eslint-plugin-github-actions-2 1.0.0

package/docs/rules/prefer-action-yml.md

@@ -0,0 +1,57 @@
+# prefer-action-yml
+
+> **Rule catalog ID:** R043
+
+## Targeted pattern scope
+
+GitHub Action metadata files named `action.yaml`.
+
+## What this rule reports
+
+Reports action metadata files that use `action.yaml` instead of `action.yml`.
+
+## Why this rule exists
+
+GitHub supports both extensions, but the metadata docs call out `action.yml` as the preferred filename.
+
+## ❌ Incorrect
+
+```text
+action.yaml
+```
+
+## ✅ Correct
+
+```text
+action.yml
+```
+
+
+## Additional examples
+
+For larger repositories, this rule is often enabled together with one of the published presets so violations are caught in pull requests before workflow changes are merged.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [
+  {
+    files: ["**/*.{yml,yaml}"],
+    plugins: {
+      "github-actions": githubActions,
+    },
+    rules: {
+      "github-actions/prefer-action-yml": "error",
+    },
+  },
+];
+```
+
+## When not to use it
+
+You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.
+## Further reading
+
+- [https://docs.github.com/actions/reference/workflows-and-actions/metadata-syntax](https://docs.github.com/actions/reference/workflows-and-actions/metadata-syntax)

package/docs/rules/prefer-fail-fast.md

@@ -0,0 +1,72 @@
+# prefer-fail-fast
+
+> **Rule catalog ID:** R015
+
+## Targeted pattern scope
+
+GitHub Actions workflow YAML files that use matrix strategies.
+
+## What this rule reports
+
+This rule reports jobs that explicitly set `strategy.fail-fast` to `false`.
+
+## Why this rule exists
+
+Leaving fail-fast enabled can save runner time and reduce queue pressure when one matrix job already proves the matrix is failing.
+
+## ❌ Incorrect
+
+```yaml
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        node: [20, 22]
+```
+
+## ✅ Correct
+
+```yaml
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        node: [20, 22]
+```
+
+
+## Additional examples
+
+For larger repositories, this rule is often enabled together with one of the published presets so violations are caught in pull requests before workflow changes are merged.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [
+  {
+    files: ["**/*.{yml,yaml}"],
+    plugins: {
+      "github-actions": githubActions,
+    },
+    rules: {
+      "github-actions/prefer-fail-fast": "error",
+    },
+  },
+];
+```
+
+## When not to use it
+
+You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.
+## Further reading
+
+- [https://docs.github.com/actions/using-jobs/using-a-matrix-for-your-jobs](https://docs.github.com/actions/using-jobs/using-a-matrix-for-your-jobs)
+- [https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idstrategy](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idstrategy)

package/docs/rules/prefer-file-extension.md

@@ -0,0 +1,77 @@
+# prefer-file-extension
+
+> **Rule catalog ID:** R020
+
+## Targeted pattern scope
+
+GitHub Actions workflow YAML files under `.github/workflows/`.
+
+## What this rule reports
+
+This rule reports workflow files whose extension does not match the configured preference.
+
+## Why this rule exists
+
+Using one workflow file extension consistently keeps repositories easier to scan, search, and script against. It also avoids needless churn from mixed `.yml` and `.yaml` naming styles.
+
+## ❌ Incorrect
+
+```yaml
+# .github/workflows/release.yaml
+name: Release
+on:
+  workflow_dispatch:
+```
+
+## ✅ Correct
+
+```yaml
+# .github/workflows/release.yml
+name: Release
+on:
+  workflow_dispatch:
+```
+
+## Behavior and migration notes
+
+### Default behavior
+
+With the default configuration, this rule expects workflow files to use the `.yml` extension.
+
+### `{ "extension": "yaml" }`
+
+Use this option to enforce `.yaml` instead.
+
+### `{ "caseSensitive": false }`
+
+Use this option when you want extension matching to ignore case differences in repository paths.
+
+
+## Additional examples
+
+For larger repositories, this rule is often enabled together with one of the published presets so violations are caught in pull requests before workflow changes are merged.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [
+  {
+    files: ["**/*.{yml,yaml}"],
+    plugins: {
+      "github-actions": githubActions,
+    },
+    rules: {
+      "github-actions/prefer-file-extension": "error",
+    },
+  },
+];
+```
+
+## When not to use it
+
+You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.
+## Further reading
+
+- [https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax)

