fix jobs.<job_id>.services.<service_id>.env should allow contexts (#500)

rhysd · rhysd · commit 895f01acb7e2 · 2025-01-04T21:45:59.000+09:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,22 +2,24 @@
 # [v1.7.5](https://github.com/rhysd/actionlint/releases/tag/v1.7.5) - 2024-12-28
 
 - Strictly check available contexts in `${{ }}` placeholders following the ['Context availability' table](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#context-availability) in the official document.
-  - For example, `jobs.<job>.env` allows `github` context but `jobs.<job>.services.<service>.env` doesn't allow any contexts. Now actionlint can catch the mistake.
+  - For example, `jobs.<job_id>.defaults.run.shell` allows `env` context but `shell` workflow keys in other places allow no context.
     ```yaml
+    defaults:
+      run:
+        # ERROR: No context is available here
+        shell: ${{ env.SHELL }}
+
     jobs:
       test:
         runs-on: ubuntu-latest
-        env:
-          # OK. `github` context is available here.
-          COMMIT_SHA: ${{ github.sha }}
-        services:
-          redis:
-            image: redis
-            env:
-              # ERROR: No context is available here.
-              COMMIT_SHA: ${{ github.sha }}
+        defaults:
+          run:
+            # OK: 'env' context is available here
+            shell: ${{ env.SHELL }}
         steps:
-          - ...
+          - run: echo hello
+            # ERROR: No context is available here
+            shell: ${{ env.SHELL}}
     ```
 - Check a string literal passed to `fromJSON()` call. This pattern is [popular](https://github.com/search?q=fromJSON%28%27+lang%3Ayaml&type=code) to create array or object constants because GitHub Actions does not provide the literal syntax for them. See the [document](https://github.com/rhysd/actionlint/blob/main/docs/checks.md#contexts-and-built-in-functions) for more details. ([#464](https://github.com/rhysd/actionlint/issues/464))
   ```yaml
@@ -796,7 +798,7 @@
 - Allow workflow calls are available in matrix jobs. See [the official announcement](https://github.blog/changelog/2022-08-22-github-actions-improvements-to-reusable-workflows-2/) for more details. ([#197](https://github.com/rhysd/actionlint/issues/197))
   ```yaml
   jobs:
-    ReusableMatrixJobForDeployment:
+    ReuseableMatrixJobForDeployment:
       strategy:
         matrix:
           target: [dev, stage, prod]
@@ -929,7 +931,7 @@
   ```
 - Fix usage of local actions (`uses: ./path/to/action`) was not checked when multiple workflow files were passed to `actionlint` command. ([#173](https://github.com/rhysd/actionlint/issues/173))
 - Allow `description:` is missing in `secrets:` of reusable workflow call definition since it is optional. ([#174](https://github.com/rhysd/actionlint/issues/174))
-- Fix type of property of `github.event.inputs` is string unlike `inputs` context. See [the document](https://github.com/rhysd/actionlint/blob/main/docs/checks.md#workflow-dispatch-event-validation) for more details. ([#181](https://github.com/rhysd/actionlint/issues/181))
+- Fix type of propery of `github.event.inputs` is string unlike `inputs` context. See [the document](https://github.com/rhysd/actionlint/blob/main/docs/checks.md#workflow-dispatch-event-validation) for more details. ([#181](https://github.com/rhysd/actionlint/issues/181))
   ```yaml
   on:
     workflow_dispatch:
diff --git a/docs/checks.md b/docs/checks.md
@@ -2626,8 +2626,10 @@ Example input:
 ```yaml
 on: push
 
-env:
-  NAME: rhysd
+defaults:
+  run:
+    # ERROR: No context is available here
+    shell: ${{ env.SHELL }}
 
 jobs:
   test:
@@ -2639,19 +2641,19 @@ jobs:
           # ERROR: 'runner' context is not available here
           - ${{ runner.temp }}
     runs-on: ubuntu-latest
+    defaults:
+      run:
+        # OK: 'env' context is available here
+        shell: ${{ env.SHELL }}
     env:
       # ERROR: 'env' context is not available here
