@intentius/chant-lexicon-github 0.0.18 → 0.0.22

package/src/lint/post-synth/gha027.ts

@@ -0,0 +1,57 @@
+/**
+ * GHA027: Missing `if: always()` on Cleanup Steps
+ *
+ * Flags steps whose name contains "cleanup", "teardown", or "clean up"
+ * (case-insensitive) that lack an `if:` condition. Cleanup steps should
+ * typically run with `if: always()` so they execute even when prior steps fail.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput, extractJobs } from "./yaml-helpers";
+
+const CLEANUP_PATTERN = /cleanup|teardown|clean\s+up/i;
+
+export const gha027: PostSynthCheck = {
+  id: "GHA027",
+  description: "Missing `if: always()` on cleanup steps",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+
+      // Scan raw YAML for step blocks with cleanup-like names
+      const stepPattern = /-\s+name:\s+(.+)/g;
+      let match: RegExpExecArray | null;
+
+      while ((match = stepPattern.exec(yaml)) !== null) {
+        const stepName = match[1].trim().replace(/^['"]|['"]$/g, "");
+        if (!CLEANUP_PATTERN.test(stepName)) continue;
+
+        // Get the block after this step name line
+        const afterName = yaml.slice(match.index + match[0].length);
+        // Capture lines until the next step entry or job
+        const blockEnd = afterName.search(/\n\s{6}-\s|\n\s{2}[a-z]/);
+        const block = blockEnd === -1 ? afterName : afterName.slice(0, blockEnd);
+
+        if (!/^\s+if:/m.test(block)) {
+          // Find which job this step belongs to
+          const beforeStep = yaml.slice(0, match.index);
+          const jobMatch = [...beforeStep.matchAll(/^\s{2}([a-z][a-z0-9-]*):/gm)];
+          const jobName = jobMatch.length > 0 ? jobMatch[jobMatch.length - 1][1] : "unknown";
+
+          diagnostics.push({
+            checkId: "GHA027",
+            severity: "info",
+            message: `Step "${stepName}" in job "${jobName}" looks like a cleanup step but has no \`if:\` condition. Add \`if: always()\` so it runs even when prior steps fail.`,
+            entity: `${jobName}.${stepName}`,
+            lexicon: "github",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/gha028.test.ts

@@ -0,0 +1,48 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import { gha028 } from "./gha028";
+
+function makeCtx(yaml: string): PostSynthContext {
+  return {
+    outputs: new Map([["github", yaml]]),
+    entities: new Map(),
+    buildResult: {
+      outputs: new Map([["github", yaml]]),
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("GHA028: workflow with no on triggers", () => {
+  test("flags workflow without on: block", () => {
+    const yaml = `name: CI
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo test
+`;
+    const diags = gha028.check(makeCtx(yaml));
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("GHA028");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].message).toContain("on:");
+  });
+
+  test("does not flag workflow with on: block", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo test
+`;
+    const diags = gha028.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/gha028.ts

@@ -0,0 +1,37 @@
+/**
+ * GHA028: Workflow With No `on` Triggers
+ *
+ * Flags workflow files that lack a top-level `on:` key, which means
+ * the workflow will never be triggered.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput } from "./yaml-helpers";
+
+export const gha028: PostSynthCheck = {
+  id: "GHA028",
+  description: "Workflow with no `on` triggers",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+
+      const hasOn = /^on:/m.test(yaml);
+
+      if (!hasOn) {
+        diagnostics.push({
+          checkId: "GHA028",
+          severity: "error",
+          message:
+            "Workflow has no `on:` trigger block. Without triggers the workflow will never run. Add an `on:` section with at least one event.",
+          entity: "on",
+          lexicon: "github",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/rules/deprecated-action-version.test.ts

@@ -0,0 +1,26 @@
+import { describe, test, expect } from "bun:test";
+import * as ts from "typescript";
+import type { LintContext } from "@intentius/chant/lint/rule";
+import { deprecatedActionVersionRule } from "./deprecated-action-version";
+
+function createContext(code: string, fileName = "test.ts"): LintContext {
+  const sourceFile = ts.createSourceFile(fileName, code, ts.ScriptTarget.Latest, true);
+  return { sourceFile, entities: [], filePath: fileName };
+}
+
+describe("GHA012: deprecated-action-version", () => {
+  test("flags deprecated checkout version", () => {
+    const ctx = createContext(`const s = "actions/checkout@v2";`);
+    const diags = deprecatedActionVersionRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].ruleId).toBe("GHA012");
+    expect(diags[0].severity).toBe("warning");
+    expect(diags[0].message).toContain("v2");
+  });
+
+  test("does not flag current version", () => {
+    const ctx = createContext(`const s = "actions/checkout@v4";`);
+    const diags = deprecatedActionVersionRule.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/rules/detect-secrets.test.ts

