Dear GitHub: no YAML anchors, please

Published Sep 22, 2025

Tags: programming, rant

---

TL;DR

GitHub Actions recently added YAML anchors support after a long absence. This change is problematic because:

- YAML anchors are redundant with existing CI/CD features.
- They introduce a form of non-locality that complicates human and machine understanding.
- They lack unique usefulness since GitHub Actions does not support YAML’s "merge keys," the key feature that makes anchors valuable.

The author strongly urges GitHub to remove YAML anchor support before widespread adoption.

---

Context: GitHub Actions and YAML anchors

GitHub Actions now lets users reuse YAML fragments with anchors, for example:

At first glance, this reduces duplication, but it actually introduces more problems.

---

Why YAML anchors are a bad fit in GitHub Actions

Redundancy

The above example could be replaced by defining environment variables at the workflow level (env:), which automatically applies to all jobs:

This is clearer, encourages good workflow architecture, and avoids partial global state. If you feel the need to share config only among some jobs, it may signal design issues: separate workflows, or jobs with their own env blocks, might be better. YAML anchors break the workflow/job/step abstractions by creating cross-cutting global state that defies GitHub Actions’ intended design.

Non-locality and complexity

YAML anchors allow arbitrary references anywhere in the YAML file, making it harder for humans to understand a workflow locally because relevant info may be far away. GitHub Actions already has some non-local features (global contexts, env scoping, dependencies), but these have precise rules and limited scope.

For machines and static analysis tools, anchors break the assumption that each object maps to a single location in source YAML.
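
The location problem described above can be seen with a parser that keeps the tree as it is before aliases are resolved. This is an added example, not code from the original post or from zizmor; it uses Ruby's bundled Psych library, and the sample workflow and the function names `anchor_findings` and `loaded_envs` are constructed for illustration.

```ruby
require "psych"

# Constructed sample workflow (not from the original post): an env mapping is
# anchored in job `build` and reused through an alias in job `test`.
# The `&&` and `*done*` in the last `run:` string are plain text, not anchors.
WORKFLOW = <<~YAML
  on: push
  jobs:
    build:
      runs-on: ubuntu-latest
      env: &shared_env
        NODE_ENV: production
      steps:
        - run: make build
    test:
      runs-on: ubuntu-latest
      env: *shared_env
      steps:
        - run: make test && echo "*done*"
YAML

# Walk the parse tree (aliases not yet resolved) and report every anchor
# definition and alias use with its 1-based source line and column.
def anchor_findings(source)
  findings = []
  Psych.parse_stream(source).each do |node|
    next unless node.respond_to?(:anchor) && node.anchor
    kind = node.is_a?(Psych::Nodes::Alias) ? :alias : :anchor
    findings << { kind: kind, name: node.anchor,
                  line: node.start_line + 1, column: node.start_column + 1 }
  end
  findings.sort_by { |f| [f[:line], f[:column]] }
end

# What a tool sees after ordinary loading: aliases are already expanded, so
# both jobs carry an equal env and nothing marks one of them as a reference.
def loaded_envs(source)
  jobs = Psych.safe_load(source, aliases: true)["jobs"]
  jobs.transform_values { |job| job["env"] }
end

if $PROGRAM_NAME == __FILE__
  anchor_findings(WORKFLOW).each do |f|
    puts "#{f[:kind]} #{f[:name]} at line #{f[:line]}, column #{f[:column]}"
  end
  p loaded_envs(WORKFLOW)
end
```
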
Most YAML parsers resolve anchors by copying values, losing source location info and complicating tools like the author's static analyzer zizmor and others (e.g., actionlint, claws, poutine).

No support for merge keys

The main unique feature that makes YAML anchors useful is merge keys, which allow merging multiple mappings. Merge keys enable composition with clear precedence, e.g.:

However, GitHub Actions does not support merge keys. This makes YAML anchors only partially implemented and removes their true unique advantage.

---

Summary

YAML anchors in GitHub Actions are:

- Redundant (other ways exist to share config),
- A source of unnecessary complexity that harms readability and tooling,
- Without key YAML features (merge keys), making them only marginally useful.

This complicates security assessments and automated analysis, increasing risks in an already vulnerable ecosystem. The author calls for an immediate removal of YAML anchors support, citing minimal disruption due to low current adoption.

---

Footnotes / Additional notes

- GitHub Actions maps YAML workflows to a simple JSON-like object model; anchors break its one-to-one source mapping.
- Most YAML parsers copy anchor data into references, hiding the original anchor and making source-location-accurate analysis impossible.
- The author suggests that they might simply flag anchors as obfuscation instead of supporting