eslint-plugin-github-actions-2 1.0.1 → 1.0.3

package/docs/rules/require-job-step-name.md

@@ -37,6 +37,14 @@ jobs:
         run: npm test
 ```
 
+## Behavior and migration notes
+
+This rule provides suggestions when it can infer a meaningful step label from existing step content:
+
+- for `uses:` steps, it suggests the action reference without the version suffix, and
+- for `run:` steps, it suggests the first non-empty command line when that line is short enough to read well in logs.
+
+Those suggestions are intentionally reviewable rather than automatically applied because human-friendly step names often need a little more context than the raw command or action reference.
 
 ## Additional examples
 
@@ -63,7 +71,8 @@ export default [
 ## When not to use it
 
 You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.
+
 ## Further reading
 
-- [https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idsteps](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idsteps)
-- [https://docs.github.com/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs](https://docs.github.com/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs)
+- [GitHub Actions workflow syntax: `jobs.<job_id>.steps`](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idsteps)
+- [GitHub Actions docs: Using workflow run logs](https://docs.github.com/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs)

package/docs/rules/require-sarif-upload-security-events-write.md

@@ -0,0 +1,50 @@
+# require-sarif-upload-security-events-write
+
+> **Rule catalog ID:** R102
+
+## Targeted pattern scope
+
+Jobs that use `github/codeql-action/upload-sarif`.
+
+## What this rule reports
+
+This rule reports SARIF upload jobs that do not grant `security-events: write`.
+
+## Why this rule exists
+
+Uploading SARIF to GitHub code scanning requires `security-events: write`. Requiring it explicitly keeps workflow permissions correct and reviewable.
+
+## ❌ Incorrect
+
+```yaml
+permissions:
+  contents: read
+```
+
+## ✅ Correct
+
+```yaml
+permissions:
+  contents: read
+  security-events: write
+```
+
+## Additional examples
+
+This rule applies to any SARIF uploader step using `github/codeql-action/upload-sarif`, not just CodeQL-native workflows.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.codeScanning];
+```
+
+## When not to use it
+
+Disable this rule only if the uploader step is never intended to publish SARIF into GitHub code scanning.
+
+## Further reading
+
+- [About code scanning with CodeQL](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)

package/docs/rules/require-scorecard-results-format-sarif.md

@@ -0,0 +1,49 @@
+# require-scorecard-results-format-sarif
+
+> **Rule catalog ID:** R103
+
+## Targeted pattern scope
+
+Workflow steps that use `ossf/scorecard-action`.
+
+## What this rule reports
+
+This rule reports Scorecard action steps that do not set `results_format: sarif`.
+
+## Why this rule exists
+
+If a repository wants Scorecard findings to flow into GitHub code scanning, SARIF is the correct results format. Requiring it makes the upload contract explicit.
+
+## ❌ Incorrect
+
+```yaml
+- uses: ossf/scorecard-action@v2
+```
+
+## ✅ Correct
+
+```yaml
+- uses: ossf/scorecard-action@v2
+  with:
+    results_format: sarif
+```
+
+## Additional examples
+
+This rule pairs naturally with `require-scorecard-upload-sarif-step`, which ensures the generated SARIF is actually published.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.codeScanning];
+```
+
+## When not to use it
+
+Disable this rule if your Scorecard workflow intentionally produces non-SARIF output for another destination.
+
+## Further reading
+
+- [OpenSSF Scorecard Action](https://github.com/ossf/scorecard-action)

package/docs/rules/require-scorecard-upload-sarif-step.md

@@ -0,0 +1,55 @@
+# require-scorecard-upload-sarif-step
+
+> **Rule catalog ID:** R104
+
+## Targeted pattern scope
+
+Workflows that use `ossf/scorecard-action`.
+
+## What this rule reports
+
+This rule reports Scorecard workflows that do not upload SARIF results with `github/codeql-action/upload-sarif`.
