Summary
The extension validates workflow YAML against the schema, but many mistakes only surface after `git push` triggers a runner:

- `runs-on:` referencing a self-hosted label that has no online runner
- `uses: owner/repo@ref` where `ref` no longer resolves (deleted tag/branch, moved SHA)
- `secrets: inherit` on a reusable workflow whose caller does not actually inherit
- `permissions:` narrower than what a step needs (e.g. `contents: read` + a step that pushes)
- `if:` expression referencing a context that is empty for the trigger (e.g. `github.event.pull_request.*` on `push`)

Each case validates green locally, then burns a runner minute and a red X on the PR.
Proposal
A "runtime-plausibility" pass, opt-in (`github-actions.runtimeChecks.enabled`), that runs alongside schema validation and surfaces Information-level diagnostics for:

- Unresolvable `uses:` refs (HEAD probe via the authenticated session already used for the API tree)
- `runs-on:` labels not present in the repo's runner list
- `permissions:` narrower than the union of permissions declared by any resolvable action's `action.yml`
- Context references that are empty for the declared `on:` triggers

None block save; all are dismissible. Runs on open + on save, cached by workflow-file hash.
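The shape of such a pass, as an added example (not the extension's code, and not from nektos/act): it takes a workflow already parsed into a dict, and an `env` dict that stands in for the three things the real pass would fetch (the repo's online runner labels, HEAD-probe results per `uses:` ref, and the permissions each resolvable action declares). The sample workflow and environment are constructed here; the hosted-runner label set and the treatment of an absent `permissions:` key as "unknown, skip" are assumptions. `secrets: inherit` is not checked, since it depends on the caller.

```python
"""Runtime-plausibility lint for GitHub Actions workflows (added example).

The workflow arrives already parsed (a dict, as PyYAML would produce it);
``env`` stands in for the runner list, HEAD probes and action.yml lookups.
Everything below is constructed sample data, not a real repository.
"""
import re
from typing import Any, List, Tuple

Diag = Tuple[str, str, str]  # (job id, check name, message); all Information-level

HOSTED_LABELS = {"ubuntu-latest", "windows-latest", "macos-latest"}  # assumption: never probed
PR_CONTEXT = re.compile(r"\bgithub\.event\.pull_request\b")
PR_TRIGGERS = {"pull_request", "pull_request_target"}
PERM_RANK = {"none": 0, "read": 1, "write": 2}
REMOTE_USES = re.compile(r"^[\w.-]+/[\w.-]+(/[^@]*)?@.+$")  # owner/repo[/path]@ref only


def _triggers(on: Any) -> set:
    """'on:' may be a string, a list, or a mapping of event -> filters."""
    if isinstance(on, str):
        return {on}
    if isinstance(on, (list, dict)):
        return set(on)
    return set()


def _labels(runs_on: Any) -> List[str]:
    """'runs-on:' may be one label, a label list, or {group:, labels:}."""
    if isinstance(runs_on, str):
        return [runs_on]
    if isinstance(runs_on, list):
        return [str(x) for x in runs_on]
    if isinstance(runs_on, dict):
        labels = runs_on.get("labels", [])
        return [labels] if isinstance(labels, str) else [str(x) for x in labels]
    return []


def _effective_perm(perms: Any, scope: str) -> str:
    """Level a job actually holds for one scope, honouring the *-all shorthands."""
    if perms == "read-all":
        return "read"
    if perms == "write-all":
        return "write"
    if isinstance(perms, dict):
        return str(perms.get(scope, "none"))
    return "none"


def runtime_plausibility(workflow: dict, env: dict) -> List[Diag]:
    diags: List[Diag] = []
    # YAML 1.1 loaders (PyYAML included) parse a bare `on:` key as boolean True.
    triggers = _triggers(workflow.get("on", workflow.get(True, {})))
    for job_id, job in (workflow.get("jobs") or {}).items():
        # 1. runs-on labels without an online runner
        for label in _labels(job.get("runs-on")):
            if label not in HOSTED_LABELS and label not in env["online_runner_labels"]:
                diags.append((job_id, "runs-on", f"no online runner carries label {label!r}"))
        perms = job.get("permissions", workflow.get("permissions"))  # None: not declared, skip
        conditions = [job.get("if")]
        for step in job.get("steps") or []:
            conditions.append(step.get("if"))
            uses = step.get("uses")
            if not uses or not REMOTE_USES.match(uses):
                continue  # ./local and docker:// actions are not probed
            # 2. unresolvable refs (env stands in for the HEAD probe result)
            if uses not in env["resolvable_refs"]:
                diags.append((job_id, "uses", f"{uses!r} does not resolve (deleted ref or moved SHA)"))
                continue
            # 3. permissions narrower than what the action declares it needs
            if perms is not None:
                for scope, needed in env["action_permissions"].get(uses, {}).items():
                    have = _effective_perm(perms, scope)
                    if PERM_RANK.get(have, 0) < PERM_RANK.get(needed, 0):
                        diags.append((job_id, "permissions",
                                      f"{uses!r} needs {scope}: {needed}, job has {scope}: {have}"))
        # 4. if: expressions reading pull_request context on non-PR triggers
        if not triggers & PR_TRIGGERS:
            for expr in conditions:
                if isinstance(expr, str) and PR_CONTEXT.search(expr):
                    diags.append((job_id, "if",
                                  f"{expr!r} reads github.event.pull_request, empty for {sorted(triggers)}"))
    return diags


# Constructed sample: schema-valid, but hits four of the failure modes above.
SAMPLE_WORKFLOW = {
    "name": "ci",
    "on": ["push"],
    "permissions": {"contents": "read"},
    "jobs": {"build": {
        "runs-on": ["self-hosted", "gpu"],
        "steps": [
            {"uses": "actions/checkout@v4"},
            {"uses": "acme/deploy@v1.2.3", "if": "github.event.pull_request.draft == false"},
            {"uses": "acme/release@v0.9.0"},
        ],
    }},
}
# Constructed stand-ins for the runner list, HEAD-probe results and action.yml permissions.
SAMPLE_ENV = {
    "online_runner_labels": {"self-hosted", "linux", "x64"},
    "resolvable_refs": {"actions/checkout@v4", "acme/deploy@v1.2.3"},
    "action_permissions": {"acme/deploy@v1.2.3": {"contents": "write", "id-token": "write"}},
}

if __name__ == "__main__":
    for job, check, msg in runtime_plausibility(SAMPLE_WORKFLOW, SAMPLE_ENV):
        print(f"[info] {job}: {check}: {msg}")
```

Each diagnostic is a plain tuple so the caller can map it onto an Information-level `Diagnostic` at the offending key; the pass touches the network only through `env`, which is what makes it cacheable by workflow-file hash.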
Why not act / nektos
`act` runs the whole workflow in Docker; this is a static, seconds-scale lint. Complementary, not overlapping.
Related