eslint-plugin-github-actions-2 1.0.4 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (217)
  1. package/README.md +127 -127
  2. package/dist/_internal/github-actions-config-references.js +1 -1
  3. package/dist/_internal/github-actions-config-references.js.map +1 -1
  4. package/dist/_internal/rule-docs.d.ts +1 -1
  5. package/dist/_internal/rule-docs.d.ts.map +1 -1
  6. package/dist/_internal/workflow-permissions.d.ts +2 -0
  7. package/dist/_internal/workflow-permissions.d.ts.map +1 -1
  8. package/dist/_internal/workflow-permissions.js +54 -7
  9. package/dist/_internal/workflow-permissions.js.map +1 -1
  10. package/dist/plugin.cjs +276 -24
  11. package/dist/plugin.cjs.map +2 -2
  12. package/dist/plugin.d.ts.map +1 -1
  13. package/dist/plugin.js +1 -1
  14. package/dist/plugin.js.map +1 -1
  15. package/dist/rules/action-name-casing.d.ts.map +1 -1
  16. package/dist/rules/action-name-casing.js +4 -0
  17. package/dist/rules/action-name-casing.js.map +1 -1
  18. package/dist/rules/job-id-casing.d.ts.map +1 -1
  19. package/dist/rules/job-id-casing.js +4 -0
  20. package/dist/rules/job-id-casing.js.map +1 -1
  21. package/dist/rules/max-jobs-per-action.d.ts.map +1 -1
  22. package/dist/rules/max-jobs-per-action.js +4 -0
  23. package/dist/rules/max-jobs-per-action.js.map +1 -1
  24. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.d.ts.map +1 -1
  25. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.js +4 -0
  26. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.js.map +1 -1
  27. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.d.ts.map +1 -1
  28. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.js +4 -0
  29. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.js.map +1 -1
  30. package/dist/rules/no-external-job.d.ts.map +1 -1
  31. package/dist/rules/no-external-job.js +4 -0
  32. package/dist/rules/no-external-job.js.map +1 -1
  33. package/dist/rules/no-inherit-secrets.d.ts.map +1 -1
  34. package/dist/rules/no-inherit-secrets.js +4 -0
  35. package/dist/rules/no-inherit-secrets.js.map +1 -1
  36. package/dist/rules/no-invalid-concurrency-context.d.ts.map +1 -1
  37. package/dist/rules/no-invalid-concurrency-context.js +4 -0
  38. package/dist/rules/no-invalid-concurrency-context.js.map +1 -1
  39. package/dist/rules/no-invalid-reusable-workflow-job-key.d.ts.map +1 -1
  40. package/dist/rules/no-invalid-reusable-workflow-job-key.js +4 -0
  41. package/dist/rules/no-invalid-reusable-workflow-job-key.js.map +1 -1
  42. package/dist/rules/no-invalid-workflow-call-output-value.d.ts.map +1 -1
  43. package/dist/rules/no-invalid-workflow-call-output-value.js +4 -0
  44. package/dist/rules/no-invalid-workflow-call-output-value.js.map +1 -1
  45. package/dist/rules/no-pr-head-checkout-in-pull-request-target.d.ts.map +1 -1
  46. package/dist/rules/no-pr-head-checkout-in-pull-request-target.js +4 -0
  47. package/dist/rules/no-pr-head-checkout-in-pull-request-target.js.map +1 -1
  48. package/dist/rules/no-secrets-in-if.d.ts.map +1 -1
  49. package/dist/rules/no-secrets-in-if.js +4 -0
  50. package/dist/rules/no-secrets-in-if.js.map +1 -1
  51. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.d.ts.map +1 -1
  52. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.js +4 -0
  53. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.js.map +1 -1
  54. package/dist/rules/no-top-level-env.d.ts.map +1 -1
  55. package/dist/rules/no-top-level-env.js +4 -0
  56. package/dist/rules/no-top-level-env.js.map +1 -1
  57. package/dist/rules/no-top-level-permissions.d.ts.map +1 -1
  58. package/dist/rules/no-top-level-permissions.js +4 -1
  59. package/dist/rules/no-top-level-permissions.js.map +1 -1
  60. package/dist/rules/no-unknown-job-output-reference.d.ts.map +1 -1
  61. package/dist/rules/no-unknown-job-output-reference.js +4 -0
  62. package/dist/rules/no-unknown-job-output-reference.js.map +1 -1
  63. package/dist/rules/no-unknown-step-reference.d.ts.map +1 -1
  64. package/dist/rules/no-unknown-step-reference.js +4 -0
  65. package/dist/rules/no-unknown-step-reference.js.map +1 -1
  66. package/dist/rules/no-untrusted-input-in-run.d.ts.map +1 -1
  67. package/dist/rules/no-untrusted-input-in-run.js +4 -0
  68. package/dist/rules/no-untrusted-input-in-run.js.map +1 -1
  69. package/dist/rules/no-write-all-permissions.d.ts.map +1 -1
  70. package/dist/rules/no-write-all-permissions.js +4 -0
  71. package/dist/rules/no-write-all-permissions.js.map +1 -1
  72. package/dist/rules/pin-action-shas.d.ts.map +1 -1
  73. package/dist/rules/pin-action-shas.js +4 -0
  74. package/dist/rules/pin-action-shas.js.map +1 -1
  75. package/dist/rules/prefer-fail-fast.d.ts.map +1 -1
  76. package/dist/rules/prefer-fail-fast.js +4 -0
  77. package/dist/rules/prefer-fail-fast.js.map +1 -1
  78. package/dist/rules/prefer-file-extension.d.ts.map +1 -1
  79. package/dist/rules/prefer-file-extension.js +4 -0
  80. package/dist/rules/prefer-file-extension.js.map +1 -1
  81. package/dist/rules/prefer-inputs-context.d.ts.map +1 -1
  82. package/dist/rules/prefer-inputs-context.js +4 -0
  83. package/dist/rules/prefer-inputs-context.js.map +1 -1
  84. package/dist/rules/prefer-step-uses-style.d.ts.map +1 -1
  85. package/dist/rules/prefer-step-uses-style.js +4 -0
  86. package/dist/rules/prefer-step-uses-style.js.map +1 -1
  87. package/dist/rules/require-checkout-before-local-action.d.ts.map +1 -1
  88. package/dist/rules/require-checkout-before-local-action.js +4 -0
  89. package/dist/rules/require-checkout-before-local-action.js.map +1 -1
  90. package/dist/rules/require-codeql-actions-read.d.ts.map +1 -1
  91. package/dist/rules/require-codeql-actions-read.js +4 -0
  92. package/dist/rules/require-codeql-actions-read.js.map +1 -1
  93. package/dist/rules/require-codeql-branch-filters.d.ts.map +1 -1
  94. package/dist/rules/require-codeql-branch-filters.js +4 -0
  95. package/dist/rules/require-codeql-branch-filters.js.map +1 -1
  96. package/dist/rules/require-codeql-category-when-language-matrix.d.ts.map +1 -1
  97. package/dist/rules/require-codeql-category-when-language-matrix.js +4 -0
  98. package/dist/rules/require-codeql-category-when-language-matrix.js.map +1 -1
  99. package/dist/rules/require-codeql-pull-request-trigger.d.ts.map +1 -1
  100. package/dist/rules/require-codeql-pull-request-trigger.js +4 -0
  101. package/dist/rules/require-codeql-pull-request-trigger.js.map +1 -1
  102. package/dist/rules/require-codeql-schedule.d.ts.map +1 -1
  103. package/dist/rules/require-codeql-schedule.js +4 -0
  104. package/dist/rules/require-codeql-schedule.js.map +1 -1
  105. package/dist/rules/require-codeql-security-events-write.d.ts.map +1 -1
  106. package/dist/rules/require-codeql-security-events-write.js +4 -0
  107. package/dist/rules/require-codeql-security-events-write.js.map +1 -1
  108. package/dist/rules/require-dependabot-automation-permissions.d.ts.map +1 -1
  109. package/dist/rules/require-dependabot-automation-permissions.js +4 -0
  110. package/dist/rules/require-dependabot-automation-permissions.js.map +1 -1
  111. package/dist/rules/require-dependabot-automation-pull-request-trigger.d.ts.map +1 -1
  112. package/dist/rules/require-dependabot-automation-pull-request-trigger.js +4 -0
  113. package/dist/rules/require-dependabot-automation-pull-request-trigger.js.map +1 -1
  114. package/dist/rules/require-dependabot-bot-actor-guard.d.ts.map +1 -1
  115. package/dist/rules/require-dependabot-bot-actor-guard.js +4 -0
  116. package/dist/rules/require-dependabot-bot-actor-guard.js.map +1 -1
  117. package/dist/rules/require-dependabot-open-pull-requests-limit.d.ts.map +1 -1
  118. package/dist/rules/require-dependabot-open-pull-requests-limit.js +32 -2
  119. package/dist/rules/require-dependabot-open-pull-requests-limit.js.map +1 -1
  120. package/dist/rules/require-dependency-review-fail-on-severity.d.ts.map +1 -1
  121. package/dist/rules/require-dependency-review-fail-on-severity.js +4 -0
  122. package/dist/rules/require-dependency-review-fail-on-severity.js.map +1 -1
  123. package/dist/rules/require-dependency-review-permissions-contents-read.d.ts.map +1 -1
  124. package/dist/rules/require-dependency-review-permissions-contents-read.js +23 -18
  125. package/dist/rules/require-dependency-review-permissions-contents-read.js.map +1 -1
  126. package/dist/rules/require-dependency-review-pull-request-trigger.d.ts.map +1 -1
  127. package/dist/rules/require-dependency-review-pull-request-trigger.js +4 -0
  128. package/dist/rules/require-dependency-review-pull-request-trigger.js.map +1 -1
  129. package/dist/rules/require-fetch-metadata-github-token.d.ts.map +1 -1
  130. package/dist/rules/require-fetch-metadata-github-token.js +4 -0
  131. package/dist/rules/require-fetch-metadata-github-token.js.map +1 -1
  132. package/dist/rules/require-job-name.d.ts.map +1 -1
  133. package/dist/rules/require-job-name.js +4 -0
  134. package/dist/rules/require-job-name.js.map +1 -1
  135. package/dist/rules/require-job-step-name.d.ts.map +1 -1
  136. package/dist/rules/require-job-step-name.js +4 -0
  137. package/dist/rules/require-job-step-name.js.map +1 -1
  138. package/dist/rules/require-job-timeout-minutes.d.ts.map +1 -1
  139. package/dist/rules/require-job-timeout-minutes.js +4 -0
  140. package/dist/rules/require-job-timeout-minutes.js.map +1 -1
  141. package/dist/rules/require-merge-group-trigger.d.ts.map +1 -1
  142. package/dist/rules/require-merge-group-trigger.js +4 -0
  143. package/dist/rules/require-merge-group-trigger.js.map +1 -1
  144. package/dist/rules/require-pull-request-target-branches.d.ts.map +1 -1
  145. package/dist/rules/require-pull-request-target-branches.js +4 -0
  146. package/dist/rules/require-pull-request-target-branches.js.map +1 -1
  147. package/dist/rules/require-run-step-shell.d.ts.map +1 -1
  148. package/dist/rules/require-run-step-shell.js +4 -0
  149. package/dist/rules/require-run-step-shell.js.map +1 -1
  150. package/dist/rules/require-sarif-upload-security-events-write.d.ts.map +1 -1
  151. package/dist/rules/require-sarif-upload-security-events-write.js +4 -0
  152. package/dist/rules/require-sarif-upload-security-events-write.js.map +1 -1
  153. package/dist/rules/require-scorecard-results-format-sarif.d.ts.map +1 -1
  154. package/dist/rules/require-scorecard-results-format-sarif.js +4 -0
  155. package/dist/rules/require-scorecard-results-format-sarif.js.map +1 -1
  156. package/dist/rules/require-scorecard-upload-sarif-step.d.ts.map +1 -1
  157. package/dist/rules/require-scorecard-upload-sarif-step.js +4 -0
  158. package/dist/rules/require-scorecard-upload-sarif-step.js.map +1 -1
  159. package/dist/rules/require-secret-scan-contents-read.d.ts.map +1 -1
  160. package/dist/rules/require-secret-scan-contents-read.js +7 -3
  161. package/dist/rules/require-secret-scan-contents-read.js.map +1 -1
  162. package/dist/rules/require-secret-scan-fetch-depth-zero.d.ts.map +1 -1
  163. package/dist/rules/require-secret-scan-fetch-depth-zero.js +4 -0
  164. package/dist/rules/require-secret-scan-fetch-depth-zero.js.map +1 -1
  165. package/dist/rules/require-secret-scan-schedule.d.ts.map +1 -1
  166. package/dist/rules/require-secret-scan-schedule.js +4 -0
  167. package/dist/rules/require-secret-scan-schedule.js.map +1 -1
  168. package/dist/rules/require-trigger-types.d.ts.map +1 -1
  169. package/dist/rules/require-trigger-types.js +4 -0
  170. package/dist/rules/require-trigger-types.js.map +1 -1
  171. package/dist/rules/require-trufflehog-verified-results-mode.d.ts.map +1 -1
  172. package/dist/rules/require-trufflehog-verified-results-mode.js +4 -0
  173. package/dist/rules/require-trufflehog-verified-results-mode.js.map +1 -1
  174. package/dist/rules/require-workflow-call-input-type.d.ts.map +1 -1
  175. package/dist/rules/require-workflow-call-input-type.js +4 -0
  176. package/dist/rules/require-workflow-call-input-type.js.map +1 -1
  177. package/dist/rules/require-workflow-call-output-value.d.ts.map +1 -1
  178. package/dist/rules/require-workflow-call-output-value.js +4 -0
  179. package/dist/rules/require-workflow-call-output-value.js.map +1 -1
  180. package/dist/rules/require-workflow-concurrency.d.ts.map +1 -1
  181. package/dist/rules/require-workflow-concurrency.js +4 -0
  182. package/dist/rules/require-workflow-concurrency.js.map +1 -1
  183. package/dist/rules/require-workflow-dispatch-input-type.d.ts.map +1 -1
  184. package/dist/rules/require-workflow-dispatch-input-type.js +4 -0
  185. package/dist/rules/require-workflow-dispatch-input-type.js.map +1 -1
  186. package/dist/rules/require-workflow-interface-description.d.ts.map +1 -1
  187. package/dist/rules/require-workflow-interface-description.js +4 -0
  188. package/dist/rules/require-workflow-interface-description.js.map +1 -1
  189. package/dist/rules/require-workflow-run-branches.d.ts.map +1 -1
  190. package/dist/rules/require-workflow-run-branches.js +4 -0
  191. package/dist/rules/require-workflow-run-branches.js.map +1 -1
  192. package/dist/rules/valid-timeout-minutes.d.ts.map +1 -1
  193. package/dist/rules/valid-timeout-minutes.js +4 -0
  194. package/dist/rules/valid-timeout-minutes.js.map +1 -1
  195. package/dist/rules/valid-trigger-events.d.ts.map +1 -1
  196. package/dist/rules/valid-trigger-events.js +4 -0
  197. package/dist/rules/valid-trigger-events.js.map +1 -1
  198. package/docs/rules/guides/authoring-rules.md +34 -0
  199. package/docs/rules/guides/docs-authoring.md +34 -0
  200. package/docs/rules/guides/index.md +15 -0
  201. package/docs/rules/guides/testing-rules.md +34 -0
  202. package/docs/rules/no-top-level-permissions.md +4 -4
  203. package/docs/rules/presets/action-metadata.md +8 -8
  204. package/docs/rules/presets/all.md +123 -124
  205. package/docs/rules/presets/code-scanning.md +8 -8
  206. package/docs/rules/presets/dependabot.md +8 -8
  207. package/docs/rules/presets/index.md +119 -123
  208. package/docs/rules/presets/recommended.md +8 -8
  209. package/docs/rules/presets/security.md +8 -8
  210. package/docs/rules/presets/strict.md +8 -8
  211. package/docs/rules/presets/workflow-template-properties.md +8 -8
  212. package/docs/rules/presets/workflow-templates.md +8 -8
  213. package/docs/rules/require-dependabot-open-pull-requests-limit.md +21 -4
  214. package/docs/rules/require-dependency-review-permissions-contents-read.md +15 -4
  215. package/docs/rules/require-secret-scan-contents-read.md +10 -2
  216. package/docs/rules/require-workflow-permissions.md +4 -4
  217. package/package.json +1 -1
@@ -16,10 +16,7 @@ The plugin exports nine flat-config presets:
16
16
  - [`githubActions.configs.strict`](./strict.md)
17
17
  - [`githubActions.configs.all`](./all.md)
18
18
 
