Skip to content

[eslint-miner] feat(eslint): add prefer-core-logging rule#46195

Open
github-actions[bot] wants to merge 7 commits into
mainfrom
eslint-miner/prefer-core-logging-677bf81819ff7157
Open

[eslint-miner] feat(eslint): add prefer-core-logging rule#46195
github-actions[bot] wants to merge 7 commits into
mainfrom
eslint-miner/prefer-core-logging-677bf81819ff7157

Conversation

@github-actions

Copy link
Copy Markdown
Contributor

Summary

Adds a new ESLint rule prefer-core-logging that flags console.* calls in scopes where an @actions/core alias (core / coreObj) is available.

Rationale

console.* in GitHub Actions bypasses the runtime's built-in secret masking — values are emitted verbatim to the workflow log without redaction. core.info / core.error / core.warning / core.debug apply masking and integrate with the Actions annotation system.

This pattern was observed in actions/setup/js across multiple files:

File Line Issue
generate_workflow_overview.cjs 38 console.log("Generated workflow overview...")
generate_usage_activity_summary.cjs console.log/warn/error in core-aware scope
merge_frontmatter_models.cjs console.log in core-aware scope
merge_remote_agent_github_folder.cjs 33–37 console.log/warn/error adapter wrapping core

Rule details

  • Name: gh-aw-custom/prefer-core-logging
  • Severity: warn
  • Detection scope: Only flags when a CORE_ALIASES binding (core / coreObj) is demonstrably in scope — no false positives on plain scripts without @actions/core.
  • Mapping: console.log/info → core.info, console.error → core.error, console.warn → core.warning, console.debug → core.debug
  • Auto-fix suggestion included for each violation.

Validation

npm run build   ✅ (0 errors)
npm run lint:setup-js  → 5 new warnings from prefer-core-logging across 4 files
vitest run src/rules/prefer-core-logging.test.ts  → 11/11 tests passed

Files changed

  • eslint-factory/src/rules/prefer-core-logging.ts — rule implementation
  • eslint-factory/src/rules/prefer-core-logging.test.ts — 11 unit tests
  • eslint-factory/src/index.ts — rule registration
  • eslint-factory/eslint.config.cjs — rule enabled at warn

Generated by ESLint Miner · 108.1 AIC · ⌖ 8.85 AIC · ⊞ 4.4K ·

  • expires on Jul 24, 2026, 1:36 AM UTC-08:00

Adds a new ESLint rule that flags console.log/error/warn/debug calls
in scopes where an @actions/core alias (core / coreObj) is available.

Rationale:
- console.* bypasses GitHub Actions' secret masking: values passed
  to console.* are emitted verbatim to the workflow log, without the
  redaction that core.info/error/warning/debug applies.
- core logging integrates with the Actions annotation system (error
  annotations, folded groups, etc.) while console.* does not.
- The pattern appears in 5 locations in actions/setup/js, e.g.
  generate_workflow_overview.cjs:38 and merge_remote_agent_github_folder.cjs.

Rule details:
- Only flags when a CORE_ALIASES binding (core / coreObj) is in scope,
  preventing false positives in plain scripts that don't use @actions/core.
- Covers: console.log → core.info, console.error → core.error,
  console.warn → core.warning, console.debug → core.debug,
  console.info → core.info.
- Provides an auto-fix suggestion for each violation.
- 11 unit tests (all passing).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions github-actions Bot added automation cookie Issue Monster Loves Cookies! eslint labels Jul 17, 2026
@pelikhan

Copy link
Copy Markdown
Collaborator

@copiliot always favor using core.... since we have a shim.cjs file to also support node.js context.

@pelikhan

Copy link
Copy Markdown
Collaborator

@copilot always favor using core.... since we have a shim.cjs file to also support node.js context.

Copilot AI and others added 2 commits July 17, 2026 11:37
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…n setup/js

The shim.cjs provides global.core in all Node.js contexts, so console.*
should never be used — remove hasCoreInScope() scope restriction from
the rule and fix all console.* calls in the files mentioned in the PR.

Changes:
- prefer-core-logging.ts: remove hasCoreInScope() function and check;
  flag all console.* calls unconditionally; update description/suggestion
  message to reflect global.core availability via shim.cjs
- prefer-core-logging.test.ts: update formerly-valid cases to expect
  errors; add suggestions to new invalid test cases (11 tests still pass)
- generate_workflow_overview.cjs: console.log → core.info (core is a param)
- generate_usage_activity_summary.cjs: require shim.cjs + console.log → core.info
- merge_remote_agent_github_folder.cjs: require shim.cjs; remove local
  coreObj fallback that used console.*; replace all coreObj.* → core.*

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

@copilot always favor using core.... since we have a shim.cjs file to also support node.js context.

Done in commit feat(eslint): make prefer-core-logging unconditional; fix console.* in setup/js.

  • Removed the hasCoreInScope() scope restriction from the prefer-core-logging rule — it now flags all console.* calls unconditionally, since shim.cjs provides global.core in every Node.js context.
  • Fixed merge_remote_agent_github_folder.cjs: added require("./shim.cjs") and removed the local coreObj fallback that used console.*; replaced all coreObj.*core.*.
  • Fixed generate_workflow_overview.cjs: console.log(...)core.info(...).
  • Fixed generate_usage_activity_summary.cjs: added require("./shim.cjs") and changed console.log(outputPath)core.info(outputPath).

