eslint-plugin-github-actions-2 1.0.4 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (217) hide show
  1. package/README.md +127 -127
  2. package/dist/_internal/github-actions-config-references.js +1 -1
  3. package/dist/_internal/github-actions-config-references.js.map +1 -1
  4. package/dist/_internal/rule-docs.d.ts +1 -1
  5. package/dist/_internal/rule-docs.d.ts.map +1 -1
  6. package/dist/_internal/workflow-permissions.d.ts +2 -0
  7. package/dist/_internal/workflow-permissions.d.ts.map +1 -1
  8. package/dist/_internal/workflow-permissions.js +54 -7
  9. package/dist/_internal/workflow-permissions.js.map +1 -1
  10. package/dist/plugin.cjs +276 -24
  11. package/dist/plugin.cjs.map +2 -2
  12. package/dist/plugin.d.ts.map +1 -1
  13. package/dist/plugin.js +1 -1
  14. package/dist/plugin.js.map +1 -1
  15. package/dist/rules/action-name-casing.d.ts.map +1 -1
  16. package/dist/rules/action-name-casing.js +4 -0
  17. package/dist/rules/action-name-casing.js.map +1 -1
  18. package/dist/rules/job-id-casing.d.ts.map +1 -1
  19. package/dist/rules/job-id-casing.js +4 -0
  20. package/dist/rules/job-id-casing.js.map +1 -1
  21. package/dist/rules/max-jobs-per-action.d.ts.map +1 -1
  22. package/dist/rules/max-jobs-per-action.js +4 -0
  23. package/dist/rules/max-jobs-per-action.js.map +1 -1
  24. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.d.ts.map +1 -1
  25. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.js +4 -0
  26. package/dist/rules/no-codeql-autobuild-for-javascript-typescript.js.map +1 -1
  27. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.d.ts.map +1 -1
  28. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.js +4 -0
  29. package/dist/rules/no-codeql-javascript-typescript-split-language-matrix.js.map +1 -1
  30. package/dist/rules/no-external-job.d.ts.map +1 -1
  31. package/dist/rules/no-external-job.js +4 -0
  32. package/dist/rules/no-external-job.js.map +1 -1
  33. package/dist/rules/no-inherit-secrets.d.ts.map +1 -1
  34. package/dist/rules/no-inherit-secrets.js +4 -0
  35. package/dist/rules/no-inherit-secrets.js.map +1 -1
  36. package/dist/rules/no-invalid-concurrency-context.d.ts.map +1 -1
  37. package/dist/rules/no-invalid-concurrency-context.js +4 -0
  38. package/dist/rules/no-invalid-concurrency-context.js.map +1 -1
  39. package/dist/rules/no-invalid-reusable-workflow-job-key.d.ts.map +1 -1
  40. package/dist/rules/no-invalid-reusable-workflow-job-key.js +4 -0
  41. package/dist/rules/no-invalid-reusable-workflow-job-key.js.map +1 -1
  42. package/dist/rules/no-invalid-workflow-call-output-value.d.ts.map +1 -1
  43. package/dist/rules/no-invalid-workflow-call-output-value.js +4 -0
  44. package/dist/rules/no-invalid-workflow-call-output-value.js.map +1 -1
  45. package/dist/rules/no-pr-head-checkout-in-pull-request-target.d.ts.map +1 -1
  46. package/dist/rules/no-pr-head-checkout-in-pull-request-target.js +4 -0
  47. package/dist/rules/no-pr-head-checkout-in-pull-request-target.js.map +1 -1
  48. package/dist/rules/no-secrets-in-if.d.ts.map +1 -1
  49. package/dist/rules/no-secrets-in-if.js +4 -0
  50. package/dist/rules/no-secrets-in-if.js.map +1 -1
  51. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.d.ts.map +1 -1
  52. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.js +4 -0
  53. package/dist/rules/no-self-hosted-runner-on-fork-pr-events.js.map +1 -1
  54. package/dist/rules/no-top-level-env.d.ts.map +1 -1
  55. package/dist/rules/no-top-level-env.js +4 -0
  56. package/dist/rules/no-top-level-env.js.map +1 -1
  57. package/dist/rules/no-top-level-permissions.d.ts.map +1 -1
  58. package/dist/rules/no-top-level-permissions.js +4 -1
  59. package/dist/rules/no-top-level-permissions.js.map +1 -1
  60. package/dist/rules/no-unknown-job-output-reference.d.ts.map +1 -1
  61. package/dist/rules/no-unknown-job-output-reference.js +4 -0
  62. package/dist/rules/no-unknown-job-output-reference.js.map +1 -1
  63. package/dist/rules/no-unknown-step-reference.d.ts.map +1 -1
  64. package/dist/rules/no-unknown-step-reference.js +4 -0
  65. package/dist/rules/no-unknown-step-reference.js.map +1 -1
