Commit 097f89d
Add CI check rejecting \${{ secrets.* }} in action manifests
GitHub's action manifest loader parses every field of an action.yml for
\${{ ... }} template expressions and rejects any whose context isn't
available at load time, including occurrences inside description
docstrings. The \$\${{ escape documented for workflow expressions does
not apply at the manifest-loader layer.
The new `manifest-template-check` CI job greps every action.yml for
\${{ ...secrets.* ... }} patterns and fails the build if any are found.
Regression-proofs against the same bug we hit twice today.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>1 parent 106b1b5 commit 097f89d
1 file changed
Lines changed: 24 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
41 | 41 | | |
42 | 42 | | |
43 | 43 | | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
44 | 68 | | |
45 | 69 | | |
46 | 70 | | |
| |||
0 commit comments