@@ -0,0 +1,25 @@
+import { describe, test, expect } from "bun:test";
+import * as ts from "typescript";
+import type { LintContext } from "@intentius/chant/lint/rule";
+import { detectSecretsRule } from "./detect-secrets";
+
+function createContext(code: string, fileName = "test.ts"): LintContext {
+  const sourceFile = ts.createSourceFile(fileName, code, ts.ScriptTarget.Latest, true);
+  return { sourceFile, entities: [], filePath: fileName };
+}
+
+describe("GHA020: detect-secrets", () => {
+  test("flags AWS access key", () => {
+    const ctx = createContext(`const key = "AKIAIOSFODNN7EXAMPLE";`);
+    const diags = detectSecretsRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].ruleId).toBe("GHA020");
+    expect(diags[0].severity).toBe("error");
+  });
+
+  test("does not flag normal strings", () => {
+    const ctx = createContext(`const name = "my-application";`);
+    const diags = detectSecretsRule.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/rules/extract-inline-structs.test.ts

@@ -0,0 +1,25 @@
+import { describe, test, expect } from "bun:test";
+import * as ts from "typescript";
+import type { LintContext } from "@intentius/chant/lint/rule";
+import { extractInlineStructsRule } from "./extract-inline-structs";
+
+function createContext(code: string, fileName = "test.ts"): LintContext {
+  const sourceFile = ts.createSourceFile(fileName, code, ts.ScriptTarget.Latest, true);
+  return { sourceFile, entities: [], filePath: fileName };
+}
+
+describe("GHA005: extract-inline-structs", () => {
+  test("flags deeply nested objects in Job constructor", () => {
+    const ctx = createContext(`const j = new Job({ on: { push: { branches: { pattern: "main" } } } });`);
+    const diags = extractInlineStructsRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].ruleId).toBe("GHA005");
+    expect(diags[0].severity).toBe("info");
+  });
+
+  test("does not flag shallow nesting", () => {
+    const ctx = createContext(`const j = new Job({ env: { NODE_ENV: "production" } });`);
+    const diags = extractInlineStructsRule.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/rules/file-job-limit.test.ts

@@ -0,0 +1,28 @@
+import { describe, test, expect } from "bun:test";
+import * as ts from "typescript";
+import type { LintContext } from "@intentius/chant/lint/rule";
+import { fileJobLimitRule } from "./file-job-limit";
+
+function createContext(code: string, fileName = "test.ts"): LintContext {
+  const sourceFile = ts.createSourceFile(fileName, code, ts.ScriptTarget.Latest, true);
+  return { sourceFile, entities: [], filePath: fileName };
+}
+
+describe("GHA007: file-job-limit", () => {
+  test("flags file with more than 10 jobs", () => {
+    const jobs = Array.from({ length: 11 }, (_, i) => `const j${i} = new Job({ "runs-on": "ubuntu-latest" });`).join("\n");
+    const ctx = createContext(jobs);
+    const diags = fileJobLimitRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].ruleId).toBe("GHA007");
+    expect(diags[0].severity).toBe("warning");
+    expect(diags[0].message).toContain("11");
+  });
+
+  test("does not flag 10 or fewer jobs", () => {
+    const jobs = Array.from({ length: 10 }, (_, i) => `const j${i} = new Job({ "runs-on": "ubuntu-latest" });`).join("\n");
+    const ctx = createContext(jobs);
+    const diags = fileJobLimitRule.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/rules/job-timeout.test.ts

@@ -0,0 +1,31 @@
+import { describe, test, expect } from "bun:test";
+import * as ts from "typescript";
+import type { LintContext } from "@intentius/chant/lint/rule";
+import { jobTimeoutRule } from "./job-timeout";
+
+function createContext(code: string, fileName = "test.ts"): LintContext {
+  const sourceFile = ts.createSourceFile(fileName, code, ts.ScriptTarget.Latest, true);
+  return { sourceFile, entities: [], filePath: fileName };
+}
+
+describe("GHA014: job-timeout", () => {
+  test("flags Job without timeoutMinutes", () => {
+    const ctx = createContext(`const j = new Job({ "runs-on": "ubuntu-latest" });`);
+    const diags = jobTimeoutRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].ruleId).toBe("GHA014");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("does not flag Job with timeoutMinutes", () => {
+    const ctx = createContext(`const j = new Job({ "runs-on": "ubuntu-latest", timeoutMinutes: 30 });`);
+    const diags = jobTimeoutRule.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("does not flag non-Job constructors", () => {
+    const ctx = createContext(`const s = new Step({ run: "test" });`);
+    const diags = jobTimeoutRule.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/rules/missing-recommended-inputs.test.ts

