check-jsonschema --builtin-schema: Vendored Schemas
check-jsonschema --builtin-schema vendor.github-workflows validates workflow files against a bundled schema with no network access.
Vendored (built-in) schemas let check-jsonschema validate common CI config files offline, which is exactly what you want on a locked-down runner.
What it does
The --builtin-schema flag selects a schema bundled with check-jsonschema instead of a file or URL. vendor.* schemas are copies of SchemaStore schemas (github-workflows, github-actions, gitlab-ci, renovate, dependabot, azure-pipelines, and more) so validation works without downloading anything.
Common usage
# list every bundled schema name
check-jsonschema --builtin-schema list
# GitHub Actions workflow files
check-jsonschema --builtin-schema vendor.github-workflows \
.github/workflows/*.yml
# a reusable/composite action definition
check-jsonschema --builtin-schema vendor.github-actions action.yml
# GitLab CI
check-jsonschema --builtin-schema vendor.gitlab-ci .gitlab-ci.ymlOptions
| Value | What it validates |
|---|---|
| vendor.github-workflows | Files under .github/workflows/ |
| vendor.github-actions | action.yml / action.yaml definitions |
| vendor.gitlab-ci | .gitlab-ci.yml |
| vendor.azure-pipelines | azure-pipelines.yml (needs --data-transform azure-pipelines) |
| vendor.renovate | renovate.json / .renovaterc |
| vendor.dependabot | .github/dependabot.yml |
In CI
Prefer a vendor.* built-in over a remote --schemafile URL on CI: it avoids a network call, so an offline or proxied runner still validates and the job cannot flake on a SchemaStore outage. Run --builtin-schema list once to confirm the exact name in your installed version.
Common errors in CI
--builtin-schema: invalid choice: 'github-workflow' means a wrong or renamed name (note the plural github-workflows); run --builtin-schema list. Validating an Azure pipeline without --data-transform azure-pipelines yields spurious is not valid under any of the given schemas errors because the template syntax is not decoded. A vendor.* name missing from your version means the package is too old; upgrade with pipx.