-      NAME: ${{ env.NAME }}
-    services:
-      redis:
-        image: redis
-        env:
-          # ERROR: No context is allowed here
-          COMMIT_SHA: ${{ github.sha }}
+      FOO: ${{ env.BAR }}
     steps:
       - env:
           # OK: 'env' context is available here
-          NAME: ${{ env.NAME }}
+          FOO: ${{ env.BAR }}
+        # ERROR: No context is available here
+        shell: ${{ env.SHELL}}
         # ERROR: 'success()' function is not available here
         run: echo 'Success? ${{ success() }}'
         # OK: 'success()' function is available here
@@ -2661,25 +2663,29 @@ jobs:
 Output:
 
 ```
-test.yaml:14:17: context "runner" is not allowed here. available contexts are "github", "inputs", "needs", "vars". see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details [expression]
+test.yaml:6:16: context "env" is not allowed here. no context is available here. see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details [expression]
+  |
+6 |     shell: ${{ env.SHELL }}
+  |                ^~~~~~~~~
+test.yaml:16:17: context "runner" is not allowed here. available contexts are "github", "inputs", "needs", "vars". see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details [expression]
    |
-14 |           - ${{ runner.temp }}
+16 |           - ${{ runner.temp }}
    |                 ^~~~~~~~~~~
-test.yaml:18:17: context "env" is not allowed here. available contexts are "github", "inputs", "matrix", "needs", "secrets", "strategy", "vars". see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details [expression]
+test.yaml:24:16: context "env" is not allowed here. available contexts are "github", "inputs", "matrix", "needs", "secrets", "strategy", "vars". see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details [expression]
    |
-18 |       NAME: ${{ env.NAME }}
-   |                 ^~~~~~~~
-test.yaml:24:27: context "github" is not allowed here. no context is available here. see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details [expression]
+24 |       FOO: ${{ env.BAR }}
+   |                ^~~~~~~
+test.yaml:30:20: context "env" is not allowed here. no context is available here. see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details [expression]
    |
-24 |           COMMIT_SHA: ${{ github.sha }}
-   |                           ^~~~~~~~~~
-test.yaml:30:33: calling function "success" is not allowed here. "success" is only available in "jobs.<job_id>.if", "jobs.<job_id>.steps.if". see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details [expression]
+30 |         shell: ${{ env.SHELL}}
+   |                    ^~~~~~~~~~~
+test.yaml:32:33: calling function "success" is not allowed here. "success" is only available in "jobs.<job_id>.if", "jobs.<job_id>.steps.if". see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details [expression]
    |
-30 |         run: echo 'Success? ${{ success() }}'
+32 |         run: echo 'Success? ${{ success() }}'
    |                                 ^~~~~~~~~
 ```
 
-[Playground](https://rhysd.github.io/actionlint/#eNp0j8FOwzAMhu99Ch+QBof2AXJBE0KCQ+Ew7ihNvSawJpXtdFRT3x1lXdsJNF+i/7f953PwCrrINsvQ9yoDeNuWzwrIDlxn2VeoOJmCLOkFYCEt2AyTAmi1kPuZFUDtCI0EGlYLIIe70wkaJzZWxTHQ9/4QjjCO/0Yoeo9UCLbd3KboOU+UsYpeYn7QCebcuhCnmqhTBPq+SGreZ6TeGeR5krB2vMK5VjeoJncxr4JTPb2X5evH5+5lq64PYauXTwS7JTT/u38b7nKgAjQ2wGYXjUHmx/MsT+L+AcZxs/Lu1dr5DQAA//+iDXkG)
+[Playground](https://rhysd.github.io/actionlint/#eNp8j81qwzAQhO96ijkU0h6cB/CltNDSQyDQPIHtrGO3imT2J2kIfvciJ45NIT2J0Xy7MxtDjs6kcW5LdWFeJXcAW0gPIA15n+PhfAaFw3Lz8bZaoe+d+4rlQCqJXlHlQml3uihgXyi3P6MCti1TpZFP0xeQDat3rTZWLo+Rv2sfjyngL8IWAvFSad+NNluQLPW30oJa5otUZrDmt1zRKfXeTcmjcBjB9/V6gl5fPkdElLrb4mw+8d/UveCZnUqCqiZisbGqIpHngZWLeHxC3y9udFvnk/MbAAD//3L9fcg=)
 
 Some contexts are only available in some places. For example, `env` context is not available at `jobs.<job_id>.env`, but it is
 available at `jobs.<job_id>.steps.env`.
