! grep -q "jobs:" "$FILE_PATH" 2>/dev/null; then
report_issue "ERROR" "Workflow must have 'jobs:' section"
fi
# Check for environment variables
if grep -q "env:" "$FILE_PATH" 2>/dev/null; then
echo " ✅ Environment variables defined" >&2
fi
# 6. Action-Specific Checks
echo "🎯 Checking action-specific patterns..." >&2
# Check for Node.js setup
if grep -q "actions/setup-node" "$FILE_PATH" 2>/dev/null; then
if ! grep -q "node-version" "$FILE_PATH" 2>/dev/null; then
report_issue "WARNING" "setup-node should specify node-version"
fi
if ! grep -q "cache:" "$FILE_PATH" 2>/dev/null; then
report_issue "SUGGESTION" "Consider enabling cache for setup-node (e.g., cache: npm)"
fi
fi
# Check for Python setup
if grep -q "actions/setup-python" "$FILE_PATH" 2>/dev/null; then
if ! grep -q "python-version" "$FILE_PATH" 2>/dev/null; then
report_issue "WARNING" "setup-python should specify python-version"
fi
fi
# Check for checkout action
if grep -q "actions/checkout" "$FILE_PATH" 2>/dev/null; then
# Check if fetch-depth is appropriate for the use case
if grep -q "fetch-depth: 0" "$FILE_PATH" 2>/dev/null; then
report_issue "INFO" "Using full history checkout - ensure this is necessary"
fi
fi
# 7. Generate Summary Report
echo "" >&2
echo "📊 GitHub Actions Validation Summary:" >&2
echo "=====================================" >&2
echo " 📄 Workflow: $(basename "$FILE_PATH")" >&2
echo " ❌ Errors: $ERRORS" >&2
echo " ⚠️ Warnings: $WARNINGS" >&2
echo " 💡 Suggestions: $SUGGESTIONS" >&2
if [ "$ERRORS" -eq 0 ] && [ "$WARNINGS" -eq 0 ]; then
echo " ✅ Validation Status: PASSED" >&2
elif [ "$ERRORS" -eq 0 ]; then
echo " ✅ Validation Status: PASSED (with warnings)" >&2
else
echo " ❌ Validation Status: FAILED" >&2
fi
echo "" >&2
echo "💡 GitHub Actions Best Practices:" >&2
echo " • Pin actions to specific versions or commit SHAs" >&2
echo " • Use explicit permissions for security" >&2
echo " • Cache dependencies to improve performance" >&2
echo " • Use matrix strategies for cross-platform testing" >&2
echo " • Add conditional execution to optimize runs" >&2
echo " • Keep secrets out of workflow files" >&2
# Exit with error if there are critical issues
if [ "$ERRORS" -gt 0 ]; then
echo "⚠️ Workflow has critical errors that should be fixed" >&2
exit 1
fi
else
# Not a GitHub Actions workflow file
exit 0
fi
exit 0{
"hooks": {
"postToolUse": {
"script": "./.claude/hooks/github-actions-workflow-validator.sh",
"matchers": [
"write",
"edit"
]
}
}
}.claude/settings.local.json~/.claude/settings.json.claude/settings.json{
"hooks": {
"postToolUse": {
"script": "./.claude/hooks/github-actions-workflow-validator.sh",
"matchers": ["write", "edit"]
}
}
}
#!/usr/bin/env bash
# Read the tool input from stdin
INPUT=$(cat)
TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name')
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [ -z "$FILE_PATH" ]; then
exit 0
fi
# Check if this is a GitHub Actions workflow file
if [[ "$FILE_PATH" == *.github/workflows/*.yml ]] || [[ "$FILE_PATH" == *.github/workflows/*.yaml ]]; then
echo "🔄 Validating GitHub Actions workflow: $(basename "$FILE_PATH")" >&2
# Initialize validation counters
WARNINGS=0
ERRORS=0
SUGGESTIONS=0
# Function to report issues
report_issue() {
local level="$1"
local message="$2"
case "$level" in
"ERROR")
echo "❌ ERROR: $message" >&2
ERRORS=$((ERRORS + 1))
;;
"WARNING")
echo "⚠️ WARNING: $message" >&2
WARNINGS=$((WARNINGS + 1))
;;
"SUGGESTION")
echo "💡 SUGGESTION: $message" >&2
SUGGESTIONS=$((SUGGESTIONS + 1))
;;
"INFO")
echo "ℹ️ INFO: $message" >&2
;;
esac
}
# Check if file exists and is readable
if [ ! -f "$FILE_PATH" ]; then
report_issue "ERROR" "Workflow file not found: $FILE_PATH"
exit 1
fi
# 1. YAML Syntax Validation
echo "📋 Checking YAML syntax..." >&2
# Try actionlint first (most comprehensive)
if command -v actionlint &> /dev/null; then
echo " Using actionlint for comprehensive validation..." >&2
ACTIONLINT_OUTPUT=$(actionlint "$FILE_PATH" 2>&1)
ACTIONLINT_EXIT_CODE=$?