19
- These presets cover workflow YAML, action metadata (`action.yml` / `action.yaml`),
20
- repository Dependabot configuration (`.github/dependabot.yml`), and workflow
21
- template package files (`workflow-templates/*.yml`, `*.yaml`, and
22
- `*.properties.json`).
19
+ These presets cover workflow YAML, action metadata (`action.yml` / `action.yaml`), repository Dependabot configuration (`.github/dependabot.yml`), and workflow template package files (`workflow-templates/*.yml`, `*.yaml`, and `*.properties.json`).
23
20
 
24
21
  ## How to choose
25
22
 
@@ -27,11 +24,10 @@ template package files (`workflow-templates/*.yml`, `*.yaml`, and
27
24
  - Layer **security** for stronger supply-chain and permissions-focused checks.
28
25
  - Use **codeScanning** for CodeQL, dependency review, SARIF upload, and related code-scanning workflows.
29
26
  - Use **strict** when you want high signal on operational consistency.
30
- - Use **all** for complete rule coverage (best for internal policy repos).
27
+ - Use **all** for complete bundled rule coverage (best for internal policy repos), and layer opt-in policy rules manually when your standards require them.
31
28
  - Use **dependabot** when you want a dedicated policy surface for dependency update automation.
32
29
 
33
- Then review [getting started](../getting-started.md) and the full
34
- [rule reference](../overview.md).
30
+ Then review [getting started](../getting-started.md) and the full [rule reference](../overview.md).
35
31
 
36
32
  ## Rule Matrix
37
33
 
@@ -53,119 +49,119 @@ Preset key legend:
53
49
  - [🔴](./strict.md) — [`githubActions.configs.strict`](./strict.md)
54
50
  - [🟣](./all.md) — [`githubActions.configs.all`](./all.md)
55
51
 
