@intentius/chant-lexicon-github 0.1.0 → 0.1.5

package/dist/integrity.json

@@ -1,41 +1,41 @@
 {
   "algorithm": "xxhash64",
   "artifacts": {
-    "manifest.json": "83aca58a0237fd57",
-    "meta.json": "317499a992c9c274",
-    "types/index.d.ts": "93ce391baebf2afb",
-    "rules/missing-recommended-inputs.ts": "42f2f3b0b6c7b52c",
-    "rules/no-raw-expressions.ts": "6359f4d3135ed351",
-    "rules/use-typed-actions.ts": "eeedcc6145b7a132",
+    "manifest.json": "62337ef86c01e6d1",
+    "meta.json": "2d1cccf3c19883a7",
+    "types/index.d.ts": "9d6f903cca5de1e9",
+    "rules/deprecated-action-version.ts": "9ec91b190557f25f",
     "rules/extract-inline-structs.ts": "646dce2eccf1fab4",
+    "rules/job-timeout.ts": "68f85c741c3d0ae8",
+    "rules/validate-concurrency.ts": "c12a1aa4ee8badb5",
     "rules/file-job-limit.ts": "7c46a302f6ba2744",
+    "rules/use-typed-actions.ts": "eeedcc6145b7a132",
+    "rules/suggest-cache.ts": "c45f7659afde2f15",
     "rules/detect-secrets.ts": "999e6c5b4e048764",
-    "rules/deprecated-action-version.ts": "9ec91b190557f25f",
     "rules/no-hardcoded-secrets.ts": "adcdb23f0480a4b7",
-    "rules/job-timeout.ts": "68f85c741c3d0ae8",
-    "rules/use-condition-builders.ts": "7406215df1f79fb8",
-    "rules/suggest-cache.ts": "c45f7659afde2f15",
-    "rules/validate-concurrency.ts": "c12a1aa4ee8badb5",
     "rules/use-matrix-builder.ts": "6b1c0ebf43378805",
-    "rules/gha020.ts": "36ef5e141524bab0",
+    "rules/missing-recommended-inputs.ts": "42f2f3b0b6c7b52c",
+    "rules/use-condition-builders.ts": "7406215df1f79fb8",
+    "rules/no-raw-expressions.ts": "6359f4d3135ed351",
     "rules/gha017.ts": "ff1c08fdedf83afa",
-    "rules/gha027.ts": "6071aedb178c90a8",
+    "rules/gha018.ts": "46acbe27d4c0c817",
+    "rules/gha026.ts": "5ace32df6cb850af",
     "rules/gha019.ts": "d9184093f36ac167",
+    "rules/gha023.ts": "2d00140d63591c9",
+    "rules/gha027.ts": "6071aedb178c90a8",
+    "rules/yaml-helpers.ts": "df426df288c175c9",
     "rules/gha024.ts": "ed75a2900c8bf12d",
-    "rules/gha009.ts": "df140c0cac573bc4",
-    "rules/gha026.ts": "5ace32df6cb850af",
+    "rules/gha025.ts": "d196899f490521ba",
+    "rules/gha006.ts": "baca27402ba18d",
     "rules/gha028.ts": "9c1ba1eb9a93d8b6",
     "rules/gha022.ts": "41038ee697a497d1",
-    "rules/gha018.ts": "46acbe27d4c0c817",
-    "rules/yaml-helpers.ts": "df426df288c175c9",
     "rules/gha011.ts": "105e2d4faeaa9977",
-    "rules/gha025.ts": "d196899f490521ba",
-    "rules/gha006.ts": "baca27402ba18d",
-    "rules/gha023.ts": "2d00140d63591c9",
+    "rules/gha020.ts": "36ef5e141524bab0",
+    "rules/gha009.ts": "df140c0cac573bc4",
     "rules/gha021.ts": "da7e2491926d1817",
     "skills/chant-github.md": "dc14037edaace2af",
     "skills/chant-github-patterns.md": "7678ef5c6b4b9bdf",
     "skills/chant-github-security.md": "f3fcfcd84475b73c"
   },
-  "composite": "18c84a14d05392cc"
+  "composite": "92e041a88a3b5d8d"
 }

package/dist/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "github",
-  "version": "0.1.0",
+  "version": "0.1.5",
   "chantVersion": ">=0.1.0",
   "namespace": "GitHub",
   "intrinsics": [