@@ -0,0 +1,26 @@
+import { describe, test, expect } from "bun:test";
+import * as ts from "typescript";
+import type { LintContext } from "@intentius/chant/lint/rule";
+import { missingRecommendedInputsRule } from "./missing-recommended-inputs";
+
+function createContext(code: string, fileName = "test.ts"): LintContext {
+  const sourceFile = ts.createSourceFile(fileName, code, ts.ScriptTarget.Latest, true);
+  return { sourceFile, entities: [], filePath: fileName };
+}
+
+describe("GHA010: missing-recommended-inputs", () => {
+  test("flags SetupNode without version", () => {
+    const ctx = createContext(`const step = SetupNode({ cache: "npm" });`);
+    const diags = missingRecommendedInputsRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].ruleId).toBe("GHA010");
+    expect(diags[0].severity).toBe("warning");
+    expect(diags[0].message).toContain("SetupNode");
+  });
+
+  test("does not flag SetupNode with nodeVersion", () => {
+    const ctx = createContext(`const step = SetupNode({ nodeVersion: "22" });`);
+    const diags = missingRecommendedInputsRule.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/rules/no-hardcoded-secrets.test.ts

@@ -0,0 +1,31 @@
+import { describe, test, expect } from "bun:test";
+import * as ts from "typescript";
+import type { LintContext } from "@intentius/chant/lint/rule";
+import { noHardcodedSecretsRule } from "./no-hardcoded-secrets";
+
+function createContext(code: string, fileName = "test.ts"): LintContext {
+  const sourceFile = ts.createSourceFile(fileName, code, ts.ScriptTarget.Latest, true);
+  return { sourceFile, entities: [], filePath: fileName };
+}
+
+describe("GHA003: no-hardcoded-secrets", () => {
+  test("flags ghp_ prefix", () => {
+    const ctx = createContext(`const token = "ghp_1234567890abcdef";`);
+    const diags = noHardcodedSecretsRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].ruleId).toBe("GHA003");
+    expect(diags[0].severity).toBe("error");
+  });
+
+  test("flags ghs_ prefix", () => {
+    const ctx = createContext(`const token = "ghs_abcdef1234567890";`);
+    const diags = noHardcodedSecretsRule.check(ctx);
+    expect(diags).toHaveLength(1);
+  });
+
+  test("does not flag normal strings", () => {
+    const ctx = createContext(`const name = "my-github-repo";`);
+    const diags = noHardcodedSecretsRule.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/rules/no-raw-expressions.test.ts

@@ -0,0 +1,31 @@
+import { describe, test, expect } from "bun:test";
+import * as ts from "typescript";
+import type { LintContext } from "@intentius/chant/lint/rule";
+import { noRawExpressionsRule } from "./no-raw-expressions";
+
+function createContext(code: string, fileName = "test.ts"): LintContext {
+  const sourceFile = ts.createSourceFile(fileName, code, ts.ScriptTarget.Latest, true);
+  return { sourceFile, entities: [], filePath: fileName };
+}
+
+describe("GHA008: no-raw-expressions", () => {
+  test("flags unknown context in ${{ }}", () => {
+    const ctx = createContext(`const x = "\${{ custom.unknown }}";`);
+    const diags = noRawExpressionsRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].ruleId).toBe("GHA008");
+    expect(diags[0].severity).toBe("info");
+  });
+
+  test("does not flag known contexts", () => {
+    const ctx = createContext(`const x = "\${{ github.ref }}";`);
+    const diags = noRawExpressionsRule.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("does not flag secrets context", () => {
+    const ctx = createContext(`const x = "\${{ secrets.MY_TOKEN }}";`);
+    const diags = noRawExpressionsRule.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/rules/suggest-cache.test.ts

