eslint-plugin-github-actions-2 1.0.4 → 1.0.5
- package/README.md +127 -127
- package/dist/_internal/github-actions-config-references.js +1 -1
- package/dist/_internal/github-actions-config-references.js.map +1 -1
- package/dist/_internal/rule-docs.d.ts +1 -1
- package/dist/_internal/rule-docs.d.ts.map +1 -1
- package/dist/_internal/workflow-permissions.d.ts +2 -0
- package/dist/_internal/workflow-permissions.d.ts.map +1 -1
- package/dist/_internal/workflow-permissions.js +54 -7
- package/dist/_internal/workflow-permissions.js.map +1 -1
- package/dist/plugin.cjs +247 -22
- package/dist/plugin.cjs.map +2 -2
- package/dist/plugin.d.ts.map +1 -1
- package/dist/plugin.js +1 -1
- package/dist/plugin.js.map +1 -1
- package/dist/rules/action-name-casing.d.ts.map +1 -1
- package/dist/rules/action-name-casing.js +4 -0
- package/dist/rules/action-name-casing.js.map +1 -1
- package/dist/rules/job-id-casing.d.ts.map +1 -1
- package/dist/rules/job-id-casing.js +4 -0
- package/dist/rules/job-id-casing.js.map +1 -1
- package/dist/rules/max-jobs-per-action.d.ts.map +1 -1
- package/dist/rules/max-jobs-per-action.js +4 -0
- package/dist/rules/max-jobs-per-action.js.map +1 -1
- package/dist/rules/no-codeql-autobuild-for-javascript-typescript.d.ts.map +1 -1
- package/dist/rules/no-codeql-autobuild-for-javascript-typescript.js +4 -0
- package/dist/rules/no-codeql-autobuild-for-javascript-typescript.js.map +1 -1
- package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.d.ts.map +1 -1
- package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.js +4 -0
- package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.js.map +1 -1
- package/dist/rules/no-external-job.d.ts.map +1 -1
- package/dist/rules/no-external-job.js +4 -0
- package/dist/rules/no-external-job.js.map +1 -1
- package/dist/rules/no-inherit-secrets.d.ts.map +1 -1
- package/dist/rules/no-inherit-secrets.js +4 -0
- package/dist/rules/no-inherit-secrets.js.map +1 -1
- package/dist/rules/no-invalid-concurrency-context.d.ts.map +1 -1
- package/dist/rules/no-invalid-concurrency-context.js +4 -0
- package/dist/rules/no-invalid-concurrency-context.js.map +1 -1
- package/dist/rules/no-invalid-reusable-workflow-job-key.d.ts.map +1 -1
- package/dist/rules/no-invalid-reusable-workflow-job-key.js +4 -0
- package/dist/rules/no-invalid-reusable-workflow-job-key.js.map +1 -1
- package/dist/rules/no-invalid-workflow-call-output-value.d.ts.map +1 -1
- package/dist/rules/no-invalid-workflow-call-output-value.js +4 -0
- package/dist/rules/no-invalid-workflow-call-output-value.js.map +1 -1
- package/dist/rules/no-pr-head-checkout-in-pull-request-target.d.ts.map +1 -1
- package/dist/rules/no-pr-head-checkout-in-pull-request-target.js +4 -0
- package/dist/rules/no-pr-head-checkout-in-pull-request-target.js.map +1 -1
- package/dist/rules/no-secrets-in-if.d.ts.map +1 -1
- package/dist/rules/no-secrets-in-if.js +4 -0
- package/dist/rules/no-secrets-in-if.js.map +1 -1
- package/dist/rules/no-self-hosted-runner-on-fork-pr-events.d.ts.map +1 -1
- package/dist/rules/no-self-hosted-runner-on-fork-pr-events.js +4 -0
- package/dist/rules/no-self-hosted-runner-on-fork-pr-events.js.map +1 -1
- package/dist/rules/no-top-level-env.d.ts.map +1 -1
- package/dist/rules/no-top-level-env.js +4 -0
- package/dist/rules/no-top-level-env.js.map +1 -1
- package/dist/rules/no-top-level-permissions.d.ts.map +1 -1
- package/dist/rules/no-top-level-permissions.js +4 -1
- package/dist/rules/no-top-level-permissions.js.map +1 -1
- package/dist/rules/no-unknown-job-output-reference.d.ts.map +1 -1
- package/dist/rules/no-unknown-job-output-reference.js +4 -0
- package/dist/rules/no-unknown-job-output-reference.js.map +1 -1
- package/dist/rules/no-unknown-step-reference.d.ts.map +1 -1
- package/dist/rules/no-unknown-step-reference.js +4 -0
- package/dist/rules/no-unknown-step-reference.js.map +1 -1
- package/dist/rules/no-untrusted-input-in-run.d.ts.map +1 -1
- package/dist/rules/no-untrusted-input-in-run.js +4 -0
- package/dist/rules/no-untrusted-input-in-run.js.map +1 -1
- package/dist/rules/no-write-all-permissions.d.ts.map +1 -1
- package/dist/rules/no-write-all-permissions.js +4 -0
- package/dist/rules/no-write-all-permissions.js.map +1 -1
- package/dist/rules/pin-action-shas.d.ts.map +1 -1
- package/dist/rules/pin-action-shas.js +4 -0
- package/dist/rules/pin-action-shas.js.map +1 -1
- package/dist/rules/prefer-fail-fast.d.ts.map +1 -1
- package/dist/rules/prefer-fail-fast.js +4 -0
- package/dist/rules/prefer-fail-fast.js.map +1 -1
- package/dist/rules/prefer-file-extension.d.ts.map +1 -1
- package/dist/rules/prefer-file-extension.js +4 -0
- package/dist/rules/prefer-file-extension.js.map +1 -1
- package/dist/rules/prefer-inputs-context.d.ts.map +1 -1
- package/dist/rules/prefer-inputs-context.js +4 -0
- package/dist/rules/prefer-inputs-context.js.map +1 -1
- package/dist/rules/prefer-step-uses-style.d.ts.map +1 -1
- package/dist/rules/prefer-step-uses-style.js +4 -0
- package/dist/rules/prefer-step-uses-style.js.map +1 -1
- package/dist/rules/require-checkout-before-local-action.d.ts.map +1 -1
- package/dist/rules/require-checkout-before-local-action.js +4 -0
- package/dist/rules/require-checkout-before-local-action.js.map +1 -1
- package/dist/rules/require-codeql-actions-read.d.ts.map +1 -1
- package/dist/rules/require-codeql-actions-read.js +4 -0
- package/dist/rules/require-codeql-actions-read.js.map +1 -1
- package/dist/rules/require-codeql-branch-filters.d.ts.map +1 -1
- package/dist/rules/require-codeql-branch-filters.js +4 -0
- package/dist/rules/require-codeql-branch-filters.js.map +1 -1
- package/dist/rules/require-codeql-category-when-language-matrix.d.ts.map +1 -1
- package/dist/rules/require-codeql-category-when-language-matrix.js +4 -0
- package/dist/rules/require-codeql-category-when-language-matrix.js.map +1 -1
- package/dist/rules/require-codeql-pull-request-trigger.d.ts.map +1 -1
- package/dist/rules/require-codeql-pull-request-trigger.js +4 -0
- package/dist/rules/require-codeql-pull-request-trigger.js.map +1 -1
- package/dist/rules/require-codeql-schedule.d.ts.map +1 -1
- package/dist/rules/require-codeql-schedule.js +4 -0
- package/dist/rules/require-codeql-schedule.js.map +1 -1
- package/dist/rules/require-codeql-security-events-write.d.ts.map +1 -1
- package/dist/rules/require-codeql-security-events-write.js +4 -0
- package/dist/rules/require-codeql-security-events-write.js.map +1 -1
- package/dist/rules/require-dependabot-automation-permissions.d.ts.map +1 -1
- package/dist/rules/require-dependabot-automation-permissions.js +4 -0
- package/dist/rules/require-dependabot-automation-permissions.js.map +1 -1
- package/dist/rules/require-dependabot-automation-pull-request-trigger.d.ts.map +1 -1
- package/dist/rules/require-dependabot-automation-pull-request-trigger.js +4 -0
- package/dist/rules/require-dependabot-automation-pull-request-trigger.js.map +1 -1
- package/dist/rules/require-dependabot-bot-actor-guard.d.ts.map +1 -1
- package/dist/rules/require-dependabot-bot-actor-guard.js +4 -0
- package/dist/rules/require-dependabot-bot-actor-guard.js.map +1 -1
- package/dist/rules/require-dependency-review-fail-on-severity.d.ts.map +1 -1
- package/dist/rules/require-dependency-review-fail-on-severity.js +4 -0
- package/dist/rules/require-dependency-review-fail-on-severity.js.map +1 -1
- package/dist/rules/require-dependency-review-permissions-contents-read.d.ts.map +1 -1
- package/dist/rules/require-dependency-review-permissions-contents-read.js +23 -18
- package/dist/rules/require-dependency-review-permissions-contents-read.js.map +1 -1
- package/dist/rules/require-dependency-review-pull-request-trigger.d.ts.map +1 -1
- package/dist/rules/require-dependency-review-pull-request-trigger.js +4 -0
- package/dist/rules/require-dependency-review-pull-request-trigger.js.map +1 -1
- package/dist/rules/require-fetch-metadata-github-token.d.ts.map +1 -1
- package/dist/rules/require-fetch-metadata-github-token.js +4 -0
- package/dist/rules/require-fetch-metadata-github-token.js.map +1 -1
- package/dist/rules/require-job-name.d.ts.map +1 -1
- package/dist/rules/require-job-name.js +4 -0
- package/dist/rules/require-job-name.js.map +1 -1
- package/dist/rules/require-job-step-name.d.ts.map +1 -1
- package/dist/rules/require-job-step-name.js +4 -0
- package/dist/rules/require-job-step-name.js.map +1 -1
- package/dist/rules/require-job-timeout-minutes.d.ts.map +1 -1
- package/dist/rules/require-job-timeout-minutes.js +4 -0
- package/dist/rules/require-job-timeout-minutes.js.map +1 -1
- package/dist/rules/require-merge-group-trigger.d.ts.map +1 -1
- package/dist/rules/require-merge-group-trigger.js +4 -0
- package/dist/rules/require-merge-group-trigger.js.map +1 -1
- package/dist/rules/require-pull-request-target-branches.d.ts.map +1 -1
- package/dist/rules/require-pull-request-target-branches.js +4 -0
- package/dist/rules/require-pull-request-target-branches.js.map +1 -1
- package/dist/rules/require-run-step-shell.d.ts.map +1 -1
- package/dist/rules/require-run-step-shell.js +4 -0
- package/dist/rules/require-run-step-shell.js.map +1 -1
- package/dist/rules/require-sarif-upload-security-events-write.d.ts.map +1 -1
- package/dist/rules/require-sarif-upload-security-events-write.js +4 -0
- package/dist/rules/require-sarif-upload-security-events-write.js.map +1 -1
- package/dist/rules/require-scorecard-results-format-sarif.d.ts.map +1 -1
- package/dist/rules/require-scorecard-results-format-sarif.js +4 -0
- package/dist/rules/require-scorecard-results-format-sarif.js.map +1 -1
- package/dist/rules/require-scorecard-upload-sarif-step.d.ts.map +1 -1
- package/dist/rules/require-scorecard-upload-sarif-step.js +4 -0
- package/dist/rules/require-scorecard-upload-sarif-step.js.map +1 -1
- package/dist/rules/require-secret-scan-contents-read.d.ts.map +1 -1
- package/dist/rules/require-secret-scan-contents-read.js +7 -3
- package/dist/rules/require-secret-scan-contents-read.js.map +1 -1
- package/dist/rules/require-secret-scan-fetch-depth-zero.d.ts.map +1 -1
- package/dist/rules/require-secret-scan-fetch-depth-zero.js +4 -0
- package/dist/rules/require-secret-scan-fetch-depth-zero.js.map +1 -1
- package/dist/rules/require-secret-scan-schedule.d.ts.map +1 -1
- package/dist/rules/require-secret-scan-schedule.js +4 -0
- package/dist/rules/require-secret-scan-schedule.js.map +1 -1
- package/dist/rules/require-trigger-types.d.ts.map +1 -1
- package/dist/rules/require-trigger-types.js +4 -0
- package/dist/rules/require-trigger-types.js.map +1 -1
- package/dist/rules/require-trufflehog-verified-results-mode.d.ts.map +1 -1
- package/dist/rules/require-trufflehog-verified-results-mode.js +4 -0
- package/dist/rules/require-trufflehog-verified-results-mode.js.map +1 -1
- package/dist/rules/require-workflow-call-input-type.d.ts.map +1 -1
- package/dist/rules/require-workflow-call-input-type.js +4 -0
- package/dist/rules/require-workflow-call-input-type.js.map +1 -1
- package/dist/rules/require-workflow-call-output-value.d.ts.map +1 -1
- package/dist/rules/require-workflow-call-output-value.js +4 -0
- package/dist/rules/require-workflow-call-output-value.js.map +1 -1
- package/dist/rules/require-workflow-concurrency.d.ts.map +1 -1
- package/dist/rules/require-workflow-concurrency.js +4 -0
- package/dist/rules/require-workflow-concurrency.js.map +1 -1
- package/dist/rules/require-workflow-dispatch-input-type.d.ts.map +1 -1
- package/dist/rules/require-workflow-dispatch-input-type.js +4 -0
- package/dist/rules/require-workflow-dispatch-input-type.js.map +1 -1
- package/dist/rules/require-workflow-interface-description.d.ts.map +1 -1
- package/dist/rules/require-workflow-interface-description.js +4 -0
- package/dist/rules/require-workflow-interface-description.js.map +1 -1
- package/dist/rules/require-workflow-run-branches.d.ts.map +1 -1
- package/dist/rules/require-workflow-run-branches.js +4 -0
- package/dist/rules/require-workflow-run-branches.js.map +1 -1
- package/dist/rules/valid-timeout-minutes.d.ts.map +1 -1
- package/dist/rules/valid-timeout-minutes.js +4 -0
- package/dist/rules/valid-timeout-minutes.js.map +1 -1
- package/dist/rules/valid-trigger-events.d.ts.map +1 -1
- package/dist/rules/valid-trigger-events.js +4 -0
- package/dist/rules/valid-trigger-events.js.map +1 -1
- package/docs/rules/guides/authoring-rules.md +34 -0
- package/docs/rules/guides/docs-authoring.md +34 -0
- package/docs/rules/guides/index.md +15 -0
- package/docs/rules/guides/testing-rules.md +34 -0
- package/docs/rules/no-top-level-permissions.md +4 -4
- package/docs/rules/presets/action-metadata.md +8 -8
- package/docs/rules/presets/all.md +123 -124
- package/docs/rules/presets/code-scanning.md +8 -8
- package/docs/rules/presets/dependabot.md +8 -8
- package/docs/rules/presets/index.md +119 -123
- package/docs/rules/presets/recommended.md +8 -8
- package/docs/rules/presets/security.md +8 -8
- package/docs/rules/presets/strict.md +8 -8
- package/docs/rules/presets/workflow-template-properties.md +8 -8
- package/docs/rules/presets/workflow-templates.md +8 -8
- package/docs/rules/require-dependency-review-permissions-contents-read.md +15 -4
- package/docs/rules/require-secret-scan-contents-read.md +10 -2
- package/docs/rules/require-workflow-permissions.md +4 -4
- package/package.json +1 -1
package/dist/plugin.cjs
CHANGED
|
@@ -39,7 +39,7 @@ var yamlParser = __toESM(require("yaml-eslint-parser"), 1);
|
|
|
39
39
|
var package_default = {
|
|
40
40
|
$schema: "https://www.schemastore.org/package.json",
|
|
41
41
|
name: "eslint-plugin-github-actions-2",
|
|
42
|
-
version: "1.0.
|
|
42
|
+
version: "1.0.5",
|
|
43
43
|
private: false,
|
|
44
44
|
description: "ESLint plugin for GitHub Actions workflow quality, reliability, and security rules.",
|
|
45
45
|
keywords: [
|
|
@@ -717,7 +717,7 @@ var githubActionsConfigMetadataByName = {
|
|
|
717
717
|
presetName: "github-actions:action-metadata"
|
|
718
718
|
},
|
|
719
719
|
all: {
|
|
720
|
-
description: "Enables
|
|
720
|
+
description: "Enables the complete bundled rule set across workflows, action metadata, workflow templates, and Dependabot configuration, while leaving explicitly opt-in policy rules manual.",
|
|
721
721
|
files: [
|
|
722
722
|
...WORKFLOW_FILE_GLOBS,
|
|
723
723
|
...ACTION_METADATA_FILE_GLOBS,
|
|
@@ -1432,6 +1432,9 @@ var rule = {
|
|
|
1432
1432
|
const { allowedCasings, ignoredNames } = normalizeActionNameCasingOptions(option ?? void 0);
|
|
1433
1433
|
return {
|
|
1434
1434
|
Program() {
|
|
1435
|
+
if (!isWorkflowFile(context.filename)) {
|
|
1436
|
+
return;
|
|
1437
|
+
}
|
|
1435
1438
|
const root = getWorkflowRoot(context);
|
|
1436
1439
|
if (root === null) {
|
|
1437
1440
|
return;
|
|
@@ -1560,6 +1563,9 @@ var rule2 = {
|
|
|
1560
1563
|
const { allowedCasings, ignoredJobIds } = normalizeJobIdCasingOptions(option ?? void 0);
|
|
1561
1564
|
return {
|
|
1562
1565
|
Program() {
|
|
1566
|
+
if (!isWorkflowFile(context.filename)) {
|
|
1567
|
+
return;
|
|
1568
|
+
}
|
|
1563
1569
|
const root = getWorkflowRoot(context);
|
|
1564
1570
|
if (root === null) {
|
|
1565
1571
|
return;
|
|
@@ -1667,6 +1673,9 @@ var rule3 = {
|
|
|
1667
1673
|
const maxJobs = configuredMaxJobs >= 1 ? configuredMaxJobs : DEFAULT_MAX_JOBS;
|
|
1668
1674
|
return {
|
|
1669
1675
|
Program() {
|
|
1676
|
+
if (!isWorkflowFile(context.filename)) {
|
|
1677
|
+
return;
|
|
1678
|
+
}
|
|
1670
1679
|
const root = getWorkflowRoot(context);
|
|
1671
1680
|
if (root === null) {
|
|
1672
1681
|
return;
|
|
@@ -1894,6 +1903,9 @@ var rule5 = {
|
|
|
1894
1903
|
create(context) {
|
|
1895
1904
|
return {
|
|
1896
1905
|
Program() {
|
|
1906
|
+
if (!isWorkflowFile(context.filename)) {
|
|
1907
|
+
return;
|
|
1908
|
+
}
|
|
1897
1909
|
const root = getWorkflowRoot(context);
|
|
1898
1910
|
if (root === null) {
|
|
1899
1911
|
return;
|
|
@@ -1945,6 +1957,9 @@ var rule6 = {
|
|
|
1945
1957
|
create(context) {
|
|
1946
1958
|
return {
|
|
1947
1959
|
Program() {
|
|
1960
|
+
if (!isWorkflowFile(context.filename)) {
|
|
1961
|
+
return;
|
|
1962
|
+
}
|
|
1948
1963
|
const root = getWorkflowRoot(context);
|
|
1949
1964
|
if (root === null) {
|
|
1950
1965
|
return;
|
|
@@ -2361,6 +2376,9 @@ var rule11 = {
|
|
|
2361
2376
|
create(context) {
|
|
2362
2377
|
return {
|
|
2363
2378
|
Program() {
|
|
2379
|
+
if (!isWorkflowFile(context.filename)) {
|
|
2380
|
+
return;
|
|
2381
|
+
}
|
|
2364
2382
|
const root = getWorkflowRoot(context);
|
|
2365
2383
|
if (root === null) {
|
|
2366
2384
|
return;
|
|
@@ -2525,6 +2543,9 @@ var rule14 = {
|
|
|
2525
2543
|
create(context) {
|
|
2526
2544
|
return {
|
|
2527
2545
|
Program() {
|
|
2546
|
+
if (!isWorkflowFile(context.filename)) {
|
|
2547
|
+
return;
|
|
2548
|
+
}
|
|
2528
2549
|
const root = getWorkflowRoot(context);
|
|
2529
2550
|
if (root === null) {
|
|
2530
2551
|
return;
|
|
@@ -2733,6 +2754,9 @@ var rule15 = {
|
|
|
2733
2754
|
create(context) {
|
|
2734
2755
|
return {
|
|
2735
2756
|
Program() {
|
|
2757
|
+
if (!isWorkflowFile(context.filename)) {
|
|
2758
|
+
return;
|
|
2759
|
+
}
|
|
2736
2760
|
const root = getWorkflowRoot(context);
|
|
2737
2761
|
if (root === null) {
|
|
2738
2762
|
return;
|
|
@@ -2957,6 +2981,9 @@ var rule17 = {
|
|
|
2957
2981
|
create(context) {
|
|
2958
2982
|
return {
|
|
2959
2983
|
Program() {
|
|
2984
|
+
if (!isWorkflowFile(context.filename)) {
|
|
2985
|
+
return;
|
|
2986
|
+
}
|
|
2960
2987
|
const root = getWorkflowRoot(context);
|
|
2961
2988
|
if (root === null) {
|
|
2962
2989
|
return;
|
|
@@ -3081,6 +3108,9 @@ var rule19 = {
|
|
|
3081
3108
|
create(context) {
|
|
3082
3109
|
return {
|
|
3083
3110
|
Program() {
|
|
3111
|
+
if (!isWorkflowFile(context.filename)) {
|
|
3112
|
+
return;
|
|
3113
|
+
}
|
|
3084
3114
|
const root = getWorkflowRoot(context);
|
|
3085
3115
|
if (root === null) {
|
|
3086
3116
|
return;
|
|
@@ -3517,6 +3547,9 @@ var rule23 = {
|
|
|
3517
3547
|
create(context) {
|
|
3518
3548
|
return {
|
|
3519
3549
|
Program() {
|
|
3550
|
+
if (!isWorkflowFile(context.filename)) {
|
|
3551
|
+
return;
|
|
3552
|
+
}
|
|
3520
3553
|
const root = getWorkflowRoot(context);
|
|
3521
3554
|
if (root === null) {
|
|
3522
3555
|
return;
|
|
@@ -3743,6 +3776,9 @@ var rule26 = {
|
|
|
3743
3776
|
create(context) {
|
|
3744
3777
|
return {
|
|
3745
3778
|
Program() {
|
|
3779
|
+
if (!isWorkflowFile(context.filename)) {
|
|
3780
|
+
return;
|
|
3781
|
+
}
|
|
3746
3782
|
const root = getWorkflowRoot(context);
|
|
3747
3783
|
if (root === null) {
|
|
3748
3784
|
return;
|
|
@@ -3834,6 +3870,9 @@ var rule27 = {
|
|
|
3834
3870
|
create(context) {
|
|
3835
3871
|
return {
|
|
3836
3872
|
Program() {
|
|
3873
|
+
if (!isWorkflowFile(context.filename)) {
|
|
3874
|
+
return;
|
|
3875
|
+
}
|
|
3837
3876
|
const root = getWorkflowRoot(context);
|
|
3838
3877
|
if (root === null) {
|
|
3839
3878
|
return;
|
|
@@ -3999,6 +4038,9 @@ var rule30 = {
|
|
|
3999
4038
|
create(context) {
|
|
4000
4039
|
return {
|
|
4001
4040
|
Program() {
|
|
4041
|
+
if (!isWorkflowFile(context.filename)) {
|
|
4042
|
+
return;
|
|
4043
|
+
}
|
|
4002
4044
|
const root = getWorkflowRoot(context);
|
|
4003
4045
|
if (root === null) {
|
|
4004
4046
|
return;
|
|
@@ -4043,6 +4085,9 @@ var rule31 = {
|
|
|
4043
4085
|
create(context) {
|
|
4044
4086
|
return {
|
|
4045
4087
|
Program() {
|
|
4088
|
+
if (!isWorkflowFile(context.filename)) {
|
|
4089
|
+
return;
|
|
4090
|
+
}
|
|
4046
4091
|
const root = getWorkflowRoot(context);
|
|
4047
4092
|
if (root === null) {
|
|
4048
4093
|
return;
|
|
@@ -4060,7 +4105,6 @@ var rule31 = {
|
|
|
4060
4105
|
meta: {
|
|
4061
4106
|
deprecated: false,
|
|
4062
4107
|
docs: {
|
|
4063
|
-
configs: ["github-actions.configs.all"],
|
|
4064
4108
|
description: "disallow top-level workflow `permissions` when you want every job to declare its own token scope explicitly.",
|
|
4065
4109
|
dialects: ["GitHub Actions workflow"],
|
|
4066
4110
|
frozen: false,
|
|
@@ -4338,6 +4382,9 @@ var rule35 = {
|
|
|
4338
4382
|
create(context) {
|
|
4339
4383
|
return {
|
|
4340
4384
|
Program() {
|
|
4385
|
+
if (!isWorkflowFile(context.filename)) {
|
|
4386
|
+
return;
|
|
4387
|
+
}
|
|
4341
4388
|
const root = getWorkflowRoot(context);
|
|
4342
4389
|
if (root === null) {
|
|
4343
4390
|
return;
|
|
@@ -4538,6 +4585,9 @@ var rule36 = {
|
|
|
4538
4585
|
create(context) {
|
|
4539
4586
|
return {
|
|
4540
4587
|
Program() {
|
|
4588
|
+
if (!isWorkflowFile(context.filename)) {
|
|
4589
|
+
return;
|
|
4590
|
+
}
|
|
4541
4591
|
const root = getWorkflowRoot(context);
|
|
4542
4592
|
if (root === null) {
|
|
4543
4593
|
return;
|
|
@@ -4657,6 +4707,9 @@ var rule37 = {
|
|
|
4657
4707
|
create(context) {
|
|
4658
4708
|
return {
|
|
4659
4709
|
Program() {
|
|
4710
|
+
if (!isWorkflowFile(context.filename)) {
|
|
4711
|
+
return;
|
|
4712
|
+
}
|
|
4660
4713
|
const root = getWorkflowRoot(context);
|
|
4661
4714
|
if (root === null) {
|
|
4662
4715
|
return;
|
|
@@ -4858,6 +4911,9 @@ var rule40 = {
|
|
|
4858
4911
|
};
|
|
4859
4912
|
return {
|
|
4860
4913
|
Program() {
|
|
4914
|
+
if (!isWorkflowFile(context.filename)) {
|
|
4915
|
+
return;
|
|
4916
|
+
}
|
|
4861
4917
|
const root = getWorkflowRoot(context);
|
|
4862
4918
|
if (root === null) {
|
|
4863
4919
|
return;
|
|
@@ -4933,6 +4989,9 @@ var rule41 = {
|
|
|
4933
4989
|
};
|
|
4934
4990
|
return {
|
|
4935
4991
|
Program() {
|
|
4992
|
+
if (!isWorkflowFile(context.filename)) {
|
|
4993
|
+
return;
|
|
4994
|
+
}
|
|
4936
4995
|
const root = getWorkflowRoot(context);
|
|
4937
4996
|
if (root === null) {
|
|
4938
4997
|
return;
|
|
@@ -5035,6 +5094,9 @@ var rule43 = {
|
|
|
5035
5094
|
create(context) {
|
|
5036
5095
|
return {
|
|
5037
5096
|
Program() {
|
|
5097
|
+
if (!isWorkflowFile(context.filename)) {
|
|
5098
|
+
return;
|
|
5099
|
+
}
|
|
5038
5100
|
const root = getWorkflowRoot(context);
|
|
5039
5101
|
if (root === null) {
|
|
5040
5102
|
return;
|
|
@@ -5111,6 +5173,9 @@ var rule44 = {
|
|
|
5111
5173
|
const { caseSensitive, extension } = normalizePreferFileExtensionOptions(option ?? void 0);
|
|
5112
5174
|
return {
|
|
5113
5175
|
Program(node) {
|
|
5176
|
+
if (!isWorkflowFile(context.filename)) {
|
|
5177
|
+
return;
|
|
5178
|
+
}
|
|
5114
5179
|
const actualExtensionWithDot = (0, import_node_path3.extname)(context.filename);
|
|
5115
5180
|
if (actualExtensionWithDot.length === 0) {
|
|
5116
5181
|
return;
|
|
@@ -5223,6 +5288,9 @@ var rule45 = {
|
|
|
5223
5288
|
create(context) {
|
|
5224
5289
|
return {
|
|
5225
5290
|
Program() {
|
|
5291
|
+
if (!isWorkflowFile(context.filename)) {
|
|
5292
|
+
return;
|
|
5293
|
+
}
|
|
5226
5294
|
const root = getWorkflowRoot(context);
|
|
5227
5295
|
if (root === null) {
|
|
5228
5296
|
return;
|
|
@@ -5351,6 +5419,9 @@ var rule46 = {
|
|
|
5351
5419
|
const { allowDocker, allowedStyles, allowRepository, ignoredReferences } = normalizeStepUsesStyleOptions(option ?? void 0);
|
|
5352
5420
|
return {
|
|
5353
5421
|
Program() {
|
|
5422
|
+
if (!isWorkflowFile(context.filename)) {
|
|
5423
|
+
return;
|
|
5424
|
+
}
|
|
5354
5425
|
const root = getWorkflowRoot(context);
|
|
5355
5426
|
if (root === null) {
|
|
5356
5427
|
return;
|
|
@@ -5648,6 +5719,9 @@ var rule50 = {
|
|
|
5648
5719
|
create(context) {
|
|
5649
5720
|
return {
|
|
5650
5721
|
Program() {
|
|
5722
|
+
if (!isWorkflowFile(context.filename)) {
|
|
5723
|
+
return;
|
|
5724
|
+
}
|
|
5651
5725
|
const root = getWorkflowRoot(context);
|
|
5652
5726
|
if (root === null) {
|
|
5653
5727
|
return;
|
|
@@ -5715,25 +5789,59 @@ var require_checkout_before_local_action_default = rule50;
|
|
|
5715
5789
|
|
|
5716
5790
|
// dist/_internal/workflow-permissions.js
|
|
5717
5791
|
var getPermissionsNode = (mapping) => getMappingPair(mapping, "permissions")?.value ?? null;
|
|
5718
|
-
var
|
|
5792
|
+
var getScalarPermissionLevel = (scalarValue) => {
|
|
5719
5793
|
const normalizedValue = scalarValue.trim().toLowerCase();
|
|
5794
|
+
if (normalizedValue === "read-all") {
|
|
5795
|
+
return "read";
|
|
5796
|
+
}
|
|
5720
5797
|
if (normalizedValue === "write-all") {
|
|
5798
|
+
return "write";
|
|
5799
|
+
}
|
|
5800
|
+
return null;
|
|
5801
|
+
};
|
|
5802
|
+
var scalarPermissionSatisfies = (scalarValue, requiredLevel) => {
|
|
5803
|
+
const permissionLevel = getScalarPermissionLevel(scalarValue);
|
|
5804
|
+
if (permissionLevel === "write") {
|
|
5721
5805
|
return true;
|
|
5722
5806
|
}
|
|
5723
5807
|
if (requiredLevel === "read") {
|
|
5724
|
-
return
|
|
5808
|
+
return permissionLevel === "read";
|
|
5725
5809
|
}
|
|
5726
5810
|
return false;
|
|
5727
5811
|
};
|
|
5728
|
-
var
|
|
5812
|
+
var getMappingPermissionLevel = (permissionsMapping, permissionName) => {
|
|
5729
5813
|
const permissionValue = getScalarStringValue(getMappingPair(permissionsMapping, permissionName)?.value ?? null)?.trim();
|
|
5730
5814
|
if (permissionValue === void 0 || permissionValue.length === 0) {
|
|
5815
|
+
return null;
|
|
5816
|
+
}
|
|
5817
|
+
if (permissionValue === "read") {
|
|
5818
|
+
return "read";
|
|
5819
|
+
}
|
|
5820
|
+
if (permissionValue === "write") {
|
|
5821
|
+
return "write";
|
|
5822
|
+
}
|
|
5823
|
+
return null;
|
|
5824
|
+
};
|
|
5825
|
+
var mappingPermissionSatisfies = (permissionsMapping, permissionName, requiredLevel) => {
|
|
5826
|
+
const permissionLevel = getMappingPermissionLevel(permissionsMapping, permissionName);
|
|
5827
|
+
if (permissionLevel === null) {
|
|
5731
5828
|
return false;
|
|
5732
5829
|
}
|
|
5733
5830
|
if (requiredLevel === "read") {
|
|
5734
|
-
return
|
|
5831
|
+
return permissionLevel === "read" || permissionLevel === "write";
|
|
5832
|
+
}
|
|
5833
|
+
return permissionLevel === "write";
|
|
5834
|
+
};
|
|
5835
|
+
var getPermissionsNodeLevel = (permissionsNode, permissionName) => {
|
|
5836
|
+
const scalarValue = getScalarStringValue(permissionsNode)?.trim();
|
|
5837
|
+
if (scalarValue !== void 0 && scalarValue.length > 0) {
|
|
5838
|
+
return getScalarPermissionLevel(scalarValue);
|
|
5735
5839
|
}
|
|
5736
|
-
|
|
5840
|
+
const unwrappedPermissionsNode = unwrapYamlValue(permissionsNode);
|
|
5841
|
+
if (unwrappedPermissionsNode?.type === "YAMLMapping") {
|
|
5842
|
+
return getMappingPermissionLevel(unwrappedPermissionsNode, permissionName);
|
|
5843
|
+
}
|
|
5844
|
+
return null;
|
|
5737
5845
|
};
|
|
5738
5846
|
var permissionsNodeSatisfies = (permissionsNode, permissionName, requiredLevel) => {
|
|
5739
5847
|
const scalarValue = getScalarStringValue(permissionsNode)?.trim();
|
|
@@ -5753,12 +5861,22 @@ var hasRequiredWorkflowPermission = (root, job, permissionName, requiredLevel) =
|
|
|
5753
5861
|
}
|
|
5754
5862
|
return permissionsNodeSatisfies(getPermissionsNode(root), permissionName, requiredLevel);
|
|
5755
5863
|
};
|
|
5864
|
+
var hasExactWorkflowPermission = (root, job, permissionName, requiredLevel) => {
|
|
5865
|
+
const jobPermissionsNode = getPermissionsNode(job.mapping);
|
|
5866
|
+
if (jobPermissionsNode !== null) {
|
|
5867
|
+
return getPermissionsNodeLevel(jobPermissionsNode, permissionName) === requiredLevel;
|
|
5868
|
+
}
|
|
5869
|
+
return getPermissionsNodeLevel(getPermissionsNode(root), permissionName) === requiredLevel;
|
|
5870
|
+
};
|
|
5756
5871
|
|
|
5757
5872
|
// dist/rules/require-codeql-actions-read.js
|
|
5758
5873
|
var rule51 = {
|
|
5759
5874
|
create(context) {
|
|
5760
5875
|
return {
|
|
5761
5876
|
Program() {
|
|
5877
|
+
if (!isWorkflowFile(context.filename)) {
|
|
5878
|
+
return;
|
|
5879
|
+
}
|
|
5762
5880
|
const root = getWorkflowRoot(context);
|
|
5763
5881
|
if (root === null) {
|
|
5764
5882
|
return;
|
|
@@ -5836,6 +5954,9 @@ var rule52 = {
|
|
|
5836
5954
|
create(context) {
|
|
5837
5955
|
return {
|
|
5838
5956
|
Program() {
|
|
5957
|
+
if (!isWorkflowFile(context.filename)) {
|
|
5958
|
+
return;
|
|
5959
|
+
}
|
|
5839
5960
|
const root = getWorkflowRoot(context);
|
|
5840
5961
|
if (root === null || getCodeqlInitSteps(root).length === 0) {
|
|
5841
5962
|
return;
|
|
@@ -5894,6 +6015,9 @@ var rule53 = {
|
|
|
5894
6015
|
create(context) {
|
|
5895
6016
|
return {
|
|
5896
6017
|
Program() {
|
|
6018
|
+
if (!isWorkflowFile(context.filename)) {
|
|
6019
|
+
return;
|
|
6020
|
+
}
|
|
5897
6021
|
const root = getWorkflowRoot(context);
|
|
5898
6022
|
if (root === null) {
|
|
5899
6023
|
return;
|
|
@@ -5949,6 +6073,9 @@ var rule54 = {
|
|
|
5949
6073
|
create(context) {
|
|
5950
6074
|
return {
|
|
5951
6075
|
Program(node) {
|
|
6076
|
+
if (!isWorkflowFile(context.filename)) {
|
|
6077
|
+
return;
|
|
6078
|
+
}
|
|
5952
6079
|
const root = getWorkflowRoot(context);
|
|
5953
6080
|
if (root === null || getCodeqlInitSteps(root).length === 0) {
|
|
5954
6081
|
return;
|
|
@@ -5993,6 +6120,9 @@ var rule55 = {
|
|
|
5993
6120
|
create(context) {
|
|
5994
6121
|
return {
|
|
5995
6122
|
Program(node) {
|
|
6123
|
+
if (!isWorkflowFile(context.filename)) {
|
|
6124
|
+
return;
|
|
6125
|
+
}
|
|
5996
6126
|
const root = getWorkflowRoot(context);
|
|
5997
6127
|
if (root === null || getCodeqlInitSteps(root).length === 0) {
|
|
5998
6128
|
return;
|
|
@@ -6037,6 +6167,9 @@ var rule56 = {
|
|
|
6037
6167
|
create(context) {
|
|
6038
6168
|
return {
|
|
6039
6169
|
Program() {
|
|
6170
|
+
if (!isWorkflowFile(context.filename)) {
|
|
6171
|
+
return;
|
|
6172
|
+
}
|
|
6040
6173
|
const root = getWorkflowRoot(context);
|
|
6041
6174
|
if (root === null) {
|
|
6042
6175
|
return;
|
|
@@ -6213,6 +6346,9 @@ var rule59 = {
|
|
|
6213
6346
|
create(context) {
|
|
6214
6347
|
return {
|
|
6215
6348
|
Program() {
|
|
6349
|
+
if (!isWorkflowFile(context.filename)) {
|
|
6350
|
+
return;
|
|
6351
|
+
}
|
|
6216
6352
|
const root = getWorkflowRoot(context);
|
|
6217
6353
|
if (root === null) {
|
|
6218
6354
|
return;
|
|
@@ -6275,6 +6411,9 @@ var rule60 = {
|
|
|
6275
6411
|
create(context) {
|
|
6276
6412
|
return {
|
|
6277
6413
|
Program(node) {
|
|
6414
|
+
if (!isWorkflowFile(context.filename)) {
|
|
6415
|
+
return;
|
|
6416
|
+
}
|
|
6278
6417
|
const root = getWorkflowRoot(context);
|
|
6279
6418
|
if (root === null || !hasDependabotAutomation(root)) {
|
|
6280
6419
|
return;
|
|
@@ -6320,6 +6459,9 @@ var rule61 = {
|
|
|
6320
6459
|
create(context) {
|
|
6321
6460
|
return {
|
|
6322
6461
|
Program() {
|
|
6462
|
+
if (!isWorkflowFile(context.filename)) {
|
|
6463
|
+
return;
|
|
6464
|
+
}
|
|
6323
6465
|
const root = getWorkflowRoot(context);
|
|
6324
6466
|
if (root === null || !hasDependabotAutomation(root)) {
|
|
6325
6467
|
return;
|
|
@@ -7466,6 +7608,9 @@ var rule81 = {
|
|
|
7466
7608
|
create(context) {
|
|
7467
7609
|
return {
|
|
7468
7610
|
Program() {
|
|
7611
|
+
if (!isWorkflowFile(context.filename)) {
|
|
7612
|
+
return;
|
|
7613
|
+
}
|
|
7469
7614
|
const root = getWorkflowRoot(context);
|
|
7470
7615
|
if (root === null) {
|
|
7471
7616
|
return;
|
|
@@ -7519,20 +7664,28 @@ var rule82 = {
|
|
|
7519
7664
|
create(context) {
|
|
7520
7665
|
return {
|
|
7521
7666
|
Program() {
|
|
7667
|
+
if (!isWorkflowFile(context.filename)) {
|
|
7668
|
+
return;
|
|
7669
|
+
}
|
|
7522
7670
|
const root = getWorkflowRoot(context);
|
|
7523
7671
|
if (root === null || !hasDependencyReviewAction(root)) {
|
|
7524
7672
|
return;
|
|
7525
7673
|
}
|
|
7526
|
-
const
|
|
7527
|
-
const
|
|
7528
|
-
|
|
7529
|
-
|
|
7530
|
-
|
|
7674
|
+
const seenJobIds = /* @__PURE__ */ new Set();
|
|
7675
|
+
for (const step of getDependencyReviewActionSteps(root)) {
|
|
7676
|
+
if (seenJobIds.has(step.job.id)) {
|
|
7677
|
+
continue;
|
|
7678
|
+
}
|
|
7679
|
+
seenJobIds.add(step.job.id);
|
|
7680
|
+
if (hasExactWorkflowPermission(root, step.job, "contents", "read")) {
|
|
7681
|
+
continue;
|
|
7682
|
+
}
|
|
7683
|
+
context.report({
|
|
7684
|
+
data: { jobId: step.job.id },
|
|
7685
|
+
messageId: "missingContentsReadPermission",
|
|
7686
|
+
node: step.job.idNode
|
|
7687
|
+
});
|
|
7531
7688
|
}
|
|
7532
|
-
context.report({
|
|
7533
|
-
messageId: "missingContentsReadPermission",
|
|
7534
|
-
node: contentsPair?.value ?? contentsPair ?? permissionsMapping ?? root
|
|
7535
|
-
});
|
|
7536
7689
|
}
|
|
7537
7690
|
};
|
|
7538
7691
|
},
|
|
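Review bot: In the new loop, `hasExactWorkflowPermission(root, step.job, "contents", "read")` is the only test before `context.report`, and the helper's name suggests an exact match, so a job that resolves to `contents: write` or inherits a broader workflow-level grant would presumably be reported with wording that reads as a missing permission, not an over-broad one. The helper is defined outside this hunk, so this needs confirming; if it holds, the `missingContentsReadPermission` text should say so, for example `Job '{{jobId}}' ... should grant exactly contents: read, not a broader contents scope.` A short comment on the set would also help: `// One report per job, even when it runs the action in several steps.` The preceding `!hasDependencyReviewAction(root)` guard looks redundant now that the loop iterates `getDependencyReviewActionSteps(root)`.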
@@ -7544,7 +7697,7 @@ var rule82 = {
|
|
|
7544
7697
|
"github-actions.configs.codeScanning",
|
|
7545
7698
|
"github-actions.configs.security"
|
|
7546
7699
|
],
|
|
7547
|
-
description: "require
|
|
7700
|
+
description: "require jobs using `actions/dependency-review-action` to grant effective `contents: read`.",
|
|
7548
7701
|
dialects: ["GitHub Actions workflow"],
|
|
7549
7702
|
frozen: false,
|
|
7550
7703
|
recommended: false,
|
|
@@ -7554,7 +7707,7 @@ var rule82 = {
|
|
|
7554
7707
|
url: "https://nick2bad4u.github.io/eslint-plugin-github-actions-2/docs/rules/require-dependency-review-permissions-contents-read"
|
|
7555
7708
|
},
|
|
7556
7709
|
messages: {
|
|
7557
|
-
missingContentsReadPermission: "
|
|
7710
|
+
missingContentsReadPermission: "Job '{{jobId}}' uses `actions/dependency-review-action` and should grant effective `contents: read` at the job or workflow level."
|
|
7558
7711
|
},
|
|
7559
7712
|
schema: [],
|
|
7560
7713
|
type: "problem"
|
|
@@ -7567,6 +7720,9 @@ var rule83 = {
|
|
|
7567
7720
|
create(context) {
|
|
7568
7721
|
return {
|
|
7569
7722
|
Program() {
|
|
7723
|
+
if (!isWorkflowFile(context.filename)) {
|
|
7724
|
+
return;
|
|
7725
|
+
}
|
|
7570
7726
|
const root = getWorkflowRoot(context);
|
|
7571
7727
|
if (root === null || !hasDependencyReviewAction(root)) {
|
|
7572
7728
|
return;
|
|
@@ -7612,6 +7768,9 @@ var rule84 = {
|
|
|
7612
7768
|
create(context) {
|
|
7613
7769
|
return {
|
|
7614
7770
|
Program() {
|
|
7771
|
+
if (!isWorkflowFile(context.filename)) {
|
|
7772
|
+
return;
|
|
7773
|
+
}
|
|
7615
7774
|
const root = getWorkflowRoot(context);
|
|
7616
7775
|
if (root === null) {
|
|
7617
7776
|
return;
|
|
@@ -7662,6 +7821,9 @@ var rule85 = {
|
|
|
7662
7821
|
create(context) {
|
|
7663
7822
|
return {
|
|
7664
7823
|
Program() {
|
|
7824
|
+
if (!isWorkflowFile(context.filename)) {
|
|
7825
|
+
return;
|
|
7826
|
+
}
|
|
7665
7827
|
const root = getWorkflowRoot(context);
|
|
7666
7828
|
if (root === null) {
|
|
7667
7829
|
return;
|
|
@@ -7777,6 +7939,9 @@ var rule86 = {
|
|
|
7777
7939
|
create(context) {
|
|
7778
7940
|
return {
|
|
7779
7941
|
Program() {
|
|
7942
|
+
if (!isWorkflowFile(context.filename)) {
|
|
7943
|
+
return;
|
|
7944
|
+
}
|
|
7780
7945
|
const root = getWorkflowRoot(context);
|
|
7781
7946
|
if (root === null) {
|
|
7782
7947
|
return;
|
|
@@ -7886,6 +8051,9 @@ var rule87 = {
|
|
|
7886
8051
|
const maxMinutes = options?.maxMinutes ?? DEFAULT_MAX_MINUTES;
|
|
7887
8052
|
return {
|
|
7888
8053
|
Program() {
|
|
8054
|
+
if (!isWorkflowFile(context.filename)) {
|
|
8055
|
+
return;
|
|
8056
|
+
}
|
|
7889
8057
|
const root = getWorkflowRoot(context);
|
|
7890
8058
|
if (root === null) {
|
|
7891
8059
|
return;
|
|
@@ -7998,6 +8166,9 @@ var rule88 = {
|
|
|
7998
8166
|
create(context) {
|
|
7999
8167
|
return {
|
|
8000
8168
|
Program() {
|
|
8169
|
+
if (!isWorkflowFile(context.filename)) {
|
|
8170
|
+
return;
|
|
8171
|
+
}
|
|
8001
8172
|
const root = getWorkflowRoot(context);
|
|
8002
8173
|
if (root === null || !hasTriggerEvent(root, "pull_request")) {
|
|
8003
8174
|
return;
|
|
@@ -8070,6 +8241,9 @@ var rule89 = {
|
|
|
8070
8241
|
};
|
|
8071
8242
|
return {
|
|
8072
8243
|
Program() {
|
|
8244
|
+
if (!isWorkflowFile(context.filename)) {
|
|
8245
|
+
return;
|
|
8246
|
+
}
|
|
8073
8247
|
const root = getWorkflowRoot(context);
|
|
8074
8248
|
if (root === null) {
|
|
8075
8249
|
return;
|
|
@@ -8170,6 +8344,9 @@ var rule90 = {
|
|
|
8170
8344
|
};
|
|
8171
8345
|
return {
|
|
8172
8346
|
Program() {
|
|
8347
|
+
if (!isWorkflowFile(context.filename)) {
|
|
8348
|
+
return;
|
|
8349
|
+
}
|
|
8173
8350
|
const root = getWorkflowRoot(context);
|
|
8174
8351
|
if (root === null) {
|
|
8175
8352
|
return;
|
|
@@ -8253,6 +8430,9 @@ var rule91 = {
|
|
|
8253
8430
|
create(context) {
|
|
8254
8431
|
return {
|
|
8255
8432
|
Program() {
|
|
8433
|
+
if (!isWorkflowFile(context.filename)) {
|
|
8434
|
+
return;
|
|
8435
|
+
}
|
|
8256
8436
|
const root = getWorkflowRoot(context);
|
|
8257
8437
|
if (root === null) {
|
|
8258
8438
|
return;
|
|
@@ -8301,6 +8481,9 @@ var rule92 = {
|
|
|
8301
8481
|
create(context) {
|
|
8302
8482
|
return {
|
|
8303
8483
|
Program() {
|
|
8484
|
+
if (!isWorkflowFile(context.filename)) {
|
|
8485
|
+
return;
|
|
8486
|
+
}
|
|
8304
8487
|
const root = getWorkflowRoot(context);
|
|
8305
8488
|
if (root === null) {
|
|
8306
8489
|
return;
|
|
@@ -8351,6 +8534,9 @@ var rule93 = {
|
|
|
8351
8534
|
create(context) {
|
|
8352
8535
|
return {
|
|
8353
8536
|
Program(node) {
|
|
8537
|
+
if (!isWorkflowFile(context.filename)) {
|
|
8538
|
+
return;
|
|
8539
|
+
}
|
|
8354
8540
|
const root = getWorkflowRoot(context);
|
|
8355
8541
|
if (root === null || getScorecardSteps(root).length === 0) {
|
|
8356
8542
|
return;
|
|
@@ -8403,12 +8589,15 @@ var rule94 = {
|
|
|
8403
8589
|
create(context) {
|
|
8404
8590
|
return {
|
|
8405
8591
|
Program() {
|
|
8592
|
+
if (!isWorkflowFile(context.filename)) {
|
|
8593
|
+
return;
|
|
8594
|
+
}
|
|
8406
8595
|
const root = getWorkflowRoot(context);
|
|
8407
8596
|
if (root === null) {
|
|
8408
8597
|
return;
|
|
8409
8598
|
}
|
|
8410
8599
|
for (const step of getSecretScanningActionSteps(root)) {
|
|
8411
|
-
if (
|
|
8600
|
+
if (hasExactWorkflowPermission(root, step.job, "contents", "read")) {
|
|
8412
8601
|
continue;
|
|
8413
8602
|
}
|
|
8414
8603
|
context.report({
|
|
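Review bot: The loop over `getSecretScanningActionSteps(root)` reports per step, while the rule82 hunk above makes the same `hasExactWorkflowPermission(root, step.job, "contents", "read")` check but tracks `seenJobIds` so each job is reported once; a job with two secret-scanner steps would, as far as this hunk shows, get the `missingContentsRead` message twice. Adding the same guard here keeps the two rules consistent: `if (seenJobIds.has(step.job.id)) continue; seenJobIds.add(step.job.id);` with `const seenJobIds = new Set();` before the loop. The `context.report` call and the rest of `Program()` continue outside the hunk, so an existing de-duplication further down cannot be ruled out.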
@@ -8437,7 +8626,7 @@ var rule94 = {
|
|
|
8437
8626
|
url: "https://nick2bad4u.github.io/eslint-plugin-github-actions-2/docs/rules/require-secret-scan-contents-read"
|
|
8438
8627
|
},
|
|
8439
8628
|
messages: {
|
|
8440
|
-
missingContentsRead: "Job '{{jobId}}' runs a secret scanner and should grant `contents: read
|
|
8629
|
+
missingContentsRead: "Job '{{jobId}}' runs a secret scanner and should grant effective `contents: read` at the job or workflow level."
|
|
8441
8630
|
},
|
|
8442
8631
|
schema: [],
|
|
8443
8632
|
type: "problem"
|
|
@@ -8451,6 +8640,9 @@ var rule95 = {
|
|
|
8451
8640
|
create(context) {
|
|
8452
8641
|
return {
|
|
8453
8642
|
Program() {
|
|
8643
|
+
if (!isWorkflowFile(context.filename)) {
|
|
8644
|
+
return;
|
|
8645
|
+
}
|
|
8454
8646
|
const root = getWorkflowRoot(context);
|
|
8455
8647
|
if (root === null) {
|
|
8456
8648
|
return;
|
|
@@ -8521,6 +8713,9 @@ var rule96 = {
|
|
|
8521
8713
|
create(context) {
|
|
8522
8714
|
return {
|
|
8523
8715
|
Program(node) {
|
|
8716
|
+
if (!isWorkflowFile(context.filename)) {
|
|
8717
|
+
return;
|
|
8718
|
+
}
|
|
8524
8719
|
const root = getWorkflowRoot(context);
|
|
8525
8720
|
if (root === null || !hasSecretScanningAction(root)) {
|
|
8526
8721
|
return;
|
|
@@ -8876,6 +9071,9 @@ var rule102 = {
|
|
|
8876
9071
|
};
|
|
8877
9072
|
return {
|
|
8878
9073
|
Program() {
|
|
9074
|
+
if (!isWorkflowFile(context.filename)) {
|
|
9075
|
+
return;
|
|
9076
|
+
}
|
|
8879
9077
|
const root = getWorkflowRoot(context);
|
|
8880
9078
|
if (root === null) {
|
|
8881
9079
|
return;
|
|
@@ -8954,6 +9152,9 @@ var rule103 = {
|
|
|
8954
9152
|
create(context) {
|
|
8955
9153
|
return {
|
|
8956
9154
|
Program() {
|
|
9155
|
+
if (!isWorkflowFile(context.filename)) {
|
|
9156
|
+
return;
|
|
9157
|
+
}
|
|
8957
9158
|
const root = getWorkflowRoot(context);
|
|
8958
9159
|
if (root === null) {
|
|
8959
9160
|
return;
|
|
@@ -9010,6 +9211,9 @@ var rule104 = {
|
|
|
9010
9211
|
create(context) {
|
|
9011
9212
|
return {
|
|
9012
9213
|
Program() {
|
|
9214
|
+
if (!isWorkflowFile(context.filename)) {
|
|
9215
|
+
return;
|
|
9216
|
+
}
|
|
9013
9217
|
const root = getWorkflowRoot(context);
|
|
9014
9218
|
if (root === null) {
|
|
9015
9219
|
return;
|
|
@@ -9090,6 +9294,9 @@ var rule105 = {
|
|
|
9090
9294
|
create(context) {
|
|
9091
9295
|
return {
|
|
9092
9296
|
Program() {
|
|
9297
|
+
if (!isWorkflowFile(context.filename)) {
|
|
9298
|
+
return;
|
|
9299
|
+
}
|
|
9093
9300
|
const root = getWorkflowRoot(context);
|
|
9094
9301
|
if (root === null) {
|
|
9095
9302
|
return;
|
|
@@ -9179,6 +9386,9 @@ var rule106 = {
|
|
|
9179
9386
|
const requireCancelInProgress = options?.requireCancelInProgress ?? true;
|
|
9180
9387
|
return {
|
|
9181
9388
|
Program() {
|
|
9389
|
+
if (!isWorkflowFile(context.filename)) {
|
|
9390
|
+
return;
|
|
9391
|
+
}
|
|
9182
9392
|
const root = getWorkflowRoot(context);
|
|
9183
9393
|
if (root === null) {
|
|
9184
9394
|
return;
|
|
@@ -9324,6 +9534,9 @@ var rule107 = {
|
|
|
9324
9534
|
create(context) {
|
|
9325
9535
|
return {
|
|
9326
9536
|
Program() {
|
|
9537
|
+
if (!isWorkflowFile(context.filename)) {
|
|
9538
|
+
return;
|
|
9539
|
+
}
|
|
9327
9540
|
const root = getWorkflowRoot(context);
|
|
9328
9541
|
if (root === null) {
|
|
9329
9542
|
return;
|
|
@@ -9435,6 +9648,9 @@ var rule108 = {
|
|
|
9435
9648
|
create(context) {
|
|
9436
9649
|
return {
|
|
9437
9650
|
Program() {
|
|
9651
|
+
if (!isWorkflowFile(context.filename)) {
|
|
9652
|
+
return;
|
|
9653
|
+
}
|
|
9438
9654
|
const root = getWorkflowRoot(context);
|
|
9439
9655
|
if (root === null) {
|
|
9440
9656
|
return;
|
|
@@ -9605,6 +9821,9 @@ var rule110 = {
|
|
|
9605
9821
|
create(context) {
|
|
9606
9822
|
return {
|
|
9607
9823
|
Program() {
|
|
9824
|
+
if (!isWorkflowFile(context.filename)) {
|
|
9825
|
+
return;
|
|
9826
|
+
}
|
|
9608
9827
|
const root = getWorkflowRoot(context);
|
|
9609
9828
|
if (root === null) {
|
|
9610
9829
|
return;
|
|
@@ -9818,6 +10037,9 @@ var rule113 = {
|
|
|
9818
10037
|
};
|
|
9819
10038
|
return {
|
|
9820
10039
|
Program() {
|
|
10040
|
+
if (!isWorkflowFile(context.filename)) {
|
|
10041
|
+
return;
|
|
10042
|
+
}
|
|
9821
10043
|
const root = getWorkflowRoot(context);
|
|
9822
10044
|
if (root === null) {
|
|
9823
10045
|
return;
|
|
@@ -10050,6 +10272,9 @@ var rule114 = {
|
|
|
10050
10272
|
};
|
|
10051
10273
|
return {
|
|
10052
10274
|
Program() {
|
|
10275
|
+
if (!isWorkflowFile(context.filename)) {
|
|
10276
|
+
return;
|
|
10277
|
+
}
|
|
10053
10278
|
const root = getWorkflowRoot(context);
|
|
10054
10279
|
if (root === null) {
|
|
10055
10280
|
return;
|
|
@@ -10266,7 +10491,7 @@ var getRuleConfigReferences = (ruleName, rule115) => {
|
|
|
10266
10491
|
const references = docs?.configs;
|
|
10267
10492
|
const referenceList = Array.isArray(references) ? references : [references];
|
|
10268
10493
|
if (referenceList.length === 0 || referenceList[0] === void 0) {
|
|
10269
|
-
|
|
10494
|
+
return [];
|
|
10270
10495
|
}
|
|
10271
10496
|
for (const reference of referenceList) {
|
|
10272
10497
|
if (typeof reference !== "string" || !isGithubActionsConfigReference(reference)) {
|