package/docs/rules/prefer-inputs-context.md

@@ -0,0 +1,84 @@
+# prefer-inputs-context
+
+> **Rule catalog ID:** R033
+
+## Targeted pattern scope
+
+GitHub Actions workflow YAML files that define `workflow_dispatch` and reference `github.event.inputs` in expressions.
+
+## What this rule reports
+
+This rule reports `github.event.inputs.*` references in `workflow_dispatch` workflows and prefers the shorter `inputs.*` context instead.
+
+## Why this rule exists
+
+GitHub documents that `inputs` and `github.event.inputs` expose the same manual-dispatch values, but `inputs` preserves Boolean values as Booleans instead of converting them to strings. Using `inputs` also makes workflow expressions shorter and easier to read.
+
+## ❌ Incorrect
+
+```yaml
+on:
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: Run validation only
+        required: true
+        type: boolean
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.inputs.dry_run }}
+    steps:
+      - run: echo release
+```
+
+## ✅ Correct
+
+```yaml
+on:
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: Run validation only
+        required: true
+        type: boolean
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    if: ${{ inputs.dry_run }}
+    steps:
+      - run: echo release
+```
+
+
+## Additional examples
+
+For larger repositories, this rule is often enabled together with one of the published presets so violations are caught in pull requests before workflow changes are merged.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [
+  {
+    files: ["**/*.{yml,yaml}"],
+    plugins: {
+      "github-actions": githubActions,
+    },
+    rules: {
+      "github-actions/prefer-inputs-context": "error",
+    },
+  },
+];
+```
+
+## When not to use it
+
+You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.
+## Further reading
+
+- [https://docs.github.com/actions/reference/workflows-and-actions/events-that-trigger-workflows#workflow_dispatch](https://docs.github.com/actions/reference/workflows-and-actions/events-that-trigger-workflows#workflow_dispatch)
+- [https://docs.github.com/actions/reference/workflows-and-actions/contexts#inputs-context](https://docs.github.com/actions/reference/workflows-and-actions/contexts#inputs-context)

package/docs/rules/prefer-step-uses-style.md

@@ -0,0 +1,70 @@
+# prefer-step-uses-style
+
+> **Rule catalog ID:** R016
+
+## Targeted pattern scope
+
+GitHub Actions workflow YAML files that use step-level `uses` references.
+
+## What this rule reports
+
+This rule reports step `uses` references whose style does not match the configured preference, and it can also disallow repository-local or Docker-based `uses` references.
+
+## Why this rule exists
+
+Standardizing how steps reference actions makes workflow reviews easier. Teams that prefer immutable commit SHAs, release tags, or branch names can enforce that choice consistently.
+
+## ❌ Incorrect
+
+```yaml
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+```
+
+## ✅ Correct
+
+```yaml
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+```
+
+
+## Additional examples
+
+For larger repositories, this rule is often enabled together with one of the published presets so violations are caught in pull requests before workflow changes are merged.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [
+  {
+    files: ["**/*.{yml,yaml}"],
+    plugins: {
+      "github-actions": githubActions,
+    },
+    rules: {
+      "github-actions/prefer-step-uses-style": "error",
+    },
+  },
+];
+```
+
+## When not to use it
+
+You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.
+## Further reading
+
+- [https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idstepsuses](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idstepsuses)
+- [https://docs.github.com/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions](https://docs.github.com/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions)

package/docs/rules/prefer-template-yml-extension.md

@@ -0,0 +1,57 @@
+# prefer-template-yml-extension
+
+> **Rule catalog ID:** R066
+
+## Targeted pattern scope
+
+Workflow template YAML filenames under `workflow-templates/`.
+
+## What this rule reports
+
+Reports template files that use `.yaml` instead of `.yml`.
+
+## Why this rule exists
+
+Consistent file extensions improve discoverability and repository conventions.
+
+## ❌ Incorrect
+
+```text
+workflow-templates/ci.yaml
+```
+
+## ✅ Correct
+
+```text
+workflow-templates/ci.yml
+```
+
+
+## Additional examples
+
+For larger repositories, this rule is often enabled together with one of the published presets so violations are caught in pull requests before workflow changes are merged.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [
+  {
+    files: ["**/*.{yml,yaml}"],
+    plugins: {
+      "github-actions": githubActions,
+    },
+    rules: {
+      "github-actions/prefer-template-yml-extension": "error",
+    },
+  },
+];
+```
+
+## When not to use it
+
+You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.
+## Further reading
+
+- [https://docs.github.com/actions/reference/workflows-and-actions/reusing-workflow-configurations](https://docs.github.com/actions/reference/workflows-and-actions/reusing-workflow-configurations)

