CP-29639: Bump github.com/rhysd/actionlint from 1.7.9 to 1.7.10 in /.tools

[dependabot]

Bumps github.com/rhysd/actionlint from 1.7.9 to 1.7.10.

Release notes

Sourced from github.com/rhysd/actionlint's releases.

v1.7.10

• Support YAML anchors and aliases (&anchor and *anchor) in workflow files. In addition to parsing YAML anchors correctly, actionlint checks unused and undefined anchors. See the document for more details. (#133, thanks @​srz-zumix for the initial implementation at #568 and @​alexaandru for trying another approach at #557)

  jobs:
    test:
      runs-on: ubuntu-latest
      services:
        nginx:
          image: nginx:latest
          credentials: &credentials
            username: ${{ secrets.user }}
            password: ${{ secrets.password }}
      steps:
        - run: ./download.sh
          # OK: Valid alias to &credentials
          env: *credentials
        - run: ./check.sh
          # ERROR: Undefined anchor 'credential'
          env: *credential
        - run: ./upload.sh
          # ERROR: Unused anchor 'credentials'
          env: &credentials

• Remove support for *-xl macOS runner labels because they were dropped. (#592, thanks @​muzimuzhi)
• Remove support for the macOS 13 runner labels because they were dropped on Dec 4, 2025. (#593, thanks @​muzimuzhi)
  • macos-13
  • macos-13-large
  • macos-13-xlarge
• Increase the maximum number of inputs in the workflow_dispatch event from 10 to 25 because the limitation was recently relaxed. (#598, thanks @​Haegi)
• Support artifact-metadata permission for workflow permissions. (#602, thanks @​martincostello)
• Detect more complicated constants at if: conditions as error. See the rule document for more details.
• Refactor the workflow parser with Go iterators. This slightly improves the performance and memory usage.
• Fix parsing extra { and } characters in format string of format() function call. For example v1.7.9 didn't parse "{{0} {1} {2}}" correctly.
• Detect an invalid value at type in workflow call inputs as error.
• Report YAML merge key << as error because GitHub Actions doesn't support the syntax.
• Check available contexts in expressions at jobs.<job_id>.snapshot.if.

  snapshot:
    image-name: my-custom-image
    # ERROR: `env` context is not allowed here
    if: ${{ env.USE_SNAPSHOT == 'true' }}

• Fix the instruction to install actionlint with mise in the installation document. (#591, thanks @​risu729)
• Update the popular actions data set to the latest to include new major versions of the actions.

Changelog

Sourced from github.com/rhysd/actionlint's changelog.

v1.7.10 - 2025-12-30

• Support YAML anchors and aliases (&anchor and *anchor) in workflow files. In addition to parsing YAML anchors correctly, actionlint checks unused and undefined anchors. See the document for more details. (#133, thanks @​srz-zumix for the initial implementation at #568 and @​alexaandru for trying another approach at #557)

  jobs:
    test:
      runs-on: ubuntu-latest
      services:
        nginx:
          image: nginx:latest
          credentials: &credentials
            username: ${{ secrets.user }}
            password: ${{ secrets.password }}
      steps:
        - run: ./download.sh
          # OK: Valid alias to &credentials
          env: *credentials
        - run: ./check.sh
          # ERROR: Undefined anchor 'credential'
          env: *credential
        - run: ./upload.sh
          # ERROR: Unused anchor 'credentials'
          env: &credentials

• Remove support for *-xl macOS runner labels because they were dropped. (#592, thanks @​muzimuzhi)
• Remove support for the macOS 13 runner labels because they were dropped on Dec 4, 2025. (#593, thanks @​muzimuzhi)
  • macos-13
  • macos-13-large
  • macos-13-xlarge
• Increase the maximum number of inputs in the workflow_dispatch event from 10 to 25 because the limitation was recently relaxed. (#598, thanks @​Haegi)
• Support artifact-metadata permission for workflow permissions. (#602, thanks @​martincostello)
• Detect more complicated constants at if: conditions as error. See the rule document for more details.
• Refactor the workflow parser with Go iterators. This slightly improves the performance and memory usage.
• Fix parsing extra { and } characters in format string of format() function call. For example v1.7.9 didn't parse "{{0} {1} {2}}" correctly.
• Detect an invalid value at type in workflow call inputs as error.
• Report YAML merge key << as error because GitHub Actions doesn't support the syntax.
• Check available contexts in expressions at jobs.<job_id>.snapshot.if.

  snapshot:
    image-name: my-custom-image
    # ERROR: `env` context is not allowed here
    if: ${{ env.USE_SNAPSHOT == 'true' }}

• Fix the instruction to install actionlint with mise in the installation document. (#591, thanks @​risu729)
• Update the popular actions data set to the latest to include new major versions of the actions.

[Changes][v1.7.10]

Commits

• 0933c14 bump up version to v1.7.10
• 9ce07bf update popular actions to the latest
• 6828398 Merge branch 'anchor' (close #568, fix #133)
• abc8624 add more example for anchors
• ff3994b Merge pull request #602 from martincostello/add-artifact-metadata
• c2e42cf fix: add artifact-metadata
• 64a6ba6 Merge pull request #601 from rhysd/ci/20387448135
• 16b6af9 update generated files by go generate on CI
• 567ea3a add aliases of make tasks for playground
• 95c719a update playground dev dependencies
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)