v1.6.0

• Check potentially untrusted inputs to prevent a script injection vulnerability at run: and script input of actions/github-script. See the rule document for more explanations and workflow example. (thanks @azu for the feature request at #19)

Incorrect code

- run: echo '${{ github.event.pull_request.title }}'

should be replaced with

- run: echo "issue ${TITLE}"
  env:
    TITLE: ${{github.event.issue.title}}

• Add -format option to actionlint command. It allows to flexibly format error messages as you like with Go template syntax. See the usage document for more details. (thanks @ybiquitous for the feature request at #20)

Simple example to output error messages as JSON:

actionlint -format '{{json .}}'

More compliated example to output error messages as markdown:

actionlint -format '{{range $ := .}}### Error at line {{$.Line}}, col {{$.Column}} of `{{$.Filepath}}`\n\n{{$.Message}}\n\n```\n{{$.Snippet}}\n```\n\n{{end}}'

• Documents are reorganized. Long README.md is separated into several document files (#28)
  • README.md: Introduction, Quick start, Document links
  • docs/checks.md: Full list of all checks done by actionlint with example inputs, outputs, and playground links
  • docs/install.md: Installation instruction
  • docs/usage.md: Advanced usage of actionlint command, usage of playground, integration with reviewdog, Problem Matchers, super-linter
  • docs/config.md: About configuration file
  • doc/api.md: Using actionlint as Go library
  • doc/reference.md: Links to resources
• Fix checking shell names was not case-insensitive, for example PowerShell was detected as invalid shell name
• Update popular actions data set to the latest
• Make lexer errors on checking ${{ }} expressions more meaningful