github-actions-validator

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

GitHub Actions Validator

GitHub Actions 验证工具

Overview

概述

Validate and test GitHub Actions workflows, custom actions, and public actions using industry-standard tools (actionlint and act). This skill provides comprehensive validation including syntax checking, static analysis, local workflow execution testing, and action verification with version-aware documentation lookup.

使用行业标准工具（actionlint和act）验证和测试GitHub Actions工作流、自定义Action以及公共Action。该工具提供全面的验证功能，包括语法检查、静态分析、本地工作流执行测试，以及支持版本感知的文档查询来验证Action。

When to Use This Skill

适用场景

Use this skill when:

Validating workflow files: Checking
```
.github/workflows/*.yml
```
for syntax errors and best practices
Testing workflows locally: Running workflows with
```
act
```
before pushing to GitHub
Debugging workflow failures: Identifying issues in workflow configuration
Validating custom actions: Checking composite, Docker, or JavaScript actions
Verifying public actions: Validating usage of actions from GitHub Marketplace
Pre-commit validation: Ensuring workflows are valid before committing

在以下场景中使用该工具：

验证工作流文件：检查
```
.github/workflows/*.yml
```
文件的语法错误和最佳实践
本地测试工作流：推送到GitHub之前，使用
```
act
```
运行工作流
调试工作流失败问题：识别工作流配置中的问题
验证自定义Action：检查复合Action、Docker Action或JavaScript Action
验证公共Action：验证GitHub Marketplace中Action的使用情况
提交前验证：确保提交前工作流是有效的

CRITICAL: Assistant Workflow (MUST FOLLOW)

重要提示：助手工作流（必须遵循）

Every validation MUST follow these steps. Skipping any step is non-compliant.

所有验证必须遵循以下步骤，跳过任何步骤均不符合规范。

Step 1: Run Validation Script

步骤1：运行验证脚本

bash

cd .claude/skills/github-actions-validator
bash scripts/validate_workflow.sh <workflow-file-or-directory>

bash

cd .claude/skills/github-actions-validator
bash scripts/validate_workflow.sh <workflow-file-or-directory>

Step 2: For EACH Error - Consult Reference File

步骤2：针对每个错误 - 查阅参考文件

When actionlint or act reports ANY error, you MUST:

Read the appropriate reference file (see mapping below)
Find the matching error pattern
Extract the fix/solution

当actionlint或act报告任何错误时，你必须：

阅读对应的参考文件（见下方映射表）
找到匹配的错误模式
提取修复方案

Step 3: Quote the Fix to User

步骤3：向用户提供修复方案

For each error, provide:

Error message (from script output)
Explanation (from reference file)
Fix code (quoted from reference file)
Corrected code (applied to user's workflow)

针对每个错误，需提供：

错误信息（来自脚本输出）
错误说明（来自参考文件）
修复代码（引用自参考文件）
修正后的代码（应用到用户的工作流中）

Step 4: Verify Public Actions (if present)

步骤4：验证公共Action（如果存在）

For any public actions (

uses: owner/action@version

First check
references/action_versions.md
for known actions and versions

Use web search for unknown actions:

"[action-name] [version] github action documentation"

Verify required inputs match
Check for deprecation warnings

对于任何公共Action（格式：

uses: owner/action@version

）：

首先查看
references/action_versions.md
，查找已知Action及其版本

使用网络搜索查询未知Action：

"[action-name] [version] github action documentation"

验证必填输入是否匹配
检查是否有弃用警告

Step 5: Provide Complete Summary

步骤5：提供完整总结

After all errors are addressed:

List all fixes applied
Note any warnings
Recommend best practices from
```
references/
```

