@intentius/chant-lexicon-github 0.0.18

package/dist/integrity.json

@@ -0,0 +1,31 @@
+{
+  "algorithm": "xxhash64",
+  "artifacts": {
+    "manifest.json": "199b64fff9617c21",
+    "meta.json": "317499a992c9c274",
+    "types/index.d.ts": "93ce391baebf2afb",
+    "rules/missing-recommended-inputs.ts": "42f2f3b0b6c7b52c",
+    "rules/no-raw-expressions.ts": "6359f4d3135ed351",
+    "rules/use-typed-actions.ts": "eeedcc6145b7a132",
+    "rules/extract-inline-structs.ts": "646dce2eccf1fab4",
+    "rules/file-job-limit.ts": "7c46a302f6ba2744",
+    "rules/detect-secrets.ts": "999e6c5b4e048764",
+    "rules/deprecated-action-version.ts": "9ec91b190557f25f",
+    "rules/no-hardcoded-secrets.ts": "adcdb23f0480a4b7",
+    "rules/job-timeout.ts": "68f85c741c3d0ae8",
+    "rules/use-condition-builders.ts": "7406215df1f79fb8",
+    "rules/suggest-cache.ts": "c45f7659afde2f15",
+    "rules/validate-concurrency.ts": "c12a1aa4ee8badb5",
+    "rules/use-matrix-builder.ts": "6b1c0ebf43378805",
+    "rules/gha017.ts": "ff1c08fdedf83afa",
+    "rules/gha019.ts": "d9184093f36ac167",
+    "rules/gha009.ts": "df140c0cac573bc4",
+    "rules/gha018.ts": "46acbe27d4c0c817",
+    "rules/yaml-helpers.ts": "df426df288c175c9",
+    "rules/gha011.ts": "105e2d4faeaa9977",
+    "rules/gha006.ts": "baca27402ba18d",
+    "skills/chant-github.md": "e38b1aca37ae4ab8",
+    "skills/github-actions-patterns.md": "887ff05cbb3af292"
+  },
+  "composite": "e2321ecad63df490"
+}

package/dist/manifest.json

@@ -0,0 +1,15 @@
+{
+  "name": "github",
+  "version": "0.0.18",
+  "chantVersion": ">=0.1.0",
+  "namespace": "GitHub",
+  "intrinsics": [
+    {
+      "name": "expression",
+      "description": "${{ }} expression wrapper for GitHub Actions contexts",
+      "outputKey": "expression",
+      "isTag": false
+    }
+  ],
+  "pseudoParameters": {}
+}

