DevBolt
Processed in your browser. Your data never leaves your device.

How do I validate a GitHub Actions workflow YAML online?

Paste your workflow YAML and click Validate to check for syntax errors, missing required fields, broken job dependencies, deprecated action versions, and common misconfigurations. The validator flags errors, warnings, and best-practice suggestions with specific fix guidance. Everything runs in your browser — your workflow files never leave your device.

Validate workflow YAML
Input
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm test
Output
✓ Valid GitHub Actions workflow
Triggers: push, pull_request
Jobs: 1 (test)
Steps: 4
Runner: ubuntu-latest
No issues found

GitHub Actions YAML Validator

Validate GitHub Actions workflow files for syntax errors, missing fields, deprecated actions, broken job dependencies, and common misconfigurations. Runs entirely in your browser.

About GitHub Actions Workflow Validation

GitHub Actions workflows are YAML files in .github/workflows/ that define CI/CD automation — building, testing, deploying, and more.

What we check:

  • Required fields — on (triggers), jobs, runs-on, steps
  • Trigger validation — event names, cron schedules, workflow_dispatch inputs
  • Job structure — runs-on, needs dependencies, timeout, strategy/matrix
  • Step validation — uses vs run, action version pinning, id uniqueness
  • Deprecated actions — flags outdated action versions with upgrade suggestions
  • Permissions — validates permission scopes and values
  • Expression syntax — unclosed ${{ }} expressions
  • Reusable workflows — validates uses/steps exclusivity
  • Best practices — timeouts, concurrency groups, naming

Everything runs in your browser — no data is sent over the network.

Tips & Best Practices

Pro Tip

Pin action versions to full commit SHAs, not tags

Using `uses: actions/checkout@v4` trusts that the tag won't be moved to malicious code. Pin to a specific SHA: `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11`. Tags can be reassigned; commit SHAs are immutable.

Common Pitfall

GitHub Actions secrets are not available in pull requests from forks

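For security, GitHub doesn't expose repository secrets to workflows triggered by pull_request from forks. This breaks CI for open-source projects whose tests depend on secrets. Use pull_request_target (carefully: it runs in the base repository's context with access to secrets, so it should not check out and execute the fork's code) or run secret-dependent tests only on push to protected branches.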

Real-World Example

Use concurrency groups to cancel outdated workflow runs

Add `concurrency: { group: '${{ github.workflow }}-${{ github.ref }}', cancel-in-progress: true }` to cancel previous runs when you push again to the same branch. This saves CI minutes and speeds up feedback on the latest code.

Security Note

Never use ${{ github.event.*.body }} in run: steps without sanitization

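PR titles, branch names, and issue bodies are user-controlled. GitHub substitutes `${{ }}` expressions into the script text before the shell runs it, so using them directly in shell commands enables injection: a branch named `; rm -rf /` executes as shell code. Always assign the value to an environment variable first (with `env:`) and reference it as a quoted shell variable.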
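The pinning tip and the security note above can both be checked mechanically. The following is an added example, not DevBolt's validator code: a line-based JavaScript lint that flags `uses:` references not pinned to a 40-character SHA and user-controlled `${{ }}` expressions inside `run:` scripts. The function name `lintWorkflow`, the rule names and the sample workflow are constructed for illustration, and the lint assumes block-style steps rather than parsing YAML.

```javascript
// Added example, not DevBolt's validator code. Line-based on purpose: it assumes
// block-style steps ("- uses:", "run: |") and does not parse YAML.
const FULL_SHA = /^[0-9a-f]{40}$/;
// User-controlled contexts named in the note above: titles, bodies, branch names.
const UNTRUSTED = /\$\{\{[^}]*\bgithub\.(head_ref|event\.[\w.]+\.(title|body|ref))\b[^}]*\}\}/;

function lintWorkflow(yamlText) {
  const findings = [];
  let runCol = -1; // column of the current `run:` key, -1 when outside a run script
  yamlText.split('\n').forEach((text, i) => {
    const line = i + 1;
    const indent = text.search(/\S/); // -1 for blank lines
    const uses = text.match(/^\s*(?:-\s+)?uses:\s*['"]?([^\s'"#]+)/);
    const run = text.match(/^(\s*(?:-\s+)?)run:(.*)$/);
    if (uses) {
      runCol = -1;
      const [name, ref] = uses[1].split('@');
      const external = !name.startsWith('./') && !name.startsWith('docker://');
      if (external && !FULL_SHA.test(ref || '')) {
        findings.push({ line, rule: 'unpinned-action', detail: uses[1] });
      }
    } else if (run) {
      runCol = run[1].length;
      if (UNTRUSTED.test(run[2])) findings.push({ line, rule: 'script-injection', detail: run[2].trim() });
    } else if (runCol >= 0 && (indent === -1 || indent > runCol)) {
      // Continuation line of a multi-line `run: |` script.
      if (UNTRUSTED.test(text)) findings.push({ line, rule: 'script-injection', detail: text.trim() });
    } else {
      runCol = -1; // a sibling or parent key ended the script
    }
  });
  return findings;
}

// Constructed sample: steps 1 and 3 are the weak forms, steps 2 and 4 the fixes.
const SAMPLE = [
  'jobs:',
  '  greet:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11',
  '      - run: echo "Title: ${{ github.event.pull_request.title }}"',
  '      - env:',
  '          TITLE: ${{ github.event.pull_request.title }}',
  '        run: echo "Title: $TITLE"',
].join('\n');

console.log(lintWorkflow(SAMPLE));
```

The same expression under `env:` is not flagged, because there the value reaches the shell as data in a variable instead of being spliced into the script text.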

Frequently Asked Questions

How do I validate a GitHub Actions workflow YAML file online?
Paste your workflow YAML into the editor and click Validate. The tool checks for syntax errors, missing required fields (on, jobs, runs-on, steps), broken job dependencies (needs referencing undefined jobs), deprecated action versions with upgrade suggestions, invalid trigger events, permission scope errors, and common misconfigurations. Results are categorized as errors, warnings, and info. Everything runs client-side — your workflow files never leave your browser.

What are the most common GitHub Actions workflow errors?
Frequent errors include missing runs-on (every job needs a runner), steps with both uses and run (only one allowed per step), action references without version pinning (@v4), broken needs dependencies referencing non-existent jobs, invalid trigger event names, incorrect permission values, and YAML indentation mistakes. Security issues include using outdated action versions with known vulnerabilities and missing timeout-minutes, which allows runaway jobs.

How do I pin GitHub Action versions for reproducible builds?
Always reference actions with a version tag like actions/checkout@v4 or, for maximum security, a commit SHA. Avoid @latest or @main, which can change unexpectedly. DevBolt's validator flags unpinned actions and outdated versions, suggesting the latest stable release. For critical workflows, pin to a full commit SHA (actions/checkout@abc123) to prevent supply chain attacks through tag mutation.

How do I fix broken job dependencies in GitHub Actions?
The needs field references other job IDs that must complete before the current job starts. If needs references a job ID that does not exist in the workflow, GitHub will reject it. Check that job IDs match exactly (case-sensitive). DevBolt's validator cross-references all needs values against defined job IDs and flags any missing references, self-references, and circular dependencies.