解决所有错误后：

列出所有已应用的修复
记录任何警告信息
推荐
```
references/
```
目录中的最佳实践

Error Type to Reference File Mapping

错误类型与参考文件映射表

Error Pattern in Output	Reference File to Read	Section to Quote
`runs-on:` , `runner` , `ubuntu` , `macos` , `windows`	`references/runners.md`	Runner labels
`cron` , `schedule`	`references/common_errors.md`	Schedule Errors
`${{` , `expression` , `if:`	`references/common_errors.md`	Expression Errors
`needs:` , `job` , `dependency`	`references/common_errors.md`	Job Configuration Errors
`uses:` , `action` , `input`	`references/common_errors.md`	Action Errors
`untrusted` , `injection` , `security`	`references/common_errors.md`	Script Injection section
`syntax` , `yaml` , `unexpected`	`references/common_errors.md`	Syntax Errors
`docker` , `container`	`references/act_usage.md`	Troubleshooting
`@v3` , `@v4` , `deprecated` , `outdated`	`references/action_versions.md`	Version table
`workflow_call` , `reusable` , `oidc`	`references/modern_features.md`	Relevant section
`glob` , `path` , `paths:` , `pattern`	`references/common_errors.md`	Path Filter Errors

输出中的错误模式	需阅读的参考文件	需引用的章节
`runs-on:` , `runner` , `ubuntu` , `macos` , `windows`	`references/runners.md`	Runner标签
`cron` , `schedule`	`references/common_errors.md`	调度错误
`${{` , `expression` , `if:`	`references/common_errors.md`	表达式错误
`needs:` , `job` , `dependency`	`references/common_errors.md`	任务配置错误
`uses:` , `action` , `input`	`references/common_errors.md`	Action错误
`untrusted` , `injection` , `security`	`references/common_errors.md`	脚本注入章节
`syntax` , `yaml` , `unexpected`	`references/common_errors.md`	语法错误
`docker` , `container`	`references/act_usage.md`	故障排除
`@v3` , `@v4` , `deprecated` , `outdated`	`references/action_versions.md`	版本表
`workflow_call` , `reusable` , `oidc`	`references/modern_features.md`	相关章节
`glob` , `path` , `paths:` , `pattern`	`references/common_errors.md`	路径过滤错误

Example: Complete Error Handling Workflow

示例：完整错误处理流程

User's workflow has this error:

runs-on: ubuntu-lastest

Step 1 - Script output:

label "ubuntu-lastest" is unknown

Step 2 - Read
references/runners.md
or
references/common_errors.md
: Find the "Invalid Runner Label" section.

Step 3 - Quote the fix to user:

Error:

label "ubuntu-lastest" is unknown

Cause: Typo in runner label (from

references/common_errors.md

yaml

# Bad
runs-on: ubuntu-lastest  # Typo

Fix (from

references/common_errors.md

yaml

# Good
runs-on: ubuntu-latest

Valid runner labels (from

references/runners.md

```
ubuntu-latest
```
,
```
ubuntu-24.04
```
,
```
ubuntu-22.04
```
```
windows-latest
```
,
```
windows-2025
```
,
```
windows-2022
```
```
macos-latest
```
,
```
macos-15
```
,
```
macos-14
```

Step 4 - Provide corrected code:

yaml

runs-on: ubuntu-latest

用户的工作流存在以下错误：

runs-on: ubuntu-lastest

步骤1 - 脚本输出：

label "ubuntu-lastest" is unknown

步骤2 - 阅读
references/runners.md
或
references/common_errors.md
：找到“无效Runner标签”章节。

步骤3 - 向用户提供修复方案：

错误：
label "ubuntu-lastest" is unknown
原因： Runner标签存在拼写错误（来自
references/common_errors.md
）：
yaml
# 错误写法
runs-on: ubuntu-lastest  # 拼写错误
修复方案（来自
references/common_errors.md
）：
yaml
# 正确写法
runs-on: ubuntu-latest
有效Runner标签（来自
references/runners.md
）：
ubuntu-latest
,
ubuntu-24.04
,
ubuntu-22.04
windows-latest
,
windows-2025
,
windows-2022
macos-latest
,
macos-15
,
macos-14

步骤4 - 提供修正后的代码：

yaml

runs-on: ubuntu-latest

Quick Start

快速开始

Initial Setup

初始设置

bash

cd .claude/skills/github-actions-validator
bash scripts/install_tools.sh

This installs act (local workflow execution) and actionlint (static analysis) to

scripts/.tools/

bash

cd .claude/skills/github-actions-validator
bash scripts/install_tools.sh

该脚本会将act（本地工作流执行工具）和actionlint（静态分析工具）安装到

scripts/.tools/

目录。

Basic Validation

基础验证

bash

undefined

bash

undefined

Validate a single workflow

验证单个工作流

bash scripts/validate_workflow.sh .github/workflows/ci.yml

Validate all workflows

验证所有工作流

bash scripts/validate_workflow.sh .github/workflows/

Lint-only (fastest)