+
+## Why this rule exists
+
+Generating SARIF without uploading it leaves the code scanning integration incomplete. Requiring the upload step helps repositories actually surface Scorecard findings in GitHub.
+
+## ❌ Incorrect
+
+```yaml
+- uses: ossf/scorecard-action@v2
+  with:
+    results_format: sarif
+```
+
+## ✅ Correct
+
+```yaml
+- uses: ossf/scorecard-action@v2
+  with:
+    results_format: sarif
+
+- uses: github/codeql-action/upload-sarif@v4
+  with:
+    sarif_file: results.sarif
+```
+
+## Additional examples
+
+This rule does not require a specific SARIF filename, only that an upload step exists.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.codeScanning];
+```
+
+## When not to use it
+
+Disable this rule if SARIF upload is handled by a reusable workflow or another job outside the current file.
+
+## Further reading
+
+- [OpenSSF Scorecard Action](https://github.com/ossf/scorecard-action)

package/docs/rules/require-secret-scan-contents-read.md

@@ -0,0 +1,48 @@
+# require-secret-scan-contents-read
+
+> **Rule catalog ID:** R107
+
+## Targeted pattern scope
+
+Jobs that use supported secret-scanning actions.
+
+## What this rule reports
+
+This rule reports secret-scanning jobs that do not grant `contents: read`.
+
+## Why this rule exists
+
+Secret-scanning workflows generally only need read access to repository contents. Making that permission explicit reinforces least privilege.
+
+## ❌ Incorrect
+
+```yaml
+permissions: {}
+```
+
+## ✅ Correct
+
+```yaml
+permissions:
+  contents: read
+```
+
+## Additional examples
+
+This rule is intentionally narrow and does not try to prescribe every other permission a secret-scanning workflow may or may not need.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.security];
+```
+
+## When not to use it
+
+Disable this rule if your scanner workflow runs in an unusual environment that truly does not need repository contents access.
+
+## Further reading
+
+- [GitHub Actions workflow syntax: permissions](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#permissions)

package/docs/rules/require-secret-scan-fetch-depth-zero.md

@@ -0,0 +1,50 @@
+# require-secret-scan-fetch-depth-zero
+
+> **Rule catalog ID:** R105
+
+## Targeted pattern scope
+
+Jobs that use secret-scanning actions such as Gitleaks or TruffleHog.
+
+## What this rule reports
+
+This rule reports secret-scanning jobs that do not checkout repository history with `fetch-depth: 0`.
+
+## Why this rule exists
+
+Secret scanners are most effective when they can inspect full repository history rather than only the latest commit range.
+
+## ❌ Incorrect
+
+```yaml
+- uses: actions/checkout@v6
+```
+
+## ✅ Correct
+
+```yaml
+- uses: actions/checkout@v6
+  with:
+    fetch-depth: 0
+```
+
+## Additional examples
+
+This rule is job-scoped, so it only checks jobs that actually run the supported secret scanners.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.security];
+```
+
+## When not to use it
+
+Disable this rule if your secret scanning workflow is intentionally limited to shallow history or event-specific diffs.
+
+## Further reading
+
+- [Gitleaks Action](https://github.com/gitleaks/gitleaks-action)
+- [TruffleHog Action](https://github.com/trufflesecurity/trufflehog)

package/docs/rules/require-secret-scan-schedule.md

@@ -0,0 +1,50 @@
+# require-secret-scan-schedule
+
+> **Rule catalog ID:** R106
+
+## Targeted pattern scope
+
+Workflows that use supported secret-scanning actions.
+
+## What this rule reports
+
+This rule reports secret-scanning workflows that do not define a `schedule` trigger.
+
+## Why this rule exists
+
+Scheduled secret scanning catches leaks even when no recent pull request or push event happens on the affected branch.
