eslint-plugin-github-actions-2 1.0.2 → 1.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (504) hide show
  1. package/README.md +149 -101
  2. package/dist/_internal/code-scanning-workflow.d.ts +37 -0
  3. package/dist/_internal/code-scanning-workflow.d.ts.map +1 -0
  4. package/dist/_internal/code-scanning-workflow.js +73 -0
  5. package/dist/_internal/code-scanning-workflow.js.map +1 -0
  6. package/dist/_internal/dependabot-automation-workflow.d.ts +26 -0
  7. package/dist/_internal/dependabot-automation-workflow.d.ts.map +1 -0
  8. package/dist/_internal/dependabot-automation-workflow.js +25 -0
  9. package/dist/_internal/dependabot-automation-workflow.js.map +1 -0
  10. package/dist/_internal/dependabot-yaml.d.ts +63 -0
  11. package/dist/_internal/dependabot-yaml.d.ts.map +1 -0
  12. package/dist/_internal/dependabot-yaml.js +139 -0
  13. package/dist/_internal/dependabot-yaml.js.map +1 -0
  14. package/dist/_internal/dependency-review-workflow.d.ts +20 -0
  15. package/dist/_internal/dependency-review-workflow.d.ts.map +1 -0
  16. package/dist/_internal/dependency-review-workflow.js +9 -0
  17. package/dist/_internal/dependency-review-workflow.js.map +1 -0
  18. package/dist/_internal/github-actions-config-references.d.ts +1 -1
  19. package/dist/_internal/github-actions-config-references.d.ts.map +1 -1
  20. package/dist/_internal/github-actions-config-references.js +19 -2
  21. package/dist/_internal/github-actions-config-references.js.map +1 -1
  22. package/dist/_internal/lint-targets.d.ts +8 -0
  23. package/dist/_internal/lint-targets.d.ts.map +1 -1
  24. package/dist/_internal/lint-targets.js +26 -0
  25. package/dist/_internal/lint-targets.js.map +1 -1
  26. package/dist/_internal/rules-registry.d.ts +90 -0
  27. package/dist/_internal/rules-registry.d.ts.map +1 -1
  28. package/dist/_internal/rules-registry.js +90 -0
  29. package/dist/_internal/rules-registry.js.map +1 -1
  30. package/dist/_internal/secret-scanning-workflow.d.ts +24 -0
  31. package/dist/_internal/secret-scanning-workflow.d.ts.map +1 -0
  32. package/dist/_internal/secret-scanning-workflow.js +21 -0
  33. package/dist/_internal/secret-scanning-workflow.js.map +1 -0
  34. package/dist/_internal/workflow-action-steps.d.ts +35 -0
  35. package/dist/_internal/workflow-action-steps.d.ts.map +1 -0
  36. package/dist/_internal/workflow-action-steps.js +75 -0
  37. package/dist/_internal/workflow-action-steps.js.map +1 -0
  38. package/dist/_internal/workflow-permissions.d.ts +11 -0
  39. package/dist/_internal/workflow-permissions.d.ts.map +1 -0
  40. package/dist/_internal/workflow-permissions.js +50 -0
  41. package/dist/_internal/workflow-permissions.js.map +1 -0
  42. package/dist/_internal/yaml-fixes.d.ts +13 -0
  43. package/dist/_internal/yaml-fixes.d.ts.map +1 -0
  44. package/dist/_internal/yaml-fixes.js +77 -0
  45. package/dist/_internal/yaml-fixes.js.map +1 -0
  46. package/dist/plugin.cjs +3524 -292
  47. package/dist/plugin.cjs.map +4 -4
  48. package/dist/plugin.d.ts.map +1 -1
  49. package/dist/plugin.js +2 -0
  50. package/dist/plugin.js.map +1 -1
  51. package/dist/rules/action-name-casing.d.ts.map +1 -1
  52. package/dist/rules/action-name-casing.js +3 -0
  53. package/dist/rules/action-name-casing.js.map +1 -1
  54. package/dist/rules/job-id-casing.d.ts.map +1 -1
  55. package/dist/rules/job-id-casing.js +3 -0
  56. package/dist/rules/job-id-casing.js.map +1 -1
  57. package/dist/rules/max-jobs-per-action.d.ts.map +1 -1
  58. package/dist/rules/max-jobs-per-action.js +3 -0
  59. package/dist/rules/max-jobs-per-action.js.map +1 -1
  60. package/dist/rules/no-case-insensitive-input-id-collision.d.ts.map +1 -1
  61. package/dist/rules/no-case-insensitive-input-id-collision.js +3 -0
  62. package/dist/rules/no-case-insensitive-input-id-collision.js.map +1 -1
  63. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.d.ts +9 -0
  64. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.d.ts.map +1 -0
  65. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.js +54 -0
  66. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.js.map +1 -0
  67. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.d.ts +9 -0
  68. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.d.ts.map +1 -0
  69. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.js +50 -0
  70. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.js.map +1 -0
  71. package/dist/rules/no-composite-input-env-access.d.ts.map +1 -1
  72. package/dist/rules/no-composite-input-env-access.js +3 -0
  73. package/dist/rules/no-composite-input-env-access.js.map +1 -1
  74. package/dist/rules/no-deprecated-node-runtime.d.ts.map +1 -1
  75. package/dist/rules/no-deprecated-node-runtime.js +3 -0
  76. package/dist/rules/no-deprecated-node-runtime.js.map +1 -1
  77. package/dist/rules/no-duplicate-composite-step-id.d.ts.map +1 -1
  78. package/dist/rules/no-duplicate-composite-step-id.js +3 -0
  79. package/dist/rules/no-duplicate-composite-step-id.js.map +1 -1
  80. package/dist/rules/no-empty-template-file-pattern.d.ts.map +1 -1
  81. package/dist/rules/no-empty-template-file-pattern.js +6 -0
  82. package/dist/rules/no-empty-template-file-pattern.js.map +1 -1
  83. package/dist/rules/no-external-job.d.ts.map +1 -1
  84. package/dist/rules/no-external-job.js +3 -0
  85. package/dist/rules/no-external-job.js.map +1 -1
  86. package/dist/rules/no-hardcoded-default-branch-in-template.d.ts.map +1 -1
  87. package/dist/rules/no-hardcoded-default-branch-in-template.js +3 -0
  88. package/dist/rules/no-hardcoded-default-branch-in-template.js.map +1 -1
  89. package/dist/rules/no-icon-file-extension-in-template-icon-name.d.ts.map +1 -1
  90. package/dist/rules/no-icon-file-extension-in-template-icon-name.js +13 -3
  91. package/dist/rules/no-icon-file-extension-in-template-icon-name.js.map +1 -1
  92. package/dist/rules/no-inherit-secrets.d.ts.map +1 -1
  93. package/dist/rules/no-inherit-secrets.js +3 -0
  94. package/dist/rules/no-inherit-secrets.js.map +1 -1
  95. package/dist/rules/no-invalid-concurrency-context.d.ts.map +1 -1