仅检查语法（最快）

bash scripts/validate_workflow.sh --lint-only .github/workflows/ci.yml

Test-only with act (requires Docker)

仅使用act测试（需要Docker）

bash scripts/validate_workflow.sh --test-only .github/workflows/

undefined

bash scripts/validate_workflow.sh --test-only .github/workflows/

undefined

Core Validation Workflow

核心验证流程

1. Static Analysis with actionlint

1. 使用actionlint进行静态分析

Start with static analysis to catch syntax errors and common issues:

bash

bash scripts/validate_workflow.sh --lint-only .github/workflows/ci.yml

What actionlint checks: YAML syntax, schema compliance, expression syntax, runner labels, action inputs/outputs, job dependencies, CRON syntax, glob patterns, shell scripts, security vulnerabilities.

首先通过静态分析捕获语法错误和常见问题：

bash

bash scripts/validate_workflow.sh --lint-only .github/workflows/ci.yml

actionlint检查内容： YAML语法、 schema合规性、表达式语法、Runner标签、Action输入/输出、任务依赖、CRON语法、glob模式、Shell脚本、安全漏洞。

2. Local Testing with act

2. 使用act进行本地测试

After passing static analysis, test workflow execution:

bash

bash scripts/validate_workflow.sh --test-only .github/workflows/

Note: act has limitations - see

references/act_usage.md

通过静态分析后，测试工作流执行情况：

bash

bash scripts/validate_workflow.sh --test-only .github/workflows/

注意： act存在局限性 - 详见

references/act_usage.md

。

3. Full Validation

3. 完整验证

bash

bash scripts/validate_workflow.sh .github/workflows/ci.yml

bash

bash scripts/validate_workflow.sh .github/workflows/ci.yml

Validating Resource Types

验证资源类型

Workflows

工作流

bash

undefined

bash

undefined

Single workflow

单个工作流

bash scripts/validate_workflow.sh .github/workflows/ci.yml

All workflows

所有工作流

bash scripts/validate_workflow.sh .github/workflows/


**Key validation points:** triggers, job configurations, runner labels, environment variables, secrets, conditionals, matrix strategies.

bash scripts/validate_workflow.sh .github/workflows/


**关键验证点：** 触发器、任务配置、Runner标签、环境变量、密钥、条件判断、矩阵策略。

Custom Local Actions

自定义本地Action

Create a test workflow that uses the custom action, then validate:

bash

bash scripts/validate_workflow.sh .github/workflows/test-custom-action.yml

创建一个使用该自定义Action的测试工作流，然后进行验证：

bash

bash scripts/validate_workflow.sh .github/workflows/test-custom-action.yml

Public Actions

公共Action

When workflows use public actions (e.g.,

actions/checkout@v6

Use web search to find action documentation
Verify required inputs and version
Check for deprecation warnings
Run validation script

Search format:

"[action-name] [version] github action documentation"

当工作流使用公共Action（例如

actions/checkout@v6

）时：

使用网络搜索查找Action文档
验证必填输入和版本
检查是否有弃用警告
运行验证脚本

搜索格式：

"[action-name] [version] github action documentation"

Reference File Consultation Guide

参考文件查阅指南

MANDATORY Reference Consultation

必须查阅的参考文件

Situation	Reference File	Action
actionlint reports ANY error	`references/common_errors.md`	Find matching error, quote solution
act fails with Docker error	`references/act_usage.md`	Check Troubleshooting section
act fails but workflow works on GitHub	`references/act_usage.md`	Read Limitations section
User asks about actionlint config	`references/actionlint_usage.md`	Provide examples
User asks about act options	`references/act_usage.md`	Read Advanced Options
Security vulnerability detected	`references/common_errors.md`	Quote fix
Validating action versions	`references/action_versions.md`	Check version table
Using modern features	`references/modern_features.md`	Check syntax examples
Runner questions/errors	`references/runners.md`	Check labels and availability