@@ -0,0 +1,25 @@
+import { describe, test, expect } from "bun:test";
+import * as ts from "typescript";
+import type { LintContext } from "@intentius/chant/lint/rule";
+import { suggestCacheRule } from "./suggest-cache";
+
+function createContext(code: string, fileName = "test.ts"): LintContext {
+  const sourceFile = ts.createSourceFile(fileName, code, ts.ScriptTarget.Latest, true);
+  return { sourceFile, entities: [], filePath: fileName };
+}
+
+describe("GHA015: suggest-cache", () => {
+  test("flags SetupNode in steps without Cache", () => {
+    const ctx = createContext(`const j = new Job({ steps: [SetupNode({ nodeVersion: "22" })] });`);
+    const diags = suggestCacheRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].ruleId).toBe("GHA015");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("does not flag SetupNode with cache prop", () => {
+    const ctx = createContext(`const j = new Job({ steps: [SetupNode({ nodeVersion: "22", cache: "npm" })] });`);
+    const diags = suggestCacheRule.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/rules/use-condition-builders.test.ts

@@ -0,0 +1,31 @@
+import { describe, test, expect } from "bun:test";
+import * as ts from "typescript";
+import type { LintContext } from "@intentius/chant/lint/rule";
+import { useConditionBuildersRule } from "./use-condition-builders";
+
+function createContext(code: string, fileName = "test.ts"): LintContext {
+  const sourceFile = ts.createSourceFile(fileName, code, ts.ScriptTarget.Latest, true);
+  return { sourceFile, entities: [], filePath: fileName };
+}
+
+describe("GHA002: use-condition-builders", () => {
+  test("flags ${{ in if property", () => {
+    const ctx = createContext(`const j = new Job({ if: "\${{ github.ref == 'refs/heads/main' }}" });`);
+    const diags = useConditionBuildersRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].ruleId).toBe("GHA002");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("does not flag Expression object in if", () => {
+    const ctx = createContext(`const j = new Job({ if: branch("main") });`);
+    const diags = useConditionBuildersRule.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("does not flag string without ${{ in if", () => {
+    const ctx = createContext(`const j = new Job({ if: "always()" });`);
+    const diags = useConditionBuildersRule.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/rules/use-matrix-builder.test.ts

@@ -0,0 +1,25 @@
+import { describe, test, expect } from "bun:test";
+import * as ts from "typescript";
+import type { LintContext } from "@intentius/chant/lint/rule";
+import { useMatrixBuilderRule } from "./use-matrix-builder";
+
+function createContext(code: string, fileName = "test.ts"): LintContext {
+  const sourceFile = ts.createSourceFile(fileName, code, ts.ScriptTarget.Latest, true);
+  return { sourceFile, entities: [], filePath: fileName };
+}
+
+describe("GHA004: use-matrix-builder", () => {
+  test("flags inline matrix object", () => {
+    const ctx = createContext(`const s = new Strategy({ matrix: { "node-version": ["18", "20"] } });`);
+    const diags = useMatrixBuilderRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].ruleId).toBe("GHA004");
+    expect(diags[0].severity).toBe("info");
+  });
+
+  test("does not flag matrix reference", () => {
+    const ctx = createContext(`const s = new Strategy({ matrix: myMatrix });`);
+    const diags = useMatrixBuilderRule.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/rules/use-typed-actions.test.ts

@@ -0,0 +1,39 @@
+import { describe, test, expect } from "bun:test";
+import * as ts from "typescript";
+import type { LintContext } from "@intentius/chant/lint/rule";
+import { useTypedActionsRule } from "./use-typed-actions";
+
+function createContext(code: string, fileName = "test.ts"): LintContext {
+  const sourceFile = ts.createSourceFile(fileName, code, ts.ScriptTarget.Latest, true);
+  return { sourceFile, entities: [], filePath: fileName };
+}
+
+describe("GHA001: use-typed-actions", () => {
+  test("flags raw uses: string for known action", () => {
+    const ctx = createContext(`const s = new Step({ uses: "actions/checkout@v4" });`);
+    const diags = useTypedActionsRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].ruleId).toBe("GHA001");
+    expect(diags[0].severity).toBe("warning");
+    expect(diags[0].message).toContain("Checkout");
+  });
+
+  test("flags actions/setup-node", () => {
+    const ctx = createContext(`const s = new Step({ uses: "actions/setup-node@v4" });`);
+    const diags = useTypedActionsRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("SetupNode");
+  });
+
+  test("does not flag unknown action", () => {
+    const ctx = createContext(`const s = new Step({ uses: "custom/action@v1" });`);
+    const diags = useTypedActionsRule.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("does not flag non-uses property", () => {
+    const ctx = createContext(`const s = new Step({ run: "npm test" });`);
+    const diags = useTypedActionsRule.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/rules/validate-concurrency.test.ts