  96. package/dist/rules/no-invalid-concurrency-context.js +3 -0
  97. package/dist/rules/no-invalid-concurrency-context.js.map +1 -1
  98. package/dist/rules/no-invalid-key.d.ts.map +1 -1
  99. package/dist/rules/no-invalid-key.js +3 -0
  100. package/dist/rules/no-invalid-key.js.map +1 -1
  101. package/dist/rules/no-invalid-reusable-workflow-job-key.d.ts.map +1 -1
  102. package/dist/rules/no-invalid-reusable-workflow-job-key.js +3 -0
  103. package/dist/rules/no-invalid-reusable-workflow-job-key.js.map +1 -1
  104. package/dist/rules/no-invalid-template-file-pattern-regex.d.ts.map +1 -1
  105. package/dist/rules/no-invalid-template-file-pattern-regex.js +3 -0
  106. package/dist/rules/no-invalid-template-file-pattern-regex.js.map +1 -1
  107. package/dist/rules/no-invalid-workflow-call-output-value.d.ts.map +1 -1
  108. package/dist/rules/no-invalid-workflow-call-output-value.js +3 -0
  109. package/dist/rules/no-invalid-workflow-call-output-value.js.map +1 -1
  110. package/dist/rules/no-overlapping-dependabot-directories.d.ts +9 -0
  111. package/dist/rules/no-overlapping-dependabot-directories.d.ts.map +1 -0
  112. package/dist/rules/no-overlapping-dependabot-directories.js +151 -0
  113. package/dist/rules/no-overlapping-dependabot-directories.js.map +1 -0
  114. package/dist/rules/no-path-separators-in-template-icon-name.d.ts.map +1 -1
  115. package/dist/rules/no-path-separators-in-template-icon-name.js +26 -3
  116. package/dist/rules/no-path-separators-in-template-icon-name.js.map +1 -1
  117. package/dist/rules/no-post-if-without-post.d.ts.map +1 -1
  118. package/dist/rules/no-post-if-without-post.js +6 -0
  119. package/dist/rules/no-post-if-without-post.js.map +1 -1
  120. package/dist/rules/no-pr-head-checkout-in-pull-request-target.d.ts.map +1 -1
  121. package/dist/rules/no-pr-head-checkout-in-pull-request-target.js +3 -0
  122. package/dist/rules/no-pr-head-checkout-in-pull-request-target.js.map +1 -1
  123. package/dist/rules/no-pre-if-without-pre.d.ts.map +1 -1
  124. package/dist/rules/no-pre-if-without-pre.js +6 -0
  125. package/dist/rules/no-pre-if-without-pre.js.map +1 -1
  126. package/dist/rules/no-required-input-with-default.d.ts.map +1 -1
  127. package/dist/rules/no-required-input-with-default.js +23 -0
  128. package/dist/rules/no-required-input-with-default.js.map +1 -1
  129. package/dist/rules/no-secrets-in-if.d.ts.map +1 -1
  130. package/dist/rules/no-secrets-in-if.js +3 -0
  131. package/dist/rules/no-secrets-in-if.js.map +1 -1
  132. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.d.ts.map +1 -1
  133. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.js +3 -0
  134. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.js.map +1 -1
  135. package/dist/rules/no-subdirectory-template-file-pattern.d.ts.map +1 -1
  136. package/dist/rules/no-subdirectory-template-file-pattern.js +3 -0
  137. package/dist/rules/no-subdirectory-template-file-pattern.js.map +1 -1
  138. package/dist/rules/no-template-placeholder-in-non-template-workflow.d.ts.map +1 -1
  139. package/dist/rules/no-template-placeholder-in-non-template-workflow.js +3 -0
  140. package/dist/rules/no-template-placeholder-in-non-template-workflow.js.map +1 -1
  141. package/dist/rules/no-top-level-env.d.ts.map +1 -1
  142. package/dist/rules/no-top-level-env.js +3 -0
  143. package/dist/rules/no-top-level-env.js.map +1 -1
  144. package/dist/rules/no-top-level-permissions.d.ts.map +1 -1
  145. package/dist/rules/no-top-level-permissions.js +3 -0
  146. package/dist/rules/no-top-level-permissions.js.map +1 -1
  147. package/dist/rules/no-universal-template-file-pattern.d.ts.map +1 -1
  148. package/dist/rules/no-universal-template-file-pattern.js +3 -0
  149. package/dist/rules/no-universal-template-file-pattern.js.map +1 -1
  150. package/dist/rules/no-unknown-dependabot-multi-ecosystem-group.d.ts +9 -0
  151. package/dist/rules/no-unknown-dependabot-multi-ecosystem-group.d.ts.map +1 -0
  152. package/dist/rules/no-unknown-dependabot-multi-ecosystem-group.js +58 -0
  153. package/dist/rules/no-unknown-dependabot-multi-ecosystem-group.js.map +1 -0
  154. package/dist/rules/no-unknown-input-reference-in-composite.d.ts.map +1 -1
  155. package/dist/rules/no-unknown-input-reference-in-composite.js +3 -0
  156. package/dist/rules/no-unknown-input-reference-in-composite.js.map +1 -1
  157. package/dist/rules/no-unknown-job-output-reference.d.ts.map +1 -1
  158. package/dist/rules/no-unknown-job-output-reference.js +3 -0
  159. package/dist/rules/no-unknown-job-output-reference.js.map +1 -1
  160. package/dist/rules/no-unknown-step-reference.d.ts.map +1 -1
  161. package/dist/rules/no-unknown-step-reference.js +3 -0
  162. package/dist/rules/no-unknown-step-reference.js.map +1 -1
  163. package/dist/rules/no-untrusted-input-in-run.d.ts.map +1 -1
  164. package/dist/rules/no-untrusted-input-in-run.js +3 -0
  165. package/dist/rules/no-untrusted-input-in-run.js.map +1 -1
  166. package/dist/rules/no-unused-dependabot-enable-beta-ecosystems.d.ts +9 -0
  167. package/dist/rules/no-unused-dependabot-enable-beta-ecosystems.d.ts.map +1 -0
  168. package/dist/rules/no-unused-dependabot-enable-beta-ecosystems.js +51 -0
  169. package/dist/rules/no-unused-dependabot-enable-beta-ecosystems.js.map +1 -0
  170. package/dist/rules/no-unused-input-in-composite.d.ts.map +1 -1
  171. package/dist/rules/no-unused-input-in-composite.js +3 -0
  172. package/dist/rules/no-unused-input-in-composite.js.map +1 -1
  173. package/dist/rules/no-write-all-permissions.d.ts.map +1 -1
  174. package/dist/rules/no-write-all-permissions.js +3 -0
  175. package/dist/rules/no-write-all-permissions.js.map +1 -1
  176. package/dist/rules/pin-action-shas.d.ts.map +1 -1
  177. package/dist/rules/pin-action-shas.js +3 -0
  178. package/dist/rules/pin-action-shas.js.map +1 -1
  179. package/dist/rules/prefer-action-yml.d.ts.map +1 -1
  180. package/dist/rules/prefer-action-yml.js +3 -0
  181. package/dist/rules/prefer-action-yml.js.map +1 -1
  182. package/dist/rules/prefer-fail-fast.d.ts.map +1 -1
  183. package/dist/rules/prefer-fail-fast.js +3 -0
