Update module github.com/rhysd/actionlint to v1.7.7 (#791)

viceice-bot · earl-warren · commit 5285f39e6b4b · 2025-08-02T17:56:34.000Z
This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) | `v1.6.27` -> `v1.7.7` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2frhysd%2factionlint/v1.7.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2frhysd%2factionlint/v1.6.27/v1.7.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>rhysd/actionlint (github.com/rhysd/actionlint)</summary> ### [`v1.7.7`](https://github.com/rhysd/actionlint/blob/HEAD/CHANGELOG.md#v177---2025-01-19) [Compare Source](rhysd/actionlint@v1.7.6...v1.7.7) - Support runner labels for [Linux arm64 hosted runners](https://github.blog/changelog/2025-01-16-linux-arm64-hosted-runners-now-available-for-free-in-public-repositories-public-preview/). ([#&#8203;503](rhysd/actionlint#503), [#&#8203;504](rhysd/actionlint#504), thanks [@&#8203;martincostello](https://github.com/martincostello)) - `ubuntu-24.04-arm` - `ubuntu-22.04-arm` - Update Go dependencies to the latest. - Update the popular actions data set to the latest. - Add Linux arm64 job to the CI workflow. Now actionlint is tested on the platform. ([#&#8203;507](rhysd/actionlint#507), thanks [@&#8203;cclauss](https://github.com/cclauss)) \[Changes]\[v1.7.7] <a id="v1.7.6"></a> ### [`v1.7.6`](https://github.com/rhysd/actionlint/blob/HEAD/CHANGELOG.md#v176---2025-01-04) [Compare Source](rhysd/actionlint@v1.7.5...v1.7.6) - Using contexts at specific workflow keys is incorrectly reported as not allowed. Affected workflow keys are as follows. ([#&#8203;495](rhysd/actionlint#495), [#&#8203;497](rhysd/actionlint#497), [#&#8203;498](rhysd/actionlint#498), [#&#8203;500](rhysd/actionlint#500)) - `jobs.<job_id>.steps.with.args` - `jobs.<job_id>.steps.with.entrypoint` - `jobs.<job_id>.services.<service_id>.env` - Update Go dependencies to the latest. \[Changes]\[v1.7.6] <a id="v1.7.5"></a> ### [`v1.7.5`](https://github.com/rhysd/actionlint/blob/HEAD/CHANGELOG.md#v175---2024-12-28) [Compare Source](rhysd/actionlint@v1.7.4...v1.7.5) - Strictly check available contexts in `${{ }}` placeholders following the ['Context availability' table](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#context-availability) in the official document. - For example, `jobs.<job_id>.defaults.run.shell` allows `env` context but `shell` workflow keys in other places allow no context. ```yaml defaults: run: ``` ### ERROR: No context is available here ``` shell: ${{ env.SHELL }} jobs: test: runs-on: ubuntu-latest defaults: run: ``` ### OK: 'env' context is available here ``` shell: ${{ env.SHELL }} steps: - run: echo hello ``` ### ERROR: No context is available here ```` shell: ${{ env.SHELL}} ``` ```` - Check a string literal passed to `fromJSON()` call. This pattern is [popular](https://github.com/search?q=fromJSON%28%27+lang%3Ayaml\&type=code) to create array or object constants because GitHub Actions does not provide the literal syntax for them. See the [document](https://github.com/rhysd/actionlint/blob/main/docs/checks.md#contexts-and-built-in-functions) for more details. ([#&#8203;464](rhysd/actionlint#464)) ```yaml jobs: test: ``` ### ERROR: Key 'mac' does not exist in the object returned by the fromJSON() ``` runs-on: ${{ fromJSON('{"win":"windows-latest","linux":"ubuntul-latest"}')['mac'] }} steps: - run: echo This is a special branch! ``` ### ERROR: Broken JSON string passed to fromJSON. ``` if: contains(fromJSON('["main","release","dev"'), github.ref_name) ``` ```` - Allow passing command arguments to `-shellcheck` argument. ([#&#8203;483](rhysd/actionlint#483), thanks [@&#8203;anuraaga](https://github.com/anuraaga)) - This is useful when you want to use alternative build of shellcheck like [go-shellcheck](https://github.com/wasilibs/go-shellcheck/). ```sh actionlint -shellcheck="go run github.com/wasilibs/go-shellcheck/cmd/shellcheck@latest" ``` - Support undocumented `repository_visibility`, `artifact_cache_size_limit`, `step_summary`, `output`, `state` properties in `github` context. ([#&#8203;489](rhysd/actionlint#489), thanks [@&#8203;rasa](https://github.com/rasa) for adding `repository_visibility` property) - Remove `macos-12` runner label from known labels because it was [dropped](actions/runner-images#10721) from GitHub-hosted runners on Dec. 3 and is no longer available. - Add `windows-2025` runner label to the known labels. The runner is in [public preview](https://github.blog/changelog/2024-12-19-windows-server-2025-is-now-in-public-preview/). ([#&#8203;491](rhysd/actionlint#491), thanks [@&#8203;ericcornelissen](https://github.com/ericcornelissen)) - Add `black` to the list of colors for `branding.color` action metadata. ([#&#8203;485](rhysd/actionlint#485), thanks [@&#8203;eifinger](https://github.com/eifinger)) - Add `table` to the list of icons for `branding.icon` action metadata. - Fix parsing escaped `{` in `format()` function call's first argument. - Fix the incorrect `join()` function overload. `join(s1: string, s2: string)` was wrongly accepted. - Update popular actions data set to the latest. - Add `download-artifact/v3-node20` to the data set. ([#&#8203;468](rhysd/actionlint#468)) - Fix missing the `reviewdog/action-hadolint@v1` action input. ([#&#8203;487](rhysd/actionlint#487), thanks [@&#8203;mi-wada](https://github.com/mi-wada)) - Link to the documents of the stable version in actionlint `man` page and `-help` output. - Refactor `LintStdin()` API example and some unit tests. ([#&#8203;472](rhysd/actionlint#472), [#&#8203;475](rhysd/actionlint#475), thanks [@&#8203;alexandear](https://github.com/alexandear)) - Improve the configuration example in `actionlint.yaml` document to explain glob patterns for `paths`. ([#&#8203;481](rhysd/actionlint#481)) [Changes][v1.7.5] <a id="v1.7.4"></a> ```` ### [`v1.7.4`](https://github.com/rhysd/actionlint/blob/HEAD/CHANGELOG.md#v174---2024-11-04) [Compare Source](rhysd/actionlint@v1.7.3...v1.7.4) - Disallow the usage of popular actions that run on `node16` runner. The `node16` runner [will reach the end of life on November 12](https://github.blog/changelog/2024-09-25-end-of-life-for-actions-node16/). - In case of the error, please update your actions to the latest version so that they run on the latest `node20` runner. - If you're using self-hosted runner and you cannot upgrade your runner to `node20` soon, please consider to ignore the error by the `paths` configuration described below. - If you're using `actions/upload-artifact@v3` and `actions/download-artifact@v3` on GHES, please replace them with `actions/upload-artifact@v3-node20` and `actions/download-artifact@v3-node20`. ([#&#8203;468](rhysd/actionlint#468)) - Provide the configuration for ignoring errors by regular expressions in `actionlint.yml` (or `actionlint.yaml`). Please see the [document](https://github.com/rhysd/actionlint/blob/v1.7.4/docs/config.md) for more details. ([#&#8203;217](rhysd/actionlint#217), [#&#8203;342](rhysd/actionlint#342)) - The `paths` is a mapping from the file path glob pattern to the corresponding configuration. The `ignore` configuration is a list of regular expressions to match error messages (similar to the `-ignore` command line option). ```yaml paths: ``` ### This pattern matches any YAML file under the '.github/workflows/' directory. ``` .github/workflows/**/*.yaml: ignore: ``` ### Ignore the specific error from shellcheck ``` - 'shellcheck reported issue in this script: SC2086:.+' ``` ### This pattern only matches '.github/workflows/release.yaml' file. ``` .github/workflows/release.yaml: ignore: ``` ### Ignore errors from the old runner check. This may be useful for (outdated) self-hosted runner environment. ```` - 'the runner of ".+" action is too old to run on GitHub Actions' ``` ```` - This configuration was not implemented initially because I wanted to keep the configuration as minimal as possible. However, due to several requests for it, the configuration has now been added. - Untrusted inputs check is safely skipped inside specific function calls. ([#&#8203;459](rhysd/actionlint#459), thanks [@&#8203;IlyaGulya](https://github.com/IlyaGulya)) - For example, the following step contains the untrusted input `github.head_ref`, but it is safe because it's passed to the `contains()` argument. ```yaml - run: echo "is_release_branch=${{ contains(github.head_ref, 'release') }}" >> "$GITHUB_OUTPUT" ``` - For more details, please read the [rule document](https://github.com/rhysd/actionlint/blob/v1.7.4/docs/checks.md#untrusted-inputs). - Recognize `gcr.io` and `gcr.dev` as the correct container registry hosts. ([#&#8203;463](rhysd/actionlint#463), thanks [@&#8203;takaidohigasi](https://github.com/takaidohigasi)) - Note that it is recommended explicitly specifying the scheme like `docker://gcr.io/...