package/docs/rules/presets/action-metadata.md

@@ -0,0 +1,18 @@
+# `githubActions.configs.actionMetadata`
+
+Linting defaults for GitHub Action metadata files (`action.yml` / `action.yaml`).
+
+## Included rules
+
+- [`no-case-insensitive-input-id-collision`](../no-case-insensitive-input-id-collision.md)
+- [`no-composite-input-env-access`](../no-composite-input-env-access.md)
+- [`no-deprecated-node-runtime`](../no-deprecated-node-runtime.md)
+- [`no-duplicate-composite-step-id`](../no-duplicate-composite-step-id.md)
+- [`no-post-if-without-post`](../no-post-if-without-post.md)
+- [`no-pre-if-without-pre`](../no-pre-if-without-pre.md)
+- [`no-required-input-with-default`](../no-required-input-with-default.md)
+- [`no-unknown-input-reference-in-composite`](../no-unknown-input-reference-in-composite.md)
+- [`no-unused-input-in-composite`](../no-unused-input-in-composite.md)
+- [`prefer-action-yml`](../prefer-action-yml.md)
+- [`require-composite-step-name`](../require-composite-step-name.md)
+

package/docs/rules/presets/all.md

@@ -0,0 +1,76 @@
+# `githubActions.configs.all`
+
+Enables every available rule published by `eslint-plugin-github-actions-2`.
+
+## Included rules
+
+- [`require-workflow-permissions`](../require-workflow-permissions.md)
+- [`require-job-timeout-minutes`](../require-job-timeout-minutes.md)
+- [`pin-action-shas`](../pin-action-shas.md)
+- [`require-workflow-concurrency`](../require-workflow-concurrency.md)
+- [`action-name-casing`](../action-name-casing.md)
+- [`job-id-casing`](../job-id-casing.md)
+- [`max-jobs-per-action`](../max-jobs-per-action.md)
+- [`no-case-insensitive-input-id-collision`](../no-case-insensitive-input-id-collision.md)
+- [`no-composite-input-env-access`](../no-composite-input-env-access.md)
+- [`no-deprecated-node-runtime`](../no-deprecated-node-runtime.md)
+- [`no-duplicate-composite-step-id`](../no-duplicate-composite-step-id.md)
+- [`no-empty-template-file-pattern`](../no-empty-template-file-pattern.md)
+- [`no-external-job`](../no-external-job.md)
+- [`no-hardcoded-default-branch-in-template`](../no-hardcoded-default-branch-in-template.md)
+- [`no-icon-file-extension-in-template-icon-name`](../no-icon-file-extension-in-template-icon-name.md)
+- [`no-inherit-secrets`](../no-inherit-secrets.md)
+- [`no-invalid-concurrency-context`](../no-invalid-concurrency-context.md)
+- [`no-invalid-key`](../no-invalid-key.md)
+- [`no-invalid-reusable-workflow-job-key`](../no-invalid-reusable-workflow-job-key.md)
+- [`no-invalid-template-file-pattern-regex`](../no-invalid-template-file-pattern-regex.md)
+- [`no-invalid-workflow-call-output-value`](../no-invalid-workflow-call-output-value.md)
+- [`no-path-separators-in-template-icon-name`](../no-path-separators-in-template-icon-name.md)
+- [`no-post-if-without-post`](../no-post-if-without-post.md)
+- [`no-pr-head-checkout-in-pull-request-target`](../no-pr-head-checkout-in-pull-request-target.md)
+- [`no-pre-if-without-pre`](../no-pre-if-without-pre.md)
+- [`no-required-input-with-default`](../no-required-input-with-default.md)
