What does the GitHub Actions Workflow Expression regex match?

Matches a GitHub Actions workflow expression: ${{ context.property }}.

Is the GitHub Actions Workflow Expression regex ReDoS-safe?

Yes. Manually audited and tested against ReDoS attack strings. Anchors and possessive-style constraints prevent runaway backtracking paths.

Dev & Systems/Git

Verified Safe

GitHub Actions Workflow Expression Regex for JavaScript

/^\$\{\{\s+(?:github|env|vars|secrets|inputs|runner|job|steps|needs|matrix|strategy)(?:\.[a-zA-Z_][a-zA-Z0-9_\-]*)+\s+\}\}$/

What this pattern does

This page provides a comprehensive, battle-tested regular expression for matching github actions workflow expression, ported and verified for JavaScript. A rigorously tested regex reduces debugging time and protects your application from edge-case failures. The snippet below is ready to drop into your JavaScript project — whether you're validating in an Express middleware, a Next.js API route, or a client-side form.

Javascript Implementation

Javascript

// GitHub Actions Workflow Expression
// ReDoS-safe | RegexVault — Dev & Systems > Git

const githubActionsWorkflowExpressionRegex = /^\$\{\{\s+(?:github|env|vars|secrets|inputs|runner|job|steps|needs|matrix|strategy)(?:\.[a-zA-Z_][a-zA-Z0-9_\-]*)+\s+\}\}$/;

function validateGithubActionsWorkflowExpression(input: string): boolean {
  return githubActionsWorkflowExpressionRegex.test(input);
}

// Example
console.log(validateGithubActionsWorkflowExpression("${{ github.sha }}")); // true

Test Cases

Matches (Valid)	Rejects (Invalid)
`${{ github.sha }}`	`${{ unknown.context }}`
`${{ secrets.MY_SECRET }}`	`${{ }}`
`${{ env.NODE_VERSION }}`	`${{github.sha}}`
`${{ steps.build.outputs.artifact }}`	`github.sha`
`${{ runner.os }}`	`${ github.sha }`

When to use this pattern

This pattern is drawn from the Dev & Systems > Git category and carries a ReDoS-safe certification. That matters for JavaScript developers because especially critical in long-running Node.js event loops where a ReDoS vulnerability can block the entire process. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

Never use ${{ github.event.pull_request.head.ref }} directly in shell commands — it allows script injection via branch names. Always use an intermediate environment variable.

Technical Notes

Requires at least two dot-separated components (context.property). Context names are lowercase in GitHub Actions. The i flag is not needed.

Have a pattern that belongs in the vault?

Submit it for review — community-verified patterns get credited to your GitHub handle. Free submissions join the queue. Priority review available for $15.

Submit a Pattern