eslint-plugin-github-actions-2 1.0.3 → 1.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (221) hide show
  1. package/README.md +127 -127
  2. package/dist/_internal/github-actions-config-references.js +1 -1
  3. package/dist/_internal/github-actions-config-references.js.map +1 -1
  4. package/dist/_internal/lint-targets.d.ts +7 -0
  5. package/dist/_internal/lint-targets.d.ts.map +1 -1
  6. package/dist/_internal/lint-targets.js +15 -0
  7. package/dist/_internal/lint-targets.js.map +1 -1
  8. package/dist/_internal/rule-docs.d.ts +1 -1
  9. package/dist/_internal/rule-docs.d.ts.map +1 -1
  10. package/dist/_internal/workflow-permissions.d.ts +2 -0
  11. package/dist/_internal/workflow-permissions.d.ts.map +1 -1
  12. package/dist/_internal/workflow-permissions.js +54 -7
  13. package/dist/_internal/workflow-permissions.js.map +1 -1
  14. package/dist/plugin.cjs +263 -22
  15. package/dist/plugin.cjs.map +2 -2
  16. package/dist/plugin.d.ts.map +1 -1
  17. package/dist/plugin.js +1 -1
  18. package/dist/plugin.js.map +1 -1
  19. package/dist/rules/action-name-casing.d.ts.map +1 -1
  20. package/dist/rules/action-name-casing.js +4 -0
  21. package/dist/rules/action-name-casing.js.map +1 -1
  22. package/dist/rules/job-id-casing.d.ts.map +1 -1
  23. package/dist/rules/job-id-casing.js +4 -0
  24. package/dist/rules/job-id-casing.js.map +1 -1
  25. package/dist/rules/max-jobs-per-action.d.ts.map +1 -1
  26. package/dist/rules/max-jobs-per-action.js +4 -0
  27. package/dist/rules/max-jobs-per-action.js.map +1 -1
  28. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.d.ts.map +1 -1
  29. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.js +4 -0
  30. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.js.map +1 -1
  31. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.d.ts.map +1 -1
  32. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.js +4 -0
  33. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.js.map +1 -1
  34. package/dist/rules/no-external-job.d.ts.map +1 -1
  35. package/dist/rules/no-external-job.js +4 -0
  36. package/dist/rules/no-external-job.js.map +1 -1
  37. package/dist/rules/no-inherit-secrets.d.ts.map +1 -1
  38. package/dist/rules/no-inherit-secrets.js +4 -0
  39. package/dist/rules/no-inherit-secrets.js.map +1 -1
  40. package/dist/rules/no-invalid-concurrency-context.d.ts.map +1 -1
  41. package/dist/rules/no-invalid-concurrency-context.js +4 -0
  42. package/dist/rules/no-invalid-concurrency-context.js.map +1 -1
  43. package/dist/rules/no-invalid-key.d.ts.map +1 -1
  44. package/dist/rules/no-invalid-key.js +4 -0
  45. package/dist/rules/no-invalid-key.js.map +1 -1
  46. package/dist/rules/no-invalid-reusable-workflow-job-key.d.ts.map +1 -1
  47. package/dist/rules/no-invalid-reusable-workflow-job-key.js +4 -0
  48. package/dist/rules/no-invalid-reusable-workflow-job-key.js.map +1 -1
  49. package/dist/rules/no-invalid-workflow-call-output-value.d.ts.map +1 -1
  50. package/dist/rules/no-invalid-workflow-call-output-value.js +4 -0
  51. package/dist/rules/no-invalid-workflow-call-output-value.js.map +1 -1
  52. package/dist/rules/no-pr-head-checkout-in-pull-request-target.d.ts.map +1 -1
  53. package/dist/rules/no-pr-head-checkout-in-pull-request-target.js +4 -0
  54. package/dist/rules/no-pr-head-checkout-in-pull-request-target.js.map +1 -1
  55. package/dist/rules/no-secrets-in-if.d.ts.map +1 -1
  56. package/dist/rules/no-secrets-in-if.js +4 -0
  57. package/dist/rules/no-secrets-in-if.js.map +1 -1
  58. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.d.ts.map +1 -1
  59. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.js +4 -0
  60. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.js.map +1 -1
  61. package/dist/rules/no-top-level-env.d.ts.map +1 -1
  62. package/dist/rules/no-top-level-env.js +4 -0
  63. package/dist/rules/no-top-level-env.js.map +1 -1
  64. package/dist/rules/no-top-level-permissions.d.ts.map +1 -1
  65. package/dist/rules/no-top-level-permissions.js +4 -1
  66. package/dist/rules/no-top-level-permissions.js.map +1 -1
  67. package/dist/rules/no-unknown-job-output-reference.d.ts.map +1 -1
  68. package/dist/rules/no-unknown-job-output-reference.js +4 -0
  69. package/dist/rules/no-unknown-job-output-reference.js.map +1 -1
  70. package/dist/rules/no-unknown-step-reference.d.ts.map +1 -1
  71. package/dist/rules/no-unknown-step-reference.js +4 -0
  72. package/dist/rules/no-unknown-step-reference.js.map +1 -1
  73. package/dist/rules/no-untrusted-input-in-run.d.ts.map +1 -1
  74. package/dist/rules/no-untrusted-input-in-run.js +4 -0
  75. package/dist/rules/no-untrusted-input-in-run.js.map +1 -1
  76. package/dist/rules/no-write-all-permissions.d.ts.map +1 -1
  77. package/dist/rules/no-write-all-permissions.js +4 -0
  78. package/dist/rules/no-write-all-permissions.js.map +1 -1
  79. package/dist/rules/pin-action-shas.d.ts.map +1 -1
  80. package/dist/rules/pin-action-shas.js +4 -0
  81. package/dist/rules/pin-action-shas.js.map +1 -1
  82. package/dist/rules/prefer-fail-fast.d.ts.map +1 -1
  83. package/dist/rules/prefer-fail-fast.js +4 -0
  84. package/dist/rules/prefer-fail-fast.js.map +1 -1
  85. package/dist/rules/prefer-file-extension.d.ts.map +1 -1
  86. package/dist/rules/prefer-file-extension.js +4 -0
  87. package/dist/rules/prefer-file-extension.js.map +1 -1
  88. package/dist/rules/prefer-inputs-context.d.ts.map +1 -1
  89. package/dist/rules/prefer-inputs-context.js +4 -0
  90. package/dist/rules/prefer-inputs-context.js.map +1 -1
  91. package/dist/rules/prefer-step-uses-style.d.ts.map +1 -1
  92. package/dist/rules/prefer-step-uses-style.js +4 -0
  93. package/dist/rules/prefer-step-uses-style.js.map +1 -1
  94. package/dist/rules/require-action-name.d.ts.map +1 -1
  95. package/dist/rules/require-action-name.js +4 -0
  96. package/dist/rules/require-action-name.js.map +1 -1
  97. package/dist/rules/require-action-run-name.d.ts.map +1 -1
  98. package/dist/rules/require-action-run-name.js +4 -0
  99. package/dist/rules/require-action-run-name.js.map +1 -1
  100. package/dist/rules/require-checkout-before-local-action.d.ts.map +1 -1
  101. package/dist/rules/require-checkout-before-local-action.js +4 -0
  102. package/dist/rules/require-checkout-before-local-action.js.map +1 -1
  103. package/dist/rules/require-codeql-actions-read.d.ts.map +1 -1
  104. package/dist/rules/require-codeql-actions-read.js +4 -0
  105. package/dist/rules/require-codeql-actions-read.js.map +1 -1
  106. package/dist/rules/require-codeql-branch-filters.d.ts.map +1 -1
  107. package/dist/rules/require-codeql-branch-filters.js +4 -0
  108. package/dist/rules/require-codeql-branch-filters.js.map +1 -1
  109. package/dist/rules/require-codeql-category-when-language-matrix.d.ts.map +1 -1
  110. package/dist/rules/require-codeql-category-when-language-matrix.js +4 -0
  111. package/dist/rules/require-codeql-category-when-language-matrix.js.map +1 -1
  112. package/dist/rules/require-codeql-pull-request-trigger.d.ts.map +1 -1
  113. package/dist/rules/require-codeql-pull-request-trigger.js +4 -0
  114. package/dist/rules/require-codeql-pull-request-trigger.js.map +1 -1
  115. package/dist/rules/require-codeql-schedule.d.ts.map +1 -1
  116. package/dist/rules/require-codeql-schedule.js +4 -0
  117. package/dist/rules/require-codeql-schedule.js.map +1 -1
  118. package/dist/rules/require-codeql-security-events-write.d.ts.map +1 -1
  119. package/dist/rules/require-codeql-security-events-write.js +4 -0
  120. package/dist/rules/require-codeql-security-events-write.js.map +1 -1