+- [`no-secrets-in-if`](../no-secrets-in-if.md)
+- [`no-self-hosted-runner-on-fork-pr-events`](../no-self-hosted-runner-on-fork-pr-events.md)
+- [`no-subdirectory-template-file-pattern`](../no-subdirectory-template-file-pattern.md)
+- [`no-template-placeholder-in-non-template-workflow`](../no-template-placeholder-in-non-template-workflow.md)
+- [`no-top-level-env`](../no-top-level-env.md)
+- [`no-top-level-permissions`](../no-top-level-permissions.md)
+- [`no-universal-template-file-pattern`](../no-universal-template-file-pattern.md)
+- [`no-unknown-input-reference-in-composite`](../no-unknown-input-reference-in-composite.md)
+- [`no-unknown-job-output-reference`](../no-unknown-job-output-reference.md)
+- [`no-unknown-step-reference`](../no-unknown-step-reference.md)
+- [`no-unused-input-in-composite`](../no-unused-input-in-composite.md)
+- [`no-untrusted-input-in-run`](../no-untrusted-input-in-run.md)
+- [`no-write-all-permissions`](../no-write-all-permissions.md)
+- [`prefer-action-yml`](../prefer-action-yml.md)
+- [`prefer-fail-fast`](../prefer-fail-fast.md)
+- [`prefer-file-extension`](../prefer-file-extension.md)
+- [`prefer-inputs-context`](../prefer-inputs-context.md)
+- [`prefer-step-uses-style`](../prefer-step-uses-style.md)
+- [`prefer-template-yml-extension`](../prefer-template-yml-extension.md)
+- [`require-action-name`](../require-action-name.md)
+- [`require-action-run-name`](../require-action-run-name.md)
+- [`require-checkout-before-local-action`](../require-checkout-before-local-action.md)
+- [`require-composite-step-name`](../require-composite-step-name.md)
+- [`require-job-name`](../require-job-name.md)
+- [`require-job-step-name`](../require-job-step-name.md)
+- [`require-merge-group-trigger`](../require-merge-group-trigger.md)
+- [`require-pull-request-target-branches`](../require-pull-request-target-branches.md)
+- [`require-run-step-shell`](../require-run-step-shell.md)
+- [`require-template-categories`](../require-template-categories.md)
+- [`require-template-file-patterns`](../require-template-file-patterns.md)
+- [`require-template-icon-file-exists`](../require-template-icon-file-exists.md)
+- [`require-template-icon-name`](../require-template-icon-name.md)
+- [`require-template-workflow-name`](../require-template-workflow-name.md)
+- [`require-trigger-types`](../require-trigger-types.md)
+- [`require-workflow-call-input-type`](../require-workflow-call-input-type.md)
+- [`require-workflow-call-output-value`](../require-workflow-call-output-value.md)
+- [`require-workflow-dispatch-input-type`](../require-workflow-dispatch-input-type.md)
+- [`require-workflow-interface-description`](../require-workflow-interface-description.md)
+- [`require-workflow-run-branches`](../require-workflow-run-branches.md)
+- [`require-workflow-template-pair`](../require-workflow-template-pair.md)
+- [`require-workflow-template-properties-pair`](../require-workflow-template-properties-pair.md)
+- [`valid-timeout-minutes`](../valid-timeout-minutes.md)
+- [`valid-trigger-events`](../valid-trigger-events.md)
+

