What does the GitHub Actions Workflow Expression regex match?

Matches a GitHub Actions workflow expression: ${{ context.property }}.

Is the GitHub Actions Workflow Expression regex ReDoS-safe?

Yes. Manually audited and tested against ReDoS attack strings. Anchors and possessive-style constraints prevent runaway backtracking paths.

Dev & Systems/Git

Verified Safe

GitHub Actions Workflow Expression Regex for Python

/^\$\{\{\s+(?:github|env|vars|secrets|inputs|runner|job|steps|needs|matrix|strategy)(?:\.[a-zA-Z_][a-zA-Z0-9_\-]*)+\s+\}\}$/

What this pattern does

This page provides a comprehensive, battle-tested regular expression for matching github actions workflow expression, ported and verified for Python. A rigorously tested regex reduces debugging time and protects your application from edge-case failures. The snippet below is ready to drop into your Python project — whether you're validating in a Django view, a FastAPI endpoint, or a standalone data processing script.

Python Implementation

Python

# GitHub Actions Workflow Expression
# ReDoS-safe | RegexVault — Dev & Systems > Git

import re

github_actions_workflow_expression_pattern = re.compile(r'^\$\{\{\s+(?:github|env|vars|secrets|inputs|runner|job|steps|needs|matrix|strategy)(?:\.[a-zA-Z_][a-zA-Z0-9_\-]*)+\s+\}\}$')

def validate_github_actions_workflow_expression(value: str) -> bool:
    return bool(github_actions_workflow_expression_pattern.fullmatch(value))

# Example
print(validate_github_actions_workflow_expression("${{ github.sha }}"))  # True

Test Cases

Matches (Valid)	Rejects (Invalid)
`${{ github.sha }}`	`${{ unknown.context }}`
`${{ secrets.MY_SECRET }}`	`${{ }}`
`${{ env.NODE_VERSION }}`	`${{github.sha}}`
`${{ steps.build.outputs.artifact }}`	`github.sha`
`${{ runner.os }}`	`${ github.sha }`

When to use this pattern

This pattern is drawn from the Dev & Systems > Git category and carries a ReDoS-safe certification. That matters for Python developers because particularly important in Python web servers where CPU-bound regex operations can stall concurrent request handling. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

Never use ${{ github.event.pull_request.head.ref }} directly in shell commands — it allows script injection via branch names. Always use an intermediate environment variable.

Technical Notes

Requires at least two dot-separated components (context.property). Context names are lowercase in GitHub Actions. The i flag is not needed.

Have a pattern that belongs in the vault?

Submit it for review — community-verified patterns get credited to your GitHub handle. Free submissions join the queue. Priority review available for $15.

Submit a Pattern