Presets

The plugin exports nine flat-config presets:

• githubActions.configs.actionMetadata
• githubActions.configs.codeScanning
• githubActions.configs.dependabot
• githubActions.configs.workflowTemplateProperties
• githubActions.configs.workflowTemplates
• githubActions.configs.recommended
• githubActions.configs.security
• githubActions.configs.strict
• githubActions.configs.all

These presets cover workflow YAML, action metadata (action.yml / action.yaml), repository Dependabot configuration (.github/dependabot.yml), and workflow template package files (workflow-templates/*.yml, *.yaml, and *.properties.json).

How to choose

• Start with recommended for broad baseline quality and safety.
• Layer security for stronger supply-chain and permissions-focused checks.
• Use codeScanning for CodeQL, dependency review, SARIF upload, and related code-scanning workflows.
• Use strict when you want high signal on operational consistency.
• Use all for complete bundled rule coverage (best for internal policy repos), and layer opt-in policy rules manually when your standards require them.
• Use dependabot when you want a dedicated policy surface for dependency update automation.

Then review getting started and the full rule reference.

Rule Matrix

Fix legend:

• 🔧 = autofixable
• 💡 = suggestions available
• — = report only

Preset key legend:

• 🧩 — githubActions.configs.actionMetadata
• 🔎 — githubActions.configs.codeScanning
• 🤖 — githubActions.configs.dependabot
• 🗂️ — githubActions.configs.workflowTemplateProperties
• 🧱 — githubActions.configs.workflowTemplates
• 🟡 — githubActions.configs.recommended
• 🛡️ — githubActions.configs.security
• 🔴 — githubActions.configs.strict
• 🟣 — githubActions.configs.all

