eslint-plugin-github-actions-2 1.0.3 → 1.0.5
- package/README.md +127 -127
- package/dist/_internal/github-actions-config-references.js +1 -1
- package/dist/_internal/github-actions-config-references.js.map +1 -1
- package/dist/_internal/lint-targets.d.ts +7 -0
- package/dist/_internal/lint-targets.d.ts.map +1 -1
- package/dist/_internal/lint-targets.js +15 -0
- package/dist/_internal/lint-targets.js.map +1 -1
- package/dist/_internal/rule-docs.d.ts +1 -1
- package/dist/_internal/rule-docs.d.ts.map +1 -1
- package/dist/_internal/workflow-permissions.d.ts +2 -0
- package/dist/_internal/workflow-permissions.d.ts.map +1 -1
- package/dist/_internal/workflow-permissions.js +54 -7
- package/dist/_internal/workflow-permissions.js.map +1 -1
- package/dist/plugin.cjs +263 -22
- package/dist/plugin.cjs.map +2 -2
- package/dist/plugin.d.ts.map +1 -1
- package/dist/plugin.js +1 -1
- package/dist/plugin.js.map +1 -1
- package/dist/rules/action-name-casing.d.ts.map +1 -1
- package/dist/rules/action-name-casing.js +4 -0
- package/dist/rules/action-name-casing.js.map +1 -1
- package/dist/rules/job-id-casing.d.ts.map +1 -1
- package/dist/rules/job-id-casing.js +4 -0
- package/dist/rules/job-id-casing.js.map +1 -1
- package/dist/rules/max-jobs-per-action.d.ts.map +1 -1
- package/dist/rules/max-jobs-per-action.js +4 -0
- package/dist/rules/max-jobs-per-action.js.map +1 -1
- package/dist/rules/no-codeql-autobuild-for-javascript-typescript.d.ts.map +1 -1
- package/dist/rules/no-codeql-autobuild-for-javascript-typescript.js +4 -0
- package/dist/rules/no-codeql-autobuild-for-javascript-typescript.js.map +1 -1
- package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.d.ts.map +1 -1
- package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.js +4 -0
- package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.js.map +1 -1
- package/dist/rules/no-external-job.d.ts.map +1 -1
- package/dist/rules/no-external-job.js +4 -0
- package/dist/rules/no-external-job.js.map +1 -1
- package/dist/rules/no-inherit-secrets.d.ts.map +1 -1
- package/dist/rules/no-inherit-secrets.js +4 -0
- package/dist/rules/no-inherit-secrets.js.map +1 -1
- package/dist/rules/no-invalid-concurrency-context.d.ts.map +1 -1
- package/dist/rules/no-invalid-concurrency-context.js +4 -0
- package/dist/rules/no-invalid-concurrency-context.js.map +1 -1
- package/dist/rules/no-invalid-key.d.ts.map +1 -1
- package/dist/rules/no-invalid-key.js +4 -0
- package/dist/rules/no-invalid-key.js.map +1 -1
- package/dist/rules/no-invalid-reusable-workflow-job-key.d.ts.map +1 -1
- package/dist/rules/no-invalid-reusable-workflow-job-key.js +4 -0
- package/dist/rules/no-invalid-reusable-workflow-job-key.js.map +1 -1
- package/dist/rules/no-invalid-workflow-call-output-value.d.ts.map +1 -1
- package/dist/rules/no-invalid-workflow-call-output-value.js +4 -0
- package/dist/rules/no-invalid-workflow-call-output-value.js.map +1 -1
- package/dist/rules/no-pr-head-checkout-in-pull-request-target.d.ts.map +1 -1
- package/dist/rules/no-pr-head-checkout-in-pull-request-target.js +4 -0
- package/dist/rules/no-pr-head-checkout-in-pull-request-target.js.map +1 -1
- package/dist/rules/no-secrets-in-if.d.ts.map +1 -1
- package/dist/rules/no-secrets-in-if.js +4 -0
- package/dist/rules/no-secrets-in-if.js.map +1 -1
- package/dist/rules/no-self-hosted-runner-on-fork-pr-events.d.ts.map +1 -1
- package/dist/rules/no-self-hosted-runner-on-fork-pr-events.js +4 -0
- package/dist/rules/no-self-hosted-runner-on-fork-pr-events.js.map +1 -1
- package/dist/rules/no-top-level-env.d.ts.map +1 -1
- package/dist/rules/no-top-level-env.js +4 -0
- package/dist/rules/no-top-level-env.js.map +1 -1
- package/dist/rules/no-top-level-permissions.d.ts.map +1 -1
- package/dist/rules/no-top-level-permissions.js +4 -1
- package/dist/rules/no-top-level-permissions.js.map +1 -1
- package/dist/rules/no-unknown-job-output-reference.d.ts.map +1 -1
- package/dist/rules/no-unknown-job-output-reference.js +4 -0
- package/dist/rules/no-unknown-job-output-reference.js.map +1 -1
- package/dist/rules/no-unknown-step-reference.d.ts.map +1 -1
- package/dist/rules/no-unknown-step-reference.js +4 -0
- package/dist/rules/no-unknown-step-reference.js.map +1 -1
- package/dist/rules/no-untrusted-input-in-run.d.ts.map +1 -1
- package/dist/rules/no-untrusted-input-in-run.js +4 -0
- package/dist/rules/no-untrusted-input-in-run.js.map +1 -1
- package/dist/rules/no-write-all-permissions.d.ts.map +1 -1
- package/dist/rules/no-write-all-permissions.js +4 -0
- package/dist/rules/no-write-all-permissions.js.map +1 -1
- package/dist/rules/pin-action-shas.d.ts.map +1 -1
- package/dist/rules/pin-action-shas.js +4 -0
- package/dist/rules/pin-action-shas.js.map +1 -1
- package/dist/rules/prefer-fail-fast.d.ts.map +1 -1
- package/dist/rules/prefer-fail-fast.js +4 -0
- package/dist/rules/prefer-fail-fast.js.map +1 -1
- package/dist/rules/prefer-file-extension.d.ts.map +1 -1
- package/dist/rules/prefer-file-extension.js +4 -0
- package/dist/rules/prefer-file-extension.js.map +1 -1
- package/dist/rules/prefer-inputs-context.d.ts.map +1 -1
- package/dist/rules/prefer-inputs-context.js +4 -0
- package/dist/rules/prefer-inputs-context.js.map +1 -1
- package/dist/rules/prefer-step-uses-style.d.ts.map +1 -1
- package/dist/rules/prefer-step-uses-style.js +4 -0
- package/dist/rules/prefer-step-uses-style.js.map +1 -1
- package/dist/rules/require-action-name.d.ts.map +1 -1
- package/dist/rules/require-action-name.js +4 -0
- package/dist/rules/require-action-name.js.map +1 -1
- package/dist/rules/require-action-run-name.d.ts.map +1 -1
- package/dist/rules/require-action-run-name.js +4 -0
- package/dist/rules/require-action-run-name.js.map +1 -1
- package/dist/rules/require-checkout-before-local-action.d.ts.map +1 -1
- package/dist/rules/require-checkout-before-local-action.js +4 -0
- package/dist/rules/require-checkout-before-local-action.js.map +1 -1
- package/dist/rules/require-codeql-actions-read.d.ts.map +1 -1
- package/dist/rules/require-codeql-actions-read.js +4 -0
- package/dist/rules/require-codeql-actions-read.js.map +1 -1
- package/dist/rules/require-codeql-branch-filters.d.ts.map +1 -1
- package/dist/rules/require-codeql-branch-filters.js +4 -0
- package/dist/rules/require-codeql-branch-filters.js.map +1 -1
- package/dist/rules/require-codeql-category-when-language-matrix.d.ts.map +1 -1
- package/dist/rules/require-codeql-category-when-language-matrix.js +4 -0
- package/dist/rules/require-codeql-category-when-language-matrix.js.map +1 -1
- package/dist/rules/require-codeql-pull-request-trigger.d.ts.map +1 -1
- package/dist/rules/require-codeql-pull-request-trigger.js +4 -0
- package/dist/rules/require-codeql-pull-request-trigger.js.map +1 -1
- package/dist/rules/require-codeql-schedule.d.ts.map +1 -1
- package/dist/rules/require-codeql-schedule.js +4 -0
- package/dist/rules/require-codeql-schedule.js.map +1 -1
- package/dist/rules/require-codeql-security-events-write.d.ts.map +1 -1
- package/dist/rules/require-codeql-security-events-write.js +4 -0
- package/dist/rules/require-codeql-security-events-write.js.map +1 -1
- package/dist/rules/require-dependabot-automation-permissions.d.ts.map +1 -1
- package/dist/rules/require-dependabot-automation-permissions.js +4 -0
- package/dist/rules/require-dependabot-automation-permissions.js.map +1 -1
- package/dist/rules/require-dependabot-automation-pull-request-trigger.d.ts.map +1 -1
- package/dist/rules/require-dependabot-automation-pull-request-trigger.js +4 -0
- package/dist/rules/require-dependabot-automation-pull-request-trigger.js.map +1 -1
- package/dist/rules/require-dependabot-bot-actor-guard.d.ts.map +1 -1
- package/dist/rules/require-dependabot-bot-actor-guard.js +4 -0
- package/dist/rules/require-dependabot-bot-actor-guard.js.map +1 -1
- package/dist/rules/require-dependency-review-fail-on-severity.d.ts.map +1 -1
- package/dist/rules/require-dependency-review-fail-on-severity.js +4 -0
- package/dist/rules/require-dependency-review-fail-on-severity.js.map +1 -1
- package/dist/rules/require-dependency-review-permissions-contents-read.d.ts.map +1 -1
- package/dist/rules/require-dependency-review-permissions-contents-read.js +23 -18
- package/dist/rules/require-dependency-review-permissions-contents-read.js.map +1 -1
- package/dist/rules/require-dependency-review-pull-request-trigger.d.ts.map +1 -1
- package/dist/rules/require-dependency-review-pull-request-trigger.js +4 -0
- package/dist/rules/require-dependency-review-pull-request-trigger.js.map +1 -1
- package/dist/rules/require-fetch-metadata-github-token.d.ts.map +1 -1
- package/dist/rules/require-fetch-metadata-github-token.js +4 -0
- package/dist/rules/require-fetch-metadata-github-token.js.map +1 -1
- package/dist/rules/require-job-name.d.ts.map +1 -1
- package/dist/rules/require-job-name.js +4 -0
- package/dist/rules/require-job-name.js.map +1 -1
- package/dist/rules/require-job-step-name.d.ts.map +1 -1
- package/dist/rules/require-job-step-name.js +4 -0
- package/dist/rules/require-job-step-name.js.map +1 -1
- package/dist/rules/require-job-timeout-minutes.d.ts.map +1 -1
- package/dist/rules/require-job-timeout-minutes.js +4 -0
- package/dist/rules/require-job-timeout-minutes.js.map +1 -1
- package/dist/rules/require-merge-group-trigger.d.ts.map +1 -1
- package/dist/rules/require-merge-group-trigger.js +4 -0
- package/dist/rules/require-merge-group-trigger.js.map +1 -1
- package/dist/rules/require-pull-request-target-branches.d.ts.map +1 -1
- package/dist/rules/require-pull-request-target-branches.js +4 -0
- package/dist/rules/require-pull-request-target-branches.js.map +1 -1
- package/dist/rules/require-run-step-shell.d.ts.map +1 -1
- package/dist/rules/require-run-step-shell.js +4 -0
- package/dist/rules/require-run-step-shell.js.map +1 -1
- package/dist/rules/require-sarif-upload-security-events-write.d.ts.map +1 -1
- package/dist/rules/require-sarif-upload-security-events-write.js +4 -0
- package/dist/rules/require-sarif-upload-security-events-write.js.map +1 -1
- package/dist/rules/require-scorecard-results-format-sarif.d.ts.map +1 -1
- package/dist/rules/require-scorecard-results-format-sarif.js +4 -0
- package/dist/rules/require-scorecard-results-format-sarif.js.map +1 -1
- package/dist/rules/require-scorecard-upload-sarif-step.d.ts.map +1 -1
- package/dist/rules/require-scorecard-upload-sarif-step.js +4 -0
- package/dist/rules/require-scorecard-upload-sarif-step.js.map +1 -1
- package/dist/rules/require-secret-scan-contents-read.d.ts.map +1 -1
- package/dist/rules/require-secret-scan-contents-read.js +7 -3
- package/dist/rules/require-secret-scan-contents-read.js.map +1 -1
- package/dist/rules/require-secret-scan-fetch-depth-zero.d.ts.map +1 -1
- package/dist/rules/require-secret-scan-fetch-depth-zero.js +4 -0
- package/dist/rules/require-secret-scan-fetch-depth-zero.js.map +1 -1
- package/dist/rules/require-secret-scan-schedule.d.ts.map +1 -1
- package/dist/rules/require-secret-scan-schedule.js +4 -0
- package/dist/rules/require-secret-scan-schedule.js.map +1 -1
- package/dist/rules/require-trigger-types.d.ts.map +1 -1
- package/dist/rules/require-trigger-types.js +4 -0
- package/dist/rules/require-trigger-types.js.map +1 -1
- package/dist/rules/require-trufflehog-verified-results-mode.d.ts.map +1 -1
- package/dist/rules/require-trufflehog-verified-results-mode.js +4 -0
- package/dist/rules/require-trufflehog-verified-results-mode.js.map +1 -1
- package/dist/rules/require-workflow-call-input-type.d.ts.map +1 -1
- package/dist/rules/require-workflow-call-input-type.js +4 -0
- package/dist/rules/require-workflow-call-input-type.js.map +1 -1
- package/dist/rules/require-workflow-call-output-value.d.ts.map +1 -1
- package/dist/rules/require-workflow-call-output-value.js +4 -0
- package/dist/rules/require-workflow-call-output-value.js.map +1 -1
- package/dist/rules/require-workflow-concurrency.d.ts.map +1 -1
- package/dist/rules/require-workflow-concurrency.js +4 -0
- package/dist/rules/require-workflow-concurrency.js.map +1 -1
- package/dist/rules/require-workflow-dispatch-input-type.d.ts.map +1 -1
- package/dist/rules/require-workflow-dispatch-input-type.js +4 -0
- package/dist/rules/require-workflow-dispatch-input-type.js.map +1 -1
- package/dist/rules/require-workflow-interface-description.d.ts.map +1 -1
- package/dist/rules/require-workflow-interface-description.js +4 -0
- package/dist/rules/require-workflow-interface-description.js.map +1 -1
- package/dist/rules/require-workflow-permissions.d.ts.map +1 -1
- package/dist/rules/require-workflow-permissions.js +4 -0
- package/dist/rules/require-workflow-permissions.js.map +1 -1
- package/dist/rules/require-workflow-run-branches.d.ts.map +1 -1
- package/dist/rules/require-workflow-run-branches.js +4 -0
- package/dist/rules/require-workflow-run-branches.js.map +1 -1
- package/dist/rules/valid-timeout-minutes.d.ts.map +1 -1
- package/dist/rules/valid-timeout-minutes.js +4 -0
- package/dist/rules/valid-timeout-minutes.js.map +1 -1
- package/dist/rules/valid-trigger-events.d.ts.map +1 -1
- package/dist/rules/valid-trigger-events.js +4 -0
- package/dist/rules/valid-trigger-events.js.map +1 -1
- package/docs/rules/guides/authoring-rules.md +34 -0
- package/docs/rules/guides/docs-authoring.md +34 -0
- package/docs/rules/guides/index.md +15 -0
- package/docs/rules/guides/testing-rules.md +34 -0
- package/docs/rules/no-top-level-permissions.md +4 -4
- package/docs/rules/presets/all.md +116 -117
- package/docs/rules/presets/index.md +119 -123
- package/docs/rules/require-dependency-review-permissions-contents-read.md +15 -4
- package/docs/rules/require-secret-scan-contents-read.md +10 -2
- package/docs/rules/require-workflow-permissions.md +4 -4
- package/package.json +1 -1
package/dist/plugin.cjs
CHANGED
|
@@ -39,7 +39,7 @@ var yamlParser = __toESM(require("yaml-eslint-parser"), 1);
|
|
|
39
39
|
var package_default = {
|
|
40
40
|
$schema: "https://www.schemastore.org/package.json",
|
|
41
41
|
name: "eslint-plugin-github-actions-2",
|
|
42
|
-
version: "1.0.
|
|
42
|
+
version: "1.0.5",
|
|
43
43
|
private: false,
|
|
44
44
|
description: "ESLint plugin for GitHub Actions workflow quality, reliability, and security rules.",
|
|
45
45
|
keywords: [
|
|
@@ -558,6 +558,10 @@ var isDependencyReviewWorkflowFile = (filePath) => {
|
|
|
558
558
|
const normalizedFilePath = normalizePathForMatching(filePath);
|
|
559
559
|
return (normalizedFilePath.includes("/.github/workflows/") || normalizedFilePath.startsWith(".github/workflows/")) && (normalizedFilePath.endsWith("dependency-review.yml") || normalizedFilePath.endsWith("dependency-review.yaml") || normalizedFilePath.includes("/dependency-review-") || normalizedFilePath.includes("/dependency-review."));
|
|
560
560
|
};
|
|
561
|
+
var isWorkflowFile = (filePath) => {
|
|
562
|
+
const normalizedFilePath = normalizePathForMatching(filePath);
|
|
563
|
+
return (normalizedFilePath.includes("/.github/workflows/") || normalizedFilePath.startsWith(".github/workflows/")) && (normalizedFilePath.endsWith(".yml") || normalizedFilePath.endsWith(".yaml"));
|
|
564
|
+
};
|
|
561
565
|
var isWorkflowTemplatePropertiesFile = (filePath) => normalizePathForMatching(filePath).includes("/workflow-templates/") && normalizePathForMatching(filePath).endsWith(".properties.json");
|
|
562
566
|
var isWorkflowTemplateYamlFile = (filePath) => {
|
|
563
567
|
const normalizedFilePath = normalizePathForMatching(filePath);
|
|
@@ -713,7 +717,7 @@ var githubActionsConfigMetadataByName = {
|
|
|
713
717
|
presetName: "github-actions:action-metadata"
|
|
714
718
|
},
|
|
715
719
|
all: {
|
|
716
|
-
description: "Enables
|
|
720
|
+
description: "Enables the complete bundled rule set across workflows, action metadata, workflow templates, and Dependabot configuration, while leaving explicitly opt-in policy rules manual.",
|
|
717
721
|
files: [
|
|
718
722
|
...WORKFLOW_FILE_GLOBS,
|
|
719
723
|
...ACTION_METADATA_FILE_GLOBS,
|
|
@@ -1428,6 +1432,9 @@ var rule = {
|
|
|
1428
1432
|
const { allowedCasings, ignoredNames } = normalizeActionNameCasingOptions(option ?? void 0);
|
|
1429
1433
|
return {
|
|
1430
1434
|
Program() {
|
|
1435
|
+
if (!isWorkflowFile(context.filename)) {
|
|
1436
|
+
return;
|
|
1437
|
+
}
|
|
1431
1438
|
const root = getWorkflowRoot(context);
|
|
1432
1439
|
if (root === null) {
|
|
1433
1440
|
return;
|
|
@@ -1556,6 +1563,9 @@ var rule2 = {
|
|
|
1556
1563
|
const { allowedCasings, ignoredJobIds } = normalizeJobIdCasingOptions(option ?? void 0);
|
|
1557
1564
|
return {
|
|
1558
1565
|
Program() {
|
|
1566
|
+
if (!isWorkflowFile(context.filename)) {
|
|
1567
|
+
return;
|
|
1568
|
+
}
|
|
1559
1569
|
const root = getWorkflowRoot(context);
|
|
1560
1570
|
if (root === null) {
|
|
1561
1571
|
return;
|
|
@@ -1663,6 +1673,9 @@ var rule3 = {
|
|
|
1663
1673
|
const maxJobs = configuredMaxJobs >= 1 ? configuredMaxJobs : DEFAULT_MAX_JOBS;
|
|
1664
1674
|
return {
|
|
1665
1675
|
Program() {
|
|
1676
|
+
if (!isWorkflowFile(context.filename)) {
|
|
1677
|
+
return;
|
|
1678
|
+
}
|
|
1666
1679
|
const root = getWorkflowRoot(context);
|
|
1667
1680
|
if (root === null) {
|
|
1668
1681
|
return;
|
|
@@ -1890,6 +1903,9 @@ var rule5 = {
|
|
|
1890
1903
|
create(context) {
|
|
1891
1904
|
return {
|
|
1892
1905
|
Program() {
|
|
1906
|
+
if (!isWorkflowFile(context.filename)) {
|
|
1907
|
+
return;
|
|
1908
|
+
}
|
|
1893
1909
|
const root = getWorkflowRoot(context);
|
|
1894
1910
|
if (root === null) {
|
|
1895
1911
|
return;
|
|
@@ -1941,6 +1957,9 @@ var rule6 = {
|
|
|
1941
1957
|
create(context) {
|
|
1942
1958
|
return {
|
|
1943
1959
|
Program() {
|
|
1960
|
+
if (!isWorkflowFile(context.filename)) {
|
|
1961
|
+
return;
|
|
1962
|
+
}
|
|
1944
1963
|
const root = getWorkflowRoot(context);
|
|
1945
1964
|
if (root === null) {
|
|
1946
1965
|
return;
|
|
@@ -2357,6 +2376,9 @@ var rule11 = {
|
|
|
2357
2376
|
create(context) {
|
|
2358
2377
|
return {
|
|
2359
2378
|
Program() {
|
|
2379
|
+
if (!isWorkflowFile(context.filename)) {
|
|
2380
|
+
return;
|
|
2381
|
+
}
|
|
2360
2382
|
const root = getWorkflowRoot(context);
|
|
2361
2383
|
if (root === null) {
|
|
2362
2384
|
return;
|
|
@@ -2521,6 +2543,9 @@ var rule14 = {
|
|
|
2521
2543
|
create(context) {
|
|
2522
2544
|
return {
|
|
2523
2545
|
Program() {
|
|
2546
|
+
if (!isWorkflowFile(context.filename)) {
|
|
2547
|
+
return;
|
|
2548
|
+
}
|
|
2524
2549
|
const root = getWorkflowRoot(context);
|
|
2525
2550
|
if (root === null) {
|
|
2526
2551
|
return;
|
|
@@ -2729,6 +2754,9 @@ var rule15 = {
|
|
|
2729
2754
|
create(context) {
|
|
2730
2755
|
return {
|
|
2731
2756
|
Program() {
|
|
2757
|
+
if (!isWorkflowFile(context.filename)) {
|
|
2758
|
+
return;
|
|
2759
|
+
}
|
|
2732
2760
|
const root = getWorkflowRoot(context);
|
|
2733
2761
|
if (root === null) {
|
|
2734
2762
|
return;
|
|
@@ -2861,6 +2889,9 @@ var rule16 = {
|
|
|
2861
2889
|
create(context) {
|
|
2862
2890
|
return {
|
|
2863
2891
|
Program() {
|
|
2892
|
+
if (!isWorkflowFile(context.filename)) {
|
|
2893
|
+
return;
|
|
2894
|
+
}
|
|
2864
2895
|
const root = getWorkflowRoot(context);
|
|
2865
2896
|
if (root === null) {
|
|
2866
2897
|
return;
|
|
@@ -2950,6 +2981,9 @@ var rule17 = {
|
|
|
2950
2981
|
create(context) {
|
|
2951
2982
|
return {
|
|
2952
2983
|
Program() {
|
|
2984
|
+
if (!isWorkflowFile(context.filename)) {
|
|
2985
|
+
return;
|
|
2986
|
+
}
|
|
2953
2987
|
const root = getWorkflowRoot(context);
|
|
2954
2988
|
if (root === null) {
|
|
2955
2989
|
return;
|
|
@@ -3074,6 +3108,9 @@ var rule19 = {
|
|
|
3074
3108
|
create(context) {
|
|
3075
3109
|
return {
|
|
3076
3110
|
Program() {
|
|
3111
|
+
if (!isWorkflowFile(context.filename)) {
|
|
3112
|
+
return;
|
|
3113
|
+
}
|
|
3077
3114
|
const root = getWorkflowRoot(context);
|
|
3078
3115
|
if (root === null) {
|
|
3079
3116
|
return;
|
|
@@ -3510,6 +3547,9 @@ var rule23 = {
|
|
|
3510
3547
|
create(context) {
|
|
3511
3548
|
return {
|
|
3512
3549
|
Program() {
|
|
3550
|
+
if (!isWorkflowFile(context.filename)) {
|
|
3551
|
+
return;
|
|
3552
|
+
}
|
|
3513
3553
|
const root = getWorkflowRoot(context);
|
|
3514
3554
|
if (root === null) {
|
|
3515
3555
|
return;
|
|
@@ -3736,6 +3776,9 @@ var rule26 = {
|
|
|
3736
3776
|
create(context) {
|
|
3737
3777
|
return {
|
|
3738
3778
|
Program() {
|
|
3779
|
+
if (!isWorkflowFile(context.filename)) {
|
|
3780
|
+
return;
|
|
3781
|
+
}
|
|
3739
3782
|
const root = getWorkflowRoot(context);
|
|
3740
3783
|
if (root === null) {
|
|
3741
3784
|
return;
|
|
@@ -3827,6 +3870,9 @@ var rule27 = {
|
|
|
3827
3870
|
create(context) {
|
|
3828
3871
|
return {
|
|
3829
3872
|
Program() {
|
|
3873
|
+
if (!isWorkflowFile(context.filename)) {
|
|
3874
|
+
return;
|
|
3875
|
+
}
|
|
3830
3876
|
const root = getWorkflowRoot(context);
|
|
3831
3877
|
if (root === null) {
|
|
3832
3878
|
return;
|
|
@@ -3992,6 +4038,9 @@ var rule30 = {
|
|
|
3992
4038
|
create(context) {
|
|
3993
4039
|
return {
|
|
3994
4040
|
Program() {
|
|
4041
|
+
if (!isWorkflowFile(context.filename)) {
|
|
4042
|
+
return;
|
|
4043
|
+
}
|
|
3995
4044
|
const root = getWorkflowRoot(context);
|
|
3996
4045
|
if (root === null) {
|
|
3997
4046
|
return;
|
|
@@ -4036,6 +4085,9 @@ var rule31 = {
|
|
|
4036
4085
|
create(context) {
|
|
4037
4086
|
return {
|
|
4038
4087
|
Program() {
|
|
4088
|
+
if (!isWorkflowFile(context.filename)) {
|
|
4089
|
+
return;
|
|
4090
|
+
}
|
|
4039
4091
|
const root = getWorkflowRoot(context);
|
|
4040
4092
|
if (root === null) {
|
|
4041
4093
|
return;
|
|
@@ -4053,7 +4105,6 @@ var rule31 = {
|
|
|
4053
4105
|
meta: {
|
|
4054
4106
|
deprecated: false,
|
|
4055
4107
|
docs: {
|
|
4056
|
-
configs: ["github-actions.configs.all"],
|
|
4057
4108
|
description: "disallow top-level workflow `permissions` when you want every job to declare its own token scope explicitly.",
|
|
4058
4109
|
dialects: ["GitHub Actions workflow"],
|
|
4059
4110
|
frozen: false,
|
|
@@ -4331,6 +4382,9 @@ var rule35 = {
|
|
|
4331
4382
|
create(context) {
|
|
4332
4383
|
return {
|
|
4333
4384
|
Program() {
|
|
4385
|
+
if (!isWorkflowFile(context.filename)) {
|
|
4386
|
+
return;
|
|
4387
|
+
}
|
|
4334
4388
|
const root = getWorkflowRoot(context);
|
|
4335
4389
|
if (root === null) {
|
|
4336
4390
|
return;
|
|
@@ -4531,6 +4585,9 @@ var rule36 = {
|
|
|
4531
4585
|
create(context) {
|
|
4532
4586
|
return {
|
|
4533
4587
|
Program() {
|
|
4588
|
+
if (!isWorkflowFile(context.filename)) {
|
|
4589
|
+
return;
|
|
4590
|
+
}
|
|
4534
4591
|
const root = getWorkflowRoot(context);
|
|
4535
4592
|
if (root === null) {
|
|
4536
4593
|
return;
|
|
@@ -4650,6 +4707,9 @@ var rule37 = {
|
|
|
4650
4707
|
create(context) {
|
|
4651
4708
|
return {
|
|
4652
4709
|
Program() {
|
|
4710
|
+
if (!isWorkflowFile(context.filename)) {
|
|
4711
|
+
return;
|
|
4712
|
+
}
|
|
4653
4713
|
const root = getWorkflowRoot(context);
|
|
4654
4714
|
if (root === null) {
|
|
4655
4715
|
return;
|
|
@@ -4851,6 +4911,9 @@ var rule40 = {
|
|
|
4851
4911
|
};
|
|
4852
4912
|
return {
|
|
4853
4913
|
Program() {
|
|
4914
|
+
if (!isWorkflowFile(context.filename)) {
|
|
4915
|
+
return;
|
|
4916
|
+
}
|
|
4854
4917
|
const root = getWorkflowRoot(context);
|
|
4855
4918
|
if (root === null) {
|
|
4856
4919
|
return;
|
|
@@ -4926,6 +4989,9 @@ var rule41 = {
|
|
|
4926
4989
|
};
|
|
4927
4990
|
return {
|
|
4928
4991
|
Program() {
|
|
4992
|
+
if (!isWorkflowFile(context.filename)) {
|
|
4993
|
+
return;
|
|
4994
|
+
}
|
|
4929
4995
|
const root = getWorkflowRoot(context);
|
|
4930
4996
|
if (root === null) {
|
|
4931
4997
|
return;
|
|
@@ -5028,6 +5094,9 @@ var rule43 = {
|
|
|
5028
5094
|
create(context) {
|
|
5029
5095
|
return {
|
|
5030
5096
|
Program() {
|
|
5097
|
+
if (!isWorkflowFile(context.filename)) {
|
|
5098
|
+
return;
|
|
5099
|
+
}
|
|
5031
5100
|
const root = getWorkflowRoot(context);
|
|
5032
5101
|
if (root === null) {
|
|
5033
5102
|
return;
|
|
@@ -5104,6 +5173,9 @@ var rule44 = {
|
|
|
5104
5173
|
const { caseSensitive, extension } = normalizePreferFileExtensionOptions(option ?? void 0);
|
|
5105
5174
|
return {
|
|
5106
5175
|
Program(node) {
|
|
5176
|
+
if (!isWorkflowFile(context.filename)) {
|
|
5177
|
+
return;
|
|
5178
|
+
}
|
|
5107
5179
|
const actualExtensionWithDot = (0, import_node_path3.extname)(context.filename);
|
|
5108
5180
|
if (actualExtensionWithDot.length === 0) {
|
|
5109
5181
|
return;
|
|
@@ -5216,6 +5288,9 @@ var rule45 = {
|
|
|
5216
5288
|
create(context) {
|
|
5217
5289
|
return {
|
|
5218
5290
|
Program() {
|
|
5291
|
+
if (!isWorkflowFile(context.filename)) {
|
|
5292
|
+
return;
|
|
5293
|
+
}
|
|
5219
5294
|
const root = getWorkflowRoot(context);
|
|
5220
5295
|
if (root === null) {
|
|
5221
5296
|
return;
|
|
@@ -5344,6 +5419,9 @@ var rule46 = {
|
|
|
5344
5419
|
const { allowDocker, allowedStyles, allowRepository, ignoredReferences } = normalizeStepUsesStyleOptions(option ?? void 0);
|
|
5345
5420
|
return {
|
|
5346
5421
|
Program() {
|
|
5422
|
+
if (!isWorkflowFile(context.filename)) {
|
|
5423
|
+
return;
|
|
5424
|
+
}
|
|
5347
5425
|
const root = getWorkflowRoot(context);
|
|
5348
5426
|
if (root === null) {
|
|
5349
5427
|
return;
|
|
@@ -5518,6 +5596,9 @@ var rule48 = {
|
|
|
5518
5596
|
create(context) {
|
|
5519
5597
|
return {
|
|
5520
5598
|
Program(node) {
|
|
5599
|
+
if (!isWorkflowFile(context.filename)) {
|
|
5600
|
+
return;
|
|
5601
|
+
}
|
|
5521
5602
|
const root = getWorkflowRoot(context);
|
|
5522
5603
|
if (root === null) {
|
|
5523
5604
|
context.report({
|
|
@@ -5576,6 +5657,9 @@ var rule49 = {
|
|
|
5576
5657
|
create(context) {
|
|
5577
5658
|
return {
|
|
5578
5659
|
Program(node) {
|
|
5660
|
+
if (!isWorkflowFile(context.filename)) {
|
|
5661
|
+
return;
|
|
5662
|
+
}
|
|
5579
5663
|
const root = getWorkflowRoot(context);
|
|
5580
5664
|
if (root === null) {
|
|
5581
5665
|
context.report({
|
|
@@ -5635,6 +5719,9 @@ var rule50 = {
|
|
|
5635
5719
|
create(context) {
|
|
5636
5720
|
return {
|
|
5637
5721
|
Program() {
|
|
5722
|
+
if (!isWorkflowFile(context.filename)) {
|
|
5723
|
+
return;
|
|
5724
|
+
}
|
|
5638
5725
|
const root = getWorkflowRoot(context);
|
|
5639
5726
|
if (root === null) {
|
|
5640
5727
|
return;
|
|
@@ -5702,25 +5789,59 @@ var require_checkout_before_local_action_default = rule50;
|
|
|
5702
5789
|
|
|
5703
5790
|
// dist/_internal/workflow-permissions.js
|
|
5704
5791
|
var getPermissionsNode = (mapping) => getMappingPair(mapping, "permissions")?.value ?? null;
|
|
5705
|
-
var
|
|
5792
|
+
var getScalarPermissionLevel = (scalarValue) => {
|
|
5706
5793
|
const normalizedValue = scalarValue.trim().toLowerCase();
|
|
5794
|
+
if (normalizedValue === "read-all") {
|
|
5795
|
+
return "read";
|
|
5796
|
+
}
|
|
5707
5797
|
if (normalizedValue === "write-all") {
|
|
5798
|
+
return "write";
|
|
5799
|
+
}
|
|
5800
|
+
return null;
|
|
5801
|
+
};
|
|
5802
|
+
var scalarPermissionSatisfies = (scalarValue, requiredLevel) => {
|
|
5803
|
+
const permissionLevel = getScalarPermissionLevel(scalarValue);
|
|
5804
|
+
if (permissionLevel === "write") {
|
|
5708
5805
|
return true;
|
|
5709
5806
|
}
|
|
5710
5807
|
if (requiredLevel === "read") {
|
|
5711
|
-
return
|
|
5808
|
+
return permissionLevel === "read";
|
|
5712
5809
|
}
|
|
5713
5810
|
return false;
|
|
5714
5811
|
};
|
|
5715
|
-
var
|
|
5812
|
+
var getMappingPermissionLevel = (permissionsMapping, permissionName) => {
|
|
5716
5813
|
const permissionValue = getScalarStringValue(getMappingPair(permissionsMapping, permissionName)?.value ?? null)?.trim();
|
|
5717
5814
|
if (permissionValue === void 0 || permissionValue.length === 0) {
|
|
5815
|
+
return null;
|
|
5816
|
+
}
|
|
5817
|
+
if (permissionValue === "read") {
|
|
5818
|
+
return "read";
|
|
5819
|
+
}
|
|
5820
|
+
if (permissionValue === "write") {
|
|
5821
|
+
return "write";
|
|
5822
|
+
}
|
|
5823
|
+
return null;
|
|
5824
|
+
};
|
|
5825
|
+
var mappingPermissionSatisfies = (permissionsMapping, permissionName, requiredLevel) => {
|
|
5826
|
+
const permissionLevel = getMappingPermissionLevel(permissionsMapping, permissionName);
|
|
5827
|
+
if (permissionLevel === null) {
|
|
5718
5828
|
return false;
|
|
5719
5829
|
}
|
|
5720
5830
|
if (requiredLevel === "read") {
|
|
5721
|
-
return
|
|
5831
|
+
return permissionLevel === "read" || permissionLevel === "write";
|
|
5722
5832
|
}
|
|
5723
|
-
return
|
|
5833
|
+
return permissionLevel === "write";
|
|
5834
|
+
};
|
|
5835
|
+
var getPermissionsNodeLevel = (permissionsNode, permissionName) => {
|
|
5836
|
+
const scalarValue = getScalarStringValue(permissionsNode)?.trim();
|
|
5837
|
+
if (scalarValue !== void 0 && scalarValue.length > 0) {
|
|
5838
|
+
return getScalarPermissionLevel(scalarValue);
|
|
5839
|
+
}
|
|
5840
|
+
const unwrappedPermissionsNode = unwrapYamlValue(permissionsNode);
|
|
5841
|
+
if (unwrappedPermissionsNode?.type === "YAMLMapping") {
|
|
5842
|
+
return getMappingPermissionLevel(unwrappedPermissionsNode, permissionName);
|
|
5843
|
+
}
|
|
5844
|
+
return null;
|
|
5724
5845
|
};
|
|
5725
5846
|
var permissionsNodeSatisfies = (permissionsNode, permissionName, requiredLevel) => {
|
|
5726
5847
|
const scalarValue = getScalarStringValue(permissionsNode)?.trim();
|
|
@@ -5740,12 +5861,22 @@ var hasRequiredWorkflowPermission = (root, job, permissionName, requiredLevel) =
|
|
|
5740
5861
|
}
|
|
5741
5862
|
return permissionsNodeSatisfies(getPermissionsNode(root), permissionName, requiredLevel);
|
|
5742
5863
|
};
|
|
5864
|
+
var hasExactWorkflowPermission = (root, job, permissionName, requiredLevel) => {
|
|
5865
|
+
const jobPermissionsNode = getPermissionsNode(job.mapping);
|
|
5866
|
+
if (jobPermissionsNode !== null) {
|
|
5867
|
+
return getPermissionsNodeLevel(jobPermissionsNode, permissionName) === requiredLevel;
|
|
5868
|
+
}
|
|
5869
|
+
return getPermissionsNodeLevel(getPermissionsNode(root), permissionName) === requiredLevel;
|
|
5870
|
+
};
|
|
5743
5871
|
|
|
5744
5872
|
// dist/rules/require-codeql-actions-read.js
|
|
5745
5873
|
var rule51 = {
|
|
5746
5874
|
create(context) {
|
|
5747
5875
|
return {
|
|
5748
5876
|
Program() {
|
|
5877
|
+
if (!isWorkflowFile(context.filename)) {
|
|
5878
|
+
return;
|
|
5879
|
+
}
|
|
5749
5880
|
const root = getWorkflowRoot(context);
|
|
5750
5881
|
if (root === null) {
|
|
5751
5882
|
return;
|
|
@@ -5823,6 +5954,9 @@ var rule52 = {
|
|
|
5823
5954
|
create(context) {
|
|
5824
5955
|
return {
|
|
5825
5956
|
Program() {
|
|
5957
|
+
if (!isWorkflowFile(context.filename)) {
|
|
5958
|
+
return;
|
|
5959
|
+
}
|
|
5826
5960
|
const root = getWorkflowRoot(context);
|
|
5827
5961
|
if (root === null || getCodeqlInitSteps(root).length === 0) {
|
|
5828
5962
|
return;
|
|
@@ -5881,6 +6015,9 @@ var rule53 = {
|
|
|
5881
6015
|
create(context) {
|
|
5882
6016
|
return {
|
|
5883
6017
|
Program() {
|
|
6018
|
+
if (!isWorkflowFile(context.filename)) {
|
|
6019
|
+
return;
|
|
6020
|
+
}
|
|
5884
6021
|
const root = getWorkflowRoot(context);
|
|
5885
6022
|
if (root === null) {
|
|
5886
6023
|
return;
|
|
@@ -5936,6 +6073,9 @@ var rule54 = {
|
|
|
5936
6073
|
create(context) {
|
|
5937
6074
|
return {
|
|
5938
6075
|
Program(node) {
|
|
6076
|
+
if (!isWorkflowFile(context.filename)) {
|
|
6077
|
+
return;
|
|
6078
|
+
}
|
|
5939
6079
|
const root = getWorkflowRoot(context);
|
|
5940
6080
|
if (root === null || getCodeqlInitSteps(root).length === 0) {
|
|
5941
6081
|
return;
|
|
@@ -5980,6 +6120,9 @@ var rule55 = {
|
|
|
5980
6120
|
create(context) {
|
|
5981
6121
|
return {
|
|
5982
6122
|
Program(node) {
|
|
6123
|
+
if (!isWorkflowFile(context.filename)) {
|
|
6124
|
+
return;
|
|
6125
|
+
}
|
|
5983
6126
|
const root = getWorkflowRoot(context);
|
|
5984
6127
|
if (root === null || getCodeqlInitSteps(root).length === 0) {
|
|
5985
6128
|
return;
|
|
@@ -6024,6 +6167,9 @@ var rule56 = {
|
|
|
6024
6167
|
create(context) {
|
|
6025
6168
|
return {
|
|
6026
6169
|
Program() {
|
|
6170
|
+
if (!isWorkflowFile(context.filename)) {
|
|
6171
|
+
return;
|
|
6172
|
+
}
|
|
6027
6173
|
const root = getWorkflowRoot(context);
|
|
6028
6174
|
if (root === null) {
|
|
6029
6175
|
return;
|
|
@@ -6200,6 +6346,9 @@ var rule59 = {
|
|
|
6200
6346
|
create(context) {
|
|
6201
6347
|
return {
|
|
6202
6348
|
Program() {
|
|
6349
|
+
if (!isWorkflowFile(context.filename)) {
|
|
6350
|
+
return;
|
|
6351
|
+
}
|
|
6203
6352
|
const root = getWorkflowRoot(context);
|
|
6204
6353
|
if (root === null) {
|
|
6205
6354
|
return;
|
|
@@ -6262,6 +6411,9 @@ var rule60 = {
|
|
|
6262
6411
|
create(context) {
|
|
6263
6412
|
return {
|
|
6264
6413
|
Program(node) {
|
|
6414
|
+
if (!isWorkflowFile(context.filename)) {
|
|
6415
|
+
return;
|
|
6416
|
+
}
|
|
6265
6417
|
const root = getWorkflowRoot(context);
|
|
6266
6418
|
if (root === null || !hasDependabotAutomation(root)) {
|
|
6267
6419
|
return;
|
|
@@ -6307,6 +6459,9 @@ var rule61 = {
|
|
|
6307
6459
|
create(context) {
|
|
6308
6460
|
return {
|
|
6309
6461
|
Program() {
|
|
6462
|
+
if (!isWorkflowFile(context.filename)) {
|
|
6463
|
+
return;
|
|
6464
|
+
}
|
|
6310
6465
|
const root = getWorkflowRoot(context);
|
|
6311
6466
|
if (root === null || !hasDependabotAutomation(root)) {
|
|
6312
6467
|
return;
|
|
@@ -7453,6 +7608,9 @@ var rule81 = {
|
|
|
7453
7608
|
create(context) {
|
|
7454
7609
|
return {
|
|
7455
7610
|
Program() {
|
|
7611
|
+
if (!isWorkflowFile(context.filename)) {
|
|
7612
|
+
return;
|
|
7613
|
+
}
|
|
7456
7614
|
const root = getWorkflowRoot(context);
|
|
7457
7615
|
if (root === null) {
|
|
7458
7616
|
return;
|
|
@@ -7506,20 +7664,28 @@ var rule82 = {
|
|
|
7506
7664
|
create(context) {
|
|
7507
7665
|
return {
|
|
7508
7666
|
Program() {
|
|
7667
|
+
if (!isWorkflowFile(context.filename)) {
|
|
7668
|
+
return;
|
|
7669
|
+
}
|
|
7509
7670
|
const root = getWorkflowRoot(context);
|
|
7510
7671
|
if (root === null || !hasDependencyReviewAction(root)) {
|
|
7511
7672
|
return;
|
|
7512
7673
|
}
|
|
7513
|
-
const
|
|
7514
|
-
const
|
|
7515
|
-
|
|
7516
|
-
|
|
7517
|
-
|
|
7674
|
+
const seenJobIds = /* @__PURE__ */ new Set();
|
|
7675
|
+
for (const step of getDependencyReviewActionSteps(root)) {
|
|
7676
|
+
if (seenJobIds.has(step.job.id)) {
|
|
7677
|
+
continue;
|
|
7678
|
+
}
|
|
7679
|
+
seenJobIds.add(step.job.id);
|
|
7680
|
+
if (hasExactWorkflowPermission(root, step.job, "contents", "read")) {
|
|
7681
|
+
continue;
|
|
7682
|
+
}
|
|
7683
|
+
context.report({
|
|
7684
|
+
data: { jobId: step.job.id },
|
|
7685
|
+
messageId: "missingContentsReadPermission",
|
|
7686
|
+
node: step.job.idNode
|
|
7687
|
+
});
|
|
7518
7688
|
}
|
|
7519
|
-
context.report({
|
|
7520
|
-
messageId: "missingContentsReadPermission",
|
|
7521
|
-
node: contentsPair?.value ?? contentsPair ?? permissionsMapping ?? root
|
|
7522
|
-
});
|
|
7523
7689
|
}
|
|
7524
7690
|
};
|
|
7525
7691
|
},
|
|
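Review bot: `hasExactWorkflowPermission(root, step.job, "contents", "read")` in rule82's new loop is an exact match (the helper's visible tail returns `getPermissionsNodeLevel(...) === requiredLevel`), so a job or workflow that sets `contents: write` appears to be reported under `missingContentsReadPermission` even though the real finding there is excess privilege. `getPermissionsNodeLevel` is outside this hunk, so how shorthand values such as `read-all` resolve should be confirmed before relying on that. I would either reword the message to say the job should set `contents` to exactly `read`, or add a second messageId for the over-privileged case so the report tells the maintainer to lower the grant. The report now points at `step.job.idNode` instead of the permissions entry, so when the workflow-level block is the one at fault the location no longer shows where to fix it. The same exact-match call is added in the rule94 hunk, inside the `getSecretScanningActionSteps` loop.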
@@ -7531,7 +7697,7 @@ var rule82 = {
|
|
|
7531
7697
|
"github-actions.configs.codeScanning",
|
|
7532
7698
|
"github-actions.configs.security"
|
|
7533
7699
|
],
|
|
7534
|
-
description: "require
|
|
7700
|
+
description: "require jobs using `actions/dependency-review-action` to grant effective `contents: read`.",
|
|
7535
7701
|
dialects: ["GitHub Actions workflow"],
|
|
7536
7702
|
frozen: false,
|
|
7537
7703
|
recommended: false,
|
|
@@ -7541,7 +7707,7 @@ var rule82 = {
|
|
|
7541
7707
|
url: "https://nick2bad4u.github.io/eslint-plugin-github-actions-2/docs/rules/require-dependency-review-permissions-contents-read"
|
|
7542
7708
|
},
|
|
7543
7709
|
messages: {
|
|
7544
|
-
missingContentsReadPermission: "
|
|
7710
|
+
missingContentsReadPermission: "Job '{{jobId}}' uses `actions/dependency-review-action` and should grant effective `contents: read` at the job or workflow level."
|
|
7545
7711
|
},
|
|
7546
7712
|
schema: [],
|
|
7547
7713
|
type: "problem"
|
|
@@ -7554,6 +7720,9 @@ var rule83 = {
|
|
|
7554
7720
|
create(context) {
|
|
7555
7721
|
return {
|
|
7556
7722
|
Program() {
|
|
7723
|
+
if (!isWorkflowFile(context.filename)) {
|
|
7724
|
+
return;
|
|
7725
|
+
}
|
|
7557
7726
|
const root = getWorkflowRoot(context);
|
|
7558
7727
|
if (root === null || !hasDependencyReviewAction(root)) {
|
|
7559
7728
|
return;
|
|
@@ -7599,6 +7768,9 @@ var rule84 = {
|
|
|
7599
7768
|
create(context) {
|
|
7600
7769
|
return {
|
|
7601
7770
|
Program() {
|
|
7771
|
+
if (!isWorkflowFile(context.filename)) {
|
|
7772
|
+
return;
|
|
7773
|
+
}
|
|
7602
7774
|
const root = getWorkflowRoot(context);
|
|
7603
7775
|
if (root === null) {
|
|
7604
7776
|
return;
|
|
@@ -7649,6 +7821,9 @@ var rule85 = {
|
|
|
7649
7821
|
create(context) {
|
|
7650
7822
|
return {
|
|
7651
7823
|
Program() {
|
|
7824
|
+
if (!isWorkflowFile(context.filename)) {
|
|
7825
|
+
return;
|
|
7826
|
+
}
|
|
7652
7827
|
const root = getWorkflowRoot(context);
|
|
7653
7828
|
if (root === null) {
|
|
7654
7829
|
return;
|
|
@@ -7764,6 +7939,9 @@ var rule86 = {
|
|
|
7764
7939
|
create(context) {
|
|
7765
7940
|
return {
|
|
7766
7941
|
Program() {
|
|
7942
|
+
if (!isWorkflowFile(context.filename)) {
|
|
7943
|
+
return;
|
|
7944
|
+
}
|
|
7767
7945
|
const root = getWorkflowRoot(context);
|
|
7768
7946
|
if (root === null) {
|
|
7769
7947
|
return;
|
|
@@ -7873,6 +8051,9 @@ var rule87 = {
|
|
|
7873
8051
|
const maxMinutes = options?.maxMinutes ?? DEFAULT_MAX_MINUTES;
|
|
7874
8052
|
return {
|
|
7875
8053
|
Program() {
|
|
8054
|
+
if (!isWorkflowFile(context.filename)) {
|
|
8055
|
+
return;
|
|
8056
|
+
}
|
|
7876
8057
|
const root = getWorkflowRoot(context);
|
|
7877
8058
|
if (root === null) {
|
|
7878
8059
|
return;
|
|
@@ -7985,6 +8166,9 @@ var rule88 = {
|
|
|
7985
8166
|
create(context) {
|
|
7986
8167
|
return {
|
|
7987
8168
|
Program() {
|
|
8169
|
+
if (!isWorkflowFile(context.filename)) {
|
|
8170
|
+
return;
|
|
8171
|
+
}
|
|
7988
8172
|
const root = getWorkflowRoot(context);
|
|
7989
8173
|
if (root === null || !hasTriggerEvent(root, "pull_request")) {
|
|
7990
8174
|
return;
|
|
@@ -8057,6 +8241,9 @@ var rule89 = {
|
|
|
8057
8241
|
};
|
|
8058
8242
|
return {
|
|
8059
8243
|
Program() {
|
|
8244
|
+
if (!isWorkflowFile(context.filename)) {
|
|
8245
|
+
return;
|
|
8246
|
+
}
|
|
8060
8247
|
const root = getWorkflowRoot(context);
|
|
8061
8248
|
if (root === null) {
|
|
8062
8249
|
return;
|
|
@@ -8157,6 +8344,9 @@ var rule90 = {
|
|
|
8157
8344
|
};
|
|
8158
8345
|
return {
|
|
8159
8346
|
Program() {
|
|
8347
|
+
if (!isWorkflowFile(context.filename)) {
|
|
8348
|
+
return;
|
|
8349
|
+
}
|
|
8160
8350
|
const root = getWorkflowRoot(context);
|
|
8161
8351
|
if (root === null) {
|
|
8162
8352
|
return;
|
|
@@ -8240,6 +8430,9 @@ var rule91 = {
|
|
|
8240
8430
|
create(context) {
|
|
8241
8431
|
return {
|
|
8242
8432
|
Program() {
|
|
8433
|
+
if (!isWorkflowFile(context.filename)) {
|
|
8434
|
+
return;
|
|
8435
|
+
}
|
|
8243
8436
|
const root = getWorkflowRoot(context);
|
|
8244
8437
|
if (root === null) {
|
|
8245
8438
|
return;
|
|
@@ -8288,6 +8481,9 @@ var rule92 = {
|
|
|
8288
8481
|
create(context) {
|
|
8289
8482
|
return {
|
|
8290
8483
|
Program() {
|
|
8484
|
+
if (!isWorkflowFile(context.filename)) {
|
|
8485
|
+
return;
|
|
8486
|
+
}
|
|
8291
8487
|
const root = getWorkflowRoot(context);
|
|
8292
8488
|
if (root === null) {
|
|
8293
8489
|
return;
|
|
@@ -8338,6 +8534,9 @@ var rule93 = {
|
|
|
8338
8534
|
create(context) {
|
|
8339
8535
|
return {
|
|
8340
8536
|
Program(node) {
|
|
8537
|
+
if (!isWorkflowFile(context.filename)) {
|
|
8538
|
+
return;
|
|
8539
|
+
}
|
|
8341
8540
|
const root = getWorkflowRoot(context);
|
|
8342
8541
|
if (root === null || getScorecardSteps(root).length === 0) {
|
|
8343
8542
|
return;
|
|
@@ -8390,12 +8589,15 @@ var rule94 = {
|
|
|
8390
8589
|
create(context) {
|
|
8391
8590
|
return {
|
|
8392
8591
|
Program() {
|
|
8592
|
+
if (!isWorkflowFile(context.filename)) {
|
|
8593
|
+
return;
|
|
8594
|
+
}
|
|
8393
8595
|
const root = getWorkflowRoot(context);
|
|
8394
8596
|
if (root === null) {
|
|
8395
8597
|
return;
|
|
8396
8598
|
}
|
|
8397
8599
|
for (const step of getSecretScanningActionSteps(root)) {
|
|
8398
|
-
if (
|
|
8600
|
+
if (hasExactWorkflowPermission(root, step.job, "contents", "read")) {
|
|
8399
8601
|
continue;
|
|
8400
8602
|
}
|
|
8401
8603
|
context.report({
|
|
@@ -8424,7 +8626,7 @@ var rule94 = {
|
|
|
8424
8626
|
url: "https://nick2bad4u.github.io/eslint-plugin-github-actions-2/docs/rules/require-secret-scan-contents-read"
|
|
8425
8627
|
},
|
|
8426
8628
|
messages: {
|
|
8427
|
-
missingContentsRead: "Job '{{jobId}}' runs a secret scanner and should grant `contents: read
|
|
8629
|
+
missingContentsRead: "Job '{{jobId}}' runs a secret scanner and should grant effective `contents: read` at the job or workflow level."
|
|
8428
8630
|
},
|
|
8429
8631
|
schema: [],
|
|
8430
8632
|
type: "problem"
|
|
@@ -8438,6 +8640,9 @@ var rule95 = {
|
|
|
8438
8640
|
create(context) {
|
|
8439
8641
|
return {
|
|
8440
8642
|
Program() {
|
|
8643
|
+
if (!isWorkflowFile(context.filename)) {
|
|
8644
|
+
return;
|
|
8645
|
+
}
|
|
8441
8646
|
const root = getWorkflowRoot(context);
|
|
8442
8647
|
if (root === null) {
|
|
8443
8648
|
return;
|
|
@@ -8508,6 +8713,9 @@ var rule96 = {
|
|
|
8508
8713
|
create(context) {
|
|
8509
8714
|
return {
|
|
8510
8715
|
Program(node) {
|
|
8716
|
+
if (!isWorkflowFile(context.filename)) {
|
|
8717
|
+
return;
|
|
8718
|
+
}
|
|
8511
8719
|
const root = getWorkflowRoot(context);
|
|
8512
8720
|
if (root === null || !hasSecretScanningAction(root)) {
|
|
8513
8721
|
return;
|
|
@@ -8863,6 +9071,9 @@ var rule102 = {
|
|
|
8863
9071
|
};
|
|
8864
9072
|
return {
|
|
8865
9073
|
Program() {
|
|
9074
|
+
if (!isWorkflowFile(context.filename)) {
|
|
9075
|
+
return;
|
|
9076
|
+
}
|
|
8866
9077
|
const root = getWorkflowRoot(context);
|
|
8867
9078
|
if (root === null) {
|
|
8868
9079
|
return;
|
|
@@ -8941,6 +9152,9 @@ var rule103 = {
|
|
|
8941
9152
|
create(context) {
|
|
8942
9153
|
return {
|
|
8943
9154
|
Program() {
|
|
9155
|
+
if (!isWorkflowFile(context.filename)) {
|
|
9156
|
+
return;
|
|
9157
|
+
}
|
|
8944
9158
|
const root = getWorkflowRoot(context);
|
|
8945
9159
|
if (root === null) {
|
|
8946
9160
|
return;
|
|
@@ -8997,6 +9211,9 @@ var rule104 = {
|
|
|
8997
9211
|
create(context) {
|
|
8998
9212
|
return {
|
|
8999
9213
|
Program() {
|
|
9214
|
+
if (!isWorkflowFile(context.filename)) {
|
|
9215
|
+
return;
|
|
9216
|
+
}
|
|
9000
9217
|
const root = getWorkflowRoot(context);
|
|
9001
9218
|
if (root === null) {
|
|
9002
9219
|
return;
|
|
@@ -9077,6 +9294,9 @@ var rule105 = {
|
|
|
9077
9294
|
create(context) {
|
|
9078
9295
|
return {
|
|
9079
9296
|
Program() {
|
|
9297
|
+
if (!isWorkflowFile(context.filename)) {
|
|
9298
|
+
return;
|
|
9299
|
+
}
|
|
9080
9300
|
const root = getWorkflowRoot(context);
|
|
9081
9301
|
if (root === null) {
|
|
9082
9302
|
return;
|
|
@@ -9166,6 +9386,9 @@ var rule106 = {
|
|
|
9166
9386
|
const requireCancelInProgress = options?.requireCancelInProgress ?? true;
|
|
9167
9387
|
return {
|
|
9168
9388
|
Program() {
|
|
9389
|
+
if (!isWorkflowFile(context.filename)) {
|
|
9390
|
+
return;
|
|
9391
|
+
}
|
|
9169
9392
|
const root = getWorkflowRoot(context);
|
|
9170
9393
|
if (root === null) {
|
|
9171
9394
|
return;
|
|
@@ -9311,6 +9534,9 @@ var rule107 = {
|
|
|
9311
9534
|
create(context) {
|
|
9312
9535
|
return {
|
|
9313
9536
|
Program() {
|
|
9537
|
+
if (!isWorkflowFile(context.filename)) {
|
|
9538
|
+
return;
|
|
9539
|
+
}
|
|
9314
9540
|
const root = getWorkflowRoot(context);
|
|
9315
9541
|
if (root === null) {
|
|
9316
9542
|
return;
|
|
@@ -9422,6 +9648,9 @@ var rule108 = {
|
|
|
9422
9648
|
create(context) {
|
|
9423
9649
|
return {
|
|
9424
9650
|
Program() {
|
|
9651
|
+
if (!isWorkflowFile(context.filename)) {
|
|
9652
|
+
return;
|
|
9653
|
+
}
|
|
9425
9654
|
const root = getWorkflowRoot(context);
|
|
9426
9655
|
if (root === null) {
|
|
9427
9656
|
return;
|
|
@@ -9489,6 +9718,9 @@ var rule109 = {
|
|
|
9489
9718
|
const allowJobLevelPermissions = options?.allowJobLevelPermissions ?? true;
|
|
9490
9719
|
return {
|
|
9491
9720
|
Program() {
|
|
9721
|
+
if (!isWorkflowFile(context.filename)) {
|
|
9722
|
+
return;
|
|
9723
|
+
}
|
|
9492
9724
|
const root = getWorkflowRoot(context);
|
|
9493
9725
|
if (root === null) {
|
|
9494
9726
|
return;
|
|
@@ -9589,6 +9821,9 @@ var rule110 = {
|
|
|
9589
9821
|
create(context) {
|
|
9590
9822
|
return {
|
|
9591
9823
|
Program() {
|
|
9824
|
+
if (!isWorkflowFile(context.filename)) {
|
|
9825
|
+
return;
|
|
9826
|
+
}
|
|
9592
9827
|
const root = getWorkflowRoot(context);
|
|
9593
9828
|
if (root === null) {
|
|
9594
9829
|
return;
|
|
@@ -9802,6 +10037,9 @@ var rule113 = {
|
|
|
9802
10037
|
};
|
|
9803
10038
|
return {
|
|
9804
10039
|
Program() {
|
|
10040
|
+
if (!isWorkflowFile(context.filename)) {
|
|
10041
|
+
return;
|
|
10042
|
+
}
|
|
9805
10043
|
const root = getWorkflowRoot(context);
|
|
9806
10044
|
if (root === null) {
|
|
9807
10045
|
return;
|
|
@@ -10034,6 +10272,9 @@ var rule114 = {
|
|
|
10034
10272
|
};
|
|
10035
10273
|
return {
|
|
10036
10274
|
Program() {
|
|
10275
|
+
if (!isWorkflowFile(context.filename)) {
|
|
10276
|
+
return;
|
|
10277
|
+
}
|
|
10037
10278
|
const root = getWorkflowRoot(context);
|
|
10038
10279
|
if (root === null) {
|
|
10039
10280
|
return;
|
|
@@ -10250,7 +10491,7 @@ var getRuleConfigReferences = (ruleName, rule115) => {
|
|
|
10250
10491
|
const references = docs?.configs;
|
|
10251
10492
|
const referenceList = Array.isArray(references) ? references : [references];
|
|
10252
10493
|
if (referenceList.length === 0 || referenceList[0] === void 0) {
|
|
10253
|
-
|
|
10494
|
+
return [];
|
|
10254
10495
|
}
|
|
10255
10496
|
for (const reference of referenceList) {
|
|
10256
10497
|
if (typeof reference !== "string" || !isGithubActionsConfigReference(reference)) {
|