  121. package/dist/rules/require-dependabot-automation-permissions.d.ts.map +1 -1
  122. package/dist/rules/require-dependabot-automation-permissions.js +4 -0
  123. package/dist/rules/require-dependabot-automation-permissions.js.map +1 -1
  124. package/dist/rules/require-dependabot-automation-pull-request-trigger.d.ts.map +1 -1
  125. package/dist/rules/require-dependabot-automation-pull-request-trigger.js +4 -0
  126. package/dist/rules/require-dependabot-automation-pull-request-trigger.js.map +1 -1
  127. package/dist/rules/require-dependabot-bot-actor-guard.d.ts.map +1 -1
  128. package/dist/rules/require-dependabot-bot-actor-guard.js +4 -0
  129. package/dist/rules/require-dependabot-bot-actor-guard.js.map +1 -1
  130. package/dist/rules/require-dependency-review-fail-on-severity.d.ts.map +1 -1
  131. package/dist/rules/require-dependency-review-fail-on-severity.js +4 -0
  132. package/dist/rules/require-dependency-review-fail-on-severity.js.map +1 -1
  133. package/dist/rules/require-dependency-review-permissions-contents-read.d.ts.map +1 -1
  134. package/dist/rules/require-dependency-review-permissions-contents-read.js +23 -18
  135. package/dist/rules/require-dependency-review-permissions-contents-read.js.map +1 -1
  136. package/dist/rules/require-dependency-review-pull-request-trigger.d.ts.map +1 -1
  137. package/dist/rules/require-dependency-review-pull-request-trigger.js +4 -0
  138. package/dist/rules/require-dependency-review-pull-request-trigger.js.map +1 -1
  139. package/dist/rules/require-fetch-metadata-github-token.d.ts.map +1 -1
  140. package/dist/rules/require-fetch-metadata-github-token.js +4 -0
  141. package/dist/rules/require-fetch-metadata-github-token.js.map +1 -1
  142. package/dist/rules/require-job-name.d.ts.map +1 -1
  143. package/dist/rules/require-job-name.js +4 -0
  144. package/dist/rules/require-job-name.js.map +1 -1
  145. package/dist/rules/require-job-step-name.d.ts.map +1 -1
  146. package/dist/rules/require-job-step-name.js +4 -0
  147. package/dist/rules/require-job-step-name.js.map +1 -1
  148. package/dist/rules/require-job-timeout-minutes.d.ts.map +1 -1
  149. package/dist/rules/require-job-timeout-minutes.js +4 -0
  150. package/dist/rules/require-job-timeout-minutes.js.map +1 -1
  151. package/dist/rules/require-merge-group-trigger.d.ts.map +1 -1
  152. package/dist/rules/require-merge-group-trigger.js +4 -0
  153. package/dist/rules/require-merge-group-trigger.js.map +1 -1
  154. package/dist/rules/require-pull-request-target-branches.d.ts.map +1 -1
  155. package/dist/rules/require-pull-request-target-branches.js +4 -0
  156. package/dist/rules/require-pull-request-target-branches.js.map +1 -1
  157. package/dist/rules/require-run-step-shell.d.ts.map +1 -1
  158. package/dist/rules/require-run-step-shell.js +4 -0
  159. package/dist/rules/require-run-step-shell.js.map +1 -1
  160. package/dist/rules/require-sarif-upload-security-events-write.d.ts.map +1 -1
  161. package/dist/rules/require-sarif-upload-security-events-write.js +4 -0
  162. package/dist/rules/require-sarif-upload-security-events-write.js.map +1 -1
  163. package/dist/rules/require-scorecard-results-format-sarif.d.ts.map +1 -1
  164. package/dist/rules/require-scorecard-results-format-sarif.js +4 -0
  165. package/dist/rules/require-scorecard-results-format-sarif.js.map +1 -1
  166. package/dist/rules/require-scorecard-upload-sarif-step.d.ts.map +1 -1
  167. package/dist/rules/require-scorecard-upload-sarif-step.js +4 -0
  168. package/dist/rules/require-scorecard-upload-sarif-step.js.map +1 -1
  169. package/dist/rules/require-secret-scan-contents-read.d.ts.map +1 -1
  170. package/dist/rules/require-secret-scan-contents-read.js +7 -3
  171. package/dist/rules/require-secret-scan-contents-read.js.map +1 -1
  172. package/dist/rules/require-secret-scan-fetch-depth-zero.d.ts.map +1 -1
  173. package/dist/rules/require-secret-scan-fetch-depth-zero.js +4 -0
  174. package/dist/rules/require-secret-scan-fetch-depth-zero.js.map +1 -1
  175. package/dist/rules/require-secret-scan-schedule.d.ts.map +1 -1
  176. package/dist/rules/require-secret-scan-schedule.js +4 -0
  177. package/dist/rules/require-secret-scan-schedule.js.map +1 -1
  178. package/dist/rules/require-trigger-types.d.ts.map +1 -1
  179. package/dist/rules/require-trigger-types.js +4 -0
  180. package/dist/rules/require-trigger-types.js.map +1 -1
  181. package/dist/rules/require-trufflehog-verified-results-mode.d.ts.map +1 -1
  182. package/dist/rules/require-trufflehog-verified-results-mode.js +4 -0
  183. package/dist/rules/require-trufflehog-verified-results-mode.js.map +1 -1
  184. package/dist/rules/require-workflow-call-input-type.d.ts.map +1 -1
  185. package/dist/rules/require-workflow-call-input-type.js +4 -0
  186. package/dist/rules/require-workflow-call-input-type.js.map +1 -1
  187. package/dist/rules/require-workflow-call-output-value.d.ts.map +1 -1
  188. package/dist/rules/require-workflow-call-output-value.js +4 -0
  189. package/dist/rules/require-workflow-call-output-value.js.map +1 -1
  190. package/dist/rules/require-workflow-concurrency.d.ts.map +1 -1
  191. package/dist/rules/require-workflow-concurrency.js +4 -0
  192. package/dist/rules/require-workflow-concurrency.js.map +1 -1
  193. package/dist/rules/require-workflow-dispatch-input-type.d.ts.map +1 -1
  194. package/dist/rules/require-workflow-dispatch-input-type.js +4 -0
  195. package/dist/rules/require-workflow-dispatch-input-type.js.map +1 -1
  196. package/dist/rules/require-workflow-interface-description.d.ts.map +1 -1
  197. package/dist/rules/require-workflow-interface-description.js +4 -0
  198. package/dist/rules/require-workflow-interface-description.js.map +1 -1
  199. package/dist/rules/require-workflow-permissions.d.ts.map +1 -1
  200. package/dist/rules/require-workflow-permissions.js +4 -0
  201. package/dist/rules/require-workflow-permissions.js.map +1 -1
  202. package/dist/rules/require-workflow-run-branches.d.ts.map +1 -1
  203. package/dist/rules/require-workflow-run-branches.js +4 -0
  204. package/dist/rules/require-workflow-run-branches.js.map +1 -1
  205. package/dist/rules/valid-timeout-minutes.d.ts.map +1 -1
  206. package/dist/rules/valid-timeout-minutes.js +4 -0
  207. package/dist/rules/valid-timeout-minutes.js.map +1 -1
  208. package/dist/rules/valid-trigger-events.d.ts.map +1 -1
  209. package/dist/rules/valid-trigger-events.js +4 -0
  210. package/dist/rules/valid-trigger-events.js.map +1 -1
  211. package/docs/rules/guides/authoring-rules.md +34 -0
  212. package/docs/rules/guides/docs-authoring.md +34 -0
  213. package/docs/rules/guides/index.md +15 -0
  214. package/docs/rules/guides/testing-rules.md +34 -0
  215. package/docs/rules/no-top-level-permissions.md +4 -4
  216. package/docs/rules/presets/all.md +116 -117
  217. package/docs/rules/presets/index.md +119 -123
  218. package/docs/rules/require-dependency-review-permissions-contents-read.md +15 -4
  219. package/docs/rules/require-secret-scan-contents-read.md +10 -2
  220. package/docs/rules/require-workflow-permissions.md +4 -4
  221. package/package.json +1 -1
package/docs/rules/presets/index.md CHANGED
@@ -16,10 +16,7 @@ The plugin exports nine flat-config presets:
16
16
  - [`githubActions.configs.strict`](./strict.md)
17
17
  - [`githubActions.configs.all`](./all.md)
18
18
 
19
- These presets cover workflow YAML, action metadata (`action.yml` / `action.yaml`),
20
- repository Dependabot configuration (`.github/dependabot.yml`), and workflow
21
- template package files (`workflow-templates/*.yml`, `*.yaml`, and
22
- `*.properties.json`).