场景	参考文件	操作
actionlint报告任何错误	`references/common_errors.md`	查找匹配错误，引用解决方案
act因Docker错误失败	`references/act_usage.md`	查看故障排除章节
act失败但GitHub上工作流正常运行	`references/act_usage.md`	查看局限性章节
用户询问actionlint配置	`references/actionlint_usage.md`	提供示例
用户询问act选项	`references/act_usage.md`	查看高级选项
检测到安全漏洞	`references/common_errors.md`	引用修复方案
验证Action版本	`references/action_versions.md`	查看版本表
使用现代功能	`references/modern_features.md`	查看语法示例
Runner相关问题/错误	`references/runners.md`	查看标签和可用性

Script Output to Reference Mapping

脚本输出与参考文件映射

Output Category	Reference File
`[SYNTAX]`	`common_errors.md` - Syntax Errors
`[EXPRESSION]`	`common_errors.md` - Expression Errors
`[ACTION]`	`common_errors.md` - Action Errors
`[SCHEDULE]`	`common_errors.md` - Schedule Errors
`[SECURITY]`	`common_errors.md` - Security section
`[DOCKER]`	`act_usage.md` - Troubleshooting
`[ACT-LIMIT]`	`act_usage.md` - Limitations

输出类别	参考文件
`[SYNTAX]`	`common_errors.md` - 语法错误
`[EXPRESSION]`	`common_errors.md` - 表达式错误
`[ACTION]`	`common_errors.md` - Action错误
`[SCHEDULE]`	`common_errors.md` - 调度错误
`[SECURITY]`	`common_errors.md` - 安全章节
`[DOCKER]`	`act_usage.md` - 故障排除
`[ACT-LIMIT]`	`act_usage.md` - 局限性

Reference Files Summary

参考文件摘要

File	Content
`references/act_usage.md`	Act tool usage, commands, options, limitations, troubleshooting
`references/actionlint_usage.md`	Actionlint validation categories, configuration, integration
`references/common_errors.md`	Common errors catalog with fixes
`references/action_versions.md`	Current action versions, deprecation timeline, SHA pinning
`references/modern_features.md`	Reusable workflows, SBOM, OIDC, environments, containers
`references/runners.md`	GitHub-hosted runners (ARM64, GPU, M2 Pro, deprecations)

文件	内容
`references/act_usage.md`	Act工具使用方法、命令、选项、局限性、故障排除
`references/actionlint_usage.md`	Actionlint验证类别、配置、集成
`references/common_errors.md`	常见错误目录及修复方案
`references/action_versions.md`	当前Action版本、弃用时间线、SHA固定
`references/modern_features.md`	可复用工作流、SBOM、OIDC、环境、容器
`references/runners.md`	GitHub托管的Runner（ARM64、GPU、M2 Pro、弃用信息）

Troubleshooting

故障排除

Issue	Solution
"Tools not found"	Run `bash scripts/install_tools.sh`
"Docker daemon not running"	Start Docker or use `--lint-only`
"Permission denied"	Run `chmod +x scripts/*.sh`
act fails but GitHub works	See `references/act_usage.md` Limitations

问题	解决方案
"Tools not found"	运行 `bash scripts/install_tools.sh`
"Docker daemon not running"	启动Docker或使用 `--lint-only`
"Permission denied"	运行 `chmod +x scripts/*.sh`
act失败但GitHub上正常	查看 `references/act_usage.md` 的局限性章节

Debug Mode

调试模式

bash

actionlint -verbose .github/workflows/ci.yml  # Verbose actionlint
act -v                                         # Verbose act
act -n                                         # Dry-run (no execution)

bash

actionlint -verbose .github/workflows/ci.yml  # 详细输出actionlint信息
act -v                                         # 详细输出act信息
act -n                                         # 空运行（不执行）

Best Practices

最佳实践

Always validate locally first - Catch errors before pushing
Use actionlint in CI/CD - Automate validation in pipelines
Pin action versions - Use
```
@v6
```
not
```
@main
```
for stability; SHA pinning for security
Keep tools updated - Regularly update actionlint and act
Use web search for unknown actions - Verify usage with documentation
Check version compatibility - See
```
references/action_versions.md
```
Enable shellcheck - Catch shell script issues early
Review security warnings - Address script injection issues