  184. package/dist/rules/prefer-fail-fast.js.map +1 -1
  185. package/dist/rules/prefer-file-extension.d.ts.map +1 -1
  186. package/dist/rules/prefer-file-extension.js +3 -0
  187. package/dist/rules/prefer-file-extension.js.map +1 -1
  188. package/dist/rules/prefer-inputs-context.d.ts.map +1 -1
  189. package/dist/rules/prefer-inputs-context.js +3 -0
  190. package/dist/rules/prefer-inputs-context.js.map +1 -1
  191. package/dist/rules/prefer-step-uses-style.d.ts.map +1 -1
  192. package/dist/rules/prefer-step-uses-style.js +3 -0
  193. package/dist/rules/prefer-step-uses-style.js.map +1 -1
  194. package/dist/rules/prefer-template-yml-extension.d.ts.map +1 -1
  195. package/dist/rules/prefer-template-yml-extension.js +3 -0
  196. package/dist/rules/prefer-template-yml-extension.js.map +1 -1
  197. package/dist/rules/require-action-name.d.ts.map +1 -1
  198. package/dist/rules/require-action-name.js +3 -0
  199. package/dist/rules/require-action-name.js.map +1 -1
  200. package/dist/rules/require-action-run-name.d.ts.map +1 -1
  201. package/dist/rules/require-action-run-name.js +3 -0
  202. package/dist/rules/require-action-run-name.js.map +1 -1
  203. package/dist/rules/require-checkout-before-local-action.d.ts.map +1 -1
  204. package/dist/rules/require-checkout-before-local-action.js +3 -0
  205. package/dist/rules/require-checkout-before-local-action.js.map +1 -1
  206. package/dist/rules/require-codeql-actions-read.d.ts +9 -0
  207. package/dist/rules/require-codeql-actions-read.d.ts.map +1 -0
  208. package/dist/rules/require-codeql-actions-read.js +63 -0
  209. package/dist/rules/require-codeql-actions-read.js.map +1 -0
  210. package/dist/rules/require-codeql-branch-filters.d.ts +12 -0
  211. package/dist/rules/require-codeql-branch-filters.d.ts.map +1 -0
  212. package/dist/rules/require-codeql-branch-filters.js +83 -0
  213. package/dist/rules/require-codeql-branch-filters.js.map +1 -0
  214. package/dist/rules/require-codeql-category-when-language-matrix.d.ts +12 -0
  215. package/dist/rules/require-codeql-category-when-language-matrix.d.ts.map +1 -0
  216. package/dist/rules/require-codeql-category-when-language-matrix.js +68 -0
  217. package/dist/rules/require-codeql-category-when-language-matrix.js.map +1 -0
  218. package/dist/rules/require-codeql-pull-request-trigger.d.ts +9 -0
  219. package/dist/rules/require-codeql-pull-request-trigger.d.ts.map +1 -0
  220. package/dist/rules/require-codeql-pull-request-trigger.js +46 -0
  221. package/dist/rules/require-codeql-pull-request-trigger.js.map +1 -0
  222. package/dist/rules/require-codeql-schedule.d.ts +9 -0
  223. package/dist/rules/require-codeql-schedule.d.ts.map +1 -0
  224. package/dist/rules/require-codeql-schedule.js +46 -0
  225. package/dist/rules/require-codeql-schedule.js.map +1 -0
  226. package/dist/rules/require-codeql-security-events-write.d.ts +9 -0
  227. package/dist/rules/require-codeql-security-events-write.d.ts.map +1 -0
  228. package/dist/rules/require-codeql-security-events-write.js +53 -0
  229. package/dist/rules/require-codeql-security-events-write.js.map +1 -0
  230. package/dist/rules/require-composite-step-name.d.ts.map +1 -1
  231. package/dist/rules/require-composite-step-name.js +3 -0
  232. package/dist/rules/require-composite-step-name.js.map +1 -1
  233. package/dist/rules/require-dependabot-assignees.d.ts +9 -0
  234. package/dist/rules/require-dependabot-assignees.d.ts.map +1 -0
  235. package/dist/rules/require-dependabot-assignees.js +53 -0
  236. package/dist/rules/require-dependabot-assignees.js.map +1 -0
  237. package/dist/rules/require-dependabot-automation-permissions.d.ts +9 -0
  238. package/dist/rules/require-dependabot-automation-permissions.d.ts.map +1 -0
  239. package/dist/rules/require-dependabot-automation-permissions.js +68 -0
  240. package/dist/rules/require-dependabot-automation-permissions.js.map +1 -0
  241. package/dist/rules/require-dependabot-automation-pull-request-trigger.d.ts +12 -0
  242. package/dist/rules/require-dependabot-automation-pull-request-trigger.d.ts.map +1 -0
  243. package/dist/rules/require-dependabot-automation-pull-request-trigger.js +49 -0
  244. package/dist/rules/require-dependabot-automation-pull-request-trigger.js.map +1 -0
  245. package/dist/rules/require-dependabot-bot-actor-guard.d.ts +9 -0
  246. package/dist/rules/require-dependabot-bot-actor-guard.d.ts.map +1 -0
  247. package/dist/rules/require-dependabot-bot-actor-guard.js +64 -0
  248. package/dist/rules/require-dependabot-bot-actor-guard.js.map +1 -0
  249. package/dist/rules/require-dependabot-commit-message-include-scope.d.ts +9 -0
  250. package/dist/rules/require-dependabot-commit-message-include-scope.d.ts.map +1 -0
  251. package/dist/rules/require-dependabot-commit-message-include-scope.js +60 -0
  252. package/dist/rules/require-dependabot-commit-message-include-scope.js.map +1 -0
  253. package/dist/rules/require-dependabot-commit-message-prefix-development.d.ts +9 -0
  254. package/dist/rules/require-dependabot-commit-message-prefix-development.d.ts.map +1 -0
  255. package/dist/rules/require-dependabot-commit-message-prefix-development.js +75 -0
  256. package/dist/rules/require-dependabot-commit-message-prefix-development.js.map +1 -0
  257. package/dist/rules/require-dependabot-commit-message-prefix.d.ts +9 -0
  258. package/dist/rules/require-dependabot-commit-message-prefix.d.ts.map +1 -0
  259. package/dist/rules/require-dependabot-commit-message-prefix.js +60 -0
  260. package/dist/rules/require-dependabot-commit-message-prefix.js.map +1 -0
  261. package/dist/rules/require-dependabot-cooldown.d.ts +9 -0
  262. package/dist/rules/require-dependabot-cooldown.d.ts.map +1 -0
  263. package/dist/rules/require-dependabot-cooldown.js +52 -0
  264. package/dist/rules/require-dependabot-cooldown.js.map +1 -0
  265. package/dist/rules/require-dependabot-directory.d.ts +9 -0
  266. package/dist/rules/require-dependabot-directory.d.ts.map +1 -0
  267. package/dist/rules/require-dependabot-directory.js +68 -0
  268. package/dist/rules/require-dependabot-directory.js.map +1 -0
