GitHub Actions Linter — Catch Broken Workflows Before They Break CI
Validate triggers, jobs, permissions, and step safety in one copy-paste
No signup • Runs in browser • Free
GitHub Actions is the default CI/CD fabric for GitHub-hosted teams, but its workflows are just YAML. A stray indentation,
missing runs-on, or a uses: actions/checkout@master reference can lurk for weeks until you merge to main. The DevToolBox
GitHub Actions Linter runs entirely in your browser and surfaces the most frequent workflow mistakes before they reach CI,
including permissions gaps that can leak secrets.
What the linter checks
| Rule | Why it matters |
| --- | --- |
| Triggers present | A workflow with an empty on: clause never runs, even though it passes code review. |
| jobs + runs-on | Every job needs a label like ubuntu-latest; missing it causes runtime errors like needs a runs-on attribute. |
| Step shape | A step must define either uses: or run:; mixing both is invalid YAML that GitHub rejects. |
| Pinned actions | actions/* calls pinned to @v1 or @master are deprecated. The linter inserts an inline comment reminding you to bump the version. |
| Secrets permissions | Referencing ${{ secrets.* }} without a permissions: block (workflow or job level) blocks deployments in hardened orgs. |
| Shell injection | Directly interpolating ${{ github.event.* }} into shell commands is a common attack path. |
| Naming hygiene | Missing name: values on jobs and steps cause noisy run logs. The linter adds smart defaults in the fixed YAML tab. |
Each issue is labeled with a rule number, severity (error vs warning), and a line number so you can fix it in place. When fixes are possible—such as
adding name: fields or tagging outdated uses: references—the Fixed YAML tab shows the updated manifest ready to copy.
Fast feedback loop
- Paste any .github/workflows/*.yml content into the textarea.
- Click Run Linter. The banner up top flips between Pass, Review, or Fail in under a second.
- Errors appear in red, warnings in amber. Hover the copy-ready Fixed YAML tab to see the suggested patch.
- Copy the output back into your repo or share the auto-generated link with your teammates. The tool encodes state in the URL so reviewers see the same input.
Because everything executes in the browser, no workflow data ever leaves your machine. Shareable URLs plus the "Copy link" button in the header make it easy to pass findings around with context.
Harden your CI pipelines
Beyond pre-commit linting, pair the GitHub Actions Linter with these habits:
- Pull request gates. Drop the linter into a pre-merge checklist alongside npm run lint. Catching missing permissions before CI saves hours.
- Security reviews. The shell-injection heuristic highlights scripts that interpolate webhook payloads directly. Move them into env vars or sanitize inputs.
- Platform migrations. When GitHub deprecates image labels (for example, Ubuntu 20.04), the linter’s runs-on checks remind you to stay current.
- Documentation. Export the fixed YAML and commit it to your repo to standardize structure: pinned actions, job names, probe-friendly formatting.
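
The shell-injection rule and the env-var fix from the Security reviews item, as an added example (not the DevToolBox linter's own code): a line-based scan that flags ${{ github.event.* }} inside run: commands, including multi-line scripts, and leaves the same expression alone when it is bound under env:. The function name and the sample workflow are constructed for illustration.

```javascript
// Added example, not the DevToolBox linter's source. Names and sample are constructed.
const EVENT_EXPR = /\$\{\{\s*github\.event\.[^}]*\}\}/;

// Returns [{ line, text }] for every run: command line that interpolates
// a github.event.* expression directly into the shell script.
function findShellInjection(yamlText) {
  const findings = [];
  let blockIndent = -1; // column of the run: key while inside its block scalar
  yamlText.split('\n').forEach((line, i) => {
    const indent = line.search(/\S/);
    if (indent === -1) return; // blank lines do not end a block scalar
    if (blockIndent >= 0) {
      if (indent > blockIndent) { // still inside the multi-line script
        if (EVENT_EXPR.test(line)) findings.push({ line: i + 1, text: line.trim() });
        return;
      }
      blockIndent = -1; // dedent: the script ended, re-examine this line as a key
    }
    const m = line.match(/^(\s*(?:-\s+)?)run:\s*(.*)$/);
    if (!m) return; // env:, with:, name: and other keys are not script text
    if (/^[|>]/.test(m[2])) {
      blockIndent = m[1].length; // run: | or run: > starts a multi-line script
    } else if (EVENT_EXPR.test(m[2])) {
      findings.push({ line: i + 1, text: m[2] });
    }
  });
  return findings;
}

// Constructed workflow: two unsafe steps, then the env-var pattern.
const SAMPLE = [
  'on: issues',
  'jobs:',
  '  triage:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - name: Unsafe inline',
  '        run: echo "${{ github.event.issue.title }}"',
  '      - name: Unsafe block',
  '        run: |',
  '          echo "start"',
  '          echo "${{ github.event.comment.body }}"',
  '      - name: Safe, value passed through env',
  '        env:',
  '          TITLE: ${{ github.event.issue.title }}',
  '        run: echo "$TITLE"',
].join('\n');

console.log(findShellInjection(SAMPLE));
```

The last step is not reported because the expression is expanded into an environment variable, so the shell receives the payload as data rather than as script text.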
Ready to stop shipping broken workflows? Open the GitHub Actions Linter, paste your YAML, and let the browser do the review.