+
+## ❌ Incorrect
+
+```yaml
+on: [pull_request]
+```
+
+## ✅ Correct
+
+```yaml
+on:
+  pull_request:
+  schedule:
+    - cron: "12 4 * * *"
+```
+
+## Additional examples
+
+This rule does not enforce a particular cron expression, only that periodic scanning exists.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.security];
+```
+
+## When not to use it
+
+Disable this rule if scheduled secret scanning is handled outside GitHub Actions.
+
+## Further reading
+
+- [GitHub Actions workflow syntax: schedule](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#onschedule)

package/docs/rules/require-trufflehog-verified-results-mode.md

@@ -0,0 +1,49 @@
+# require-trufflehog-verified-results-mode
+
+> **Rule catalog ID:** R108
+
+## Targeted pattern scope
+
+Workflow steps that use the TruffleHog GitHub Action.
+
+## What this rule reports
+
+This rule reports TruffleHog steps that do not configure `extra_args` to include `--results=verified`.
+
+## Why this rule exists
+
+Verified-results mode reduces noise by failing only on findings that the scanner can verify more confidently.
+
+## ❌ Incorrect
+
+```yaml
+- uses: trufflesecurity/trufflehog@v3
+```
+
+## ✅ Correct
+
+```yaml
+- uses: trufflesecurity/trufflehog@v3
+  with:
+    extra_args: --results=verified
+```
+
+## Additional examples
+
+This rule still allows additional TruffleHog flags as long as the verified-results mode is present.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.security];
+```
+
+## When not to use it
+
+Disable this rule if your repository intentionally wants broader TruffleHog results despite the extra noise.
+
+## Further reading
+
+- [TruffleHog Action](https://github.com/trufflesecurity/trufflehog)

package/package.json

@@ -1,7 +1,7 @@
 {
     "$schema": "https://www.schemastore.org/package.json",
     "name": "eslint-plugin-github-actions-2",
-    "version": "1.0.1",
+    "version": "1.0.3",
     "private": false,
     "description": "ESLint plugin for GitHub Actions workflow quality, reliability, and security rules.",
     "keywords": [
@@ -134,9 +134,6 @@
         "update-deps": "npx ncu -i --install never && npm run sync:peer-eslint-range && npm install --force",
         "verify:readme-rules-table": "npm run build && npm run sync:readme-rules-table"
     },
-    "overrides": {
-        "jsonc-eslint-parser": "$jsonc-eslint-parser"
-    },
     "dependencies": {
         "yaml-eslint-parser": "^2.0.0"
     },
@@ -145,34 +142,34 @@
         "@csstools/stylelint-formatter-github": "^2.0.0",
         "@docusaurus/eslint-plugin": "^3.9.2",
         "@double-great/remark-lint-alt-text": "^1.1.1",
-        "@double-great/stylelint-a11y": "^3.4.7",
+        "@double-great/stylelint-a11y": "^3.4.9",
         "@eslint-community/eslint-plugin-eslint-comments": "^4.7.1",
-        "@eslint-react/eslint-plugin": "^3.0.0",
-        "@eslint/compat": "^2.0.3",
-        "@eslint/config-helpers": "^0.5.3",
+        "@eslint-react/eslint-plugin": "^4.2.3",
+        "@eslint/compat": "^2.0.4",
+        "@eslint/config-helpers": "^0.5.4",
         "@eslint/config-inspector": "^1.5.0",
-        "@eslint/css": "^1.0.0",
+        "@eslint/css": "^1.1.0",
         "@eslint/js": "^10.0.1",