`. - Remove `macos-x.0` runner labels which are no longer available. ([#&#8203;452](rhysd/actionlint#452)) - Disable shellcheck [`SC2043`](https://www.shellcheck.net/wiki/SC2043) rule because it can cause false positives on checking `run:`. ([#&#8203;355](rhysd/actionlint#355)) - The [rule document](https://github.com/rhysd/actionlint/blob/v1.7.4/docs/checks.md#check-shellcheck-integ) was updated as well. ([#&#8203;466](rhysd/actionlint#466), thanks [@&#8203;risu729](https://github.com/risu729)) - Fix the error message was not deterministic when detecting cycles in `needs` dependencies. - Fix the check for `format()` function was not applied when the function name contains upper case like `Format()`. Note that function names in `${{ }}` placeholders are case-insensitive. - Update the popular actions data set to the latest. - This includes the [new `ref` and `commit` outputs](actions/checkout#1180) of `actions/checkout`. - Add [`actions/cache/save`](https://github.com/actions/cache/tree/main/save) and [`actions/cache/restore`](https://github.com/actions/cache/tree/main/restore) to the popular actions data set. - Links in the [README.md](https://github.com/rhysd/actionlint/blob/main/README.md) now point to the document of the latest version tag instead of HEAD of `main` branch. - Add [`Linter.LintStdin`](https://pkg.go.dev/github.com/rhysd/actionlint#Linter.LintStdin) method dedicated to linting STDIN instead of handling STDIN in `Command`. - (Dev) Add new [`check-checks` script](https://github.com/rhysd/actionlint/tree/main/scripts/check-checks) to maintain the ['Checks' document](https://github.com/rhysd/actionlint/blob/main/docs/checks.md). It automatically updates the outputs and playground links for example inputs in the document. It also checks the document is up-to-date on CI. Please read the [document](https://github.com/rhysd/actionlint/blob/main/scripts/check-checks/README.md) for more details. [Documentation](https://github.com/rhysd/actionlint/tree/v1.7.4/docs) \[Changes]\[v1.7.4] <a id="v1.7.3"></a> ### [`v1.7.3`](https://github.com/rhysd/actionlint/blob/HEAD/CHANGELOG.md#v173---2024-09-29) [Compare Source](rhysd/actionlint@v1.7.2...v1.7.3) - Remove `macos-11` runner labels because [macOS 11 runner was dropped on 6/28/2024](https://github.blog/changelog/2024-05-20-actions-upcoming-changes-to-github-hosted-macos-runners/#macos-11-deprecation-and-removal). ([#&#8203;451](rhysd/actionlint#451), thanks [@&#8203;muzimuzhi](https://github.com/muzimuzhi)) - Support `macos-15`, `macos-15-large`, and `macos-15-xlarge` runner labels. The macOS 15 runner is not globally available yet, but [they are available in beta](https://github.com/actions/runner-images?tab=readme-ov-file#available-images). ([#&#8203;453](rhysd/actionlint#453), thanks [@&#8203;muzimuzhi](https://github.com/muzimuzhi)) - Release artifact includes checksums for the released binaries. The file name is `actionlint_{version}_checksums.txt`. ([#&#8203;449](rhysd/actionlint#449)) - For example, the checksums for v1.7.3 can be found [here](https://github.com/rhysd/actionlint/releases/download/v1.7.3/actionlint_1.7.3_checksums.txt). - Fix `download-path` output is missing in `actions/download-artifact@v3` action. ([#&#8203;442](rhysd/actionlint#442)) - Note that the latest version `actions/download-artifact@v4` was not affected by this issue. - Support Go 1.23. [Documentation](https://github.com/rhysd/actionlint/blob/v1.7.3/docs/checks.md) \[Changes]\[v1.7.3] <a id="v1.7.2"></a> ### [`v1.7.2`](https://github.com/rhysd/actionlint/blob/HEAD/CHANGELOG.md#v172---2024-09-23) [Compare Source](rhysd/actionlint@v1.7.1...v1.7.2) - Fix child processes to run in parallel. - Update the popular actions data set to the