始终先在本地验证 - 推送前捕获错误
在CI/CD中使用actionlint - 在流水线中自动执行验证
固定Action版本 - 使用
```
@v6
```
而非
```
@main
```
以保证稳定性；使用SHA固定版本提升安全性
保持工具更新 - 定期更新actionlint和act
对未知Action使用网络搜索 - 查阅文档验证使用方法
检查版本兼容性 - 详见
```
references/action_versions.md
```
启用shellcheck - 及早发现Shell脚本问题
查看安全警告 - 解决脚本注入问题

Limitations

局限性

act limitations: Not all GitHub Actions features work locally
Docker requirement: act requires Docker to be running
Network actions: Some GitHub API actions may fail locally
Private actions: Cannot validate without access
Runtime behavior: Static analysis cannot catch all issues
File location: act can only validate workflows in
```
.github/workflows/
```
directory; files outside (like
```
examples/
```
) can only be validated with actionlint

act局限性：并非所有GitHub Actions功能都能在本地运行
Docker依赖：act需要Docker处于运行状态
网络Action：部分GitHub API Action可能在本地运行失败
私有Action：无访问权限时无法验证
运行时行为：静态分析无法捕获所有问题
文件位置：act仅能验证
```
.github/workflows/
```
目录中的工作流；该目录外的文件（如
```
examples/
```
）仅能通过actionlint验证

Quick Examples

快速示例

Example 1: Pre-commit Validation

示例1：提交前验证

bash

cd .claude/skills/github-actions-validator
bash scripts/validate_workflow.sh .github/workflows/
git add .github/workflows/ && git commit -m "Update workflows"

bash

cd .claude/skills/github-actions-validator
bash scripts/validate_workflow.sh .github/workflows/
git add .github/workflows/ && git commit -m "Update workflows"

Example 2: Debug Failing Workflow

示例2：调试失败的工作流

bash

bash scripts/validate_workflow.sh --lint-only .github/workflows/failing.yml

bash

bash scripts/validate_workflow.sh --lint-only .github/workflows/failing.yml

Fix issues

修复问题

bash scripts/validate_workflow.sh .github/workflows/failing.yml

undefined

bash scripts/validate_workflow.sh .github/workflows/failing.yml

undefined

Complete Worked Example: Multi-Error Workflow

完整示例：多错误工作流修复

This example demonstrates the full assistant workflow for handling multiple errors.

本示例展示处理多个错误的完整助手流程。

User's Problematic Workflow

用户的问题工作流

yaml

name: Broken CI
on:
  schedule:
    - cron: '0 0 * * 8'  # ERROR 1
jobs:
  build:
    runs-on: ubuntu-lastest  # ERROR 2
    steps:
      - uses: actions/checkout@v3  # ERROR 3 (outdated)
      - run: echo ${{ github.event.issue.title }}  # ERROR 4 (security)
  deploy:
    needs: biuld  # ERROR 5 (typo)
    runs-on: ubuntu-latest
    steps:
      - run: echo "Deploying"

yaml

name: Broken CI
on:
  schedule:
    - cron: '0 0 * * 8'  # 错误1
jobs:
  build:
    runs-on: ubuntu-lastest  # 错误2
    steps:
      - uses: actions/checkout@v3  # 错误3（版本过时）
      - run: echo ${{ github.event.issue.title }}  # 错误4（安全问题）
  deploy:
    needs: biuld  # 错误5（拼写错误）
    runs-on: ubuntu-latest
    steps:
      - run: echo "Deploying"

Step 1: Run Validation

步骤1：运行验证

bash

bash scripts/validate_workflow.sh --lint-only workflow.yml

Output:

[ERROR] invalid CRON format "0 0 * * 8"
[ERROR] label "ubuntu-lastest" is unknown
[WARN] "github.event.issue.title" is potentially untrusted
[ERROR] job "deploy" needs job "biuld" which does not exist

bash

bash scripts/validate_workflow.sh --lint-only workflow.yml

输出：

[ERROR] invalid CRON format "0 0 * * 8"
[ERROR] label "ubuntu-lastest" is unknown
[WARN] "github.event.issue.title" is potentially untrusted
[ERROR] job "deploy" needs job "biuld" which does not exist

