Rule set "Default" (default)

• ComponentCountRule (workflows, actions)
  • TooManyJobs: Workflow has too many jobs.
  • TooManySteps: Job has too many steps.
• DoubleCurlyIfRule (workflows, actions)
  • DoubleCurlyIf: if: is not wrapped in double-curly-braces.
• DuplicateShellRule (workflows)
  • DuplicateShellOnSteps: Multiple steps have the shell defined.
• DuplicateStepIdRule (workflows, actions)
  • DuplicateStepId: Steps must have unique identifiers within a job.
  • SimilarStepId: Steps should have distinguishable identifiers within a job.
• EmptyEnvRule (workflows, actions)
  • EmptyJobEnv: Job has empty env.
  • EmptyStepEnv: Step has empty env.
  • EmptyWorkflowEnv: Workflow has empty env.
• EnvironmentFileOverwriteRule (workflows, actions)
  • EnvironmentFileOverwritten: Environment files should be appended.
• ExplicitJobPermissionsRule (workflows)
  • ExplicitJobPermissions: Permissions should be declared on the job level only.
  • MissingJobPermissions: Permissions are not declared.
• FailFastActionsRule (workflows, actions)
  • FailFastPeterEvansCreatePullRequest: peter-evans/create-pull-request has unsafe edge cases, use gh pr create instead.
  • FailFastPublishUnitTestResults: publish-unit-test-result-action should fail fast.
  • FailFastSoftpropsGhRelease: action-gh-release should fail fast.
  • FailFastUploadArtifact: upload-artifact should fail fast.
• IdNamingRule (workflows, actions)
  • JobIdNaming: Job should have a lower-case kebab ID.
  • StepIdNaming: Step should have a lower-case kebab ID.
  • WorkflowIdNaming: Workflow should have a lower-case kebab ID.
• ImplicitStatusCheckRule (workflows, actions)
  • NegativeStatusCheck: Use positive conditions.
  • NeverUseAlways: Using always() is discouraged.
• InvalidExpressionUsageRule (workflows, actions)
  • InvalidExpressionUsage: Step uses must not contain expressions.
• JobDependenciesRule (workflows)
  • JobDependencyCycle: Cycle in job dependencies (needs).
  • MissingNeedsJob: Needs references a missing job.
• MissingGhRepoRule (workflows, actions)
  • MissingGhRepo: GH_REPO or checkout is required for using the gh CLI tool.
• MissingGhTokenRule (workflows, actions)
  • MissingGhHost: GH_HOST is required for using the gh CLI tool with GH_ENTERPRISE_TOKEN.
  • MissingGhToken: GH_TOKEN is required for using the gh CLI tool.
• MissingJobTimeoutRule (workflows)
  • MissingJobTimeout: Job is missing a timeout.
• MissingNameRule (workflows, actions)
  • MissingJobName: Job is missing a name.
  • MissingStepName: Step is missing a name.
  • MissingWorkflowName: Workflow is missing a name.
• MissingShellRule (workflows)
  • MissingShell: Run step is missing a shell.
• PreferGitHubTokenRule (workflows, actions)
  • PreferGitHubToken: Prefer github.token instead of secrets.GITHUB_TOKEN.
• RedundantShellRule (workflows)
  • RedundantDefaultShell: Same default shell is defined both on job and workflow.
  • RedundantShell: Same shell is defined both on step and globally.
• SafeEnvironmentFileRedirectRule (workflows, actions)
  • SafeEnvironmentFileRedirect: GITHUB_OUTPUT must be quoted.
• ScriptInjectionRule (workflows, actions)
  • JSScriptInjection: JavaScript vulnerable to script injection.
  • ShellScriptInjection: Shell script vulnerable to script injection.