package/dist/meta.json

@@ -17,7 +17,12 @@
   "Environment": {
     "resourceType": "GitHub::Actions::Environment",
     "kind": "property",
-    "lexicon": "github"
+    "lexicon": "github",
+    "constraints": {
+      "deployment": {
+        "default": true
+      }
+    }
   },
   "Job": {
     "resourceType": "GitHub::Actions::Job",

package/dist/types/index.d.ts

@@ -40,6 +40,8 @@ export declare class Environment {
   constructor(props: {
     /** The name of the environment configured in the repo. */
     name: string;
+    /** Whether to create a deployment for this job. Setting to false lets the job use environment secrets and variables without creating a deployment record. Wait timers and required reviewers still apply. */
+    deployment?: boolean | string;
     /** A deployment URL */
     url?: string;
   });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@intentius/chant-lexicon-github",
-  "version": "0.1.0",
+  "version": "0.1.5",
   "description": "GitHub Actions lexicon for chant — declarative IaC in TypeScript",
   "license": "Apache-2.0",
   "homepage": "https://intentius.io/chant",
@@ -43,7 +43,7 @@
     "prepack": "bun run generate && bun run bundle && bun run validate"
   },
   "devDependencies": {
-    "@intentius/chant": "0.1.0",
+    "@intentius/chant": "0.1.4",
     "typescript": "^5.9.3"
   },
   "peerDependencies": {

package/src/generated/index.d.ts

@@ -40,6 +40,8 @@ export declare class Environment {
   constructor(props: {
     /** The name of the environment configured in the repo. */
     name: string;
+    /** Whether to create a deployment for this job. Setting to false lets the job use environment secrets and variables without creating a deployment record. Wait timers and required reviewers still apply. */
+    deployment?: boolean | string;
     /** A deployment URL */
     url?: string;
   });

package/src/generated/lexicon-github.json

@@ -17,7 +17,12 @@
   "Environment": {
     "resourceType": "GitHub::Actions::Environment",
     "kind": "property",
-    "lexicon": "github"
+    "lexicon": "github",
+    "constraints": {
+      "deployment": {
+        "default": true
+      }
+    }
   },
   "Job": {
     "resourceType": "GitHub::Actions::Job",

package/src/serializer.test.ts

@@ -197,16 +197,122 @@ describe("githubSerializer.serialize", () => {
   });
 });
 