Step 2-3: Consult References and Quote Fixes

步骤2-3：查阅参考文件并提供修复方案

Error 1: Invalid CRON Expression

From
references/common_errors.md
- Schedule Errors:

Cause: Day of week 8 doesn't exist (valid: 0-6, where 0 = Sunday)
yaml
# Bad
schedule:
  - cron: '0 0 * * 8'  # Day 8 doesn't exist

# Good
schedule:
  - cron: '0 0 * * 0'  # Sunday
CRON format:
minute hour day month weekday
Weekday: 0-6 (0 = Sunday)

Fix: Change

(Sunday) or

1-6

for Monday-Saturday.

Error 2: Invalid Runner Label

From
references/common_errors.md
- Job Configuration Errors and
references/runners.md
:

Cause: Typo in runner label
yaml
# Bad
runs-on: ubuntu-lastest  # Typo

# Good
runs-on: ubuntu-latest
Valid labels (from
references/runners.md
):
ubuntu-latest
(Ubuntu 24.04)
ubuntu-24.04
,
ubuntu-22.04
macos-latest
(macOS 15)
windows-latest
(Windows Server 2022)

Fix: Change

ubuntu-lastest

ubuntu-latest

Error 3: Outdated Action Version

From
references/action_versions.md
:

Action Current Version Minimum Supported
actions/checkout
v6
v4
SHA Pinning Best Practice:
yaml
# Recommended: SHA pinning with version comment
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3  # v6.0.0

Action	Current Version	Minimum Supported
`actions/checkout`	v6	v4

Fix: Update from

@v3

@v6

(or SHA-pinned version).

Error 4: Security Vulnerability (Script Injection)

From
references/common_errors.md
- Expression Errors:

Warning: Potential script injection via untrusted input
yaml
# Bad - vulnerable to injection
run: echo ${{ github.event.issue.title }}

# Good - use environment variables
env:
  TITLE: ${{ github.event.issue.title }}
run: echo "$TITLE"
Why: Untrusted input (issue titles, PR bodies, commit messages) can contain malicious commands. Using environment variables sanitizes the input.

Fix: Pass untrusted input through environment variable.

Error 5: Undefined Job Dependency

From
references/common_errors.md
- Job Configuration Errors:

Error: Job 'deploy' depends on job 'biuld' which does not exist

yaml

# Bad
jobs:
  build:
    runs-on: ubuntu-latest
  deploy:
    needs: biuld  # Typo

# Good
jobs:
  build:
    runs-on: ubuntu-latest
  deploy:
    needs: build

Fix: Change

biuld

build

错误1：无效CRON表达式

来自
references/common_errors.md
- 调度错误：

原因： 星期值8不存在（有效值：0-6，其中0=周日）
yaml
# 错误写法
schedule:
  - cron: '0 0 * * 8'  # 星期8不存在

# 正确写法
schedule:
  - cron: '0 0 * * 0'  # 周日
CRON格式：
minute hour day month weekday
星期：0-6（0=周日）

修复： 将

改为

（周日）或

1-6

（周一至周六）。

错误2：无效Runner标签

来自
references/common_errors.md
- 任务配置错误和
references/runners.md
：

原因： Runner标签存在拼写错误
yaml
# 错误写法
runs-on: ubuntu-lastest  # 拼写错误

# 正确写法
runs-on: ubuntu-latest
有效标签（来自
references/runners.md
）：
ubuntu-latest
（Ubuntu 24.04）
ubuntu-24.04
,
ubuntu-22.04
macos-latest
（macOS 15）
windows-latest
（Windows Server 2022）

修复： 将

ubuntu-lastest

改为

ubuntu-latest

。

错误3：过时的Action版本

来自
references/action_versions.md
：

Action 当前版本最低支持版本
actions/checkout
v6
v4
SHA固定最佳实践：
yaml
# 推荐写法：SHA固定并添加版本注释
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3  # v6.0.0

