Feature: warn when workflow YAML validates but would fail at runtime (schema vs runner gap) #611

Description

@chirag127

Summary

Extension validates workflow YAML against the schema, but many mistakes only surface after git push triggers a runner:

  • runs-on: referencing a self-hosted label that has no online runner
  • uses: owner/repo@ref where ref no longer resolves (deleted tag/branch, moved SHA)
  • secrets: inherit on a reusable workflow whose caller does not actually inherit
  • permissions: narrower than what a step needs (e.g. contents: read + a step that pushes)
  • if: expression referencing a context that is empty for the trigger (e.g. github.event.pull_request.* on push)

Each case validates green locally, then burns a runner minute and a red X on the PR.

Proposal

A "runtime-plausibility" pass, opt-in (github-actions.runtimeChecks.enabled), that runs alongside schema validation and surfaces Information-level diagnostics for:

  1. Unresolvable uses: refs (HEAD probe via the authenticated session already used for the API tree)
  2. runs-on: labels not present in the repo's runner list
  3. permissions: narrower than the union of permissions declared by any resolvable action's action.yml
  4. Context references that are empty for the declared on: triggers

None block save; all are dismissible. Runs on open + on save, cached by workflow-file hash.
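To make the four checks concrete, here is an added example of the static pass described above (this is illustration code, not code from the extension or from the issue author). It works on the plain dict that yaml.safe_load() returns for a workflow file, and it takes the self-hosted runner label list and the ref resolver as injected inputs so it runs offline; in the extension those would be backed by the repo's runner API and the HEAD probe through the authenticated session. The per-action permission table, the context-to-event table and the sample workflow are all constructed for the example.

```python
"""Static "runtime-plausibility" lint for an already-parsed GitHub Actions workflow.

Added example, not the extension's code. `workflow` is the dict yaml.safe_load()
yields; `online_labels` and `ref_resolves` are injected so this runs offline.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Diagnostic:
    check: str        # which plausibility check fired
    location: str     # dotted path into the workflow document
    message: str
    severity: str = "Information"   # never blocks save


HOSTED_LABELS = {"ubuntu-latest", "windows-latest", "macos-latest"}  # always have capacity
# Constructed table: which events populate a given github.event.* sub-context.
CONTEXT_EVENTS = {
    "github.event.pull_request": {"pull_request", "pull_request_target"},
    "github.event.issue": {"issues", "issue_comment"},
    "github.event.release": {"release"},
}
CONTEXT_RE = re.compile(r"github\.event\.(?:pull_request|issue|release)\b")
USES_RE = re.compile(r"^(?P<repo>[\w.-]+/[\w.-]+)(?:/[^@]*)?@(?P<ref>.+)$")
# Constructed stand-in for the proposal's per-action permission source.
ACTION_NEEDS = {"actions/checkout": {"contents": "read"}}
RUN_NEEDS = [(re.compile(r"\bgit\s+push\b"), {"contents": "write"})]
LEVEL = {"none": 0, "read": 1, "write": 2}


def triggers(workflow):
    """Event names under `on:`. PyYAML (YAML 1.1) reads the bare key `on` as
    boolean True, so accept both spellings of the key."""
    on = workflow.get("on", workflow.get(True))
    return {on} if isinstance(on, str) else set(on or ())


def check_runs_on(workflow, online_labels):
    """Every non-hosted label must be carried by some online self-hosted runner
    (checked per label, a relaxation of 'one runner with all labels')."""
    out = []
    for name, job in workflow.get("jobs", {}).items():
        labels = job.get("runs-on") or []
        labels = [labels] if isinstance(labels, str) else list(labels)
        missing = [l for l in labels if l not in HOSTED_LABELS and l not in online_labels
                   and not l.startswith("${{")]      # expressions are unknown until runtime
        if missing:
            out.append(Diagnostic("runs-on", f"jobs.{name}.runs-on",
                                  f"no online runner provides label(s) {missing}"))
    return out


def check_uses(workflow, ref_resolves):
    """owner/repo@ref must still resolve; ./local and docker:// refs never match USES_RE."""
    out = []
    for jname, job in workflow.get("jobs", {}).items():
        for i, step in enumerate(job.get("steps", [])):
            uses = step.get("uses", "")
            m = USES_RE.match(uses)
            if m and not ref_resolves(m["repo"], m["ref"]):
                out.append(Diagnostic("uses", f"jobs.{jname}.steps[{i}].uses",
                                      f"{uses}: ref {m['ref']!r} does not resolve"))
    return out


def check_contexts(workflow):
    """Flag github.event.* references that no declared trigger ever populates."""
    on, out = triggers(workflow), []
    for jname, job in workflow.get("jobs", {}).items():
        exprs = [("if", job.get("if"))]
        exprs += [(f"steps[{i}].if", s.get("if")) for i, s in enumerate(job.get("steps", []))]
        for where, expr in exprs:
            for ctx in sorted(set(CONTEXT_RE.findall(str(expr or "")))):
                if not on & CONTEXT_EVENTS[ctx]:
                    out.append(Diagnostic("context", f"jobs.{jname}.{where}",
                                          f"{ctx} is empty for every declared trigger {sorted(on)}"))
    return out


def effective_permissions(workflow, job):
    """A job-level `permissions:` block replaces the workflow-level one entirely;
    unlisted scopes are then `none`. No block at all means the repo default token,
    which is unknown statically, so the check is skipped (None)."""
    perms = job.get("permissions", workflow.get("permissions"))
    if isinstance(perms, str):                       # shorthand: read-all / write-all
        return {"*": perms.split("-")[0]}
    return perms


def check_permissions(workflow):
    out = []
    for jname, job in workflow.get("jobs", {}).items():
        granted = effective_permissions(workflow, job)
        if granted is None:
            continue
        for i, step in enumerate(job.get("steps", [])):
            m = USES_RE.match(step.get("uses", ""))
            needs = dict(ACTION_NEEDS.get(m["repo"], {})) if m else {}
            for pattern, want in RUN_NEEDS:
                if pattern.search(step.get("run", "")):
                    needs.update(want)
            for scope, level in needs.items():
                have = granted.get(scope, granted.get("*", "none"))
                if LEVEL[have] < LEVEL[level]:
                    out.append(Diagnostic("permissions", f"jobs.{jname}.steps[{i}]",
                                          f"needs {scope}: {level} but token has {scope}: {have}"))
    return out


def run_all(workflow, online_labels, ref_resolves):
    return (check_uses(workflow, ref_resolves) + check_runs_on(workflow, online_labels)
            + check_permissions(workflow) + check_contexts(workflow))


# Constructed sample: what safe_load() yields for a small workflow that passes the schema.
SAMPLE_WORKFLOW = {
    "name": "ci",
    True: ["push"],                       # the bare `on:` key, as PyYAML parses it
    "permissions": {"contents": "read"},
    "jobs": {"build": {
        "runs-on": ["self-hosted", "gpu"],
        "if": "github.event.pull_request.draft == false",
        "steps": [{"uses": "actions/checkout@v4"},
                  {"uses": "example-org/tagger@v9.9.9"},
                  {"run": "git push origin HEAD:release"}],
    }},
}
ONLINE_SELF_HOSTED = {"self-hosted", "linux", "x64"}   # constructed runner list: no "gpu"


def resolves(repo, ref):
    """Constructed resolver standing in for the HEAD probe."""
    return not (repo == "example-org/tagger" and ref == "v9.9.9")


if __name__ == "__main__":
    for d in run_all(SAMPLE_WORKFLOW, ONLINE_SELF_HOSTED, resolves):
        print(f"{d.severity}: {d.location}: {d.message}")
```

On the sample workflow all four checks fire once: the missing `gpu` label, the unresolvable `example-org/tagger@v9.9.9` ref, `git push` under `contents: read`, and a `github.event.pull_request` reference in a workflow that only triggers on `push`. The context check only fires when no declared trigger populates the context, so a workflow triggered on both `push` and `pull_request` is not flagged, which keeps the pass on the low-noise side the proposal asks for.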

Why not act / nektos

act runs the whole workflow in Docker; this is a static, seconds-scale lint. Complementary, not overlapping.

Related