56
- | Rule | Fix | Preset key |
57
- | --- | :-: | --- |
58
- | <span class="sb-inline-rule-number">R009</span> [`action-name-casing`](../action-name-casing.md) | 🔧 | [🟣](./all.md) [🔴](./strict.md) |
59
- | <span class="sb-inline-rule-number">R010</span> [`job-id-casing`](../job-id-casing.md) | | [🟣](./all.md) [🔴](./strict.md) |
60
- | <span class="sb-inline-rule-number">R011</span> [`max-jobs-per-action`](../max-jobs-per-action.md) | | [🟣](./all.md) [🔴](./strict.md) |
61
- | <span class="sb-inline-rule-number">R048</span> [`no-case-insensitive-input-id-collision`](../no-case-insensitive-input-id-collision.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
62
- | <span class="sb-inline-rule-number">R097</span> [`no-codeql-autobuild-for-javascript-typescript`](../no-codeql-autobuild-for-javascript-typescript.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
63
- | <span class="sb-inline-rule-number">R096</span> [`no-codeql-javascript-typescript-split-language-matrix`](../no-codeql-javascript-typescript-split-language-matrix.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
64
- | <span class="sb-inline-rule-number">R049</span> [`no-composite-input-env-access`](../no-composite-input-env-access.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
65
- | <span class="sb-inline-rule-number">R044</span> [`no-deprecated-node-runtime`](../no-deprecated-node-runtime.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
66
- | <span class="sb-inline-rule-number">R051</span> [`no-duplicate-composite-step-id`](../no-duplicate-composite-step-id.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
67
- | <span class="sb-inline-rule-number">R060</span> [`no-empty-template-file-pattern`](../no-empty-template-file-pattern.md) | 🔧 | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
68
- | <span class="sb-inline-rule-number">R012</span> [`no-external-job`](../no-external-job.md) | | [🟣](./all.md) [🔴](./strict.md) |
69
- | <span class="sb-inline-rule-number">R068</span> [`no-hardcoded-default-branch-in-template`](../no-hardcoded-default-branch-in-template.md) | | [🧱](./workflow-templates.md) [🟣](./all.md) |
70
- | <span class="sb-inline-rule-number">R063</span> [`no-icon-file-extension-in-template-icon-name`](../no-icon-file-extension-in-template-icon-name.md) | 🔧 | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
71
- | <span class="sb-inline-rule-number">R026</span> [`no-inherit-secrets`](../no-inherit-secrets.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
72
- | <span class="sb-inline-rule-number">R042</span> [`no-invalid-concurrency-context`](../no-invalid-concurrency-context.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
73
- | <span class="sb-inline-rule-number">R019</span> [`no-invalid-key`](../no-invalid-key.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
74
- | <span class="sb-inline-rule-number">R041</span> [`no-invalid-reusable-workflow-job-key`](../no-invalid-reusable-workflow-job-key.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
75
- | <span class="sb-inline-rule-number">R059</span> [`no-invalid-template-file-pattern-regex`](../no-invalid-template-file-pattern-regex.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
76
- | <span class="sb-inline-rule-number">R040</span> [`no-invalid-workflow-call-output-value`](../no-invalid-workflow-call-output-value.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
77
- | <span class="sb-inline-rule-number">R095</span> [`no-overlapping-dependabot-directories`](../no-overlapping-dependabot-directories.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
78
- | <span class="sb-inline-rule-number">R064</span> [`no-path-separators-in-template-icon-name`](../no-path-separators-in-template-icon-name.md) | 💡 | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
79
- | <span class="sb-inline-rule-number">R046</span> [`no-post-if-without-post`](../no-post-if-without-post.md) | 🔧 | [🧩](./action-metadata.md) [🟣](./all.md) |
80
- | <span class="sb-inline-rule-number">R030</span> [`no-pr-head-checkout-in-pull-request-target`](../no-pr-head-checkout-in-pull-request-target.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
81
- | <span class="sb-inline-rule-number">R045</span> [`no-pre-if-without-pre`](../no-pre-if-without-pre.md) | 🔧 | [🧩](./action-metadata.md) [🟣](./all.md) |
82
- | <span class="sb-inline-rule-number">R047</span> [`no-required-input-with-default`](../no-required-input-with-default.md) | 💡 | [🧩](./action-metadata.md) [🟣](./all.md) |
83
- | <span class="sb-inline-rule-number">R027</span> [`no-secrets-in-if`](../no-secrets-in-if.md) | | [🟣](./all.md) [🟡](./recommended.md) [🛡️](./security.md) [🔴](./strict.md) |
84
- | <span class="sb-inline-rule-number">R036</span> [`no-self-hosted-runner-on-fork-pr-events`](../no-self-hosted-runner-on-fork-pr-events.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
85
- | <span class="sb-inline-rule-number">R062</span> [`no-subdirectory-template-file-pattern`](../no-subdirectory-template-file-pattern.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
86
- | <span class="sb-inline-rule-number">R069</span> [`no-template-placeholder-in-non-template-workflow`](../no-template-placeholder-in-non-template-workflow.md) | | [🟡](./recommended.md) [🔴](./strict.md) [🟣](./all.md) |
87
- | <span class="sb-inline-rule-number">R013</span> [`no-top-level-env`](../no-top-level-env.md) | | [🟣](./all.md) [🔴](./strict.md) |
88
- | <span class="sb-inline-rule-number">R014</span> [`no-top-level-permissions`](../no-top-level-permissions.md) | | [🟣](./all.md) |
89
- | <span class="sb-inline-rule-number">R061</span> [`no-universal-template-file-pattern`](../no-universal-template-file-pattern.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
90
- | <span class="sb-inline-rule-number">R081</span> [`no-unknown-dependabot-multi-ecosystem-group`](../no-unknown-dependabot-multi-ecosystem-group.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
91
- | <span class="sb-inline-rule-number">R050</span> [`no-unknown-input-reference-in-composite`](../no-unknown-input-reference-in-composite.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
92
- | <span class="sb-inline-rule-number">R037</span> [`no-unknown-job-output-reference`](../no-unknown-job-output-reference.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
93
- | <span class="sb-inline-rule-number">R038</span> [`no-unknown-step-reference`](../no-unknown-step-reference.md) | | [🟣](./all.md) [🔴](./strict.md) |
94
- | <span class="sb-inline-rule-number">R029</span> [`no-untrusted-input-in-run`](../no-untrusted-input-in-run.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
95
- | <span class="sb-inline-rule-number">R085</span> [`no-unused-dependabot-enable-beta-ecosystems`](../no-unused-dependabot-enable-beta-ecosystems.md) | 🔧 | [🟣](./all.md) [🤖](./dependabot.md) |
96
- | <span class="sb-inline-rule-number">R053</span> [`no-unused-input-in-composite`](../no-unused-input-in-composite.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
97
- | <span class="sb-inline-rule-number">R023</span> [`no-write-all-permissions`](../no-write-all-permissions.md) | | [🟣](./all.md) [🟡](./recommended.md) [🛡️](./security.md) [🔴](./strict.md) |
98
- | <span class="sb-inline-rule-number">R003</span> [`pin-action-shas`](../pin-action-shas.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
99
- | <span class="sb-inline-rule-number">R043</span> [`prefer-action-yml`](../prefer-action-yml.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
100
- | <span class="sb-inline-rule-number">R015</span> [`prefer-fail-fast`](../prefer-fail-fast.md) | | [🟣](./all.md) [🔴](./strict.md) |
101
- | <span class="sb-inline-rule-number">R020</span> [`prefer-file-extension`](../prefer-file-extension.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
102
- | <span class="sb-inline-rule-number">R033</span> [`prefer-inputs-context`](../prefer-inputs-context.md) | 🔧 | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
103
- | <span class="sb-inline-rule-number">R016</span> [`prefer-step-uses-style`](../prefer-step-uses-style.md) | | [🟣](./all.md) |
104
- | <span class="sb-inline-rule-number">R066</span> [`prefer-template-yml-extension`](../prefer-template-yml-extension.md) | | [🧱](./workflow-templates.md) [🟣](./all.md) |
105
- | <span class="sb-inline-rule-number">R005</span> [`require-action-name`](../require-action-name.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
106
- | <span class="sb-inline-rule-number">R006</span> [`require-action-run-name`](../require-action-run-name.md) | | [🟣](./all.md) [🔴](./strict.md) |
107
- | <span class="sb-inline-rule-number">R025</span> [`require-checkout-before-local-action`](../require-checkout-before-local-action.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
108
- | <span class="sb-inline-rule-number">R099</span> [`require-codeql-actions-read`](../require-codeql-actions-read.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
109
- | <span class="sb-inline-rule-number">R113</span> [`require-codeql-branch-filters`](../require-codeql-branch-filters.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
110
- | <span class="sb-inline-rule-number">R114</span> [`require-codeql-category-when-language-matrix`](../require-codeql-category-when-language-matrix.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
111
- | <span class="sb-inline-rule-number">R100</span> [`require-codeql-pull-request-trigger`](../require-codeql-pull-request-trigger.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
112
- | <span class="sb-inline-rule-number">R101</span> [`require-codeql-schedule`](../require-codeql-schedule.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
113
- | <span class="sb-inline-rule-number">R098</span> [`require-codeql-security-events-write`](../require-codeql-security-events-write.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
114
- | <span class="sb-inline-rule-number">R052</span> [`require-composite-step-name`](../require-composite-step-name.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
115
- | <span class="sb-inline-rule-number">R077</span> [`require-dependabot-assignees`](../require-dependabot-assignees.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
116
- | <span class="sb-inline-rule-number">R111</span> [`require-dependabot-automation-permissions`](../require-dependabot-automation-permissions.md) | | [🟣](./all.md) [🛡️](./security.md) |
