eslint-plugin-github-actions-2 1.0.2 → 1.0.4

Files changed (504) hide show
  1. package/README.md +149 -101
  2. package/dist/_internal/code-scanning-workflow.d.ts +37 -0
  3. package/dist/_internal/code-scanning-workflow.d.ts.map +1 -0
  4. package/dist/_internal/code-scanning-workflow.js +73 -0
  5. package/dist/_internal/code-scanning-workflow.js.map +1 -0
  6. package/dist/_internal/dependabot-automation-workflow.d.ts +26 -0
  7. package/dist/_internal/dependabot-automation-workflow.d.ts.map +1 -0
  8. package/dist/_internal/dependabot-automation-workflow.js +25 -0
  9. package/dist/_internal/dependabot-automation-workflow.js.map +1 -0
  10. package/dist/_internal/dependabot-yaml.d.ts +63 -0
  11. package/dist/_internal/dependabot-yaml.d.ts.map +1 -0
  12. package/dist/_internal/dependabot-yaml.js +139 -0
  13. package/dist/_internal/dependabot-yaml.js.map +1 -0
  14. package/dist/_internal/dependency-review-workflow.d.ts +20 -0
  15. package/dist/_internal/dependency-review-workflow.d.ts.map +1 -0
  16. package/dist/_internal/dependency-review-workflow.js +9 -0
  17. package/dist/_internal/dependency-review-workflow.js.map +1 -0
  18. package/dist/_internal/github-actions-config-references.d.ts +1 -1
  19. package/dist/_internal/github-actions-config-references.d.ts.map +1 -1
  20. package/dist/_internal/github-actions-config-references.js +19 -2
  21. package/dist/_internal/github-actions-config-references.js.map +1 -1
  22. package/dist/_internal/lint-targets.d.ts +15 -0
  23. package/dist/_internal/lint-targets.d.ts.map +1 -1
  24. package/dist/_internal/lint-targets.js +41 -0
  25. package/dist/_internal/lint-targets.js.map +1 -1
  26. package/dist/_internal/rules-registry.d.ts +90 -0
  27. package/dist/_internal/rules-registry.d.ts.map +1 -1
  28. package/dist/_internal/rules-registry.js +90 -0
  29. package/dist/_internal/rules-registry.js.map +1 -1
  30. package/dist/_internal/secret-scanning-workflow.d.ts +24 -0
  31. package/dist/_internal/secret-scanning-workflow.d.ts.map +1 -0
  32. package/dist/_internal/secret-scanning-workflow.js +21 -0
  33. package/dist/_internal/secret-scanning-workflow.js.map +1 -0
  34. package/dist/_internal/workflow-action-steps.d.ts +35 -0
  35. package/dist/_internal/workflow-action-steps.d.ts.map +1 -0
  36. package/dist/_internal/workflow-action-steps.js +75 -0
  37. package/dist/_internal/workflow-action-steps.js.map +1 -0
  38. package/dist/_internal/workflow-permissions.d.ts +11 -0
  39. package/dist/_internal/workflow-permissions.d.ts.map +1 -0
  40. package/dist/_internal/workflow-permissions.js +50 -0
  41. package/dist/_internal/workflow-permissions.js.map +1 -0
  42. package/dist/_internal/yaml-fixes.d.ts +13 -0
  43. package/dist/_internal/yaml-fixes.d.ts.map +1 -0
  44. package/dist/_internal/yaml-fixes.js +77 -0
  45. package/dist/_internal/yaml-fixes.js.map +1 -0
  46. package/dist/plugin.cjs +3516 -268
  47. package/dist/plugin.cjs.map +4 -4
  48. package/dist/plugin.d.ts.map +1 -1
  49. package/dist/plugin.js +2 -0
  50. package/dist/plugin.js.map +1 -1
  51. package/dist/rules/action-name-casing.d.ts.map +1 -1
  52. package/dist/rules/action-name-casing.js +3 -0
  53. package/dist/rules/action-name-casing.js.map +1 -1
  54. package/dist/rules/job-id-casing.d.ts.map +1 -1
  55. package/dist/rules/job-id-casing.js +3 -0
  56. package/dist/rules/job-id-casing.js.map +1 -1
  57. package/dist/rules/max-jobs-per-action.d.ts.map +1 -1
  58. package/dist/rules/max-jobs-per-action.js +3 -0
  59. package/dist/rules/max-jobs-per-action.js.map +1 -1
  60. package/dist/rules/no-case-insensitive-input-id-collision.d.ts.map +1 -1
  61. package/dist/rules/no-case-insensitive-input-id-collision.js +3 -0
  62. package/dist/rules/no-case-insensitive-input-id-collision.js.map +1 -1
  63. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.d.ts +9 -0
  64. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.d.ts.map +1 -0
  65. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.js +54 -0
  66. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.js.map +1 -0
  67. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.d.ts +9 -0
  68. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.d.ts.map +1 -0
  69. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.js +50 -0
  70. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.js.map +1 -0
  71. package/dist/rules/no-composite-input-env-access.d.ts.map +1 -1
  72. package/dist/rules/no-composite-input-env-access.js +3 -0
  73. package/dist/rules/no-composite-input-env-access.js.map +1 -1
  74. package/dist/rules/no-deprecated-node-runtime.d.ts.map +1 -1
  75. package/dist/rules/no-deprecated-node-runtime.js +3 -0
  76. package/dist/rules/no-deprecated-node-runtime.js.map +1 -1
  77. package/dist/rules/no-duplicate-composite-step-id.d.ts.map +1 -1
  78. package/dist/rules/no-duplicate-composite-step-id.js +3 -0
  79. package/dist/rules/no-duplicate-composite-step-id.js.map +1 -1
  80. package/dist/rules/no-empty-template-file-pattern.d.ts.map +1 -1
  81. package/dist/rules/no-empty-template-file-pattern.js +6 -0
  82. package/dist/rules/no-empty-template-file-pattern.js.map +1 -1
  83. package/dist/rules/no-external-job.d.ts.map +1 -1
  84. package/dist/rules/no-external-job.js +3 -0
  85. package/dist/rules/no-external-job.js.map +1 -1
  86. package/dist/rules/no-hardcoded-default-branch-in-template.d.ts.map +1 -1
  87. package/dist/rules/no-hardcoded-default-branch-in-template.js +3 -0
  88. package/dist/rules/no-hardcoded-default-branch-in-template.js.map +1 -1
  89. package/dist/rules/no-icon-file-extension-in-template-icon-name.d.ts.map +1 -1
  90. package/dist/rules/no-icon-file-extension-in-template-icon-name.js +13 -3
  91. package/dist/rules/no-icon-file-extension-in-template-icon-name.js.map +1 -1
  92. package/dist/rules/no-inherit-secrets.d.ts.map +1 -1
  93. package/dist/rules/no-inherit-secrets.js +3 -0
  94. package/dist/rules/no-inherit-secrets.js.map +1 -1
  95. package/dist/rules/no-invalid-concurrency-context.d.ts.map +1 -1
  96. package/dist/rules/no-invalid-concurrency-context.js +3 -0
  97. package/dist/rules/no-invalid-concurrency-context.js.map +1 -1
  98. package/dist/rules/no-invalid-key.d.ts.map +1 -1
  99. package/dist/rules/no-invalid-key.js +7 -0
  100. package/dist/rules/no-invalid-key.js.map +1 -1
  101. package/dist/rules/no-invalid-reusable-workflow-job-key.d.ts.map +1 -1
  102. package/dist/rules/no-invalid-reusable-workflow-job-key.js +3 -0
  103. package/dist/rules/no-invalid-reusable-workflow-job-key.js.map +1 -1
  104. package/dist/rules/no-invalid-template-file-pattern-regex.d.ts.map +1 -1
  105. package/dist/rules/no-invalid-template-file-pattern-regex.js +3 -0
  106. package/dist/rules/no-invalid-template-file-pattern-regex.js.map +1 -1
  107. package/dist/rules/no-invalid-workflow-call-output-value.d.ts.map +1 -1
  108. package/dist/rules/no-invalid-workflow-call-output-value.js +3 -0
  109. package/dist/rules/no-invalid-workflow-call-output-value.js.map +1 -1
  110. package/dist/rules/no-overlapping-dependabot-directories.d.ts +9 -0
  111. package/dist/rules/no-overlapping-dependabot-directories.d.ts.map +1 -0
  112. package/dist/rules/no-overlapping-dependabot-directories.js +151 -0
  113. package/dist/rules/no-overlapping-dependabot-directories.js.map +1 -0
  114. package/dist/rules/no-path-separators-in-template-icon-name.d.ts.map +1 -1
  115. package/dist/rules/no-path-separators-in-template-icon-name.js +26 -3
  116. package/dist/rules/no-path-separators-in-template-icon-name.js.map +1 -1
  117. package/dist/rules/no-post-if-without-post.d.ts.map +1 -1
  118. package/dist/rules/no-post-if-without-post.js +6 -0
  119. package/dist/rules/no-post-if-without-post.js.map +1 -1
  120. package/dist/rules/no-pr-head-checkout-in-pull-request-target.d.ts.map +1 -1
  121. package/dist/rules/no-pr-head-checkout-in-pull-request-target.js +3 -0
  122. package/dist/rules/no-pr-head-checkout-in-pull-request-target.js.map +1 -1
  123. package/dist/rules/no-pre-if-without-pre.d.ts.map +1 -1
  124. package/dist/rules/no-pre-if-without-pre.js +6 -0
  125. package/dist/rules/no-pre-if-without-pre.js.map +1 -1
  126. package/dist/rules/no-required-input-with-default.d.ts.map +1 -1
  127. package/dist/rules/no-required-input-with-default.js +23 -0
  128. package/dist/rules/no-required-input-with-default.js.map +1 -1
  129. package/dist/rules/no-secrets-in-if.d.ts.map +1 -1
  130. package/dist/rules/no-secrets-in-if.js +3 -0
  131. package/dist/rules/no-secrets-in-if.js.map +1 -1
  132. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.d.ts.map +1 -1
  133. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.js +3 -0
  134. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.js.map +1 -1
  135. package/dist/rules/no-subdirectory-template-file-pattern.d.ts.map +1 -1
  136. package/dist/rules/no-subdirectory-template-file-pattern.js +3 -0
  137. package/dist/rules/no-subdirectory-template-file-pattern.js.map +1 -1
  138. package/dist/rules/no-template-placeholder-in-non-template-workflow.d.ts.map +1 -1
  139. package/dist/rules/no-template-placeholder-in-non-template-workflow.js +3 -0
  140. package/dist/rules/no-template-placeholder-in-non-template-workflow.js.map +1 -1
  141. package/dist/rules/no-top-level-env.d.ts.map +1 -1
  142. package/dist/rules/no-top-level-env.js +3 -0
  143. package/dist/rules/no-top-level-env.js.map +1 -1
  144. package/dist/rules/no-top-level-permissions.d.ts.map +1 -1
  145. package/dist/rules/no-top-level-permissions.js +3 -0
  146. package/dist/rules/no-top-level-permissions.js.map +1 -1
  147. package/dist/rules/no-universal-template-file-pattern.d.ts.map +1 -1
  148. package/dist/rules/no-universal-template-file-pattern.js +3 -0
  149. package/dist/rules/no-universal-template-file-pattern.js.map +1 -1
  150. package/dist/rules/no-unknown-dependabot-multi-ecosystem-group.d.ts +9 -0
  151. package/dist/rules/no-unknown-dependabot-multi-ecosystem-group.d.ts.map +1 -0
  152. package/dist/rules/no-unknown-dependabot-multi-ecosystem-group.js +58 -0
  153. package/dist/rules/no-unknown-dependabot-multi-ecosystem-group.js.map +1 -0
  154. package/dist/rules/no-unknown-input-reference-in-composite.d.ts.map +1 -1
  155. package/dist/rules/no-unknown-input-reference-in-composite.js +3 -0
  156. package/dist/rules/no-unknown-input-reference-in-composite.js.map +1 -1
  157. package/dist/rules/no-unknown-job-output-reference.d.ts.map +1 -1
  158. package/dist/rules/no-unknown-job-output-reference.js +3 -0
  159. package/dist/rules/no-unknown-job-output-reference.js.map +1 -1
  160. package/dist/rules/no-unknown-step-reference.d.ts.map +1 -1
  161. package/dist/rules/no-unknown-step-reference.js +3 -0
  162. package/dist/rules/no-unknown-step-reference.js.map +1 -1
  163. package/dist/rules/no-untrusted-input-in-run.d.ts.map +1 -1
  164. package/dist/rules/no-untrusted-input-in-run.js +3 -0
  165. package/dist/rules/no-untrusted-input-in-run.js.map +1 -1
  166. package/dist/rules/no-unused-dependabot-enable-beta-ecosystems.d.ts +9 -0
  167. package/dist/rules/no-unused-dependabot-enable-beta-ecosystems.d.ts.map +1 -0
  168. package/dist/rules/no-unused-dependabot-enable-beta-ecosystems.js +51 -0
  169. package/dist/rules/no-unused-dependabot-enable-beta-ecosystems.js.map +1 -0
  170. package/dist/rules/no-unused-input-in-composite.d.ts.map +1 -1
  171. package/dist/rules/no-unused-input-in-composite.js +3 -0
  172. package/dist/rules/no-unused-input-in-composite.js.map +1 -1
  173. package/dist/rules/no-write-all-permissions.d.ts.map +1 -1
  174. package/dist/rules/no-write-all-permissions.js +3 -0
  175. package/dist/rules/no-write-all-permissions.js.map +1 -1
  176. package/dist/rules/pin-action-shas.d.ts.map +1 -1
  177. package/dist/rules/pin-action-shas.js +3 -0
  178. package/dist/rules/pin-action-shas.js.map +1 -1
  179. package/dist/rules/prefer-action-yml.d.ts.map +1 -1
  180. package/dist/rules/prefer-action-yml.js +3 -0
  181. package/dist/rules/prefer-action-yml.js.map +1 -1
  182. package/dist/rules/prefer-fail-fast.d.ts.map +1 -1
  183. package/dist/rules/prefer-fail-fast.js +3 -0
  184. package/dist/rules/prefer-fail-fast.js.map +1 -1
  185. package/dist/rules/prefer-file-extension.d.ts.map +1 -1
  186. package/dist/rules/prefer-file-extension.js +3 -0
  187. package/dist/rules/prefer-file-extension.js.map +1 -1
  188. package/dist/rules/prefer-inputs-context.d.ts.map +1 -1
  189. package/dist/rules/prefer-inputs-context.js +3 -0
  190. package/dist/rules/prefer-inputs-context.js.map +1 -1
  191. package/dist/rules/prefer-step-uses-style.d.ts.map +1 -1
  192. package/dist/rules/prefer-step-uses-style.js +3 -0
  193. package/dist/rules/prefer-step-uses-style.js.map +1 -1
  194. package/dist/rules/prefer-template-yml-extension.d.ts.map +1 -1
  195. package/dist/rules/prefer-template-yml-extension.js +3 -0
  196. package/dist/rules/prefer-template-yml-extension.js.map +1 -1
  197. package/dist/rules/require-action-name.d.ts.map +1 -1
  198. package/dist/rules/require-action-name.js +7 -0
  199. package/dist/rules/require-action-name.js.map +1 -1
  200. package/dist/rules/require-action-run-name.d.ts.map +1 -1
  201. package/dist/rules/require-action-run-name.js +7 -0
  202. package/dist/rules/require-action-run-name.js.map +1 -1
  203. package/dist/rules/require-checkout-before-local-action.d.ts.map +1 -1
  204. package/dist/rules/require-checkout-before-local-action.js +3 -0
  205. package/dist/rules/require-checkout-before-local-action.js.map +1 -1
  206. package/dist/rules/require-codeql-actions-read.d.ts +9 -0
  207. package/dist/rules/require-codeql-actions-read.d.ts.map +1 -0
  208. package/dist/rules/require-codeql-actions-read.js +63 -0
  209. package/dist/rules/require-codeql-actions-read.js.map +1 -0
  210. package/dist/rules/require-codeql-branch-filters.d.ts +12 -0
  211. package/dist/rules/require-codeql-branch-filters.d.ts.map +1 -0
  212. package/dist/rules/require-codeql-branch-filters.js +83 -0
  213. package/dist/rules/require-codeql-branch-filters.js.map +1 -0
  214. package/dist/rules/require-codeql-category-when-language-matrix.d.ts +12 -0
  215. package/dist/rules/require-codeql-category-when-language-matrix.d.ts.map +1 -0
  216. package/dist/rules/require-codeql-category-when-language-matrix.js +68 -0
  217. package/dist/rules/require-codeql-category-when-language-matrix.js.map +1 -0
  218. package/dist/rules/require-codeql-pull-request-trigger.d.ts +9 -0
  219. package/dist/rules/require-codeql-pull-request-trigger.d.ts.map +1 -0
  220. package/dist/rules/require-codeql-pull-request-trigger.js +46 -0
  221. package/dist/rules/require-codeql-pull-request-trigger.js.map +1 -0
  222. package/dist/rules/require-codeql-schedule.d.ts +9 -0
  223. package/dist/rules/require-codeql-schedule.d.ts.map +1 -0
  224. package/dist/rules/require-codeql-schedule.js +46 -0
  225. package/dist/rules/require-codeql-schedule.js.map +1 -0
  226. package/dist/rules/require-codeql-security-events-write.d.ts +9 -0
  227. package/dist/rules/require-codeql-security-events-write.d.ts.map +1 -0
  228. package/dist/rules/require-codeql-security-events-write.js +53 -0
  229. package/dist/rules/require-codeql-security-events-write.js.map +1 -0
  230. package/dist/rules/require-composite-step-name.d.ts.map +1 -1
  231. package/dist/rules/require-composite-step-name.js +3 -0
  232. package/dist/rules/require-composite-step-name.js.map +1 -1
  233. package/dist/rules/require-dependabot-assignees.d.ts +9 -0
  234. package/dist/rules/require-dependabot-assignees.d.ts.map +1 -0
  235. package/dist/rules/require-dependabot-assignees.js +53 -0
  236. package/dist/rules/require-dependabot-assignees.js.map +1 -0
  237. package/dist/rules/require-dependabot-automation-permissions.d.ts +9 -0
  238. package/dist/rules/require-dependabot-automation-permissions.d.ts.map +1 -0
  239. package/dist/rules/require-dependabot-automation-permissions.js +68 -0
  240. package/dist/rules/require-dependabot-automation-permissions.js.map +1 -0
  241. package/dist/rules/require-dependabot-automation-pull-request-trigger.d.ts +12 -0
  242. package/dist/rules/require-dependabot-automation-pull-request-trigger.d.ts.map +1 -0
  243. package/dist/rules/require-dependabot-automation-pull-request-trigger.js +49 -0
  244. package/dist/rules/require-dependabot-automation-pull-request-trigger.js.map +1 -0
  245. package/dist/rules/require-dependabot-bot-actor-guard.d.ts +9 -0
  246. package/dist/rules/require-dependabot-bot-actor-guard.d.ts.map +1 -0
  247. package/dist/rules/require-dependabot-bot-actor-guard.js +64 -0
  248. package/dist/rules/require-dependabot-bot-actor-guard.js.map +1 -0
  249. package/dist/rules/require-dependabot-commit-message-include-scope.d.ts +9 -0
  250. package/dist/rules/require-dependabot-commit-message-include-scope.d.ts.map +1 -0
  251. package/dist/rules/require-dependabot-commit-message-include-scope.js +60 -0
  252. package/dist/rules/require-dependabot-commit-message-include-scope.js.map +1 -0
  253. package/dist/rules/require-dependabot-commit-message-prefix-development.d.ts +9 -0
  254. package/dist/rules/require-dependabot-commit-message-prefix-development.d.ts.map +1 -0
  255. package/dist/rules/require-dependabot-commit-message-prefix-development.js +75 -0
  256. package/dist/rules/require-dependabot-commit-message-prefix-development.js.map +1 -0
  257. package/dist/rules/require-dependabot-commit-message-prefix.d.ts +9 -0
  258. package/dist/rules/require-dependabot-commit-message-prefix.d.ts.map +1 -0
  259. package/dist/rules/require-dependabot-commit-message-prefix.js +60 -0
  260. package/dist/rules/require-dependabot-commit-message-prefix.js.map +1 -0
  261. package/dist/rules/require-dependabot-cooldown.d.ts +9 -0
  262. package/dist/rules/require-dependabot-cooldown.d.ts.map +1 -0
  263. package/dist/rules/require-dependabot-cooldown.js +52 -0
  264. package/dist/rules/require-dependabot-cooldown.js.map +1 -0
  265. package/dist/rules/require-dependabot-directory.d.ts +9 -0
  266. package/dist/rules/require-dependabot-directory.d.ts.map +1 -0
  267. package/dist/rules/require-dependabot-directory.js +68 -0
  268. package/dist/rules/require-dependabot-directory.js.map +1 -0
  269. package/dist/rules/require-dependabot-github-actions-directory-root.d.ts +9 -0
  270. package/dist/rules/require-dependabot-github-actions-directory-root.d.ts.map +1 -0
  271. package/dist/rules/require-dependabot-github-actions-directory-root.js +76 -0
  272. package/dist/rules/require-dependabot-github-actions-directory-root.js.map +1 -0
  273. package/dist/rules/require-dependabot-labels.d.ts +9 -0
  274. package/dist/rules/require-dependabot-labels.d.ts.map +1 -0
  275. package/dist/rules/require-dependabot-labels.js +52 -0
  276. package/dist/rules/require-dependabot-labels.js.map +1 -0
  277. package/dist/rules/require-dependabot-open-pull-requests-limit.d.ts +9 -0
  278. package/dist/rules/require-dependabot-open-pull-requests-limit.d.ts.map +1 -0
  279. package/dist/rules/require-dependabot-open-pull-requests-limit.js +55 -0
  280. package/dist/rules/require-dependabot-open-pull-requests-limit.js.map +1 -0
  281. package/dist/rules/require-dependabot-package-ecosystem.d.ts +9 -0
  282. package/dist/rules/require-dependabot-package-ecosystem.d.ts.map +1 -0
  283. package/dist/rules/require-dependabot-package-ecosystem.js +79 -0
  284. package/dist/rules/require-dependabot-package-ecosystem.js.map +1 -0
  285. package/dist/rules/require-dependabot-patterns-for-multi-ecosystem-group.d.ts +9 -0
  286. package/dist/rules/require-dependabot-patterns-for-multi-ecosystem-group.d.ts.map +1 -0
  287. package/dist/rules/require-dependabot-patterns-for-multi-ecosystem-group.js +58 -0
  288. package/dist/rules/require-dependabot-patterns-for-multi-ecosystem-group.js.map +1 -0
  289. package/dist/rules/require-dependabot-schedule-cronjob.d.ts +9 -0
  290. package/dist/rules/require-dependabot-schedule-cronjob.d.ts.map +1 -0
  291. package/dist/rules/require-dependabot-schedule-cronjob.js +82 -0
  292. package/dist/rules/require-dependabot-schedule-cronjob.js.map +1 -0
  293. package/dist/rules/require-dependabot-schedule-interval.d.ts +9 -0
  294. package/dist/rules/require-dependabot-schedule-interval.d.ts.map +1 -0
  295. package/dist/rules/require-dependabot-schedule-interval.js +73 -0
  296. package/dist/rules/require-dependabot-schedule-interval.js.map +1 -0
  297. package/dist/rules/require-dependabot-schedule-time.d.ts +9 -0
  298. package/dist/rules/require-dependabot-schedule-time.d.ts.map +1 -0
  299. package/dist/rules/require-dependabot-schedule-time.js +68 -0
  300. package/dist/rules/require-dependabot-schedule-time.js.map +1 -0
  301. package/dist/rules/require-dependabot-schedule-timezone.d.ts +9 -0
  302. package/dist/rules/require-dependabot-schedule-timezone.d.ts.map +1 -0
  303. package/dist/rules/require-dependabot-schedule-timezone.js +69 -0
  304. package/dist/rules/require-dependabot-schedule-timezone.js.map +1 -0
  305. package/dist/rules/require-dependabot-target-branch.d.ts +9 -0
  306. package/dist/rules/require-dependabot-target-branch.d.ts.map +1 -0
  307. package/dist/rules/require-dependabot-target-branch.js +53 -0
  308. package/dist/rules/require-dependabot-target-branch.js.map +1 -0
  309. package/dist/rules/require-dependabot-updates.d.ts +9 -0
  310. package/dist/rules/require-dependabot-updates.d.ts.map +1 -0
  311. package/dist/rules/require-dependabot-updates.js +54 -0
  312. package/dist/rules/require-dependabot-updates.js.map +1 -0
  313. package/dist/rules/require-dependabot-version.d.ts +9 -0
  314. package/dist/rules/require-dependabot-version.d.ts.map +1 -0
  315. package/dist/rules/require-dependabot-version.js +62 -0
  316. package/dist/rules/require-dependabot-version.js.map +1 -0
  317. package/dist/rules/require-dependabot-versioning-strategy-for-npm.d.ts +9 -0
  318. package/dist/rules/require-dependabot-versioning-strategy-for-npm.d.ts.map +1 -0
  319. package/dist/rules/require-dependabot-versioning-strategy-for-npm.js +58 -0
  320. package/dist/rules/require-dependabot-versioning-strategy-for-npm.js.map +1 -0
  321. package/dist/rules/require-dependency-review-action.d.ts +9 -0
  322. package/dist/rules/require-dependency-review-action.d.ts.map +1 -0
  323. package/dist/rules/require-dependency-review-action.js +51 -0
  324. package/dist/rules/require-dependency-review-action.js.map +1 -0
  325. package/dist/rules/require-dependency-review-fail-on-severity.d.ts +9 -0
  326. package/dist/rules/require-dependency-review-fail-on-severity.d.ts.map +1 -0
  327. package/dist/rules/require-dependency-review-fail-on-severity.js +62 -0
  328. package/dist/rules/require-dependency-review-fail-on-severity.js.map +1 -0
  329. package/dist/rules/require-dependency-review-permissions-contents-read.d.ts +9 -0
  330. package/dist/rules/require-dependency-review-permissions-contents-read.d.ts.map +1 -0
  331. package/dist/rules/require-dependency-review-permissions-contents-read.js +55 -0
  332. package/dist/rules/require-dependency-review-permissions-contents-read.js.map +1 -0
  333. package/dist/rules/require-dependency-review-pull-request-trigger.d.ts +9 -0
  334. package/dist/rules/require-dependency-review-pull-request-trigger.d.ts.map +1 -0
  335. package/dist/rules/require-dependency-review-pull-request-trigger.js +47 -0
  336. package/dist/rules/require-dependency-review-pull-request-trigger.js.map +1 -0
  337. package/dist/rules/require-fetch-metadata-github-token.d.ts +9 -0
  338. package/dist/rules/require-fetch-metadata-github-token.d.ts.map +1 -0
  339. package/dist/rules/require-fetch-metadata-github-token.js +57 -0
  340. package/dist/rules/require-fetch-metadata-github-token.js.map +1 -0
  341. package/dist/rules/require-job-name.d.ts.map +1 -1
  342. package/dist/rules/require-job-name.js +35 -0
  343. package/dist/rules/require-job-name.js.map +1 -1
  344. package/dist/rules/require-job-step-name.d.ts.map +1 -1
  345. package/dist/rules/require-job-step-name.js +76 -0
  346. package/dist/rules/require-job-step-name.js.map +1 -1
  347. package/dist/rules/require-job-timeout-minutes.d.ts.map +1 -1
  348. package/dist/rules/require-job-timeout-minutes.js +3 -0
  349. package/dist/rules/require-job-timeout-minutes.js.map +1 -1
  350. package/dist/rules/require-merge-group-trigger.d.ts.map +1 -1
  351. package/dist/rules/require-merge-group-trigger.js +3 -0
  352. package/dist/rules/require-merge-group-trigger.js.map +1 -1
  353. package/dist/rules/require-pull-request-target-branches.d.ts.map +1 -1
  354. package/dist/rules/require-pull-request-target-branches.js +3 -0
  355. package/dist/rules/require-pull-request-target-branches.js.map +1 -1
  356. package/dist/rules/require-run-step-shell.d.ts.map +1 -1
  357. package/dist/rules/require-run-step-shell.js +3 -0
  358. package/dist/rules/require-run-step-shell.js.map +1 -1
  359. package/dist/rules/require-sarif-upload-security-events-write.d.ts +9 -0
  360. package/dist/rules/require-sarif-upload-security-events-write.d.ts.map +1 -0
  361. package/dist/rules/require-sarif-upload-security-events-write.js +51 -0
  362. package/dist/rules/require-sarif-upload-security-events-write.js.map +1 -0
  363. package/dist/rules/require-scorecard-results-format-sarif.d.ts +9 -0
  364. package/dist/rules/require-scorecard-results-format-sarif.d.ts.map +1 -0
  365. package/dist/rules/require-scorecard-results-format-sarif.js +57 -0
  366. package/dist/rules/require-scorecard-results-format-sarif.js.map +1 -0
  367. package/dist/rules/require-scorecard-upload-sarif-step.d.ts +9 -0
  368. package/dist/rules/require-scorecard-upload-sarif-step.d.ts.map +1 -0
  369. package/dist/rules/require-scorecard-upload-sarif-step.js +46 -0
  370. package/dist/rules/require-scorecard-upload-sarif-step.js.map +1 -0
  371. package/dist/rules/require-secret-scan-contents-read.d.ts +12 -0
  372. package/dist/rules/require-secret-scan-contents-read.d.ts.map +1 -0
  373. package/dist/rules/require-secret-scan-contents-read.js +53 -0
  374. package/dist/rules/require-secret-scan-contents-read.js.map +1 -0
  375. package/dist/rules/require-secret-scan-fetch-depth-zero.d.ts +9 -0
  376. package/dist/rules/require-secret-scan-fetch-depth-zero.d.ts.map +1 -0
  377. package/dist/rules/require-secret-scan-fetch-depth-zero.js +77 -0
  378. package/dist/rules/require-secret-scan-fetch-depth-zero.js.map +1 -0
  379. package/dist/rules/require-secret-scan-schedule.d.ts +9 -0
  380. package/dist/rules/require-secret-scan-schedule.d.ts.map +1 -0
  381. package/dist/rules/require-secret-scan-schedule.js +46 -0
  382. package/dist/rules/require-secret-scan-schedule.js.map +1 -0
  383. package/dist/rules/require-template-categories.d.ts.map +1 -1
  384. package/dist/rules/require-template-categories.js +3 -0
  385. package/dist/rules/require-template-categories.js.map +1 -1
  386. package/dist/rules/require-template-file-patterns.d.ts.map +1 -1
  387. package/dist/rules/require-template-file-patterns.js +3 -0
  388. package/dist/rules/require-template-file-patterns.js.map +1 -1
  389. package/dist/rules/require-template-icon-file-exists.d.ts.map +1 -1
  390. package/dist/rules/require-template-icon-file-exists.js +3 -0
  391. package/dist/rules/require-template-icon-file-exists.js.map +1 -1
  392. package/dist/rules/require-template-icon-name.d.ts.map +1 -1
  393. package/dist/rules/require-template-icon-name.js +3 -0
  394. package/dist/rules/require-template-icon-name.js.map +1 -1
  395. package/dist/rules/require-template-workflow-name.d.ts.map +1 -1
  396. package/dist/rules/require-template-workflow-name.js +3 -0
  397. package/dist/rules/require-template-workflow-name.js.map +1 -1
  398. package/dist/rules/require-trigger-types.d.ts.map +1 -1
  399. package/dist/rules/require-trigger-types.js +3 -0
  400. package/dist/rules/require-trigger-types.js.map +1 -1
  401. package/dist/rules/require-trufflehog-verified-results-mode.d.ts +9 -0
  402. package/dist/rules/require-trufflehog-verified-results-mode.d.ts.map +1 -0
  403. package/dist/rules/require-trufflehog-verified-results-mode.js +59 -0
  404. package/dist/rules/require-trufflehog-verified-results-mode.js.map +1 -0
  405. package/dist/rules/require-workflow-call-input-type.d.ts.map +1 -1
  406. package/dist/rules/require-workflow-call-input-type.js +3 -0
  407. package/dist/rules/require-workflow-call-input-type.js.map +1 -1
  408. package/dist/rules/require-workflow-call-output-value.d.ts.map +1 -1
  409. package/dist/rules/require-workflow-call-output-value.js +3 -0
  410. package/dist/rules/require-workflow-call-output-value.js.map +1 -1
  411. package/dist/rules/require-workflow-concurrency.d.ts.map +1 -1
  412. package/dist/rules/require-workflow-concurrency.js +3 -0
  413. package/dist/rules/require-workflow-concurrency.js.map +1 -1
  414. package/dist/rules/require-workflow-dispatch-input-type.d.ts.map +1 -1
  415. package/dist/rules/require-workflow-dispatch-input-type.js +3 -0
  416. package/dist/rules/require-workflow-dispatch-input-type.js.map +1 -1
  417. package/dist/rules/require-workflow-interface-description.d.ts.map +1 -1
  418. package/dist/rules/require-workflow-interface-description.js +3 -0
  419. package/dist/rules/require-workflow-interface-description.js.map +1 -1
  420. package/dist/rules/require-workflow-permissions.d.ts.map +1 -1
  421. package/dist/rules/require-workflow-permissions.js +7 -0
  422. package/dist/rules/require-workflow-permissions.js.map +1 -1
  423. package/dist/rules/require-workflow-run-branches.d.ts.map +1 -1
  424. package/dist/rules/require-workflow-run-branches.js +3 -0
  425. package/dist/rules/require-workflow-run-branches.js.map +1 -1
  426. package/dist/rules/require-workflow-template-pair.d.ts.map +1 -1
  427. package/dist/rules/require-workflow-template-pair.js +3 -0
  428. package/dist/rules/require-workflow-template-pair.js.map +1 -1
  429. package/dist/rules/require-workflow-template-properties-pair.d.ts.map +1 -1
  430. package/dist/rules/require-workflow-template-properties-pair.js +3 -0
  431. package/dist/rules/require-workflow-template-properties-pair.js.map +1 -1
  432. package/dist/rules/valid-timeout-minutes.d.ts.map +1 -1
  433. package/dist/rules/valid-timeout-minutes.js +3 -0
  434. package/dist/rules/valid-timeout-minutes.js.map +1 -1
  435. package/dist/rules/valid-trigger-events.d.ts.map +1 -1
  436. package/dist/rules/valid-trigger-events.js +3 -0
  437. package/dist/rules/valid-trigger-events.js.map +1 -1
  438. package/docs/rules/action-name-casing.md +6 -2
  439. package/docs/rules/no-codeql-autobuild-for-javascript-typescript.md +55 -0
  440. package/docs/rules/no-codeql-javascript-typescript-split-language-matrix.md +51 -0
  441. package/docs/rules/no-empty-template-file-pattern.md +5 -1
  442. package/docs/rules/no-icon-file-extension-in-template-icon-name.md +5 -1
  443. package/docs/rules/no-overlapping-dependabot-directories.md +87 -0
  444. package/docs/rules/no-path-separators-in-template-icon-name.md +5 -1
  445. package/docs/rules/no-post-if-without-post.md +5 -1
  446. package/docs/rules/no-pre-if-without-pre.md +5 -1
  447. package/docs/rules/no-required-input-with-default.md +10 -1
  448. package/docs/rules/no-unknown-dependabot-multi-ecosystem-group.md +62 -0
  449. package/docs/rules/no-unused-dependabot-enable-beta-ecosystems.md +63 -0
  450. package/docs/rules/overview.md +47 -1
  451. package/docs/rules/prefer-inputs-context.md +6 -2
  452. package/docs/rules/presets/action-metadata.md +26 -15
  453. package/docs/rules/presets/all.md +129 -73
  454. package/docs/rules/presets/code-scanning.md +33 -0
  455. package/docs/rules/presets/dependabot.md +40 -0
  456. package/docs/rules/presets/index.md +139 -81
  457. package/docs/rules/presets/recommended.md +34 -23
  458. package/docs/rules/presets/security.md +39 -13
  459. package/docs/rules/presets/strict.md +56 -45
  460. package/docs/rules/presets/workflow-template-properties.md +26 -15
  461. package/docs/rules/presets/workflow-templates.md +30 -19
  462. package/docs/rules/require-codeql-actions-read.md +50 -0
  463. package/docs/rules/require-codeql-branch-filters.md +53 -0
  464. package/docs/rules/require-codeql-category-when-language-matrix.md +49 -0
  465. package/docs/rules/require-codeql-pull-request-trigger.md +53 -0
  466. package/docs/rules/require-codeql-schedule.md +57 -0
  467. package/docs/rules/require-codeql-security-events-write.md +50 -0
  468. package/docs/rules/require-dependabot-assignees.md +64 -0
  469. package/docs/rules/require-dependabot-automation-permissions.md +53 -0
  470. package/docs/rules/require-dependabot-automation-pull-request-trigger.md +49 -0
  471. package/docs/rules/require-dependabot-bot-actor-guard.md +52 -0
  472. package/docs/rules/require-dependabot-commit-message-include-scope.md +58 -0
  473. package/docs/rules/require-dependabot-commit-message-prefix-development.md +60 -0
  474. package/docs/rules/require-dependabot-commit-message-prefix.md +64 -0
  475. package/docs/rules/require-dependabot-cooldown.md +59 -0
  476. package/docs/rules/require-dependabot-directory.md +79 -0
  477. package/docs/rules/require-dependabot-github-actions-directory-root.md +62 -0
  478. package/docs/rules/require-dependabot-labels.md +65 -0
  479. package/docs/rules/require-dependabot-open-pull-requests-limit.md +58 -0
  480. package/docs/rules/require-dependabot-package-ecosystem.md +57 -0
  481. package/docs/rules/require-dependabot-patterns-for-multi-ecosystem-group.md +67 -0
  482. package/docs/rules/require-dependabot-schedule-cronjob.md +74 -0
  483. package/docs/rules/require-dependabot-schedule-interval.md +66 -0
  484. package/docs/rules/require-dependabot-schedule-time.md +60 -0
  485. package/docs/rules/require-dependabot-schedule-timezone.md +61 -0
  486. package/docs/rules/require-dependabot-target-branch.md +63 -0
  487. package/docs/rules/require-dependabot-updates.md +58 -0
  488. package/docs/rules/require-dependabot-version.md +70 -0
  489. package/docs/rules/require-dependabot-versioning-strategy-for-npm.md +58 -0
  490. package/docs/rules/require-dependency-review-action.md +60 -0
  491. package/docs/rules/require-dependency-review-fail-on-severity.md +57 -0
  492. package/docs/rules/require-dependency-review-permissions-contents-read.md +62 -0
  493. package/docs/rules/require-dependency-review-pull-request-trigger.md +57 -0
  494. package/docs/rules/require-fetch-metadata-github-token.md +49 -0
  495. package/docs/rules/require-job-name.md +6 -2
  496. package/docs/rules/require-job-step-name.md +11 -2
  497. package/docs/rules/require-sarif-upload-security-events-write.md +50 -0
  498. package/docs/rules/require-scorecard-results-format-sarif.md +49 -0
  499. package/docs/rules/require-scorecard-upload-sarif-step.md +55 -0
  500. package/docs/rules/require-secret-scan-contents-read.md +48 -0
  501. package/docs/rules/require-secret-scan-fetch-depth-zero.md +50 -0
  502. package/docs/rules/require-secret-scan-schedule.md +50 -0
  503. package/docs/rules/require-trufflehog-verified-results-mode.md +49 -0
  504. package/package.json +50 -57
@@ -0,0 +1,60 @@
1
+ # require-dependabot-commit-message-prefix-development
2
+
3
+ > **Rule catalog ID:** R090
4
+
5
+ ## Targeted pattern scope
6
+
7
+ Dependabot update entries for ecosystems that support `commit-message.prefix-development`, including values inherited from `multi-ecosystem-groups`.
8
+
9
+ ## What this rule reports
10
+
11
+ This rule reports supported update entries that do not define a non-empty `commit-message.prefix-development`.
12
+
13
+ ## Why this rule exists
14
+
15
+ Development dependency updates often deserve different review and merge treatment than production dependencies. Requiring a dedicated development prefix makes that distinction visible in Dependabot commit messages and pull request titles.
16
+
17
+ ## ❌ Incorrect
18
+
19
+ ```yaml
20
+ version: 2
21
+ updates:
22
+ - package-ecosystem: "npm"
23
+ directory: "/"
24
+ commit-message:
25
+ prefix: "deps"
26
+ include: "scope"
27
+ ```
28
+
29
+ ## ✅ Correct
30
+
31
+ ```yaml
32
+ version: 2
33
+ updates:
34
+ - package-ecosystem: "npm"
35
+ directory: "/"
36
+ commit-message:
37
+ prefix: "deps"
38
+ prefix-development: "deps-dev"
39
+ include: "scope"
40
+ ```
41
+
42
+ ## Additional examples
43
+
44
+ This rule only applies to ecosystems that GitHub documents as supporting `prefix-development`, so unrelated ecosystems are ignored.
45
+
46
+ ## ESLint flat config example
47
+
48
+ ```ts
49
+ import githubActions from "eslint-plugin-github-actions-2";
50
+
51
+ export default [githubActions.configs.dependabot];
52
+ ```
53
+
54
+ ## When not to use it
55
+
56
+ Disable this rule if the repository intentionally wants identical Dependabot title prefixes for production and development dependencies.
57
+
58
+ ## Further reading
59
+
60
+ - [Dependabot options reference: commit-message](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#commit-message--)
@@ -0,0 +1,64 @@
1
+ # require-dependabot-commit-message-prefix
2
+
3
+ > **Rule catalog ID:** R079
4
+
5
+ ## Targeted pattern scope
6
+
7
+ Dependabot update entries and multi-ecosystem groups that configure `commit-message` formatting.
8
+
9
+ ## What this rule reports
10
+
11
+ This rule reports update entries that do not resolve to a non-empty `commit-message.prefix`.
12
+
13
+ ## Why this rule exists
14
+
15
+ Dependabot commit messages also shape pull request titles. Requiring a prefix keeps automation, filtering, and review conventions consistent across dependency update pull requests.
16
+
17
+ ## ❌ Incorrect
18
+
19
+ ```yaml
20
+ version: 2
21
+ updates:
22
+ - package-ecosystem: "npm"
23
+ directory: "/"
24
+ schedule:
25
+ interval: "weekly"
26
+ time: "05:30"
27
+ timezone: "UTC"
28
+ ```
29
+
30
+ ## ✅ Correct
31
+
32
+ ```yaml
33
+ version: 2
34
+ updates:
35
+ - package-ecosystem: "npm"
36
+ directory: "/"
37
+ schedule:
38
+ interval: "weekly"
39
+ time: "05:30"
40
+ timezone: "UTC"
41
+ commit-message:
42
+ prefix: "deps"
43
+ ```
44
+
45
+ ## Additional examples
46
+
47
+ Teams that trigger automation from pull request titles or commit conventions often use this rule to keep Dependabot updates aligned with the rest of the repository.
48
+
49
+ ## ESLint flat config example
50
+
51
+ ```ts
52
+ import githubActions from "eslint-plugin-github-actions-2";
53
+
54
+ export default [githubActions.configs.dependabot];
55
+ ```
56
+
57
+ ## When not to use it
58
+
59
+ Disable this rule when the repository intentionally relies on Dependabot's default commit message heuristics.
60
+
61
+ ## Further reading
62
+
63
+ - [Dependabot options reference: commit-message](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#commit-message--)
64
+ - [Customizing Dependabot pull requests: Adding a prefix to commit messages](https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/customizing-dependabot-prs#adding-a-prefix-to-commit-messages)
@@ -0,0 +1,59 @@
1
+ # require-dependabot-cooldown
2
+
3
+ > **Rule catalog ID:** R086
4
+
5
+ ## Targeted pattern scope
6
+
7
+ Dependabot update entries in `.github/dependabot.yml`.
8
+
9
+ ## What this rule reports
10
+
11
+ This rule reports update entries that omit the `cooldown` key.
12
+
13
+ ## Why this rule exists
14
+
15
+ Cooldown settings reduce noisy pull request churn by delaying fresh version updates for a defined period. Requiring the key makes update pacing an explicit policy decision instead of an accidental default.
16
+
17
+ ## ❌ Incorrect
18
+
19
+ ```yaml
20
+ version: 2
21
+ updates:
22
+ - package-ecosystem: "npm"
23
+ directory: "/"
24
+ schedule:
25
+ interval: "weekly"
26
+ ```
27
+
28
+ ## ✅ Correct
29
+
30
+ ```yaml
31
+ version: 2
32
+ updates:
33
+ - package-ecosystem: "npm"
34
+ directory: "/"
35
+ cooldown:
36
+ default-days: 3
37
+ schedule:
38
+ interval: "weekly"
39
+ ```
40
+
41
+ ## Additional examples
42
+
43
+ Teams that prefer fewer routine Dependabot pull requests often combine cooldown with grouped updates and explicit pull request limits.
44
+
45
+ ## ESLint flat config example
46
+
47
+ ```ts
48
+ import githubActions from "eslint-plugin-github-actions-2";
49
+
50
+ export default [githubActions.configs.dependabot];
51
+ ```
52
+
53
+ ## When not to use it
54
+
55
+ Disable this rule if the repository intentionally wants Dependabot to consider each new release immediately.
56
+
57
+ ## Further reading
58
+
59
+ - [Dependabot options reference: cooldown](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-)
@@ -0,0 +1,79 @@
1
+ # require-dependabot-directory
2
+
3
+ > **Rule catalog ID:** R073
4
+
5
+ ## Targeted pattern scope
6
+
7
+ Entries under the top-level `updates` sequence in Dependabot configuration files.
8
+
9
+ ## What this rule reports
10
+
11
+ This rule reports update entries that omit both `directory` and `directories`, define both at once, or provide only empty values.
12
+
13
+ ## Why this rule exists
14
+
15
+ Dependabot needs a manifest search location for every update block. Requiring exactly one directory form keeps update intent explicit and avoids ambiguous configuration.
16
+
17
+ ## ❌ Incorrect
18
+
19
+ ```yaml
20
+ version: 2
21
+ updates:
22
+ - package-ecosystem: "npm"
23
+ schedule:
24
+ interval: "weekly"
25
+ ```
26
+
27
+ ```yaml
28
+ version: 2
29
+ updates:
30
+ - package-ecosystem: "npm"
31
+ directory: "/"
32
+ directories:
33
+ - "/docs/docusaurus"
34
+ schedule:
35
+ interval: "weekly"
36
+ ```
37
+
38
+ ## ✅ Correct
39
+
40
+ ```yaml
41
+ version: 2
42
+ updates:
43
+ - package-ecosystem: "npm"
44
+ directory: "/"
45
+ schedule:
46
+ interval: "weekly"
47
+ ```
48
+
49
+ ```yaml
50
+ version: 2
51
+ updates:
52
+ - package-ecosystem: "npm"
53
+ directories:
54
+ - "/"
55
+ - "/docs/docusaurus"
56
+ schedule:
57
+ interval: "weekly"
58
+ ```
59
+
60
+ ## Additional examples
61
+
62
+ Use this rule together with monorepo-oriented Dependabot settings when some workspaces live outside the repository root and need their own manifest scan locations.
63
+
64
+ ## ESLint flat config example
65
+
66
+ ```ts
67
+ import githubActions from "eslint-plugin-github-actions-2";
68
+
69
+ export default [githubActions.configs.dependabot];
70
+ ```
71
+
72
+ ## When not to use it
73
+
74
+ Disable this rule only if another repository-specific validator already enforces directory selection semantics.
75
+
76
+ ## Further reading
77
+
78
+ - [Dependabot options reference: directories or directory](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#directories-or-directory--)
79
+ - [Defining multiple locations for manifest files](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#defining-multiple-locations-for-manifest-files)
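--- a/package/docs/rules/require-dependabot-github-actions-directory-root.md
+++ b/package/docs/rules/require-dependabot-github-actions-directory-root.md
@@ -0,0 +1,62 @@
+# require-dependabot-github-actions-directory-root
+
+> **Rule catalog ID:** R084
+
+## Targeted pattern scope
+
+Dependabot update entries that use `package-ecosystem: "github-actions"`.
+
+## What this rule reports
+
+This rule reports GitHub Actions ecosystem entries that do not use `directory: "/"` exactly, or that try to use `directories` instead.
+
+## Why this rule exists
+
+GitHub documents `directory: "/"` as the correct location for the `github-actions` ecosystem. Dependabot uses that root setting to scan the standard workflow directory and root action metadata locations. Using a narrower or alternate directory is misleading and can cause missed updates.
+
+## ❌ Incorrect
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+directory: "/.github/workflows"
+schedule:
+interval: "weekly"
+```
+
+## ✅ Correct
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+directory: "/"
+schedule:
+interval: "weekly"
+```
+
+## Behavior and migration notes
+
+The autofixer rewrites GitHub Actions ecosystem entries to the canonical `directory: "/"` form. If the entry incorrectly uses `directories`, the fix replaces that block with the single documented `directory` key because that is the only supported location for `package-ecosystem: "github-actions"`.
+
+## Additional examples
+
+This rule is a good fit for repositories that maintain both workflow YAML and root-level composite or JavaScript actions, because the documented root scan location covers both surfaces.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.dependabot];
+```
+
+## When not to use it
+
+Disable this rule only if GitHub changes the documented scan behavior for the `github-actions` ecosystem and the repository intentionally follows that newer contract.
+
+## Further reading
+
+- [Dependabot options reference: directories or directory](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#directories-or-directory--)
+- [Example dependabot.yml file](https://docs.github.com/en/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configuring-dependabot-version-updates#example-dependabotyml-file)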
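--- a/package/docs/rules/require-dependabot-labels.md
+++ b/package/docs/rules/require-dependabot-labels.md
@@ -0,0 +1,65 @@
+# require-dependabot-labels
+
+> **Rule catalog ID:** R080
+
+## Targeted pattern scope
+
+Dependabot update entries and multi-ecosystem groups that decide pull request labels.
+
+## What this rule reports
+
+This rule reports update entries that do not resolve to a non-empty `labels` list, either directly or via `multi-ecosystem-groups` inheritance.
+
+## Why this rule exists
+
+Labels are a high-leverage way to route Dependabot pull requests into automation, project boards, or triage queues. Requiring them keeps dependency updates easy to filter and process consistently.
+
+## ❌ Incorrect
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "weekly"
+time: "05:30"
+timezone: "UTC"
+```
+
+## ✅ Correct
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "weekly"
+time: "05:30"
+timezone: "UTC"
+labels:
+- "dependabot"
+- "dependencies"
+```
+
+## Additional examples
+
+This rule is a strong fit when Dependabot pull requests feed dashboards, project automation, or triage workflows that rely on consistent labels.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.dependabot];
+```
+
+## When not to use it
+
+Disable this rule if the repository intentionally accepts Dependabot's default labels without any custom triage flow.
+
+## Further reading
+
+- [Dependabot options reference: labels](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#labels--)
+- [Customizing Dependabot pull requests: Labeling pull requests with custom labels](https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/customizing-dependabot-prs#labeling-pull-requests-with-custom-labels)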
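--- a/package/docs/rules/require-dependabot-open-pull-requests-limit.md
+++ b/package/docs/rules/require-dependabot-open-pull-requests-limit.md
@@ -0,0 +1,58 @@
+# require-dependabot-open-pull-requests-limit
+
+> **Rule catalog ID:** R087
+
+## Targeted pattern scope
+
+Dependabot update entries in `.github/dependabot.yml`.
+
+## What this rule reports
+
+This rule reports update entries that do not define `open-pull-requests-limit`.
+
+## Why this rule exists
+
+Dependabot defaults can be reasonable, but they are still implicit. Requiring an explicit open pull request limit makes update volume a deliberate repository policy.
+
+## ❌ Incorrect
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "weekly"
+```
+
+## ✅ Correct
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+open-pull-requests-limit: 5
+schedule:
+interval: "weekly"
+```
+
+## Additional examples
+
+This rule works well with grouped updates because the repository can cap Dependabot volume even when multiple manifests are monitored.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.dependabot];
+```
+
+## When not to use it
+
+Disable this rule if the repository intentionally relies on Dependabot's built-in default PR limit.
+
+## Further reading
+
+- [Dependabot options reference: open-pull-requests-limit](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#open-pull-requests-limit-)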
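--- a/package/docs/rules/require-dependabot-package-ecosystem.md
+++ b/package/docs/rules/require-dependabot-package-ecosystem.md
@@ -0,0 +1,57 @@
+# require-dependabot-package-ecosystem
+
+> **Rule catalog ID:** R072
+
+## Targeted pattern scope
+
+Entries under the top-level `updates` sequence in Dependabot configuration files.
+
+## What this rule reports
+
+This rule reports `updates` entries that are not mappings, or mappings that omit a non-empty `package-ecosystem`.
+
+## Why this rule exists
+
+Dependabot cannot resolve package-manager-specific behavior without knowing the ecosystem for each update block. Missing `package-ecosystem` means the rest of the block has no clear target.
+
+## ❌ Incorrect
+
+```yaml
+version: 2
+updates:
+- directory: "/"
+schedule:
+interval: "weekly"
+```
+
+## ✅ Correct
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "weekly"
+```
+
+## Additional examples
+
+This rule is especially helpful when large `updates` blocks are copied and edited by hand, since missing `package-ecosystem` is easy to overlook in repetitive YAML.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.dependabot];
+```
+
+## When not to use it
+
+If you already validate Dependabot files against a stricter schema elsewhere, this rule can be redundant.
+
+## Further reading
+
+- [Dependabot options reference: package-ecosystem](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#package-ecosystem-)
+- [Dependabot options reference: Required keys](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#required-keys)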
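--- a/package/docs/rules/require-dependabot-patterns-for-multi-ecosystem-group.md
+++ b/package/docs/rules/require-dependabot-patterns-for-multi-ecosystem-group.md
@@ -0,0 +1,67 @@
+# require-dependabot-patterns-for-multi-ecosystem-group
+
+> **Rule catalog ID:** R082
+
+## Targeted pattern scope
+
+Dependabot update entries that opt into `multi-ecosystem-group`.
+
+## What this rule reports
+
+This rule reports grouped update entries that do not declare a non-empty `patterns` list.
+
+## Why this rule exists
+
+GitHub's multi-ecosystem update guide calls out `patterns` as a required part of assigning ecosystems to a group. Without patterns, the grouping intent is underspecified and Dependabot may not consolidate updates the way the configuration suggests.
+
+## ❌ Incorrect
+
+```yaml
+version: 2
+multi-ecosystem-groups:
+app:
+schedule:
+interval: "weekly"
+
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+multi-ecosystem-group: "app"
+```
+
+## ✅ Correct
+
+```yaml
+version: 2
+multi-ecosystem-groups:
+app:
+schedule:
+interval: "weekly"
+
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+multi-ecosystem-group: "app"
+patterns: ["*"]
+```
+
+## Additional examples
+
+Use `patterns: ["*"]` when the goal is to group every dependency in that ecosystem rather than a narrower allowlist.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.dependabot];
+```
+
+## When not to use it
+
+Disable this rule only if the repository intentionally avoids multi-ecosystem updates entirely.
+
+## Further reading
+
+- [Configuring multi-ecosystem updates for Dependabot](https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/configuring-multi-ecosystem-updates)
+- [Dependabot options reference: multi-ecosystem-groups](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#multi-ecosystem-groups-)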
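--- a/package/docs/rules/require-dependabot-schedule-cronjob.md
+++ b/package/docs/rules/require-dependabot-schedule-cronjob.md
@@ -0,0 +1,74 @@
+# require-dependabot-schedule-cronjob
+
+> **Rule catalog ID:** R083
+
+## Targeted pattern scope
+
+Dependabot schedule mappings that use `interval: "cron"`, including schedules inherited from `multi-ecosystem-groups`.
+
+## What this rule reports
+
+This rule reports two cases:
+
+- `interval: "cron"` without a non-empty `cronjob`
+- non-cron intervals that still define `cronjob`
+
+## Why this rule exists
+
+`cronjob` is meaningful only when Dependabot is configured with `interval: "cron"`. Requiring it in cron mode and forbidding it elsewhere keeps schedule intent explicit and avoids configuration that looks more precise than Dependabot will actually honor.
+
+## ❌ Incorrect
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "cron"
+timezone: "UTC"
+```
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "weekly"
+cronjob: "0 9 * * *"
+```
+
+## ✅ Correct
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "cron"
+cronjob: "0 9 * * *"
+timezone: "UTC"
+```
+
+## Additional examples
+
+This rule complements `require-dependabot-schedule-time` and `require-dependabot-schedule-timezone` by covering the schedule branch where `cronjob` replaces `time`.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.dependabot];
+```
+
+## When not to use it
+
+Disable this rule only if the repository bans cron-based schedules and enforces that policy with a different rule set.
+
+## Further reading
+
+- [Dependabot options reference: schedule](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#schedule-)
+- [Dependabot options reference: schedule.cronjob](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#schedule-)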