19
+ These presets cover workflow YAML, action metadata (`action.yml` / `action.yaml`), repository Dependabot configuration (`.github/dependabot.yml`), and workflow template package files (`workflow-templates/*.yml`, `*.yaml`, and `*.properties.json`).
23
20
 
24
21
  ## How to choose
25
22
 
@@ -27,11 +24,10 @@ template package files (`workflow-templates/*.yml`, `*.yaml`, and
27
24
  - Layer **security** for stronger supply-chain and permissions-focused checks.
28
25
  - Use **codeScanning** for CodeQL, dependency review, SARIF upload, and related code-scanning workflows.
29
26
  - Use **strict** when you want high signal on operational consistency.
30
- - Use **all** for complete rule coverage (best for internal policy repos).
27
+ - Use **all** for complete bundled rule coverage (best for internal policy repos), and layer opt-in policy rules manually when your standards require them.
31
28
  - Use **dependabot** when you want a dedicated policy surface for dependency update automation.
32
29
 
33
- Then review [getting started](../getting-started.md) and the full
34
- [rule reference](../overview.md).
30
+ Then review [getting started](../getting-started.md) and the full [rule reference](../overview.md).
35
31
 
36
32
  ## Rule Matrix
37
33
 
@@ -53,119 +49,119 @@ Preset key legend:
53
49
  - [🔴](./strict.md) — [`githubActions.configs.strict`](./strict.md)
54
50
  - [🟣](./all.md) — [`githubActions.configs.all`](./all.md)
55
51
 
56
- | Rule | Fix | Preset key |
57
- | --- | :-: | --- |
58
- | <span class="sb-inline-rule-number">R009</span> [`action-name-casing`](../action-name-casing.md) | 🔧 | [🟣](./all.md) [🔴](./strict.md) |
59
- | <span class="sb-inline-rule-number">R010</span> [`job-id-casing`](../job-id-casing.md) | | [🟣](./all.md) [🔴](./strict.md) |
60
- | <span class="sb-inline-rule-number">R011</span> [`max-jobs-per-action`](../max-jobs-per-action.md) | | [🟣](./all.md) [🔴](./strict.md) |
61
- | <span class="sb-inline-rule-number">R048</span> [`no-case-insensitive-input-id-collision`](../no-case-insensitive-input-id-collision.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
62
- | <span class="sb-inline-rule-number">R097</span> [`no-codeql-autobuild-for-javascript-typescript`](../no-codeql-autobuild-for-javascript-typescript.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
63
- | <span class="sb-inline-rule-number">R096</span> [`no-codeql-javascript-typescript-split-language-matrix`](../no-codeql-javascript-typescript-split-language-matrix.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
64
- | <span class="sb-inline-rule-number">R049</span> [`no-composite-input-env-access`](../no-composite-input-env-access.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
65
- | <span class="sb-inline-rule-number">R044</span> [`no-deprecated-node-runtime`](../no-deprecated-node-runtime.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
66
- | <span class="sb-inline-rule-number">R051</span> [`no-duplicate-composite-step-id`](../no-duplicate-composite-step-id.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
67
- | <span class="sb-inline-rule-number">R060</span> [`no-empty-template-file-pattern`](../no-empty-template-file-pattern.md) | 🔧 | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
68
- | <span class="sb-inline-rule-number">R012</span> [`no-external-job`](../no-external-job.md) | | [🟣](./all.md) [🔴](./strict.md) |
69
- | <span class="sb-inline-rule-number">R068</span> [`no-hardcoded-default-branch-in-template`](../no-hardcoded-default-branch-in-template.md) | | [🧱](./workflow-templates.md) [🟣](./all.md) |
70
- | <span class="sb-inline-rule-number">R063</span> [`no-icon-file-extension-in-template-icon-name`](../no-icon-file-extension-in-template-icon-name.md) | 🔧 | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
71
- | <span class="sb-inline-rule-number">R026</span> [`no-inherit-secrets`](../no-inherit-secrets.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
72
- | <span class="sb-inline-rule-number">R042</span> [`no-invalid-concurrency-context`](../no-invalid-concurrency-context.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
73
- | <span class="sb-inline-rule-number">R019</span> [`no-invalid-key`](../no-invalid-key.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
74
- | <span class="sb-inline-rule-number">R041</span> [`no-invalid-reusable-workflow-job-key`](../no-invalid-reusable-workflow-job-key.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
75
- | <span class="sb-inline-rule-number">R059</span> [`no-invalid-template-file-pattern-regex`](../no-invalid-template-file-pattern-regex.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
76
- | <span class="sb-inline-rule-number">R040</span> [`no-invalid-workflow-call-output-value`](../no-invalid-workflow-call-output-value.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
77
- | <span class="sb-inline-rule-number">R095</span> [`no-overlapping-dependabot-directories`](../no-overlapping-dependabot-directories.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
78
- | <span class="sb-inline-rule-number">R064</span> [`no-path-separators-in-template-icon-name`](../no-path-separators-in-template-icon-name.md) | 💡 | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
79
- | <span class="sb-inline-rule-number">R046</span> [`no-post-if-without-post`](../no-post-if-without-post.md) | 🔧 | [🧩](./action-metadata.md) [🟣](./all.md) |
80
- | <span class="sb-inline-rule-number">R030</span> [`no-pr-head-checkout-in-pull-request-target`](../no-pr-head-checkout-in-pull-request-target.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
81
- | <span class="sb-inline-rule-number">R045</span> [`no-pre-if-without-pre`](../no-pre-if-without-pre.md) | 🔧 | [🧩](./action-metadata.md) [🟣](./all.md) |
82
- | <span class="sb-inline-rule-number">R047</span> [`no-required-input-with-default`](../no-required-input-with-default.md) | 💡 | [🧩](./action-metadata.md) [🟣](./all.md) |
83
- | <span class="sb-inline-rule-number">R027</span> [`no-secrets-in-if`](../no-secrets-in-if.md) | | [🟣](./all.md) [🟡](./recommended.md) [🛡️](./security.md) [🔴](./strict.md) |
84
- | <span class="sb-inline-rule-number">R036</span> [`no-self-hosted-runner-on-fork-pr-events`](../no-self-hosted-runner-on-fork-pr-events.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
85
- | <span class="sb-inline-rule-number">R062</span> [`no-subdirectory-template-file-pattern`](../no-subdirectory-template-file-pattern.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
86
- | <span class="sb-inline-rule-number">R069</span> [`no-template-placeholder-in-non-template-workflow`](../no-template-placeholder-in-non-template-workflow.md) | | [🟡](./recommended.md) [🔴](./strict.md) [🟣](./all.md) |
87
- | <span class="sb-inline-rule-number">R013</span> [`no-top-level-env`](../no-top-level-env.md) | | [🟣](./all.md) [🔴](./strict.md) |
88
- | <span class="sb-inline-rule-number">R014</span> [`no-top-level-permissions`](../no-top-level-permissions.md) | | [🟣](./all.md) |
89
- | <span class="sb-inline-rule-number">R061</span> [`no-universal-template-file-pattern`](../no-universal-template-file-pattern.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
90
- | <span class="sb-inline-rule-number">R081</span> [`no-unknown-dependabot-multi-ecosystem-group`](../no-unknown-dependabot-multi-ecosystem-group.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
91
- | <span class="sb-inline-rule-number">R050</span> [`no-unknown-input-reference-in-composite`](../no-unknown-input-reference-in-composite.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
92
- | <span class="sb-inline-rule-number">R037</span> [`no-unknown-job-output-reference`](../no-unknown-job-output-reference.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
93
- | <span class="sb-inline-rule-number">R038</span> [`no-unknown-step-reference`](../no-unknown-step-reference.md) | | [🟣](./all.md) [🔴](./strict.md) |