+describe("Workflow.props.jobs", () => {
+  test("single-workflow: inline Job entity is serialized into the jobs section", () => {
+    const entities = new Map<string, Declarable>();
+    entities.set("workflow", new MockWorkflow({
+      name: "CI",
+      on: { push: { branches: ["main"] } },
+      jobs: {
+        build: new MockJob({ "runs-on": "ubuntu-latest" }),
+      },
+    }));
+
+    const output = githubSerializer.serialize(entities) as string;
+    expect(output).toContain("jobs:");
+    expect(output).toContain("build:");
+    expect(output).toContain("runs-on: ubuntu-latest");
+  });
+
+  test("single-workflow: inline Job with steps serializes step content", () => {
+    const entities = new Map<string, Declarable>();
+    entities.set("workflow", new MockWorkflow({
+      name: "CI",
+      on: { push: null },
+      jobs: {
+        test: new MockJob({
+          "runs-on": "ubuntu-latest",
+          steps: [
+            new MockStep({ name: "Run tests", run: "npm test" }),
+          ],
+        }),
+      },
+    }));
+
+    const output = githubSerializer.serialize(entities) as string;
+    expect(output).toContain("test:");
+    expect(output).toContain("run: npm test");
+  });
+
+  test("single-workflow: standalone Job export still works when Workflow.props.jobs is absent", () => {
+    const entities = new Map<string, Declarable>();
+    entities.set("workflow", new MockWorkflow({
+      name: "CI",
+      on: { push: null },
+    }));
+    entities.set("build", new MockJob({ "runs-on": "ubuntu-latest" }));
+
+    const output = githubSerializer.serialize(entities) as string;
+    expect(output).toContain("jobs:");
+    expect(output).toContain("build:");
+    expect(output).toContain("runs-on: ubuntu-latest");
+  });
+
+  test("multi-workflow: each workflow gets its own inline jobs", () => {
+    const entities = new Map<string, Declarable>();
+    entities.set("ci", new MockWorkflow({
+      name: "CI",
+      on: { push: { branches: ["main"] } },
+      jobs: { build: new MockJob({ "runs-on": "ubuntu-latest", name: "Build" }) },
+    }));
+    entities.set("deploy", new MockWorkflow({
+      name: "Deploy",
+      on: { workflowDispatch: null },
+      jobs: { release: new MockJob({ "runs-on": "ubuntu-latest", name: "Release" }) },
+    }));
+
+    const result = githubSerializer.serialize(entities) as { primary: string; files: Record<string, string> };
+    expect(result.primary).toContain("name: CI");
+    expect(result.primary).toContain("build:");
+    expect(result.primary).not.toContain("release:");
+    expect(result.files["deploy.yml"]).toContain("name: Deploy");
+    expect(result.files["deploy.yml"]).toContain("release:");
+    expect(result.files["deploy.yml"]).not.toContain("build:");
+  });
+
+  test("multi-workflow: workflow with no props.jobs gets no jobs section", () => {
+    const entities = new Map<string, Declarable>();
+    entities.set("ci", new MockWorkflow({
+      name: "CI",
+      on: { push: null },
+      jobs: { build: new MockJob({ "runs-on": "ubuntu-latest" }) },
+    }));
+    entities.set("notify", new MockWorkflow({
+      name: "Notify",
+      on: { workflowDispatch: null },
+      // no jobs
+    }));
+
+    const result = githubSerializer.serialize(entities) as { primary: string; files: Record<string, string> };
+    expect(result.primary).toContain("jobs:");
+    expect(result.files["notify.yml"]).not.toContain("jobs:");
+  });
+
+  test("multi-workflow: standalone Job exports fall back to first workflow (backwards compat for composites)", () => {
+    const entities = new Map<string, Declarable>();
+    entities.set("ci", new MockWorkflow({ name: "CI", on: { push: null } }));
+    entities.set("deploy", new MockWorkflow({ name: "Deploy", on: { workflowDispatch: null } }));
+    entities.set("build", new MockJob({ "runs-on": "ubuntu-latest" }));
+
+    const result = githubSerializer.serialize(entities) as { primary: string; files: Record<string, string> };
+    // standalone job goes to first workflow only
+    expect(result.primary).toContain("build:");
+    expect(result.files["deploy.yml"]).not.toContain("jobs:");
+  });
+});
+
 describe("multi-workflow output", () => {
-  test("produces SerializerResult with files", () => {
+  test("produces SerializerResult with files, each containing their own jobs", () => {
     const entities = new Map<string, Declarable>();
     entities.set("ci", new MockWorkflow({
       name: "CI",
       on: { push: { branches: ["main"] } },
+      jobs: { build: new MockJob({ "runs-on": "ubuntu-latest" }) },
     }));
     entities.set("deploy", new MockWorkflow({
       name: "Deploy",
       on: { push: { branches: ["main"] } },
+      jobs: { ship: new MockJob({ "runs-on": "ubuntu-latest" }) },
     }));
 
     const output = githubSerializer.serialize(entities);
@@ -215,6 +321,8 @@ describe("multi-workflow output", () => {
     expect(result.files).toBeDefined();
     expect(Object.keys(result.files).length).toBe(2);
     expect(result.primary).toContain("name: CI");
+    expect(result.primary).toContain("build:");
+    expect(result.files["deploy.yml"]).toContain("ship:");
   });
 });
 

package/src/serializer.ts

@@ -109,6 +109,78 @@ function toYAMLValue(value: unknown, entityNames: Map<Declarable, string>): unkn
   return walkValue(preprocessed, entityNames, githubVisitor(entityNames));
 }
 
