Skip to content

tmknom/secure-actionlint-action

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace
BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

61 Commits
.github
.github
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
action.yml
action.yml
 
 

Repository files navigation

secure-actionlint-action

Run actionlint in an isolated Docker container to securely lint workflow files.

Description

This action securely runs actionlint in a Docker container to lint GitHub Actions workflow files. It automatically checks all YAML files in the .github/workflows directory.

This action reduces security risks associated with software supply chain attacks, such as compromised third-party tools or tampered container images. To achieve this, it enforces strict container isolation, disables network connections, and drops unnecessary privileges.

Usage

Default

  steps:
    - name: Secure actionlint
      uses: tmknom/secure-actionlint-action@23ef4b1bfd498bb9fadbfeab1d881c565f6ee36f # v0.3.1

Custom

  steps:
    - name: Secure actionlint
      uses: tmknom/secure-actionlint-action@23ef4b1bfd498bb9fadbfeab1d881c565f6ee36f # v0.3.1
      with:
        configuration-path: actionlint.yml
        ignore: |-
          "jobs" section is missing in workflow
          "on" section is missing .+

Inputs

Name Description Default Required
configuration-path The path for the actionlint configurations. n/a no
ignore Specify regular expressions to ignore actionlint error messages, one per line. n/a no

Outputs

N/A

Permissions

N/A

FAQ

What is actionlint?

actionlint is a linter for GitHub Actions workflow files. It detects errors, security issues, and best practice violations, helping you maintain safer and more reliable workflows.

Why should I use this action instead of directly using actionlint?

Running third-party tools directly in your environment may expose your repository and credentials to compromised or malicious code. This action significantly reduces such risks by strictly isolating the environment:

  • Network access is completely disabled (--network none)
  • All unnecessary Linux capabilities are dropped (--cap-drop all)
  • Privilege escalation is explicitly disabled (--security-opt no-new-privileges)
  • The action runs as a non-root, restricted user (--user guest)
  • The filesystem is strictly read-only (--read-only)
  • The repository directory is mounted as read-only (--volume "${PWD}:${PWD}:ro")

What specific security risks does this action protect against?

This action specifically prevents threats related to software supply chain security (attacks targeting third-party software or tools used in workflows), such as:

  • Unauthorized outbound connections from runners, significantly reducing the risk of data leakage
  • Malicious updates or compromised tools exploiting elevated privileges or unrestricted network access

How does this action ensure the Docker image used for actionlint is secure?

This action explicitly specifies the Docker image using its digest (SHA256). Using a digest ensures that exactly the intended and verified image is used every time, eliminating the risk of malicious updates or image tampering.

Are network connections permitted inside the Docker container used by this action?

No. Network connections are completely disabled within the container. Even if the tool were compromised or contained malicious code, disabling network access effectively prevents communication with external attackers, significantly reducing the risk of data leaks.

Does this action run with elevated (root) privileges?

No. The action runs as a non-root, restricted user without privilege escalation.

Should I pin this action using a commit SHA?

Yes, strongly recommended.

To further protect your workflows from unintended or malicious modifications, it's a best practice to pin the action to a specific commit SHA (commit hash). Doing so ensures the immutability of both the action’s code and any resources it references, such as Docker images, further reducing the risk of software supply chain attacks.

Recommended (more secure):

- uses: tmknom/secure-actionlint-action@23ef4b1bfd498bb9fadbfeab1d881c565f6ee36f # v0.3.1

Not recommended:

- uses: tmknom/secure-actionlint-action@v0

Can I customize the actionlint parameters?

Yes. You can customize actionlint parameters through the inputs described in the Inputs section. See Custom Usage for an example.

For more details on configuring actionlint, refer to the official documentation:

This action intentionally limits arbitrary customization to ensure secure, isolated, and predictable execution. If you require further customization, consider creating your own fork of this action.

Does using this action significantly impact my CI/CD performance?

No. The impact is minimal, primarily due to the overhead of pulling and executing a small Docker container. Typically, this added overhead is negligible, and the security improvements provided by the action justify its use.

Can I run this action without Docker?

No. This action strictly requires Docker to be installed on your GitHub Actions runner. Without Docker, the action will fail to execute, as it relies on Docker’s isolation mechanisms to run securely.

Related projects

N/A

Release notes

See GitHub Releases.

About

Run actionlint in an isolated Docker container to securely lint workflow files.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 4

v0.3.1 Latest
Apr 18, 2025
+ 3 releases

Packages

 
 
 

Contributors

Languages

Generated from tmknom/template-composite-action