if [ $ACTIONLINT_EXIT_CODE -eq 0 ]; then
echo " ✅ actionlint validation passed" >&2
else
report_issue "ERROR" "actionlint validation failed"
echo "$ACTIONLINT_OUTPUT" >&2
fi
else
# Fallback to yamllint
if command -v yamllint &> /dev/null; then
echo " Using yamllint for YAML validation..." >&2
if yamllint "$FILE_PATH" 2>/dev/null; then
echo " ✅ YAML syntax valid (yamllint)" >&2
else
report_issue "WARNING" "yamllint found issues in YAML syntax"
fi
# Fallback to Python YAML parser
elif command -v python3 &> /dev/null; then
echo " Using Python YAML parser for validation..." >&2
if python3 -c "import yaml; yaml.safe_load(open('$FILE_PATH'))" 2>/dev/null; then
echo " ✅ YAML syntax valid (Python)" >&2
else
report_issue "ERROR" "Invalid YAML syntax detected"
fi
else
report_issue "WARNING" "No YAML validator available (actionlint, yamllint, or python3)"
fi
fi
# 2. Action Version Validation
echo "🔍 Checking action versions..." >&2
# Check for outdated action versions
OUTDATED_ACTIONS=(
"actions/checkout@v[12]"
"actions/setup-node@v[12]"
"actions/setup-python@v[12]"
"actions/cache@v[12]"
"actions/upload-artifact@v[12]"
"actions/download-artifact@v[12]"
)
for pattern in "${OUTDATED_ACTIONS[@]}"; do
if grep -q "$pattern" "$FILE_PATH" 2>/dev/null; then
ACTION_NAME=$(echo "$pattern" | cut -d'@' -f1)
report_issue "WARNING" "Using outdated $ACTION_NAME version - consider upgrading to latest"
fi
done
# Check for unpinned action versions (security risk)
if grep -E 'uses:.*@(main|master|develop)' "$FILE_PATH" >&2 2>/dev/null; then
report_issue "WARNING" "Actions using branch references instead of pinned versions detected"
echo " 💡 Use specific version tags or commit SHAs for security" >&2
fi
# 3. Security Best Practices
echo "🔒 Checking security best practices..." >&2
# Check for explicit permissions
if ! grep -q "permissions:" "$FILE_PATH" 2>/dev/null; then
report_issue "SUGGESTION" "Consider adding explicit 'permissions:' for better security"
echo " Example: permissions: { contents: read, actions: read }" >&2
fi
# Check for pull_request_target usage (potential security risk)
if grep -q "pull_request_target:" "$FILE_PATH" 2>/dev/null; then
report_issue "WARNING" "pull_request_target can be a security risk - ensure proper handling"
fi
# Check for secrets in plain text (basic check)
if grep -iE '(password|secret|token|key).*:.*[a-zA-Z0-9]+' "$FILE_PATH" | grep -v '\${{' >&2 2>/dev/null; then
report_issue "ERROR" "Potential hardcoded secrets detected - use GitHub secrets instead"
fi
# 4. Performance and Best Practices
echo "⚡ Checking performance best practices..." >&2
# Check for caching
if ! grep -q "cache" "$FILE_PATH" 2>/dev/null && (grep -q "npm install" "$FILE_PATH" || grep -q "pip install" "$FILE_PATH" || grep -q "bundle install" "$FILE_PATH") 2>/dev/null; then
report_issue "SUGGESTION" "Consider adding caching for dependencies to improve workflow speed"
fi
# Check for matrix strategy usage
if ! grep -q "strategy:" "$FILE_PATH" 2>/dev/null && grep -q "runs-on:" "$FILE_PATH" 2>/dev/null; then
report_issue "SUGGESTION" "Consider using matrix strategy for testing multiple versions/platforms"
fi
# Check for conditional job execution
if ! grep -q "if:" "$FILE_PATH" 2>/dev/null; then