package/dist/meta.json

@@ -0,0 +1,135 @@
+{
+  "Concurrency": {
+    "resourceType": "GitHub::Actions::Concurrency",
+    "kind": "property",
+    "lexicon": "github"
+  },
+  "Container": {
+    "resourceType": "GitHub::Actions::Container",
+    "kind": "property",
+    "lexicon": "github"
+  },
+  "Defaults": {
+    "resourceType": "GitHub::Actions::Defaults",
+    "kind": "property",
+    "lexicon": "github"
+  },
+  "Environment": {
+    "resourceType": "GitHub::Actions::Environment",
+    "kind": "property",
+    "lexicon": "github"
+  },
+  "Job": {
+    "resourceType": "GitHub::Actions::Job",
+    "kind": "resource",
+    "lexicon": "github",
+    "constraints": {
+      "timeout-minutes": {
+        "default": 360
+      }
+    }
+  },
+  "Permissions": {
+    "resourceType": "GitHub::Actions::Permissions",
+    "kind": "property",
+    "lexicon": "github",
+    "constraints": {
+      "models": {
+        "enum": [
+          "read",
+          "none"
+        ]
+      }
+    }
+  },
+  "PullRequestTargetTrigger": {
+    "resourceType": "GitHub::Actions::PullRequestTargetTrigger",
+    "kind": "property",
+    "lexicon": "github"
+  },
+  "PullRequestTrigger": {
+    "resourceType": "GitHub::Actions::PullRequestTrigger",
+    "kind": "property",
+    "lexicon": "github"
+  },
+  "PushTrigger": {
+    "resourceType": "GitHub::Actions::PushTrigger",
+    "kind": "property",
+    "lexicon": "github"
+  },
+  "RepositoryDispatchTrigger": {
+    "resourceType": "GitHub::Actions::RepositoryDispatchTrigger",
+    "kind": "property",
+    "lexicon": "github"
+  },
+  "ReusableWorkflowCallJob": {
+    "resourceType": "GitHub::Actions::ReusableWorkflowCallJob",
+    "kind": "resource",
+    "lexicon": "github",
+    "constraints": {
+      "uses": {
+        "pattern": "^(.+\\/)+(.+)\\.(ya?ml)(@.+)?$"
+      }
+    }
+  },
+  "ScheduleTrigger": {
+    "resourceType": "GitHub::Actions::ScheduleTrigger",
+    "kind": "property",
+    "lexicon": "github"
+  },
+  "Service": {
+    "resourceType": "GitHub::Actions::Service",
+    "kind": "property",
+    "lexicon": "github"
+  },
+  "Step": {
+    "resourceType": "GitHub::Actions::Step",
+    "kind": "property",
+    "lexicon": "github"
+  },
+  "Strategy": {
+    "resourceType": "GitHub::Actions::Strategy",
+    "kind": "property",
+    "lexicon": "github",
+    "constraints": {
+      "fail-fast": {
+        "default": true
+      }
+    }
+  },
+  "Workflow": {
+    "resourceType": "GitHub::Actions::Workflow",
+    "kind": "resource",
+    "lexicon": "github"
+  },
+  "WorkflowCallTrigger": {
+    "resourceType": "GitHub::Actions::WorkflowCallTrigger",
+    "kind": "property",
+    "lexicon": "github"
+  },
+  "WorkflowDispatchTrigger": {
+    "resourceType": "GitHub::Actions::WorkflowDispatchTrigger",
+    "kind": "property",
+    "lexicon": "github"
+  },
+  "WorkflowInput": {
+    "resourceType": "GitHub::Actions::WorkflowInput",
+    "kind": "property",
+    "lexicon": "github"
+  },
+  "WorkflowOutput": {
+    "resourceType": "GitHub::Actions::WorkflowOutput",
+    "kind": "property",
+    "lexicon": "github"
+  },
+  "WorkflowRunTrigger": {
+    "resourceType": "GitHub::Actions::WorkflowRunTrigger",
+    "kind": "property",
+    "lexicon": "github"
+  },
+  "WorkflowSecret": {
+    "resourceType": "GitHub::Actions::WorkflowSecret",
+    "kind": "property",
+    "lexicon": "github"
+  }
+}

package/dist/rules/deprecated-action-version.ts

@@ -0,0 +1,49 @@
+/**
+ * GHA012: Deprecated Action Version
+ *
+ * Flags `uses:` strings referencing deprecated action versions.
+ */
+
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import * as ts from "typescript";
+import { deprecatedVersions } from "./data/deprecated-versions";
+
+export const deprecatedActionVersionRule: LintRule = {
+  id: "GHA012",
+  severity: "warning",
+  category: "correctness",
+  description: "Action version is deprecated — upgrade to the recommended version",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+
+    function visit(node: ts.Node): void {
+      if (ts.isStringLiteral(node)) {
+        const text = node.text;
+        const atIndex = text.indexOf("@");
+        if (atIndex === -1) { ts.forEachChild(node, visit); return; }
+
+        const actionName = text.slice(0, atIndex);
+        const version = text.slice(atIndex + 1);
+        const info = deprecatedVersions[actionName];
+
+        if (info && info.deprecated.includes(version)) {
+          const { line, character } = sourceFile.getLineAndCharacterOfPosition(node.getStart());
+          diagnostics.push({
+            file: sourceFile.fileName,
+            line: line + 1,
+            column: character + 1,
+            ruleId: "GHA012",
+            severity: "warning",
+            message: `"${text}" uses deprecated version ${version}. Upgrade to ${actionName}@${info.recommended}.`,
+          });
+        }
+      }
+      ts.forEachChild(node, visit);
+    }
+
+    visit(sourceFile);
+    return diagnostics;
+  },
+};

