ISSUE-417 High Quick CLI Pipeline Composition

Required action or reusable workflow is missing

Control: Workflows must include required actions · Config key: workflowMustIncludeRequiredActions

📋 What is this?

An action or reusable workflow declared as required in workflowMustIncludeRequiredActions.requiredGroups is not referenced by any job or step in the project's .github/workflows/ files. The missing reference means a mandatory security scan, compliance check, or organisation-wide workflow is not actually running on this repository.

⚠️ Impact

A control that exists in policy but not in the pipeline gives a false sense of coverage. Auditors looking at the org-wide policy see the rule; the repo's actual workflow run does not exercise it. Common cases: a new repo onboarded without copying the security workflow, a refactor that dropped a uses: step, or a misspelled action name that resolves to nothing.

🔧 How to fix

Add a step or job in one of the project's workflow files that references the required action or reusable workflow. The control accepts two shapes: a step-level uses: <owner>/<repo>[/path]@<ref> (action invocation) and a job-level jobs.<name>.uses: <owner>/<repo>/.github/workflows/<file>.yml@<ref> (reusable workflow call). Plumber matches the owner/repo[/path] prefix ref-agnostically, so any pinned ref satisfies the control.

✗ Before

Neither `myorg/sast-scan` nor `myorg/dependency-review` is referenced anywhere; the policy fires for both.

  # .github/workflows/ci.yml — ❌ Required SAST action is not referenced
  on: [push, pull_request]
  jobs:
    build:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        - run: make build

  # .plumber.yaml
  # github:
  #   controls:
  #     workflowMustIncludeRequiredActions:
  #       enabled: true
  #       requiredGroups:
  #         - ["myorg/sast-scan", "myorg/dependency-review"]
✓ After

Both required actions are referenced; the AND group is satisfied and the policy reports 100% compliant.

  # .github/workflows/ci.yml — ✅ Required actions wired up
  on: [push, pull_request]
  jobs:
    build:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        - run: make build
    security:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        - uses: myorg/sast-scan@abc1234567890abc1234567890abc1234567890a
        - uses: myorg/dependency-review@def4567890def4567890def4567890def4567890

💡 Tips

  • DNF semantics: the outer list is OR, the inner is AND. [[a, b], [c]] reads as (a AND b) OR c. Use this when you have a primary security suite plus an all-in-one alternative.
  • Use required: a AND b OR c if the boolean expression feels clearer than nested arrays. AND binds tighter than OR.
  • Reusable-workflow calls (jobs.<name>.uses: owner/repo/.github/workflows/file.yml@ref) count the same as step-level action uses: references. List the full path of the reusable workflow when that is the specific entry you require.
  • Matching is ref-agnostic, so myorg/sast-scan is satisfied by myorg/sast-scan@v2, myorg/sast-scan@abc1234…, and myorg/sast-scan/composite@v1. Pin the ref in the workflow with the standard SHA convention; this control does not care which ref.
  • Slash-guard prevents accidental matches: myorg/sast-scan does NOT match myorg/sast-scan-fork@v1.
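The matching rules in the tips above (ref-agnostic prefix, slash guard, DNF groups, and the AND/OR expression form) can be checked locally before a policy run. The script below is an added example written for this page, not Plumber's own implementation; the helper names (extract_uses, satisfies, parse_required_expr, evaluate_groups), the constructed sample workflows, and the reusable-workflow path myorg/policies/.github/workflows/compliance.yml are assumptions. It scans uses: lines with a regex so it needs only the standard library.

```python
"""Evaluate requiredGroups-style rules against GitHub workflow text.

Added example for this page; not Plumber's code. Helper names and sample
inputs are assumptions. Only the standard library is used, so uses: targets
are pulled out with a regex rather than a full YAML parser.
"""
import re

# Matches step-level "- uses: x" and job-level "uses: x". Comment lines start
# with "#" and therefore never match the anchored prefix.
USES_RE = re.compile(r'^\s*(?:-\s+)?uses:\s*["\']?([^\s"\'#]+)', re.MULTILINE)

# Constructed sample: the "Before" workflow from this page (required actions absent).
WORKFLOW_BEFORE = """\
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - run: make build
"""

# Constructed sample: the "After" workflow plus a reusable-workflow call (assumed path).
WORKFLOW_AFTER = WORKFLOW_BEFORE + """\
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: myorg/sast-scan@abc1234567890abc1234567890abc1234567890a
      - uses: myorg/dependency-review@def4567890def4567890def4567890def4567890
  compliance:
    uses: myorg/policies/.github/workflows/compliance.yml@v3
"""


def extract_uses(workflow_text: str) -> list[str]:
    """Return every uses: target in the file, ref included."""
    return USES_RE.findall(workflow_text)


def satisfies(required: str, uses_target: str) -> bool:
    """Ref-agnostic prefix match with a slash guard.

    myorg/sast-scan matches myorg/sast-scan@v2 and myorg/sast-scan/composite@v1,
    but not myorg/sast-scan-fork@v1: only an exact name or a "/" path boundary
    continues the match.
    """
    name = uses_target.split("@", 1)[0]
    return name == required or name.startswith(required + "/")


def parse_required_expr(expr: str) -> list[list[str]]:
    """Turn "a AND b OR c" into DNF groups [["a", "b"], ["c"]]; AND binds tighter than OR."""
    return [[term.strip() for term in clause.split(" AND ")] for clause in expr.split(" OR ")]


def evaluate_groups(required_groups: list[list[str]], uses_targets: list[str]) -> dict:
    """Outer list is OR, inner list is AND.

    Returns the first satisfied group, or the missing entries of every group
    so the finding can say exactly what to wire up.
    """
    report = {"compliant": False, "satisfied_group": None, "missing": {}}
    for group in required_groups:
        missing = [req for req in group if not any(satisfies(req, u) for u in uses_targets)]
        if not missing:
            return {"compliant": True, "satisfied_group": group, "missing": {}}
        report["missing"][" AND ".join(group)] = missing
    return report


if __name__ == "__main__":
    groups = [["myorg/sast-scan", "myorg/dependency-review"]]
    for label, text in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        print(label, evaluate_groups(groups, extract_uses(text)))
```

Running it reports the "before" workflow as non-compliant with both entries of the single AND group missing, and the "after" workflow as compliant; feeding it parse_required_expr("... OR myorg/dependency-review") shows how an OR alternative is satisfied by a single reference. A real policy run should scan every file under .github/workflows/, not one file, since a reference in any workflow counts.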

⚙️ Configuration

This control is configured in .plumber.yaml under the github section:

github:
  controls:
    workflowMustIncludeRequiredActions:
      enabled: true

See the CLI documentation for the full configuration reference.