report_issue "SUGGESTION" "Consider using conditional execution to optimize workflow runs"
fi
# 5. Workflow Structure Validation
echo "📋 Checking workflow structure..." >&2
# Check for required fields
if ! grep -q "name:" "$FILE_PATH" 2>/dev/null; then
report_issue "WARNING" "Workflow should have a descriptive 'name' field"
fi
if ! grep -q "on:" "$FILE_PATH" 2>/dev/null; then
report_issue "ERROR" "Workflow must have 'on:' trigger definition"
fi
if ! grep -q "jobs:" "$FILE_PATH" 2>/dev/null; then
report_issue "ERROR" "Workflow must have 'jobs:' section"
fi
# Check for environment variables
if grep -q "env:" "$FILE_PATH" 2>/dev/null; then
echo " ✅ Environment variables defined" >&2
fi
# 6. Action-Specific Checks
echo "🎯 Checking action-specific patterns..." >&2
# Check for Node.js setup
if grep -q "actions/setup-node" "$FILE_PATH" 2>/dev/null; then
if ! grep -q "node-version" "$FILE_PATH" 2>/dev/null; then
report_issue "WARNING" "setup-node should specify node-version"
fi
if ! grep -q "cache:" "$FILE_PATH" 2>/dev/null; then
report_issue "SUGGESTION" "Consider enabling cache for setup-node (e.g., cache: npm)"
fi
fi
# Check for Python setup
if grep -q "actions/setup-python" "$FILE_PATH" 2>/dev/null; then
if ! grep -q "python-version" "$FILE_PATH" 2>/dev/null; then
report_issue "WARNING" "setup-python should specify python-version"
fi
fi
# Check for checkout action
if grep -q "actions/checkout" "$FILE_PATH" 2>/dev/null; then
# Check if fetch-depth is appropriate for the use case
if grep -q "fetch-depth: 0" "$FILE_PATH" 2>/dev/null; then
report_issue "INFO" "Using full history checkout - ensure this is necessary"
fi
fi
# 7. Generate Summary Report
echo "" >&2
echo "📊 GitHub Actions Validation Summary:" >&2
echo "=====================================" >&2
echo " 📄 Workflow: $(basename "$FILE_PATH")" >&2
echo " ❌ Errors: $ERRORS" >&2
echo " ⚠️ Warnings: $WARNINGS" >&2
echo " 💡 Suggestions: $SUGGESTIONS" >&2
if [ "$ERRORS" -eq 0 ] && [ "$WARNINGS" -eq 0 ]; then
echo " ✅ Validation Status: PASSED" >&2
elif [ "$ERRORS" -eq 0 ]; then
echo " ✅ Validation Status: PASSED (with warnings)" >&2
else
echo " ❌ Validation Status: FAILED" >&2
fi
echo "" >&2
echo "💡 GitHub Actions Best Practices:" >&2
echo " • Pin actions to specific versions or commit SHAs" >&2
echo " • Use explicit permissions for security" >&2
echo " • Cache dependencies to improve performance" >&2
echo " • Use matrix strategies for cross-platform testing" >&2
echo " • Add conditional execution to optimize runs" >&2
echo " • Keep secrets out of workflow files" >&2
# Exit with error if there are critical issues
if [ "$ERRORS" -gt 0 ]; then
echo "⚠️ Workflow has critical errors that should be fixed" >&2
exit 1
fi
else
# Not a GitHub Actions workflow file
exit 0
fi
exit 0
Complete hook script that performs GitHub Actions workflow validation
#!/usr/bin/env bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [ -z "$FILE_PATH" ]; then
exit 0
fi
if [[ "$FILE_PATH" == *.github/workflows/*.yml ]] || [[ "$FILE_PATH" == *.github/workflows/*.yaml ]]; then
echo "🔄 Validating GitHub Actions workflow: $(basename "$FILE_PATH")" >&2
if command -v actionlint &> /dev/null; then
if actionlint "$FILE_PATH" 2>&1; then
echo "✅ actionlint validation passed" >&2
else
echo "❌ actionlint validation failed" >&2
