gha-lint 0.1.0

Static analyzer for GitHub Actions workflows. It scans `.github/workflows/*.yml` / `*.yaml`, parses YAML, and runs deterministic checks. It **DOES NOT** include network requests, dry-runs, or command execution. It's a **linter**. So no network requests, no dry-run, no command execution.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82

# gha-lint

[![CI](https://github.com/thegreatbey/gha-lint/actions/workflows/ci.yml/badge.svg)](https://github.com/thegreatbey/gha-lint/actions/workflows/ci.yml)
[![Crates.io](https://img.shields.io/crates/v/gha-lint.svg)](https://crates.io/crates/gha-lint)
[![Docs.rs](https://docs.rs/gha-lint/badge.svg)](https://docs.rs/gha-lint)
[![License: MIT/Apache-2.0](https://img.shields.io/badge/License-MIT%2FApache--2.0-blue.svg)](LICENSE)

Static analyzer for GitHub Actions workflows. It scans `.github/workflows/*.yml` / `*.yaml`, parses YAML, and runs deterministic checks. It **DOES NOT** include network requests, dry-runs, or command execution. It's a **linter**. So no network requests, no dry-run, no command execution.

## Status

V0 static analysis implemented. Exits non-zero if any error-level diagnostic occurs.

## Install

From source:

```bash
git clone https://github.com/thegreatbey/gha-lint.git
cd gha-lint
cargo build --release
```

Optionally, once published:

```bash
cargo install gha-lint
```

## Usage

```bash
# analyze current repo
gha-lint

# or provide a path
gha-lint C:\path\to\repo

# version / help
gha-lint --version
gha-lint --help
```

Diagnostics follow a Clippy-like style:

```
error[ci::missing-on]: workflow is missing the top-level 'on:' trigger (file: .github/workflows/ci.yml, line: 12)
  help: add an 'on:' block (push/pull_request/schedule/etc)

error[ci::invalid-uses]: invalid 'uses:' value: "checkout@v4" (file: .github/workflows/build.yml, line: 12)
  help: actions must follow 'owner/repo@ref', e.g. 'actions/checkout@v4'  
```

Exit codes:
- `0`: no error-level diagnostics
- `1`: at least one error-level diagnostic

## Checks (v0)

- Missing `on:` block
- Missing jobs or empty `jobs:`
- Invalid `needs:` references (unknown job ids or wrong types)
- Invalid `uses:` syntax (owner/repo@ref, docker://, or ./local-path)
- Rust workflow hint: uses `cargo`/`rustc` without toolchain setup (warning)
- Missing checkout when steps run commands (warning)
- Invalid `working-directory` paths
- Steps referencing files that do not exist (e.g., `./scripts/foo.sh`, local actions)

## What gets analyzed

What gets analyzed?

  - **gha-lint** reads all .yml / .yaml files under **.github/workflows/**

## Scope / Non-Goals

- Static analysis only (no workflow execution, no dry-run, no network)
- No secret resolution, no runtime simulation, no undocumented fields

## License

Dual-licensed under MIT and Apache-2.0.