package/docs/rules/presets/index.md

@@ -0,0 +1,100 @@
+# Presets
+
+The plugin exports seven flat-config presets:
+
+- [`githubActions.configs.actionMetadata`](./action-metadata.md)
+- [`githubActions.configs.workflowTemplateProperties`](./workflow-template-properties.md)
+- [`githubActions.configs.workflowTemplates`](./workflow-templates.md)
+- [`githubActions.configs.recommended`](./recommended.md)
+- [`githubActions.configs.security`](./security.md)
+- [`githubActions.configs.strict`](./strict.md)
+- [`githubActions.configs.all`](./all.md)
+
+These presets cover workflow YAML, action metadata (`action.yml` / `action.yaml`),
+and workflow template package files (`workflow-templates/*.yml`, `*.yaml`, and
+`*.properties.json`).
+
+## How to choose
+
+- Start with **recommended** for broad baseline quality and safety.
+- Layer **security** for stronger supply-chain and permissions-focused checks.
+- Use **strict** when you want high signal on operational consistency.
+- Use **all** for complete rule coverage (best for internal policy repos).
+
+Then review [getting started](../getting-started.md) and the full
+[rule reference](../overview.md).
+
+## Rule Matrix
+
+| Rule | 🧩 actionMetadata | 🗂️ workflowTemplateProperties | 🧱 workflowTemplates | 🟡 recommended | 🛡️ security | 🔴 strict | 🟣 all |
+| --- | :-: | :-: | :-: | :-: | :-: | :-: | :-: |
+| [`action-name-casing`](../action-name-casing.md) | — | — | — | — | — | ✅ | ✅ |
+| [`job-id-casing`](../job-id-casing.md) | — | — | — | — | — | ✅ | ✅ |
+| [`max-jobs-per-action`](../max-jobs-per-action.md) | — | — | — | — | — | ✅ | ✅ |
+| [`no-case-insensitive-input-id-collision`](../no-case-insensitive-input-id-collision.md) | ✅ | — | — | — | — | — | ✅ |
+| [`no-composite-input-env-access`](../no-composite-input-env-access.md) | ✅ | — | — | — | — | — | ✅ |
+| [`no-deprecated-node-runtime`](../no-deprecated-node-runtime.md) | ✅ | — | — | — | — | — | ✅ |
+| [`no-duplicate-composite-step-id`](../no-duplicate-composite-step-id.md) | ✅ | — | — | — | — | — | ✅ |
+| [`no-empty-template-file-pattern`](../no-empty-template-file-pattern.md) | — | ✅ | ✅ | — | — | — | ✅ |
+| [`no-external-job`](../no-external-job.md) | — | — | — | — | — | ✅ | ✅ |
+| [`no-hardcoded-default-branch-in-template`](../no-hardcoded-default-branch-in-template.md) | — | — | ✅ | — | — | — | ✅ |
+| [`no-icon-file-extension-in-template-icon-name`](../no-icon-file-extension-in-template-icon-name.md) | — | ✅ | ✅ | — | — | — | ✅ |
+| [`no-inherit-secrets`](../no-inherit-secrets.md) | — | — | — | — | ✅ | ✅ | ✅ |
+| [`no-invalid-concurrency-context`](../no-invalid-concurrency-context.md) | — | — | — | ✅ | — | ✅ | ✅ |
+| [`no-invalid-key`](../no-invalid-key.md) | — | — | — | ✅ | — | ✅ | ✅ |
+| [`no-invalid-reusable-workflow-job-key`](../no-invalid-reusable-workflow-job-key.md) | — | — | — | ✅ | — | ✅ | ✅ |
+| [`no-invalid-template-file-pattern-regex`](../no-invalid-template-file-pattern-regex.md) | — | ✅ | ✅ | — | — | — | ✅ |
+| [`no-invalid-workflow-call-output-value`](../no-invalid-workflow-call-output-value.md) | — | — | — | ✅ | — | ✅ | ✅ |
+| [`no-path-separators-in-template-icon-name`](../no-path-separators-in-template-icon-name.md) | — | ✅ | ✅ | — | — | — | ✅ |
+| [`no-post-if-without-post`](../no-post-if-without-post.md) | ✅ | — | — | — | — | — | ✅ |
+| [`no-pr-head-checkout-in-pull-request-target`](../no-pr-head-checkout-in-pull-request-target.md) | — | — | — | — | ✅ | ✅ | ✅ |
+| [`no-pre-if-without-pre`](../no-pre-if-without-pre.md) | ✅ | — | — | — | — | — | ✅ |
+| [`no-required-input-with-default`](../no-required-input-with-default.md) | ✅ | — | — | — | — | — | ✅ |
+| [`no-secrets-in-if`](../no-secrets-in-if.md) | — | — | — | ✅ | ✅ | ✅ | ✅ |
+| [`no-self-hosted-runner-on-fork-pr-events`](../no-self-hosted-runner-on-fork-pr-events.md) | — | — | — | — | ✅ | ✅ | ✅ |
+| [`no-subdirectory-template-file-pattern`](../no-subdirectory-template-file-pattern.md) | — | ✅ | ✅ | — | — | — | ✅ |
+| [`no-template-placeholder-in-non-template-workflow`](../no-template-placeholder-in-non-template-workflow.md) | — | — | — | ✅ | — | ✅ | ✅ |
+| [`no-top-level-env`](../no-top-level-env.md) | — | — | — | — | — | ✅ | ✅ |
