require-dependabot-github-actions-directory-root
Rule catalog ID: R084
Targeted pattern scopeโ
Dependabot update entries that use package-ecosystem: "github-actions".
What this rule reportsโ
This rule reports GitHub Actions ecosystem entries that do not use directory: "/" exactly, or that try to use directories instead.
Why this rule existsโ
GitHub documents directory: "/" as the correct location for the github-actions ecosystem. Dependabot uses that root setting to scan the standard workflow directory and root action metadata locations. Using a narrower or alternate directory is misleading and can cause missed updates.
โ Incorrectโ
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/.github/workflows"
schedule:
interval: "weekly"
โ Correctโ
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
Behavior and migration notesโ
The autofixer rewrites GitHub Actions ecosystem entries to the canonical directory: "/" form. If the entry incorrectly uses directories, the fix replaces that block with the single documented directory key because that is the only supported location for package-ecosystem: "github-actions".
Additional examplesโ
This rule is a good fit for repositories that maintain both workflow YAML and root-level composite or JavaScript actions, because the documented root scan location covers both surfaces.
ESLint flat config exampleโ
import githubActions from "eslint-plugin-github-actions-2";
export default [githubActions.configs.dependabot];
When not to use itโ
Disable this rule only if GitHub changes the documented scan behavior for the github-actions ecosystem and the repository intentionally follows that newer contract.