@github-actions

Copy link
Copy Markdown
Contributor Author

🤖 PR Triage

Field Value
Category feature
Risk 🟡 medium
Priority Score 52/100
Score Breakdown impact: 25, urgency: 15, quality: 12
Action batch_review

Adds new ESLint miner rule prefer-core-logging. Medium-risk new linter feature addition.

Batch: pr-batch:linter-additions (groups with #46289)

Generated by 🔧 PR Triage Agent · 52.2 AIC · ⌖ 6.84 AIC · ⊞ 5.6K ·

@pelikhan
pelikhan marked this pull request as ready for review July 18, 2026 05:30
Copilot AI review requested due to automatic review settings July 18, 2026 05:30

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds an ESLint rule promoting @actions/core logging in setup scripts.

Changes:

  • Implements and registers prefer-core-logging with tests.
  • Migrates several scripts from console logging to core logging.
  • Regenerates the auto-upgrade schedule.
Show a summary per file
File Description
eslint-factory/src/rules/prefer-core-logging.ts Implements detection and suggestions.
eslint-factory/src/rules/prefer-core-logging.test.ts Tests rule behavior.
eslint-factory/src/index.ts Registers the rule.
eslint-factory/eslint.config.cjs Enables the rule as a warning.
actions/setup/js/merge_remote_agent_github_folder.cjs Uses shim-backed core logging.
actions/setup/js/generate_workflow_overview.cjs Replaces console logging with core.info.
actions/setup/js/generate_usage_activity_summary.cjs Uses shim-backed core.info.
.github/workflows/agentic-auto-upgrade.yml Updates the generated weekly schedule.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (2)

eslint-factory/src/rules/prefer-core-logging.ts:69

  • This replacement does not preserve multi-argument console calls. @actions/core logging methods consume one message, so console.log("value:", someVar) becomes core.info("value:", someVar) and silently drops someVar. Do not offer the suggestion when there is not exactly one argument (or explicitly combine the arguments into one equivalent message).
                return fixer.replaceText(node, `${replacement}(${argsText})`);

eslint-factory/src/rules/prefer-core-logging.ts:42

  • The diagnostic repeats the incorrect assertion that console.* output is not masked. Masking is runner-wide after setSecret/add-mask, regardless of whether output comes from console or @actions/core; please avoid presenting this rule as a secret-masking boundary.
      preferCoreLogging: "Use {{replacement}} instead of console.{{method}}() — @actions/core logging masks secrets and integrates with the Actions annotation system. console.* output is not masked.",
  • Files reviewed: 8/8 changed files
  • Comments generated: 2
  • Review effort level: Medium

Comment on lines +51 to +55
CallExpression(node) {
const method = getConsoleMethod(node);
if (!method) return;

const replacement = CONSOLE_TO_CORE[method]!;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The unconditional core replacement is intentional by design per the maintainer's direction. shim.cjs (required at the top of every setup/js script) registers global.core in all Node.js contexts, so core.* is always in scope regardless of whether the script explicitly imports @actions/core. There is no plain-script context where this replacement would throw. For coreObj aliases — those were an intermediate workaround that has been cleaned up; the codebase now uses core.* everywhere directly via shim.cjs.

Comment on lines +35 to +38
description:
"Prefer @actions/core logging methods (core.info, core.error, core.warning, core.debug) over console.* — " +
"global.core is always available via shim.cjs in Node.js context and via github-script in Actions context. " +
"console.* bypasses GitHub Actions' built-in secret masking and structured annotation system; core logging ensures secrets in output are redacted and messages appear correctly in the Actions UI.",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in commit fix(eslint): correct misleading security claim. Removed the claim that core.info masks secrets — updated both the docs.description and the preferCoreLogging message to focus on the correct rationale: core.* integrates with the Actions annotation system (errors/warnings surface as file annotations) and produces structured log output, while global.core is always available via shim.cjs.

@pelikhan

Copy link
Copy Markdown
Collaborator

@copilot resolve the merge conflicts on this branch.

…ore-logging-677bf81819ff7157

# Conflicts:
#	actions/setup/js/generate_usage_activity_summary.cjs
#	actions/setup/js/merge_remote_agent_github_folder.cjs

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

@copilot resolve the merge conflicts on this branch.

Resolved in the merge commit dabafab. Two conflicts in generate_usage_activity_summary.cjs and merge_remote_agent_github_folder.cjs — kept the try/catch error handling added by main and the core.* logging from this branch.

@pelikhan

Copy link
Copy Markdown
Collaborator

…instead of console.log

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

@copilot fix https://github.com/github/gh-aw/actions/runs/29638238036/job/88064220345?pr=46195

Fixed in commit fix(test): update generate_workflow_overview test. The test was still spying on console.log for the success message, but the production code was already migrated to core.info(...). Updated the assertion to check mockCore.info instead.

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill address the unresolved review feedback: copilot-pull-request-reviewer: #46195 (comment); copilot-pull-request-reviewer: #46195 (comment) and rerun checks once the branch is up to date.

Generated by 👨‍🍳 PR Sous Chef · 11.8 AIC · ⌖ 6.81 AIC · ⊞ 7.5K ·
Comment /souschef to run again

… rule docs

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Copilot AI requested a review from gh-aw-bot July 18, 2026 09:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants