mpalmer · award28 · Apr 18, 2026
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -47,9 +47,13 @@ js-sys = "0.3.77"
 is-terminal = "0.4.7"
 assert_cmd = { version = "2.1.1", optional = true }
 
+[target.'cfg(not(target_family = "wasm"))'.dependencies]
+reqwest = { version = "0.13", default-features = false, features = ["blocking", "rustls"] }
+
 [dev-dependencies]
 wasm-bindgen-test = "0.3.34"
 fixtures = "2.5.0"
+httpmock = "0.8"
 
 [profile.release]
 # Tell `rustc` to optimize for small code size.

diff --git a/README.md b/README.md
@@ -115,6 +115,34 @@ action-validator .github/workflows/build.yml
 Use `action-validator -h` to see additional options.
 
 
+## Validating `uses:` references
+
+By default, `action-validator` checks that every `uses:` string in your
+workflows and composite actions is well-formed (`owner/repo[/path]@ref`,
+`docker://image`, or `./local/path`) and that any local `./` paths actually
+exist on disk.
+
+Pass `--allow-remote-checks` to additionally verify that referenced GitHub
+actions exist remotely. When the flag is set, `action-validator` issues HEAD
+requests to `api.github.com` to confirm that the referenced repository and git
+ref resolve. Because this requires network access, it is opt-in.
+
+```shell
+action-validator --allow-remote-checks .github/workflows/build.yml
+```
+
+Current limitations of remote checks:
+
+- Docker image existence checks are not yet implemented; a warning is recorded
+  in the validation state when a `docker://` reference is encountered.
+- Private GitHub actions can't be reached without authentication; responses
+  that require auth (401/403) are treated as "assume exists" to avoid false
+  positives.
+- When the flag is not set, remote references are recorded as skipped checks
+  in the `warnings` field of the validation state — they never cause the
+  validator to exit non-zero.
+
+
 ## In a GitHub Action
 
 The action-validator can be run in a Github action itself, as a pull request job. See the `actions` job in the [QA workflow](https://github.com/mpalmer/action-validator/tree/main/.github/workflows/qa.yml), in this repository, as an example of how to use action-validator + asdf in a GitHub workflow.

diff --git a/src/config.rs b/src/config.rs
@@ -19,6 +19,10 @@ pub struct CliConfig {
     )]
     pub rootdir: Option<PathBuf>,
 
+    /// Perform remote network checks to verify referenced actions/images exist
+    #[arg(long)]
+    pub allow_remote_checks: bool,
+
     /// Input file
     #[arg(name = "path_to_action_yaml")]
     pub src: Vec<PathBuf>,
@@ -45,6 +49,7 @@ pub struct RunConfig<'a> {
     pub src: &'a str,
     pub verbose: bool,
     pub rootdir: Option<PathBuf>,
+    pub allow_remote_checks: bool,
 }
 
 impl<'a> From<&JsConfig<'a>> for RunConfig<'a> {
@@ -56,6 +61,7 @@ impl<'a> From<&JsConfig<'a>> for RunConfig<'a> {
             src: config.src,
             verbose: config.verbose,
             rootdir: None,
+            allow_remote_checks: false,
         }
     }
 }