package/dist/rules/detect-secrets.ts

@@ -0,0 +1,53 @@
+/**
+ * GHA020: Detect Secrets
+ *
+ * Scans string literals for patterns matching known secret formats.
+ * Skips strings containing "secrets." (proper usage).
+ */
+
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import * as ts from "typescript";
+import { secretPatterns } from "./data/secret-patterns";
+
+export const detectSecretsRule: LintRule = {
+  id: "GHA020",
+  severity: "error",
+  category: "security",
+  description: "Potential secret detected in source code",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+
+    function visit(node: ts.Node): void {
+      if (ts.isStringLiteral(node) || ts.isNoSubstitutionTemplateLiteral(node)) {
+        const text = node.text;
+
+        // Skip strings that reference secrets properly
+        if (text.includes("secrets.")) {
+          ts.forEachChild(node, visit);
+          return;
+        }
+
+        for (const { pattern, description } of secretPatterns) {
+          if (pattern.test(text)) {
+            const { line, character } = sourceFile.getLineAndCharacterOfPosition(node.getStart());
+            diagnostics.push({
+              file: sourceFile.fileName,
+              line: line + 1,
+              column: character + 1,
+              ruleId: "GHA020",
+              severity: "error",
+              message: `Potential ${description} detected. Use secrets() to reference secrets securely.`,
+            });
+            break; // One diagnostic per string
+          }
+        }
+      }
+      ts.forEachChild(node, visit);
+    }
+
+    visit(sourceFile);
+    return diagnostics;
+  },
+};

package/dist/rules/extract-inline-structs.ts

@@ -0,0 +1,62 @@
+/**
+ * GHA005: Extract Inline Structs
+ *
+ * Flags object literal nesting depth > 2 inside resource constructors.
+ */
+
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import * as ts from "typescript";
+
+const RESOURCE_NAMES = new Set(["Job", "Workflow", "ReusableWorkflowCallJob"]);
+const MAX_DEPTH = 2;
+
+export const extractInlineStructsRule: LintRule = {
+  id: "GHA005",
+  severity: "info",
+  category: "style",
+  description: "Extract deeply nested inline objects to named constants",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+
+    function isResourceConstructor(node: ts.NewExpression): boolean {
+      if (ts.isIdentifier(node.expression)) return RESOURCE_NAMES.has(node.expression.text);
+      if (ts.isPropertyAccessExpression(node.expression)) return RESOURCE_NAMES.has(node.expression.name.text);
+      return false;
+    }
+
+    function checkDepth(node: ts.ObjectLiteralExpression, depth: number): void {
+      if (depth > MAX_DEPTH) {
+        const { line, character } = sourceFile.getLineAndCharacterOfPosition(node.getStart());
+        diagnostics.push({
+          file: sourceFile.fileName,
+          line: line + 1,
+          column: character + 1,
+          ruleId: "GHA005",
+          severity: "info",
+          message: `Object nesting depth ${depth} exceeds ${MAX_DEPTH}. Consider extracting to a named constant.`,
+        });
+        return;
+      }
+      for (const prop of node.properties) {
+        if (ts.isPropertyAssignment(prop) && ts.isObjectLiteralExpression(prop.initializer)) {
+          checkDepth(prop.initializer, depth + 1);
+        }
+      }
+    }
+
+    function visit(node: ts.Node): void {
+      if (ts.isNewExpression(node) && isResourceConstructor(node) && node.arguments?.[0]) {
+        const arg = node.arguments[0];
+        if (ts.isObjectLiteralExpression(arg)) {
+          checkDepth(arg, 1);
+        }
+      }
+      ts.forEachChild(node, visit);
+    }
+
+    visit(sourceFile);
+    return diagnostics;
+  },
+};