94
- | <span class="sb-inline-rule-number">R029</span> [`no-untrusted-input-in-run`](../no-untrusted-input-in-run.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
95
- | <span class="sb-inline-rule-number">R085</span> [`no-unused-dependabot-enable-beta-ecosystems`](../no-unused-dependabot-enable-beta-ecosystems.md) | 🔧 | [🟣](./all.md) [🤖](./dependabot.md) |
96
- | <span class="sb-inline-rule-number">R053</span> [`no-unused-input-in-composite`](../no-unused-input-in-composite.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
97
- | <span class="sb-inline-rule-number">R023</span> [`no-write-all-permissions`](../no-write-all-permissions.md) | | [🟣](./all.md) [🟡](./recommended.md) [🛡️](./security.md) [🔴](./strict.md) |
98
- | <span class="sb-inline-rule-number">R003</span> [`pin-action-shas`](../pin-action-shas.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
99
- | <span class="sb-inline-rule-number">R043</span> [`prefer-action-yml`](../prefer-action-yml.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
100
- | <span class="sb-inline-rule-number">R015</span> [`prefer-fail-fast`](../prefer-fail-fast.md) | | [🟣](./all.md) [🔴](./strict.md) |
101
- | <span class="sb-inline-rule-number">R020</span> [`prefer-file-extension`](../prefer-file-extension.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
102
- | <span class="sb-inline-rule-number">R033</span> [`prefer-inputs-context`](../prefer-inputs-context.md) | 🔧 | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
103
- | <span class="sb-inline-rule-number">R016</span> [`prefer-step-uses-style`](../prefer-step-uses-style.md) | | [🟣](./all.md) |
104
- | <span class="sb-inline-rule-number">R066</span> [`prefer-template-yml-extension`](../prefer-template-yml-extension.md) | | [🧱](./workflow-templates.md) [🟣](./all.md) |
105
- | <span class="sb-inline-rule-number">R005</span> [`require-action-name`](../require-action-name.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
106
- | <span class="sb-inline-rule-number">R006</span> [`require-action-run-name`](../require-action-run-name.md) | | [🟣](./all.md) [🔴](./strict.md) |
107
- | <span class="sb-inline-rule-number">R025</span> [`require-checkout-before-local-action`](../require-checkout-before-local-action.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
108
- | <span class="sb-inline-rule-number">R099</span> [`require-codeql-actions-read`](../require-codeql-actions-read.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
109
- | <span class="sb-inline-rule-number">R113</span> [`require-codeql-branch-filters`](../require-codeql-branch-filters.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
110
- | <span class="sb-inline-rule-number">R114</span> [`require-codeql-category-when-language-matrix`](../require-codeql-category-when-language-matrix.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
111
- | <span class="sb-inline-rule-number">R100</span> [`require-codeql-pull-request-trigger`](../require-codeql-pull-request-trigger.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
112
- | <span class="sb-inline-rule-number">R101</span> [`require-codeql-schedule`](../require-codeql-schedule.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
113
- | <span class="sb-inline-rule-number">R098</span> [`require-codeql-security-events-write`](../require-codeql-security-events-write.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
114
- | <span class="sb-inline-rule-number">R052</span> [`require-composite-step-name`](../require-composite-step-name.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
115
- | <span class="sb-inline-rule-number">R077</span> [`require-dependabot-assignees`](../require-dependabot-assignees.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
116
- | <span class="sb-inline-rule-number">R111</span> [`require-dependabot-automation-permissions`](../require-dependabot-automation-permissions.md) | | [🟣](./all.md) [🛡️](./security.md) |
117
- | <span class="sb-inline-rule-number">R112</span> [`require-dependabot-automation-pull-request-trigger`](../require-dependabot-automation-pull-request-trigger.md) | | [🟣](./all.md) [🛡️](./security.md) |
118
- | <span class="sb-inline-rule-number">R109</span> [`require-dependabot-bot-actor-guard`](../require-dependabot-bot-actor-guard.md) | | [🟣](./all.md) [🛡️](./security.md) |
119
- | <span class="sb-inline-rule-number">R089</span> [`require-dependabot-commit-message-include-scope`](../require-dependabot-commit-message-include-scope.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
120
- | <span class="sb-inline-rule-number">R079</span> [`require-dependabot-commit-message-prefix`](../require-dependabot-commit-message-prefix.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
121
- | <span class="sb-inline-rule-number">R090</span> [`require-dependabot-commit-message-prefix-development`](../require-dependabot-commit-message-prefix-development.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
122
- | <span class="sb-inline-rule-number">R086</span> [`require-dependabot-cooldown`](../require-dependabot-cooldown.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
123
- | <span class="sb-inline-rule-number">R073</span> [`require-dependabot-directory`](../require-dependabot-directory.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
124
- | <span class="sb-inline-rule-number">R084</span> [`require-dependabot-github-actions-directory-root`](../require-dependabot-github-actions-directory-root.md) | 🔧 | [🟣](./all.md) [🤖](./dependabot.md) |
125
- | <span class="sb-inline-rule-number">R080</span> [`require-dependabot-labels`](../require-dependabot-labels.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
126
- | <span class="sb-inline-rule-number">R087</span> [`require-dependabot-open-pull-requests-limit`](../require-dependabot-open-pull-requests-limit.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
127
- | <span class="sb-inline-rule-number">R072</span> [`require-dependabot-package-ecosystem`](../require-dependabot-package-ecosystem.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
128
- | <span class="sb-inline-rule-number">R082</span> [`require-dependabot-patterns-for-multi-ecosystem-group`](../require-dependabot-patterns-for-multi-ecosystem-group.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
129
- | <span class="sb-inline-rule-number">R083</span> [`require-dependabot-schedule-cronjob`](../require-dependabot-schedule-cronjob.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
130
- | <span class="sb-inline-rule-number">R074</span> [`require-dependabot-schedule-interval`](../require-dependabot-schedule-interval.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
131
- | <span class="sb-inline-rule-number">R075</span> [`require-dependabot-schedule-time`](../require-dependabot-schedule-time.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
132
- | <span class="sb-inline-rule-number">R076</span> [`require-dependabot-schedule-timezone`](../require-dependabot-schedule-timezone.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
133
- | <span class="sb-inline-rule-number">R078</span> [`require-dependabot-target-branch`](../require-dependabot-target-branch.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
134
- | <span class="sb-inline-rule-number">R071</span> [`require-dependabot-updates`](../require-dependabot-updates.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
135
- | <span class="sb-inline-rule-number">R070</span> [`require-dependabot-version`](../require-dependabot-version.md) | 🔧 | [🟣](./all.md) [🤖](./dependabot.md) |
136
- | <span class="sb-inline-rule-number">R088</span> [`require-dependabot-versioning-strategy-for-npm`](../require-dependabot-versioning-strategy-for-npm.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
