This public status document tracks user-facing progress from the first preview release through the current stable release.
Current release: 1.0.0
Goal: first stable release. All documented CLI, JSON, SARIF, configuration, baseline, suppression, and safe-fix behavior is locked down.
- Stabilize documented CLI, JSON, SARIF, configuration, baseline, suppression, and safe-fix behavior for public CI usage.
- Refresh all documentation, project status, roadmap, package metadata, and install examples.
- Add
release-workflow-overprivileged-token,remote-script-execution, andsecret-echo-risksecurity rules. - Add SARIF
partialFingerprints. - Add machine-readable JSON schemas.
- Split fix command into dedicated
FixOptionsParser. - Make
WorkflowFixerrule-scoped and parse-aware (skip invalid/complex YAML). - Add stable baseline fingerprints and
--prune-baseline. - Add
--show-suppressions.
- Add baseline suppression, generation, and inline suppression comments.
- Add adoption guide.
-
Add
overbroad-id-token-permission,pull-request-target-untrusted-checkout, anduntrusted-expression-in-runsecurity rules. -
.NET 10 target framework.
-
Package metadata for the CLI .NET tool.
-
Text and JSON output.
-
Ten built-in workflow hygiene rules.
-
Include/exclude filtering.
-
Strict mode.
-
--fail-onexit-code behavior. -
Source locations for many findings.
-
CI build and test workflow.
-
README install and usage documentation.
-
Workflow hardening checklist.
-
Public release files and initial rule docs.
- Add
.gh-actions-doctor.ymlconfiguration support. - Add rule disabling and severity overrides.
- Add path, format, fail threshold, strict mode, include, exclude, disabled rule, and severity override config fields.
- Add config parse validation and CLI error output.
- Document config examples.
- Add config behavior tests.
- Add GitHub annotation output.
- Add official composite GitHub Action wrapper.
- Add CI-focused usage and smoke coverage.
- Add SARIF 2.1.0 output.
- Add SARIF rule metadata and source locations.
- Add Code Scanning-ready output behavior.
- Add conservative
fixcommand. - Add dry-run and apply modes.
- Add safe fix for missing top-level
permissions: contents: read. - Add safe fix for missing job
timeout-minutes: 30.
- Add
overbroad-id-token-permission. - Add
pull-request-target-untrusted-checkout. - Add
untrusted-expression-in-run. - Add focused tests and rule docs for advanced security findings.
- Add baseline suppression via
--baseline <path>and configbaseline. - Add baseline generation via
--write-baseline <path>. - Add inline suppression comments.
- Refresh release documentation and validation coverage.
The repository is configured so public contribution should flow through pull requests:
mainis protected.- The
buildGitHub Actions check is required before merge. - Pull requests require at least one approving review.
- Code-owner review is required.
CODEOWNERSassigns all files to@Wezylnia.- Stale approvals are dismissed after new commits are pushed.
- Conversation resolution is required before merge.
- Force pushes and branch deletion are disabled.
- Administrators keep emergency bypass ability.
- GitHub Copilot is configured for automatic pull request review on pushes to PRs targeting
main.
dotnet restore
dotnet build GhActionsDoctor.sln --configuration Release
dotnet test GhActionsDoctor.sln --configuration Release --no-build
dotnet pack src/GhActionsDoctor.Cli --configuration Release --no-build
dotnet run --project src/GhActionsDoctor.Cli -- scan --path samples/bad --fail-on none
dotnet run --project src/GhActionsDoctor.Cli -- scan --path samples/bad --format json --fail-on none
dotnet run --project src/GhActionsDoctor.Cli -- scan --path samples/bad --format github-annotations --fail-on none
dotnet run --project src/GhActionsDoctor.Cli -- scan --path samples/bad --format sarif --fail-on none
dotnet run --project src/GhActionsDoctor.Cli -- fix --path samples/bad --dry-run