package/dist/rules/file-job-limit.ts

@@ -0,0 +1,49 @@
+/**
+ * GHA007: File Job Limit
+ *
+ * Flags files with more than 10 Job/ReusableWorkflowCallJob constructors.
+ */
+
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import * as ts from "typescript";
+
+const JOB_NAMES = new Set(["Job", "ReusableWorkflowCallJob"]);
+const MAX_JOBS = 10;
+
+export const fileJobLimitRule: LintRule = {
+  id: "GHA007",
+  severity: "warning",
+  category: "style",
+  description: "Too many jobs in a single file",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+    let jobCount = 0;
+
+    function visit(node: ts.Node): void {
+      if (ts.isNewExpression(node)) {
+        let isJob = false;
+        if (ts.isIdentifier(node.expression)) isJob = JOB_NAMES.has(node.expression.text);
+        if (ts.isPropertyAccessExpression(node.expression)) isJob = JOB_NAMES.has(node.expression.name.text);
+        if (isJob) jobCount++;
+      }
+      ts.forEachChild(node, visit);
+    }
+
+    visit(sourceFile);
+
+    if (jobCount > MAX_JOBS) {
+      diagnostics.push({
+        file: sourceFile.fileName,
+        line: 1,
+        column: 1,
+        ruleId: "GHA007",
+        severity: "warning",
+        message: `File has ${jobCount} job constructors (limit: ${MAX_JOBS}). Consider splitting into multiple files.`,
+      });
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/gha006.ts

@@ -0,0 +1,58 @@
+/**
+ * GHA006: Duplicate Workflow Name
+ *
+ * Detects multiple workflows sharing the same `name:` value.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { extractWorkflowName } from "./yaml-helpers";
+import type { SerializerResult } from "@intentius/chant/serializer";
+
+export const gha006: PostSynthCheck = {
+  id: "GHA006",
+  description: "Multiple workflows share the same name",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+    const nameMap = new Map<string, string[]>();
+
+    for (const [outputName, output] of ctx.outputs) {
+      const yaml = typeof output === "string" ? output : (output as SerializerResult).primary;
+
+      // Check if this is a multi-file output
+      if (typeof output === "object" && "files" in output) {
+        const result = output as SerializerResult;
+        if (result.files) {
+          for (const [fileName, fileContent] of Object.entries(result.files)) {
+            const name = extractWorkflowName(fileContent);
+            if (name) {
+              const existing = nameMap.get(name) ?? [];
+              existing.push(fileName);
+              nameMap.set(name, existing);
+            }
+          }
+        }
+      } else {
+        const name = extractWorkflowName(yaml);
+        if (name) {
+          const existing = nameMap.get(name) ?? [];
+          existing.push(outputName);
+          nameMap.set(name, existing);
+        }
+      }
+    }
+
+    for (const [name, files] of nameMap) {
+      if (files.length > 1) {
+        diagnostics.push({
+          checkId: "GHA006",
+          severity: "error",
+          message: `Duplicate workflow name "${name}" found in: ${files.join(", ")}`,
+          lexicon: "github",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/gha009.ts

@@ -0,0 +1,42 @@
+/**
+ * GHA009: Empty Matrix Dimension
+ *
+ * Detects matrix dimensions with empty values arrays.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput } from "./yaml-helpers";
+
+export const gha009: PostSynthCheck = {
+  id: "GHA009",
+  description: "Matrix dimension has empty values array",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+
+      // Find matrix sections and check for empty arrays
+      const matrixMatch = yaml.match(/matrix:\n([\s\S]*?)(?=\n\s{4}[a-z]|\n\s{2}[a-z]|\n[a-z]|$)/gm);
+      if (!matrixMatch) continue;
+
+      for (const section of matrixMatch) {
+        const lines = section.split("\n");
+        for (let i = 0; i < lines.length; i++) {
+          const keyMatch = lines[i].match(/^\s+([a-z][a-z0-9_-]*):\s*\[\s*\]\s*$/);
+          if (keyMatch) {
+            diagnostics.push({
+              checkId: "GHA009",
+              severity: "error",
+              message: `Matrix dimension "${keyMatch[1]}" has an empty values array.`,
+              lexicon: "github",
+            });
+          }
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/gha011.ts