117
- | <span class="sb-inline-rule-number">R112</span> [`require-dependabot-automation-pull-request-trigger`](../require-dependabot-automation-pull-request-trigger.md) | | [🟣](./all.md) [🛡️](./security.md) |
118
- | <span class="sb-inline-rule-number">R109</span> [`require-dependabot-bot-actor-guard`](../require-dependabot-bot-actor-guard.md) | | [🟣](./all.md) [🛡️](./security.md) |
119
- | <span class="sb-inline-rule-number">R089</span> [`require-dependabot-commit-message-include-scope`](../require-dependabot-commit-message-include-scope.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
120
- | <span class="sb-inline-rule-number">R079</span> [`require-dependabot-commit-message-prefix`](../require-dependabot-commit-message-prefix.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
121
- | <span class="sb-inline-rule-number">R090</span> [`require-dependabot-commit-message-prefix-development`](../require-dependabot-commit-message-prefix-development.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
122
- | <span class="sb-inline-rule-number">R086</span> [`require-dependabot-cooldown`](../require-dependabot-cooldown.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
123
- | <span class="sb-inline-rule-number">R073</span> [`require-dependabot-directory`](../require-dependabot-directory.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
124
- | <span class="sb-inline-rule-number">R084</span> [`require-dependabot-github-actions-directory-root`](../require-dependabot-github-actions-directory-root.md) | 🔧 | [🟣](./all.md) [🤖](./dependabot.md) |
125
- | <span class="sb-inline-rule-number">R080</span> [`require-dependabot-labels`](../require-dependabot-labels.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
126
- | <span class="sb-inline-rule-number">R087</span> [`require-dependabot-open-pull-requests-limit`](../require-dependabot-open-pull-requests-limit.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
127
- | <span class="sb-inline-rule-number">R072</span> [`require-dependabot-package-ecosystem`](../require-dependabot-package-ecosystem.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
128
- | <span class="sb-inline-rule-number">R082</span> [`require-dependabot-patterns-for-multi-ecosystem-group`](../require-dependabot-patterns-for-multi-ecosystem-group.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
129
- | <span class="sb-inline-rule-number">R083</span> [`require-dependabot-schedule-cronjob`](../require-dependabot-schedule-cronjob.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
130
- | <span class="sb-inline-rule-number">R074</span> [`require-dependabot-schedule-interval`](../require-dependabot-schedule-interval.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
131
- | <span class="sb-inline-rule-number">R075</span> [`require-dependabot-schedule-time`](../require-dependabot-schedule-time.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
132
- | <span class="sb-inline-rule-number">R076</span> [`require-dependabot-schedule-timezone`](../require-dependabot-schedule-timezone.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
133
- | <span class="sb-inline-rule-number">R078</span> [`require-dependabot-target-branch`](../require-dependabot-target-branch.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
134
- | <span class="sb-inline-rule-number">R071</span> [`require-dependabot-updates`](../require-dependabot-updates.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
135
- | <span class="sb-inline-rule-number">R070</span> [`require-dependabot-version`](../require-dependabot-version.md) | 🔧 | [🟣](./all.md) [🤖](./dependabot.md) |
136
- | <span class="sb-inline-rule-number">R088</span> [`require-dependabot-versioning-strategy-for-npm`](../require-dependabot-versioning-strategy-for-npm.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
137
- | <span class="sb-inline-rule-number">R091</span> [`require-dependency-review-action`](../require-dependency-review-action.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
138
- | <span class="sb-inline-rule-number">R093</span> [`require-dependency-review-fail-on-severity`](../require-dependency-review-fail-on-severity.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
139
- | <span class="sb-inline-rule-number">R092</span> [`require-dependency-review-permissions-contents-read`](../require-dependency-review-permissions-contents-read.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
140
- | <span class="sb-inline-rule-number">R094</span> [`require-dependency-review-pull-request-trigger`](../require-dependency-review-pull-request-trigger.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
141
- | <span class="sb-inline-rule-number">R110</span> [`require-fetch-metadata-github-token`](../require-fetch-metadata-github-token.md) | | [🟣](./all.md) [🛡️](./security.md) |
142
- | <span class="sb-inline-rule-number">R007</span> [`require-job-name`](../require-job-name.md) | 💡 | [🟣](./all.md) [🔴](./strict.md) |
143
- | <span class="sb-inline-rule-number">R008</span> [`require-job-step-name`](../require-job-step-name.md) | 💡 | [🟣](./all.md) [🔴](./strict.md) |
144
- | <span class="sb-inline-rule-number">R002</span> [`require-job-timeout-minutes`](../require-job-timeout-minutes.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
145
- | <span class="sb-inline-rule-number">R035</span> [`require-merge-group-trigger`](../require-merge-group-trigger.md) | | [🟣](./all.md) [🔴](./strict.md) |
146
- | <span class="sb-inline-rule-number">R032</span> [`require-pull-request-target-branches`](../require-pull-request-target-branches.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
147
- | <span class="sb-inline-rule-number">R021</span> [`require-run-step-shell`](../require-run-step-shell.md) | | [🟣](./all.md) [🔴](./strict.md) |
148
- | <span class="sb-inline-rule-number">R102</span> [`require-sarif-upload-security-events-write`](../require-sarif-upload-security-events-write.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
149
- | <span class="sb-inline-rule-number">R103</span> [`require-scorecard-results-format-sarif`](../require-scorecard-results-format-sarif.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
150
- | <span class="sb-inline-rule-number">R104</span> [`require-scorecard-upload-sarif-step`](../require-scorecard-upload-sarif-step.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
151
- | <span class="sb-inline-rule-number">R107</span> [`require-secret-scan-contents-read`](../require-secret-scan-contents-read.md) | | [🟣](./all.md) [🛡️](./security.md) |
152
- | <span class="sb-inline-rule-number">R105</span> [`require-secret-scan-fetch-depth-zero`](../require-secret-scan-fetch-depth-zero.md) | | [🟣](./all.md) [🛡️](./security.md) |
153
- | <span class="sb-inline-rule-number">R106</span> [`require-secret-scan-schedule`](../require-secret-scan-schedule.md) | | [🟣](./all.md) [🛡️](./security.md) |
154
- | <span class="sb-inline-rule-number">R057</span> [`require-template-categories`](../require-template-categories.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
155
- | <span class="sb-inline-rule-number">R058</span> [`require-template-file-patterns`](../require-template-file-patterns.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
156
- | <span class="sb-inline-rule-number">R065</span> [`require-template-icon-file-exists`](../require-template-icon-file-exists.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
157
- | <span class="sb-inline-rule-number">R056</span> [`require-template-icon-name`](../require-template-icon-name.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
158
- | <span class="sb-inline-rule-number">R067</span> [`require-template-workflow-name`](../require-template-workflow-name.md) | | [🧱](./workflow-templates.md) [🟣](./all.md) |
159
- | <span class="sb-inline-rule-number">R031</span> [`require-trigger-types`](../require-trigger-types.md) | | [🟣](./all.md) [🔴](./strict.md) |
160
- | <span class="sb-inline-rule-number">R108</span> [`require-trufflehog-verified-results-mode`](../require-trufflehog-verified-results-mode.md) | | [🟣](./all.md) [🛡️](./security.md) |
161
- | <span class="sb-inline-rule-number">R034</span> [`require-workflow-call-input-type`](../require-workflow-call-input-type.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
162
- | <span class="sb-inline-rule-number">R039</span> [`require-workflow-call-output-value`](../require-workflow-call-output-value.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
163
- | <span class="sb-inline-rule-number">R004</span> [`require-workflow-concurrency`](../require-workflow-concurrency.md) | | [🟣](./all.md) [🔴](./strict.md) |
164
- | <span class="sb-inline-rule-number">R022</span> [`require-workflow-dispatch-input-type`](../require-workflow-dispatch-input-type.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
165
- | <span class="sb-inline-rule-number">R024</span> [`require-workflow-interface-description`](../require-workflow-interface-description.md) | | [🟣](./all.md) [🔴](./strict.md) |
166
- | <span class="sb-inline-rule-number">R001</span> [`require-workflow-permissions`](../require-workflow-permissions.md) | | [🟣](./all.md) [🟡](./recommended.md) [🛡️](./security.md) [🔴](./strict.md) |
167
- | <span class="sb-inline-rule-number">R028</span> [`require-workflow-run-branches`](../require-workflow-run-branches.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
168
- | <span class="sb-inline-rule-number">R054</span> [`require-workflow-template-pair`](../require-workflow-template-pair.md) | | [🧱](./workflow-templates.md) [🟣](./all.md) |
169
- | <span class="sb-inline-rule-number">R055</span> [`require-workflow-template-properties-pair`](../require-workflow-template-properties-pair.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
170
- | <span class="sb-inline-rule-number">R017</span> [`valid-timeout-minutes`](../valid-timeout-minutes.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
171
- | <span class="sb-inline-rule-number">R018</span> [`valid-trigger-events`](../valid-trigger-events.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
52
+ | Rule | Fix | Preset key |
53
+ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :-: | ------------------------------------------------------------------------------------- |
54
+ | <span class="sb-inline-rule-number">R009</span> [`action-name-casing`](../action-name-casing.md) | 🔧 | [🟣](./all.md) [🔴](./strict.md) |
55
+ | <span class="sb-inline-rule-number">R010</span> [`job-id-casing`](../job-id-casing.md) | | [🟣](./all.md) [🔴](./strict.md) |
56
+ | <span class="sb-inline-rule-number">R011</span> [`max-jobs-per-action`](../max-jobs-per-action.md) | | [🟣](./all.md) [🔴](./strict.md) |
57
+ | <span class="sb-inline-rule-number">R048</span> [`no-case-insensitive-input-id-collision`](../no-case-insensitive-input-id-collision.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
58
+ | <span class="sb-inline-rule-number">R097</span> [`no-codeql-autobuild-for-javascript-typescript`](../no-codeql-autobuild-for-javascript-typescript.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
59
+ | <span class="sb-inline-rule-number">R096</span> [`no-codeql-javascript-typescript-split-language-matrix`](../no-codeql-javascript-typescript-split-language-matrix.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
60
+ | <span class="sb-inline-rule-number">R049</span> [`no-composite-input-env-access`](../no-composite-input-env-access.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
61
+ | <span class="sb-inline-rule-number">R044</span> [`no-deprecated-node-runtime`](../no-deprecated-node-runtime.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
62
+ | <span class="sb-inline-rule-number">R051</span> [`no-duplicate-composite-step-id`](../no-duplicate-composite-step-id.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
63
+ | <span class="sb-inline-rule-number">R060</span> [`no-empty-template-file-pattern`](../no-empty-template-file-pattern.md) | 🔧 | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
64
+ | <span class="sb-inline-rule-number">R012</span> [`no-external-job`](../no-external-job.md) | | [🟣](./all.md) [🔴](./strict.md) |
65
+ | <span class="sb-inline-rule-number">R068</span> [`no-hardcoded-default-branch-in-template`](../no-hardcoded-default-branch-in-template.md) | | [🧱](./workflow-templates.md) [🟣](./all.md) |
66
+ | <span class="sb-inline-rule-number">R063</span> [`no-icon-file-extension-in-template-icon-name`](../no-icon-file-extension-in-template-icon-name.md) | 🔧 | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
67
+ | <span class="sb-inline-rule-number">R026</span> [`no-inherit-secrets`](../no-inherit-secrets.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
68
+ | <span class="sb-inline-rule-number">R042</span> [`no-invalid-concurrency-context`](../no-invalid-concurrency-context.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
69
+ | <span class="sb-inline-rule-number">R019</span> [`no-invalid-key`](../no-invalid-key.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
70
+ | <span class="sb-inline-rule-number">R041</span> [`no-invalid-reusable-workflow-job-key`](../no-invalid-reusable-workflow-job-key.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
71
+ | <span class="sb-inline-rule-number">R059</span> [`no-invalid-template-file-pattern-regex`](../no-invalid-template-file-pattern-regex.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
72
+ | <span class="sb-inline-rule-number">R040</span> [`no-invalid-workflow-call-output-value`](../no-invalid-workflow-call-output-value.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
73
+ | <span class="sb-inline-rule-number">R095</span> [`no-overlapping-dependabot-directories`](../no-overlapping-dependabot-directories.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
74
+ | <span class="sb-inline-rule-number">R064</span> [`no-path-separators-in-template-icon-name`](../no-path-separators-in-template-icon-name.md) | 💡 | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
75
+ | <span class="sb-inline-rule-number">R046</span> [`no-post-if-without-post`](../no-post-if-without-post.md) | 🔧 | [🧩](./action-metadata.md) [🟣](./all.md) |
76
+ | <span class="sb-inline-rule-number">R030</span> [`no-pr-head-checkout-in-pull-request-target`](../no-pr-head-checkout-in-pull-request-target.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
77
+ | <span class="sb-inline-rule-number">R045</span> [`no-pre-if-without-pre`](../no-pre-if-without-pre.md) | 🔧 | [🧩](./action-metadata.md) [🟣](./all.md) |
78
+ | <span class="sb-inline-rule-number">R047</span> [`no-required-input-with-default`](../no-required-input-with-default.md) | 💡 | [🧩](./action-metadata.md) [🟣](./all.md) |
79
+ | <span class="sb-inline-rule-number">R027</span> [`no-secrets-in-if`](../no-secrets-in-if.md) | | [🟣](./all.md) [🟡](./recommended.md) [🛡️](./security.md) [🔴](./strict.md) |
80
+ | <span class="sb-inline-rule-number">R036</span> [`no-self-hosted-runner-on-fork-pr-events`](../no-self-hosted-runner-on-fork-pr-events.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
81
+ | <span class="sb-inline-rule-number">R062</span> [`no-subdirectory-template-file-pattern`](../no-subdirectory-template-file-pattern.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
82
+ | <span class="sb-inline-rule-number">R069</span> [`no-template-placeholder-in-non-template-workflow`](../no-template-placeholder-in-non-template-workflow.md) | | [🟡](./recommended.md) [🔴](./strict.md) [🟣](./all.md) |
83
+ | <span class="sb-inline-rule-number">R013</span> [`no-top-level-env`](../no-top-level-env.md) | | [🟣](./all.md) [🔴](./strict.md) |
84
+ | <span class="sb-inline-rule-number">R014</span> [`no-top-level-permissions`](../no-top-level-permissions.md) | | |
85
+ | <span class="sb-inline-rule-number">R061</span> [`no-universal-template-file-pattern`](../no-universal-template-file-pattern.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
86
+ | <span class="sb-inline-rule-number">R081</span> [`no-unknown-dependabot-multi-ecosystem-group`](../no-unknown-dependabot-multi-ecosystem-group.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
87
+ | <span class="sb-inline-rule-number">R050</span> [`no-unknown-input-reference-in-composite`](../no-unknown-input-reference-in-composite.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
88
+ | <span class="sb-inline-rule-number">R037</span> [`no-unknown-job-output-reference`](../no-unknown-job-output-reference.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
89
+ | <span class="sb-inline-rule-number">R038</span> [`no-unknown-step-reference`](../no-unknown-step-reference.md) | | [🟣](./all.md) [🔴](./strict.md) |
90
+ | <span class="sb-inline-rule-number">R029</span> [`no-untrusted-input-in-run`](../no-untrusted-input-in-run.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
91
+ | <span class="sb-inline-rule-number">R085</span> [`no-unused-dependabot-enable-beta-ecosystems`](../no-unused-dependabot-enable-beta-ecosystems.md) | 🔧 | [🟣](./all.md) [🤖](./dependabot.md) |
92
+ | <span class="sb-inline-rule-number">R053</span> [`no-unused-input-in-composite`](../no-unused-input-in-composite.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
93
+ | <span class="sb-inline-rule-number">R023</span> [`no-write-all-permissions`](../no-write-all-permissions.md) | | [🟣](./all.md) [🟡](./recommended.md) [🛡️](./security.md) [🔴](./strict.md) |
94
+ | <span class="sb-inline-rule-number">R003</span> [`pin-action-shas`](../pin-action-shas.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
95
+ | <span class="sb-inline-rule-number">R043</span> [`prefer-action-yml`](../prefer-action-yml.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
96
+ | <span class="sb-inline-rule-number">R015</span> [`prefer-fail-fast`](../prefer-fail-fast.md) | | [🟣](./all.md) [🔴](./strict.md) |
97
+ | <span class="sb-inline-rule-number">R020</span> [`prefer-file-extension`](../prefer-file-extension.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
98
+ | <span class="sb-inline-rule-number">R033</span> [`prefer-inputs-context`](../prefer-inputs-context.md) | 🔧 | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
99
+ | <span class="sb-inline-rule-number">R016</span> [`prefer-step-uses-style`](../prefer-step-uses-style.md) | | [🟣](./all.md) |
100
+ | <span class="sb-inline-rule-number">R066</span> [`prefer-template-yml-extension`](../prefer-template-yml-extension.md) | | [🧱](./workflow-templates.md) [🟣](./all.md) |
101
+ | <span class="sb-inline-rule-number">R005</span> [`require-action-name`](../require-action-name.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
102
+ | <span class="sb-inline-rule-number">R006</span> [`require-action-run-name`](../require-action-run-name.md) | | [🟣](./all.md) [🔴](./strict.md) |
103
+ | <span class="sb-inline-rule-number">R025</span> [`require-checkout-before-local-action`](../require-checkout-before-local-action.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
104
+ | <span class="sb-inline-rule-number">R099</span> [`require-codeql-actions-read`](../require-codeql-actions-read.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
105
+ | <span class="sb-inline-rule-number">R113</span> [`require-codeql-branch-filters`](../require-codeql-branch-filters.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
106
+ | <span class="sb-inline-rule-number">R114</span> [`require-codeql-category-when-language-matrix`](../require-codeql-category-when-language-matrix.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
107
+ | <span class="sb-inline-rule-number">R100</span> [`require-codeql-pull-request-trigger`](../require-codeql-pull-request-trigger.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
108
+ | <span class="sb-inline-rule-number">R101</span> [`require-codeql-schedule`](../require-codeql-schedule.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
109
+ | <span class="sb-inline-rule-number">R098</span> [`require-codeql-security-events-write`](../require-codeql-security-events-write.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
110
+ | <span class="sb-inline-rule-number">R052</span> [`require-composite-step-name`](../require-composite-step-name.md) | | [🧩](./action-metadata.md) [🟣](./all.md) |
111
+ | <span class="sb-inline-rule-number">R077</span> [`require-dependabot-assignees`](../require-dependabot-assignees.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
112
+ | <span class="sb-inline-rule-number">R111</span> [`require-dependabot-automation-permissions`](../require-dependabot-automation-permissions.md) | | [🟣](./all.md) [🛡️](./security.md) |
113
