Rule overview
eslint-plugin-github-actions-2 targets GitHub Actions workflow YAML files, action metadata files (action.yml / action.yaml), repository Dependabot configuration files (.github/dependabot.yml), and workflow-template package files under workflow-templates/.
New to the plugin? Start with Getting started. Need config guidance? See the preset reference. Looking for a specific check? Jump to Current rules.
Included rule categories
- Security: explicit least-privilege permissions and immutable SHA pinning
- Reliability: bounded job timeouts
- Operations: workflow concurrency controls and valid concurrency expression contexts
- Naming and readability: workflow names, job IDs, job names, and step names
- Execution clarity: explicit run-step shells, typed workflow interfaces, canonical manual-dispatch input access, and valid step-context references
- Workflow interface quality: documented manual-dispatch and reusable workflow interfaces plus valid reusable output values and job-output mappings
- Reusable workflow hygiene: explicit checkout ordering, narrowly scoped secret passing, and valid reusable-workflow caller job keys
- Workflow safety: safer conditional secret handling, untrusted-script handling, scoped workflow chaining, safer privileged PR automation, fork-triggered self-hosted runner hardening, and scoped privileged PR targets
- Trigger precision: explicit activity-type scoping for broad multi-activity events and merge-queue-aware pull request validation
- Dependency automation: required Dependabot keys, explicit schedules, PR routing, labels, ownership, and commit-title conventions
Current rules
- require-workflow-permissions
- require-job-timeout-minutes
- pin-action-shas
- require-workflow-concurrency
- action-name-casing
- job-id-casing
- max-jobs-per-action
- no-case-insensitive-input-id-collision
- no-codeql-autobuild-for-javascript-typescript
- no-codeql-javascript-typescript-split-language-matrix
- no-composite-input-env-access
- no-deprecated-node-runtime
- no-duplicate-composite-step-id
- no-empty-template-file-pattern
- no-external-job
- no-hardcoded-default-branch-in-template
- no-icon-file-extension-in-template-icon-name
- no-inherit-secrets
- no-invalid-concurrency-context
- no-invalid-key
- no-invalid-reusable-workflow-job-key
- no-invalid-template-file-pattern-regex
- no-invalid-workflow-call-output-value
- no-overlapping-dependabot-directories
- no-path-separators-in-template-icon-name
- no-post-if-without-post
- no-pr-head-checkout-in-pull-request-target
- no-pre-if-without-pre
- no-required-input-with-default
- no-secrets-in-if
- no-self-hosted-runner-on-fork-pr-events
- no-subdirectory-template-file-pattern
- no-template-placeholder-in-non-template-workflow
- no-top-level-env
- no-top-level-permissions
- no-unused-dependabot-enable-beta-ecosystems
- no-unknown-dependabot-multi-ecosystem-group
- no-universal-template-file-pattern
- no-unknown-input-reference-in-composite
- no-unknown-job-output-reference
- no-unknown-step-reference
- no-unused-input-in-composite
- no-untrusted-input-in-run
- no-write-all-permissions
- prefer-fail-fast
- prefer-action-yml
- prefer-file-extension
- prefer-inputs-context
- prefer-step-uses-style
- prefer-template-yml-extension
- require-action-name
- require-action-run-name
- require-checkout-before-local-action
- require-codeql-actions-read
- require-codeql-branch-filters
- require-codeql-category-when-language-matrix
- require-codeql-pull-request-trigger
- require-codeql-schedule
- require-codeql-security-events-write
- require-composite-step-name
- require-dependabot-automation-permissions
- require-dependabot-automation-pull-request-trigger
- require-dependabot-assignees
- require-dependabot-bot-actor-guard
- require-dependabot-commit-message-include-scope
- require-dependabot-commit-message-prefix
- require-dependabot-commit-message-prefix-development
- require-dependabot-cooldown
- require-dependabot-directory
- require-dependabot-github-actions-directory-root
- require-dependabot-labels
- require-dependabot-open-pull-requests-limit
- require-dependabot-package-ecosystem
- require-dependabot-patterns-for-multi-ecosystem-group
- require-dependabot-schedule-cronjob
- require-dependabot-schedule-interval
- require-dependabot-schedule-time
- require-dependabot-schedule-timezone
- require-dependabot-target-branch
- require-dependabot-updates
- require-dependabot-version
- require-dependabot-versioning-strategy-for-npm
- require-dependency-review-action
- require-dependency-review-fail-on-severity
- require-dependency-review-permissions-contents-read
- require-dependency-review-pull-request-trigger
- require-fetch-metadata-github-token
- require-job-name
- require-job-step-name
- require-merge-group-trigger
- require-pull-request-target-branches
- require-run-step-shell
- require-sarif-upload-security-events-write
- require-scorecard-results-format-sarif
- require-scorecard-upload-sarif-step
- require-secret-scan-contents-read
- require-secret-scan-fetch-depth-zero
- require-secret-scan-schedule
- require-template-categories
- require-template-file-patterns
- require-template-icon-file-exists
- require-template-icon-name
- require-template-workflow-name
- require-trigger-types
- require-workflow-call-input-type
- require-workflow-call-output-value
- require-workflow-dispatch-input-type
- require-workflow-interface-description
- require-workflow-run-branches
- require-workflow-template-pair
- require-workflow-template-properties-pair
- require-trufflehog-verified-results-mode
- valid-timeout-minutes
- valid-trigger-events