  66. package/dist/rules/no-untrusted-input-in-run.d.ts.map +1 -1
  67. package/dist/rules/no-untrusted-input-in-run.js +4 -0
  68. package/dist/rules/no-untrusted-input-in-run.js.map +1 -1
  69. package/dist/rules/no-write-all-permissions.d.ts.map +1 -1
  70. package/dist/rules/no-write-all-permissions.js +4 -0
  71. package/dist/rules/no-write-all-permissions.js.map +1 -1
  72. package/dist/rules/pin-action-shas.d.ts.map +1 -1
  73. package/dist/rules/pin-action-shas.js +4 -0
  74. package/dist/rules/pin-action-shas.js.map +1 -1
  75. package/dist/rules/prefer-fail-fast.d.ts.map +1 -1
  76. package/dist/rules/prefer-fail-fast.js +4 -0
  77. package/dist/rules/prefer-fail-fast.js.map +1 -1
  78. package/dist/rules/prefer-file-extension.d.ts.map +1 -1
  79. package/dist/rules/prefer-file-extension.js +4 -0
  80. package/dist/rules/prefer-file-extension.js.map +1 -1
  81. package/dist/rules/prefer-inputs-context.d.ts.map +1 -1
  82. package/dist/rules/prefer-inputs-context.js +4 -0
  83. package/dist/rules/prefer-inputs-context.js.map +1 -1
  84. package/dist/rules/prefer-step-uses-style.d.ts.map +1 -1
  85. package/dist/rules/prefer-step-uses-style.js +4 -0
  86. package/dist/rules/prefer-step-uses-style.js.map +1 -1
  87. package/dist/rules/require-checkout-before-local-action.d.ts.map +1 -1
  88. package/dist/rules/require-checkout-before-local-action.js +4 -0
  89. package/dist/rules/require-checkout-before-local-action.js.map +1 -1
  90. package/dist/rules/require-codeql-actions-read.d.ts.map +1 -1
  91. package/dist/rules/require-codeql-actions-read.js +4 -0
  92. package/dist/rules/require-codeql-actions-read.js.map +1 -1
  93. package/dist/rules/require-codeql-branch-filters.d.ts.map +1 -1
  94. package/dist/rules/require-codeql-branch-filters.js +4 -0
  95. package/dist/rules/require-codeql-branch-filters.js.map +1 -1
  96. package/dist/rules/require-codeql-category-when-language-matrix.d.ts.map +1 -1
  97. package/dist/rules/require-codeql-category-when-language-matrix.js +4 -0
  98. package/dist/rules/require-codeql-category-when-language-matrix.js.map +1 -1
  99. package/dist/rules/require-codeql-pull-request-trigger.d.ts.map +1 -1
  100. package/dist/rules/require-codeql-pull-request-trigger.js +4 -0
  101. package/dist/rules/require-codeql-pull-request-trigger.js.map +1 -1
  102. package/dist/rules/require-codeql-schedule.d.ts.map +1 -1
  103. package/dist/rules/require-codeql-schedule.js +4 -0
  104. package/dist/rules/require-codeql-schedule.js.map +1 -1
  105. package/dist/rules/require-codeql-security-events-write.d.ts.map +1 -1
  106. package/dist/rules/require-codeql-security-events-write.js +4 -0
  107. package/dist/rules/require-codeql-security-events-write.js.map +1 -1
  108. package/dist/rules/require-dependabot-automation-permissions.d.ts.map +1 -1
  109. package/dist/rules/require-dependabot-automation-permissions.js +4 -0
  110. package/dist/rules/require-dependabot-automation-permissions.js.map +1 -1
  111. package/dist/rules/require-dependabot-automation-pull-request-trigger.d.ts.map +1 -1
  112. package/dist/rules/require-dependabot-automation-pull-request-trigger.js +4 -0
  113. package/dist/rules/require-dependabot-automation-pull-request-trigger.js.map +1 -1
  114. package/dist/rules/require-dependabot-bot-actor-guard.d.ts.map +1 -1
  115. package/dist/rules/require-dependabot-bot-actor-guard.js +4 -0
  116. package/dist/rules/require-dependabot-bot-actor-guard.js.map +1 -1
  117. package/dist/rules/require-dependabot-open-pull-requests-limit.d.ts.map +1 -1
  118. package/dist/rules/require-dependabot-open-pull-requests-limit.js +32 -2
  119. package/dist/rules/require-dependabot-open-pull-requests-limit.js.map +1 -1
  120. package/dist/rules/require-dependency-review-fail-on-severity.d.ts.map +1 -1
  121. package/dist/rules/require-dependency-review-fail-on-severity.js +4 -0
  122. package/dist/rules/require-dependency-review-fail-on-severity.js.map +1 -1
  123. package/dist/rules/require-dependency-review-permissions-contents-read.d.ts.map +1 -1
