---
applyTo: ".github/{actions,workflows}/*.{yml,yaml}"
description: Instructions for editing GitHub Actions workflows for this repository.
---
This file contains instructions for working with GitHub Actions YAML files in the `.github/actions/` and `.github/workflows/` directories of the codeql-sap-js repository.
- ALWAYS pin ALL external GitHub Actions to full-length commit SHAs, never to tags or branch names, including GitHub-maintained `actions/*` actions. Add a trailing comment with the original tag for readability (e.g., `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`). To resolve a tag to its commit SHA, run `git ls-remote https://github.com/OWNER/REPO.git refs/tags/TAG` (or `refs/heads/BRANCH` for branch-based refs). Note that `ls-remote` prints the SHA of whatever the ref points at: for an annotated tag that is the tag object, and the commit it points at is listed under `refs/tags/TAG^{}` (request that ref as well). Pin the commit SHA, and remember that a pinned SHA does not follow the tag: bump the SHA and its comment deliberately when upgrading.
- ALWAYS use the principle of least privilege, and explicitly set `permissions` for workflows.
- ALWAYS use valid YAML syntax and follow GitHub Actions workflow conventions.
- ALWAYS follow best practices for GitHub Actions workflows including security, efficiency, and maintainability.
- ALWAYS use descriptive names for workflows, jobs, and steps that clearly explain their purpose.
- PREFER explicit permissions declarations using the `permissions` key for security.
- PREFER descriptive step names that include the workflow context (e.g., "Tag - Checkout repository").
- PREFER matrix strategies for testing multiple versions when applicable.
- PREFER adding summary outputs using `$GITHUB_STEP_SUMMARY` for better workflow visibility.
- NEVER reference an external GitHub Action by tag or branch name (e.g., `@v6`, `@main`). ALWAYS use the full 40-character commit SHA with a `# tag` comment.
- NEVER use overly broad permissions (e.g., `permissions: write-all`, or a `contents: write` grant that no step in the job needs).
- NEVER leave any trailing whitespace on any line.
- NEVER use deprecated GitHub Actions or workflow syntax.
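The script below is an added example, not part of this instructions file or of the codeql-sap-js repository. It turns the two hard rules above (full-SHA pinning with a `# tag` comment, explicit top-level `permissions`) into a check that can run in a pre-commit hook or a CI step, and adds a helper that resolves a tag or branch to the commit SHA to pin, taking the peeled `^{}` entry for annotated tags. The two workflow files it writes are constructed samples: the `actions/checkout` SHA is the one quoted above, while `example-org/example-action` is a hypothetical action name. `resolve_ref_sha` needs network access and is not invoked by the sample run.

```shell
#!/usr/bin/env sh
# Added example (not from the repository): a pre-commit style checker for the
# pinning and permissions rules, plus a helper that resolves a tag or branch to
# the commit SHA to pin. The workflow files written below are constructed
# samples; example-org/example-action is a hypothetical action name.

# check_workflow FILE: print one line per violation and return 1 if any were found.
check_workflow() {
  file=$1
  violations=$( {
    # Least privilege must be declared, not inherited from the repository default.
    grep -Eq '^permissions:' "$file" ||
      echo "$file: missing top-level 'permissions:' block"
    # Every 'uses:' naming another repository must read OWNER/REPO@<40-hex SHA> # tag.
    grep -En '^[[:space:]]*-?[[:space:]]*uses:' "$file" | while IFS= read -r line; do
      lineno=${line%%:*}
      ref=$(printf '%s\n' "$line" |
        sed -E 's/^[0-9]+:[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//' | tr -d "\"'")
      case $ref in
        ./*|docker://*) continue ;;  # local actions and container images are not git refs
      esac
      printf '%s\n' "$ref" |
        grep -Eq '^[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+@[0-9a-f]{40}[[:space:]]+#[[:space:]]*[^[:space:]]+' ||
        echo "$file:$lineno: not pinned to a full commit SHA with a '# tag' comment: $ref"
    done
  } )
  if [ -n "$violations" ]; then
    printf '%s\n' "$violations"
    return 1
  fi
  return 0
}

# resolve_ref_sha OWNER/REPO REF: print the commit SHA that tag or branch REF
# points at. For an annotated tag, ls-remote lists the tag object under
# refs/tags/REF and the commit under refs/tags/REF^{}; the uses: key needs the
# commit, so the peeled line wins when present. Example: resolve_ref_sha actions/checkout v6
resolve_ref_sha() {
  repo=$1 ref=$2
  out=$(git ls-remote "https://github.com/$repo.git" \
    "refs/tags/$ref" "refs/tags/$ref^{}" "refs/heads/$ref") || return 1
  [ -n "$out" ] || { echo "no tag or branch named $ref in $repo" >&2; return 1; }
  peeled=$(printf '%s\n' "$out" | awk 'index($2, "^{}") { print $1 }')
  if [ -n "$peeled" ]; then printf '%s\n' "$peeled"; else printf '%s\n' "$out" | awk 'NR == 1 { print $1 }'; fi
}

# Constructed sample that follows the rules: SHA pin with tag comment, explicit
# read-only permissions, a matrix, and a step summary.
GOOD_FILE=$(mktemp)
cat >"$GOOD_FILE" <<'EOF'
name: Test - Unit tests
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  test:
    name: Test - Run unit tests
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest]
    steps:
      - name: Test - Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Test - Run unit tests
        run: echo "unit tests would run here"
      - name: Test - Write step summary
        run: echo "Unit tests completed on ${{ matrix.os }}" >> "$GITHUB_STEP_SUMMARY"
EOF

# Constructed sample that breaks them: no permissions block, a tag ref, a SHA
# without its tag comment, and a branch ref. Local and docker refs are skipped.
BAD_FILE=$(mktemp)
cat >"$BAD_FILE" <<'EOF'
name: Bad - Unpinned sample
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: example-org/example-action@main
      - uses: ./.github/actions/local-action
      - uses: docker://alpine:3
EOF

check_workflow "$GOOD_FILE" && echo "$GOOD_FILE: OK"
check_workflow "$BAD_FILE" || echo "$BAD_FILE: violations found, as expected"
```

Run it as `sh check-workflows.sh` to see the sample output, or call `check_workflow` on each file in `.github/workflows/` from a CI step; the bad sample produces four violation lines (the missing `permissions:` block and three unpinned `uses:` references), and the docker and local-path references are deliberately left alone because they are not git refs and cannot be SHA-pinned the same way.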