latest. ([#&#8203;442](rhysd/actionlint#442), [#&#8203;445](rhysd/actionlint#445), [#&#8203;446](rhysd/actionlint#446), [#&#8203;447](rhysd/actionlint#447), thanks [@&#8203;maikelvdh](https://github.com/maikelvdh)) - Add support for checking branch filters on [`merge_group` event](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#merge_group). ([#&#8203;448](rhysd/actionlint#448), thanks [@&#8203;muzimuzhi](https://github.com/muzimuzhi)) - [The playground](https://rhysd.github.io/actionlint/) now supports both light and dark modes and automatically applies the system's theme. - Fix releasing a failure on making a new winget package. ([#&#8203;438](rhysd/actionlint#438), thanks [@&#8203;vedantmgoyal9](https://github.com/vedantmgoyal9)) \[Changes]\[v1.7.2] <a id="v1.7.1"></a> ### [`v1.7.1`](https://github.com/rhysd/actionlint/blob/HEAD/CHANGELOG.md#v171---2024-05-28) [Compare Source](rhysd/actionlint@v1.7.0...v1.7.1) - Support `ubuntu-24.04` runner label, which was [recently introduced as beta](https://github.blog/changelog/2024-05-14-github-hosted-runners-public-beta-of-ubuntu-24-04-is-now-available/). ([#&#8203;425](rhysd/actionlint#425), thanks [@&#8203;bitcoin-tools](https://github.com/bitcoin-tools)) - Remove the support for `macos-10` runner label which was [officially dropped about 2 years ago](https://github.blog/changelog/2022-07-20-github-actions-the-macos-10-15-actions-runner-image-is-being-deprecated-and-will-be-removed-by-8-30-22/). - Remove the support for `windows-2016` runner label which was [officially dropped about 2 years ago](https://github.blog/changelog/2021-10-19-github-actions-the-windows-2016-runner-image-will-be-removed-from-github-hosted-runners-on-march-15-2022/). - Document URLs used in help output and links in the playground prefer specific version tag rather than `main` branch. For example, - Before: https://github.com/rhysd/actionlint/tree/main/docs - After: https://github.com/rhysd/actionlint/tree/v1.7.1/docs - Fix actionlint wrongly reports an error when using `ghcr.io` or `docker.io` at `image` field of action metadata file of Docker action without `docker://` scheme. ([#&#8203;428](rhysd/actionlint#428)) ```yaml runs: using: 'docker' ``` ### This should be OK ``` image: 'ghcr.io/user/repo:latest' ``` ``` - Fix checking `preactjs/compressed-size-action@v2` usage caused a false positive. ([#&#8203;422](rhysd/actionlint#422)) - Fix an error message when invalid escaping is found in globs. - The design of the [playground page](https://rhysd.github.io/actionlint/) is overhauled following the upgrade of bulma package to v1. - Current actionlint version is shown in the heading. - The color theme is changed to the official dark theme. - The list of useful links is added to the bottom of the page as 'Resources' section. [Changes][v1.7.1] <a id="v1.7.0"></a> ``` ### [`v1.7.0`](https://github.com/rhysd/actionlint/blob/HEAD/CHANGELOG.md#v170---2024-05-08) [Compare Source](rhysd/actionlint@v1.6.27...v1.7.0) - From this version, actionlint starts to check action metadata file `action.yml` (or `action.yaml`). At this point, only very basic checks are implemented and contents of `steps:` are not checked yet. - It checks properties under `runs:` section (e.g. `main:` can be specified when it is a JavaScript action), `branding:` properties, and so on. ```yaml name: 'My action' author: '...' ``` ### ERROR: 'description' section is missing ``` branding: ``` ### ERROR: Invalid icon name ``` icon: dog runs: ``` ### ERROR: Node.js runtime version is too old ``` using: 'node12' ``` ### ERROR: The source file being run by this action does not exist ``` main: 'this-file-does-not-exist.js' ``` ### ERROR: 'env' configuration is only allowed for Docker actions ```` env: SOME_VAR: SOME_VALUE ``` ```` - actionlint still focuses on checking workflow files. So there is no way to directly specify `action.yml` as an argument of `actionlint` command. actionlint checks all local actions which are used by given workflows. If you want to use actionlint for your action development, prepare a test/example workflow which uses your action, and check it with actionlint instead. - Checks for `steps:` contents are planned to be implemented. Since