eslint-plugin-github-actions-2

June 23, 2026 ยท View on GitHub

npm license. npm total downloads. latest GitHub release. GitHub stars. GitHub forks. GitHub open issues. codecov.

ESLint plugin for GitHub Actions quality, reliability, security, and maintainability across the full GitHub Actions ecosystem.

The plugin covers:

  • workflow YAML files (.github/workflows/*.{yml,yaml})
  • action metadata files (**/action.yml, **/action.yaml)
  • Dependabot configuration (.github/dependabot.{yml,yaml})
  • workflow template packages (**/workflow-templates/*.{yml,yaml} and **/workflow-templates/*.properties.json)

The rules help teams:

  • standardize workflow, job, and step naming along with file-level conventions
  • validate workflow structure, supported keys, trigger declarations, interface definitions, timeouts, and concurrency settings
  • enforce safer permissions, shells, input handling, and pinned action references
  • harden CodeQL, dependency review, SARIF upload, secret-scanning, and Dependabot automation workflows
  • keep Dependabot and workflow-template metadata complete, consistent, and reviewable
  • apply targeted autofixes and suggestions where the intended change is safe and unambiguous

Installation

npm install --save-dev eslint eslint-plugin-github-actions-2

Quick start

import githubActions from "eslint-plugin-github-actions-2";

export default [githubActions.configs.recommended];

Every exported preset already scopes itself to the intended GitHub Actions file surfaces.

Presets

PresetPurpose
githubActions.configs.actionMetadataAction metadata hygiene and correctness checks.
githubActions.configs.codeScanningCodeQL, dependency review, SARIF, and code-scanning workflow checks.
githubActions.configs.dependabotDependabot configuration quality and policy checks.
githubActions.configs.workflowTemplatePropertiesWorkflow-template metadata quality checks.
githubActions.configs.workflowTemplatesCombined workflow-template YAML + metadata checks.
githubActions.configs.recommendedBalanced defaults for most repositories.
githubActions.configs.securitySecurity-focused checks like immutable SHA pinning.
githubActions.configs.strictOperational guardrails for mature workflow estates.
githubActions.configs.allComplete bundled rule coverage, excluding explicitly opt-in policy rules.

Rules

Fix legend:

  • ๐Ÿ”ง = autofixable
  • ๐Ÿ’ก = suggestions available
  • โ€” = report only

Preset key legend:

RuleFixPreset key
R009 action-name-casing๐Ÿ”ง๐ŸŸฃ ๐Ÿ”ด
R010 job-id-casingโ€”๐ŸŸฃ ๐Ÿ”ด
R011 max-jobs-per-actionโ€”๐ŸŸฃ ๐Ÿ”ด
R048 no-case-insensitive-input-id-collisionโ€”๐Ÿงฉ ๐ŸŸฃ
R097 no-codeql-autobuild-for-javascript-typescriptโ€”๐ŸŸฃ ๐Ÿ”Ž
R096 no-codeql-javascript-typescript-split-language-matrixโ€”๐ŸŸฃ ๐Ÿ”Ž
R049 no-composite-input-env-accessโ€”๐Ÿงฉ ๐ŸŸฃ
R044 no-deprecated-node-runtimeโ€”๐Ÿงฉ ๐ŸŸฃ
R051 no-duplicate-composite-step-idโ€”๐Ÿงฉ ๐ŸŸฃ
R060 no-empty-template-file-pattern๐Ÿ”ง๐Ÿ—‚๏ธ ๐Ÿงฑ ๐ŸŸฃ
R012 no-external-jobโ€”๐Ÿ 
R068 no-hardcoded-default-branch-in-templateโ€”๐Ÿงฑ ๐ŸŸฃ
R063 no-icon-file-extension-in-template-icon-name๐Ÿ”ง๐Ÿ—‚๏ธ ๐Ÿงฑ ๐ŸŸฃ
R026 no-inherit-secretsโ€”๐ŸŸฃ ๐Ÿ›ก๏ธ ๐Ÿ”ด
R042 no-invalid-concurrency-contextโ€”๐ŸŸฃ ๐ŸŸก ๐Ÿ”ด
R019 no-invalid-keyโ€”๐ŸŸฃ ๐ŸŸก ๐Ÿ”ด
R041 no-invalid-reusable-workflow-job-keyโ€”๐ŸŸฃ ๐ŸŸก ๐Ÿ”ด
R059 no-invalid-template-file-pattern-regexโ€”๐Ÿ—‚๏ธ ๐Ÿงฑ ๐ŸŸฃ
R040 no-invalid-workflow-call-output-valueโ€”๐ŸŸฃ ๐ŸŸก ๐Ÿ”ด
R095 no-overlapping-dependabot-directoriesโ€”๐ŸŸฃ ๐Ÿค–
R064 no-path-separators-in-template-icon-name๐Ÿ’ก๐Ÿ—‚๏ธ ๐Ÿงฑ ๐ŸŸฃ
R046 no-post-if-without-post๐Ÿ”ง๐Ÿงฉ ๐ŸŸฃ
R030 no-pr-head-checkout-in-pull-request-targetโ€”๐ŸŸฃ ๐Ÿ›ก๏ธ ๐Ÿ”ด
R045 no-pre-if-without-pre๐Ÿ”ง๐Ÿงฉ ๐ŸŸฃ
R047 no-required-input-with-default๐Ÿ’ก๐Ÿงฉ ๐ŸŸฃ
R027 no-secrets-in-ifโ€”๐ŸŸฃ ๐ŸŸก ๐Ÿ›ก๏ธ ๐Ÿ”ด
R036 no-self-hosted-runner-on-fork-pr-eventsโ€”๐ŸŸฃ ๐Ÿ›ก๏ธ ๐Ÿ”ด
R062 no-subdirectory-template-file-patternโ€”๐Ÿ—‚๏ธ ๐Ÿงฑ ๐ŸŸฃ
R069 no-template-placeholder-in-non-template-workflowโ€”๐ŸŸก ๐Ÿ”ด ๐ŸŸฃ
R013 no-top-level-envโ€”๐ŸŸฃ ๐Ÿ”ด
R014 no-top-level-permissionsโ€”โ€”
R061 no-universal-template-file-patternโ€”๐Ÿ—‚๏ธ ๐Ÿงฑ ๐ŸŸฃ
R081 no-unknown-dependabot-multi-ecosystem-groupโ€”๐ŸŸฃ ๐Ÿค–
R050 no-unknown-input-reference-in-compositeโ€”๐Ÿงฉ ๐ŸŸฃ
R037 no-unknown-job-output-referenceโ€”๐ŸŸฃ ๐ŸŸก ๐Ÿ”ด
R038 no-unknown-step-referenceโ€”๐ŸŸฃ ๐Ÿ”ด
R029 no-untrusted-input-in-runโ€”๐ŸŸฃ ๐Ÿ›ก๏ธ ๐Ÿ”ด
R085 no-unused-dependabot-enable-beta-ecosystems๐Ÿ”ง๐ŸŸฃ ๐Ÿค–
R053 no-unused-input-in-compositeโ€”๐Ÿงฉ ๐ŸŸฃ
R023 no-write-all-permissionsโ€”๐ŸŸฃ ๐ŸŸก ๐Ÿ›ก๏ธ ๐Ÿ”ด
R003 pin-action-shasโ€”๐ŸŸฃ ๐Ÿ›ก๏ธ ๐Ÿ”ด
R043 prefer-action-ymlโ€”๐Ÿงฉ ๐ŸŸฃ