137
- | <span class="sb-inline-rule-number">R091</span> [`require-dependency-review-action`](../require-dependency-review-action.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
138
- | <span class="sb-inline-rule-number">R093</span> [`require-dependency-review-fail-on-severity`](../require-dependency-review-fail-on-severity.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
139
- | <span class="sb-inline-rule-number">R092</span> [`require-dependency-review-permissions-contents-read`](../require-dependency-review-permissions-contents-read.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
140
- | <span class="sb-inline-rule-number">R094</span> [`require-dependency-review-pull-request-trigger`](../require-dependency-review-pull-request-trigger.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
141
- | <span class="sb-inline-rule-number">R110</span> [`require-fetch-metadata-github-token`](../require-fetch-metadata-github-token.md) | | [🟣](./all.md) [🛡️](./security.md) |
142
- | <span class="sb-inline-rule-number">R007</span> [`require-job-name`](../require-job-name.md) | 💡 | [🟣](./all.md) [🔴](./strict.md) |
143
- | <span class="sb-inline-rule-number">R008</span> [`require-job-step-name`](../require-job-step-name.md) | 💡 | [🟣](./all.md) [🔴](./strict.md) |
144
- | <span class="sb-inline-rule-number">R002</span> [`require-job-timeout-minutes`](../require-job-timeout-minutes.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
145
- | <span class="sb-inline-rule-number">R035</span> [`require-merge-group-trigger`](../require-merge-group-trigger.md) | | [🟣](./all.md) [🔴](./strict.md) |
146
- | <span class="sb-inline-rule-number">R032</span> [`require-pull-request-target-branches`](../require-pull-request-target-branches.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
147
- | <span class="sb-inline-rule-number">R021</span> [`require-run-step-shell`](../require-run-step-shell.md) | | [🟣](./all.md) [🔴](./strict.md) |
148
- | <span class="sb-inline-rule-number">R102</span> [`require-sarif-upload-security-events-write`](../require-sarif-upload-security-events-write.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
149
- | <span class="sb-inline-rule-number">R103</span> [`require-scorecard-results-format-sarif`](../require-scorecard-results-format-sarif.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
150
- | <span class="sb-inline-rule-number">R104</span> [`require-scorecard-upload-sarif-step`](../require-scorecard-upload-sarif-step.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
151
- | <span class="sb-inline-rule-number">R107</span> [`require-secret-scan-contents-read`](../require-secret-scan-contents-read.md) | | [🟣](./all.md) [🛡️](./security.md) |
152
- | <span class="sb-inline-rule-number">R105</span> [`require-secret-scan-fetch-depth-zero`](../require-secret-scan-fetch-depth-zero.md) | | [🟣](./all.md) [🛡️](./security.md) |
153
- | <span class="sb-inline-rule-number">R106</span> [`require-secret-scan-schedule`](../require-secret-scan-schedule.md) | | [🟣](./all.md) [🛡️](./security.md) |
154
- | <span class="sb-inline-rule-number">R057</span> [`require-template-categories`](../require-template-categories.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
155
- | <span class="sb-inline-rule-number">R058</span> [`require-template-file-patterns`](../require-template-file-patterns.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
156
- | <span class="sb-inline-rule-number">R065</span> [`require-template-icon-file-exists`](../require-template-icon-file-exists.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
157
- | <span class="sb-inline-rule-number">R056</span> [`require-template-icon-name`](../require-template-icon-name.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
158
- | <span class="sb-inline-rule-number">R067</span> [`require-template-workflow-name`](../require-template-workflow-name.md) | | [🧱](./workflow-templates.md) [🟣](./all.md) |
159
- | <span class="sb-inline-rule-number">R031</span> [`require-trigger-types`](../require-trigger-types.md) | | [🟣](./all.md) [🔴](./strict.md) |
160
- | <span class="sb-inline-rule-number">R108</span> [`require-trufflehog-verified-results-mode`](../require-trufflehog-verified-results-mode.md) | | [🟣](./all.md) [🛡️](./security.md) |
161
- | <span class="sb-inline-rule-number">R034</span> [`require-workflow-call-input-type`](../require-workflow-call-input-type.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
162
- | <span class="sb-inline-rule-number">R039</span> [`require-workflow-call-output-value`](../require-workflow-call-output-value.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
163
- | <span class="sb-inline-rule-number">R004</span> [`require-workflow-concurrency`](../require-workflow-concurrency.md) | | [🟣](./all.md) [🔴](./strict.md) |
164
- | <span class="sb-inline-rule-number">R022</span> [`require-workflow-dispatch-input-type`](../require-workflow-dispatch-input-type.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
165
- | <span class="sb-inline-rule-number">R024</span> [`require-workflow-interface-description`](../require-workflow-interface-description.md) | | [🟣](./all.md) [🔴](./strict.md) |
166
- | <span class="sb-inline-rule-number">R001</span> [`require-workflow-permissions`](../require-workflow-permissions.md) | | [🟣](./all.md) [🟡](./recommended.md) [🛡️](./security.md) [🔴](./strict.md) |
167
- | <span class="sb-inline-rule-number">R028</span> [`require-workflow-run-branches`](../require-workflow-run-branches.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
168
- | <span class="sb-inline-rule-number">R054</span> [`require-workflow-template-pair`](../require-workflow-template-pair.md) | | [🧱](./workflow-templates.md) [🟣](./all.md) |
169
- | <span class="sb-inline-rule-number">R055</span> [`require-workflow-template-properties-pair`](../require-workflow-template-properties-pair.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
170
- | <span class="sb-inline-rule-number">R017</span> [`valid-timeout-minutes`](../valid-timeout-minutes.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
171
- | <span class="sb-inline-rule-number">R018</span> [`valid-trigger-events`](../valid-trigger-events.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
52
+ | Rule | Fix | Preset key |
53
+ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :-: | ------------------------------------------------------------------------------------- |
54
+ | <span class="sb-inline-rule-number">R009</span> [`action-name-casing`](../action-name-casing.md) | 🔧 | [🟣](./all.md) [🔴](./strict.md) |
55
+ | <span class="sb-inline-rule-number">R010</span> [`job-id-casing`](../job-id-casing.md) | | [🟣](./all.md) [🔴](./strict.md) |
56
+ | <span class="sb-inline-rule-number">R011</span> [`max-jobs-per-action`](../max-jobs-per-action.md) | | [🟣](./all.md) [🔴](./strict.md) |
57
+ | <span class="sb-inline-rule-number">R048</span> [`no-case-insensitive-input-id-collision`](../no-case-insensitive-input-id-collision.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
58
+ | <span class="sb-inline-rule-number">R097</span> [`no-codeql-autobuild-for-javascript-typescript`](../no-codeql-autobuild-for-javascript-typescript.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
59
+ | <span class="sb-inline-rule-number">R096</span> [`no-codeql-javascript-typescript-split-language-matrix`](../no-codeql-javascript-typescript-split-language-matrix.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
60
+ | <span class="sb-inline-rule-number">R049</span> [`no-composite-input-env-access`](../no-composite-input-env-access.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
61
+ | <span class="sb-inline-rule-number">R044</span> [`no-deprecated-node-runtime`](../no-deprecated-node-runtime.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
62
