eslint-plugin-github-actions-2 1.0.2 → 1.0.4

Files changed (504)
  1. package/README.md +149 -101
  2. package/dist/_internal/code-scanning-workflow.d.ts +37 -0
  3. package/dist/_internal/code-scanning-workflow.d.ts.map +1 -0
  4. package/dist/_internal/code-scanning-workflow.js +73 -0
  5. package/dist/_internal/code-scanning-workflow.js.map +1 -0
  6. package/dist/_internal/dependabot-automation-workflow.d.ts +26 -0
  7. package/dist/_internal/dependabot-automation-workflow.d.ts.map +1 -0
  8. package/dist/_internal/dependabot-automation-workflow.js +25 -0
  9. package/dist/_internal/dependabot-automation-workflow.js.map +1 -0
  10. package/dist/_internal/dependabot-yaml.d.ts +63 -0
  11. package/dist/_internal/dependabot-yaml.d.ts.map +1 -0
  12. package/dist/_internal/dependabot-yaml.js +139 -0
  13. package/dist/_internal/dependabot-yaml.js.map +1 -0
  14. package/dist/_internal/dependency-review-workflow.d.ts +20 -0
  15. package/dist/_internal/dependency-review-workflow.d.ts.map +1 -0
  16. package/dist/_internal/dependency-review-workflow.js +9 -0
  17. package/dist/_internal/dependency-review-workflow.js.map +1 -0
  18. package/dist/_internal/github-actions-config-references.d.ts +1 -1
  19. package/dist/_internal/github-actions-config-references.d.ts.map +1 -1
  20. package/dist/_internal/github-actions-config-references.js +19 -2
  21. package/dist/_internal/github-actions-config-references.js.map +1 -1
  22. package/dist/_internal/lint-targets.d.ts +15 -0
  23. package/dist/_internal/lint-targets.d.ts.map +1 -1
  24. package/dist/_internal/lint-targets.js +41 -0
  25. package/dist/_internal/lint-targets.js.map +1 -1
  26. package/dist/_internal/rules-registry.d.ts +90 -0
  27. package/dist/_internal/rules-registry.d.ts.map +1 -1
  28. package/dist/_internal/rules-registry.js +90 -0
  29. package/dist/_internal/rules-registry.js.map +1 -1
  30. package/dist/_internal/secret-scanning-workflow.d.ts +24 -0
  31. package/dist/_internal/secret-scanning-workflow.d.ts.map +1 -0
  32. package/dist/_internal/secret-scanning-workflow.js +21 -0
  33. package/dist/_internal/secret-scanning-workflow.js.map +1 -0
  34. package/dist/_internal/workflow-action-steps.d.ts +35 -0
  35. package/dist/_internal/workflow-action-steps.d.ts.map +1 -0
  36. package/dist/_internal/workflow-action-steps.js +75 -0
  37. package/dist/_internal/workflow-action-steps.js.map +1 -0
  38. package/dist/_internal/workflow-permissions.d.ts +11 -0
  39. package/dist/_internal/workflow-permissions.d.ts.map +1 -0
  40. package/dist/_internal/workflow-permissions.js +50 -0
  41. package/dist/_internal/workflow-permissions.js.map +1 -0
  42. package/dist/_internal/yaml-fixes.d.ts +13 -0
  43. package/dist/_internal/yaml-fixes.d.ts.map +1 -0
  44. package/dist/_internal/yaml-fixes.js +77 -0
  45. package/dist/_internal/yaml-fixes.js.map +1 -0
  46. package/dist/plugin.cjs +3516 -268
  47. package/dist/plugin.cjs.map +4 -4
  48. package/dist/plugin.d.ts.map +1 -1
  49. package/dist/plugin.js +2 -0
  50. package/dist/plugin.js.map +1 -1
  51. package/dist/rules/action-name-casing.d.ts.map +1 -1
  52. package/dist/rules/action-name-casing.js +3 -0
  53. package/dist/rules/action-name-casing.js.map +1 -1
  54. package/dist/rules/job-id-casing.d.ts.map +1 -1
  55. package/dist/rules/job-id-casing.js +3 -0
  56. package/dist/rules/job-id-casing.js.map +1 -1
  57. package/dist/rules/max-jobs-per-action.d.ts.map +1 -1
  58. package/dist/rules/max-jobs-per-action.js +3 -0
  59. package/dist/rules/max-jobs-per-action.js.map +1 -1
  60. package/dist/rules/no-case-insensitive-input-id-collision.d.ts.map +1 -1
  61. package/dist/rules/no-case-insensitive-input-id-collision.js +3 -0
  62. package/dist/rules/no-case-insensitive-input-id-collision.js.map +1 -1
  63. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.d.ts +9 -0
  64. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.d.ts.map +1 -0
  65. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.js +54 -0
  66. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.js.map +1 -0
  67. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.d.ts +9 -0
  68. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.d.ts.map +1 -0
  69. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.js +50 -0
  70. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.js.map +1 -0
  71. package/dist/rules/no-composite-input-env-access.d.ts.map +1 -1
  72. package/dist/rules/no-composite-input-env-access.js +3 -0
  73. package/dist/rules/no-composite-input-env-access.js.map +1 -1
  74. package/dist/rules/no-deprecated-node-runtime.d.ts.map +1 -1
  75. package/dist/rules/no-deprecated-node-runtime.js +3 -0
  76. package/dist/rules/no-deprecated-node-runtime.js.map +1 -1
  77. package/dist/rules/no-duplicate-composite-step-id.d.ts.map +1 -1
  78. package/dist/rules/no-duplicate-composite-step-id.js +3 -0
  79. package/dist/rules/no-duplicate-composite-step-id.js.map +1 -1
  80. package/dist/rules/no-empty-template-file-pattern.d.ts.map +1 -1
  81. package/dist/rules/no-empty-template-file-pattern.js +6 -0
  82. package/dist/rules/no-empty-template-file-pattern.js.map +1 -1
  83. package/dist/rules/no-external-job.d.ts.map +1 -1
  84. package/dist/rules/no-external-job.js +3 -0
  85. package/dist/rules/no-external-job.js.map +1 -1
  86. package/dist/rules/no-hardcoded-default-branch-in-template.d.ts.map +1 -1
  87. package/dist/rules/no-hardcoded-default-branch-in-template.js +3 -0
  88. package/dist/rules/no-hardcoded-default-branch-in-template.js.map +1 -1
  89. package/dist/rules/no-icon-file-extension-in-template-icon-name.d.ts.map +1 -1
  90. package/dist/rules/no-icon-file-extension-in-template-icon-name.js +13 -3
  91. package/dist/rules/no-icon-file-extension-in-template-icon-name.js.map +1 -1
  92. package/dist/rules/no-inherit-secrets.d.ts.map +1 -1
  93. package/dist/rules/no-inherit-secrets.js +3 -0
  94. package/dist/rules/no-inherit-secrets.js.map +1 -1
  95. package/dist/rules/no-invalid-concurrency-context.d.ts.map +1 -1
  96. package/dist/rules/no-invalid-concurrency-context.js +3 -0
  97. package/dist/rules/no-invalid-concurrency-context.js.map +1 -1
  98. package/dist/rules/no-invalid-key.d.ts.map +1 -1
  99. package/dist/rules/no-invalid-key.js +7 -0
  100. package/dist/rules/no-invalid-key.js.map +1 -1
  101. package/dist/rules/no-invalid-reusable-workflow-job-key.d.ts.map +1 -1
  102. package/dist/rules/no-invalid-reusable-workflow-job-key.js +3 -0
  103. package/dist/rules/no-invalid-reusable-workflow-job-key.js.map +1 -1
  104. package/dist/rules/no-invalid-template-file-pattern-regex.d.ts.map +1 -1
  105. package/dist/rules/no-invalid-template-file-pattern-regex.js +3 -0
  106. package/dist/rules/no-invalid-template-file-pattern-regex.js.map +1 -1
  107. package/dist/rules/no-invalid-workflow-call-output-value.d.ts.map +1 -1
  108. package/dist/rules/no-invalid-workflow-call-output-value.js +3 -0
  109. package/dist/rules/no-invalid-workflow-call-output-value.js.map +1 -1
  110. package/dist/rules/no-overlapping-dependabot-directories.d.ts +9 -0
  111. package/dist/rules/no-overlapping-dependabot-directories.d.ts.map +1 -0
  112. package/dist/rules/no-overlapping-dependabot-directories.js +151 -0
  113. package/dist/rules/no-overlapping-dependabot-directories.js.map +1 -0
  114. package/dist/rules/no-path-separators-in-template-icon-name.d.ts.map +1 -1
  115. package/dist/rules/no-path-separators-in-template-icon-name.js +26 -3
  116. package/dist/rules/no-path-separators-in-template-icon-name.js.map +1 -1
  117. package/dist/rules/no-post-if-without-post.d.ts.map +1 -1
  118. package/dist/rules/no-post-if-without-post.js +6 -0
  119. package/dist/rules/no-post-if-without-post.js.map +1 -1
  120. package/dist/rules/no-pr-head-checkout-in-pull-request-target.d.ts.map +1 -1
  121. package/dist/rules/no-pr-head-checkout-in-pull-request-target.js +3 -0
  122. package/dist/rules/no-pr-head-checkout-in-pull-request-target.js.map +1 -1
  123. package/dist/rules/no-pre-if-without-pre.d.ts.map +1 -1
  124. package/dist/rules/no-pre-if-without-pre.js +6 -0
  125. package/dist/rules/no-pre-if-without-pre.js.map +1 -1
  126. package/dist/rules/no-required-input-with-default.d.ts.map +1 -1
  127. package/dist/rules/no-required-input-with-default.js +23 -0
  128. package/dist/rules/no-required-input-with-default.js.map +1 -1
  129. package/dist/rules/no-secrets-in-if.d.ts.map +1 -1
  130. package/dist/rules/no-secrets-in-if.js +3 -0
  131. package/dist/rules/no-secrets-in-if.js.map +1 -1
  132. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.d.ts.map +1 -1
  133. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.js +3 -0
  134. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.js.map +1 -1
  135. package/dist/rules/no-subdirectory-template-file-pattern.d.ts.map +1 -1
  136. package/dist/rules/no-subdirectory-template-file-pattern.js +3 -0
  137. package/dist/rules/no-subdirectory-template-file-pattern.js.map +1 -1
  138. package/dist/rules/no-template-placeholder-in-non-template-workflow.d.ts.map +1 -1
  139. package/dist/rules/no-template-placeholder-in-non-template-workflow.js +3 -0
  140. package/dist/rules/no-template-placeholder-in-non-template-workflow.js.map +1 -1
  141. package/dist/rules/no-top-level-env.d.ts.map +1 -1
  142. package/dist/rules/no-top-level-env.js +3 -0
  143. package/dist/rules/no-top-level-env.js.map +1 -1
  144. package/dist/rules/no-top-level-permissions.d.ts.map +1 -1
  145. package/dist/rules/no-top-level-permissions.js +3 -0
  146. package/dist/rules/no-top-level-permissions.js.map +1 -1
  147. package/dist/rules/no-universal-template-file-pattern.d.ts.map +1 -1
  148. package/dist/rules/no-universal-template-file-pattern.js +3 -0
  149. package/dist/rules/no-universal-template-file-pattern.js.map +1 -1
  150. package/dist/rules/no-unknown-dependabot-multi-ecosystem-group.d.ts +9 -0
  151. package/dist/rules/no-unknown-dependabot-multi-ecosystem-group.d.ts.map +1 -0
  152. package/dist/rules/no-unknown-dependabot-multi-ecosystem-group.js +58 -0
  153. package/dist/rules/no-unknown-dependabot-multi-ecosystem-group.js.map +1 -0
  154. package/dist/rules/no-unknown-input-reference-in-composite.d.ts.map +1 -1
  155. package/dist/rules/no-unknown-input-reference-in-composite.js +3 -0
  156. package/dist/rules/no-unknown-input-reference-in-composite.js.map +1 -1
  157. package/dist/rules/no-unknown-job-output-reference.d.ts.map +1 -1
  158. package/dist/rules/no-unknown-job-output-reference.js +3 -0
  159. package/dist/rules/no-unknown-job-output-reference.js.map +1 -1
  160. package/dist/rules/no-unknown-step-reference.d.ts.map +1 -1
  161. package/dist/rules/no-unknown-step-reference.js +3 -0
  162. package/dist/rules/no-unknown-step-reference.js.map +1 -1
  163. package/dist/rules/no-untrusted-input-in-run.d.ts.map +1 -1
  164. package/dist/rules/no-untrusted-input-in-run.js +3 -0
  165. package/dist/rules/no-untrusted-input-in-run.js.map +1 -1
  166. package/dist/rules/no-unused-dependabot-enable-beta-ecosystems.d.ts +9 -0
  167. package/dist/rules/no-unused-dependabot-enable-beta-ecosystems.d.ts.map +1 -0
  168. package/dist/rules/no-unused-dependabot-enable-beta-ecosystems.js +51 -0
  169. package/dist/rules/no-unused-dependabot-enable-beta-ecosystems.js.map +1 -0
  170. package/dist/rules/no-unused-input-in-composite.d.ts.map +1 -1
  171. package/dist/rules/no-unused-input-in-composite.js +3 -0
  172. package/dist/rules/no-unused-input-in-composite.js.map +1 -1
  173. package/dist/rules/no-write-all-permissions.d.ts.map +1 -1
  174. package/dist/rules/no-write-all-permissions.js +3 -0
  175. package/dist/rules/no-write-all-permissions.js.map +1 -1
  176. package/dist/rules/pin-action-shas.d.ts.map +1 -1
  177. package/dist/rules/pin-action-shas.js +3 -0
  178. package/dist/rules/pin-action-shas.js.map +1 -1
  179. package/dist/rules/prefer-action-yml.d.ts.map +1 -1
  180. package/dist/rules/prefer-action-yml.js +3 -0
  181. package/dist/rules/prefer-action-yml.js.map +1 -1
  182. package/dist/rules/prefer-fail-fast.d.ts.map +1 -1
  183. package/dist/rules/prefer-fail-fast.js +3 -0
  184. package/dist/rules/prefer-fail-fast.js.map +1 -1
  185. package/dist/rules/prefer-file-extension.d.ts.map +1 -1
  186. package/dist/rules/prefer-file-extension.js +3 -0
  187. package/dist/rules/prefer-file-extension.js.map +1 -1
  188. package/dist/rules/prefer-inputs-context.d.ts.map +1 -1
  189. package/dist/rules/prefer-inputs-context.js +3 -0
  190. package/dist/rules/prefer-inputs-context.js.map +1 -1
  191. package/dist/rules/prefer-step-uses-style.d.ts.map +1 -1
  192. package/dist/rules/prefer-step-uses-style.js +3 -0
  193. package/dist/rules/prefer-step-uses-style.js.map +1 -1
  194. package/dist/rules/prefer-template-yml-extension.d.ts.map +1 -1
  195. package/dist/rules/prefer-template-yml-extension.js +3 -0
  196. package/dist/rules/prefer-template-yml-extension.js.map +1 -1
  197. package/dist/rules/require-action-name.d.ts.map +1 -1
  198. package/dist/rules/require-action-name.js +7 -0
  199. package/dist/rules/require-action-name.js.map +1 -1
  200. package/dist/rules/require-action-run-name.d.ts.map +1 -1
  201. package/dist/rules/require-action-run-name.js +7 -0
  202. package/dist/rules/require-action-run-name.js.map +1 -1
  203. package/dist/rules/require-checkout-before-local-action.d.ts.map +1 -1
  204. package/dist/rules/require-checkout-before-local-action.js +3 -0
  205. package/dist/rules/require-checkout-before-local-action.js.map +1 -1
  206. package/dist/rules/require-codeql-actions-read.d.ts +9 -0
  207. package/dist/rules/require-codeql-actions-read.d.ts.map +1 -0
  208. package/dist/rules/require-codeql-actions-read.js +63 -0
  209. package/dist/rules/require-codeql-actions-read.js.map +1 -0
  210. package/dist/rules/require-codeql-branch-filters.d.ts +12 -0
  211. package/dist/rules/require-codeql-branch-filters.d.ts.map +1 -0
  212. package/dist/rules/require-codeql-branch-filters.js +83 -0
  213. package/dist/rules/require-codeql-branch-filters.js.map +1 -0
  214. package/dist/rules/require-codeql-category-when-language-matrix.d.ts +12 -0
  215. package/dist/rules/require-codeql-category-when-language-matrix.d.ts.map +1 -0
  216. package/dist/rules/require-codeql-category-when-language-matrix.js +68 -0
  217. package/dist/rules/require-codeql-category-when-language-matrix.js.map +1 -0
  218. package/dist/rules/require-codeql-pull-request-trigger.d.ts +9 -0
  219. package/dist/rules/require-codeql-pull-request-trigger.d.ts.map +1 -0
  220. package/dist/rules/require-codeql-pull-request-trigger.js +46 -0
  221. package/dist/rules/require-codeql-pull-request-trigger.js.map +1 -0
  222. package/dist/rules/require-codeql-schedule.d.ts +9 -0
  223. package/dist/rules/require-codeql-schedule.d.ts.map +1 -0
  224. package/dist/rules/require-codeql-schedule.js +46 -0
  225. package/dist/rules/require-codeql-schedule.js.map +1 -0
  226. package/dist/rules/require-codeql-security-events-write.d.ts +9 -0
  227. package/dist/rules/require-codeql-security-events-write.d.ts.map +1 -0
  228. package/dist/rules/require-codeql-security-events-write.js +53 -0
  229. package/dist/rules/require-codeql-security-events-write.js.map +1 -0
  230. package/dist/rules/require-composite-step-name.d.ts.map +1 -1
  231. package/dist/rules/require-composite-step-name.js +3 -0
  232. package/dist/rules/require-composite-step-name.js.map +1 -1
  233. package/dist/rules/require-dependabot-assignees.d.ts +9 -0
  234. package/dist/rules/require-dependabot-assignees.d.ts.map +1 -0
  235. package/dist/rules/require-dependabot-assignees.js +53 -0
  236. package/dist/rules/require-dependabot-assignees.js.map +1 -0
  237. package/dist/rules/require-dependabot-automation-permissions.d.ts +9 -0
  238. package/dist/rules/require-dependabot-automation-permissions.d.ts.map +1 -0
  239. package/dist/rules/require-dependabot-automation-permissions.js +68 -0
  240. package/dist/rules/require-dependabot-automation-permissions.js.map +1 -0
  241. package/dist/rules/require-dependabot-automation-pull-request-trigger.d.ts +12 -0
  242. package/dist/rules/require-dependabot-automation-pull-request-trigger.d.ts.map +1 -0
  243. package/dist/rules/require-dependabot-automation-pull-request-trigger.js +49 -0
  244. package/dist/rules/require-dependabot-automation-pull-request-trigger.js.map +1 -0
  245. package/dist/rules/require-dependabot-bot-actor-guard.d.ts +9 -0
  246. package/dist/rules/require-dependabot-bot-actor-guard.d.ts.map +1 -0
  247. package/dist/rules/require-dependabot-bot-actor-guard.js +64 -0
  248. package/dist/rules/require-dependabot-bot-actor-guard.js.map +1 -0
  249. package/dist/rules/require-dependabot-commit-message-include-scope.d.ts +9 -0
  250. package/dist/rules/require-dependabot-commit-message-include-scope.d.ts.map +1 -0
  251. package/dist/rules/require-dependabot-commit-message-include-scope.js +60 -0
  252. package/dist/rules/require-dependabot-commit-message-include-scope.js.map +1 -0
  253. package/dist/rules/require-dependabot-commit-message-prefix-development.d.ts +9 -0
  254. package/dist/rules/require-dependabot-commit-message-prefix-development.d.ts.map +1 -0
  255. package/dist/rules/require-dependabot-commit-message-prefix-development.js +75 -0
  256. package/dist/rules/require-dependabot-commit-message-prefix-development.js.map +1 -0
  257. package/dist/rules/require-dependabot-commit-message-prefix.d.ts +9 -0
  258. package/dist/rules/require-dependabot-commit-message-prefix.d.ts.map +1 -0
  259. package/dist/rules/require-dependabot-commit-message-prefix.js +60 -0
  260. package/dist/rules/require-dependabot-commit-message-prefix.js.map +1 -0
  261. package/dist/rules/require-dependabot-cooldown.d.ts +9 -0
  262. package/dist/rules/require-dependabot-cooldown.d.ts.map +1 -0
  263. package/dist/rules/require-dependabot-cooldown.js +52 -0
  264. package/dist/rules/require-dependabot-cooldown.js.map +1 -0
  265. package/dist/rules/require-dependabot-directory.d.ts +9 -0
  266. package/dist/rules/require-dependabot-directory.d.ts.map +1 -0
  267. package/dist/rules/require-dependabot-directory.js +68 -0
  268. package/dist/rules/require-dependabot-directory.js.map +1 -0
  269. package/dist/rules/require-dependabot-github-actions-directory-root.d.ts +9 -0
  270. package/dist/rules/require-dependabot-github-actions-directory-root.d.ts.map +1 -0
  271. package/dist/rules/require-dependabot-github-actions-directory-root.js +76 -0
  272. package/dist/rules/require-dependabot-github-actions-directory-root.js.map +1 -0
  273. package/dist/rules/require-dependabot-labels.d.ts +9 -0
  274. package/dist/rules/require-dependabot-labels.d.ts.map +1 -0
  275. package/dist/rules/require-dependabot-labels.js +52 -0
  276. package/dist/rules/require-dependabot-labels.js.map +1 -0
  277. package/dist/rules/require-dependabot-open-pull-requests-limit.d.ts +9 -0
  278. package/dist/rules/require-dependabot-open-pull-requests-limit.d.ts.map +1 -0
  279. package/dist/rules/require-dependabot-open-pull-requests-limit.js +55 -0
  280. package/dist/rules/require-dependabot-open-pull-requests-limit.js.map +1 -0
  281. package/dist/rules/require-dependabot-package-ecosystem.d.ts +9 -0
  282. package/dist/rules/require-dependabot-package-ecosystem.d.ts.map +1 -0
  283. package/dist/rules/require-dependabot-package-ecosystem.js +79 -0
  284. package/dist/rules/require-dependabot-package-ecosystem.js.map +1 -0
  285. package/dist/rules/require-dependabot-patterns-for-multi-ecosystem-group.d.ts +9 -0
  286. package/dist/rules/require-dependabot-patterns-for-multi-ecosystem-group.d.ts.map +1 -0
  287. package/dist/rules/require-dependabot-patterns-for-multi-ecosystem-group.js +58 -0
  288. package/dist/rules/require-dependabot-patterns-for-multi-ecosystem-group.js.map +1 -0
  289. package/dist/rules/require-dependabot-schedule-cronjob.d.ts +9 -0
  290. package/dist/rules/require-dependabot-schedule-cronjob.d.ts.map +1 -0
  291. package/dist/rules/require-dependabot-schedule-cronjob.js +82 -0
  292. package/dist/rules/require-dependabot-schedule-cronjob.js.map +1 -0
  293. package/dist/rules/require-dependabot-schedule-interval.d.ts +9 -0
  294. package/dist/rules/require-dependabot-schedule-interval.d.ts.map +1 -0
  295. package/dist/rules/require-dependabot-schedule-interval.js +73 -0
  296. package/dist/rules/require-dependabot-schedule-interval.js.map +1 -0
  297. package/dist/rules/require-dependabot-schedule-time.d.ts +9 -0
  298. package/dist/rules/require-dependabot-schedule-time.d.ts.map +1 -0
  299. package/dist/rules/require-dependabot-schedule-time.js +68 -0
  300. package/dist/rules/require-dependabot-schedule-time.js.map +1 -0
  301. package/dist/rules/require-dependabot-schedule-timezone.d.ts +9 -0
  302. package/dist/rules/require-dependabot-schedule-timezone.d.ts.map +1 -0
  303. package/dist/rules/require-dependabot-schedule-timezone.js +69 -0
  304. package/dist/rules/require-dependabot-schedule-timezone.js.map +1 -0
  305. package/dist/rules/require-dependabot-target-branch.d.ts +9 -0
  306. package/dist/rules/require-dependabot-target-branch.d.ts.map +1 -0
  307. package/dist/rules/require-dependabot-target-branch.js +53 -0
  308. package/dist/rules/require-dependabot-target-branch.js.map +1 -0
  309. package/dist/rules/require-dependabot-updates.d.ts +9 -0
  310. package/dist/rules/require-dependabot-updates.d.ts.map +1 -0
  311. package/dist/rules/require-dependabot-updates.js +54 -0
  312. package/dist/rules/require-dependabot-updates.js.map +1 -0
  313. package/dist/rules/require-dependabot-version.d.ts +9 -0
  314. package/dist/rules/require-dependabot-version.d.ts.map +1 -0
  315. package/dist/rules/require-dependabot-version.js +62 -0
  316. package/dist/rules/require-dependabot-version.js.map +1 -0
  317. package/dist/rules/require-dependabot-versioning-strategy-for-npm.d.ts +9 -0
  318. package/dist/rules/require-dependabot-versioning-strategy-for-npm.d.ts.map +1 -0
  319. package/dist/rules/require-dependabot-versioning-strategy-for-npm.js +58 -0
  320. package/dist/rules/require-dependabot-versioning-strategy-for-npm.js.map +1 -0
  321. package/dist/rules/require-dependency-review-action.d.ts +9 -0
  322. package/dist/rules/require-dependency-review-action.d.ts.map +1 -0
  323. package/dist/rules/require-dependency-review-action.js +51 -0
  324. package/dist/rules/require-dependency-review-action.js.map +1 -0
  325. package/dist/rules/require-dependency-review-fail-on-severity.d.ts +9 -0
  326. package/dist/rules/require-dependency-review-fail-on-severity.d.ts.map +1 -0
  327. package/dist/rules/require-dependency-review-fail-on-severity.js +62 -0
  328. package/dist/rules/require-dependency-review-fail-on-severity.js.map +1 -0
  329. package/dist/rules/require-dependency-review-permissions-contents-read.d.ts +9 -0
  330. package/dist/rules/require-dependency-review-permissions-contents-read.d.ts.map +1 -0
  331. package/dist/rules/require-dependency-review-permissions-contents-read.js +55 -0
  332. package/dist/rules/require-dependency-review-permissions-contents-read.js.map +1 -0
  333. package/dist/rules/require-dependency-review-pull-request-trigger.d.ts +9 -0
  334. package/dist/rules/require-dependency-review-pull-request-trigger.d.ts.map +1 -0
  335. package/dist/rules/require-dependency-review-pull-request-trigger.js +47 -0
  336. package/dist/rules/require-dependency-review-pull-request-trigger.js.map +1 -0
  337. package/dist/rules/require-fetch-metadata-github-token.d.ts +9 -0
  338. package/dist/rules/require-fetch-metadata-github-token.d.ts.map +1 -0
  339. package/dist/rules/require-fetch-metadata-github-token.js +57 -0
  340. package/dist/rules/require-fetch-metadata-github-token.js.map +1 -0
  341. package/dist/rules/require-job-name.d.ts.map +1 -1
  342. package/dist/rules/require-job-name.js +35 -0
  343. package/dist/rules/require-job-name.js.map +1 -1
  344. package/dist/rules/require-job-step-name.d.ts.map +1 -1
  345. package/dist/rules/require-job-step-name.js +76 -0
  346. package/dist/rules/require-job-step-name.js.map +1 -1
  347. package/dist/rules/require-job-timeout-minutes.d.ts.map +1 -1
  348. package/dist/rules/require-job-timeout-minutes.js +3 -0
  349. package/dist/rules/require-job-timeout-minutes.js.map +1 -1
  350. package/dist/rules/require-merge-group-trigger.d.ts.map +1 -1
  351. package/dist/rules/require-merge-group-trigger.js +3 -0
  352. package/dist/rules/require-merge-group-trigger.js.map +1 -1
  353. package/dist/rules/require-pull-request-target-branches.d.ts.map +1 -1
  354. package/dist/rules/require-pull-request-target-branches.js +3 -0
  355. package/dist/rules/require-pull-request-target-branches.js.map +1 -1
  356. package/dist/rules/require-run-step-shell.d.ts.map +1 -1
  357. package/dist/rules/require-run-step-shell.js +3 -0
  358. package/dist/rules/require-run-step-shell.js.map +1 -1
  359. package/dist/rules/require-sarif-upload-security-events-write.d.ts +9 -0
  360. package/dist/rules/require-sarif-upload-security-events-write.d.ts.map +1 -0
  361. package/dist/rules/require-sarif-upload-security-events-write.js +51 -0
  362. package/dist/rules/require-sarif-upload-security-events-write.js.map +1 -0
  363. package/dist/rules/require-scorecard-results-format-sarif.d.ts +9 -0
  364. package/dist/rules/require-scorecard-results-format-sarif.d.ts.map +1 -0
  365. package/dist/rules/require-scorecard-results-format-sarif.js +57 -0
  366. package/dist/rules/require-scorecard-results-format-sarif.js.map +1 -0
  367. package/dist/rules/require-scorecard-upload-sarif-step.d.ts +9 -0
  368. package/dist/rules/require-scorecard-upload-sarif-step.d.ts.map +1 -0
  369. package/dist/rules/require-scorecard-upload-sarif-step.js +46 -0
  370. package/dist/rules/require-scorecard-upload-sarif-step.js.map +1 -0
  371. package/dist/rules/require-secret-scan-contents-read.d.ts +12 -0
  372. package/dist/rules/require-secret-scan-contents-read.d.ts.map +1 -0
  373. package/dist/rules/require-secret-scan-contents-read.js +53 -0
  374. package/dist/rules/require-secret-scan-contents-read.js.map +1 -0
  375. package/dist/rules/require-secret-scan-fetch-depth-zero.d.ts +9 -0
  376. package/dist/rules/require-secret-scan-fetch-depth-zero.d.ts.map +1 -0
  377. package/dist/rules/require-secret-scan-fetch-depth-zero.js +77 -0
  378. package/dist/rules/require-secret-scan-fetch-depth-zero.js.map +1 -0
  379. package/dist/rules/require-secret-scan-schedule.d.ts +9 -0
  380. package/dist/rules/require-secret-scan-schedule.d.ts.map +1 -0
  381. package/dist/rules/require-secret-scan-schedule.js +46 -0
  382. package/dist/rules/require-secret-scan-schedule.js.map +1 -0
  383. package/dist/rules/require-template-categories.d.ts.map +1 -1
  384. package/dist/rules/require-template-categories.js +3 -0
  385. package/dist/rules/require-template-categories.js.map +1 -1
  386. package/dist/rules/require-template-file-patterns.d.ts.map +1 -1
  387. package/dist/rules/require-template-file-patterns.js +3 -0
  388. package/dist/rules/require-template-file-patterns.js.map +1 -1
  389. package/dist/rules/require-template-icon-file-exists.d.ts.map +1 -1
  390. package/dist/rules/require-template-icon-file-exists.js +3 -0
  391. package/dist/rules/require-template-icon-file-exists.js.map +1 -1
  392. package/dist/rules/require-template-icon-name.d.ts.map +1 -1
  393. package/dist/rules/require-template-icon-name.js +3 -0
  394. package/dist/rules/require-template-icon-name.js.map +1 -1
  395. package/dist/rules/require-template-workflow-name.d.ts.map +1 -1
  396. package/dist/rules/require-template-workflow-name.js +3 -0
  397. package/dist/rules/require-template-workflow-name.js.map +1 -1
  398. package/dist/rules/require-trigger-types.d.ts.map +1 -1
  399. package/dist/rules/require-trigger-types.js +3 -0
  400. package/dist/rules/require-trigger-types.js.map +1 -1
  401. package/dist/rules/require-trufflehog-verified-results-mode.d.ts +9 -0
  402. package/dist/rules/require-trufflehog-verified-results-mode.d.ts.map +1 -0
  403. package/dist/rules/require-trufflehog-verified-results-mode.js +59 -0
  404. package/dist/rules/require-trufflehog-verified-results-mode.js.map +1 -0
  405. package/dist/rules/require-workflow-call-input-type.d.ts.map +1 -1
  406. package/dist/rules/require-workflow-call-input-type.js +3 -0
  407. package/dist/rules/require-workflow-call-input-type.js.map +1 -1
  408. package/dist/rules/require-workflow-call-output-value.d.ts.map +1 -1
  409. package/dist/rules/require-workflow-call-output-value.js +3 -0
  410. package/dist/rules/require-workflow-call-output-value.js.map +1 -1
  411. package/dist/rules/require-workflow-concurrency.d.ts.map +1 -1
  412. package/dist/rules/require-workflow-concurrency.js +3 -0
  413. package/dist/rules/require-workflow-concurrency.js.map +1 -1
  414. package/dist/rules/require-workflow-dispatch-input-type.d.ts.map +1 -1
  415. package/dist/rules/require-workflow-dispatch-input-type.js +3 -0
  416. package/dist/rules/require-workflow-dispatch-input-type.js.map +1 -1
  417. package/dist/rules/require-workflow-interface-description.d.ts.map +1 -1
  418. package/dist/rules/require-workflow-interface-description.js +3 -0
  419. package/dist/rules/require-workflow-interface-description.js.map +1 -1
  420. package/dist/rules/require-workflow-permissions.d.ts.map +1 -1
  421. package/dist/rules/require-workflow-permissions.js +7 -0
  422. package/dist/rules/require-workflow-permissions.js.map +1 -1
  423. package/dist/rules/require-workflow-run-branches.d.ts.map +1 -1
  424. package/dist/rules/require-workflow-run-branches.js +3 -0
  425. package/dist/rules/require-workflow-run-branches.js.map +1 -1
  426. package/dist/rules/require-workflow-template-pair.d.ts.map +1 -1
  427. package/dist/rules/require-workflow-template-pair.js +3 -0
  428. package/dist/rules/require-workflow-template-pair.js.map +1 -1
  429. package/dist/rules/require-workflow-template-properties-pair.d.ts.map +1 -1
  430. package/dist/rules/require-workflow-template-properties-pair.js +3 -0
  431. package/dist/rules/require-workflow-template-properties-pair.js.map +1 -1
  432. package/dist/rules/valid-timeout-minutes.d.ts.map +1 -1
  433. package/dist/rules/valid-timeout-minutes.js +3 -0
  434. package/dist/rules/valid-timeout-minutes.js.map +1 -1
  435. package/dist/rules/valid-trigger-events.d.ts.map +1 -1
  436. package/dist/rules/valid-trigger-events.js +3 -0
  437. package/dist/rules/valid-trigger-events.js.map +1 -1
  438. package/docs/rules/action-name-casing.md +6 -2
  439. package/docs/rules/no-codeql-autobuild-for-javascript-typescript.md +55 -0
  440. package/docs/rules/no-codeql-javascript-typescript-split-language-matrix.md +51 -0
  441. package/docs/rules/no-empty-template-file-pattern.md +5 -1
  442. package/docs/rules/no-icon-file-extension-in-template-icon-name.md +5 -1
  443. package/docs/rules/no-overlapping-dependabot-directories.md +87 -0
  444. package/docs/rules/no-path-separators-in-template-icon-name.md +5 -1
  445. package/docs/rules/no-post-if-without-post.md +5 -1
  446. package/docs/rules/no-pre-if-without-pre.md +5 -1
  447. package/docs/rules/no-required-input-with-default.md +10 -1
  448. package/docs/rules/no-unknown-dependabot-multi-ecosystem-group.md +62 -0
  449. package/docs/rules/no-unused-dependabot-enable-beta-ecosystems.md +63 -0
  450. package/docs/rules/overview.md +47 -1
  451. package/docs/rules/prefer-inputs-context.md +6 -2
  452. package/docs/rules/presets/action-metadata.md +26 -15
  453. package/docs/rules/presets/all.md +129 -73
  454. package/docs/rules/presets/code-scanning.md +33 -0
  455. package/docs/rules/presets/dependabot.md +40 -0
  456. package/docs/rules/presets/index.md +139 -81
  457. package/docs/rules/presets/recommended.md +34 -23
  458. package/docs/rules/presets/security.md +39 -13
  459. package/docs/rules/presets/strict.md +56 -45
  460. package/docs/rules/presets/workflow-template-properties.md +26 -15
  461. package/docs/rules/presets/workflow-templates.md +30 -19
  462. package/docs/rules/require-codeql-actions-read.md +50 -0
  463. package/docs/rules/require-codeql-branch-filters.md +53 -0
  464. package/docs/rules/require-codeql-category-when-language-matrix.md +49 -0
  465. package/docs/rules/require-codeql-pull-request-trigger.md +53 -0
  466. package/docs/rules/require-codeql-schedule.md +57 -0
  467. package/docs/rules/require-codeql-security-events-write.md +50 -0
  468. package/docs/rules/require-dependabot-assignees.md +64 -0
  469. package/docs/rules/require-dependabot-automation-permissions.md +53 -0
  470. package/docs/rules/require-dependabot-automation-pull-request-trigger.md +49 -0
  471. package/docs/rules/require-dependabot-bot-actor-guard.md +52 -0
  472. package/docs/rules/require-dependabot-commit-message-include-scope.md +58 -0
  473. package/docs/rules/require-dependabot-commit-message-prefix-development.md +60 -0
  474. package/docs/rules/require-dependabot-commit-message-prefix.md +64 -0
  475. package/docs/rules/require-dependabot-cooldown.md +59 -0
  476. package/docs/rules/require-dependabot-directory.md +79 -0
  477. package/docs/rules/require-dependabot-github-actions-directory-root.md +62 -0
  478. package/docs/rules/require-dependabot-labels.md +65 -0
  479. package/docs/rules/require-dependabot-open-pull-requests-limit.md +58 -0
  480. package/docs/rules/require-dependabot-package-ecosystem.md +57 -0
  481. package/docs/rules/require-dependabot-patterns-for-multi-ecosystem-group.md +67 -0
  482. package/docs/rules/require-dependabot-schedule-cronjob.md +74 -0
  483. package/docs/rules/require-dependabot-schedule-interval.md +66 -0
  484. package/docs/rules/require-dependabot-schedule-time.md +60 -0
  485. package/docs/rules/require-dependabot-schedule-timezone.md +61 -0
  486. package/docs/rules/require-dependabot-target-branch.md +63 -0
  487. package/docs/rules/require-dependabot-updates.md +58 -0
  488. package/docs/rules/require-dependabot-version.md +70 -0
  489. package/docs/rules/require-dependabot-versioning-strategy-for-npm.md +58 -0
  490. package/docs/rules/require-dependency-review-action.md +60 -0
  491. package/docs/rules/require-dependency-review-fail-on-severity.md +57 -0
  492. package/docs/rules/require-dependency-review-permissions-contents-read.md +62 -0
  493. package/docs/rules/require-dependency-review-pull-request-trigger.md +57 -0
  494. package/docs/rules/require-fetch-metadata-github-token.md +49 -0
  495. package/docs/rules/require-job-name.md +6 -2
  496. package/docs/rules/require-job-step-name.md +11 -2
  497. package/docs/rules/require-sarif-upload-security-events-write.md +50 -0
  498. package/docs/rules/require-scorecard-results-format-sarif.md +49 -0
  499. package/docs/rules/require-scorecard-upload-sarif-step.md +55 -0
  500. package/docs/rules/require-secret-scan-contents-read.md +48 -0
  501. package/docs/rules/require-secret-scan-fetch-depth-zero.md +50 -0
  502. package/docs/rules/require-secret-scan-schedule.md +50 -0
  503. package/docs/rules/require-trufflehog-verified-results-mode.md +49 -0
  504. package/package.json +50 -57
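--- a/package/docs/rules/require-dependabot-schedule-interval.md
+++ b/package/docs/rules/require-dependabot-schedule-interval.md
@@ -0,0 +1,66 @@
+# require-dependabot-schedule-interval
+
+> **Rule catalog ID:** R074
+
+## Targeted pattern scope
+
+`updates[*].schedule.interval` values in Dependabot configuration files, including values inherited from `multi-ecosystem-groups`.
+
+## What this rule reports
+
+This rule reports update entries that do not resolve to a valid `schedule.interval` value.
+
+## Why this rule exists
+
+`schedule.interval` is a required Dependabot setting. Requiring a supported value keeps update frequency explicit and avoids accidental reliance on invalid or misspelled scheduling keys.
+
+## ❌ Incorrect
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule: {}
+```
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "sometimes"
+```
+
+## ✅ Correct
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "weekly"
+```
+
+## Additional examples
+
+This rule also accepts valid intervals inherited from `multi-ecosystem-groups`, so grouped configurations do not need to duplicate schedule frequency on every update block.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.dependabot];
+```
+
+## When not to use it
+
+Disable this rule only when Dependabot files are not part of the lint surface for the repository.
+
+## Further reading
+
+- [Dependabot options reference: schedule](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#schedule-)
+- [Dependabot options reference: Required keys](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#required-keys)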
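--- a/package/docs/rules/require-dependabot-schedule-time.md
+++ b/package/docs/rules/require-dependabot-schedule-time.md
@@ -0,0 +1,60 @@
+# require-dependabot-schedule-time
+
+> **Rule catalog ID:** R075
+
+## Targeted pattern scope
+
+Non-`cron` schedule mappings in Dependabot update entries, including schedule settings inherited from `multi-ecosystem-groups`.
+
+## What this rule reports
+
+This rule reports update entries that use a non-`cron` interval without declaring `schedule.time`.
+
+## Why this rule exists
+
+GitHub assigns a random execution time when `time` is omitted. Requiring an explicit time makes Dependabot activity predictable and easier to coordinate with release windows and CI load.
+
+## ❌ Incorrect
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "weekly"
+```
+
+## ✅ Correct
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "weekly"
+time: "05:30"
+timezone: "UTC"
+```
+
+## Additional examples
+
+Repositories that want quieter daytime CI load often use this rule to keep Dependabot runs in an off-hours maintenance window.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.dependabot];
+```
+
+## When not to use it
+
+Disable this rule if random Dependabot run times are acceptable for the repository.
+
+## Further reading
+
+- [Dependabot options reference: schedule.time](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#schedule-)
+- [Optimizing the creation of pull requests for Dependabot version updates](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates)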
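--- a/package/docs/rules/require-dependabot-schedule-timezone.md
+++ b/package/docs/rules/require-dependabot-schedule-timezone.md
@@ -0,0 +1,61 @@
+# require-dependabot-schedule-timezone
+
+> **Rule catalog ID:** R076
+
+## Targeted pattern scope
+
+Dependabot schedule mappings that use `time` or `cron` semantics, including values inherited from `multi-ecosystem-groups`.
+
+## What this rule reports
+
+This rule reports schedule blocks that require timezone context but omit `schedule.timezone`.
+
+## Why this rule exists
+
+Without a timezone, explicit times default to UTC. Requiring `timezone` makes scheduled runs match local operational intent instead of silently shifting around daylight saving or team-region assumptions.
+
+## ❌ Incorrect
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "weekly"
+time: "05:30"
+```
+
+## ✅ Correct
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "weekly"
+time: "05:30"
+timezone: "America/Detroit"
+```
+
+## Additional examples
+
+When teams operate outside UTC, this rule prevents silent schedule drift caused by assuming everyone reads `time` values in the same timezone.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.dependabot];
+```
+
+## When not to use it
+
+Disable this rule if the repository intentionally standardizes all Dependabot schedules on implicit UTC.
+
+## Further reading
+
+- [Dependabot options reference: schedule.timezone](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#schedule-)
+- [List of tz database time zones](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones)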
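--- a/package/docs/rules/require-dependabot-target-branch.md
+++ b/package/docs/rules/require-dependabot-target-branch.md
@@ -0,0 +1,63 @@
+# require-dependabot-target-branch
+
+> **Rule catalog ID:** R078
+
+## Targeted pattern scope
+
+Dependabot update entries and multi-ecosystem groups that decide where version-update pull requests land.
+
+## What this rule reports
+
+This rule reports update entries that do not resolve to a non-empty `target-branch`.
+
+## Why this rule exists
+
+Repositories with release trains or stabilization branches often want Dependabot changes routed predictably. Requiring `target-branch` removes ambiguity and documents the intended update flow directly in configuration.
+
+## ❌ Incorrect
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "weekly"
+time: "05:30"
+timezone: "UTC"
+```
+
+## ✅ Correct
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "weekly"
+time: "05:30"
+timezone: "UTC"
+target-branch: "main"
+```
+
+## Additional examples
+
+This rule is most useful in repositories that validate dependency updates on a dedicated integration branch before merging into the default branch.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.dependabot];
+```
+
+## When not to use it
+
+Disable this rule if the repository intentionally wants Dependabot to always use the default branch implicitly.
+
+## Further reading
+
+- [Dependabot options reference: target-branch](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#target-branch-)
+- [Customizing Dependabot pull requests: Targeting pull requests against a non-default branch](https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/customizing-dependabot-prs#targeting-pull-requests-against-a-non-default-branch)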
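--- a/package/docs/rules/require-dependabot-updates.md
+++ b/package/docs/rules/require-dependabot-updates.md
@@ -0,0 +1,58 @@
+# require-dependabot-updates
+
+> **Rule catalog ID:** R071
+
+## Targeted pattern scope
+
+Repository Dependabot configuration files at `.github/dependabot.yml` or `.github/dependabot.yaml`.
+
+## What this rule reports
+
+This rule reports files that omit the top-level `updates` key or define it as an empty sequence.
+
+## Why this rule exists
+
+`updates` is the section where Dependabot is told which ecosystems to maintain. Without at least one update entry, the configuration is syntactically present but operationally useless.
+
+## ❌ Incorrect
+
+```yaml
+version: 2
+```
+
+```yaml
+version: 2
+updates: []
+```
+
+## ✅ Correct
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "weekly"
+```
+
+## Additional examples
+
+On repositories with multiple ecosystems, this rule helps ensure Dependabot stays enabled even after refactors remove one update block and forget to add its replacement.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.dependabot];
+```
+
+## When not to use it
+
+Disable this rule only when `.github/dependabot.yml` is intentionally not used in the repository.
+
+## Further reading
+
+- [Dependabot options reference: Required keys](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#required-keys)
+- [Example dependabot.yml file](https://docs.github.com/en/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configuring-dependabot-version-updates#example-dependabotyml-file)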
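--- a/package/docs/rules/require-dependabot-version.md
+++ b/package/docs/rules/require-dependabot-version.md
@@ -0,0 +1,70 @@
+# require-dependabot-version
+
+> **Rule catalog ID:** R070
+
+## Targeted pattern scope
+
+Repository Dependabot configuration files at `.github/dependabot.yml` or `.github/dependabot.yaml`.
+
+## What this rule reports
+
+This rule reports Dependabot configuration files that omit the top-level `version` key or set it to anything other than `2`.
+
+## Why this rule exists
+
+Dependabot configuration files must use schema version `2`. Omitting the key or using a different value makes the file invalid and prevents Dependabot from interpreting later settings reliably.
+
+## ❌ Incorrect
+
+```yaml
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "weekly"
+```
+
+```yaml
+version: 1
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "weekly"
+```
+
+## ✅ Correct
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "weekly"
+```
+
+## Behavior and migration notes
+
+The autofixer inserts `version: 2` when the top-level key is missing and rewrites any other version value to `2`. That fix is safe because Dependabot configuration currently requires schema version 2.
+
+## Additional examples
+
+This rule pairs well with `require-dependabot-updates` so the file always declares both the schema version and at least one update block.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.dependabot];
+```
+
+## When not to use it
+
+Disable this rule only if you do not lint Dependabot configuration files with this plugin.
+
+## Further reading
+
+- [Dependabot options reference: Required keys](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#required-keys)
+- [Configuring Dependabot version updates](https://docs.github.com/en/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/configuring-dependabot-version-updates)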
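--- a/package/docs/rules/require-dependabot-versioning-strategy-for-npm.md
+++ b/package/docs/rules/require-dependabot-versioning-strategy-for-npm.md
@@ -0,0 +1,58 @@
+# require-dependabot-versioning-strategy-for-npm
+
+> **Rule catalog ID:** R088
+
+## Targeted pattern scope
+
+Dependabot update entries with `package-ecosystem: "npm"`.
+
+## What this rule reports
+
+This rule reports npm update entries that omit `versioning-strategy`.
+
+## Why this rule exists
+
+`versioning-strategy` changes how Dependabot edits package manifests and lockfiles. Requiring the key makes npm range update behavior explicit, which is especially useful in monorepos and libraries with stricter dependency policies.
+
+## ❌ Incorrect
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+schedule:
+interval: "weekly"
+```
+
+## ✅ Correct
+
+```yaml
+version: 2
+updates:
+- package-ecosystem: "npm"
+directory: "/"
+versioning-strategy: "increase"
+schedule:
+interval: "weekly"
+```
+
+## Additional examples
+
+For application repositories, `increase` is a common choice because it keeps package ranges aligned with the updated resolved version.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.dependabot];
+```
+
+## When not to use it
+
+Disable this rule if the repository intentionally accepts Dependabot's default versioning strategy heuristics for npm.
+
+## Further reading
+
+- [Dependabot options reference: versioning-strategy](https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#versioning-strategy--)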
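--- a/package/docs/rules/require-dependency-review-action.md
+++ b/package/docs/rules/require-dependency-review-action.md
@@ -0,0 +1,60 @@
+# require-dependency-review-action
+
+> **Rule catalog ID:** R091
+
+## Targeted pattern scope
+
+Workflow files whose path indicates a dependency review workflow, such as `.github/workflows/dependency-review.yml`.
+
+## What this rule reports
+
+This rule reports dependency review workflow files that do not invoke `actions/dependency-review-action`.
+
+## Why this rule exists
+
+If a workflow is intended to perform dependency review, it should actually run the dependency review action. Otherwise the workflow name and file path advertise security coverage that the repository is not really getting.
+
+## ❌ Incorrect
+
+```yaml
+name: "Dependency Review"
+on: [pull_request]
+jobs:
+review:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v5
+```
+
+## ✅ Correct
+
+```yaml
+name: "Dependency Review"
+on: [pull_request]
+jobs:
+review:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v5
+- uses: actions/dependency-review-action@v4
+```
+
+## Additional examples
+
+This rule is file-path-driven, which keeps it precise without forcing every repository to adopt a global workflow-existence contract.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.security];
+```
+
+## When not to use it
+
+Disable this rule if the repository intentionally uses a differently named workflow file or a reusable wrapper workflow for dependency review.
+
+## Further reading
+
+- [Customizing your dependency review action configuration](https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/customizing-your-dependency-review-action-configuration)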
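--- a/package/docs/rules/require-dependency-review-fail-on-severity.md
+++ b/package/docs/rules/require-dependency-review-fail-on-severity.md
@@ -0,0 +1,57 @@
+# require-dependency-review-fail-on-severity
+
+> **Rule catalog ID:** R093
+
+## Targeted pattern scope
+
+Workflow steps that use `actions/dependency-review-action`.
+
+## What this rule reports
+
+This rule reports dependency review action steps that omit `with.fail-on-severity`.
+
+## Why this rule exists
+
+Without an explicit severity threshold, the repository's vulnerability blocking posture is implicit. Requiring `fail-on-severity` makes that policy visible and reviewable in the workflow file.
+
+## ❌ Incorrect
+
+```yaml
+jobs:
+dependency-review:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/dependency-review-action@v4
+```
+
+## ✅ Correct
+
+```yaml
+jobs:
+dependency-review:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/dependency-review-action@v4
+with:
+fail-on-severity: moderate
+```
+
+## Additional examples
+
+Repositories commonly use `moderate` or stricter thresholds so dependency review blocks only meaningful risk while keeping pull request friction manageable.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.security];
+```
+
+## When not to use it
+
+Disable this rule if the repository intentionally accepts the action's default behavior and does not want to codify a severity threshold in workflow YAML.
+
+## Further reading
+
+- [Customizing your dependency review action configuration](https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/customizing-your-dependency-review-action-configuration)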
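--- a/package/docs/rules/require-dependency-review-permissions-contents-read.md
+++ b/package/docs/rules/require-dependency-review-permissions-contents-read.md
@@ -0,0 +1,62 @@
+# require-dependency-review-permissions-contents-read
+
+> **Rule catalog ID:** R092
+
+## Targeted pattern scope
+
+Workflows that use `actions/dependency-review-action`.
+
+## What this rule reports
+
+This rule reports workflows using the dependency review action that do not set top-level `permissions.contents: read`.
+
+## Why this rule exists
+
+Dependency review only needs repository contents read access. Requiring that explicit least-privilege permission keeps security posture reviewable and prevents drift toward broader token scope.
+
+## ❌ Incorrect
+
+```yaml
+on: [pull_request]
+permissions:
+contents: write
+jobs:
+dependency-review:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/dependency-review-action@v4
+```
+
+## ✅ Correct
+
+```yaml
+on: [pull_request]
+permissions:
+contents: read
+jobs:
+dependency-review:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/dependency-review-action@v4
+```
+
+## Additional examples
+
+This rule complements `require-workflow-permissions` by enforcing the narrower security expectation specific to dependency review workflows.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.security];
+```
+
+## When not to use it
+
+Disable this rule only if a repository-local wrapper around dependency review genuinely needs broader permissions and that design has already been reviewed.
+
+## Further reading
+
+- [Customizing your dependency review action configuration](https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/customizing-your-dependency-review-action-configuration)
+- [GitHub Actions workflow syntax: permissions](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#permissions)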
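--- a/package/docs/rules/require-dependency-review-pull-request-trigger.md
+++ b/package/docs/rules/require-dependency-review-pull-request-trigger.md
@@ -0,0 +1,57 @@
+# require-dependency-review-pull-request-trigger
+
+> **Rule catalog ID:** R094
+
+## Targeted pattern scope
+
+Workflows that use `actions/dependency-review-action`.
+
+## What this rule reports
+
+This rule reports workflows using the dependency review action that do not listen for `pull_request`.
+
+## Why this rule exists
+
+Dependency review is designed to evaluate dependency changes introduced by pull requests. Requiring the `pull_request` trigger keeps the workflow aligned with that review surface.
+
+## ❌ Incorrect
+
+```yaml
+on: [workflow_dispatch]
+jobs:
+dependency-review:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/dependency-review-action@v4
+```
+
+## ✅ Correct
+
+```yaml
+on: [pull_request]
+jobs:
+dependency-review:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/dependency-review-action@v4
+```
+
+## Additional examples
+
+This rule does not prevent workflows from adding other triggers too. It only requires that `pull_request` be one of them when dependency review is present.
+
+## ESLint flat config example
+
+```ts
+import githubActions from "eslint-plugin-github-actions-2";
+
+export default [githubActions.configs.security];
+```
+
+## When not to use it
+
+Disable this rule if the repository runs dependency review exclusively through a reusable workflow or another workflow trigger strategy.
+
+## Further reading
+
+- [Customizing your dependency review action configuration](https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/customizing-your-dependency-review-action-configuration)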