         "@eslint/json": "^1.2.0",
-        "@eslint/markdown": "^7.5.1",
+        "@eslint/markdown": "^8.0.1",
         "@html-eslint/eslint-plugin": "^0.58.1",
         "@html-eslint/parser": "^0.58.1",
         "@microsoft/eslint-plugin-sdl": "^1.1.0",
         "@microsoft/tsdoc-config": "^0.18.1",
-        "@secretlint/secretlint-rule-anthropic": "^11.4.0",
-        "@secretlint/secretlint-rule-aws": "^11.4.0",
-        "@secretlint/secretlint-rule-database-connection-string": "^11.4.0",
-        "@secretlint/secretlint-rule-gcp": "^11.4.0",
-        "@secretlint/secretlint-rule-github": "^11.4.0",
-        "@secretlint/secretlint-rule-no-dotenv": "^11.4.0",
-        "@secretlint/secretlint-rule-no-homedir": "^11.4.0",
-        "@secretlint/secretlint-rule-npm": "^11.4.0",
-        "@secretlint/secretlint-rule-openai": "^11.4.0",
-        "@secretlint/secretlint-rule-pattern": "^11.4.0",
-        "@secretlint/secretlint-rule-preset-recommend": "^11.4.0",
-        "@secretlint/secretlint-rule-privatekey": "^11.4.0",
-        "@secretlint/secretlint-rule-secp256k1-privatekey": "^11.4.0",
-        "@secretlint/types": "^11.4.0",
+        "@secretlint/secretlint-rule-anthropic": "^11.5.0",
+        "@secretlint/secretlint-rule-aws": "^11.5.0",
+        "@secretlint/secretlint-rule-database-connection-string": "^11.5.0",
+        "@secretlint/secretlint-rule-gcp": "^11.5.0",
+        "@secretlint/secretlint-rule-github": "^11.5.0",
+        "@secretlint/secretlint-rule-no-dotenv": "^11.5.0",
+        "@secretlint/secretlint-rule-no-homedir": "^11.5.0",
+        "@secretlint/secretlint-rule-npm": "^11.5.0",
+        "@secretlint/secretlint-rule-openai": "^11.5.0",
+        "@secretlint/secretlint-rule-pattern": "^11.5.0",
+        "@secretlint/secretlint-rule-preset-recommend": "^11.4.1",
+        "@secretlint/secretlint-rule-privatekey": "^11.5.0",
+        "@secretlint/secretlint-rule-secp256k1-privatekey": "^11.5.0",
+        "@secretlint/types": "^11.5.0",
         "@softonus/prettier-plugin-duplicate-remover": "^1.1.2",
         "@stryker-ignorer/console-all": "^0.3.2",
         "@stryker-mutator/core": "^9.6.0",
@@ -181,12 +178,12 @@
         "@stylelint-types/stylelint-order": "^7.0.1",
         "@stylelint-types/stylelint-stylistic": "^5.0.0",
         "@stylistic/eslint-plugin": "^5.10.0",
-        "@stylistic/stylelint-plugin": "^5.0.1",
+        "@stylistic/stylelint-plugin": "^5.1.0",
         "@types/eslint-plugin-jsx-a11y": "^6.10.1",
         "@types/eslint-plugin-security": "^3.0.1",
         "@types/htmlhint": "^1.1.5",
         "@types/madge": "^5.0.3",
-        "@types/node": "^25.5.0",
+        "@types/node": "^25.5.2",
         "@types/postcss-clamp": "^4.1.3",
         "@types/postcss-flexbugs-fixes": "^5.0.3",
         "@types/postcss-html": "^1.5.3",
@@ -195,12 +192,12 @@
         "@types/postcss-normalize": "^9.0.4",
         "@types/postcss-reporter": "^7.0.5",
         "@types/sloc": "^0.2.3",
-        "@typescript-eslint/eslint-plugin": "^8.57.2",
-        "@typescript-eslint/parser": "^8.57.2",
-        "@typescript-eslint/rule-tester": "^8.57.2",
-        "@vitest/coverage-v8": "^4.1.1",