  124. package/dist/rules/require-dependency-review-permissions-contents-read.js +23 -18
  125. package/dist/rules/require-dependency-review-permissions-contents-read.js.map +1 -1
  126. package/dist/rules/require-dependency-review-pull-request-trigger.d.ts.map +1 -1
  127. package/dist/rules/require-dependency-review-pull-request-trigger.js +4 -0
  128. package/dist/rules/require-dependency-review-pull-request-trigger.js.map +1 -1
  129. package/dist/rules/require-fetch-metadata-github-token.d.ts.map +1 -1
  130. package/dist/rules/require-fetch-metadata-github-token.js +4 -0
  131. package/dist/rules/require-fetch-metadata-github-token.js.map +1 -1
  132. package/dist/rules/require-job-name.d.ts.map +1 -1
  133. package/dist/rules/require-job-name.js +4 -0
  134. package/dist/rules/require-job-name.js.map +1 -1
  135. package/dist/rules/require-job-step-name.d.ts.map +1 -1
  136. package/dist/rules/require-job-step-name.js +4 -0
  137. package/dist/rules/require-job-step-name.js.map +1 -1
  138. package/dist/rules/require-job-timeout-minutes.d.ts.map +1 -1
  139. package/dist/rules/require-job-timeout-minutes.js +4 -0
  140. package/dist/rules/require-job-timeout-minutes.js.map +1 -1
  141. package/dist/rules/require-merge-group-trigger.d.ts.map +1 -1
  142. package/dist/rules/require-merge-group-trigger.js +4 -0
  143. package/dist/rules/require-merge-group-trigger.js.map +1 -1
  144. package/dist/rules/require-pull-request-target-branches.d.ts.map +1 -1
  145. package/dist/rules/require-pull-request-target-branches.js +4 -0
  146. package/dist/rules/require-pull-request-target-branches.js.map +1 -1
  147. package/dist/rules/require-run-step-shell.d.ts.map +1 -1
  148. package/dist/rules/require-run-step-shell.js +4 -0
  149. package/dist/rules/require-run-step-shell.js.map +1 -1
  150. package/dist/rules/require-sarif-upload-security-events-write.d.ts.map +1 -1
  151. package/dist/rules/require-sarif-upload-security-events-write.js +4 -0
  152. package/dist/rules/require-sarif-upload-security-events-write.js.map +1 -1
  153. package/dist/rules/require-scorecard-results-format-sarif.d.ts.map +1 -1
  154. package/dist/rules/require-scorecard-results-format-sarif.js +4 -0
  155. package/dist/rules/require-scorecard-results-format-sarif.js.map +1 -1
  156. package/dist/rules/require-scorecard-upload-sarif-step.d.ts.map +1 -1
  157. package/dist/rules/require-scorecard-upload-sarif-step.js +4 -0
  158. package/dist/rules/require-scorecard-upload-sarif-step.js.map +1 -1
  159. package/dist/rules/require-secret-scan-contents-read.d.ts.map +1 -1
  160. package/dist/rules/require-secret-scan-contents-read.js +7 -3
  161. package/dist/rules/require-secret-scan-contents-read.js.map +1 -1
  162. package/dist/rules/require-secret-scan-fetch-depth-zero.d.ts.map +1 -1
  163. package/dist/rules/require-secret-scan-fetch-depth-zero.js +4 -0
  164. package/dist/rules/require-secret-scan-fetch-depth-zero.js.map +1 -1
  165. package/dist/rules/require-secret-scan-schedule.d.ts.map +1 -1
  166. package/dist/rules/require-secret-scan-schedule.js +4 -0
  167. package/dist/rules/require-secret-scan-schedule.js.map +1 -1
  168. package/dist/rules/require-trigger-types.d.ts.map +1 -1
  169. package/dist/rules/require-trigger-types.js +4 -0
  170. package/dist/rules/require-trigger-types.js.map +1 -1
  171. package/dist/rules/require-trufflehog-verified-results-mode.d.ts.map +1 -1
  172. package/dist/rules/require-trufflehog-verified-results-mode.js +4 -0
  173. package/dist/rules/require-trufflehog-verified-results-mode.js.map +1 -1
  174. package/dist/rules/require-workflow-call-input-type.d.ts.map +1 -1
  175. package/dist/rules/require-workflow-call-input-type.js +4 -0
  176. package/dist/rules/require-workflow-call-input-type.js.map +1 -1
  177. package/dist/rules/require-workflow-call-output-value.d.ts.map +1 -1
  178. package/dist/rules/require-workflow-call-output-value.js +4 -0
  179. package/dist/rules/require-workflow-call-output-value.js.map +1 -1
  180. package/dist/rules/require-workflow-concurrency.d.ts.map +1 -1
  181. package/dist/rules/require-workflow-concurrency.js +4 -0
