@intentius/chant-lexicon-github 0.1.5 → 0.1.7

package/dist/integrity.json

@@ -1,7 +1,7 @@
 {
   "algorithm": "xxhash64",
   "artifacts": {
-    "manifest.json": "62337ef86c01e6d1",
+    "manifest.json": "4f79e2db52795eab",
     "meta.json": "2d1cccf3c19883a7",
     "types/index.d.ts": "9d6f903cca5de1e9",
     "rules/deprecated-action-version.ts": "9ec91b190557f25f",
@@ -24,11 +24,11 @@
     "rules/gha023.ts": "2d00140d63591c9",
     "rules/gha027.ts": "6071aedb178c90a8",
     "rules/yaml-helpers.ts": "df426df288c175c9",
-    "rules/gha024.ts": "ed75a2900c8bf12d",
+    "rules/gha024.ts": "88df51d8e5a01651",
     "rules/gha025.ts": "d196899f490521ba",
     "rules/gha006.ts": "baca27402ba18d",
     "rules/gha028.ts": "9c1ba1eb9a93d8b6",
-    "rules/gha022.ts": "41038ee697a497d1",
+    "rules/gha022.ts": "d1dfc25f1409a8bc",
     "rules/gha011.ts": "105e2d4faeaa9977",
     "rules/gha020.ts": "36ef5e141524bab0",
     "rules/gha009.ts": "df140c0cac573bc4",
@@ -37,5 +37,5 @@
     "skills/chant-github-patterns.md": "7678ef5c6b4b9bdf",
     "skills/chant-github-security.md": "f3fcfcd84475b73c"
   },
-  "composite": "92e041a88a3b5d8d"
+  "composite": "a1b4fdb253dcc4a0"
 }

package/dist/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "github",
-  "version": "0.1.5",
+  "version": "0.1.7",
   "chantVersion": ">=0.1.0",
   "namespace": "GitHub",
   "intrinsics": [

package/dist/rules/gha022.ts

@@ -23,17 +23,20 @@ export const gha022: PostSynthCheck = {
       const jobsIdx = yaml.search(/^jobs:\s*$/m);
       if (jobsIdx === -1) continue;
 
-      const afterJobs = yaml.slice(jobsIdx + yaml.slice(jobsIdx).indexOf("\n") + 1);
-      const endMatch = afterJobs.search(/^[a-z]/m);
-      const jobsContent = endMatch === -1 ? afterJobs : afterJobs.slice(0, endMatch);
+      const jobsContent = yaml.slice(jobsIdx + yaml.slice(jobsIdx).indexOf("\n") + 1);
 
       for (const [jobName] of jobs) {
-        // Find this job's section in the raw YAML
-        const jobPattern = new RegExp(`^  ${jobName}:\\n([\\s\\S]*?)(?=\\n  [a-z]|$)`, "m");
-        const jobSection = jobsContent.match(jobPattern);
-        const section = jobSection ? jobSection[0] : "";
+        const jobHeader = `  ${jobName}:\n`;
+        const start = jobsContent.indexOf(jobHeader);
+        if (start === -1) continue;
 
-        if (!/timeout-minutes:/m.test(section)) {
+        // Slice from after the job header to find its content.
+        // Use literal \n  \w (no m flag) to locate the next sibling job at 2-space indent.
+        const rest = jobsContent.slice(start + jobHeader.length);
+        const nextJobMatch = rest.search(/\n  \w/);
+        const section = nextJobMatch === -1 ? rest : rest.slice(0, nextJobMatch);
+
+        if (!/timeout-minutes:/.test(section)) {
           diagnostics.push({
             checkId: "GHA022",
             severity: "info",

package/dist/rules/gha024.ts

@@ -27,7 +27,7 @@ export const gha024: PostSynthCheck = {
 
       if (!isDeployWorkflow) continue;
 
-      if (!/^concurrency:/m.test(yaml)) {
+      if (!/^\s*concurrency:/m.test(yaml)) {
         diagnostics.push({
           checkId: "GHA024",
           severity: "info",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@intentius/chant-lexicon-github",
-  "version": "0.1.5",
+  "version": "0.1.7",
   "description": "GitHub Actions lexicon for chant — declarative IaC in TypeScript",
   "license": "Apache-2.0",
   "homepage": "https://intentius.io/chant",

package/src/lint/post-synth/gha022.test.ts

@@ -34,6 +34,44 @@ jobs:
     expect(diags[0].message).toContain("build");
   });
 
+  test("does not flag job that has timeout-minutes as a later property", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - run: echo test
+`;
+    const diags = gha022.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+
+  test("does not flag multi-job workflow where all jobs have timeout-minutes", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - run: cargo test
+  build:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    needs:
+      - test
+    steps:
+      - run: cargo build
+`;
+    const diags = gha022.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+
   test("does not flag workflow without jobs", () => {
     const yaml = `name: CI
 on:

package/src/lint/post-synth/gha022.ts

@@ -23,17 +23,20 @@ export const gha022: PostSynthCheck = {
       const jobsIdx = yaml.search(/^jobs:\s*$/m);
       if (jobsIdx === -1) continue;
 
-      const afterJobs = yaml.slice(jobsIdx + yaml.slice(jobsIdx).indexOf("\n") + 1);
-      const endMatch = afterJobs.search(/^[a-z]/m);
-      const jobsContent = endMatch === -1 ? afterJobs : afterJobs.slice(0, endMatch);
+      const jobsContent = yaml.slice(jobsIdx + yaml.slice(jobsIdx).indexOf("\n") + 1);
 
       for (const [jobName] of jobs) {
-        // Find this job's section in the raw YAML
-        const jobPattern = new RegExp(`^  ${jobName}:\\n([\\s\\S]*?)(?=\\n  [a-z]|$)`, "m");
-        const jobSection = jobsContent.match(jobPattern);
-        const section = jobSection ? jobSection[0] : "";
+        const jobHeader = `  ${jobName}:\n`;
+        const start = jobsContent.indexOf(jobHeader);
+        if (start === -1) continue;
 
-        if (!/timeout-minutes:/m.test(section)) {
+        // Slice from after the job header to find its content.
+        // Use literal \n  \w (no m flag) to locate the next sibling job at 2-space indent.
+        const rest = jobsContent.slice(start + jobHeader.length);
+        const nextJobMatch = rest.search(/\n  \w/);
+        const section = nextJobMatch === -1 ? rest : rest.slice(0, nextJobMatch);
+
+        if (!/timeout-minutes:/.test(section)) {
           diagnostics.push({
             checkId: "GHA022",
             severity: "info",

package/src/lint/post-synth/gha024.test.ts

@@ -51,6 +51,23 @@ jobs:
     expect(diags).toHaveLength(0);
   });
 
+  test("does not flag deploy workflow with job-level concurrency", () => {
+    const yaml = `name: CI/CD Pipeline
+on:
+  push:
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    concurrency:
+      group: deploy-production
+      cancel-in-progress: true
+    steps:
+      - run: echo deploy
+`;
+    const diags = gha024.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+
   test("does not flag non-deploy workflow without concurrency", () => {
     const yaml = `name: CI
 on:

package/src/lint/post-synth/gha024.ts

@@ -27,7 +27,7 @@ export const gha024: PostSynthCheck = {
 
       if (!isDeployWorkflow) continue;
 
-      if (!/^concurrency:/m.test(yaml)) {
+      if (!/^\s*concurrency:/m.test(yaml)) {
         diagnostics.push({
           checkId: "GHA024",
           severity: "info",

package/src/serializer.test.ts

@@ -319,7 +319,8 @@ describe("multi-workflow output", () => {
     expect(typeof output).toBe("object");
     const result = output as { primary: string; files: Record<string, string> };
     expect(result.files).toBeDefined();
-    expect(Object.keys(result.files).length).toBe(2);
+    expect(Object.keys(result.files).length).toBe(1);
+    expect(result.files["ci.yml"]).toBeUndefined(); // primary is not a secondary file
     expect(result.primary).toContain("name: CI");
     expect(result.primary).toContain("build:");
     expect(result.files["deploy.yml"]).toContain("ship:");

package/src/serializer.ts

@@ -367,10 +367,12 @@ function serializeMultiWorkflow(
     if (jobsSection) doc.jobs = jobsSection;
 
     const content = emitYAMLDocument(doc);
-    const fileName = `${toKebabCase(name)}.yml`;
-    files[fileName] = content;
-
-    if (i === 0) primary = content;
+    if (i === 0) {
+      primary = content;
+      // primary is written to the -o path by the CLI; don't also add it to files[]
+    } else {
+      files[`${toKebabCase(name)}.yml`] = content;
+    }
   }
 
   return { primary, files };