+ | <span class="sb-inline-rule-number">R051</span> [`no-duplicate-composite-step-id`](../no-duplicate-composite-step-id.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
63
+ | <span class="sb-inline-rule-number">R060</span> [`no-empty-template-file-pattern`](../no-empty-template-file-pattern.md) | 🔧 | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
64
+ | <span class="sb-inline-rule-number">R012</span> [`no-external-job`](../no-external-job.md) | | [🟣](./all.md) [🔴](./strict.md) |
65
+ | <span class="sb-inline-rule-number">R068</span> [`no-hardcoded-default-branch-in-template`](../no-hardcoded-default-branch-in-template.md) | | [🧱](./workflow-templates.md) [🟣](./all.md) |
66
+ | <span class="sb-inline-rule-number">R063</span> [`no-icon-file-extension-in-template-icon-name`](../no-icon-file-extension-in-template-icon-name.md) | 🔧 | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
67
+ | <span class="sb-inline-rule-number">R026</span> [`no-inherit-secrets`](../no-inherit-secrets.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
68
+ | <span class="sb-inline-rule-number">R042</span> [`no-invalid-concurrency-context`](../no-invalid-concurrency-context.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
69
+ | <span class="sb-inline-rule-number">R019</span> [`no-invalid-key`](../no-invalid-key.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
70
+ | <span class="sb-inline-rule-number">R041</span> [`no-invalid-reusable-workflow-job-key`](../no-invalid-reusable-workflow-job-key.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
71
+ | <span class="sb-inline-rule-number">R059</span> [`no-invalid-template-file-pattern-regex`](../no-invalid-template-file-pattern-regex.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
72
+ | <span class="sb-inline-rule-number">R040</span> [`no-invalid-workflow-call-output-value`](../no-invalid-workflow-call-output-value.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
73
+ | <span class="sb-inline-rule-number">R095</span> [`no-overlapping-dependabot-directories`](../no-overlapping-dependabot-directories.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
74
+ | <span class="sb-inline-rule-number">R064</span> [`no-path-separators-in-template-icon-name`](../no-path-separators-in-template-icon-name.md) | 💡 | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
75
+ | <span class="sb-inline-rule-number">R046</span> [`no-post-if-without-post`](../no-post-if-without-post.md) | 🔧 | [🧩](./action-metadata.md) [🟣](./all.md) |
76
+ | <span class="sb-inline-rule-number">R030</span> [`no-pr-head-checkout-in-pull-request-target`](../no-pr-head-checkout-in-pull-request-target.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
77
+ | <span class="sb-inline-rule-number">R045</span> [`no-pre-if-without-pre`](../no-pre-if-without-pre.md) | 🔧 | [🧩](./action-metadata.md) [🟣](./all.md) |
78
+ | <span class="sb-inline-rule-number">R047</span> [`no-required-input-with-default`](../no-required-input-with-default.md) | 💡 | [🧩](./action-metadata.md) [🟣](./all.md) |
79
+ | <span class="sb-inline-rule-number">R027</span> [`no-secrets-in-if`](../no-secrets-in-if.md) | | [🟣](./all.md) [🟡](./recommended.md) [🛡️](./security.md) [🔴](./strict.md) |
80
+ | <span class="sb-inline-rule-number">R036</span> [`no-self-hosted-runner-on-fork-pr-events`](../no-self-hosted-runner-on-fork-pr-events.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
81
+ | <span class="sb-inline-rule-number">R062</span> [`no-subdirectory-template-file-pattern`](../no-subdirectory-template-file-pattern.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
82
+ | <span class="sb-inline-rule-number">R069</span> [`no-template-placeholder-in-non-template-workflow`](../no-template-placeholder-in-non-template-workflow.md) | | [🟡](./recommended.md) [🔴](./strict.md) [🟣](./all.md) |
83
+ | <span class="sb-inline-rule-number">R013</span> [`no-top-level-env`](../no-top-level-env.md) | | [🟣](./all.md) [🔴](./strict.md) |
84
+ | <span class="sb-inline-rule-number">R014</span> [`no-top-level-permissions`](../no-top-level-permissions.md) | | |
85
+ | <span class="sb-inline-rule-number">R061</span> [`no-universal-template-file-pattern`](../no-universal-template-file-pattern.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
86
+ | <span class="sb-inline-rule-number">R081</span> [`no-unknown-dependabot-multi-ecosystem-group`](../no-unknown-dependabot-multi-ecosystem-group.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
87
+ | <span class="sb-inline-rule-number">R050</span> [`no-unknown-input-reference-in-composite`](../no-unknown-input-reference-in-composite.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
88
+ | <span class="sb-inline-rule-number">R037</span> [`no-unknown-job-output-reference`](../no-unknown-job-output-reference.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
89
+ | <span class="sb-inline-rule-number">R038</span> [`no-unknown-step-reference`](../no-unknown-step-reference.md) | | [🟣](./all.md) [🔴](./strict.md) |
90
+ | <span class="sb-inline-rule-number">R029</span> [`no-untrusted-input-in-run`](../no-untrusted-input-in-run.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
91
+ | <span class="sb-inline-rule-number">R085</span> [`no-unused-dependabot-enable-beta-ecosystems`](../no-unused-dependabot-enable-beta-ecosystems.md) | 🔧 | [🟣](./all.md) [🤖](./dependabot.md) |
92
+ | <span class="sb-inline-rule-number">R053</span> [`no-unused-input-in-composite`](../no-unused-input-in-composite.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
93
+ | <span class="sb-inline-rule-number">R023</span> [`no-write-all-permissions`](../no-write-all-permissions.md) | | [🟣](./all.md) [🟡](./recommended.md) [🛡️](./security.md) [🔴](./strict.md) |
94
+ | <span class="sb-inline-rule-number">R003</span> [`pin-action-shas`](../pin-action-shas.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
95
+ | <span class="sb-inline-rule-number">R043</span> [`prefer-action-yml`](../prefer-action-yml.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
96
+ | <span class="sb-inline-rule-number">R015</span> [`prefer-fail-fast`](../prefer-fail-fast.md) | | [🟣](./all.md) [🔴](./strict.md) |
97
+ | <span class="sb-inline-rule-number">R020</span> [`prefer-file-extension`](../prefer-file-extension.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
98
+ | <span class="sb-inline-rule-number">R033</span> [`prefer-inputs-context`](../prefer-inputs-context.md) | 🔧 | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
99
+ | <span class="sb-inline-rule-number">R016</span> [`prefer-step-uses-style`](../prefer-step-uses-style.md) | | [🟣](./all.md) |
100
+ | <span class="sb-inline-rule-number">R066</span> [`prefer-template-yml-extension`](../prefer-template-yml-extension.md) | | [🧱](./workflow-templates.md) [🟣](./all.md) |
101
+ | <span class="sb-inline-rule-number">R005</span> [`require-action-name`](../require-action-name.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
102
+ | <span class="sb-inline-rule-number">R006</span> [`require-action-run-name`](../require-action-run-name.md) | | [🟣](./all.md) [🔴](./strict.md) |
103
+ | <span class="sb-inline-rule-number">R025</span> [`require-checkout-before-local-action`](../require-checkout-before-local-action.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
104
+ | <span class="sb-inline-rule-number">R099</span> [`require-codeql-actions-read`](../require-codeql-actions-read.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
105
+ | <span class="sb-inline-rule-number">R113</span> [`require-codeql-branch-filters`](../require-codeql-branch-filters.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
106
+ | <span class="sb-inline-rule-number">R114</span> [`require-codeql-category-when-language-matrix`](../require-codeql-category-when-language-matrix.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
