Add github.job_workflow_sha to the github context schema#671

Draft: stefanpenner wants to merge 1 commit into rhysd:main from stefanpenner:add-job-workflow-sha-github-context

stefanpenner commented May 27, 2026

`github.job_workflow_sha` is populated for jobs that use a reusable workflow — it holds the commit SHA of the reusable workflow file (distinct from `github.workflow_sha`, which holds the caller's commit).

It's been part of GitHub Actions since reusable workflows shipped, but is only mentioned in GitHub's docs as an OIDC token claim ("For jobs using a reusable workflow, the commit SHA for the reusable workflow file."); the github context reference page doesn't list it.

I've reached out to GitHub for clarification on whether the omission from the github-context docs is intentional. Either way the property is observably populated at runtime and used in real workflows — a GitHub code search returns 54+ matches in public .github/workflows/ files (GH code search is partial, so that's a lower bound), including production users like getsentry/sdk-benchmarks, finos/traderX, openmrs/openmrs-contrib-gha-workflows, tyler-technologies-oss/external-action-shared-workflows, namespacelabs/nscloud-cache-action, and Zondax/_workflows.

Without this in actionlint's schema, the common reusable-workflow self-checkout pattern raises `property "job_workflow_sha" is not defined`:

```yaml
# inside a reusable workflow, to check out actions at the workflow's own SHA
- uses: actions/checkout@v4
  with:
    repository: org/repo
    ref: ${{ github.job_workflow_sha }}
```

This PR adds the missing entry to the github context's strict object type — annotated `// Note: Undocumented in the github context page; documented as an OIDC token claim` to match the project's existing convention for other partially-documented properties (`state`, `output`, `step_summary`, `artifact_cache_size_limit`, `repository_visibility`). The matching sample output in `docs/checks.md` is updated in the same commit. `go test ./...` passes locally.

🤖 Generated with Claude Code

stefanpenner marked this pull request as ready for review May 27, 2026 16:39
stefanpenner marked this pull request as draft May 27, 2026 16:40

`github.job_workflow_sha` is populated for jobs that use a reusable
workflow — it holds the commit SHA of the reusable workflow file
(distinct from `github.workflow_sha`, which holds the caller's commit).

It's been part of GitHub Actions since reusable workflows shipped, but is
only mentioned in GitHub's docs as an OIDC token claim[1]; the github
context reference page does not list it. It is, however, widely used in
the wild for self-checkout patterns inside reusable workflows[2].

That makes a common reusable-workflow pattern fail the expression check:

```yaml
# inside a reusable workflow, to check out actions at the workflow's own SHA
- uses: actions/checkout@v4
  with:
    repository: org/repo
    ref: ${{ github.job_workflow_sha }}
```

This PR adds the missing entry to the github context's strict object type
(annotated `// Note: Undocumented` to match existing convention for
`state`, `output`, `step_summary`, etc.) and updates the matching docs
example in `docs/checks.md`. `go test ./...` passes locally.

[1] https://docs.github.com/en/actions/reference/security/oidc — "job_workflow_sha: For jobs using a reusable workflow, the commit SHA for the reusable workflow file."
[2] e.g. https://github.com/stefanpenner/shared-workflow-test, plus a CHANGELOG note from commit-guard observing that github.workflow_sha resolves to the caller's commit in a reusable-workflow context: https://github.com/codywilliamson/commit-guard

stefanpenner force-pushed the add-job-workflow-sha-github-context branch from 5d55656 to 5aac1a0 May 27, 2026 16:43
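
A simplified illustration of the strict-object check discussed in this PR, added here as an example and not taken from actionlint's code or from the PR: it scans `${{ }}` expressions for `github.<prop>` references and reports any that the schema does not define. The names `baseSchema`, `WithProperty` and `CheckGithubProps` are hypothetical, and the property set is a constructed subset of the github context.

```go
package main

import (
	"fmt"
	"regexp"
)

// baseSchema is a constructed subset of the github context, not actionlint's schema.
var baseSchema = map[string]bool{"ref": true, "repository": true, "sha": true, "workflow_sha": true}

// sampleStep is the self-checkout step quoted in the PR description.
const sampleStep = `- uses: actions/checkout@v4
  with:
    repository: org/repo
    ref: ${{ github.job_workflow_sha }}
`

var (
	exprRe = regexp.MustCompile(`\$\{\{(.*?)\}\}`)
	propRe = regexp.MustCompile(`(?:^|[^.\w-])github\.(\w[\w-]*)`) // skips other.github.x
)

// WithProperty returns a copy of schema that also defines name.
func WithProperty(schema map[string]bool, name string) map[string]bool {
	out := map[string]bool{name: true}
	for k := range schema {
		out[k] = true
	}
	return out
}

// CheckGithubProps reports every github.<prop> inside ${{ }} that the strict
// schema does not define, using the message wording quoted in the PR.
func CheckGithubProps(workflow string, schema map[string]bool) []string {
	var errs []string
	for _, expr := range exprRe.FindAllStringSubmatch(workflow, -1) {
		for _, m := range propRe.FindAllStringSubmatch(expr[1], -1) {
			if !schema[m[1]] {
				errs = append(errs, fmt.Sprintf("property %q is not defined", m[1]))
			}
		}
	}
	return errs
}

func main() {
	fmt.Println(CheckGithubProps(sampleStep, baseSchema))
	fmt.Println(CheckGithubProps(sampleStep, WithProperty(baseSchema, "job_workflow_sha")))
}
```

Because the object type is strict, a property that is populated at runtime but missing from the schema is reported exactly like a typo, which is why the fix is a schema entry rather than a change to the workflow.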