
5 Real GitHub Actions Bugs Caught by Static Analysis
You don't find out your CI is broken until it's too late. Here are five real GitHub Actions bugs — and how static analysis catches them before they ever run.

Static analysis for GitHub Actions workflows is still an underused idea. Most teams lint their application code, type-check their TypeScript, and run SAST on their Python. But the YAML files that orchestrate all of it? Those get copy-pasted from Stack Overflow and committed unchecked.

These are five categories of real bugs I've seen repeatedly — and how a workflow linter catches them before they cost you anything.

1. Secrets Accidentally Echoed in run: Steps

The bug:

```yaml
- name: Deploy
  run: |
    echo "Deploying with token: ${{ secrets.DEPLOY_TOKEN }}"
    ./deploy.sh --token ${{ secrets.DEPLOY_TOKEN }}
```

That echo line will print your secret in plain text in the CI logs. GitHub masks known secret values in logs, but only if the secret is registered correctly — and only in most contexts. If the value gets split across lines or embedded in a l
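As an added illustration of the check a workflow linter performs for this bug (example code written for this page, not the author's linter or any existing tool), the scanner below pulls every `run:` script out of a workflow, flags a `${{ secrets.* }}` reference handed to `echo`/`printf`/`cat` as an error, and downgrades any other inline secret expansion to a warning. The sample workflow is constructed: it pairs the article's buggy step with a step that passes the secret through `env:` and references it as a shell variable, which is the usual remedy and is left unflagged.

```python
import re

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")  # ${{ secrets.NAME }}
LOGGING_CMDS = re.compile(r"^(echo|printf|cat)\b")  # arguments go straight to the job log

# Constructed sample: the buggy step from the article next to a hardened one.
SAMPLE_WORKFLOW = """\
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Deploy
        run: |
          echo "Deploying with token: ${{ secrets.DEPLOY_TOKEN }}"
          ./deploy.sh --token ${{ secrets.DEPLOY_TOKEN }}
      - name: Deploy (hardened)
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
        run: ./deploy.sh --token "$DEPLOY_TOKEN"
"""

def extract_run_blocks(text):
    """Yield (first_line_no, script) for each run: value; line-based, so no YAML library is needed."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"^(\s*)(?:-\s+)?run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        indent, value, i = len(m.group(1)), m.group(2).strip(), i + 1
        if value[:1] not in ("|", ">"):  # run: one-liner, script is on the same line
            yield i, value
            continue
        first, body = i + 1, []  # block scalar: gather the lines indented deeper than the key
        while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent):
            body.append(lines[i].strip())
            i += 1
        yield first, "\n".join(body)

def lint_workflow(text):
    """Return (line_no, severity, message) for every secrets.* reference inside a run: script."""
    findings = []
    for first, script in extract_run_blocks(text):
        for offset, cmd in enumerate(script.splitlines()):
            names = ", ".join(SECRET_REF.findall(cmd))
            if names and LOGGING_CMDS.match(cmd):
                findings.append((first + offset, "error", f"{names} is printed to the job log by {cmd.split()[0]}"))
            elif names:
                findings.append((first + offset, "warning", f"{names} is expanded into the script; pass it via env: instead"))
    return findings
```

`lint_workflow(SAMPLE_WORKFLOW)` reports an error on line 7 (the `echo`) and a warning on line 8 (the inline `--token` argument); the hardened step produces nothing, and the `env:` line is ignored because it is not a `run:` script.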
Continue reading on Dev.to DevOps


