npm - eslint-plugin-github-actions-2 - Versions diffs - 1.0.0 - Mend

eslint-plugin-github-actions-2 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (410) hide show

package/docs/rules/action-name-casing.md ADDED Viewed

@@ -0,0 +1,64 @@
+# action-name-casing
+> **Rule catalog ID:** R009
+## Targeted pattern scope
+GitHub Actions workflow YAML files that declare a top-level `name`.
+## What this rule reports
+This rule reports workflow `name` values whose casing does not match the configured naming convention.
+## Why this rule exists
+Consistent workflow names make Actions tabs, status checks, and release dashboards easier to scan. Teams that standardize naming conventions can search and review workflow runs more quickly.
+## ❌ Incorrect
+```yaml
+name: releasePipeline
+```
+## ✅ Correct
+```yaml
+name: Release Pipeline
+```
+```yaml
+name: release-pipeline
+```
+_The second example is valid when the rule is configured for `kebab-case`._
+## Additional examples
+For larger repositories, this rule is often enabled together with one of the published presets so violations are caught in pull requests before workflow changes are merged.
+## ESLint flat config example
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+export default [
+  {
+    files: ["**/*.{yml,yaml}"],
+    plugins: {
+      "github-actions": githubActions,
+    },
+    rules: {
+      "github-actions/action-name-casing": "error",
+    },
+  },
+];
+```
+## When not to use it
+You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.
+## Further reading
+- [https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#name](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#name)
+- [https://docs.github.com/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs](https://docs.github.com/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs)

package/docs/rules/getting-started.md ADDED Viewed

@@ -0,0 +1,46 @@
+# Getting started
+Use this guide to install the plugin, enable your first preset, and quickly
+navigate to the rule and preset reference docs.
+## Install
+```sh
+npm install --save-dev eslint eslint-plugin-github-actions-2
+```
+## Flat config example
+```js
+import githubActions from "eslint-plugin-github-actions-2";
+export default [githubActions.configs.recommended];
+```
+## What the presets do for you
+The exported presets already:
+- scope themselves to `.github/workflows/*.{yml,yaml}`
+- register `yaml-eslint-parser`
+- register the `github-actions` plugin namespace
+## Choosing a preset
+- Start with `recommended` for most repositories.
+- Add `security` when you want immutable pinning checks.
+- Use `strict` when you want concurrency and stronger operational guardrails.
+- Use `all` to enable every published rule.
+For target-specific linting, use:
+- `actionMetadata` for `action.yml`/`action.yaml`
+- `workflowTemplates` for `workflow-templates/*.yml` and `*.yaml`
+- `workflowTemplateProperties` for `workflow-templates/*.properties.json`
+## Next steps
+- Review the [preset reference](./presets/index.md)
+- Browse the full [rule reference](./overview.md)
+- See the official
+  [workflow syntax documentation](https://docs.github.com/actions/using-workflows/workflow-syntax-for-github-actions)

package/docs/rules/job-id-casing.md ADDED Viewed

@@ -0,0 +1,73 @@
+# job-id-casing
+> **Rule catalog ID:** R010
+## Targeted pattern scope
+GitHub Actions workflow YAML files that declare job identifiers under `jobs`.
+## What this rule reports
+This rule reports workflow job IDs whose casing does not match the configured naming convention.
+## Why this rule exists
+Job IDs are referenced by features like `needs`, reusable workflow outputs, and visual run graphs. A consistent convention makes those references easier to read and maintain.
+## ❌ Incorrect
+```yaml
+jobs:
+  BuildApp:
+    name: Build App
+    runs-on: ubuntu-latest
+```
+## ✅ Correct
+```yaml
+jobs:
+  build-app:
+    name: Build App
+    runs-on: ubuntu-latest
+```
+```yaml
+jobs:
+  build_app:
+    name: Build App
+    runs-on: ubuntu-latest
+```
+_The second example is valid when the rule is configured for `snake_case`._
+## Additional examples
+For larger repositories, this rule is often enabled together with one of the published presets so violations are caught in pull requests before workflow changes are merged.
+## ESLint flat config example
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+export default [
+  {
+    files: ["**/*.{yml,yaml}"],
+    plugins: {
+      "github-actions": githubActions,
+    },
+    rules: {
+      "github-actions/job-id-casing": "error",
+    },
+  },
+];
+```
+## When not to use it
+You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.
+## Further reading
+- [https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_id](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_id)
+- [https://docs.github.com/actions/using-jobs/using-jobs-in-a-workflow](https://docs.github.com/actions/using-jobs/using-jobs-in-a-workflow)