several differences are expected between `steps:` in workflow file and `steps:` in action metadata file (e.g. available contexts), the implementation is delayed to later version. And the current implementation of action metadata parser is ad hoc. I'm planning a large refactorying and breaking changes Go API around it are expected. - Add `runner.environment` property. ([#&#8203;412](rhysd/actionlint#412)) ```yaml - run: echo 'Run by GitHub-hosted runner' if: runner.environment == 'github-hosted' ``` - Using outdated popular actions is now detected at error. See [the document](https://github.com/rhysd/actionlint/blob/main/docs/checks.md#detect-outdated-popular-actions) for more details. - Here 'outdated' means actions which use runtimes no longer supported by GitHub-hosted runners such as `node12`. ```yaml ``` ### ERROR: actions/checkout@v2 is using the outdated runner 'node12' ```` - uses: actions/checkout@v2 ``` ```` - Support `attestations` permission which was [recently added to GitHub Actions as beta](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds). ([#&#8203;418](rhysd/actionlint#418), thanks [@&#8203;bdehamer](https://github.com/bdehamer)) ```yaml permissions: id-token: write contents: read attestations: write ``` - Check comparison expressions more strictly. Arbitrary types of operands can be compared as [the official document](https://docs.github.com/en/actions/learn-github-actions/expressions#operators) explains. However, comparisons between some types are actually meaningless because the values are converted to numbers implicitly. actionlint catches such meaningless comparisons as errors. Please see [the check document](https://github.com/rhysd/actionlint/blob/main/docs/checks.md#check-comparison-types) for more details. ```yaml on: workflow_call: inputs: timeout: type: boolean jobs: test: runs-on: ubuntu-latest steps: - run: echo 'called!' ``` ### ERROR: Comparing string to object is always evaluated to false ``` if: ${{ github.event == 'workflow_call' }} - run: echo 'timeout is too long' ``` ### ERROR: Comparing boolean value with `>` doesn't make sense ``` if: ${{ inputs.timeout > 60 }} ``` ```` - Follow the update that `macos-latest` is now an alias to `macos-14` runner. - Support a custom python shell by `pyflakes` rule. - Add workaround actionlint reports that `dorny/paths-filter`'s `predicate-quantifier` input is not defined. ([#&#8203;416](rhysd/actionlint#416)) - Fix the type of a conditional expression by comparison operators is wider than expected by implementing type narrowing. ([#&#8203;384](rhysd/actionlint#384)) - For example, the type of following expression should be `number` but it was actually `string | number` and actionlint complained that `timeout-minutes` must take a number value. ```yaml timeout-minutes: ${{ env.FOO && 10 || 60 }} ``` - Fix `${{ }}` placeholder is not available at `jobs.<job_id>.services`. ([#&#8203;402](rhysd/actionlint#402)) ```yaml jobs: test: services: ${{ fromJSON('...') }} runs-on: ubuntu-latest steps: - run: ... ```` - Do not check outputs of `google-github-actions/get-secretmanager-secrets` because this action sets outputs dynamically. ([#&#8203;404](rhysd/actionlint#404)) - Fix `defaults.run` is ignored on detecting the shell used in `run:`. ([#&#8203;409](rhysd/actionlint#409)) ```yaml defaults: run: shell: pwsh jobs: test: runs-on: ubuntu-latest steps: ``` ### This was wrongly detected as bash script ``` - run: $Env:FOO = "FOO" ``` ```` - Fix parsing a syntax error reported from pyflakes when checking a Python script in `run:`. ([#&#8203;411](rhysd/actionlint#411)) ```yaml - run: print( shell: python ```` - Skip checking `exclude:` items in `matrix:` when they are constructed from `${{ }}` dynamically. ([#&#8203;414](rhysd/actionlint#414)) ```yaml matrix: foo: ['a', 'b'] exclude: ``` ### actionlint complained this value didn't exist in matrix combinations ``` - foo: ${{ env.EXCLUDE_FOO }} ``` ```` - Fix checking `exclude:` items when `${{ }}` is used in nested arrays at matrix items. ```yaml matrix: foo: - ["${{ fromJSON('...') }}"] exclude: ### actionlint complained this value didn't match to any matrix combinations - foo: ['foo'] ```` - Update