exit 1
fi
elif command -v yamllint &> /dev/null; then
if yamllint "$FILE_PATH" 2>/dev/null; then
echo "✅ YAML syntax valid" >&2
else
echo "⚠️ YAML syntax issues found" >&2
fi
fi
fi
exit 0
Complete hook configuration for .claude/settings.json to enable workflow validation
{
"hooks": {
"postToolUse": {
"script": "./.claude/hooks/github-actions-workflow-validator.sh",
"matchers": ["write", "edit"]
}
}
}
Enhanced hook script for security best practices validation
#!/usr/bin/env bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [[ "$FILE_PATH" == *.github/workflows/*.yml ]] || [[ "$FILE_PATH" == *.github/workflows/*.yaml ]]; then
if grep -E 'uses:.*@(main|master|develop)' "$FILE_PATH" >&2 2>/dev/null; then
echo "⚠️ WARNING: Actions using branch references instead of pinned versions detected" >&2
echo "💡 Use specific version tags or commit SHAs for security" >&2
fi
if ! grep -q "permissions:" "$FILE_PATH" 2>/dev/null; then
echo "💡 SUGGESTION: Consider adding explicit 'permissions:' for better security" >&2
echo " Example: permissions: { contents: read, actions: read }" >&2
fi
if grep -iE '(password|secret|token|key).*:.*[a-zA-Z0-9]+' "$FILE_PATH" | grep -v '\${{' >&2 2>/dev/null; then
echo "❌ ERROR: Potential hardcoded secrets detected - use GitHub secrets instead" >&2
exit 1
fi
fi
exit 0
Enhanced hook script for action version detection and performance suggestions
#!/usr/bin/env bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [[ "$FILE_PATH" == *.github/workflows/*.yml ]] || [[ "$FILE_PATH" == *.github/workflows/*.yaml ]]; then
OUTDATED_ACTIONS=("actions/checkout@v[12]" "actions/setup-node@v[12]" "actions/setup-python@v[12]")
for pattern in "${OUTDATED_ACTIONS[@]}"; do
if grep -q "$pattern" "$FILE_PATH" 2>/dev/null; then
ACTION_NAME=$(echo "$pattern" | cut -d'@' -f1)
echo "⚠️ WARNING: Using outdated $ACTION_NAME version - consider upgrading to latest" >&2
fi
done
if ! grep -q "cache" "$FILE_PATH" 2>/dev/null && (grep -q "npm install" "$FILE_PATH" || grep -q "pip install" "$FILE_PATH"); then
echo "💡 SUGGESTION: Consider adding caching for dependencies to improve workflow speed" >&2
fi
fi
exit 0
Enhanced hook script for workflow structure and required fields validation
#!/usr/bin/env bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [[ "$FILE_PATH" == *.github/workflows/*.yaml ]] || [[ "$FILE_PATH" == *.github/workflows/*.yml ]]; then
if ! grep -q "name:" "$FILE_PATH" 2>/dev/null; then
echo "⚠️ WARNING: Workflow should have a descriptive 'name' field" >&2
fi
if ! grep -q "on:" "$FILE_PATH" 2>/dev/null; then
echo "❌ ERROR: Workflow must have 'on:' trigger definition" >&2
exit 1
fi
if ! grep -q "jobs:" "$FILE_PATH" 2>/dev/null; then
echo "❌ ERROR: Workflow must have 'jobs:' section" >&2
exit 1
fi
if grep -q "actions/setup-node" "$FILE_PATH" 2>/dev/null; then
if ! grep -q "node-version" "$FILE_PATH" 2>/dev/null; then
echo "⚠️ WARNING: setup-node should specify node-version" >&2
fi
fi
fi
exit 0
Hook falls back to yamllint or Python YAML parser automatically. Install actionlint with brew install actionlint on macOS or download from GitHub releases for comprehensive validation. Verify installation: 'command -v actionlint'. Add actionlint to PATH if installed but not found.
