Hamburger Cross Icon
Lint Clean
+
GitHub Actions Collector

Lint Clean + GitHub Actions Collector

Guardrail Collector Beta Devex Build And Ci

Enforce Lint Clean using data collected by GitHub Actions Collector. Automatically check devex build and ci standards on every PR.

Guardrail: Ensures no lint errors across CI configuration files. Reads from the normalized .ci.lint path — works with any CI vendor's lint tool (actionlint for GHA, gitlab-ci-lint for GitLab, etc.).
Data Source: Parses and lints GitHub Actions workflow files. Extracts structured data from every workflow (triggers, jobs, action references), runs actionlint for syntax and type checking, and classifies version pinning status for all third-party action references.
Get Started View on GitHub

How GitHub Actions Collector Powers This Guardrail

The GitHub Actions Collector gathers metadata from your systems. This data flows into Lunar's Component JSON, where the Lint Clean guardrail evaluates it against your standards.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.

1
GitHub Actions Collector Gathers Data Collector
Extracts metadata from code, configs, and tool outputs
2
{ } Component JSON
Data centralized in structured format for evaluation
3
Lint Clean Checks Guardrail
Pass/fail result with actionable feedback in PRs

Quick Start Configuration

Add both the collector and policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml 
# Step 1: Enable the GitHub Actions Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/github-actions@v1.0.5
    # with: ...

# Step 2: Enable the CI Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/ci@v1.0.5
    include: [lint-clean]
    # with: ...

What GitHub Actions Collector Collects

This collector gathers the following data that the Lint Clean guardrail evaluates.

Collector code

workflows

Parses all GitHub Actions workflow files in .github/workflows/, runs actionlint for lint errors, and classifies action version pinning (SHA, tag, branch, unpinned) for supply-chain hygiene.

Example Data Flow

Here's an example of the data that GitHub Actions Collector writes to the Component JSON, which Lint Clean then evaluates.

{ } component.json From GitHub Actions Collector 
{
  "ci": {
    "lint": {
      "source": { "tool": "actionlint", "version": "1.7.7", "integration": "code" },
      "errors": [
        {
          "file": ".github/workflows/ci.yml",
          "line": 42,
          "column": 9,
          "message": "property \"unknown_field\" is not defined",
          "rule": "syntax-check"
        }
      ],
      "error_count": 1,
      "warning_count": 0
    },
    "dependencies": {
      "source": { "tool": "github-actions", "version": "0.1.0", "integration": "code" },
      "total": 3,
      "pinned": 2,
      "unpinned": 1,
      "items": [
        { "name": "actions/checkout", "ref": "abc123def456", "pinning": "sha", "party": "1st" },
        { "name": "docker/build-push-action", "ref": "v5.1.0", "pinning": "tag", "party": "3rd" },
        { "name": "docker/login-action", "ref": "main", "pinning": "branch", "party": "3rd" }
      ],
      "third_party_unpinned": ["docker/login-action@main"]
    },
    "native": {
      "github_actions": {
        "source": { "tool": "github-actions", "version": "0.1.0", "integration": "code" },
        "workflows": [
          {
            "file": ".github/workflows/ci.yml",
            "name": "CI",
            "triggers": ["push", "pull_request"],
            "jobs": {
              "build": {
                "steps": [
                  { "uses": "actions/checkout@abc123def456", "with": { "persist-credentials": false } },
                  { "run": "make build" }
                ]
              },
              "test": {
                "steps": [
                  { "uses": "actions/checkout@abc123def456" },
                  { "run": "make test" }
                ]
              }
            },
            "permissions": { "contents": "read" },
            "actions": [
              { "uses": "actions/checkout@abc123def456", "pinning": "sha", "party": "1st" },
              { "uses": "docker/build-push-action@v5.1.0", "pinning": "tag", "party": "3rd" },
              { "uses": "docker/login-action@main", "pinning": "branch", "party": "3rd" }
            ]
          }
        ]
      }
    }
  }
}

Other Guardrails Using GitHub Actions Collector

Other guardrails in CI Guardrails that use data from GitHub Actions Collector.

Guardrail + GitHub Actions
Dependencies Pinned

Verifies all third-party CI dependencies use SHA or tag pins, not branch refs. Reads from the...
Guardrail + GitHub Actions
No Mutable Refs

Ensures no third-party CI dependencies reference mutable refs like @main, @master, or @latest. Reads...

Learn More

Guardrail · CI Guardrails Lint Clean View all compatible integrations
Collector GitHub Actions Collector View full documentation

Ready to Automate Your Standards?

See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.

Works with any process
check AI agent rules & prompt files
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Automate Now
Paste your AGENTS.md or manual process doc and get guardrails in minutes
Book a Demo