R015 prefer-fail-fastโ€”๐ŸŸฃ ๐Ÿ”ด
R020 prefer-file-extensionโ€”๐ŸŸฃ ๐ŸŸก ๐Ÿ”ด
R033 prefer-inputs-context๐Ÿ”ง๐ŸŸฃ ๐ŸŸก ๐Ÿ”ด
R016 prefer-step-uses-styleโ€”๐ŸŸฃ
R066 prefer-template-yml-extensionโ€”๐Ÿงฑ ๐ŸŸฃ
R005 require-action-nameโ€”๐ŸŸฃ ๐ŸŸก ๐Ÿ”ด
R006 require-action-run-nameโ€”๐ŸŸฃ ๐Ÿ”ด
R025 require-checkout-before-local-actionโ€”๐ŸŸฃ ๐ŸŸก ๐Ÿ”ด
R099 require-codeql-actions-readโ€”๐ŸŸฃ ๐Ÿ”Ž
R113 require-codeql-branch-filtersโ€”๐ŸŸฃ ๐Ÿ”Ž
R114 require-codeql-category-when-language-matrixโ€”๐ŸŸฃ ๐Ÿ”Ž
R100 require-codeql-pull-request-triggerโ€”๐ŸŸฃ ๐Ÿ”Ž
R101 require-codeql-scheduleโ€”๐ŸŸฃ ๐Ÿ”Ž
R098 require-codeql-security-events-writeโ€”๐ŸŸฃ ๐Ÿ”Ž ๐Ÿ›ก๏ธ
R052 require-composite-step-nameโ€”๐Ÿงฉ ๐ŸŸฃ
R077 require-dependabot-assigneesโ€”๐ŸŸฃ ๐Ÿค–
R111 require-dependabot-automation-permissionsโ€”๐ŸŸฃ ๐Ÿ›ก๏ธ
R112 require-dependabot-automation-pull-request-triggerโ€”๐ŸŸฃ ๐Ÿ›ก๏ธ
R109 require-dependabot-bot-actor-guardโ€”๐ŸŸฃ ๐Ÿ›ก๏ธ
R089 require-dependabot-commit-message-include-scopeโ€”๐ŸŸฃ ๐Ÿค–
R079 require-dependabot-commit-message-prefixโ€”๐ŸŸฃ ๐Ÿค–
R090 require-dependabot-commit-message-prefix-developmentโ€”๐ŸŸฃ ๐Ÿค–
R086 require-dependabot-cooldownโ€”๐ŸŸฃ ๐Ÿค–
R073 require-dependabot-directoryโ€”๐ŸŸฃ ๐Ÿค–
R084 require-dependabot-github-actions-directory-root๐Ÿ”ง๐ŸŸฃ ๐Ÿค–
R080 require-dependabot-labelsโ€”๐ŸŸฃ ๐Ÿค–
R087 require-dependabot-open-pull-requests-limitโ€”๐ŸŸฃ ๐Ÿค–
R072 require-dependabot-package-ecosystemโ€”๐ŸŸฃ ๐Ÿค–
R082 require-dependabot-patterns-for-multi-ecosystem-groupโ€”๐ŸŸฃ ๐Ÿค–
R083 require-dependabot-schedule-cronjobโ€”๐ŸŸฃ ๐Ÿค–
R074 require-dependabot-schedule-intervalโ€”๐ŸŸฃ ๐Ÿค–
R075 require-dependabot-schedule-timeโ€”๐ŸŸฃ ๐Ÿค–
R076 require-dependabot-schedule-timezoneโ€”๐ŸŸฃ ๐Ÿค–
R078 require-dependabot-target-branchโ€”๐ŸŸฃ ๐Ÿค–
R071 require-dependabot-updatesโ€”๐ŸŸฃ ๐Ÿค–
R070 require-dependabot-version๐Ÿ”ง๐ŸŸฃ ๐Ÿค–
R088 require-dependabot-versioning-strategy-for-npmโ€”๐ŸŸฃ ๐Ÿค–
R091 require-dependency-review-actionโ€”๐ŸŸฃ ๐Ÿ”Ž ๐Ÿ›ก๏ธ
R093 require-dependency-review-fail-on-severityโ€”๐ŸŸฃ ๐Ÿ”Ž ๐Ÿ›ก๏ธ
R092 require-dependency-review-permissions-contents-readโ€”๐ŸŸฃ ๐Ÿ”Ž ๐Ÿ›ก๏ธ
R094 require-dependency-review-pull-request-triggerโ€”๐ŸŸฃ ๐Ÿ”Ž ๐Ÿ›ก๏ธ