  269. package/dist/rules/require-dependabot-github-actions-directory-root.d.ts +9 -0
  270. package/dist/rules/require-dependabot-github-actions-directory-root.d.ts.map +1 -0
  271. package/dist/rules/require-dependabot-github-actions-directory-root.js +76 -0
  272. package/dist/rules/require-dependabot-github-actions-directory-root.js.map +1 -0
  273. package/dist/rules/require-dependabot-labels.d.ts +9 -0
  274. package/dist/rules/require-dependabot-labels.d.ts.map +1 -0
  275. package/dist/rules/require-dependabot-labels.js +52 -0
  276. package/dist/rules/require-dependabot-labels.js.map +1 -0
  277. package/dist/rules/require-dependabot-open-pull-requests-limit.d.ts +9 -0
  278. package/dist/rules/require-dependabot-open-pull-requests-limit.d.ts.map +1 -0
  279. package/dist/rules/require-dependabot-open-pull-requests-limit.js +55 -0
  280. package/dist/rules/require-dependabot-open-pull-requests-limit.js.map +1 -0
  281. package/dist/rules/require-dependabot-package-ecosystem.d.ts +9 -0
  282. package/dist/rules/require-dependabot-package-ecosystem.d.ts.map +1 -0
  283. package/dist/rules/require-dependabot-package-ecosystem.js +79 -0
  284. package/dist/rules/require-dependabot-package-ecosystem.js.map +1 -0
  285. package/dist/rules/require-dependabot-patterns-for-multi-ecosystem-group.d.ts +9 -0
  286. package/dist/rules/require-dependabot-patterns-for-multi-ecosystem-group.d.ts.map +1 -0
  287. package/dist/rules/require-dependabot-patterns-for-multi-ecosystem-group.js +58 -0
  288. package/dist/rules/require-dependabot-patterns-for-multi-ecosystem-group.js.map +1 -0
  289. package/dist/rules/require-dependabot-schedule-cronjob.d.ts +9 -0
  290. package/dist/rules/require-dependabot-schedule-cronjob.d.ts.map +1 -0
  291. package/dist/rules/require-dependabot-schedule-cronjob.js +82 -0
  292. package/dist/rules/require-dependabot-schedule-cronjob.js.map +1 -0
  293. package/dist/rules/require-dependabot-schedule-interval.d.ts +9 -0
  294. package/dist/rules/require-dependabot-schedule-interval.d.ts.map +1 -0
  295. package/dist/rules/require-dependabot-schedule-interval.js +73 -0
  296. package/dist/rules/require-dependabot-schedule-interval.js.map +1 -0
  297. package/dist/rules/require-dependabot-schedule-time.d.ts +9 -0
  298. package/dist/rules/require-dependabot-schedule-time.d.ts.map +1 -0
  299. package/dist/rules/require-dependabot-schedule-time.js +68 -0
  300. package/dist/rules/require-dependabot-schedule-time.js.map +1 -0
  301. package/dist/rules/require-dependabot-schedule-timezone.d.ts +9 -0
  302. package/dist/rules/require-dependabot-schedule-timezone.d.ts.map +1 -0
  303. package/dist/rules/require-dependabot-schedule-timezone.js +69 -0
  304. package/dist/rules/require-dependabot-schedule-timezone.js.map +1 -0
  305. package/dist/rules/require-dependabot-target-branch.d.ts +9 -0
  306. package/dist/rules/require-dependabot-target-branch.d.ts.map +1 -0
  307. package/dist/rules/require-dependabot-target-branch.js +53 -0
  308. package/dist/rules/require-dependabot-target-branch.js.map +1 -0
  309. package/dist/rules/require-dependabot-updates.d.ts +9 -0
  310. package/dist/rules/require-dependabot-updates.d.ts.map +1 -0
  311. package/dist/rules/require-dependabot-updates.js +54 -0
  312. package/dist/rules/require-dependabot-updates.js.map +1 -0
  313. package/dist/rules/require-dependabot-version.d.ts +9 -0
  314. package/dist/rules/require-dependabot-version.d.ts.map +1 -0
  315. package/dist/rules/require-dependabot-version.js +62 -0
  316. package/dist/rules/require-dependabot-version.js.map +1 -0
  317. package/dist/rules/require-dependabot-versioning-strategy-for-npm.d.ts +9 -0
  318. package/dist/rules/require-dependabot-versioning-strategy-for-npm.d.ts.map +1 -0
  319. package/dist/rules/require-dependabot-versioning-strategy-for-npm.js +58 -0
  320. package/dist/rules/require-dependabot-versioning-strategy-for-npm.js.map +1 -0
  321. package/dist/rules/require-dependency-review-action.d.ts +9 -0
  322. package/dist/rules/require-dependency-review-action.d.ts.map +1 -0
  323. package/dist/rules/require-dependency-review-action.js +51 -0
  324. package/dist/rules/require-dependency-review-action.js.map +1 -0
  325. package/dist/rules/require-dependency-review-fail-on-severity.d.ts +9 -0
  326. package/dist/rules/require-dependency-review-fail-on-severity.d.ts.map +1 -0
  327. package/dist/rules/require-dependency-review-fail-on-severity.js +62 -0
  328. package/dist/rules/require-dependency-review-fail-on-severity.js.map +1 -0
  329. package/dist/rules/require-dependency-review-permissions-contents-read.d.ts +9 -0
  330. package/dist/rules/require-dependency-review-permissions-contents-read.d.ts.map +1 -0
  331. package/dist/rules/require-dependency-review-permissions-contents-read.js +55 -0
  332. package/dist/rules/require-dependency-review-permissions-contents-read.js.map +1 -0
  333. package/dist/rules/require-dependency-review-pull-request-trigger.d.ts +9 -0
  334. package/dist/rules/require-dependency-review-pull-request-trigger.d.ts.map +1 -0
  335. package/dist/rules/require-dependency-review-pull-request-trigger.js +47 -0
  336. package/dist/rules/require-dependency-review-pull-request-trigger.js.map +1 -0
  337. package/dist/rules/require-fetch-metadata-github-token.d.ts +9 -0
  338. package/dist/rules/require-fetch-metadata-github-token.d.ts.map +1 -0
  339. package/dist/rules/require-fetch-metadata-github-token.js +57 -0
  340. package/dist/rules/require-fetch-metadata-github-token.js.map +1 -0
  341. package/dist/rules/require-job-name.d.ts.map +1 -1
  342. package/dist/rules/require-job-name.js +35 -0
  343. package/dist/rules/require-job-name.js.map +1 -1
  344. package/dist/rules/require-job-step-name.d.ts.map +1 -1
  345. package/dist/rules/require-job-step-name.js +76 -0
  346. package/dist/rules/require-job-step-name.js.map +1 -1
  347. package/dist/rules/require-job-timeout-minutes.d.ts.map +1 -1
  348. package/dist/rules/require-job-timeout-minutes.js +3 -0
  349. package/dist/rules/require-job-timeout-minutes.js.map +1 -1
