Feature request: check that local actions exist

[AndreyNautilus]

It would be great if actionlint checks that actions used in workflows actually exist.

Let's assume a repository contains a local github action: /.github/actions/my-action/action.yaml. If a workflow that uses this action contains a typo, for example:

- uses: ./.github/actions/my-actoin  # "actoin" vs "action"

the workflow is (obviously) incorrect, but actionlint doesn't report any error (version 1.6.23). The workflow will of course fail when triggered, but if the workflow has a complicated trigger (issues or schedule) which is not triggered on PR, such typos are hard to spot. In case of local actions, this check should be simple, because actionlint works with cloned repo and all local actions should be cloned too.

Theoretically the same check can be applied to remote actions (for other repos), for example:

- uses: actions/checkuot@v3  # "checkuot" vs "checkout"

but repos that contain actions can be private and the access will require a github token, so it's a bit more complicated. For remote actions actionlint can also check the existence of the version - v3 in this case, but it will be more useful when an action is referenced by commit hash.

[rhysd]

This was once checked by actionlint, but removed later because local actions don't always exist in the repository. Some people fetch their actions in workflow.

Theoretically the same check can be applied to remote actions (for other repos)

This means actionlint needs network requests and it will make actionlint much slower. Currently actionlint does not make any network request by design.

[AndreyNautilus]

Thanks for explanation.

Some people fetch their actions in workflow.

Wow, I was not aware of such use-case.

[tbutler-qontigo]

Could it be added back in as an opt-in feature for the people who don't fetch their actions in a workflow?