+| [`no-top-level-permissions`](../no-top-level-permissions.md) | — | — | — | — | — | — | ✅ |
+| [`no-universal-template-file-pattern`](../no-universal-template-file-pattern.md) | — | ✅ | ✅ | — | — | — | ✅ |
+| [`no-unknown-input-reference-in-composite`](../no-unknown-input-reference-in-composite.md) | ✅ | — | — | — | — | — | ✅ |
+| [`no-unknown-job-output-reference`](../no-unknown-job-output-reference.md) | — | — | — | ✅ | — | ✅ | ✅ |
+| [`no-unknown-step-reference`](../no-unknown-step-reference.md) | — | — | — | — | — | ✅ | ✅ |
+| [`no-untrusted-input-in-run`](../no-untrusted-input-in-run.md) | — | — | — | — | ✅ | ✅ | ✅ |
+| [`no-unused-input-in-composite`](../no-unused-input-in-composite.md) | ✅ | — | — | — | — | — | ✅ |
+| [`no-write-all-permissions`](../no-write-all-permissions.md) | — | — | — | ✅ | ✅ | ✅ | ✅ |
+| [`pin-action-shas`](../pin-action-shas.md) | — | — | — | — | ✅ | ✅ | ✅ |
+| [`prefer-action-yml`](../prefer-action-yml.md) | ✅ | — | — | — | — | — | ✅ |
+| [`prefer-fail-fast`](../prefer-fail-fast.md) | — | — | — | — | — | ✅ | ✅ |
+| [`prefer-file-extension`](../prefer-file-extension.md) | — | — | — | ✅ | — | ✅ | ✅ |
+| [`prefer-inputs-context`](../prefer-inputs-context.md) | — | — | — | ✅ | — | ✅ | ✅ |
+| [`prefer-step-uses-style`](../prefer-step-uses-style.md) | — | — | — | — | — | — | ✅ |
+| [`prefer-template-yml-extension`](../prefer-template-yml-extension.md) | — | — | ✅ | — | — | — | ✅ |
+| [`require-action-name`](../require-action-name.md) | — | — | — | ✅ | — | ✅ | ✅ |
+| [`require-action-run-name`](../require-action-run-name.md) | — | — | — | — | — | ✅ | ✅ |
+| [`require-checkout-before-local-action`](../require-checkout-before-local-action.md) | — | — | — | ✅ | — | ✅ | ✅ |
+| [`require-composite-step-name`](../require-composite-step-name.md) | ✅ | — | — | — | — | — | ✅ |
+| [`require-job-name`](../require-job-name.md) | — | — | — | — | — | ✅ | ✅ |
+| [`require-job-step-name`](../require-job-step-name.md) | — | — | — | — | — | ✅ | ✅ |
+| [`require-job-timeout-minutes`](../require-job-timeout-minutes.md) | — | — | — | ✅ | — | ✅ | ✅ |
+| [`require-merge-group-trigger`](../require-merge-group-trigger.md) | — | — | — | — | — | ✅ | ✅ |
+| [`require-pull-request-target-branches`](../require-pull-request-target-branches.md) | — | — | — | — | ✅ | ✅ | ✅ |
+| [`require-run-step-shell`](../require-run-step-shell.md) | — | — | — | — | — | ✅ | ✅ |
+| [`require-template-categories`](../require-template-categories.md) | — | ✅ | ✅ | — | — | — | ✅ |
+| [`require-template-file-patterns`](../require-template-file-patterns.md) | — | ✅ | ✅ | — | — | — | ✅ |
+| [`require-template-icon-file-exists`](../require-template-icon-file-exists.md) | — | ✅ | ✅ | — | — | — | ✅ |
+| [`require-template-icon-name`](../require-template-icon-name.md) | — | ✅ | ✅ | — | — | — | ✅ |
+| [`require-template-workflow-name`](../require-template-workflow-name.md) | — | — | ✅ | — | — | — | ✅ |
+| [`require-trigger-types`](../require-trigger-types.md) | — | — | — | — | — | ✅ | ✅ |
+| [`require-workflow-call-input-type`](../require-workflow-call-input-type.md) | — | — | — | ✅ | — | ✅ | ✅ |
+| [`require-workflow-call-output-value`](../require-workflow-call-output-value.md) | — | — | — | ✅ | — | ✅ | ✅ |
+| [`require-workflow-concurrency`](../require-workflow-concurrency.md) | — | — | — | — | — | ✅ | ✅ |
+| [`require-workflow-dispatch-input-type`](../require-workflow-dispatch-input-type.md) | — | — | — | ✅ | — | ✅ | ✅ |
+| [`require-workflow-interface-description`](../require-workflow-interface-description.md) | — | — | — | — | — | ✅ | ✅ |
+| [`require-workflow-permissions`](../require-workflow-permissions.md) | — | — | — | ✅ | ✅ | ✅ | ✅ |
+| [`require-workflow-run-branches`](../require-workflow-run-branches.md) | — | — | — | — | ✅ | ✅ | ✅ |
+| [`require-workflow-template-pair`](../require-workflow-template-pair.md) | — | — | ✅ | — | — | — | ✅ |
+| [`require-workflow-template-properties-pair`](../require-workflow-template-properties-pair.md) | — | ✅ | ✅ | — | — | — | ✅ |
+| [`valid-timeout-minutes`](../valid-timeout-minutes.md) | — | — | — | ✅ | — | ✅ | ✅ |
+| [`valid-trigger-events`](../valid-trigger-events.md) | — | — | — | ✅ | — | ✅ | ✅ |
+