-        "@vitest/eslint-plugin": "^1.6.13",
-        "@vitest/ui": "^4.1.1",
+        "@typescript-eslint/eslint-plugin": "^8.58.0",
+        "@typescript-eslint/parser": "^8.58.0",
+        "@typescript-eslint/rule-tester": "^8.58.0",
+        "@vitest/coverage-v8": "^4.1.2",
+        "@vitest/eslint-plugin": "^1.6.14",
+        "@vitest/ui": "^4.1.2",
         "actionlint": "^2.0.6",
         "all-contributors-cli": "^6.26.1",
         "cognitive-complexity-ts": "^0.8.1",
@@ -209,7 +206,7 @@
         "cross-env": "^10.1.0",
         "depcheck": "^1.4.7",
         "detect-secrets": "^1.0.6",
-        "eslint": "^10.1.0",
+        "eslint": "^10.2.0",
         "eslint-config-flat-gitignore": "^2.3.0",
         "eslint-config-prettier": "^10.1.8",
         "eslint-formatter-unix": "^9.0.1",
@@ -223,21 +220,19 @@
         "eslint-plugin-depend": "^1.5.0",
         "eslint-plugin-eslint-plugin": "^7.3.2",
         "eslint-plugin-etc": "^2.0.3",
-        "eslint-plugin-etc-misc": "^1.0.4",
-        "eslint-plugin-file-progress-2": "^3.4.3",
+        "eslint-plugin-etc-misc": "^1.0.5",
+        "eslint-plugin-file-progress-2": "^3.4.4",
         "eslint-plugin-html": "^8.1.4",
         "eslint-plugin-import-x": "^4.16.2",
-        "eslint-plugin-jsdoc": "^62.8.0",
+        "eslint-plugin-jsdoc": "^62.9.0",
         "eslint-plugin-jsonc": "^3.1.2",
         "eslint-plugin-jsx-a11y": "^6.10.2",
         "eslint-plugin-listeners": "^1.5.1",
-        "eslint-plugin-loadable-imports": "^1.0.1",
         "eslint-plugin-math": "^0.13.1",
         "eslint-plugin-module-interop": "^0.3.1",
         "eslint-plugin-n": "^17.24.0",
         "eslint-plugin-nitpick": "^0.12.0",
         "eslint-plugin-no-barrel-files": "^1.2.2",
-        "eslint-plugin-no-explicit-type-exports": "^0.12.1",
         "eslint-plugin-no-function-declare-after-return": "^1.1.0",
         "eslint-plugin-no-lookahead-lookbehind-regexp": "^0.4.0",
         "eslint-plugin-no-only-tests": "^3.3.0",
@@ -245,8 +240,8 @@
         "eslint-plugin-no-unsanitized": "^4.1.5",
         "eslint-plugin-no-use-extend-native": "^0.7.2",
         "eslint-plugin-node-dependencies": "^2.2.0",
-        "eslint-plugin-package-json": "^0.91.0",
-        "eslint-plugin-perfectionist": "^5.7.0",
+        "eslint-plugin-package-json": "^0.91.1",
+        "eslint-plugin-perfectionist": "^5.8.0",
         "eslint-plugin-prefer-arrow": "^1.2.3",
         "eslint-plugin-prettier": "^5.5.5",
         "eslint-plugin-promise": "^7.2.1",
@@ -255,14 +250,12 @@
         "eslint-plugin-require-jsdoc": "^1.0.4",
         "eslint-plugin-security": "^4.0.0",
         "eslint-plugin-sonarjs": "^4.0.2",
-        "eslint-plugin-sort-class-members": "^1.21.0",
-        "eslint-plugin-testing-library": "^7.16.1",
+        "eslint-plugin-testing-library": "^7.16.2",
         "eslint-plugin-toml": "^1.3.1",
-        "eslint-plugin-total-functions": "^7.1.0",
         "eslint-plugin-tsdoc": "^0.5.2",
-        "eslint-plugin-tsdoc-require-2": "^1.0.6",
+        "eslint-plugin-tsdoc-require-2": "^1.0.7",
         "eslint-plugin-undefined-css-classes": "^0.1.5",
-        "eslint-plugin-unicorn": "^63.0.0",
+        "eslint-plugin-unicorn": "^64.0.0",