107
+ | <span class="sb-inline-rule-number">R100</span> [`require-codeql-pull-request-trigger`](../require-codeql-pull-request-trigger.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
108
+ | <span class="sb-inline-rule-number">R101</span> [`require-codeql-schedule`](../require-codeql-schedule.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
109
+ | <span class="sb-inline-rule-number">R098</span> [`require-codeql-security-events-write`](../require-codeql-security-events-write.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
110
+ | <span class="sb-inline-rule-number">R052</span> [`require-composite-step-name`](../require-composite-step-name.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
111
+ | <span class="sb-inline-rule-number">R077</span> [`require-dependabot-assignees`](../require-dependabot-assignees.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
112
+ | <span class="sb-inline-rule-number">R111</span> [`require-dependabot-automation-permissions`](../require-dependabot-automation-permissions.md) | | [🟣](./all.md) [🛡️](./security.md) |
113
+ | <span class="sb-inline-rule-number">R112</span> [`require-dependabot-automation-pull-request-trigger`](../require-dependabot-automation-pull-request-trigger.md) | | [🟣](./all.md) [🛡️](./security.md) |
114
+ | <span class="sb-inline-rule-number">R109</span> [`require-dependabot-bot-actor-guard`](../require-dependabot-bot-actor-guard.md) | | [🟣](./all.md) [🛡️](./security.md) |
115
+ | <span class="sb-inline-rule-number">R089</span> [`require-dependabot-commit-message-include-scope`](../require-dependabot-commit-message-include-scope.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
116
+ | <span class="sb-inline-rule-number">R079</span> [`require-dependabot-commit-message-prefix`](../require-dependabot-commit-message-prefix.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
117
+ | <span class="sb-inline-rule-number">R090</span> [`require-dependabot-commit-message-prefix-development`](../require-dependabot-commit-message-prefix-development.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
118
+ | <span class="sb-inline-rule-number">R086</span> [`require-dependabot-cooldown`](../require-dependabot-cooldown.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
119
+ | <span class="sb-inline-rule-number">R073</span> [`require-dependabot-directory`](../require-dependabot-directory.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
120
+ | <span class="sb-inline-rule-number">R084</span> [`require-dependabot-github-actions-directory-root`](../require-dependabot-github-actions-directory-root.md) | 🔧 | [🟣](./all.md) [🤖](./dependabot.md) |
121
+ | <span class="sb-inline-rule-number">R080</span> [`require-dependabot-labels`](../require-dependabot-labels.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
122
+ | <span class="sb-inline-rule-number">R087</span> [`require-dependabot-open-pull-requests-limit`](../require-dependabot-open-pull-requests-limit.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
123
+ | <span class="sb-inline-rule-number">R072</span> [`require-dependabot-package-ecosystem`](../require-dependabot-package-ecosystem.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
124
+ | <span class="sb-inline-rule-number">R082</span> [`require-dependabot-patterns-for-multi-ecosystem-group`](../require-dependabot-patterns-for-multi-ecosystem-group.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
125
+ | <span class="sb-inline-rule-number">R083</span> [`require-dependabot-schedule-cronjob`](../require-dependabot-schedule-cronjob.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
126
+ | <span class="sb-inline-rule-number">R074</span> [`require-dependabot-schedule-interval`](../require-dependabot-schedule-interval.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
127
+ | <span class="sb-inline-rule-number">R075</span> [`require-dependabot-schedule-time`](../require-dependabot-schedule-time.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
128
+ | <span class="sb-inline-rule-number">R076</span> [`require-dependabot-schedule-timezone`](../require-dependabot-schedule-timezone.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
129
+ | <span class="sb-inline-rule-number">R078</span> [`require-dependabot-target-branch`](../require-dependabot-target-branch.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
130
+ | <span class="sb-inline-rule-number">R071</span> [`require-dependabot-updates`](../require-dependabot-updates.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
131
+ | <span class="sb-inline-rule-number">R070</span> [`require-dependabot-version`](../require-dependabot-version.md) | 🔧 | [🟣](./all.md) [🤖](./dependabot.md) |
132
+ | <span class="sb-inline-rule-number">R088</span> [`require-dependabot-versioning-strategy-for-npm`](../require-dependabot-versioning-strategy-for-npm.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
133
+ | <span class="sb-inline-rule-number">R091</span> [`require-dependency-review-action`](../require-dependency-review-action.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
134
+ | <span class="sb-inline-rule-number">R093</span> [`require-dependency-review-fail-on-severity`](../require-dependency-review-fail-on-severity.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
135
+ | <span class="sb-inline-rule-number">R092</span> [`require-dependency-review-permissions-contents-read`](../require-dependency-review-permissions-contents-read.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
136
+ | <span class="sb-inline-rule-number">R094</span> [`require-dependency-review-pull-request-trigger`](../require-dependency-review-pull-request-trigger.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
137
+ | <span class="sb-inline-rule-number">R110</span> [`require-fetch-metadata-github-token`](../require-fetch-metadata-github-token.md) | | [🟣](./all.md) [🛡️](./security.md) |
138
+ | <span class="sb-inline-rule-number">R007</span> [`require-job-name`](../require-job-name.md) | 💡 | [🟣](./all.md) [🔴](./strict.md) |
139
+ | <span class="sb-inline-rule-number">R008</span> [`require-job-step-name`](../require-job-step-name.md) | 💡 | [🟣](./all.md) [🔴](./strict.md) |
140
+ | <span class="sb-inline-rule-number">R002</span> [`require-job-timeout-minutes`](../require-job-timeout-minutes.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
141
+ | <span class="sb-inline-rule-number">R035</span> [`require-merge-group-trigger`](../require-merge-group-trigger.md) | | [🟣](./all.md) [🔴](./strict.md) |
142
+ | <span class="sb-inline-rule-number">R032</span> [`require-pull-request-target-branches`](../require-pull-request-target-branches.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
143
+ | <span class="sb-inline-rule-number">R021</span> [`require-run-step-shell`](../require-run-step-shell.md) | | [🟣](./all.md) [🔴](./strict.md) |
144
+ | <span class="sb-inline-rule-number">R102</span> [`require-sarif-upload-security-events-write`](../require-sarif-upload-security-events-write.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
145
+ | <span class="sb-inline-rule-number">R103</span> [`require-scorecard-results-format-sarif`](../require-scorecard-results-format-sarif.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
146
+ | <span class="sb-inline-rule-number">R104</span> [`require-scorecard-upload-sarif-step`](../require-scorecard-upload-sarif-step.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
147
+ | <span class="sb-inline-rule-number">R107</span> [`require-secret-scan-contents-read`](../require-secret-scan-contents-read.md) | | [🟣](./all.md) [🛡️](./security.md) |
148
+ | <span class="sb-inline-rule-number">R105</span> [`require-secret-scan-fetch-depth-zero`](../require-secret-scan-fetch-depth-zero.md) | | [🟣](./all.md) [🛡️](./security.md) |
149