+ | <span class="sb-inline-rule-number">R112</span> [`require-dependabot-automation-pull-request-trigger`](../require-dependabot-automation-pull-request-trigger.md) | | [🟣](./all.md) [🛡️](./security.md) |
114
+ | <span class="sb-inline-rule-number">R109</span> [`require-dependabot-bot-actor-guard`](../require-dependabot-bot-actor-guard.md) | | [🟣](./all.md) [🛡️](./security.md) |
115
+ | <span class="sb-inline-rule-number">R089</span> [`require-dependabot-commit-message-include-scope`](../require-dependabot-commit-message-include-scope.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
116
+ | <span class="sb-inline-rule-number">R079</span> [`require-dependabot-commit-message-prefix`](../require-dependabot-commit-message-prefix.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
117
+ | <span class="sb-inline-rule-number">R090</span> [`require-dependabot-commit-message-prefix-development`](../require-dependabot-commit-message-prefix-development.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
118
+ | <span class="sb-inline-rule-number">R086</span> [`require-dependabot-cooldown`](../require-dependabot-cooldown.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
119
+ | <span class="sb-inline-rule-number">R073</span> [`require-dependabot-directory`](../require-dependabot-directory.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
120
+ | <span class="sb-inline-rule-number">R084</span> [`require-dependabot-github-actions-directory-root`](../require-dependabot-github-actions-directory-root.md) | 🔧 | [🟣](./all.md) [🤖](./dependabot.md) |
121
+ | <span class="sb-inline-rule-number">R080</span> [`require-dependabot-labels`](../require-dependabot-labels.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
122
+ | <span class="sb-inline-rule-number">R087</span> [`require-dependabot-open-pull-requests-limit`](../require-dependabot-open-pull-requests-limit.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
123
+ | <span class="sb-inline-rule-number">R072</span> [`require-dependabot-package-ecosystem`](../require-dependabot-package-ecosystem.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
124
+ | <span class="sb-inline-rule-number">R082</span> [`require-dependabot-patterns-for-multi-ecosystem-group`](../require-dependabot-patterns-for-multi-ecosystem-group.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
125
+ | <span class="sb-inline-rule-number">R083</span> [`require-dependabot-schedule-cronjob`](../require-dependabot-schedule-cronjob.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
126
+ | <span class="sb-inline-rule-number">R074</span> [`require-dependabot-schedule-interval`](../require-dependabot-schedule-interval.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
127
+ | <span class="sb-inline-rule-number">R075</span> [`require-dependabot-schedule-time`](../require-dependabot-schedule-time.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
128
+ | <span class="sb-inline-rule-number">R076</span> [`require-dependabot-schedule-timezone`](../require-dependabot-schedule-timezone.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
129
+ | <span class="sb-inline-rule-number">R078</span> [`require-dependabot-target-branch`](../require-dependabot-target-branch.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
130
+ | <span class="sb-inline-rule-number">R071</span> [`require-dependabot-updates`](../require-dependabot-updates.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
131
+ | <span class="sb-inline-rule-number">R070</span> [`require-dependabot-version`](../require-dependabot-version.md) | 🔧 | [🟣](./all.md) [🤖](./dependabot.md) |
132
+ | <span class="sb-inline-rule-number">R088</span> [`require-dependabot-versioning-strategy-for-npm`](../require-dependabot-versioning-strategy-for-npm.md) | | [🟣](./all.md) [🤖](./dependabot.md) |
133
+ | <span class="sb-inline-rule-number">R091</span> [`require-dependency-review-action`](../require-dependency-review-action.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
134
+ | <span class="sb-inline-rule-number">R093</span> [`require-dependency-review-fail-on-severity`](../require-dependency-review-fail-on-severity.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
135
+ | <span class="sb-inline-rule-number">R092</span> [`require-dependency-review-permissions-contents-read`](../require-dependency-review-permissions-contents-read.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
136
+ | <span class="sb-inline-rule-number">R094</span> [`require-dependency-review-pull-request-trigger`](../require-dependency-review-pull-request-trigger.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
137
+ | <span class="sb-inline-rule-number">R110</span> [`require-fetch-metadata-github-token`](../require-fetch-metadata-github-token.md) | | [🟣](./all.md) [🛡️](./security.md) |
138
+ | <span class="sb-inline-rule-number">R007</span> [`require-job-name`](../require-job-name.md) | 💡 | [🟣](./all.md) [🔴](./strict.md) |
139
+ | <span class="sb-inline-rule-number">R008</span> [`require-job-step-name`](../require-job-step-name.md) | 💡 | [🟣](./all.md) [🔴](./strict.md) |
140
+ | <span class="sb-inline-rule-number">R002</span> [`require-job-timeout-minutes`](../require-job-timeout-minutes.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
141
+ | <span class="sb-inline-rule-number">R035</span> [`require-merge-group-trigger`](../require-merge-group-trigger.md) | | [🟣](./all.md) [🔴](./strict.md) |
142
+ | <span class="sb-inline-rule-number">R032</span> [`require-pull-request-target-branches`](../require-pull-request-target-branches.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
143
+ | <span class="sb-inline-rule-number">R021</span> [`require-run-step-shell`](../require-run-step-shell.md) | | [🟣](./all.md) [🔴](./strict.md) |
144
+ | <span class="sb-inline-rule-number">R102</span> [`require-sarif-upload-security-events-write`](../require-sarif-upload-security-events-write.md) | | [🟣](./all.md) [🔎](./code-scanning.md) [🛡️](./security.md) |
145
+ | <span class="sb-inline-rule-number">R103</span> [`require-scorecard-results-format-sarif`](../require-scorecard-results-format-sarif.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
146
+ | <span class="sb-inline-rule-number">R104</span> [`require-scorecard-upload-sarif-step`](../require-scorecard-upload-sarif-step.md) | | [🟣](./all.md) [🔎](./code-scanning.md) |
147
+ | <span class="sb-inline-rule-number">R107</span> [`require-secret-scan-contents-read`](../require-secret-scan-contents-read.md) | | [🟣](./all.md) [🛡️](./security.md) |
148
+ | <span class="sb-inline-rule-number">R105</span> [`require-secret-scan-fetch-depth-zero`](../require-secret-scan-fetch-depth-zero.md) | | [🟣](./all.md) [🛡️](./security.md) |
149
+ | <span class="sb-inline-rule-number">R106</span> [`require-secret-scan-schedule`](../require-secret-scan-schedule.md) | | [🟣](./all.md) [🛡️](./security.md) |
150
+ | <span class="sb-inline-rule-number">R057</span> [`require-template-categories`](../require-template-categories.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
151
+ | <span class="sb-inline-rule-number">R058</span> [`require-template-file-patterns`](../require-template-file-patterns.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
152
+ | <span class="sb-inline-rule-number">R065</span> [`require-template-icon-file-exists`](../require-template-icon-file-exists.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
153
+ | <span class="sb-inline-rule-number">R056</span> [`require-template-icon-name`](../require-template-icon-name.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
154
+ | <span class="sb-inline-rule-number">R067</span> [`require-template-workflow-name`](../require-template-workflow-name.md) | | [🧱](./workflow-templates.md) [🟣](./all.md) |
155
+ | <span class="sb-inline-rule-number">R031</span> [`require-trigger-types`](../require-trigger-types.md) | | [🟣](./all.md) [🔴](./strict.md) |
156
+ | <span class="sb-inline-rule-number">R108</span> [`require-trufflehog-verified-results-mode`](../require-trufflehog-verified-results-mode.md) | | [🟣](./all.md) [🛡️](./security.md) |
157
+ | <span class="sb-inline-rule-number">R034</span> [`require-workflow-call-input-type`](../require-workflow-call-input-type.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
158
+ | <span class="sb-inline-rule-number">R039</span> [`require-workflow-call-output-value`](../require-workflow-call-output-value.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
159
+ | <span class="sb-inline-rule-number">R004</span> [`require-workflow-concurrency`](../require-workflow-concurrency.md) | | [🟣](./all.md) [🔴](./strict.md) |
160
+ | <span class="sb-inline-rule-number">R022</span> [`require-workflow-dispatch-input-type`](../require-workflow-dispatch-input-type.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
161
+ | <span class="sb-inline-rule-number">R024</span> [`require-workflow-interface-description`](../require-workflow-interface-description.md) | | [🟣](./all.md) [🔴](./strict.md) |
162
+ | <span class="sb-inline-rule-number">R001</span> [`require-workflow-permissions`](../require-workflow-permissions.md) | | [🟣](./all.md) [🟡](./recommended.md) [🛡️](./security.md) [🔴](./strict.md) |
163
+ | <span class="sb-inline-rule-number">R028</span> [`require-workflow-run-branches`](../require-workflow-run-branches.md) | | [🟣](./all.md) [🛡️](./security.md) [🔴](./strict.md) |
164
+ | <span class="sb-inline-rule-number">R054</span> [`require-workflow-template-pair`](../require-workflow-template-pair.md) | | [🧱](./workflow-templates.md) [🟣](./all.md) |
165
+ | <span class="sb-inline-rule-number">R055</span> [`require-workflow-template-properties-pair`](../require-workflow-template-properties-pair.md) | | [🗂️](./workflow-template-properties.md) [🧱](./workflow-templates.md) [🟣](./all.md) |
166
+ | <span class="sb-inline-rule-number">R017</span> [`valid-timeout-minutes`](../valid-timeout-minutes.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
167
+ | <span class="sb-inline-rule-number">R018</span> [`valid-trigger-events`](../valid-trigger-events.md) | | [🟣](./all.md) [🟡](./recommended.md) [🔴](./strict.md) |
@@ -1,11 +1,11 @@
1
- ---
2
- sidebar_position: 6
3
- ---
4
-
5
- # `githubActions.configs.recommended`
6
-
7
- Balanced defaults for most repositories.
8
-
1
+ ---
2
+ sidebar_position: 6
3
+ ---
4
+
5
+ # `githubActions.configs.recommended`
6
+
7
+ Balanced defaults for most repositories.
8
+
9
9
  ## Included rules
10
10
 
