eslint-plugin-github-actions-2 1.0.2 → 1.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (504)
  1. package/README.md +149 -101
  2. package/dist/_internal/code-scanning-workflow.d.ts +37 -0
  3. package/dist/_internal/code-scanning-workflow.d.ts.map +1 -0
  4. package/dist/_internal/code-scanning-workflow.js +73 -0
  5. package/dist/_internal/code-scanning-workflow.js.map +1 -0
  6. package/dist/_internal/dependabot-automation-workflow.d.ts +26 -0
  7. package/dist/_internal/dependabot-automation-workflow.d.ts.map +1 -0
  8. package/dist/_internal/dependabot-automation-workflow.js +25 -0
  9. package/dist/_internal/dependabot-automation-workflow.js.map +1 -0
  10. package/dist/_internal/dependabot-yaml.d.ts +63 -0
  11. package/dist/_internal/dependabot-yaml.d.ts.map +1 -0
  12. package/dist/_internal/dependabot-yaml.js +139 -0
  13. package/dist/_internal/dependabot-yaml.js.map +1 -0
  14. package/dist/_internal/dependency-review-workflow.d.ts +20 -0
  15. package/dist/_internal/dependency-review-workflow.d.ts.map +1 -0
  16. package/dist/_internal/dependency-review-workflow.js +9 -0
  17. package/dist/_internal/dependency-review-workflow.js.map +1 -0
  18. package/dist/_internal/github-actions-config-references.d.ts +1 -1
  19. package/dist/_internal/github-actions-config-references.d.ts.map +1 -1
  20. package/dist/_internal/github-actions-config-references.js +19 -2
  21. package/dist/_internal/github-actions-config-references.js.map +1 -1
  22. package/dist/_internal/lint-targets.d.ts +15 -0
  23. package/dist/_internal/lint-targets.d.ts.map +1 -1
  24. package/dist/_internal/lint-targets.js +41 -0
  25. package/dist/_internal/lint-targets.js.map +1 -1
  26. package/dist/_internal/rules-registry.d.ts +90 -0
  27. package/dist/_internal/rules-registry.d.ts.map +1 -1
  28. package/dist/_internal/rules-registry.js +90 -0
  29. package/dist/_internal/rules-registry.js.map +1 -1
  30. package/dist/_internal/secret-scanning-workflow.d.ts +24 -0
  31. package/dist/_internal/secret-scanning-workflow.d.ts.map +1 -0
  32. package/dist/_internal/secret-scanning-workflow.js +21 -0
  33. package/dist/_internal/secret-scanning-workflow.js.map +1 -0
  34. package/dist/_internal/workflow-action-steps.d.ts +35 -0
  35. package/dist/_internal/workflow-action-steps.d.ts.map +1 -0
  36. package/dist/_internal/workflow-action-steps.js +75 -0
  37. package/dist/_internal/workflow-action-steps.js.map +1 -0
  38. package/dist/_internal/workflow-permissions.d.ts +11 -0
  39. package/dist/_internal/workflow-permissions.d.ts.map +1 -0
  40. package/dist/_internal/workflow-permissions.js +50 -0
  41. package/dist/_internal/workflow-permissions.js.map +1 -0
  42. package/dist/_internal/yaml-fixes.d.ts +13 -0
  43. package/dist/_internal/yaml-fixes.d.ts.map +1 -0
  44. package/dist/_internal/yaml-fixes.js +77 -0
  45. package/dist/_internal/yaml-fixes.js.map +1 -0
  46. package/dist/plugin.cjs +3516 -268
  47. package/dist/plugin.cjs.map +4 -4
  48. package/dist/plugin.d.ts.map +1 -1
  49. package/dist/plugin.js +2 -0
  50. package/dist/plugin.js.map +1 -1
  51. package/dist/rules/action-name-casing.d.ts.map +1 -1
  52. package/dist/rules/action-name-casing.js +3 -0
  53. package/dist/rules/action-name-casing.js.map +1 -1
  54. package/dist/rules/job-id-casing.d.ts.map +1 -1
  55. package/dist/rules/job-id-casing.js +3 -0
  56. package/dist/rules/job-id-casing.js.map +1 -1
  57. package/dist/rules/max-jobs-per-action.d.ts.map +1 -1
  58. package/dist/rules/max-jobs-per-action.js +3 -0
  59. package/dist/rules/max-jobs-per-action.js.map +1 -1
  60. package/dist/rules/no-case-insensitive-input-id-collision.d.ts.map +1 -1
  61. package/dist/rules/no-case-insensitive-input-id-collision.js +3 -0
  62. package/dist/rules/no-case-insensitive-input-id-collision.js.map +1 -1
  63. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.d.ts +9 -0
  64. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.d.ts.map +1 -0
  65. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.js +54 -0
  66. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.js.map +1 -0
  67. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.d.ts +9 -0
  68. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.d.ts.map +1 -0
  69. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.js +50 -0
  70. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.js.map +1 -0
  71. package/dist/rules/no-composite-input-env-access.d.ts.map +1 -1
  72. package/dist/rules/no-composite-input-env-access.js +3 -0
  73. package/dist/rules/no-composite-input-env-access.js.map +1 -1
  74. package/dist/rules/no-deprecated-node-runtime.d.ts.map +1 -1
  75. package/dist/rules/no-deprecated-node-runtime.js +3 -0
  76. package/dist/rules/no-deprecated-node-runtime.js.map +1 -1
  77. package/dist/rules/no-duplicate-composite-step-id.d.ts.map +1 -1
  78. package/dist/rules/no-duplicate-composite-step-id.js +3 -0
  79. package/dist/rules/no-duplicate-composite-step-id.js.map +1 -1
  80. package/dist/rules/no-empty-template-file-pattern.d.ts.map +1 -1
  81. package/dist/rules/no-empty-template-file-pattern.js +6 -0
  82. package/dist/rules/no-empty-template-file-pattern.js.map +1 -1
  83. package/dist/rules/no-external-job.d.ts.map +1 -1
  84. package/dist/rules/no-external-job.js +3 -0
  85. package/dist/rules/no-external-job.js.map +1 -1
  86. package/dist/rules/no-hardcoded-default-branch-in-template.d.ts.map +1 -1
  87. package/dist/rules/no-hardcoded-default-branch-in-template.js +3 -0
  88. package/dist/rules/no-hardcoded-default-branch-in-template.js.map +1 -1
  89. package/dist/rules/no-icon-file-extension-in-template-icon-name.d.ts.map +1 -1
  90. package/dist/rules/no-icon-file-extension-in-template-icon-name.js +13 -3
  91. package/dist/rules/no-icon-file-extension-in-template-icon-name.js.map +1 -1
  92. package/dist/rules/no-inherit-secrets.d.ts.map +1 -1
  93. package/dist/rules/no-inherit-secrets.js +3 -0
  94. package/dist/rules/no-inherit-secrets.js.map +1 -1
  95. package/dist/rules/no-invalid-concurrency-context.d.ts.map +1 -1
  96. package/dist/rules/no-invalid-concurrency-context.js +3 -0
  97. package/dist/rules/no-invalid-concurrency-context.js.map +1 -1
  98. package/dist/rules/no-invalid-key.d.ts.map +1 -1
  99. package/dist/rules/no-invalid-key.js +7 -0
  100. package/dist/rules/no-invalid-key.js.map +1 -1
  101. package/dist/rules/no-invalid-reusable-workflow-job-key.d.ts.map +1 -1
  102. package/dist/rules/no-invalid-reusable-workflow-job-key.js +3 -0
  103. package/dist/rules/no-invalid-reusable-workflow-job-key.js.map +1 -1
  104. package/dist/rules/no-invalid-template-file-pattern-regex.d.ts.map +1 -1
  105. package/dist/rules/no-invalid-template-file-pattern-regex.js +3 -0
  106. package/dist/rules/no-invalid-template-file-pattern-regex.js.map +1 -1
  107. package/dist/rules/no-invalid-workflow-call-output-value.d.ts.map +1 -1
  108. package/dist/rules/no-invalid-workflow-call-output-value.js +3 -0
  109. package/dist/rules/no-invalid-workflow-call-output-value.js.map +1 -1
  110. package/dist/rules/no-overlapping-dependabot-directories.d.ts +9 -0
  111. package/dist/rules/no-overlapping-dependabot-directories.d.ts.map +1 -0
  112. package/dist/rules/no-overlapping-dependabot-directories.js +151 -0
  113. package/dist/rules/no-overlapping-dependabot-directories.js.map +1 -0
  114. package/dist/rules/no-path-separators-in-template-icon-name.d.ts.map +1 -1
  115. package/dist/rules/no-path-separators-in-template-icon-name.js +26 -3
  116. package/dist/rules/no-path-separators-in-template-icon-name.js.map +1 -1
  117. package/dist/rules/no-post-if-without-post.d.ts.map +1 -1
  118. package/dist/rules/no-post-if-without-post.js +6 -0
  119. package/dist/rules/no-post-if-without-post.js.map +1 -1
  120. package/dist/rules/no-pr-head-checkout-in-pull-request-target.d.ts.map +1 -1
  121. package/dist/rules/no-pr-head-checkout-in-pull-request-target.js +3 -0
  122. package/dist/rules/no-pr-head-checkout-in-pull-request-target.js.map +1 -1
  123. package/dist/rules/no-pre-if-without-pre.d.ts.map +1 -1
  124. package/dist/rules/no-pre-if-without-pre.js +6 -0
  125. package/dist/rules/no-pre-if-without-pre.js.map +1 -1
  126. package/dist/rules/no-required-input-with-default.d.ts.map +1 -1
  127. package/dist/rules/no-required-input-with-default.js +23 -0
  128. package/dist/rules/no-required-input-with-default.js.map +1 -1
  129. package/dist/rules/no-secrets-in-if.d.ts.map +1 -1
  130. package/dist/rules/no-secrets-in-if.js +3 -0
  131. package/dist/rules/no-secrets-in-if.js.map +1 -1
  132. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.d.ts.map +1 -1
  133. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.js +3 -0
  134. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.js.map +1 -1
  135. package/dist/rules/no-subdirectory-template-file-pattern.d.ts.map +1 -1
  136. package/dist/rules/no-subdirectory-template-file-pattern.js +3 -0
  137. package/dist/rules/no-subdirectory-template-file-pattern.js.map +1 -1
  138. package/dist/rules/no-template-placeholder-in-non-template-workflow.d.ts.map +1 -1
  139. package/dist/rules/no-template-placeholder-in-non-template-workflow.js +3 -0
  140. package/dist/rules/no-template-placeholder-in-non-template-workflow.js.map +1 -1
  141. package/dist/rules/no-top-level-env.d.ts.map +1 -1
  142. package/dist/rules/no-top-level-env.js +3 -0
  143. package/dist/rules/no-top-level-env.js.map +1 -1
  144. package/dist/rules/no-top-level-permissions.d.ts.map +1 -1
  145. package/dist/rules/no-top-level-permissions.js +3 -0
  146. package/dist/rules/no-top-level-permissions.js.map +1 -1
  147. package/dist/rules/no-universal-template-file-pattern.d.ts.map +1 -1
  148. package/dist/rules/no-universal-template-file-pattern.js +3 -0
  149. package/dist/rules/no-universal-template-file-pattern.js.map +1 -1
  150. package/dist/rules/no-unknown-dependabot-multi-ecosystem-group.d.ts +9 -0
  151. package/dist/rules/no-unknown-dependabot-multi-ecosystem-group.d.ts.map +1 -0
  152. package/dist/rules/no-unknown-dependabot-multi-ecosystem-group.js +58 -0
  153. package/dist/rules/no-unknown-dependabot-multi-ecosystem-group.js.map +1 -0
  154. package/dist/rules/no-unknown-input-reference-in-composite.d.ts.map +1 -1
  155. package/dist/rules/no-unknown-input-reference-in-composite.js +3 -0
  156. package/dist/rules/no-unknown-input-reference-in-composite.js.map +1 -1
  157. package/dist/rules/no-unknown-job-output-reference.d.ts.map +1 -1
  158. package/dist/rules/no-unknown-job-output-reference.js +3 -0
  159. package/dist/rules/no-unknown-job-output-reference.js.map +1 -1
  160. package/dist/rules/no-unknown-step-reference.d.ts.map +1 -1
  161. package/dist/rules/no-unknown-step-reference.js +3 -0
  162. package/dist/rules/no-unknown-step-reference.js.map +1 -1
  163. package/dist/rules/no-untrusted-input-in-run.d.ts.map +1 -1
  164. package/dist/rules/no-untrusted-input-in-run.js +3 -0
  165. package/dist/rules/no-untrusted-input-in-run.js.map +1 -1
  166. package/dist/rules/no-unused-dependabot-enable-beta-ecosystems.d.ts +9 -0
  167. package/dist/rules/no-unused-dependabot-enable-beta-ecosystems.d.ts.map +1 -0
  168. package/dist/rules/no-unused-dependabot-enable-beta-ecosystems.js +51 -0
  169. package/dist/rules/no-unused-dependabot-enable-beta-ecosystems.js.map +1 -0
  170. package/dist/rules/no-unused-input-in-composite.d.ts.map +1 -1
  171. package/dist/rules/no-unused-input-in-composite.js +3 -0
  172. package/dist/rules/no-unused-input-in-composite.js.map +1 -1
  173. package/dist/rules/no-write-all-permissions.d.ts.map +1 -1
  174. package/dist/rules/no-write-all-permissions.js +3 -0
  175. package/dist/rules/no-write-all-permissions.js.map +1 -1
  176. package/dist/rules/pin-action-shas.d.ts.map +1 -1
  177. package/dist/rules/pin-action-shas.js +3 -0
  178. package/dist/rules/pin-action-shas.js.map +1 -1
  179. package/dist/rules/prefer-action-yml.d.ts.map +1 -1
  180. package/dist/rules/prefer-action-yml.js +3 -0
  181. package/dist/rules/prefer-action-yml.js.map +1 -1
  182. package/dist/rules/prefer-fail-fast.d.ts.map +1 -1
  183. package/dist/rules/prefer-fail-fast.js +3 -0
  184. package/dist/rules/prefer-fail-fast.js.map +1 -1
  185. package/dist/rules/prefer-file-extension.d.ts.map +1 -1
  186. package/dist/rules/prefer-file-extension.js +3 -0
  187. package/dist/rules/prefer-file-extension.js.map +1 -1
  188. package/dist/rules/prefer-inputs-context.d.ts.map +1 -1
  189. package/dist/rules/prefer-inputs-context.js +3 -0
  190. package/dist/rules/prefer-inputs-context.js.map +1 -1
  191. package/dist/rules/prefer-step-uses-style.d.ts.map +1 -1
  192. package/dist/rules/prefer-step-uses-style.js +3 -0
  193. package/dist/rules/prefer-step-uses-style.js.map +1 -1
  194. package/dist/rules/prefer-template-yml-extension.d.ts.map +1 -1
  195. package/dist/rules/prefer-template-yml-extension.js +3 -0
  196. package/dist/rules/prefer-template-yml-extension.js.map +1 -1
  197. package/dist/rules/require-action-name.d.ts.map +1 -1
  198. package/dist/rules/require-action-name.js +7 -0
  199. package/dist/rules/require-action-name.js.map +1 -1
  200. package/dist/rules/require-action-run-name.d.ts.map +1 -1
  201. package/dist/rules/require-action-run-name.js +7 -0
  202. package/dist/rules/require-action-run-name.js.map +1 -1
  203. package/dist/rules/require-checkout-before-local-action.d.ts.map +1 -1
  204. package/dist/rules/require-checkout-before-local-action.js +3 -0
  205. package/dist/rules/require-checkout-before-local-action.js.map +1 -1
  206. package/dist/rules/require-codeql-actions-read.d.ts +9 -0
  207. package/dist/rules/require-codeql-actions-read.d.ts.map +1 -0
  208. package/dist/rules/require-codeql-actions-read.js +63 -0
  209. package/dist/rules/require-codeql-actions-read.js.map +1 -0
  210. package/dist/rules/require-codeql-branch-filters.d.ts +12 -0
  211. package/dist/rules/require-codeql-branch-filters.d.ts.map +1 -0
  212. package/dist/rules/require-codeql-branch-filters.js +83 -0
  213. package/dist/rules/require-codeql-branch-filters.js.map +1 -0
  214. package/dist/rules/require-codeql-category-when-language-matrix.d.ts +12 -0
  215. package/dist/rules/require-codeql-category-when-language-matrix.d.ts.map +1 -0
  216. package/dist/rules/require-codeql-category-when-language-matrix.js +68 -0
  217. package/dist/rules/require-codeql-category-when-language-matrix.js.map +1 -0
  218. package/dist/rules/require-codeql-pull-request-trigger.d.ts +9 -0
  219. package/dist/rules/require-codeql-pull-request-trigger.d.ts.map +1 -0
  220. package/dist/rules/require-codeql-pull-request-trigger.js +46 -0
  221. package/dist/rules/require-codeql-pull-request-trigger.js.map +1 -0
  222. package/dist/rules/require-codeql-schedule.d.ts +9 -0
  223. package/dist/rules/require-codeql-schedule.d.ts.map +1 -0
  224. package/dist/rules/require-codeql-schedule.js +46 -0
  225. package/dist/rules/require-codeql-schedule.js.map +1 -0
  226. package/dist/rules/require-codeql-security-events-write.d.ts +9 -0
  227. package/dist/rules/require-codeql-security-events-write.d.ts.map +1 -0
  228. package/dist/rules/require-codeql-security-events-write.js +53 -0
  229. package/dist/rules/require-codeql-security-events-write.js.map +1 -0
  230. package/dist/rules/require-composite-step-name.d.ts.map +1 -1
  231. package/dist/rules/require-composite-step-name.js +3 -0
  232. package/dist/rules/require-composite-step-name.js.map +1 -1
  233. package/dist/rules/require-dependabot-assignees.d.ts +9 -0
  234. package/dist/rules/require-dependabot-assignees.d.ts.map +1 -0
  235. package/dist/rules/require-dependabot-assignees.js +53 -0
  236. package/dist/rules/require-dependabot-assignees.js.map +1 -0
  237. package/dist/rules/require-dependabot-automation-permissions.d.ts +9 -0
  238. package/dist/rules/require-dependabot-automation-permissions.d.ts.map +1 -0
  239. package/dist/rules/require-dependabot-automation-permissions.js +68 -0
  240. package/dist/rules/require-dependabot-automation-permissions.js.map +1 -0
  241. package/dist/rules/require-dependabot-automation-pull-request-trigger.d.ts +12 -0
  242. package/dist/rules/require-dependabot-automation-pull-request-trigger.d.ts.map +1 -0
  243. package/dist/rules/require-dependabot-automation-pull-request-trigger.js +49 -0
  244. package/dist/rules/require-dependabot-automation-pull-request-trigger.js.map +1 -0
  245. package/dist/rules/require-dependabot-bot-actor-guard.d.ts +9 -0
  246. package/dist/rules/require-dependabot-bot-actor-guard.d.ts.map +1 -0
  247. package/dist/rules/require-dependabot-bot-actor-guard.js +64 -0
  248. package/dist/rules/require-dependabot-bot-actor-guard.js.map +1 -0
  249. package/dist/rules/require-dependabot-commit-message-include-scope.d.ts +9 -0
  250. package/dist/rules/require-dependabot-commit-message-include-scope.d.ts.map +1 -0
  251. package/dist/rules/require-dependabot-commit-message-include-scope.js +60 -0
  252. package/dist/rules/require-dependabot-commit-message-include-scope.js.map +1 -0
  253. package/dist/rules/require-dependabot-commit-message-prefix-development.d.ts +9 -0
  254. package/dist/rules/require-dependabot-commit-message-prefix-development.d.ts.map +1 -0
  255. package/dist/rules/require-dependabot-commit-message-prefix-development.js +75 -0
  256. package/dist/rules/require-dependabot-commit-message-prefix-development.js.map +1 -0
  257. package/dist/rules/require-dependabot-commit-message-prefix.d.ts +9 -0
  258. package/dist/rules/require-dependabot-commit-message-prefix.d.ts.map +1 -0
  259. package/dist/rules/require-dependabot-commit-message-prefix.js +60 -0
  260. package/dist/rules/require-dependabot-commit-message-prefix.js.map +1 -0
  261. package/dist/rules/require-dependabot-cooldown.d.ts +9 -0
  262. package/dist/rules/require-dependabot-cooldown.d.ts.map +1 -0
  263. package/dist/rules/require-dependabot-cooldown.js +52 -0
  264. package/dist/rules/require-dependabot-cooldown.js.map +1 -0
  265. package/dist/rules/require-dependabot-directory.d.ts +9 -0
  266. package/dist/rules/require-dependabot-directory.d.ts.map +1 -0
  267. package/dist/rules/require-dependabot-directory.js +68 -0
  268. package/dist/rules/require-dependabot-directory.js.map +1 -0
  269. package/dist/rules/require-dependabot-github-actions-directory-root.d.ts +9 -0
  270. package/dist/rules/require-dependabot-github-actions-directory-root.d.ts.map +1 -0
  271. package/dist/rules/require-dependabot-github-actions-directory-root.js +76 -0
  272. package/dist/rules/require-dependabot-github-actions-directory-root.js.map +1 -0
  273. package/dist/rules/require-dependabot-labels.d.ts +9 -0
  274. package/dist/rules/require-dependabot-labels.d.ts.map +1 -0
  275. package/dist/rules/require-dependabot-labels.js +52 -0
  276. package/dist/rules/require-dependabot-labels.js.map +1 -0
  277. package/dist/rules/require-dependabot-open-pull-requests-limit.d.ts +9 -0
  278. package/dist/rules/require-dependabot-open-pull-requests-limit.d.ts.map +1 -0
  279. package/dist/rules/require-dependabot-open-pull-requests-limit.js +55 -0
  280. package/dist/rules/require-dependabot-open-pull-requests-limit.js.map +1 -0
  281. package/dist/rules/require-dependabot-package-ecosystem.d.ts +9 -0
  282. package/dist/rules/require-dependabot-package-ecosystem.d.ts.map +1 -0
  283. package/dist/rules/require-dependabot-package-ecosystem.js +79 -0
  284. package/dist/rules/require-dependabot-package-ecosystem.js.map +1 -0
  285. package/dist/rules/require-dependabot-patterns-for-multi-ecosystem-group.d.ts +9 -0
  286. package/dist/rules/require-dependabot-patterns-for-multi-ecosystem-group.d.ts.map +1 -0
  287. package/dist/rules/require-dependabot-patterns-for-multi-ecosystem-group.js +58 -0
  288. package/dist/rules/require-dependabot-patterns-for-multi-ecosystem-group.js.map +1 -0
  289. package/dist/rules/require-dependabot-schedule-cronjob.d.ts +9 -0
  290. package/dist/rules/require-dependabot-schedule-cronjob.d.ts.map +1 -0
  291. package/dist/rules/require-dependabot-schedule-cronjob.js +82 -0
  292. package/dist/rules/require-dependabot-schedule-cronjob.js.map +1 -0
  293. package/dist/rules/require-dependabot-schedule-interval.d.ts +9 -0
  294. package/dist/rules/require-dependabot-schedule-interval.d.ts.map +1 -0
  295. package/dist/rules/require-dependabot-schedule-interval.js +73 -0
  296. package/dist/rules/require-dependabot-schedule-interval.js.map +1 -0
  297. package/dist/rules/require-dependabot-schedule-time.d.ts +9 -0
  298. package/dist/rules/require-dependabot-schedule-time.d.ts.map +1 -0
  299. package/dist/rules/require-dependabot-schedule-time.js +68 -0
  300. package/dist/rules/require-dependabot-schedule-time.js.map +1 -0
  301. package/dist/rules/require-dependabot-schedule-timezone.d.ts +9 -0
  302. package/dist/rules/require-dependabot-schedule-timezone.d.ts.map +1 -0
  303. package/dist/rules/require-dependabot-schedule-timezone.js +69 -0
  304. package/dist/rules/require-dependabot-schedule-timezone.js.map +1 -0
  305. package/dist/rules/require-dependabot-target-branch.d.ts +9 -0
  306. package/dist/rules/require-dependabot-target-branch.d.ts.map +1 -0
  307. package/dist/rules/require-dependabot-target-branch.js +53 -0
  308. package/dist/rules/require-dependabot-target-branch.js.map +1 -0
  309. package/dist/rules/require-dependabot-updates.d.ts +9 -0
  310. package/dist/rules/require-dependabot-updates.d.ts.map +1 -0
  311. package/dist/rules/require-dependabot-updates.js +54 -0
  312. package/dist/rules/require-dependabot-updates.js.map +1 -0
  313. package/dist/rules/require-dependabot-version.d.ts +9 -0
  314. package/dist/rules/require-dependabot-version.d.ts.map +1 -0
  315. package/dist/rules/require-dependabot-version.js +62 -0
  316. package/dist/rules/require-dependabot-version.js.map +1 -0
  317. package/dist/rules/require-dependabot-versioning-strategy-for-npm.d.ts +9 -0
  318. package/dist/rules/require-dependabot-versioning-strategy-for-npm.d.ts.map +1 -0
  319. package/dist/rules/require-dependabot-versioning-strategy-for-npm.js +58 -0
  320. package/dist/rules/require-dependabot-versioning-strategy-for-npm.js.map +1 -0
  321. package/dist/rules/require-dependency-review-action.d.ts +9 -0
  322. package/dist/rules/require-dependency-review-action.d.ts.map +1 -0
  323. package/dist/rules/require-dependency-review-action.js +51 -0
  324. package/dist/rules/require-dependency-review-action.js.map +1 -0
  325. package/dist/rules/require-dependency-review-fail-on-severity.d.ts +9 -0
  326. package/dist/rules/require-dependency-review-fail-on-severity.d.ts.map +1 -0
  327. package/dist/rules/require-dependency-review-fail-on-severity.js +62 -0
  328. package/dist/rules/require-dependency-review-fail-on-severity.js.map +1 -0
  329. package/dist/rules/require-dependency-review-permissions-contents-read.d.ts +9 -0
  330. package/dist/rules/require-dependency-review-permissions-contents-read.d.ts.map +1 -0
  331. package/dist/rules/require-dependency-review-permissions-contents-read.js +55 -0
  332. package/dist/rules/require-dependency-review-permissions-contents-read.js.map +1 -0
  333. package/dist/rules/require-dependency-review-pull-request-trigger.d.ts +9 -0
  334. package/dist/rules/require-dependency-review-pull-request-trigger.d.ts.map +1 -0
  335. package/dist/rules/require-dependency-review-pull-request-trigger.js +47 -0
  336. package/dist/rules/require-dependency-review-pull-request-trigger.js.map +1 -0
  337. package/dist/rules/require-fetch-metadata-github-token.d.ts +9 -0
  338. package/dist/rules/require-fetch-metadata-github-token.d.ts.map +1 -0
  339. package/dist/rules/require-fetch-metadata-github-token.js +57 -0
  340. package/dist/rules/require-fetch-metadata-github-token.js.map +1 -0
  341. package/dist/rules/require-job-name.d.ts.map +1 -1
  342. package/dist/rules/require-job-name.js +35 -0
  343. package/dist/rules/require-job-name.js.map +1 -1
  344. package/dist/rules/require-job-step-name.d.ts.map +1 -1
  345. package/dist/rules/require-job-step-name.js +76 -0
  346. package/dist/rules/require-job-step-name.js.map +1 -1
  347. package/dist/rules/require-job-timeout-minutes.d.ts.map +1 -1
  348. package/dist/rules/require-job-timeout-minutes.js +3 -0
  349. package/dist/rules/require-job-timeout-minutes.js.map +1 -1
  350. package/dist/rules/require-merge-group-trigger.d.ts.map +1 -1
  351. package/dist/rules/require-merge-group-trigger.js +3 -0
  352. package/dist/rules/require-merge-group-trigger.js.map +1 -1
  353. package/dist/rules/require-pull-request-target-branches.d.ts.map +1 -1
  354. package/dist/rules/require-pull-request-target-branches.js +3 -0
  355. package/dist/rules/require-pull-request-target-branches.js.map +1 -1
  356. package/dist/rules/require-run-step-shell.d.ts.map +1 -1
  357. package/dist/rules/require-run-step-shell.js +3 -0
  358. package/dist/rules/require-run-step-shell.js.map +1 -1
  359. package/dist/rules/require-sarif-upload-security-events-write.d.ts +9 -0
  360. package/dist/rules/require-sarif-upload-security-events-write.d.ts.map +1 -0
  361. package/dist/rules/require-sarif-upload-security-events-write.js +51 -0
  362. package/dist/rules/require-sarif-upload-security-events-write.js.map +1 -0
  363. package/dist/rules/require-scorecard-results-format-sarif.d.ts +9 -0
  364. package/dist/rules/require-scorecard-results-format-sarif.d.ts.map +1 -0
  365. package/dist/rules/require-scorecard-results-format-sarif.js +57 -0
  366. package/dist/rules/require-scorecard-results-format-sarif.js.map +1 -0
  367. package/dist/rules/require-scorecard-upload-sarif-step.d.ts +9 -0
  368. package/dist/rules/require-scorecard-upload-sarif-step.d.ts.map +1 -0
  369. package/dist/rules/require-scorecard-upload-sarif-step.js +46 -0
  370. package/dist/rules/require-scorecard-upload-sarif-step.js.map +1 -0
  371. package/dist/rules/require-secret-scan-contents-read.d.ts +12 -0
  372. package/dist/rules/require-secret-scan-contents-read.d.ts.map +1 -0
  373. package/dist/rules/require-secret-scan-contents-read.js +53 -0
  374. package/dist/rules/require-secret-scan-contents-read.js.map +1 -0
  375. package/dist/rules/require-secret-scan-fetch-depth-zero.d.ts +9 -0
  376. package/dist/rules/require-secret-scan-fetch-depth-zero.d.ts.map +1 -0
  377. package/dist/rules/require-secret-scan-fetch-depth-zero.js +77 -0
  378. package/dist/rules/require-secret-scan-fetch-depth-zero.js.map +1 -0
  379. package/dist/rules/require-secret-scan-schedule.d.ts +9 -0
  380. package/dist/rules/require-secret-scan-schedule.d.ts.map +1 -0
  381. package/dist/rules/require-secret-scan-schedule.js +46 -0
  382. package/dist/rules/require-secret-scan-schedule.js.map +1 -0
  383. package/dist/rules/require-template-categories.d.ts.map +1 -1
  384. package/dist/rules/require-template-categories.js +3 -0
  385. package/dist/rules/require-template-categories.js.map +1 -1
  386. package/dist/rules/require-template-file-patterns.d.ts.map +1 -1
  387. package/dist/rules/require-template-file-patterns.js +3 -0
  388. package/dist/rules/require-template-file-patterns.js.map +1 -1
  389. package/dist/rules/require-template-icon-file-exists.d.ts.map +1 -1
  390. package/dist/rules/require-template-icon-file-exists.js +3 -0
  391. package/dist/rules/require-template-icon-file-exists.js.map +1 -1
  392. package/dist/rules/require-template-icon-name.d.ts.map +1 -1
  393. package/dist/rules/require-template-icon-name.js +3 -0
  394. package/dist/rules/require-template-icon-name.js.map +1 -1
  395. package/dist/rules/require-template-workflow-name.d.ts.map +1 -1
  396. package/dist/rules/require-template-workflow-name.js +3 -0
  397. package/dist/rules/require-template-workflow-name.js.map +1 -1
  398. package/dist/rules/require-trigger-types.d.ts.map +1 -1
  399. package/dist/rules/require-trigger-types.js +3 -0
  400. package/dist/rules/require-trigger-types.js.map +1 -1
  401. package/dist/rules/require-trufflehog-verified-results-mode.d.ts +9 -0
  402. package/dist/rules/require-trufflehog-verified-results-mode.d.ts.map +1 -0
  403. package/dist/rules/require-trufflehog-verified-results-mode.js +59 -0
  404. package/dist/rules/require-trufflehog-verified-results-mode.js.map +1 -0
  405. package/dist/rules/require-workflow-call-input-type.d.ts.map +1 -1
  406. package/dist/rules/require-workflow-call-input-type.js +3 -0
  407. package/dist/rules/require-workflow-call-input-type.js.map +1 -1
  408. package/dist/rules/require-workflow-call-output-value.d.ts.map +1 -1
  409. package/dist/rules/require-workflow-call-output-value.js +3 -0
  410. package/dist/rules/require-workflow-call-output-value.js.map +1 -1
  411. package/dist/rules/require-workflow-concurrency.d.ts.map +1 -1
  412. package/dist/rules/require-workflow-concurrency.js +3 -0
  413. package/dist/rules/require-workflow-concurrency.js.map +1 -1
  414. package/dist/rules/require-workflow-dispatch-input-type.d.ts.map +1 -1
  415. package/dist/rules/require-workflow-dispatch-input-type.js +3 -0
  416. package/dist/rules/require-workflow-dispatch-input-type.js.map +1 -1
  417. package/dist/rules/require-workflow-interface-description.d.ts.map +1 -1
  418. package/dist/rules/require-workflow-interface-description.js +3 -0
  419. package/dist/rules/require-workflow-interface-description.js.map +1 -1
  420. package/dist/rules/require-workflow-permissions.d.ts.map +1 -1
  421. package/dist/rules/require-workflow-permissions.js +7 -0
  422. package/dist/rules/require-workflow-permissions.js.map +1 -1
  423. package/dist/rules/require-workflow-run-branches.d.ts.map +1 -1
  424. package/dist/rules/require-workflow-run-branches.js +3 -0
  425. package/dist/rules/require-workflow-run-branches.js.map +1 -1
  426. package/dist/rules/require-workflow-template-pair.d.ts.map +1 -1
  427. package/dist/rules/require-workflow-template-pair.js +3 -0
  428. package/dist/rules/require-workflow-template-pair.js.map +1 -1
  429. package/dist/rules/require-workflow-template-properties-pair.d.ts.map +1 -1
  430. package/dist/rules/require-workflow-template-properties-pair.js +3 -0
  431. package/dist/rules/require-workflow-template-properties-pair.js.map +1 -1
  432. package/dist/rules/valid-timeout-minutes.d.ts.map +1 -1
  433. package/dist/rules/valid-timeout-minutes.js +3 -0
  434. package/dist/rules/valid-timeout-minutes.js.map +1 -1
  435. package/dist/rules/valid-trigger-events.d.ts.map +1 -1
  436. package/dist/rules/valid-trigger-events.js +3 -0
  437. package/dist/rules/valid-trigger-events.js.map +1 -1
  438. package/docs/rules/action-name-casing.md +6 -2
  439. package/docs/rules/no-codeql-autobuild-for-javascript-typescript.md +55 -0
  440. package/docs/rules/no-codeql-javascript-typescript-split-language-matrix.md +51 -0
  441. package/docs/rules/no-empty-template-file-pattern.md +5 -1
  442. package/docs/rules/no-icon-file-extension-in-template-icon-name.md +5 -1
  443. package/docs/rules/no-overlapping-dependabot-directories.md +87 -0
  444. package/docs/rules/no-path-separators-in-template-icon-name.md +5 -1
  445. package/docs/rules/no-post-if-without-post.md +5 -1
  446. package/docs/rules/no-pre-if-without-pre.md +5 -1
  447. package/docs/rules/no-required-input-with-default.md +10 -1
  448. package/docs/rules/no-unknown-dependabot-multi-ecosystem-group.md +62 -0
  449. package/docs/rules/no-unused-dependabot-enable-beta-ecosystems.md +63 -0
  450. package/docs/rules/overview.md +47 -1
  451. package/docs/rules/prefer-inputs-context.md +6 -2
  452. package/docs/rules/presets/action-metadata.md +26 -15
  453. package/docs/rules/presets/all.md +129 -73
  454. package/docs/rules/presets/code-scanning.md +33 -0
  455. package/docs/rules/presets/dependabot.md +40 -0
  456. package/docs/rules/presets/index.md +139 -81
  457. package/docs/rules/presets/recommended.md +34 -23
  458. package/docs/rules/presets/security.md +39 -13
  459. package/docs/rules/presets/strict.md +56 -45
  460. package/docs/rules/presets/workflow-template-properties.md +26 -15
  461. package/docs/rules/presets/workflow-templates.md +30 -19
  462. package/docs/rules/require-codeql-actions-read.md +50 -0
  463. package/docs/rules/require-codeql-branch-filters.md +53 -0
  464. package/docs/rules/require-codeql-category-when-language-matrix.md +49 -0
  465. package/docs/rules/require-codeql-pull-request-trigger.md +53 -0
  466. package/docs/rules/require-codeql-schedule.md +57 -0
  467. package/docs/rules/require-codeql-security-events-write.md +50 -0
  468. package/docs/rules/require-dependabot-assignees.md +64 -0
  469. package/docs/rules/require-dependabot-automation-permissions.md +53 -0
  470. package/docs/rules/require-dependabot-automation-pull-request-trigger.md +49 -0
  471. package/docs/rules/require-dependabot-bot-actor-guard.md +52 -0
  472. package/docs/rules/require-dependabot-commit-message-include-scope.md +58 -0
  473. package/docs/rules/require-dependabot-commit-message-prefix-development.md +60 -0
  474. package/docs/rules/require-dependabot-commit-message-prefix.md +64 -0
  475. package/docs/rules/require-dependabot-cooldown.md +59 -0
  476. package/docs/rules/require-dependabot-directory.md +79 -0
  477. package/docs/rules/require-dependabot-github-actions-directory-root.md +62 -0
  478. package/docs/rules/require-dependabot-labels.md +65 -0
  479. package/docs/rules/require-dependabot-open-pull-requests-limit.md +58 -0
  480. package/docs/rules/require-dependabot-package-ecosystem.md +57 -0
  481. package/docs/rules/require-dependabot-patterns-for-multi-ecosystem-group.md +67 -0
  482. package/docs/rules/require-dependabot-schedule-cronjob.md +74 -0
  483. package/docs/rules/require-dependabot-schedule-interval.md +66 -0
  484. package/docs/rules/require-dependabot-schedule-time.md +60 -0
  485. package/docs/rules/require-dependabot-schedule-timezone.md +61 -0
  486. package/docs/rules/require-dependabot-target-branch.md +63 -0
  487. package/docs/rules/require-dependabot-updates.md +58 -0
  488. package/docs/rules/require-dependabot-version.md +70 -0
  489. package/docs/rules/require-dependabot-versioning-strategy-for-npm.md +58 -0
  490. package/docs/rules/require-dependency-review-action.md +60 -0
  491. package/docs/rules/require-dependency-review-fail-on-severity.md +57 -0
  492. package/docs/rules/require-dependency-review-permissions-contents-read.md +62 -0
  493. package/docs/rules/require-dependency-review-pull-request-trigger.md +57 -0
  494. package/docs/rules/require-fetch-metadata-github-token.md +49 -0
  495. package/docs/rules/require-job-name.md +6 -2
  496. package/docs/rules/require-job-step-name.md +11 -2
  497. package/docs/rules/require-sarif-upload-security-events-write.md +50 -0
  498. package/docs/rules/require-scorecard-results-format-sarif.md +49 -0
  499. package/docs/rules/require-scorecard-upload-sarif-step.md +55 -0
  500. package/docs/rules/require-secret-scan-contents-read.md +48 -0
  501. package/docs/rules/require-secret-scan-fetch-depth-zero.md +50 -0
  502. package/docs/rules/require-secret-scan-schedule.md +50 -0
  503. package/docs/rules/require-trufflehog-verified-results-mode.md +49 -0
  504. package/package.json +50 -57
@@ -1,22 +1,33 @@
1
- # `githubActions.configs.workflowTemplates`
2
-
3
- Workflow template package linting for both template YAML and metadata files.
4
-
1
+ ---
2
+ sidebar_position: 5
3
+ ---
4
+
5
+ # `githubActions.configs.workflowTemplates`
6
+
7
+ Workflow template package linting for both template YAML and metadata files.
8
+
5
9
  ## Included rules
6
10
 
7
- - [`no-empty-template-file-pattern`](../no-empty-template-file-pattern.md)
8
- - [`no-hardcoded-default-branch-in-template`](../no-hardcoded-default-branch-in-template.md)
9
- - [`no-icon-file-extension-in-template-icon-name`](../no-icon-file-extension-in-template-icon-name.md)
10
- - [`no-invalid-template-file-pattern-regex`](../no-invalid-template-file-pattern-regex.md)
11
- - [`no-path-separators-in-template-icon-name`](../no-path-separators-in-template-icon-name.md)
12
- - [`no-subdirectory-template-file-pattern`](../no-subdirectory-template-file-pattern.md)
13
- - [`no-universal-template-file-pattern`](../no-universal-template-file-pattern.md)
14
- - [`prefer-template-yml-extension`](../prefer-template-yml-extension.md)
15
- - [`require-template-categories`](../require-template-categories.md)
16
- - [`require-template-file-patterns`](../require-template-file-patterns.md)
17
- - [`require-template-icon-file-exists`](../require-template-icon-file-exists.md)
18
- - [`require-template-icon-name`](../require-template-icon-name.md)
19
- - [`require-template-workflow-name`](../require-template-workflow-name.md)
20
- - [`require-workflow-template-pair`](../require-workflow-template-pair.md)
21
- - [`require-workflow-template-properties-pair`](../require-workflow-template-properties-pair.md)
11
+ Fix legend:
12
+
13
+ - 🔧 = autofixable
14
+ - 💡 = suggestions available
15
+ - — = report only
22
16
 
17
+ | Rule | Fix |
18
+ | --- | :-: |
19
+ | <span class="sb-inline-rule-number">R060</span> [`no-empty-template-file-pattern`](../no-empty-template-file-pattern.md) | 🔧 |
20
+ | <span class="sb-inline-rule-number">R068</span> [`no-hardcoded-default-branch-in-template`](../no-hardcoded-default-branch-in-template.md) | — |
21
+ | <span class="sb-inline-rule-number">R063</span> [`no-icon-file-extension-in-template-icon-name`](../no-icon-file-extension-in-template-icon-name.md) | 🔧 |
22
+ | <span class="sb-inline-rule-number">R059</span> [`no-invalid-template-file-pattern-regex`](../no-invalid-template-file-pattern-regex.md) | — |
23
+ | <span class="sb-inline-rule-number">R064</span> [`no-path-separators-in-template-icon-name`](../no-path-separators-in-template-icon-name.md) | 💡 |
24
+ | <span class="sb-inline-rule-number">R062</span> [`no-subdirectory-template-file-pattern`](../no-subdirectory-template-file-pattern.md) | — |
25
+ | <span class="sb-inline-rule-number">R061</span> [`no-universal-template-file-pattern`](../no-universal-template-file-pattern.md) | — |
26
+ | <span class="sb-inline-rule-number">R066</span> [`prefer-template-yml-extension`](../prefer-template-yml-extension.md) | — |
27
+ | <span class="sb-inline-rule-number">R057</span> [`require-template-categories`](../require-template-categories.md) | — |
28
+ | <span class="sb-inline-rule-number">R058</span> [`require-template-file-patterns`](../require-template-file-patterns.md) | — |
29
+ | <span class="sb-inline-rule-number">R065</span> [`require-template-icon-file-exists`](../require-template-icon-file-exists.md) | — |
30
+ | <span class="sb-inline-rule-number">R056</span> [`require-template-icon-name`](../require-template-icon-name.md) | — |
31
+ | <span class="sb-inline-rule-number">R067</span> [`require-template-workflow-name`](../require-template-workflow-name.md) | — |
32
+ | <span class="sb-inline-rule-number">R054</span> [`require-workflow-template-pair`](../require-workflow-template-pair.md) | — |
33
+ | <span class="sb-inline-rule-number">R055</span> [`require-workflow-template-properties-pair`](../require-workflow-template-properties-pair.md) | — |
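--- a/package/docs/rules/require-codeql-actions-read.md
+++ b/package/docs/rules/require-codeql-actions-read.md
@@ -0,0 +1,50 @@
+# require-codeql-actions-read
+
+> **Rule catalog ID:** R099
+
+## Targeted pattern scope
+
+Jobs that use CodeQL actions such as `init`, `analyze`, `autobuild`, or `upload-sarif`.
+
+## What this rule reports
+
+This rule reports CodeQL jobs that do not grant `actions: read`.
+
+## Why this rule exists
+
+CodeQL jobs commonly need `actions: read` for workflow metadata and action access. Requiring it explicitly keeps job permissions self-documenting and consistent.
+
+## ❌ Incorrect
+
+```yaml
+permissions:
+  contents: read
+```
+
+## ✅ Correct
+
+```yaml
+permissions:
+  actions: read
+  contents: read
+```
+
+## Additional examples
+
+This rule is job-scoped: it only evaluates jobs that actually use CodeQL actions, not unrelated workflow jobs.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.codeScanning];
+```
+
+## When not to use it
+
+Disable this rule if your CodeQL setup demonstrably works without `actions: read` and you intentionally prefer the smaller permission set.
+
+## Further reading
+
+- [About code scanning with CodeQL](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)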
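--- a/package/docs/rules/require-codeql-branch-filters.md
+++ b/package/docs/rules/require-codeql-branch-filters.md
@@ -0,0 +1,53 @@
+# require-codeql-branch-filters
+
+> **Rule catalog ID:** R113
+
+## Targeted pattern scope
+
+CodeQL workflows that define `push` or `pull_request` triggers as mappings.
+
+## What this rule reports
+
+This rule reports CodeQL `push` or `pull_request` triggers that do not define a non-empty `branches` or `branches-ignore` filter.
+
+## Why this rule exists
+
+Code scanning on every branch may be intentional, but for most repositories CodeQL is scoped to the main development branches. Requiring an explicit branch filter makes that intent visible and keeps trigger breadth reviewable.
+
+## ❌ Incorrect
+
+```yaml
+on:
+  push: {}
+  pull_request: {}
+```
+
+## ✅ Correct
+
+```yaml
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+```
+
+## Additional examples
+
+This rule only checks CodeQL workflows and only when the trigger is expressed as a mapping where branch filters are supported.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.codeScanning];
+```
+
+## When not to use it
+
+Disable this rule if your repository intentionally wants CodeQL to react to every branch and that policy is already understood by maintainers.
+
+## Further reading
+
+- [About code scanning with CodeQL](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)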
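--- a/package/docs/rules/require-codeql-category-when-language-matrix.md
+++ b/package/docs/rules/require-codeql-category-when-language-matrix.md
@@ -0,0 +1,49 @@
+# require-codeql-category-when-language-matrix
+
+> **Rule catalog ID:** R114
+
+## Targeted pattern scope
+
+CodeQL analyze steps inside jobs that use `strategy.matrix.language`.
+
+## What this rule reports
+
+This rule reports CodeQL analyze steps that do not set `with.category` to include `matrix.language` when the job uses a language matrix.
+
+## Why this rule exists
+
+When CodeQL runs in a language matrix, the SARIF category is the easiest way to keep uploads distinct and understandable in the code scanning UI. Requiring a matrix-aware category helps avoid ambiguous result grouping.
+
+## ❌ Incorrect
+
+```yaml
+- uses: github/codeql-action/analyze@v4
+```
+
+## ✅ Correct
+
+```yaml
+- uses: github/codeql-action/analyze@v4
+  with:
+    category: /language:${{ matrix.language }}
+```
+
+## Additional examples
+
+This rule only applies when the job uses a `language` matrix. Single-language CodeQL jobs are ignored.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.codeScanning];
+```
+
+## When not to use it
+
+Disable this rule if your repository intentionally accepts a shared category across matrix jobs and that grouping has already been reviewed.
+
+## Further reading
+
+- [About code scanning with CodeQL](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)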
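--- a/package/docs/rules/require-codeql-pull-request-trigger.md
+++ b/package/docs/rules/require-codeql-pull-request-trigger.md
@@ -0,0 +1,53 @@
+# require-codeql-pull-request-trigger
+
+> **Rule catalog ID:** R100
+
+## Targeted pattern scope
+
+Workflows that run CodeQL analysis.
+
+## What this rule reports
+
+This rule reports CodeQL workflows that do not listen for `pull_request`.
+
+## Why this rule exists
+
+Code scanning is most actionable when it runs against pull requests before merges happen. Requiring the PR trigger keeps CodeQL feedback in the developer loop.
+
+## ❌ Incorrect
+
+```yaml
+on:
+  push:
+    branches: [main]
+```
+
+## ✅ Correct
+
+```yaml
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+```
+
+## Additional examples
+
+This rule only checks workflows that actually use CodeQL actions; it will not report on unrelated scheduled security workflows.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.codeScanning];
+```
+
+## When not to use it
+
+Disable this rule if your repository intentionally runs CodeQL only outside pull requests, for example in an external CI system.
+
+## Further reading
+
+- [About code scanning with CodeQL](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)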
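--- a/package/docs/rules/require-codeql-schedule.md
+++ b/package/docs/rules/require-codeql-schedule.md
@@ -0,0 +1,57 @@
+# require-codeql-schedule
+
+> **Rule catalog ID:** R101
+
+## Targeted pattern scope
+
+Workflows that run CodeQL analysis.
+
+## What this rule reports
+
+This rule reports CodeQL workflows that do not define a `schedule` trigger.
+
+## Why this rule exists
+
+Scheduled CodeQL runs catch newly added queries, engine improvements, and baseline issues that may not be re-evaluated often enough through push-only activity.
+
+## ❌ Incorrect
+
+```yaml
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+```
+
+## ✅ Correct
+
+```yaml
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 0 * * 1"
+```
+
+## Additional examples
+
+This rule does not enforce a particular cron expression. It only requires that periodic re-analysis be configured.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.codeScanning];
+```
+
+## When not to use it
+
+Disable this rule if CodeQL scheduling is handled outside GitHub Actions or by organization-wide automation.
+
+## Further reading
+
+- [About code scanning with CodeQL](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)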
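--- a/package/docs/rules/require-codeql-security-events-write.md
+++ b/package/docs/rules/require-codeql-security-events-write.md
@@ -0,0 +1,50 @@
+# require-codeql-security-events-write
+
+> **Rule catalog ID:** R098
+
+## Targeted pattern scope
+
+Jobs that run `github/codeql-action/analyze`.
+
+## What this rule reports
+
+This rule reports CodeQL analysis jobs that do not grant `security-events: write`.
+
+## Why this rule exists
+
+CodeQL analysis uploads results to GitHub code scanning. Without `security-events: write`, those results cannot be published correctly.
+
+## ❌ Incorrect
+
+```yaml
+permissions:
+  contents: read
+```
+
+## ✅ Correct
+
+```yaml
+permissions:
+  contents: read
+  security-events: write
+```
+
+## Additional examples
+
+This rule complements `require-sarif-upload-security-events-write` by covering CodeQL analysis jobs directly, even when they do not use a separate SARIF upload step.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.codeScanning];
+```
+
+## When not to use it
+
+Disable this rule only if CodeQL results are uploaded through a different mechanism outside the workflow.
+
+## Further reading
+
+- [About code scanning with CodeQL](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql)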
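--- a/package/docs/rules/require-dependabot-assignees.md
+++ b/package/docs/rules/require-dependabot-assignees.md
@@ -0,0 +1,64 @@
+# require-dependabot-assignees
+
+> **Rule catalog ID:** R077
+
+## Targeted pattern scope
+
+Dependabot update entries and multi-ecosystem groups that control pull request ownership.
+
+## What this rule reports
+
+This rule reports update entries that do not resolve to a non-empty `assignees` list, either directly or via `multi-ecosystem-groups` inheritance.
+
+## Why this rule exists
+
+Dependabot pull requests are easy to ignore when they are unowned. Requiring assignees makes update responsibility explicit and improves triage speed.
+
+## ❌ Incorrect
+
+```yaml
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      time: "05:30"
+      timezone: "UTC"
+```
+
+## ✅ Correct
+
+```yaml
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      time: "05:30"
+      timezone: "UTC"
+    assignees:
+      - "octocat"
+```
+
+## Additional examples
+
+This rule also accepts assignees inherited from a `multi-ecosystem-group`, which is often the cleanest way to keep ownership consistent across multiple update entries.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.dependabot];
+```
+
+## When not to use it
+
+Disable this rule when ownership is handled exclusively through CODEOWNERS, bots, or external automation and explicit assignees would be noisy.
+
+## Further reading
+
+- [Dependabot options reference: assignees](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#assignees--)
+- [Customizing Dependabot pull requests: Automatically adding assignees](https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/customizing-dependabot-prs#automatically-adding-assignees)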
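--- a/package/docs/rules/require-dependabot-automation-permissions.md
+++ b/package/docs/rules/require-dependabot-automation-permissions.md
@@ -0,0 +1,53 @@
+# require-dependabot-automation-permissions
+
+> **Rule catalog ID:** R111
+
+## Targeted pattern scope
+
+Jobs that automate Dependabot pull requests using `gh pr edit`, `gh pr review`, or `gh pr merge`.
+
+## What this rule reports
+
+This rule reports missing minimum permissions for Dependabot pull request automation steps.
+
+## Why this rule exists
+
+PR automation should request only the permissions it actually needs, but it still needs enough privilege to work. This rule makes those minimum permission requirements explicit for common `gh pr` automation commands.
+
+## ❌ Incorrect
+
+```yaml
+permissions:
+  contents: read
+```
+
+## ✅ Correct
+
+```yaml
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+```
+
+## Additional examples
+
+- `gh pr edit --add-label` requires `issues: write`
+- `gh pr review` requires `pull-requests: write`
+- `gh pr merge` requires `contents: write` and `pull-requests: write`
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.security];
+```
+
+## When not to use it
+
+Disable this rule if your repository uses a different automation mechanism instead of `gh pr` commands.
+
+## Further reading
+
+- [Automating Dependabot with GitHub Actions](https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/automating-dependabot-with-github-actions)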
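--- a/package/docs/rules/require-dependabot-automation-pull-request-trigger.md
+++ b/package/docs/rules/require-dependabot-automation-pull-request-trigger.md
@@ -0,0 +1,49 @@
+# require-dependabot-automation-pull-request-trigger
+
+> **Rule catalog ID:** R112
+
+## Targeted pattern scope
+
+Workflows that automate Dependabot pull requests.
+
+## What this rule reports
+
+This rule reports Dependabot automation workflows that do not listen for `pull_request`.
+
+## Why this rule exists
+
+Dependabot pull request automation should run where Dependabot actually creates pull requests. Requiring the `pull_request` trigger keeps the workflow attached to the right event surface.
+
+## ❌ Incorrect
+
+```yaml
+on: [workflow_dispatch]
+```
+
+## ✅ Correct
+
+```yaml
+on:
+  pull_request:
+    branches: [main]
+```
+
+## Additional examples
+
+This rule applies only when the workflow contains known Dependabot automation patterns such as `dependabot/fetch-metadata` or `gh pr` automation commands.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.security];
+```
+
+## When not to use it
+
+Disable this rule if your repository automates Dependabot outside `pull_request` workflows on purpose.
+
+## Further reading
+
+- [Automating Dependabot with GitHub Actions](https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/automating-dependabot-with-github-actions)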
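--- a/package/docs/rules/require-dependabot-bot-actor-guard.md
+++ b/package/docs/rules/require-dependabot-bot-actor-guard.md
@@ -0,0 +1,52 @@
+# require-dependabot-bot-actor-guard
+
+> **Rule catalog ID:** R109
+
+## Targeted pattern scope
+
+Jobs that automate Dependabot pull requests using `dependabot/fetch-metadata` or `gh pr` commands.
+
+## What this rule reports
+
+This rule reports Dependabot automation jobs that do not guard execution on `dependabot[bot]`.
+
+## Why this rule exists
+
+Pull request automation should not run broadly on all pull requests when it is intended specifically for Dependabot. Requiring a Dependabot bot guard makes that safety boundary explicit.
+
+## ❌ Incorrect
+
+```yaml
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+```
+
+## ✅ Correct
+
+```yaml
+jobs:
+  dependabot:
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+```
+
+## Additional examples
+
+This rule accepts either a job-level guard or step-level guards on the relevant automation steps.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.security];
+```
+
+## When not to use it
+
+Disable this rule if your automation intentionally handles both Dependabot and non-Dependabot pull requests in the same job.
+
+## Further reading
+
+- [Automating Dependabot with GitHub Actions](https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/automating-dependabot-with-github-actions)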
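--- a/package/docs/rules/require-dependabot-commit-message-include-scope.md
+++ b/package/docs/rules/require-dependabot-commit-message-include-scope.md
@@ -0,0 +1,58 @@
+# require-dependabot-commit-message-include-scope
+
+> **Rule catalog ID:** R089
+
+## Targeted pattern scope
+
+Dependabot `commit-message` configuration, including values inherited from `multi-ecosystem-groups`.
+
+## What this rule reports
+
+This rule reports update entries that do not resolve to `commit-message.include: "scope"`.
+
+## Why this rule exists
+
+Including scope in Dependabot commit messages makes pull request titles more informative by distinguishing production and development dependency updates. That extra context is useful for triage and automation.
+
+## ❌ Incorrect
+
+```yaml
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    commit-message:
+      prefix: "deps"
+```
+
+## ✅ Correct
+
+```yaml
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    commit-message:
+      prefix: "deps"
+      include: "scope"
+```
+
+## Additional examples
+
+This rule is especially helpful when grouped updates would otherwise produce similar-looking pull request titles across dependency classes.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.dependabot];
+```
+
+## When not to use it
+
+Disable this rule if the repository intentionally prefers shorter Dependabot titles without dependency scope markers.
+
+## Further reading
+
+- [Dependabot options reference: commit-message](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#commit-message--)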