         "eslint-plugin-unused-imports": "^4.4.1",
         "eslint-plugin-write-good-comments": "^0.2.0",
         "eslint-plugin-yml": "^3.3.1",
@@ -273,12 +266,12 @@
         "htmlhint": "^1.9.2",
         "jscpd": "^4.0.8",
         "jsonc-eslint-parser": "^3.1.0",
-        "knip": "^6.0.4",
+        "knip": "^6.3.0",
         "leasot": "^14.4.0",
         "madge": "^8.0.0",
         "markdown-link-check": "^3.14.2",
-        "npm-check-updates": "^19.6.5",
-        "npm-package-json-lint": "^9.1.0",
+        "npm-check-updates": "^20.0.0",
+        "npm-package-json-lint": "^10.0.0",
         "picocolors": "^1.1.1",
         "postcss": "^8.5.8",
         "postcss-assets": "^6.0.0",
@@ -302,7 +295,7 @@
         "prettier-plugin-interpolated-html-tags": "^2.0.1",
         "prettier-plugin-jsdoc": "^1.8.0",
         "prettier-plugin-jsdoc-type": "^0.2.0",
-        "prettier-plugin-merge": "^0.10.0",
+        "prettier-plugin-merge": "^0.10.1",
         "prettier-plugin-multiline-arrays": "^4.1.5",
         "prettier-plugin-packagejson": "^3.0.2",
         "prettier-plugin-properties": "^0.3.1",
@@ -417,16 +410,16 @@
         "remark-validate-links": "^13.1.0",
         "remark-wiki-link": "^2.0.1",
         "rimraf": "^6.1.3",
-        "secretlint": "^11.4.0",
+        "secretlint": "^11.4.1",
         "sloc": "^0.3.2",
         "sort-package-json": "^3.6.1",
-        "stylelint": "^17.5.0",
+        "stylelint": "^17.6.0",
         "stylelint-actions-formatters": "^16.3.1",
         "stylelint-checkstyle-formatter": "^0.1.2",
         "stylelint-codeframe-formatter": "^1.2.0",
         "stylelint-config-alphabetical-order": "^2.0.0",
         "stylelint-config-idiomatic-order": "^10.0.0",
-        "stylelint-config-inspector": "^2.0.2",
+        "stylelint-config-inspector": "^2.0.3",
         "stylelint-config-recess-order": "^7.7.0",
         "stylelint-config-recommended": "^18.0.0",
         "stylelint-config-sass-guidelines": "^13.0.0",
@@ -449,8 +442,8 @@
         "stylelint-no-unresolved-module": "^2.5.2",
         "stylelint-no-unsupported-browser-features": "^8.1.1",
         "stylelint-order": "^8.1.1",
-        "stylelint-plugin-defensive-css": "^2.8.0",
-        "stylelint-plugin-logical-css": "^2.0.2",
+        "stylelint-plugin-defensive-css": "^2.8.1",
+        "stylelint-plugin-logical-css": "^2.1.0",
         "stylelint-plugin-use-baseline": "^1.4.1",
         "stylelint-prettier": "^5.0.3",
         "stylelint-react-native": "^2.7.0",
@@ -462,18 +455,18 @@
         "ts-unused-exports": "^11.0.1",
         "typedoc": "^0.28.18",
         "typescript": "^6.0.2",
-        "typescript-eslint": "^8.57.2",
+        "typescript-eslint": "^8.58.0",
         "typesync": "^0.14.3",
         "vfile": "^6.0.3",
-        "vite": "^8.0.2",
+        "vite": "^8.0.3",
         "vite-tsconfig-paths": "^6.1.1",
-        "vitest": "^4.1.1",
+        "vitest": "^4.1.2",
         "yamllint-js": "^0.2.4"
     },
     "peerDependencies": {
-        "eslint": "^9.0.0 || ^10.1.0"
+        "eslint": "^9.0.0 || ^10.2.0"
     },
-    "packageManager": "npm@11.12.0",
+    "packageManager": "npm@11.12.1",
     "engines": {
         "node": ">=22.0.0"
     },