11
11
  Fix legend:
@@ -1,11 +1,11 @@
1
- ---
2
- sidebar_position: 7
3
- ---
4
-
5
- # `githubActions.configs.security`
6
-
7
- Security-focused workflow hardening checks.
8
-
1
+ ---
2
+ sidebar_position: 7
3
+ ---
4
+
5
+ # `githubActions.configs.security`
6
+
7
+ Security-focused workflow hardening checks.
8
+
9
9
  ## Included rules
10
10
 
11
11
  Fix legend:
@@ -1,11 +1,11 @@
1
- ---
2
- sidebar_position: 8
3
- ---
4
-
5
- # `githubActions.configs.strict`
6
-
7
- Opinionated operational guardrails for mature workflow estates.
8
-
1
+ ---
2
+ sidebar_position: 8
3
+ ---
4
+
5
+ # `githubActions.configs.strict`
6
+
7
+ Opinionated operational guardrails for mature workflow estates.
8
+
9
9
  ## Included rules
10
10
 
11
11
  Fix legend:
@@ -1,11 +1,11 @@
1
- ---
2
- sidebar_position: 4
3
- ---
4
-
5
- # `githubActions.configs.workflowTemplateProperties`
6
-
7
- Linting defaults for workflow-template metadata files (`*.properties.json`).
8
-
1
+ ---
2
+ sidebar_position: 4
3
+ ---
4
+
5
+ # `githubActions.configs.workflowTemplateProperties`
6
+
7
+ Linting defaults for workflow-template metadata files (`*.properties.json`).
8
+
9
9
  ## Included rules
10
10
 