+// ── Inline job serialization ──────────────────────────────────────
+
+const JOB_ENTITY_TYPES = new Set([
+  "GitHub::Actions::Job",
+  "GitHub::Actions::ReusableWorkflowCallJob",
+]);
+
+/**
+ * Serialize a value from Workflow.props.jobs into a YAML job object.
+ *
+ * When the value is a Job entity (resource Declarable), its props are inlined
+ * directly rather than emitted as a resource reference. This allows callers to
+ * pass `new Job({...})` directly inside `Workflow({ jobs: { name: new Job({...}) } })`.
+ *
+ * Plain objects are accepted too (JSON-style job definitions).
+ */
+function serializeInlineJob(
+  jobValue: unknown,
+  entityNames: Map<Declarable, string>,
+): Record<string, unknown> | undefined {
+  if (!jobValue || typeof jobValue !== "object") return undefined;
+  const obj = jobValue as Record<string, unknown>;
+
+  if ("entityType" in obj && "props" in obj && JOB_ENTITY_TYPES.has(obj.entityType as string)) {
+    // Job entity: serialize its props inline (not as a resource reference)
+    const props = toYAMLValue(obj.props, entityNames);
+    return props && typeof props === "object"
+      ? convertKeys(props as Record<string, unknown>)
+      : undefined;
+  }
+
+  // Plain object job definition (JSON-style)
+  return convertKeys(convertValueKeys(obj) as Record<string, unknown>);
+}
+
+/**
+ * Build a jobs section from Workflow.props.jobs entries.
+ * Returns undefined when props.jobs is absent or empty.
+ */
+function buildInlineJobsSection(
+  props: Record<string, unknown>,
+  entityNames: Map<Declarable, string>,
+): Record<string, unknown> | undefined {
+  if (!props.jobs || typeof props.jobs !== "object" || Array.isArray(props.jobs)) return undefined;
+  const jobsSection: Record<string, unknown> = {};
+  for (const [jName, jobValue] of Object.entries(props.jobs as Record<string, unknown>)) {
+    const serialized = serializeInlineJob(jobValue, entityNames);
+    if (serialized) jobsSection[toKebabCase(jName)] = serialized;
+  }
+  return Object.keys(jobsSection).length > 0 ? jobsSection : undefined;
+}
+
+/**
+ * Build a jobs section from standalone top-level Job entity exports.
+ * Returns undefined when there are no standalone jobs.
+ */
+function buildStandaloneJobsSection(
+  jobs: Array<[string, Declarable]>,
+  entityNames: Map<Declarable, string>,
+): Record<string, unknown> | undefined {
+  if (jobs.length === 0) return undefined;
+  const jobsSection: Record<string, unknown> = {};
+  for (const [name, job] of jobs) {
+    const jProps = toYAMLValue(
+      (job as unknown as Record<string, unknown>).props,
+      entityNames,
+    ) as Record<string, unknown> | undefined;
+    if (jProps) jobsSection[toKebabCase(name)] = convertKeys(jProps);
+  }
+  return Object.keys(jobsSection).length > 0 ? jobsSection : undefined;
+}
+
 // ── Key conversion for YAML output ────────────────────────────────
 
 /**
@@ -166,7 +238,7 @@ export const githubSerializer: Serializer = {
     for (const [name, entity] of entities) {
       if (isPropertyDeclarable(entity)) continue;
 
-      const entityType = (entity as Record<string, unknown>).entityType as string;
+      const entityType = (entity as unknown as Record<string, unknown>).entityType as string;
       if (entityType === "GitHub::Actions::Workflow") {
         workflows.push([name, entity]);
       } else if (entityType === "GitHub::Actions::Job" || entityType === "GitHub::Actions::ReusableWorkflowCallJob") {
@@ -200,7 +272,7 @@ function serializeSingleWorkflow(
   // Workflow-level properties
   if (workflows.length > 0) {
     const [, wf] = workflows[0];
-    const props = toYAMLValue((wf as Record<string, unknown>).props, entityNames) as Record<string, unknown> | undefined;
+    const props = toYAMLValue((wf as unknown as Record<string, unknown>).props, entityNames) as Record<string, unknown> | undefined;
     if (props) {
       if (props.name) doc.name = props.name;
       if (props["run-name"] || props.runName) doc["run-name"] = props["run-name"] ?? props.runName;
@@ -220,11 +292,11 @@ function serializeSingleWorkflow(
   if (triggers.length > 0) {
     const onSection = (doc.on as Record<string, unknown>) ?? {};
     for (const [, trigger] of triggers) {
-      const entityType = (trigger as Record<string, unknown>).entityType as string;
+      const entityType = (trigger as unknown as Record<string, unknown>).entityType as string;
       const eventName = TRIGGER_TYPE_TO_EVENT[entityType];
       if (!eventName) continue;
 
-      const props = toYAMLValue((trigger as Record<string, unknown>).props, entityNames) as Record<string, unknown> | undefined;
+      const props = toYAMLValue((trigger as unknown as Record<string, unknown>).props, entityNames) as Record<string, unknown> | undefined;
       if (props && Object.keys(props).length > 0) {
         onSection[eventName] = convertValueKeys(props);
       } else {
@@ -234,18 +306,14 @@ function serializeSingleWorkflow(
     doc.on = onSection;
   }
 
