.spectral.yaml
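---
# Spectral ruleset: the built-in OpenAPI rules plus custom checks aimed at
# GitHub Actions workflows, JSON schemas, frontmatter and documentation.
# NOTE(review): none of the custom rules below target OpenAPI documents;
# confirm the `spectral:oas` base is still wanted.
extends:
  - spectral:oas

rules:
  # Workflow validation rules

  # The document root must carry a non-empty `name`.
  workflow-name-required:
    message: "GitHub Actions workflow must have a name"
    severity: error
    given: "$"
    then:
      field: name
      function: truthy

  # The document root must carry an `on` key. The field name is quoted so it
  # stays the string "on" rather than being read as a YAML 1.1 boolean.
  workflow-on-required:
    message: "Workflow must define triggers"
    severity: error
    given: "$"
    then:
      field: "on"
      function: truthy

  # Every entry under `jobs` must set `runs-on`.
  # NOTE(review): jobs that call a reusable workflow through a job-level
  # `uses:` have no `runs-on`, so they would be reported as errors - confirm
  # that no workflow in scope uses that form.
  job-runs-on-required:
    message: "Job must specify runs-on"
    severity: error
    given: "$.jobs.*"
    then:
      field: runs-on
      function: truthy

  # Schema validation rules

  # Validates the root `properties` value against `{type: object}`.
  # NOTE(review): this only checks that `properties` is an object; it does not
  # inspect any `type` keyword, so the message overstates the check.
  schema-type-valid:
    message: "Schema must have valid type"
    severity: error
    given: "$.properties"
    then:
      function: schema
      functionOptions:
        schema:
          type: object

  # Frontmatter validation rules

  # NOTE(review): with no `field`, this only asserts that the document root is
  # truthy; no individual frontmatter field is checked. Looks like a
  # placeholder - confirm.
  frontmatter-required-fields:
    message: "Must contain required frontmatter fields"
    severity: warning
    given: "$"
    then:
      function: truthy

  # Documentation rules

  # NOTE(review): same shape as the frontmatter rule above - it asserts a
  # truthy document root and does not look at heading levels.
  heading-hierarchy-valid:
    message: "Headings must follow proper hierarchy (avoid skipping levels)"
    severity: warning
    given: "$"
    then:
      function: truthy

  # Workflow security rules

  # NOTE(review): do not rely on this rule as a secret-detection control.
  #   - `field: env` resolves to a mapping, while `pattern` evaluates string
  #     values only, so the check is presumably skipped - confirm.
  #   - only job-level `env` is visited; workflow-level and step-level `env`,
  #     `with:` inputs and `run:` scripts are not.
  #   - the regex is case-sensitive and, if it did run on the values, would
  #     also reject `${{ secrets.NAME }}` references, which are the intended
  #     way to pass secrets.
  # A dedicated secret scanner in CI is the more dependable control.
  # The source listing repeated `severity: error` after `functionOptions`;
  # the duplicate key is dropped here.
  workflow-no-hardcoded-secrets:
    message: "Workflows must not contain hardcoded secrets"
    severity: error
    given: "$.jobs.*"
    then:
      field: env
      function: pattern
      functionOptions:
        match: "^(?!.*password|.*secret|.*token).*$"

  # Presence check for a top-level `permissions` key, so the workflow does not
  # silently inherit the repository's default token scopes.
  # NOTE(review): any truthy value passes, including `write-all`, and
  # job-level `permissions` blocks are not considered; least privilege still
  # has to be reviewed by hand.
  workflow-permissions-explicit:
    message: "Workflows should explicitly define permissions"
    severity: warning
    given: "$"
    then:
      field: permissions
      function: truthy

  # Action pinning

  # Step-level `uses` references must end in `@` followed by 40 lowercase hex
  # characters. Pinning to a full commit SHA keeps a moved tag or branch from
  # changing the code that runs.
  # NOTE(review): local actions (`./path`) and `docker://` references have no
  # such suffix and will be reported; job-level `uses` (reusable workflows) is
  # not matched by this path. Severity is `warning`, so pinning is advisory.
  actions-pinned-to-commit:
    message: "Actions should be pinned to commit SHA"
    severity: warning
    given: "$.jobs.*.steps[*].uses"
    then:
      function: pattern
      functionOptions:
        match: "@[a-f0-9]{40}$"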