pub struct GhaJob {
    pub permissions: Option<Permissions>,
    pub env: Option<EnvSpec>,
    pub steps: Vec<GhaStep>,
    pub uses: Option<String>,
    pub with: Option<HashMap<String, Value>>,
    pub secrets: Option<Value>,
    pub container: Option<ContainerConfig>,
    pub strategy: Option<Value>,
    pub runs_on: Option<Value>,
    pub outputs: Option<HashMap<String, String>>,
    pub if_cond: Option<String>,
}

Fields
permissions: Option<Permissions>

env: Option<EnvSpec>
    Job-level env vars. Polymorphic: typically a map, but can be a
    template expression (e.g. env: ${{ matrix }}) whose shape is unknown
    statically.

steps: Vec<GhaStep>

uses: Option<String>
    Reusable workflow reference: uses: owner/repo/.github/workflows/foo.yml@ref

with: Option<HashMap<String, Value>>
    with: inputs passed to a reusable workflow call.

secrets: Option<Value>
    secrets: block on a reusable-workflow uses: call. Polymorphic:
    the literal string inherit (secrets: inherit) or a mapping of
    secret-name -> expression (secrets: { TOKEN: ${{ secrets.X }} }).
    We accept it as opaque YAML and inspect the variant in the parser.

container: Option<ContainerConfig>
    Job container image.

strategy: Option<Value>
    Matrix/strategy configuration. When a matrix is present, the authority
    shape may differ per matrix entry, so the graph is marked Partial.

runs_on: Option<Value>
    Runner label(s). Can be a string (ubuntu-latest), a sequence
    ([self-hosted, linux]), or absent for reusable workflows.

outputs: Option<HashMap<String, String>>
    jobs.<id>.outputs: map (output name -> expression). Captured for the
    sensitive_value_in_job_output rule, which inspects each value for
    secrets.* / steps.*.outputs.* references and credential-shaped
    names. Empty / absent for jobs that declare no outputs.

if_cond: Option<String>
    Job-level if: condition. Captured verbatim so rules can scan for
    the standard fork-check pattern
    (github.event.pull_request.head.repo.fork == false or the
    equivalent head.repo.full_name == github.repository). Job-level
    if: applies to every step the job contains.
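The field docs above describe four places where the parser or a rule has to inspect a polymorphic value: the secrets: block (inherit vs. mapping), runs_on (string vs. sequence vs. absent), the outputs map scanned by sensitive_value_in_job_output, and the fork-check guard in if_cond. The following is an added, self-contained illustration of those inspections and is not the project's own code: the Value enum is a stand-in for the opaque YAML type the real struct stores, the credential-word list is an assumed heuristic, and the input job fragment is constructed.

```rust
use std::collections::HashMap;

/// Stand-in for the opaque YAML `Value` the real struct holds (assumption:
/// a subset sufficient for the checks below, not the project's type).
#[derive(Debug, Clone, PartialEq)]
pub enum Value {
    Str(String),
    Seq(Vec<Value>),
    Map(Vec<(String, Value)>),
}

/// Resolved shape of a `secrets:` block on a reusable-workflow `uses:` call.
#[derive(Debug, PartialEq)]
pub enum SecretsSpec {
    /// `secrets: inherit`: every caller secret is forwarded to the callee.
    Inherit,
    /// Explicit mapping of secret-name -> expression.
    Explicit(Vec<(String, String)>),
    /// Any other shape cannot be resolved statically.
    Unknown,
}

/// Inspect the opaque `secrets` value and classify which variant it is.
pub fn classify_secrets(secrets: Option<&Value>) -> Option<SecretsSpec> {
    let v = secrets?;
    Some(match v {
        Value::Str(s) if s.trim() == "inherit" => SecretsSpec::Inherit,
        Value::Map(entries) => {
            let mut out = Vec::new();
            for (name, val) in entries {
                match val {
                    Value::Str(expr) => out.push((name.clone(), expr.clone())),
                    _ => return Some(SecretsSpec::Unknown),
                }
            }
            SecretsSpec::Explicit(out)
        }
        _ => SecretsSpec::Unknown,
    })
}

/// Flatten `runs_on` into runner labels: a string is one label, a sequence
/// is several, and `None` (reusable workflow) yields no labels.
pub fn runner_labels(runs_on: Option<&Value>) -> Vec<String> {
    match runs_on {
        Some(Value::Str(s)) => vec![s.clone()],
        Some(Value::Seq(items)) => items
            .iter()
            .filter_map(|v| match v { Value::Str(s) => Some(s.clone()), _ => None })
            .collect(),
        _ => Vec::new(),
    }
}

/// Why an entry of `jobs.<id>.outputs` was flagged.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub enum OutputFinding {
    SecretsRef,
    StepOutputRef,
    CredentialShapedName,
}

/// Substrings treated as "credential-shaped" output names (assumed heuristic).
const CREDENTIAL_WORDS: &[&str] =
    &["token", "secret", "password", "passwd", "credential", "api_key", "apikey"];

/// True if `expr` contains a `steps.<id>.outputs.` reference.
fn is_step_output_ref(expr: &str) -> bool {
    expr.match_indices("steps.").any(|(i, _)| {
        expr[i..].splitn(3, '.').nth(2).map_or(false, |rest| rest.starts_with("outputs."))
    })
}

/// Model of the sensitive_value_in_job_output rule: flag outputs whose value
/// references `secrets.*` or `steps.*.outputs.*`, or whose name looks like a
/// credential. Findings are sorted so results are deterministic.
pub fn scan_outputs(outputs: &HashMap<String, String>) -> Vec<(String, OutputFinding)> {
    let mut findings = Vec::new();
    for (name, expr) in outputs {
        if expr.contains("secrets.") {
            findings.push((name.clone(), OutputFinding::SecretsRef));
        }
        if is_step_output_ref(expr) {
            findings.push((name.clone(), OutputFinding::StepOutputRef));
        }
        let lower = name.to_ascii_lowercase();
        if CREDENTIAL_WORDS.iter().any(|w| lower.contains(w)) {
            findings.push((name.clone(), OutputFinding::CredentialShapedName));
        }
    }
    findings.sort();
    findings
}

/// Detect the standard fork-check guard in a job-level `if:`; whitespace
/// inside the expression is ignored so `fork==false` and `fork == false` match.
pub fn has_fork_check(if_cond: Option<&str>) -> bool {
    let compact: String = match if_cond {
        Some(c) => c.chars().filter(|ch| !ch.is_whitespace()).collect(),
        None => return false,
    };
    compact.contains("github.event.pull_request.head.repo.fork==false")
        || compact.contains("head.repo.full_name==github.repository")
}

fn main() {
    // Constructed job fragment, not taken from any real workflow.
    let mut outputs = HashMap::new();
    outputs.insert("image_tag".to_string(), "${{ steps.build.outputs.tag }}".to_string());
    outputs.insert("deploy_token".to_string(), "${{ secrets.DEPLOY_TOKEN }}".to_string());
    outputs.insert("version".to_string(), "${{ github.sha }}".to_string());
    for (name, why) in scan_outputs(&outputs) {
        println!("output `{}` flagged: {:?}", name, why);
    }
    let secrets = Value::Map(vec![("TOKEN".into(), Value::Str("${{ secrets.X }}".into()))]);
    println!("{:?}", classify_secrets(Some(&secrets)));
    let labels = Value::Seq(vec![Value::Str("self-hosted".into()), Value::Str("linux".into())]);
    println!("{:?}", runner_labels(Some(&labels)));
    println!("{}", has_fork_check(Some("${{ github.event.pull_request.head.repo.fork == false }}")));
}
```

The output scan deliberately reports every reason an entry is suspicious rather than stopping at the first, since an output named like a credential that also forwards a secrets.* reference is the case a reviewer most wants surfaced; the fork-check matcher only recognises the two spellings the docs name, so any other guard expression is reported as absent rather than guessed at.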