  350. package/dist/rules/require-merge-group-trigger.d.ts.map +1 -1
  351. package/dist/rules/require-merge-group-trigger.js +3 -0
  352. package/dist/rules/require-merge-group-trigger.js.map +1 -1
  353. package/dist/rules/require-pull-request-target-branches.d.ts.map +1 -1
  354. package/dist/rules/require-pull-request-target-branches.js +3 -0
  355. package/dist/rules/require-pull-request-target-branches.js.map +1 -1
  356. package/dist/rules/require-run-step-shell.d.ts.map +1 -1
  357. package/dist/rules/require-run-step-shell.js +3 -0
  358. package/dist/rules/require-run-step-shell.js.map +1 -1
  359. package/dist/rules/require-sarif-upload-security-events-write.d.ts +9 -0
  360. package/dist/rules/require-sarif-upload-security-events-write.d.ts.map +1 -0
  361. package/dist/rules/require-sarif-upload-security-events-write.js +51 -0
  362. package/dist/rules/require-sarif-upload-security-events-write.js.map +1 -0
  363. package/dist/rules/require-scorecard-results-format-sarif.d.ts +9 -0
  364. package/dist/rules/require-scorecard-results-format-sarif.d.ts.map +1 -0
  365. package/dist/rules/require-scorecard-results-format-sarif.js +57 -0
  366. package/dist/rules/require-scorecard-results-format-sarif.js.map +1 -0
  367. package/dist/rules/require-scorecard-upload-sarif-step.d.ts +9 -0
  368. package/dist/rules/require-scorecard-upload-sarif-step.d.ts.map +1 -0
  369. package/dist/rules/require-scorecard-upload-sarif-step.js +46 -0
  370. package/dist/rules/require-scorecard-upload-sarif-step.js.map +1 -0
  371. package/dist/rules/require-secret-scan-contents-read.d.ts +12 -0
  372. package/dist/rules/require-secret-scan-contents-read.d.ts.map +1 -0
  373. package/dist/rules/require-secret-scan-contents-read.js +53 -0
  374. package/dist/rules/require-secret-scan-contents-read.js.map +1 -0
  375. package/dist/rules/require-secret-scan-fetch-depth-zero.d.ts +9 -0
  376. package/dist/rules/require-secret-scan-fetch-depth-zero.d.ts.map +1 -0
  377. package/dist/rules/require-secret-scan-fetch-depth-zero.js +77 -0
  378. package/dist/rules/require-secret-scan-fetch-depth-zero.js.map +1 -0
  379. package/dist/rules/require-secret-scan-schedule.d.ts +9 -0
  380. package/dist/rules/require-secret-scan-schedule.d.ts.map +1 -0
  381. package/dist/rules/require-secret-scan-schedule.js +46 -0
  382. package/dist/rules/require-secret-scan-schedule.js.map +1 -0
  383. package/dist/rules/require-template-categories.d.ts.map +1 -1
  384. package/dist/rules/require-template-categories.js +3 -0
  385. package/dist/rules/require-template-categories.js.map +1 -1
  386. package/dist/rules/require-template-file-patterns.d.ts.map +1 -1
  387. package/dist/rules/require-template-file-patterns.js +3 -0
  388. package/dist/rules/require-template-file-patterns.js.map +1 -1
  389. package/dist/rules/require-template-icon-file-exists.d.ts.map +1 -1
  390. package/dist/rules/require-template-icon-file-exists.js +3 -0
  391. package/dist/rules/require-template-icon-file-exists.js.map +1 -1
  392. package/dist/rules/require-template-icon-name.d.ts.map +1 -1
  393. package/dist/rules/require-template-icon-name.js +3 -0
  394. package/dist/rules/require-template-icon-name.js.map +1 -1
  395. package/dist/rules/require-template-workflow-name.d.ts.map +1 -1
  396. package/dist/rules/require-template-workflow-name.js +3 -0
  397. package/dist/rules/require-template-workflow-name.js.map +1 -1
  398. package/dist/rules/require-trigger-types.d.ts.map +1 -1
  399. package/dist/rules/require-trigger-types.js +3 -0
  400. package/dist/rules/require-trigger-types.js.map +1 -1
  401. package/dist/rules/require-trufflehog-verified-results-mode.d.ts +9 -0
  402. package/dist/rules/require-trufflehog-verified-results-mode.d.ts.map +1 -0
  403. package/dist/rules/require-trufflehog-verified-results-mode.js +59 -0
  404. package/dist/rules/require-trufflehog-verified-results-mode.js.map +1 -0
  405. package/dist/rules/require-workflow-call-input-type.d.ts.map +1 -1
  406. package/dist/rules/require-workflow-call-input-type.js +3 -0
  407. package/dist/rules/require-workflow-call-input-type.js.map +1 -1
  408. package/dist/rules/require-workflow-call-output-value.d.ts.map +1 -1
  409. package/dist/rules/require-workflow-call-output-value.js +3 -0
  410. package/dist/rules/require-workflow-call-output-value.js.map +1 -1
  411. package/dist/rules/require-workflow-concurrency.d.ts.map +1 -1
  412. package/dist/rules/require-workflow-concurrency.js +3 -0
  413. package/dist/rules/require-workflow-concurrency.js.map +1 -1
  414. package/dist/rules/require-workflow-dispatch-input-type.d.ts.map +1 -1
  415. package/dist/rules/require-workflow-dispatch-input-type.js +3 -0
  416. package/dist/rules/require-workflow-dispatch-input-type.js.map +1 -1
  417. package/dist/rules/require-workflow-interface-description.d.ts.map +1 -1
  418. package/dist/rules/require-workflow-interface-description.js +3 -0
  419. package/dist/rules/require-workflow-interface-description.js.map +1 -1
  420. package/dist/rules/require-workflow-permissions.d.ts.map +1 -1
  421. package/dist/rules/require-workflow-permissions.js +3 -0
  422. package/dist/rules/require-workflow-permissions.js.map +1 -1
  423. package/dist/rules/require-workflow-run-branches.d.ts.map +1 -1
  424. package/dist/rules/require-workflow-run-branches.js +3 -0
  425. package/dist/rules/require-workflow-run-branches.js.map +1 -1
  426. package/dist/rules/require-workflow-template-pair.d.ts.map +1 -1
  427. package/dist/rules/require-workflow-template-pair.js +3 -0
  428. package/dist/rules/require-workflow-template-pair.js.map +1 -1
  429. package/dist/rules/require-workflow-template-properties-pair.d.ts.map +1 -1
  430. package/dist/rules/require-workflow-template-properties-pair.js +3 -0
  431. package/dist/rules/require-workflow-template-properties-pair.js.map +1 -1
  432. package/dist/rules/valid-timeout-minutes.d.ts.map +1 -1
  433. package/dist/rules/valid-timeout-minutes.js +3 -0
  434. package/dist/rules/valid-timeout-minutes.js.map +1 -1
  435. package/dist/rules/valid-trigger-events.d.ts.map +1 -1
