GitHub Actions Collector - Lunar Collector

GitHub Actions Collector

Collector, Beta, CI/CD

Parses and lints GitHub Actions workflow files. Extracts structured data from every workflow (triggers, jobs, action references), runs actionlint for syntax and type checking, and classifies version pinning status for all third-party action references.

Add github-actions to your lunar-config.yml:
uses: github://earthly/lunar-lib/collectors/github-actions@v1.0.5

What This Integration Collects

This integration includes 1 collector that gathers metadata from your systems.

Collector code

workflows

Parses all GitHub Actions workflow files in .github/workflows/, runs actionlint for lint errors, and classifies action version pinning (SHA, tag, branch, unpinned) for supply-chain hygiene.


How Collectors Fit into Lunar

Lunar watches your code and CI/CD systems to collect SDLC data from config files, test results, IaC, deployment configurations, security scans, and more.

Collectors are the automatic data-gathering layer. They extract structured metadata from your repositories and pipelines, feeding it into Lunar's centralized database where guardrails evaluate it to enforce your engineering standards.

1. Collectors Gather Data (this integration): Triggered by code changes or CI pipelines, collectors extract metadata from config files, tool outputs, test results, and scans
2. Centralized as JSON: All data merged into each component's unified metadata document
3. Guardrails Enforce Standards: Real-time feedback in PRs and AI workflows

Example Collected Data

This collector writes structured metadata to the Component JSON. Here's an example of the data it produces:

component.json
{
  "ci": {
    "lint": {
      "source": { "tool": "actionlint", "version": "1.7.7", "integration": "code" },
      "errors": [
        {
          "file": ".github/workflows/ci.yml",
          "line": 42,
          "column": 9,
          "message": "property \"unknown_field\" is not defined",
          "rule": "syntax-check"
        }
      ],
      "error_count": 1,
      "warning_count": 0
    },
    "dependencies": {
      "source": { "tool": "github-actions", "version": "0.1.0", "integration": "code" },
      "total": 3,
      "pinned": 2,
      "unpinned": 1,
      "items": [
        { "name": "actions/checkout", "ref": "abc123def456", "pinning": "sha", "party": "1st" },
        { "name": "docker/build-push-action", "ref": "v5.1.0", "pinning": "tag", "party": "3rd" },
        { "name": "docker/login-action", "ref": "main", "pinning": "branch", "party": "3rd" }
      ],
      "third_party_unpinned": ["docker/login-action@main"]
    },
    "native": {
      "github_actions": {
        "source": { "tool": "github-actions", "version": "0.1.0", "integration": "code" },
        "workflows": [
          {
            "file": ".github/workflows/ci.yml",
            "name": "CI",
            "triggers": ["push", "pull_request"],
            "jobs": {
              "build": {
                "steps": [
                  { "uses": "actions/checkout@abc123def456", "with": { "persist-credentials": false } },
                  { "run": "make build" }
                ]
              },
              "test": {
                "steps": [
                  { "uses": "actions/checkout@abc123def456" },
                  { "run": "make test" }
                ]
              }
            },
            "permissions": { "contents": "read" },
            "actions": [
              { "uses": "actions/checkout@abc123def456", "pinning": "sha", "party": "1st" },
              { "uses": "docker/build-push-action@v5.1.0", "pinning": "tag", "party": "3rd" },
              { "uses": "docker/login-action@main", "pinning": "branch", "party": "3rd" }
            ]
          }
        ]
      }
    }
  }
}
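
How the pinning classification and the `ci.dependencies` counts above fit together, as an added Python example (not the collector's own code). The rules are assumptions inferred from the sample: a full 40-character commit SHA is `sha`, a version-like ref is `tag`, any other ref is `branch`, a missing ref is `unpinned`, the owners `actions` and `github` count as 1st party, and local or `docker://` references are skipped.

```python
import re

# Assumed rules (inferred from the sample JSON, not taken from the collector):
# 40-hex ref -> "sha", version-like ref -> "tag", other ref -> "branch",
# no ref -> "unpinned"; owners "actions" and "github" are 1st party.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
FIRST_PARTY_OWNERS = {"actions", "github"}

def classify(uses):
    """Return a dependency item for one `uses:` value, or None for local/docker refs."""
    if uses.startswith(("./", "docker://")):
        return None  # not a repository reference with a git ref
    name, _, ref = uses.partition("@")
    if not ref:
        pinning = "unpinned"
    else:
        pinning = "sha" if SHA_RE.match(ref) else "tag" if TAG_RE.match(ref) else "branch"
    party = "1st" if name.split("/")[0] in FIRST_PARTY_OWNERS else "3rd"
    return {"name": name, "ref": ref, "pinning": pinning, "party": party}

def summarize(workflow_text):
    """Build a ci.dependencies-shaped summary from raw workflow YAML text."""
    seen, items = set(), []
    for uses in USES_RE.findall(workflow_text):
        item = classify(uses)
        if item and uses not in seen:  # each distinct reference is counted once
            seen.add(uses)
            items.append(item)
    pinned = [i for i in items if i["pinning"] in ("sha", "tag")]
    loose = [i for i in items if i["party"] == "3rd" and i["pinning"] in ("branch", "unpinned")]
    return {
        "total": len(items),
        "pinned": len(pinned),
        "unpinned": len(items) - len(pinned),
        "items": items,
        "third_party_unpinned": [f'{i["name"]}@{i["ref"]}' if i["ref"] else i["name"] for i in loose],
    }

# Constructed sample workflow fragment (the SHA is a made-up 40-hex value).
SAMPLE = """steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
  - uses: docker/build-push-action@v5.1.0
  - uses: docker/login-action@main
  - uses: ./.github/actions/local-setup
"""
```

On the constructed workflow, `summarize(SAMPLE)` yields the same counts as the sample (`total` 3, `pinned` 2, `unpinned` 1). Tags count as pinned here as they do in the sample, so a guardrail that wants immutable references should test for `pinning == "sha"`, since a tag can be moved to a different commit.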

Documentation


GitHub Actions Collector

Parses GitHub Actions workflows, runs actionlint, and detects version pinning status for supply-chain hygiene.

Overview

This collector analyzes all GitHub Actions workflow files (.github/workflows/*.yml) in a repository. It extracts structured data from each workflow (name, triggers, jobs, action references), runs actionlint for syntax and type checking, and classifies version pinning status for every action reference. The result is a comprehensive view of GHA workflow quality and supply-chain hygiene.

Skips gracefully if no .github/workflows/ directory exists.

Collected Data

This collector writes to both normalized (vendor-agnostic) and native (GHA-specific) Component JSON paths:

Normalized paths

| Path | Type | Description |
|------|------|-------------|
| .ci.lint | object | CI config lint results (errors with file/line/rule, counts) |
| .ci.dependencies | object | CI dependency pinning status (total, pinned, unpinned, item details) |

Native paths

| Path | Type | Description |
|------|------|-------------|
| .ci.native.github_actions | object | Raw GHA workflow data (full parsed workflows with triggers, jobs, permissions, action refs) |

Collectors

This integration provides the following collectors (use include to select a subset):

| Collector | Description |
|-----------|-------------|
| workflows | Parses workflows, runs actionlint, and detects version pinning |

Installation

Add to your lunar-config.yml:

collectors:
  - uses: github://earthly/lunar-lib/collectors/github-actions@main
    on: ["domain:your-domain"]  # Or use tags like [backend, frontend]

Open Source

This collector is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.