diff --git a/rule_expression.go b/rule_expression.go
@@ -485,7 +485,7 @@ func (rule *RuleExpression) checkContainer(c *Container, workflowKey, childWorkf
 		rule.checkString(c.Credentials.Username, k)
 		rule.checkString(c.Credentials.Password, k)
 	}
-	rule.checkEnv(c.Env, workflowKey+".env.<env_id>") // e.g. jobs.<job_id>.container.env.<env_id>
+	rule.checkEnv(c.Env, childWorkflowKey+".env.<env_id>") // e.g. jobs.<job_id>.container.env.<env_id>
 	rule.checkStrings(c.Ports, workflowKey)
 	rule.checkStrings(c.Volumes, workflowKey)
 	rule.checkString(c.Options, workflowKey)
diff --git a/testdata/err/context_availability.out b/testdata/err/context_availability.out
@@ -17,7 +17,6 @@
 /test\.yaml:106:18: context "runner" is not allowed here\. .+ \[expression\]/
 /test\.yaml:111:20: context "env" is not allowed here\. .+ \[expression\]/
 /test\.yaml:115:25: context "runner" is not allowed here\. .+ \[expression\]/
-/test\.yaml:121:23: context "runner" is not allowed here\. .+ \[expression\]/
 /test\.yaml:127:17: context "env" is not allowed here\. .+ \[expression\]/
 /test\.yaml:134:23: context "env" is not allowed here\. .+ \[expression\]/
 /test\.yaml:139:23: context "env" is not allowed here\. .+ \[expression\]/
diff --git a/testdata/err/context_availability.yaml b/testdata/err/context_availability.yaml
@@ -111,13 +111,13 @@ jobs:
         image: ${{ env.IMAGE_NAME }}
         # jobs.<job_id>.services.<service_id>.credentials
         credentials:
-          # ERROR
+          # ERROR because runner is not available
           username: ${{ runner.name }}
           # OK
           password: ${{ env.MY_PASSWORD }}
         # jobs.<job_id>.services.<service_id>.env.<env_id>
         env:
-          # ERROR
+          # OK (#500)
           RUNNER: ${{ runner.name }}
     # jobs.<job_id>.strategy
     strategy:
diff --git a/testdata/err/shell_key_context_availability.out b/testdata/err/shell_key_context_availability.out
@@ -0,0 +1,2 @@
+/test\.yaml:6:16: context "env" is not allowed here\. no context is available here\. .+ \[expression\]/
+/test\.yaml:18:20: context "env" is not allowed here\. no context is available here\. .+ \[expression\]/
diff --git a/testdata/err/shell_key_context_availability.yaml b/testdata/err/shell_key_context_availability.yaml
@@ -0,0 +1,18 @@
+on: push
+
+defaults:
+  run:
+    # ERROR: No context is available here
+    shell: ${{ env.SHELL }}
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        # OK: 'env' context is available here
+        shell: ${{ env.SHELL }}
+    steps:
+      - run: echo hello
+        # ERROR: No context is available here
+        shell: ${{ env.SHELL}}

Original file line number	Diff line number	Diff line change
`@@ -485,7 +485,7 @@ func (rule RuleExpression) checkContainer(c Container, workflowKey, childWorkf`
`485`	`485`	`rule.checkString(c.Credentials.Username, k)`
`486`	`486`	`rule.checkString(c.Credentials.Password, k)`
`487`	`487`	`}`
`488`		`- rule.checkEnv(c.Env, workflowKey+".env.<env_id>") // e.g. jobs.<job_id>.container.env.<env_id>`
	`488`	`+ rule.checkEnv(c.Env, childWorkflowKey+".env.<env_id>") // e.g. jobs.<job_id>.container.env.<env_id>`
`489`	`489`	`rule.checkStrings(c.Ports, workflowKey)`
`490`	`490`	`rule.checkStrings(c.Volumes, workflowKey)`
`491`	`491`	`rule.checkString(c.Options, workflowKey)`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+/test\.yaml:6:16: context "env" is not allowed here\. no context is available here\. .+ \[expression\]/`
	`2`	`+/test\.yaml:18:20: context "env" is not allowed here\. no context is available here\. .+ \[expression\]/`