  436. package/dist/rules/valid-trigger-events.js +3 -0
  437. package/dist/rules/valid-trigger-events.js.map +1 -1
  438. package/docs/rules/action-name-casing.md +6 -2
  439. package/docs/rules/no-codeql-autobuild-for-javascript-typescript.md +55 -0
  440. package/docs/rules/no-codeql-javascript-typescript-split-language-matrix.md +51 -0
  441. package/docs/rules/no-empty-template-file-pattern.md +5 -1
  442. package/docs/rules/no-icon-file-extension-in-template-icon-name.md +5 -1
  443. package/docs/rules/no-overlapping-dependabot-directories.md +87 -0
  444. package/docs/rules/no-path-separators-in-template-icon-name.md +5 -1
  445. package/docs/rules/no-post-if-without-post.md +5 -1
  446. package/docs/rules/no-pre-if-without-pre.md +5 -1
  447. package/docs/rules/no-required-input-with-default.md +10 -1
  448. package/docs/rules/no-unknown-dependabot-multi-ecosystem-group.md +62 -0
  449. package/docs/rules/no-unused-dependabot-enable-beta-ecosystems.md +63 -0
  450. package/docs/rules/overview.md +47 -1
  451. package/docs/rules/prefer-inputs-context.md +6 -2
  452. package/docs/rules/presets/action-metadata.md +22 -11
  453. package/docs/rules/presets/all.md +125 -69
  454. package/docs/rules/presets/code-scanning.md +33 -0
  455. package/docs/rules/presets/dependabot.md +40 -0
  456. package/docs/rules/presets/index.md +139 -81
  457. package/docs/rules/presets/recommended.md +30 -19
  458. package/docs/rules/presets/security.md +35 -9
  459. package/docs/rules/presets/strict.md +52 -41
  460. package/docs/rules/presets/workflow-template-properties.md +22 -11
  461. package/docs/rules/presets/workflow-templates.md +26 -15
  462. package/docs/rules/require-codeql-actions-read.md +50 -0
  463. package/docs/rules/require-codeql-branch-filters.md +53 -0
  464. package/docs/rules/require-codeql-category-when-language-matrix.md +49 -0
  465. package/docs/rules/require-codeql-pull-request-trigger.md +53 -0
  466. package/docs/rules/require-codeql-schedule.md +57 -0
  467. package/docs/rules/require-codeql-security-events-write.md +50 -0
  468. package/docs/rules/require-dependabot-assignees.md +64 -0
  469. package/docs/rules/require-dependabot-automation-permissions.md +53 -0
  470. package/docs/rules/require-dependabot-automation-pull-request-trigger.md +49 -0
  471. package/docs/rules/require-dependabot-bot-actor-guard.md +52 -0
  472. package/docs/rules/require-dependabot-commit-message-include-scope.md +58 -0
  473. package/docs/rules/require-dependabot-commit-message-prefix-development.md +60 -0
  474. package/docs/rules/require-dependabot-commit-message-prefix.md +64 -0
  475. package/docs/rules/require-dependabot-cooldown.md +59 -0
  476. package/docs/rules/require-dependabot-directory.md +79 -0
  477. package/docs/rules/require-dependabot-github-actions-directory-root.md +62 -0
  478. package/docs/rules/require-dependabot-labels.md +65 -0
  479. package/docs/rules/require-dependabot-open-pull-requests-limit.md +58 -0
  480. package/docs/rules/require-dependabot-package-ecosystem.md +57 -0
  481. package/docs/rules/require-dependabot-patterns-for-multi-ecosystem-group.md +67 -0
  482. package/docs/rules/require-dependabot-schedule-cronjob.md +74 -0
  483. package/docs/rules/require-dependabot-schedule-interval.md +66 -0
  484. package/docs/rules/require-dependabot-schedule-time.md +60 -0
  485. package/docs/rules/require-dependabot-schedule-timezone.md +61 -0
  486. package/docs/rules/require-dependabot-target-branch.md +63 -0
  487. package/docs/rules/require-dependabot-updates.md +58 -0
  488. package/docs/rules/require-dependabot-version.md +70 -0
  489. package/docs/rules/require-dependabot-versioning-strategy-for-npm.md +58 -0
  490. package/docs/rules/require-dependency-review-action.md +60 -0
  491. package/docs/rules/require-dependency-review-fail-on-severity.md +57 -0
  492. package/docs/rules/require-dependency-review-permissions-contents-read.md +62 -0
  493. package/docs/rules/require-dependency-review-pull-request-trigger.md +57 -0
  494. package/docs/rules/require-fetch-metadata-github-token.md +49 -0
  495. package/docs/rules/require-job-name.md +6 -2
  496. package/docs/rules/require-job-step-name.md +11 -2
  497. package/docs/rules/require-sarif-upload-security-events-write.md +50 -0
  498. package/docs/rules/require-scorecard-results-format-sarif.md +49 -0
  499. package/docs/rules/require-scorecard-upload-sarif-step.md +55 -0
  500. package/docs/rules/require-secret-scan-contents-read.md +48 -0
  501. package/docs/rules/require-secret-scan-fetch-depth-zero.md +50 -0
  502. package/docs/rules/require-secret-scan-schedule.md +50 -0
  503. package/docs/rules/require-trufflehog-verified-results-mode.md +49 -0
  504. package/package.json +50 -57
package/docs/rules/require-fetch-metadata-github-token.md ADDED
@@ -0,0 +1,49 @@
1
+ # require-fetch-metadata-github-token
2
+
3
+ > **Rule catalog ID:** R110
4
+
5
+ ## Targeted pattern scope
6
+
7
+ Workflow steps that use `dependabot/fetch-metadata`.
8
+
9
+ ## What this rule reports
10
+
11
+ This rule reports fetch-metadata steps that do not configure `with.github-token`.
12
+
13
+ ## Why this rule exists
14
+
15
+ `dependabot/fetch-metadata` needs a token to retrieve pull request dependency metadata. Requiring the token input makes the workflow contract explicit and avoids subtle runtime failures.
16
+
17
+ ## ❌ Incorrect
18
+
19
+ ```yaml
20
+ - uses: dependabot/fetch-metadata@v2
21
+ ```
22
+
23
+ ## ✅ Correct
24
+
25
+ ```yaml
26
+ - uses: dependabot/fetch-metadata@v2
27
+ with:
28
+ github-token: ${{ secrets.GITHUB_TOKEN }}
29
+ ```
30
+
31
+ ## Additional examples
32
+
33
+ This rule only checks for the presence of a non-empty token input. It does not prescribe a specific secret name.
34
+
35
+ ## ESLint flat config example
36
+
37
+ ```ts
38
+ import githubActions from "eslint-plugin-github-actions-2";
39
+
40
+ export default [githubActions.configs.security];
41
+ ```
42
+
43
+ ## When not to use it
44
+
45
+ Disable this rule only if the action changes to no longer require an explicit token input.
46
+
47
+ ## Further reading
48
+
49
+ - [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata)
package/docs/rules/require-job-name.md CHANGED
@@ -31,6 +31,9 @@ jobs:
31
31
  runs-on: ubuntu-latest
32
32
  ```
33
33
 
34
+ ## Behavior and migration notes
35
+
36
+ This rule provides a suggestion that uses the job ID as a fallback display name when `name` is missing or blank. That is useful for quick cleanup, but you should still review the suggestion and replace it with a more descriptive label when the job does more than the raw ID implies.
34
37
 
35
38
  ## Additional examples
36
39
 
@@ -57,7 +60,8 @@ export default [
57
60
  ## When not to use it
58
61
 
59
62
  You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.
63
+
60
64
  ## Further reading
61
65
 
62
- - [https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idname](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idname)
63
- - [https://docs.github.com/actions/using-jobs/using-jobs-in-a-workflow](https://docs.github.com/actions/using-jobs/using-jobs-in-a-workflow)
66
+ - [GitHub Actions workflow syntax: `jobs.<job_id>.name`](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idname)
67
+ - [GitHub Actions docs: Using jobs in a workflow](https://docs.github.com/actions/using-jobs/using-jobs-in-a-workflow)
package/docs/rules/require-job-step-name.md CHANGED
@@ -37,6 +37,14 @@ jobs:
37
37
  run: npm test
38
38
  ```
39
39
 
40
+ ## Behavior and migration notes
41
+
42
+ This rule provides suggestions when it can infer a meaningful step label from existing step content:
43
+
44
+ - for `uses:` steps, it suggests the action reference without the version suffix, and
45
+ - for `run:` steps, it suggests the first non-empty command line when that line is short enough to read well in logs.
46
+
47
+ Those suggestions are intentionally reviewable rather than automatically applied because human-friendly step names often need a little more context than the raw command or action reference.
40
48
 
41
49
  ## Additional examples
42
50
 
@@ -63,7 +71,8 @@ export default [
63
71
  ## When not to use it
64
72
 
65
73
  You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.
74
+
66
75
  ## Further reading
67
76
 
68
- - [https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idsteps](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idsteps)
69
- - [https://docs.github.com/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs](https://docs.github.com/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs)
77
+ - [GitHub Actions workflow syntax: `jobs.<job_id>.steps`](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idsteps)
78
+ - [GitHub Actions docs: Using workflow run logs](https://docs.github.com/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs)
package/docs/rules/require-sarif-upload-security-events-write.md ADDED
@@ -0,0 +1,50 @@
1
+ # require-sarif-upload-security-events-write
2
+
3
+ > **Rule catalog ID:** R102
4
+
5
+ ## Targeted pattern scope
6
+
7
+ Jobs that use `github/codeql-action/upload-sarif`.
8
+
9
+ ## What this rule reports
10
+
11
+ This rule reports SARIF upload jobs that do not grant `security-events: write`.
12
+
13
+ ## Why this rule exists
14
+
15
+ Uploading SARIF to GitHub code scanning requires `security-events: write`. Requiring it explicitly keeps workflow permissions correct and reviewable.
16
+
17
+ ## ❌ Incorrect
18
+
19
+ ```yaml
20
+ permissions:
21
+ contents: read
22
+ ```
23
+
24
+ ## ✅ Correct
25
+
26
+ ```yaml
27
+ permissions:
28
+ contents: read
29
+ security-events: write
30
+ ```
31
+
32
+ ## Additional examples
33
+
34
+ This rule applies to any SARIF uploader step using `github/codeql-action/upload-sarif`, not just CodeQL-native workflows.
35
+
36
+ ## ESLint flat config example
37
+
38
+ ```ts
39
+ import githubActions from "eslint-plugin-github-actions-2";
40
+
41
+ export default [githubActions.configs.codeScanning];
42
+ ```
43
+
44
+ ## When not to use it
45
+
46
+ Disable this rule only if the uploader step is never intended to publish SARIF into GitHub code scanning.
47
+
48
+ ## Further reading
49
+
50
+ - [About code scanning with CodeQL](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)
package/docs/rules/require-scorecard-results-format-sarif.md ADDED
@@ -0,0 +1,49 @@
1
+ # require-scorecard-results-format-sarif
2
+
3
+ > **Rule catalog ID:** R103
4
+
5
+ ## Targeted pattern scope
6
+
7
+ Workflow steps that use `ossf/scorecard-action`.
8
+
9
+ ## What this rule reports
10
+
11
+ This rule reports Scorecard action steps that do not set `results_format: sarif`.
12
+
13
+ ## Why this rule exists
14
+
15
+ If a repository wants Scorecard findings to flow into GitHub code scanning, SARIF is the correct results format. Requiring it makes the upload contract explicit.
16
+
17
+ ## ❌ Incorrect
18
+
19
+ ```yaml
20
+ - uses: ossf/scorecard-action@v2
21
+ ```
22
+
23
+ ## ✅ Correct
24
+
25
+ ```yaml
26
+ - uses: ossf/scorecard-action@v2
27
+ with:
28
+ results_format: sarif
29
+ ```
30
+
31
+ ## Additional examples
32
+
33
+ This rule pairs naturally with `require-scorecard-upload-sarif-step`, which ensures the generated SARIF is actually published.
34
+
35
+ ## ESLint flat config example
36
+
37
+ ```ts
38
+ import githubActions from "eslint-plugin-github-actions-2";
39
+
40
+ export default [githubActions.configs.codeScanning];
41
+ ```
42
+
43
+ ## When not to use it
44
+
45
+ Disable this rule if your Scorecard workflow intentionally produces non-SARIF output for another destination.
46
+
47
+ ## Further reading
48
+
49
+ - [OpenSSF Scorecard Action](https://github.com/ossf/scorecard-action)
package/docs/rules/require-scorecard-upload-sarif-step.md ADDED
@@ -0,0 +1,55 @@
1
+ # require-scorecard-upload-sarif-step
2
+
3
+ > **Rule catalog ID:** R104
4
+
5
+ ## Targeted pattern scope
6
+
7
+ Workflows that use `ossf/scorecard-action`.
8
+
9
+ ## What this rule reports
10
+
11
+ This rule reports Scorecard workflows that do not upload SARIF results with `github/codeql-action/upload-sarif`.
12
+
13
+ ## Why this rule exists
14
+
15
+ Generating SARIF without uploading it leaves the code scanning integration incomplete. Requiring the upload step helps repositories actually surface Scorecard findings in GitHub.
16
+
17
+ ## ❌ Incorrect
18
+
19
+ ```yaml
20
+ - uses: ossf/scorecard-action@v2
21
+ with:
22
+ results_format: sarif
23
+ ```
24
+
25
+ ## ✅ Correct
26
+
27
+ ```yaml
28
+ - uses: ossf/scorecard-action@v2
29
+ with:
30
+ results_format: sarif
31
+
32
+ - uses: github/codeql-action/upload-sarif@v4
33
+ with:
34
+ sarif_file: results.sarif
35
+ ```
36
+
37
+ ## Additional examples
38
+
39
+ This rule does not require a specific SARIF filename, only that an upload step exists.