Rule	Fix	Preset key
R009 action-name-casing	🔧	🟣 🔴
R010 job-id-casing	—	🟣 🔴
R011 max-jobs-per-action	—	🟣 🔴
R048 no-case-insensitive-input-id-collision	—	🧩 🟣
R097 no-codeql-autobuild-for-javascript-typescript	—	🟣 🔎
R096 no-codeql-javascript-typescript-split-language-matrix	—	🟣 🔎
R049 no-composite-input-env-access	—	🧩 🟣
R044 no-deprecated-node-runtime	—	🧩 🟣
R051 no-duplicate-composite-step-id	—	🧩 🟣
R060 no-empty-template-file-pattern	🔧	🗂️ 🧱 🟣
R012 no-external-job	—	🟣 🔴
R068 no-hardcoded-default-branch-in-template	—	🧱 🟣
R063 no-icon-file-extension-in-template-icon-name	🔧	🗂️ 🧱 🟣
R026 no-inherit-secrets	—	🟣 🛡️ 🔴
R042 no-invalid-concurrency-context	—	🟣 🟡 🔴
R019 no-invalid-key	—	🟣 🟡 🔴
R041 no-invalid-reusable-workflow-job-key	—	🟣 🟡 🔴
R059 no-invalid-template-file-pattern-regex	—	🗂️ 🧱 🟣
R040 no-invalid-workflow-call-output-value	—	🟣 🟡 🔴
R095 no-overlapping-dependabot-directories	—	🟣 🤖
R064 no-path-separators-in-template-icon-name	💡	🗂️ 🧱 🟣
R046 no-post-if-without-post	🔧	🧩 🟣
R030 no-pr-head-checkout-in-pull-request-target	—	🟣 🛡️ 🔴
R045 no-pre-if-without-pre	🔧	🧩 🟣
R047 no-required-input-with-default	💡	🧩 🟣
R027 no-secrets-in-if	—	🟣 🟡 🛡️ 🔴
R036 no-self-hosted-runner-on-fork-pr-events	—	🟣 🛡️ 🔴
R062 no-subdirectory-template-file-pattern	—	🗂️ 🧱 🟣
R069 no-template-placeholder-in-non-template-workflow	—	🟡 🔴 🟣
R013 no-top-level-env	—	🟣 🔴
R014 no-top-level-permissions	—	—
R061 no-universal-template-file-pattern	—	🗂️ 🧱 🟣
R081 no-unknown-dependabot-multi-ecosystem-group	—	🟣 🤖
R050 no-unknown-input-reference-in-composite	—	🧩 🟣
R037 no-unknown-job-output-reference	—	🟣 🟡 🔴
R038 no-unknown-step-reference	—	🟣 🔴
R029 no-untrusted-input-in-run	—	🟣 🛡️ 🔴
R085 no-unused-dependabot-enable-beta-ecosystems	🔧	🟣 🤖
R053 no-unused-input-in-composite	—	🧩 🟣
R023 no-write-all-permissions	—	🟣 🟡 🛡️ 🔴
R003 pin-action-shas	—	🟣 🛡️ 🔴
R043 prefer-action-yml	—	🧩 🟣
R015 prefer-fail-fast	—	🟣 🔴
R020 prefer-file-extension	—	🟣 🟡 🔴
R033 prefer-inputs-context	🔧	🟣 🟡 🔴
R016 prefer-step-uses-style	—	🟣
R066 prefer-template-yml-extension	—	🧱 🟣
R005 require-action-name	—	🟣 🟡 🔴
R006 require-action-run-name	—	🟣 🔴
R025 require-checkout-before-local-action	—	🟣 🟡 🔴
R099 require-codeql-actions-read	—	🟣 🔎
R113 require-codeql-branch-filters	—	🟣 🔎
R114 require-codeql-category-when-language-matrix	—	🟣 🔎
R100 require-codeql-pull-request-trigger	—	🟣 🔎
R101 require-codeql-schedule	—	🟣 🔎
R098 require-codeql-security-events-write	—	🟣 🔎 🛡️
R052 require-composite-step-name	—	🧩 🟣
R077 require-dependabot-assignees	—	🟣 🤖
R111 require-dependabot-automation-permissions	—	🟣 🛡️
R112 require-dependabot-automation-pull-request-trigger	—	🟣 🛡️
R109 require-dependabot-bot-actor-guard	—	🟣 🛡️
R089 require-dependabot-commit-message-include-scope	—	🟣 🤖
R079 require-dependabot-commit-message-prefix	—	🟣 🤖
R090 require-dependabot-commit-message-prefix-development	—	🟣 🤖
R086 require-dependabot-cooldown	—	🟣 🤖
R073 require-dependabot-directory	—	🟣 🤖
R084 require-dependabot-github-actions-directory-root	🔧	🟣 🤖
R080 require-dependabot-labels	—	🟣 🤖
R087 require-dependabot-open-pull-requests-limit	—	🟣 🤖
R072 require-dependabot-package-ecosystem	—	🟣 🤖
R082 require-dependabot-patterns-for-multi-ecosystem-group	—	🟣 🤖
R083 require-dependabot-schedule-cronjob	—	🟣 🤖
R074 require-dependabot-schedule-interval	—	🟣 🤖
R075 require-dependabot-schedule-time	—	🟣 🤖
R076 require-dependabot-schedule-timezone	—	🟣 🤖
R078 require-dependabot-target-branch	—	🟣 🤖
R071 require-dependabot-updates	—	🟣 🤖
R070 require-dependabot-version	🔧	🟣 🤖
R088 require-dependabot-versioning-strategy-for-npm	—	🟣 🤖
R091 require-dependency-review-action	—	🟣 🔎 🛡️
R093 require-dependency-review-fail-on-severity	—	🟣 🔎 🛡️
R092 require-dependency-review-permissions-contents-read	—	🟣 🔎 🛡️
R094 require-dependency-review-pull-request-trigger	—	🟣 🔎 🛡️
R110 require-fetch-metadata-github-token	—	🟣 🛡️
R007 require-job-name	💡	🟣 🔴
R008 require-job-step-name	💡	🟣 🔴
R002 require-job-timeout-minutes	—	🟣 🟡 🔴
R035 require-merge-group-trigger	—	🟣 🔴
R032 require-pull-request-target-branches	—	🟣 🛡️ 🔴
R021 require-run-step-shell	—	🟣 🔴
R102 require-sarif-upload-security-events-write	—	🟣 🔎 🛡️
R103 require-scorecard-results-format-sarif	—	🟣 🔎
R104 require-scorecard-upload-sarif-step	—	🟣 🔎
R107 require-secret-scan-contents-read	—	🟣 🛡️
R105 require-secret-scan-fetch-depth-zero	—	🟣 🛡️
R106 require-secret-scan-schedule	—	🟣 🛡️
R057 require-template-categories	—	🗂️ 🧱 🟣
R058 require-template-file-patterns	—	🗂️ 🧱 🟣
R065 require-template-icon-file-exists	—	🗂️ 🧱 🟣
R056 require-template-icon-name	—	🗂️ 🧱 🟣
R067 require-template-workflow-name	—	🧱 🟣
R031 require-trigger-types	—	🟣 🔴
R108 require-trufflehog-verified-results-mode	—	🟣 🛡️
R034 require-workflow-call-input-type	—	🟣 🟡 🔴
R039 require-workflow-call-output-value	—	🟣 🟡 🔴
R004 require-workflow-concurrency	—	🟣 🔴
R022 require-workflow-dispatch-input-type	—	🟣 🟡 🔴
R024 require-workflow-interface-description	—	🟣 🔴
R001 require-workflow-permissions	—	🟣 🟡 🛡️ 🔴
R028 require-workflow-run-branches	—	🟣 🛡️ 🔴
R054 require-workflow-template-pair	—	🧱 🟣
R055 require-workflow-template-properties-pair	—	🗂️ 🧱 🟣
R017 valid-timeout-minutes	—	🟣 🟡 🔴
R018 valid-trigger-events	—	🟣 🟡 🔴