Setup TFLint Action
June 30, 2026 · View on GitHub
A GitHub action that installs a Terraform linter TFLint executable in the PATH.
Inputs
All inputs are optional, but may include a default where specified.
tflint_version
The version of TFLint which will be installed. See TFLint releases page for valid versions.
If version is "latest", the action will get the latest version number using Octokit.
Default: "latest"
tflint_version_file
Path to a file containing the TFLint version to install, so the version can live alongside your other tooling pins instead of being hardcoded in the workflow.
Two formats are supported:
- An asdf / mise
.tool-versionsfile — the version is read from itstflint <version>line (other tools in the file are ignored). - A plain version file whose entire contents are a single version (e.g.
0.52.0orv0.52.0).
The version may be written with or without a leading v.
This input is used only when tflint_version is unset or latest. If tflint_version is set to an explicit version, it takes precedence and tflint_version_file is ignored.
- uses: terraform-linters/setup-tflint@v6
with:
tflint_version_file: .tool-versions
checksums
A newline-delimited list of valid checksums (SHA256 hashes) for the downloaded TFLint binary. When set, the action will verify that the binary matches one of these checksums before proceeding.
This ensures that the downloaded binary for a given version is a known build. If your job runs in multiple operating systems or architectures, include appropriate checksums for all of them.
Note: Checksums ensure immutability, but do not verify integrity. To prove that checksums come from a known build in TFLint's official repository, use GitHub’s Artifact Attestations or cosign.
github_token
Used to authenticate requests to the GitHub API to obtain release data from the TFLint repository. Authenticating will increase the API rate limit. Any valid token is supported. No permissions are required.
Default: ${{ github.server_url == 'https://github.com' && github.token || '' }}
GitHub Enterprise Server will make requests to github.com anonymously by default. To authenticate these requests, you must issue a token from github.com and pass it explicitly.
tflint_wrapper
Installs a wrapper script to wrap subsequent calls to tflint and expose stdout, stderr, and exitcode outputs.
Default: "false"
cache
Enable caching of TFLint plugins. When enabled, the action will cache the plugin directory and restore it on subsequent runs based on the hash of your TFLint configuration file(s).
Default: "false"
tflint_config_path
Glob pattern for TFLint configuration file(s) used to generate the cache key. All matching files will be hashed together to determine cache validity. Supports glob patterns for monorepo setups.
Default: ".tflint.hcl"
plugin_dir
Directory where TFLint plugins are installed. See TFLint plugin configuration for details.
Can also be set via TFLINT_PLUGIN_DIR environment variable.
Default: "~/.tflint.d/plugins"
Outputs
The following outputs are available when the tflint_wrapper input is enabled:
stdout- The output (stdout) produced by the tflint command.stderr- The error output (stderr) produced by the tflint command.exitcode- The exit code produced by the tflint command.
Usage
name: Lint
on:
push:
branches: [ master ]
pull_request:
jobs:
tflint:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
steps:
- uses: actions/checkout@v4
name: Checkout source code
- uses: terraform-linters/setup-tflint@v6
name: Setup TFLint
with:
tflint_version: v0.52.0
cache: true
- name: Show version
run: tflint --version
- name: Init TFLint
run: tflint --init
env:
# https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
GITHUB_TOKEN: ${{ github.token }}
- name: Run TFLint
run: tflint -f compact
Latest Release
- uses: terraform-linters/setup-tflint@v6
or specify it explicitly as
- uses: terraform-linters/setup-tflint@v6
with:
tflint_version: latest
Using Custom GitHub Token
- uses: terraform-linters/setup-tflint@v6
with:
github_token: ${{ secrets.MY_CUSTOM_GITHUB_TOKEN }}
Loading Shared Configuration
- uses: terraform-linters/setup-tflint@v6
- uses: terraform-linters/tflint-load-config-action@v1
with:
source-repo: me/tflint-config
- run: tflint -f compact
Wrapper
- uses: terraform-linters/setup-tflint@v6
with:
tflint_wrapper: true
- id: tflint
run: tflint -f compact
- if: always()
run: echo ${{ steps.tflint.outputs.stdout }}
Plugin Caching
- uses: terraform-linters/setup-tflint@v6
with:
cache: true
- run: tflint --init
env:
GITHUB_TOKEN: ${{ github.token }}
- run: tflint -f compact
For monorepos with multiple TFLint configurations:
- uses: terraform-linters/setup-tflint@v6
with:
cache: true
tflint_config_path: '**/.tflint.hcl'
- run: tflint --init
env:
GITHUB_TOKEN: ${{ github.token }}
- run: tflint -f compact
Checks
This action supports Problem Matchers for --format compact. You can see annotations in pull requests when TFLint prints issues with the compact format.

Releasing
To create a new version:
npm version $inc && git push --follow-tags