@@ -0,0 +1,31 @@
+import { describe, test, expect } from "bun:test";
+import * as ts from "typescript";
+import type { LintContext } from "@intentius/chant/lint/rule";
+import { validateConcurrencyRule } from "./validate-concurrency";
+
+function createContext(code: string, fileName = "test.ts"): LintContext {
+  const sourceFile = ts.createSourceFile(fileName, code, ts.ScriptTarget.Latest, true);
+  return { sourceFile, entities: [], filePath: fileName };
+}
+
+describe("GHA016: validate-concurrency", () => {
+  test("flags cancelInProgress without group", () => {
+    const ctx = createContext(`const c = new Concurrency({ cancelInProgress: true });`);
+    const diags = validateConcurrencyRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].ruleId).toBe("GHA016");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("does not flag cancelInProgress with group", () => {
+    const ctx = createContext(`const c = new Concurrency({ cancelInProgress: true, group: "ci-\${{ github.ref }}" });`);
+    const diags = validateConcurrencyRule.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("does not flag concurrency without cancelInProgress", () => {
+    const ctx = createContext(`const c = new Concurrency({ group: "ci" });`);
+    const diags = validateConcurrencyRule.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/plugin.test.ts

@@ -24,7 +24,7 @@ describe("githubPlugin", () => {
 
   test("provides post-synth checks", () => {
     const checks = githubPlugin.postSynthChecks!();
-    expect(checks.length).toBe(6);
+    expect(checks.length).toBe(15);
 
     const checkIds = checks.map((c) => c.id);
     expect(checkIds).toContain("GHA006");

package/src/plugin.ts

@@ -54,7 +54,16 @@ export const githubPlugin: LexiconPlugin = {
     const { gha017 } = require("./lint/post-synth/gha017");
     const { gha018 } = require("./lint/post-synth/gha018");
     const { gha019 } = require("./lint/post-synth/gha019");
-    return [gha006, gha009, gha011, gha017, gha018, gha019];
+    const { gha020 } = require("./lint/post-synth/gha020");
+    const { gha021 } = require("./lint/post-synth/gha021");
+    const { gha022 } = require("./lint/post-synth/gha022");
+    const { gha023 } = require("./lint/post-synth/gha023");
+    const { gha024 } = require("./lint/post-synth/gha024");
+    const { gha025 } = require("./lint/post-synth/gha025");
+    const { gha026 } = require("./lint/post-synth/gha026");
+    const { gha027 } = require("./lint/post-synth/gha027");
+    const { gha028 } = require("./lint/post-synth/gha028");
+    return [gha006, gha009, gha011, gha017, gha018, gha019, gha020, gha021, gha022, gha023, gha024, gha025, gha026, gha027, gha028];
   },
 
   intrinsics(): IntrinsicDef[] {
@@ -323,7 +332,7 @@ user-invocable: true
 
 ## How chant and GitHub Actions relate
 
-chant is a **synthesis-only** tool — it compiles TypeScript source files into \`.github/workflows/*.yml\` (YAML). chant does NOT call GitHub APIs.
+chant is a **synthesis compiler** — it compiles TypeScript source files into \`.github/workflows/*.yml\` (YAML). \`chant build\` does not call GitHub APIs; synthesis is pure and deterministic.
 
 - Use **chant** for: build, lint, diff (local YAML comparison)
 - Use **git + GitHub** for: push, pull requests, workflow monitoring
@@ -387,6 +396,25 @@ git push
           },
         ],
       },
+      {
+        file: "github-actions-security.md",
+        name: "github-actions-security",
+        description: "GitHub Actions security — secret scanning, OIDC, permissions hardening, supply chain",
+        triggers: [
+          { type: "context" as const, value: "github security" },
+          { type: "context" as const, value: "workflow security" },
+          { type: "context" as const, value: "oidc" },
+          { type: "context" as const, value: "permissions" },
+        ],
+        parameters: [],
+        examples: [
+          {
+            title: "Permissions hardening",
+            input: "Lock down workflow permissions",
+            output: `new Workflow({ permissions: { contents: "read" } })`,
+          },
+        ],
+      },
     ];
 
     for (const skill of skillFiles) {