package/docs/rules/presets/recommended.md

@@ -0,0 +1,26 @@
+# `githubActions.configs.recommended`
+
+Balanced defaults for most repositories.
+
+## Included rules
+
+- [`no-invalid-concurrency-context`](../no-invalid-concurrency-context.md)
+- [`no-invalid-workflow-call-output-value`](../no-invalid-workflow-call-output-value.md)
+- [`no-write-all-permissions`](../no-write-all-permissions.md)
+- [`no-invalid-key`](../no-invalid-key.md)
+- [`no-invalid-reusable-workflow-job-key`](../no-invalid-reusable-workflow-job-key.md)
+- [`no-secrets-in-if`](../no-secrets-in-if.md)
+- [`no-template-placeholder-in-non-template-workflow`](../no-template-placeholder-in-non-template-workflow.md)
+- [`no-unknown-job-output-reference`](../no-unknown-job-output-reference.md)
+- [`prefer-file-extension`](../prefer-file-extension.md)
+- [`prefer-inputs-context`](../prefer-inputs-context.md)
+- [`require-workflow-permissions`](../require-workflow-permissions.md)
+- [`require-checkout-before-local-action`](../require-checkout-before-local-action.md)
+- [`require-job-timeout-minutes`](../require-job-timeout-minutes.md)
+- [`require-workflow-call-input-type`](../require-workflow-call-input-type.md)
+- [`require-workflow-call-output-value`](../require-workflow-call-output-value.md)
+- [`require-workflow-dispatch-input-type`](../require-workflow-dispatch-input-type.md)
+- [`valid-timeout-minutes`](../valid-timeout-minutes.md)
+- [`valid-trigger-events`](../valid-trigger-events.md)
+- [`require-action-name`](../require-action-name.md)
+

package/docs/rules/presets/security.md

@@ -0,0 +1,16 @@
+# `githubActions.configs.security`
+
+Security-focused workflow hardening checks.
+
+## Included rules
+
+- [`no-inherit-secrets`](../no-inherit-secrets.md)
+- [`no-pr-head-checkout-in-pull-request-target`](../no-pr-head-checkout-in-pull-request-target.md)
+- [`no-secrets-in-if`](../no-secrets-in-if.md)
+- [`no-self-hosted-runner-on-fork-pr-events`](../no-self-hosted-runner-on-fork-pr-events.md)
+- [`no-untrusted-input-in-run`](../no-untrusted-input-in-run.md)
+- [`require-pull-request-target-branches`](../require-pull-request-target-branches.md)
+- [`require-workflow-permissions`](../require-workflow-permissions.md)
+- [`require-workflow-run-branches`](../require-workflow-run-branches.md)
+- [`pin-action-shas`](../pin-action-shas.md)
+