Update the OUTDATED_ACTIONS array in the hook script to exclude specific action patterns. Use version pinning with commit SHAs instead of version tags to avoid warnings. Verify action versions are actually deprecated before updating patterns. Check GitHub Actions marketplace for latest versions.
This is a security warning, not failure. Review pull_request_target usage carefully and ensure proper checkout action configuration with explicit ref parameter for untrusted code. Consider using pull_request instead of pull_request_target when possible. Verify workflow security requirements.
Install actionlint for GitHub-specific validation beyond YAML syntax. Check for GitHub Actions context variables, expression syntax, and action version compatibility issues. Verify workflow triggers and job dependencies. Test workflow in GitHub Actions UI for runtime errors.
Suggestions are recommendations, not errors. Customize the hook script to skip specific checks by commenting out sections or adjust thresholds in the performance validation logic. Add SKIP_PERFORMANCE_CHECKS environment variable. Configure project-specific validation rules.
Refine secret detection patterns to exclude test files: 'if echo "$FILE_PATH" | grep -qE "(test|spec|example|sample)"; then continue; fi'. Add whitelist for known safe patterns. Use git-secrets or similar tools for more accurate detection. Consider using SKIP_SECURITY_CHECKS for development.
Custom actions may not follow standard versioning. Add custom action patterns to exclusion list. Verify custom action versioning scheme. Use commit SHA pinning for custom actions. Document custom action versioning in project documentation.
actionlint supports workflow includes and reusable workflows. Install actionlint for comprehensive validation. For basic validation, check main workflow file structure. Verify included workflow files exist and are valid. Use actionlint --format json for detailed validation output.
Show that GitHub Actions Validator is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/hooks/github-actions-workflow-validator)GitHub Actions Validator side by side with 2 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
| Field | Validates GitHub Actions workflow files for syntax errors and best practices. Open dossier | Validates Kubernetes YAML manifests for syntax and best practices when modified. Open dossier | Validates AWS CloudFormation templates for syntax errors and best practices using cfn-lint v1.40.4+ and AWS CLI v2.27.54+. Open dossier |
|---|---|---|---|
| Next steps | |||
| Trust | |||
| Review status | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed |
| Package trust | Package not verified | Package not verified | Package not verified |
| Source provenance | Source-backed | Source-backed | Source-backed |
| Submitter | — | — | — |
| Install risk | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Brand | |||
| Category | hooks | hooks | hooks |
| Source | source-backed | source-backed | source-backed |
| Author | JSONbored | JSONbored | JSONbored |
| Added | 2025-09-19 | 2025-09-19 | 2025-09-19 |
| Platforms | Claude Code | Claude Code | Claude Code |
| Source repo | — | — | — |
| Safety notes | ✓Runs automatically on its configured Claude Code hook event and executes shell logic that can read, modify, or delete files in your project (and may run builds, installs, or network calls); review the script and scope it to expected paths before enabling. | ✓Runs automatically on its configured Claude Code hook event and executes shell logic that can read, modify, or delete files in your project (and may run builds, installs, or network calls); review the script and scope it to expected paths before enabling. | ✓Runs automatically on its configured Claude Code hook event and executes shell logic that can read, modify, or delete files in your project (and may run builds, installs, or network calls); review the script and scope it to expected paths before enabling. |
| Privacy notes | ✓Receives Claude Code hook input (session metadata, file paths, and tool output) and reads local project files; review what the script logs or forwards to external services and keep credentials out of its output. | ✓Receives Claude Code hook input (session metadata, file paths, and tool output) and reads local project files; review what the script logs or forwards to external services and keep credentials out of its output. | ✓Receives Claude Code hook input (session metadata, file paths, and tool output) and reads local project files; review what the script logs or forwards to external services and keep credentials out of its output. |
| Prerequisites | — none listed | — none listed | — none listed |
| Install | | | |
| Config | | | |
| Citations | |||
| Claim | Unclaimed | Unclaimed | Unclaimed |
Source-backed guides for putting this to work.
Automate business and engineering processes with headless Claude Code, GitHub Actions, and scheduled routines.
Loading live community signals…
A short, calm digest of reviewed Claude resources. Unsubscribe any time.