R110 require-fetch-metadata-github-tokenโ€”๐ŸŸฃ ๐Ÿ›ก๏ธ
R007 require-job-name๐Ÿ’ก๐ŸŸฃ ๐Ÿ”ด
R008 require-job-step-name๐Ÿ’ก๐ŸŸฃ ๐Ÿ”ด
R002 require-job-timeout-minutesโ€”๐ŸŸฃ ๐ŸŸก ๐Ÿ”ด
R035 require-merge-group-triggerโ€”๐ŸŸฃ ๐Ÿ”ด
R032 require-pull-request-target-branchesโ€”๐ŸŸฃ ๐Ÿ›ก๏ธ ๐Ÿ”ด
R021 require-run-step-shellโ€”๐ŸŸฃ ๐Ÿ”ด
R115 require-run-step-timeoutโ€”๐ŸŸฃ ๐ŸŸก
R102 require-sarif-upload-security-events-writeโ€”๐ŸŸฃ ๐Ÿ”Ž ๐Ÿ›ก๏ธ
R103 require-scorecard-results-format-sarifโ€”๐ŸŸฃ ๐Ÿ”Ž
R104 require-scorecard-upload-sarif-stepโ€”๐ŸŸฃ ๐Ÿ”Ž
R107 require-secret-scan-contents-readโ€”๐ŸŸฃ ๐Ÿ›ก๏ธ
R105 require-secret-scan-fetch-depth-zeroโ€”๐ŸŸฃ ๐Ÿ›ก๏ธ
R106 require-secret-scan-scheduleโ€”๐ŸŸฃ ๐Ÿ›ก๏ธ
R057 require-template-categoriesโ€”๐Ÿ—‚๏ธ ๐Ÿงฑ ๐ŸŸฃ
R058 require-template-file-patternsโ€”๐Ÿ—‚๏ธ ๐Ÿงฑ ๐ŸŸฃ
R065 require-template-icon-file-existsโ€”๐Ÿ—‚๏ธ ๐Ÿงฑ ๐ŸŸฃ
R056 require-template-icon-nameโ€”๐Ÿ—‚๏ธ ๐Ÿงฑ ๐ŸŸฃ
R067 require-template-workflow-nameโ€”๐Ÿงฑ ๐ŸŸฃ
R031 require-trigger-typesโ€”๐ŸŸฃ ๐Ÿ”ด
R108 require-trufflehog-verified-results-modeโ€”๐ŸŸฃ ๐Ÿ›ก๏ธ
R034 require-workflow-call-input-typeโ€”๐ŸŸฃ ๐ŸŸก ๐Ÿ”ด
R039 require-workflow-call-output-valueโ€”๐ŸŸฃ ๐ŸŸก ๐Ÿ”ด
R004 require-workflow-concurrencyโ€”๐ŸŸฃ ๐Ÿ”ด
R022 require-workflow-dispatch-input-typeโ€”๐ŸŸฃ ๐ŸŸก ๐Ÿ”ด
R024 require-workflow-interface-descriptionโ€”๐ŸŸฃ ๐Ÿ”ด
R001 require-workflow-permissionsโ€”๐ŸŸฃ ๐ŸŸก ๐Ÿ›ก๏ธ ๐Ÿ”ด
R028 require-workflow-run-branchesโ€”๐ŸŸฃ ๐Ÿ›ก๏ธ ๐Ÿ”ด
R054 require-workflow-template-pairโ€”๐Ÿงฑ ๐ŸŸฃ
R055 require-workflow-template-properties-pairโ€”๐Ÿ—‚๏ธ ๐Ÿงฑ ๐ŸŸฃ
R017 valid-timeout-minutesโ€”๐ŸŸฃ ๐ŸŸก ๐Ÿ”ด
R018 valid-trigger-eventsโ€”๐ŸŸฃ ๐ŸŸก ๐Ÿ”ด

Example

name: ci

on:
 pull_request:
 push:
  branches:
   - main

permissions:
 contents: read

concurrency:
 group: ci-${{ github.ref }}
 cancel-in-progress: true

jobs:
 test:
  runs-on: ubuntu-latest
  timeout-minutes: 30
  steps:
   - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
   - run: npm test

Documentation

Status

eslint-plugin-github-actions-2 ships workflow, action metadata, and workflow-template linting surfaces with policy, reliability, and security coverage.