  182. package/dist/rules/require-workflow-concurrency.js.map +1 -1
  183. package/dist/rules/require-workflow-dispatch-input-type.d.ts.map +1 -1
  184. package/dist/rules/require-workflow-dispatch-input-type.js +4 -0
  185. package/dist/rules/require-workflow-dispatch-input-type.js.map +1 -1
  186. package/dist/rules/require-workflow-interface-description.d.ts.map +1 -1
  187. package/dist/rules/require-workflow-interface-description.js +4 -0
  188. package/dist/rules/require-workflow-interface-description.js.map +1 -1
  189. package/dist/rules/require-workflow-run-branches.d.ts.map +1 -1
  190. package/dist/rules/require-workflow-run-branches.js +4 -0
  191. package/dist/rules/require-workflow-run-branches.js.map +1 -1
  192. package/dist/rules/valid-timeout-minutes.d.ts.map +1 -1
  193. package/dist/rules/valid-timeout-minutes.js +4 -0
  194. package/dist/rules/valid-timeout-minutes.js.map +1 -1
  195. package/dist/rules/valid-trigger-events.d.ts.map +1 -1
  196. package/dist/rules/valid-trigger-events.js +4 -0
  197. package/dist/rules/valid-trigger-events.js.map +1 -1
  198. package/docs/rules/guides/authoring-rules.md +34 -0
  199. package/docs/rules/guides/docs-authoring.md +34 -0
  200. package/docs/rules/guides/index.md +15 -0
  201. package/docs/rules/guides/testing-rules.md +34 -0
  202. package/docs/rules/no-top-level-permissions.md +4 -4
  203. package/docs/rules/presets/action-metadata.md +8 -8
  204. package/docs/rules/presets/all.md +123 -124
  205. package/docs/rules/presets/code-scanning.md +8 -8
  206. package/docs/rules/presets/dependabot.md +8 -8
  207. package/docs/rules/presets/index.md +119 -123
  208. package/docs/rules/presets/recommended.md +8 -8
  209. package/docs/rules/presets/security.md +8 -8
  210. package/docs/rules/presets/strict.md +8 -8
  211. package/docs/rules/presets/workflow-template-properties.md +8 -8
  212. package/docs/rules/presets/workflow-templates.md +8 -8
  213. package/docs/rules/require-dependabot-open-pull-requests-limit.md +21 -4
  214. package/docs/rules/require-dependency-review-permissions-contents-read.md +15 -4
  215. package/docs/rules/require-secret-scan-contents-read.md +10 -2
  216. package/docs/rules/require-workflow-permissions.md +4 -4
  217. package/package.json +1 -1
package/docs/rules/require-workflow-permissions.md CHANGED
@@ -43,10 +43,9 @@ jobs:
43
43
  runs-on: ubuntu-latest
44
44
  ```
45
45
 
46
-
47
46
  ## Additional examples
48
47
 
49
- For larger repositories, this rule is often enabled together with one of the published presets so violations are caught in pull requests before workflow changes are merged.
48
+ For larger repositories, this rule works well as a baseline requirement for explicit token scope. If your team prefers every job to declare permissions locally, layer the opt-in `no-top-level-permissions` rule on top.
50
49
 
51
50
  ## ESLint flat config example
52
51
 
@@ -69,7 +68,8 @@ export default [
69
68
  ## When not to use it
70
69
 
71
70
  You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.
71
+
72
72
  ## Further reading
73
73
 
74
- - [https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#permissions](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#permissions)
75
- - [https://docs.github.com/actions/security-for-github-actions/security-guides/automatic-token-authentication](https://docs.github.com/actions/security-for-github-actions/security-guides/automatic-token-authentication)
74
+ - [GitHub Actions workflow syntax: permissions](https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#permissions)
75
+ - [GitHub Actions automatic token authentication guide](https://docs.github.com/actions/security-for-github-actions/security-guides/automatic-token-authentication)
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "$schema": "https://www.schemastore.org/package.json",
3
3
  "name": "eslint-plugin-github-actions-2",
4
- "version": "1.0.4",
4
+ "version": "1.0.6",
5
5
  "private": false,
6
6
  "description": "ESLint plugin for GitHub Actions workflow quality, reliability, and security rules.",
7
7
  "keywords": [