@@ -0,0 +1,40 @@
+/**
+ * GHA011: Invalid Needs Reference
+ *
+ * Detects `needs:` references to non-existent job IDs.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput, extractJobs } from "./yaml-helpers";
+
+export const gha011: PostSynthCheck = {
+  id: "GHA011",
+  description: "Job needs: references non-existent job",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+      const jobs = extractJobs(yaml);
+      const jobNames = new Set(jobs.keys());
+
+      for (const [jobName, job] of jobs) {
+        if (!job.needs) continue;
+        for (const need of job.needs) {
+          if (!jobNames.has(need)) {
+            diagnostics.push({
+              checkId: "GHA011",
+              severity: "error",
+              message: `Job "${jobName}" needs "${need}", but no such job exists.`,
+              entity: jobName,
+              lexicon: "github",
+            });
+          }
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/gha017.ts

@@ -0,0 +1,32 @@
+/**
+ * GHA017: Missing Permissions
+ *
+ * Flags workflows without an explicit `permissions:` block.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput, hasPermissions } from "./yaml-helpers";
+
+export const gha017: PostSynthCheck = {
+  id: "GHA017",
+  description: "Workflow without explicit permissions block",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+
+      if (!hasPermissions(yaml)) {
+        diagnostics.push({
+          checkId: "GHA017",
+          severity: "info",
+          message: "Workflow does not specify permissions. Consider adding explicit permissions for least-privilege security.",
+          lexicon: "github",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/gha018.ts

@@ -0,0 +1,40 @@
+/**
+ * GHA018: Pull Request Target + Checkout Security Risk
+ *
+ * Flags workflows using `pull_request_target` trigger with a checkout action
+ * in steps — this is a known security anti-pattern.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput, extractJobs, extractTriggers, hasCheckoutAction } from "./yaml-helpers";
+
+export const gha018: PostSynthCheck = {
+  id: "GHA018",
+  description: "pull_request_target with checkout action is a security risk",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+      const triggers = extractTriggers(yaml);
+
+      if (!triggers["pull_request_target"]) continue;
+
+      const jobs = extractJobs(yaml);
+      for (const [jobName, job] of jobs) {
+        if (job.steps && hasCheckoutAction(job.steps)) {
+          diagnostics.push({
+            checkId: "GHA018",
+            severity: "warning",
+            message: `Job "${jobName}" uses checkout with pull_request_target trigger. This runs untrusted PR code with write permissions — a security risk.`,
+            entity: jobName,
+            lexicon: "github",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/gha019.ts

@@ -0,0 +1,72 @@
+/**
+ * GHA019: Circular Needs Chain
+ *
+ * DFS-based cycle detection on the job `needs:` dependency graph.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput, buildNeedsGraph } from "./yaml-helpers";
+
+export function checkCircularNeeds(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [, output] of ctx.outputs) {
+    const yaml = getPrimaryOutput(output);
+    const graph = buildNeedsGraph(yaml);
+
+    const visited = new Set<string>();
+    const inStack = new Set<string>();
+    const reportedInCycle = new Set<string>();
+
+    function dfs(node: string, path: string[]): void {
+      if (inStack.has(node)) {
+        const cycleStart = path.indexOf(node);
+        const cycle = path.slice(cycleStart);
+        cycle.push(node);
+
+        const cycleKey = [...cycle].sort().join(",");
+        if (!reportedInCycle.has(cycleKey)) {
+          reportedInCycle.add(cycleKey);
+          diagnostics.push({
+            checkId: "GHA019",
+            severity: "error",
+            message: `Circular needs: chain detected: ${cycle.join(" → ")}`,
+            entity: node,
+            lexicon: "github",
+          });
+        }
+        return;
+      }
+
+      if (visited.has(node)) return;
+
+      visited.add(node);
+      inStack.add(node);
+
+      for (const neighbor of graph.get(node) ?? []) {
+        if (graph.has(neighbor)) {
+          dfs(neighbor, [...path, node]);
+        }
+      }
+
+      inStack.delete(node);
+    }
+
+    for (const jobName of graph.keys()) {
+      if (!visited.has(jobName)) {
+        dfs(jobName, []);
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const gha019: PostSynthCheck = {
+  id: "GHA019",
+  description: "Circular needs: chain — cycle in job dependency graph",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkCircularNeeds(ctx);
+  },
+};