eslint-plugin-github-actions-2
June 23, 2026 ยท View on GitHub
ESLint plugin for GitHub Actions quality, reliability, security, and maintainability across the full GitHub Actions ecosystem.
The plugin covers:
- workflow YAML files (
.github/workflows/*.{yml,yaml}) - action metadata files (
**/action.yml,**/action.yaml) - Dependabot configuration (
.github/dependabot.{yml,yaml}) - workflow template packages (
**/workflow-templates/*.{yml,yaml}and**/workflow-templates/*.properties.json)
The rules help teams:
- standardize workflow, job, and step naming along with file-level conventions
- validate workflow structure, supported keys, trigger declarations, interface definitions, timeouts, and concurrency settings
- enforce safer permissions, shells, input handling, and pinned action references
- harden CodeQL, dependency review, SARIF upload, secret-scanning, and Dependabot automation workflows
- keep Dependabot and workflow-template metadata complete, consistent, and reviewable
- apply targeted autofixes and suggestions where the intended change is safe and unambiguous
Installation
npm install --save-dev eslint eslint-plugin-github-actions-2
Quick start
import githubActions from "eslint-plugin-github-actions-2";
export default [githubActions.configs.recommended];
Every exported preset already scopes itself to the intended GitHub Actions file surfaces.
Presets
| Preset | Purpose |
|---|---|
githubActions.configs.actionMetadata | Action metadata hygiene and correctness checks. |
githubActions.configs.codeScanning | CodeQL, dependency review, SARIF, and code-scanning workflow checks. |
githubActions.configs.dependabot | Dependabot configuration quality and policy checks. |
githubActions.configs.workflowTemplateProperties | Workflow-template metadata quality checks. |
githubActions.configs.workflowTemplates | Combined workflow-template YAML + metadata checks. |
githubActions.configs.recommended | Balanced defaults for most repositories. |
githubActions.configs.security | Security-focused checks like immutable SHA pinning. |
githubActions.configs.strict | Operational guardrails for mature workflow estates. |
githubActions.configs.all | Complete bundled rule coverage, excluding explicitly opt-in policy rules. |
Rules
Fix legend:
- ๐ง = autofixable
- ๐ก = suggestions available
- โ = report only
Preset key legend:
- ๐งฉ โ
githubActions.configs.actionMetadata - ๐ฃ โ
githubActions.configs.all - ๐ โ
githubActions.configs.codeScanning - ๐ค โ
githubActions.configs.dependabot - ๐ โ
githubActions.configs.localWorkflows - ๐ก โ
githubActions.configs.recommended - ๐ก๏ธ โ
githubActions.configs.security - ๐ด โ
githubActions.configs.strict - ๐๏ธ โ
githubActions.configs.workflowTemplateProperties - ๐งฑ โ
githubActions.configs.workflowTemplates
Example
name: ci
on:
pull_request:
push:
branches:
- main
permissions:
contents: read
concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: true
jobs:
test:
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- run: npm test
Documentation
- Rule docs:
docs/rules/ - Site: https://nick2bad4u.github.io/eslint-plugin-github-actions-2/docs/rules/overview
Status
eslint-plugin-github-actions-2 ships workflow, action metadata, and workflow-template linting surfaces with policy, reliability, and security coverage.