40
+
41
+ ## ESLint flat config example
42
+
43
+ ```ts
44
+ import githubActions from "eslint-plugin-github-actions-2";
45
+
46
+ export default [githubActions.configs.codeScanning];
47
+ ```
48
+
49
+ ## When not to use it
50
+
51
+ Disable this rule if SARIF upload is handled by a reusable workflow or another job outside the current file.
52
+
53
+ ## Further reading
54
+
55
+ - [OpenSSF Scorecard Action](https://github.com/ossf/scorecard-action)
package/docs/rules/require-secret-scan-contents-read.md ADDED
@@ -0,0 +1,48 @@
1
+ # require-secret-scan-contents-read
2
+
3
+ > **Rule catalog ID:** R107
4
+
5
+ ## Targeted pattern scope
6
+
7
+ Jobs that use supported secret-scanning actions.
8
+
9
+ ## What this rule reports
10
+
11
+ This rule reports secret-scanning jobs that do not grant `contents: read`.
12
+
13
+ ## Why this rule exists
14
+
15
+ Secret-scanning workflows generally only need read access to repository contents. Making that permission explicit reinforces least privilege.
16
+
17
+ ## ❌ Incorrect
18
+
19
+ ```yaml
20
+ permissions: {}
21
+ ```
22
+
23
+ ## ✅ Correct
24
+
25
+ ```yaml
26
+ permissions:
27
+ contents: read
28
+ ```
29
+
30
+ ## Additional examples
31
+
32
+ This rule is intentionally narrow and does not try to prescribe every other permission a secret-scanning workflow may or may not need.
33
+
34
+ ## ESLint flat config example
35
+
36
+ ```ts
37
+ import githubActions from "eslint-plugin-github-actions-2";
38
+
39
+ export default [githubActions.configs.security];
40
+ ```
41
+
42
+ ## When not to use it
43
+
44
+ Disable this rule if your scanner workflow runs in an unusual environment that truly does not need repository contents access.
45
+
46
+ ## Further reading
47
+
48
+ - [GitHub Actions workflow syntax: permissions](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#permissions)
package/docs/rules/require-secret-scan-fetch-depth-zero.md ADDED
@@ -0,0 +1,50 @@
1
+ # require-secret-scan-fetch-depth-zero
2
+
3
+ > **Rule catalog ID:** R105
4
+
5
+ ## Targeted pattern scope
6
+
7
+ Jobs that use secret-scanning actions such as Gitleaks or TruffleHog.
8
+
9
+ ## What this rule reports
10
+
11
+ This rule reports secret-scanning jobs that do not checkout repository history with `fetch-depth: 0`.
12
+
13
+ ## Why this rule exists
14
+
15
+ Secret scanners are most effective when they can inspect full repository history rather than only the latest commit range.
16
+
17
+ ## ❌ Incorrect
18
+
19
+ ```yaml
20
+ - uses: actions/checkout@v6
21
+ ```
22
+
23
+ ## ✅ Correct
24
+
25
+ ```yaml
26
+ - uses: actions/checkout@v6
27
+ with:
28
+ fetch-depth: 0
29
+ ```
30
+
31
+ ## Additional examples
32
+
33
+ This rule is job-scoped, so it only checks jobs that actually run the supported secret scanners.
34
+
35
+ ## ESLint flat config example
36
+
37
+ ```ts
38
+ import githubActions from "eslint-plugin-github-actions-2";
39
+
40
+ export default [githubActions.configs.security];
41
+ ```
42
+
43
+ ## When not to use it
44
+
45
+ Disable this rule if your secret scanning workflow is intentionally limited to shallow history or event-specific diffs.
46
+
47
+ ## Further reading
48
+
49
+ - [Gitleaks Action](https://github.com/gitleaks/gitleaks-action)
50
+ - [TruffleHog Action](https://github.com/trufflesecurity/trufflehog)
package/docs/rules/require-secret-scan-schedule.md ADDED
@@ -0,0 +1,50 @@
1
+ # require-secret-scan-schedule
2
+
3
+ > **Rule catalog ID:** R106
4
+
5
+ ## Targeted pattern scope
6
+
7
+ Workflows that use supported secret-scanning actions.
8
+
9
+ ## What this rule reports
10
+
11
+ This rule reports secret-scanning workflows that do not define a `schedule` trigger.
12
+
13
+ ## Why this rule exists
14
+
15
+ Scheduled secret scanning catches leaks even when no recent pull request or push event happens on the affected branch.
16
+
17
+ ## ❌ Incorrect
18
+
19
+ ```yaml
20
+ on: [pull_request]
21
+ ```
22
+
23
+ ## ✅ Correct
24
+
25
+ ```yaml
26
+ on:
27
+ pull_request:
28
+ schedule:
29
+ - cron: "12 4 * * *"
30
+ ```
31
+
32
+ ## Additional examples
33
+
34
+ This rule does not enforce a particular cron expression, only that periodic scanning exists.
35
+
36
+ ## ESLint flat config example
37
+
38
+ ```ts
39
+ import githubActions from "eslint-plugin-github-actions-2";
40
+
41
+ export default [githubActions.configs.security];
42
+ ```
43
+
44
+ ## When not to use it
45
+
46
+ Disable this rule if scheduled secret scanning is handled outside GitHub Actions.
47
+
48
+ ## Further reading
49
+
50
+ - [GitHub Actions workflow syntax: schedule](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#onschedule)
package/docs/rules/require-trufflehog-verified-results-mode.md ADDED
@@ -0,0 +1,49 @@
1
+ # require-trufflehog-verified-results-mode
2
+
3
+ > **Rule catalog ID:** R108
4
+
5
+ ## Targeted pattern scope
6
+
7
+ Workflow steps that use the TruffleHog GitHub Action.
8
+
9
+ ## What this rule reports
10
+
11
+ This rule reports TruffleHog steps that do not configure `extra_args` to include `--results=verified`.
12
+
13
+ ## Why this rule exists
14
+
15
+ Verified-results mode reduces noise by failing only on findings that the scanner can verify more confidently.
16
+
17
+ ## ❌ Incorrect
18
+
19
+ ```yaml
20
+ - uses: trufflesecurity/trufflehog@v3
21
+ ```
22
+
23
+ ## ✅ Correct
24
+
25
+ ```yaml
26
+ - uses: trufflesecurity/trufflehog@v3
27
+ with:
28
+ extra_args: --results=verified
29
+ ```
30
+
31
+ ## Additional examples
32
+
33
+ This rule still allows additional TruffleHog flags as long as the verified-results mode is present.
34
+
35
+ ## ESLint flat config example
36
+
37
+ ```ts
38
+ import githubActions from "eslint-plugin-github-actions-2";
39
+
40
+ export default [githubActions.configs.security];
41
+ ```
42
+
43
+ ## When not to use it
44
+
45
+ Disable this rule if your repository intentionally wants broader TruffleHog results despite the extra noise.
46
+
47
+ ## Further reading
48
+
49
+ - [TruffleHog Action](https://github.com/trufflesecurity/trufflehog)