Action	当前版本	最低支持版本
`actions/checkout`	v6	v4

修复： 从

@v3

更新为

@v6

（或SHA固定版本）。

错误4：安全漏洞（脚本注入）

来自
references/common_errors.md
- 表达式错误：

警告： 不可信输入可能导致脚本注入
yaml
# 错误写法 - 存在注入风险
run: echo ${{ github.event.issue.title }}

# 正确写法 - 使用环境变量
env:
  TITLE: ${{ github.event.issue.title }}
run: echo "$TITLE"
原因： 不可信输入（如Issue标题、PR内容、提交信息）可能包含恶意命令。使用环境变量可以对输入进行清理。

修复： 通过环境变量传递不可信输入。

错误5：未定义的任务依赖

来自
references/common_errors.md
- 任务配置错误：

错误： 任务'deploy'依赖的任务'biuld'不存在

yaml

# 错误写法
jobs:
  build:
    runs-on: ubuntu-latest
  deploy:
    needs: biuld  # 拼写错误

# 正确写法
jobs:
  build:
    runs-on: ubuntu-latest
  deploy:
    needs: build

修复： 将

biuld

改为

build

。

Step 4: Provide Corrected Workflow

步骤4：提供修正后的工作流

yaml

name: Fixed CI
on:
  schedule:
    - cron: '0 0 * * 0'  # Fixed: Sunday (0-6 valid)
jobs:
  build:
    runs-on: ubuntu-latest  # Fixed: typo corrected
    steps:
      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3  # v6.0.0 - Fixed: updated version
      - name: Process issue
        env:
          TITLE: ${{ github.event.issue.title }}  # Fixed: use env var
        run: echo "$TITLE"
  deploy:
    needs: build  # Fixed: typo corrected
    runs-on: ubuntu-latest
    steps:
      - run: echo "Deploying"

yaml

name: Fixed CI
on:
  schedule:
    - cron: '0 0 * * 0'  # 已修复：周日（有效值0-6）
jobs:
  build:
    runs-on: ubuntu-latest  # 已修复：修正拼写错误
    steps:
      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3  # v6.0.0 - 已修复：更新版本
      - name: 处理Issue
        env:
          TITLE: ${{ github.event.issue.title }}  # 已修复：使用环境变量
        run: echo "$TITLE"
  deploy:
    needs: build  # 已修复：修正拼写错误
    runs-on: ubuntu-latest
    steps:
      - run: echo "Deploying"

Step 5: Summary

步骤5：总结

Error	Type	Fix Applied
CRON `0 0 * * 8`	Schedule	Changed to `0 0 * * 0`
`ubuntu-lastest`	Runner	Changed to `ubuntu-latest`
`checkout@v3`	Outdated Action	Updated to `@v6.0.0` (SHA-pinned)
Direct `${{ }}` in run	Security	Wrapped in environment variable
`needs: biuld`	Job Dependency	Changed to `needs: build`

Recommendations:

Run

bash scripts/validate_workflow.sh --check-versions

regularly

Use SHA pinning for all actions in production workflows
Always pass untrusted input through environment variables

错误	类型	应用的修复
CRON `0 0 * * 8`	调度	改为 `0 0 * * 0`
`ubuntu-lastest`	Runner	改为 `ubuntu-latest`
`checkout@v3`	过时Action	更新为 `@v6.0.0` （SHA固定）
直接在run中使用 `${{ }}`	安全	封装为环境变量
`needs: biuld`	任务依赖	改为 `needs: build`

建议：

定期运行

bash scripts/validate_workflow.sh --check-versions

在生产工作流中对所有Action使用SHA固定版本
始终通过环境变量传递不可信输入

Summary

总结

Setup: Install tools with
```
install_tools.sh
```
Validate: Run
```
validate_workflow.sh
```
on workflow files
Fix: Address issues using reference documentation
Test: Verify locally with act (when possible)
Search: Use web search to verify unknown actions
Commit: Push validated workflows with confidence

For detailed information, consult the appropriate reference file in

references/

设置：使用
```
install_tools.sh
```
安装工具
验证：对工作流文件运行
```
validate_workflow.sh
```
修复：使用参考文档解决问题
测试：尽可能使用act在本地验证
搜索：使用网络搜索验证未知Action
提交：放心推送已验证的工作流

如需详细信息，请查阅

references/

目录中的对应参考文件。