+ | <span class="sb-inline-rule-number">R106</span> [`require-secret-scan-schedule`](../require-secret-scan-schedule.md) | | [🟣](./all.md) [🛡️](./security.md) |
150
+ | <span class="sb-inline-rule-number">R057</span> [`require-template-categories`](../require-template-categories.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
151
+ | <span class="sb-inline-rule-number">R058</span> [`require-template-file-patterns`](../require-template-file-patterns.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
152
+ | <span class="sb-inline-rule-number">R065</span> [`require-template-icon-file-exists`](../require-template-icon-file-exists.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
153
+ | <span class="sb-inline-rule-number">R056</span> [`require-template-icon-name`](../require-template-icon-name.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
154
+ | <span class="sb-inline-rule-number">R067</span> [`require-template-workflow-name`](../require-template-workflow-name.md) | | [🧱](./workflow-templates.md) [🟣](./all.md) |
155
+ | <span class="sb-inline-rule-number">R031</span> [`require-trigger-types`](../require-trigger-types.md) | | [🟣](./all.md) [🔴](./strict.md) |
156
+ | <span class="sb-inline-rule-number">R108</span> [`require-trufflehog-verified-results-mode`](../require-trufflehog-verified-results-mode.md) | | [🟣](./all.md) [🛡️](./security.md) |
157
+ | <span class="sb-inline-rule-number">R034</span> [`require-workflow-call-input-type`](../require-workflow-call-input-type.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
158
+ | <span class="sb-inline-rule-number">R039</span> [`require-workflow-call-output-value`](../require-workflow-call-output-value.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
159
+ | <span class="sb-inline-rule-number">R004</span> [`require-workflow-concurrency`](../require-workflow-concurrency.md) | | [🟣](./all.md) [🔴](./strict.md) |
160
+ | <span class="sb-inline-rule-number">R022</span> [`require-workflow-dispatch-input-type`](../require-workflow-dispatch-input-type.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
161
+ | <span class="sb-inline-rule-number">R024</span> [`require-workflow-interface-description`](../require-workflow-interface-description.md) | | [🟣](./all.md) [🔴](./strict.md) |
162
+ | <span class="sb-inline-rule-number">R001</span> [`require-workflow-permissions`](../require-workflow-permissions.md) | | [🟣](./all.md) [🟡](./recommended.md) [🛡️](./security.md) [🔴](./strict.md) |
163
+ | <span class="sb-inline-rule-number">R028</span> [`require-workflow-run-branches`](../require-workflow-run-branches.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
164
+ | <span class="sb-inline-rule-number">R054</span> [`require-workflow-template-pair`](../require-workflow-template-pair.md) | | [🧱](./workflow-templates.md) [🟣](./all.md) |
165
+ | <span class="sb-inline-rule-number">R055</span> [`require-workflow-template-properties-pair`](../require-workflow-template-properties-pair.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
166
+ | <span class="sb-inline-rule-number">R017</span> [`valid-timeout-minutes`](../valid-timeout-minutes.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
167
+ | <span class="sb-inline-rule-number">R018</span> [`valid-trigger-events`](../valid-trigger-events.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
package/docs/rules/require-dependency-review-permissions-contents-read.md CHANGED
@@ -8,7 +8,7 @@ Workflows that use `actions/dependency-review-action`.
8
8
 
9
9
  ## What this rule reports
10
10
 
11
- This rule reports workflows using the dependency review action that do not set top-level `permissions.contents: read`.
11
+ This rule reports jobs using the dependency review action that do not have effective `contents: read` via either workflow-level or job-level `permissions`.
12
12
 
13
13
  ## Why this rule exists
14
14
 
@@ -18,11 +18,11 @@ Dependency review only needs repository contents read access. Requiring that exp
18
18
 
19
19
  ```yaml
20
20
  on: [pull_request]
21
- permissions:
22
- contents: write
23
21
  jobs:
24
22
  dependency-review:
25
23
  runs-on: ubuntu-latest
24
+ permissions:
25
+ contents: write
26
26
  steps:
27
27
  - uses: actions/dependency-review-action@v4
28
28
  ```
@@ -40,9 +40,20 @@ jobs:
40
40
  - uses: actions/dependency-review-action@v4
41
41
  ```
42
42
 
43
+ ```yaml
44
+ on: [pull_request]
45
+ jobs:
46
+ dependency-review:
47
+ runs-on: ubuntu-latest
48
+ permissions:
49
+ contents: read
50
+ steps:
51
+ - uses: actions/dependency-review-action@v4
52
+ ```
53
+
43
54
  ## Additional examples
44
55
 
45
- This rule complements `require-workflow-permissions` by enforcing the narrower security expectation specific to dependency review workflows.
56
+ This rule complements `require-workflow-permissions` by enforcing the narrower security expectation specific to dependency review jobs without forcing that permission to live only at the workflow root.
46
57
 
47
58
  ## ESLint flat config example
48
59
 
package/docs/rules/require-secret-scan-contents-read.md CHANGED
@@ -8,7 +8,7 @@ Jobs that use supported secret-scanning actions.
8
8
 
9
9
  ## What this rule reports
10
10
 
11
- This rule reports secret-scanning jobs that do not grant `contents: read`.
11
+ This rule reports secret-scanning jobs that do not have effective `contents: read` via either workflow-level or job-level `permissions`.
12
12
 
13
13
  ## Why this rule exists
14
14
 
@@ -17,7 +17,8 @@ Secret-scanning workflows generally only need read access to repository contents
17
17
  ## ❌ Incorrect
18
18
 
19
19
  ```yaml
20
- permissions: {}
20
+ permissions:
21
+ contents: write
21
22
  ```
22
23
 
23
24
  ## ✅ Correct
@@ -27,6 +28,13 @@ permissions:
27
28
  contents: read
28
29
  ```
29
30
 
31
+ ```yaml
32
+ jobs:
33
+ scan:
34
+ permissions:
35
+ contents: read
36
+ ```
37
+
30
38
  ## Additional examples
31
39
 
32
40
  This rule is intentionally narrow and does not try to prescribe every other permission a secret-scanning workflow may or may not need.
package/docs/rules/require-workflow-permissions.md CHANGED
@@ -43,10 +43,9 @@ jobs:
43
43
  runs-on: ubuntu-latest
44
44
  ```
45
45
 
46
-
47
46
  ## Additional examples
48
47
 
49
- For larger repositories, this rule is often enabled together with one of the published presets so violations are caught in pull requests before workflow changes are merged.
48
+ For larger repositories, this rule works well as a baseline requirement for explicit token scope. If your team prefers every job to declare permissions locally, layer the opt-in `no-top-level-permissions` rule on top.
50
49
 
51
50
  ## ESLint flat config example
52
51
 
@@ -69,7 +68,8 @@ export default [
69
68
  ## When not to use it
70
69
 
71
70
  You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.
71
+
72
72
  ## Further reading
73
73
 
74
- - [https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#permissions](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#permissions)
75
- - [https://docs.github.com/actions/security-for-github-actions/security-guides/automatic-token-authentication](https://docs.github.com/actions/security-for-github-actions/security-guides/automatic-token-authentication)
74
+ - [GitHub Actions workflow syntax: permissions](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#permissions)
75
+ - [GitHub Actions automatic token authentication guide](https://docs.github.com/actions/security-for-github-actions/security-guides/automatic-token-authentication)
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "$schema": "https://www.schemastore.org/package.json",
3
3
  "name": "eslint-plugin-github-actions-2",
4
- "version": "1.0.3",
4
+ "version": "1.0.5",
5
5
  "private": false,
6
6
  "description": "ESLint plugin for GitHub Actions workflow quality, reliability, and security rules.",
7
7
  "keywords": [