11
11
  Fix legend:
@@ -1,11 +1,11 @@
1
- ---
2
- sidebar_position: 5
3
- ---
4
-
5
- # `githubActions.configs.workflowTemplates`
6
-
7
- Workflow template package linting for both template YAML and metadata files.
8
-
1
+ ---
2
+ sidebar_position: 5
3
+ ---
4
+
5
+ # `githubActions.configs.workflowTemplates`
6
+
7
+ Workflow template package linting for both template YAML and metadata files.
8
+
9
9
  ## Included rules
10
10
 
11
11
  Fix legend:
@@ -4,16 +4,20 @@
4
4
 
5
5
  ## Targeted pattern scope
6
6
 
7
- Dependabot update entries in `.github/dependabot.yml`.
7
+ Standalone Dependabot update entries in `.github/dependabot.yml` that do not use `multi-ecosystem-group`.
8
8
 
9
9
  ## What this rule reports
10
10
 
11
- This rule reports update entries that do not define `open-pull-requests-limit`.
11
+ This rule reports standalone update entries that do not define `open-pull-requests-limit`.
12
+
13
+ It also reports grouped configurations that set `open-pull-requests-limit` on either the update entry or the referenced multi-ecosystem group.
12
14
 
13
15
  ## Why this rule exists
14
16
 
15
17
  Dependabot defaults can be reasonable, but they are still implicit. Requiring an explicit open pull request limit makes update volume a deliberate repository policy.
16
18
 
19
+ Updates that use `multi-ecosystem-group` are intentionally excluded. GitHub creates a single pull request per multi-ecosystem group, so `open-pull-requests-limit` does not apply there and should not be set.
20
+
17
21
  ## ❌ Incorrect
18
22
 
19
23
  ```yaml
@@ -25,6 +29,19 @@ updates:
25
29
  interval: "weekly"
26
30
  ```
27
31
 
32
+ ```yaml
33
+ version: 2
34
+ multi-ecosystem-groups:
35
+ app:
36
+ open-pull-requests-limit: 5
37
+ updates:
38
+ - package-ecosystem: "npm"
39
+ directory: "/"
40
+ multi-ecosystem-group: "app"
41
+ schedule:
42
+ interval: "weekly"
43
+ ```
44
+
28
45
  ## ✅ Correct
29
46
 
30
47
  ```yaml
@@ -39,7 +56,7 @@ updates:
39
56
 
40
57
  ## Additional examples
41
58
 
42
- This rule works well with grouped updates because the repository can cap Dependabot volume even when multiple manifests are monitored.
59
+ This rule is intentionally limited to standalone update entries. Grouped updates already consolidate into one pull request per multi-ecosystem group.
43
60
 
44
61
  ## ESLint flat config example
45
62
 
@@ -51,7 +68,7 @@ export default [githubActions.configs.dependabot];
51
68
 
52
69
  ## When not to use it
53
70
 
54
- Disable this rule if the repository intentionally relies on Dependabot's built-in default PR limit.
71
+ Disable this rule if the repository intentionally relies on Dependabot's built-in default PR limit for standalone updates.
55
72
 
56
73
  ## Further reading
57
74
 
@@ -8,7 +8,7 @@ Workflows that use `actions/dependency-review-action`.
8
8
 
9
9
  ## What this rule reports
10
10
 
11
- This rule reports workflows using the dependency review action that do not set top-level `permissions.contents: read`.
11
+ This rule reports jobs using the dependency review action that do not have effective `contents: read` via either workflow-level or job-level `permissions`.
12
12
 
13
13
  ## Why this rule exists
14
14
 
@@ -18,11 +18,11 @@ Dependency review only needs repository contents read access. Requiring that exp
18
18
 
19
19
  ```yaml
20
20
  on: [pull_request]
21
- permissions:
22
- contents: write
23
21
  jobs:
24
22
  dependency-review:
25
23
  runs-on: ubuntu-latest
24
+ permissions:
25
+ contents: write
26
26
  steps:
27
27
  - uses: actions/dependency-review-action@v4
28
28
  ```
@@ -40,9 +40,20 @@ jobs:
40
40
  - uses: actions/dependency-review-action@v4
41
41
  ```
42
42
 
43
+ ```yaml
44
+ on: [pull_request]
45
+ jobs:
46
+ dependency-review:
47
+ runs-on: ubuntu-latest
48
+ permissions:
49
+ contents: read
50
+ steps:
51
+ - uses: actions/dependency-review-action@v4
52
+ ```
53
+
43
54
  ## Additional examples
44
55
 
45
- This rule complements `require-workflow-permissions` by enforcing the narrower security expectation specific to dependency review workflows.
56
+ This rule complements `require-workflow-permissions` by enforcing the narrower security expectation specific to dependency review jobs without forcing that permission to live only at the workflow root.
46
57
 
47
58
  ## ESLint flat config example
48
59
 
@@ -8,7 +8,7 @@ Jobs that use supported secret-scanning actions.
8
8
 
9
9
  ## What this rule reports
10
10
 
11
- This rule reports secret-scanning jobs that do not grant `contents: read`.
11
+ This rule reports secret-scanning jobs that do not have effective `contents: read` via either workflow-level or job-level `permissions`.
12
12
 
13
13
  ## Why this rule exists
14
14
 
@@ -17,7 +17,8 @@ Secret-scanning workflows generally only need read access to repository contents
17
17
  ## ❌ Incorrect
18
18
 
19
19
  ```yaml
20
- permissions: {}
20
+ permissions:
21
+ contents: write
21
22
  ```
22
23
 
23
24
  ## ✅ Correct
@@ -27,6 +28,13 @@ permissions:
27
28
  contents: read
28
29
  ```
29
30
 
31
+ ```yaml
32
+ jobs:
33
+ scan:
34
+ permissions:
35
+ contents: read
36
+ ```
37
+
30
38
  ## Additional examples
31
39
 
32
40
  This rule is intentionally narrow and does not try to prescribe every other permission a secret-scanning workflow may or may not need.