package/docs/rules/max-jobs-per-action.md ADDED Viewed

@@ -0,0 +1,79 @@
+# max-jobs-per-action
+> **Rule catalog ID:** R011
+## Targeted pattern scope
+GitHub Actions workflow YAML files that declare multiple jobs.
+## What this rule reports
+This rule reports workflows whose number of jobs exceeds the configured limit.
+## Why this rule exists
+Large workflow files become difficult to review, reason about, and evolve safely. Setting an upper bound nudges teams toward splitting unrelated concerns into smaller workflows.
+## ❌ Incorrect
+```yaml
+jobs:
+  one:
+    name: One
+    runs-on: ubuntu-latest
+  two:
+    name: Two
+    runs-on: ubuntu-latest
+  three:
+    name: Three
+    runs-on: ubuntu-latest
+  four:
+    name: Four
+    runs-on: ubuntu-latest
+```
+## ✅ Correct
+```yaml
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+```
+## Additional examples
+For larger repositories, this rule is often enabled together with one of the published presets so violations are caught in pull requests before workflow changes are merged.
+## ESLint flat config example
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+export default [
+  {
+    files: ["**/*.{yml,yaml}"],
+    plugins: {
+      "github-actions": githubActions,
+    },
+    rules: {
+      "github-actions/max-jobs-per-action": "error",
+    },
+  },
+];
+```
+## When not to use it
+You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.
+## Further reading
+- [https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#jobs](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#jobs)
+- [https://docs.github.com/actions/using-jobs/using-jobs-in-a-workflow](https://docs.github.com/actions/using-jobs/using-jobs-in-a-workflow)

package/docs/rules/no-case-insensitive-input-id-collision.md ADDED Viewed

@@ -0,0 +1,63 @@
+# no-case-insensitive-input-id-collision
+> **Rule catalog ID:** R048
+## Targeted pattern scope
+Action metadata input ID keys under `inputs`.
+## What this rule reports
+Reports input IDs that collide when normalized case-insensitively.
+## Why this rule exists
+Case-variant IDs are confusing for callers and easy to misread in workflow `with:` blocks.
+## ❌ Incorrect
+```yaml
+inputs:
+  Token:
+    description: First input
+  token:
+    description: Second input
+```
+## ✅ Correct
+```yaml
+inputs:
+  token:
+    description: Access token
+```
+## Additional examples
+For larger repositories, this rule is often enabled together with one of the published presets so violations are caught in pull requests before workflow changes are merged.
+## ESLint flat config example
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+export default [
+  {
+    files: ["**/*.{yml,yaml}"],
+    plugins: {
+      "github-actions": githubActions,
+    },
+    rules: {
+      "github-actions/no-case-insensitive-input-id-collision": "error",
+    },
+  },
+];
+```
+## When not to use it
+You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.
+## Further reading
+- [https://docs.github.com/actions/reference/workflows-and-actions/metadata-syntax#inputsinput_id](https://docs.github.com/actions/reference/workflows-and-actions/metadata-syntax#inputsinput_id)

package/docs/rules/no-composite-input-env-access.md ADDED Viewed

@@ -0,0 +1,66 @@
+# no-composite-input-env-access
+> **Rule catalog ID:** R049
+## Targeted pattern scope
+Composite action metadata under `runs.using: composite`.
+## What this rule reports
+Reports `INPUT_*` environment variable usage in composite steps.
+## Why this rule exists
+Composite actions should read inputs via `inputs.*` context references.
+## ❌ Incorrect
+```yaml
+runs:
+  using: composite
+  steps:
+    - run: echo "$INPUT_TOKEN"
+      shell: bash
+```
+## ✅ Correct
+```yaml
+runs:
+  using: composite
+  steps:
+    - run: echo "${{ inputs.token }}"
+      shell: bash
+```
+## Additional examples
+For larger repositories, this rule is often enabled together with one of the published presets so violations are caught in pull requests before workflow changes are merged.
+## ESLint flat config example
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+export default [
+  {
+    files: ["**/*.{yml,yaml}"],
+    plugins: {
+      "github-actions": githubActions,
+    },
+    rules: {
+      "github-actions/no-composite-input-env-access": "error",
+    },
+  },
+];
+```
+## When not to use it
+You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.
+## Further reading
+- [https://docs.github.com/actions/reference/workflows-and-actions/metadata-syntax#inputs](https://docs.github.com/actions/reference/workflows-and-actions/metadata-syntax#inputs)
+- [https://docs.github.com/actions/reference/workflows-and-actions/metadata-syntax#runs-for-composite-actions](https://docs.github.com/actions/reference/workflows-and-actions/metadata-syntax#runs-for-composite-actions)

package/docs/rules/no-deprecated-node-runtime.md ADDED Viewed

@@ -0,0 +1,61 @@
+# no-deprecated-node-runtime
+> **Rule catalog ID:** R044
+## Targeted pattern scope
+GitHub Action metadata `runs.using` for JavaScript actions.
+## What this rule reports
+Reports deprecated Node.js runtimes such as `node12` and `node16`.
+## Why this rule exists
+Deprecated runtimes age out of security support and eventually break action execution.
+## ❌ Incorrect
+```yaml
+runs:
+  using: node16
+  main: dist/index.js
+```
+## ✅ Correct
+```yaml
+runs:
+  using: node20
+  main: dist/index.js
+```
+## Additional examples
+For larger repositories, this rule is often enabled together with one of the published presets so violations are caught in pull requests before workflow changes are merged.
+## ESLint flat config example
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+export default [
+  {
+    files: ["**/*.{yml,yaml}"],
+    plugins: {
+      "github-actions": githubActions,
+    },
+    rules: {
+      "github-actions/no-deprecated-node-runtime": "error",
+    },
+  },
+];
+```
+## When not to use it
+You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.
+## Further reading
+- [https://docs.github.com/actions/reference/workflows-and-actions/metadata-syntax#runs-for-javascript-actions](https://docs.github.com/actions/reference/workflows-and-actions/metadata-syntax#runs-for-javascript-actions)

package/docs/rules/no-duplicate-composite-step-id.md ADDED Viewed

@@ -0,0 +1,73 @@
+# no-duplicate-composite-step-id
+> **Rule catalog ID:** R051
+## Targeted pattern scope
+Composite action `runs.steps[*].id` declarations.
+## What this rule reports
+Reports duplicate step IDs in composite actions.
+## Why this rule exists
+Duplicate step IDs create ambiguous references and break output wiring.
+## ❌ Incorrect
+```yaml
+runs:
+  using: composite
+  steps:
+    - id: setup
+      run: echo one
+      shell: bash
+    - id: setup
+      run: echo two
+      shell: bash
+```
+## ✅ Correct
+```yaml
+runs:
+  using: composite
+  steps:
+    - id: setup
+      run: echo one
+      shell: bash
+    - id: finish
+      run: echo two
+      shell: bash
+```
+## Additional examples
+For larger repositories, this rule is often enabled together with one of the published presets so violations are caught in pull requests before workflow changes are merged.
+## ESLint flat config example
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+export default [
+  {
+    files: ["**/*.{yml,yaml}"],
+    plugins: {
+      "github-actions": githubActions,
+    },
+    rules: {
+      "github-actions/no-duplicate-composite-step-id": "error",
+    },
+  },
+];
+```
+## When not to use it
+You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.
+## Further reading
+- [https://docs.github.com/actions/reference/workflows-and-actions/metadata-syntax#runs-for-composite-actions](https://docs.github.com/actions/reference/workflows-and-actions/metadata-syntax#runs-for-composite-actions)

package/docs/rules/no-empty-template-file-pattern.md ADDED Viewed

@@ -0,0 +1,57 @@
+# no-empty-template-file-pattern
+> **Rule catalog ID:** R060
+## Targeted pattern scope
+`filePatterns` entries in `workflow-templates/*.properties.json` files.
+## What this rule reports
+Reports entries that are empty or whitespace-only strings.
+## Why this rule exists
+Template matching requires meaningful regex patterns.
+## ❌ Incorrect
+```json
+{ "filePatterns": ["   "] }
+```
+## ✅ Correct
+```json
+{ "filePatterns": ["package.json$"] }
+```
+## Additional examples
+For larger repositories, this rule is often enabled together with one of the published presets so violations are caught in pull requests before workflow changes are merged.
+## ESLint flat config example
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+export default [
+  {
+    files: ["**/*.{yml,yaml}"],
+    plugins: {
+      "github-actions": githubActions,
+    },
+    rules: {
+      "github-actions/no-empty-template-file-pattern": "error",
+    },
+  },
+];
+```
+## When not to use it
+You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.
+## Further reading
+- [https://www.schemastore.org/github-workflow-template-properties.json](https://www.schemastore.org/github-workflow-template-properties.json)

package/docs/rules/no-external-job.md ADDED Viewed

@@ -0,0 +1,66 @@
+# no-external-job
+> **Rule catalog ID:** R012
+## Targeted pattern scope
+GitHub Actions workflow YAML files that call reusable workflows from `jobs.<id>.uses`.
+## What this rule reports
+This rule reports jobs that invoke reusable workflows via `uses` instead of defining the job inline.
+## Why this rule exists
+Some repositories prefer every job definition to live in the same workflow file for easier review, debugging, and change impact analysis.
+## ❌ Incorrect
+```yaml
+jobs:
+  deploy:
+    uses: ./.github/workflows/deploy.yml
+```
+## ✅ Correct
+```yaml
+jobs:
+  deploy:
+    name: Deploy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Deploy
+        run: ./scripts/deploy.sh
+```
+## Additional examples
+For larger repositories, this rule is often enabled together with one of the published presets so violations are caught in pull requests before workflow changes are merged.
+## ESLint flat config example
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+export default [
+  {
+    files: ["**/*.{yml,yaml}"],
+    plugins: {
+      "github-actions": githubActions,
+    },
+    rules: {
+      "github-actions/no-external-job": "error",
+    },
+  },
+];
+```
+## When not to use it
+You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.
+## Further reading
+- [https://docs.github.com/actions/using-workflows/reusing-workflows](https://docs.github.com/actions/using-workflows/reusing-workflows)
+- [https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_iduses](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_iduses)