-  // Jobs
-  if (jobs.length > 0) {
-    const jobsSection: Record<string, unknown> = {};
-    for (const [name, job] of jobs) {
-      const props = toYAMLValue((job as Record<string, unknown>).props, entityNames) as Record<string, unknown> | undefined;
-      if (props) {
-        const yamlName = toKebabCase(name);
-        jobsSection[yamlName] = convertKeys(props);
-      }
-    }
-    doc.jobs = jobsSection;
+  // Jobs: prefer Workflow.props.jobs (raw) when present; fall back to standalone Job exports
+  let jobsSection: Record<string, unknown> | undefined;
+  if (workflows.length > 0) {
+    const rawProps = (workflows[0][1] as unknown as Record<string, unknown>).props as Record<string, unknown>;
+    jobsSection = buildInlineJobsSection(rawProps, entityNames);
   }
+  if (!jobsSection) jobsSection = buildStandaloneJobsSection(jobs, entityNames);
+  if (jobsSection) doc.jobs = jobsSection;
 
   return emitYAMLDocument(doc);
 }
@@ -257,16 +325,13 @@ function serializeMultiWorkflow(
   _entities: Map<string, Declarable>,
   entityNames: Map<Declarable, string>,
 ): SerializerResult {
-  // For multi-workflow, each workflow gets its own file.
-  // Jobs and triggers need to be associated with workflows somehow.
-  // For now, first workflow gets all unscoped entities.
   const files: Record<string, string> = {};
   let primary = "";
 
   for (let i = 0; i < workflows.length; i++) {
     const [name, wf] = workflows[i];
     const doc: Record<string, unknown> = {};
-    const props = toYAMLValue((wf as Record<string, unknown>).props, entityNames) as Record<string, unknown> | undefined;
+    const props = toYAMLValue((wf as unknown as Record<string, unknown>).props, entityNames) as Record<string, unknown> | undefined;
 
     if (props) {
       if (props.name) doc.name = props.name;
@@ -281,10 +346,10 @@ function serializeMultiWorkflow(
     if (i === 0 && triggers.length > 0) {
       const onSection = (doc.on as Record<string, unknown>) ?? {};
       for (const [, trigger] of triggers) {
-        const entityType = (trigger as Record<string, unknown>).entityType as string;
+        const entityType = (trigger as unknown as Record<string, unknown>).entityType as string;
         const eventName = TRIGGER_TYPE_TO_EVENT[entityType];
         if (!eventName) continue;
-        const tProps = toYAMLValue((trigger as Record<string, unknown>).props, entityNames) as Record<string, unknown> | undefined;
+        const tProps = toYAMLValue((trigger as unknown as Record<string, unknown>).props, entityNames) as Record<string, unknown> | undefined;
         if (tProps && Object.keys(tProps).length > 0) {
           onSection[eventName] = convertValueKeys(tProps);
         } else {
@@ -294,17 +359,12 @@ function serializeMultiWorkflow(
       doc.on = onSection;
     }
 
-    // Attach all jobs to first workflow for now
-    if (i === 0 && jobs.length > 0) {
-      const jobsSection: Record<string, unknown> = {};
-      for (const [jName, job] of jobs) {
-        const jProps = toYAMLValue((job as Record<string, unknown>).props, entityNames) as Record<string, unknown> | undefined;
-        if (jProps) {
-          jobsSection[toKebabCase(jName)] = convertKeys(jProps);
-        }
-      }
-      doc.jobs = jobsSection;
-    }
+    // Jobs: use Workflow.props.jobs when defined, otherwise fall back to standalone exports
+    // (standalone exports only assigned to first workflow, for backwards compat with composites)
+    const rawProps = (wf as unknown as Record<string, unknown>).props as Record<string, unknown>;
+    const inlineJobs = buildInlineJobsSection(rawProps, entityNames);
+    const jobsSection = inlineJobs ?? (i === 0 ? buildStandaloneJobsSection(jobs, entityNames) : undefined);
+    if (jobsSection) doc.jobs = jobsSection;
 
     const content = emitYAMLDocument(doc);
     const fileName = `${toKebabCase(name)}.yml`;