popular actions data set. New major versions are added and the following actions are newly added. - `peaceiris/actions-hugo` - `actions/attest-build-provenance` - `actions/add-to-project` - `octokit/graphql-action` - Update Go dependencies to the latest. - Reduce the size of `actionlint` executable by removing redundant data from popular actions data set. - x86\_64 executable binary size was reduced from 6.9MB to 6.7MB (2.9% smaller). - Wasm binary size was reduced from 9.4MB to 8.9MB (5.3% smaller). - Describe how to [integrate actionlint to Pulsar Edit](https://web.pulsar-edit.dev/packages/linter-github-actions) in [the document](https://github.com/rhysd/actionlint/blob/main/docs/usage.md#pulsar-edit). ([#&#8203;408](rhysd/actionlint#408), thanks [@&#8203;mschuchard](https://github.com/mschuchard)) - Update outdated action versions in the usage document. ([#&#8203;413](rhysd/actionlint#413), thanks [@&#8203;naglis](https://github.com/naglis)) \[Changes]\[v1.7.0] <a id="v1.6.27"></a> </details> --- ### Configuration 📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/791 Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org> Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>
diff --git a/go.mod b/go.mod
@@ -29,7 +29,7 @@ require (
 	github.com/opencontainers/image-spec v1.1.0
 	github.com/opencontainers/selinux v1.11.0
 	github.com/pkg/errors v0.9.1
-	github.com/rhysd/actionlint v1.6.27
+	github.com/rhysd/actionlint v1.7.7
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/pflag v1.0.6
@@ -48,6 +48,7 @@ require (
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/ProtonMail/go-crypto v1.1.3 // indirect
+	github.com/bmatcuk/doublestar/v4 v4.8.0 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
@@ -56,7 +57,7 @@ require (
 	github.com/docker/docker-credential-helpers v0.8.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/fatih/color v1.16.0 // indirect
+	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
@@ -70,8 +71,9 @@ require (
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/mattn/go-shellwords v1.0.12 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/sys/atomicwriter v0.1.0 // indirect
 	github.com/moby/sys/sequential v0.6.0 // indirect
diff --git a/go.sum b/go.sum
@@ -21,6 +21,8 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/avast/retry-go/v4 v4.6.1 h1:VkOLRubHdisGrHnTu89g08aQEWEgRU7LVEop3GbIcMk=
 github.com/avast/retry-go/v4 v4.6.1/go.mod h1:V6oF8njAwxJ5gRo1Q7Cxab24xs5NCWZBeaHHBklR8mA=
+github.com/bmatcuk/doublestar/v4 v4.8.0 h1:DSXtrypQddoug1459viM9X9D3dp1Z7993fw36I2kNcQ=
+github.com/bmatcuk/doublestar/v4 v4.8.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
 github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
@@ -55,8 +57,8 @@ github.com/elazarl/goproxy v1.2.3 h1:xwIyKHbaP5yfT6O9KIeYJR5549MXRQkoQMRXGztz8YQ
 github.com/elazarl/goproxy v1.2.3/go.mod h1:YfEbZtqP4AetfO6d40vWchF3znWX7C7Vd6ZMfdL8z64=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
-github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
-github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
+github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
+github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
@@ -115,13 +117,14 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
-github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
-github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
-github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
+github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
+github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/go-archive v0.1.0 h1:Kk/5rdW/g+H8NHdJW2gsXyZ7UnzvJNOy6VKJqueWdcQ=
@@ -154,8 +157,8 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rhysd/actionlint v1.6.27 h1:xxwe8YmveBcC8lydW6GoHMGmB6H/MTqUU60F2p10wjw=
-github.com/rhysd/actionlint v1.6.27/go.mod h1:m2nFUjAnOrxCMXuOMz9evYBRCLUsMnKY2IJl/N5umbk=
+github.com/rhysd/actionlint v1.7.7 h1:0KgkoNTrYY7vmOCs9BW2AHxLvvpoY9nEUzgBHiPUr0k=
+github.com/rhysd/actionlint v1.7.7/go.mod h1:AE6I6vJEkNaIfWqC2GNE5spIJNhxf8NCtLEKU4NnUXg=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
@@ -256,7 +259,6 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
