Refactor: Replace YamlHelper utility with YamlScalarAccessor trait

Migrated all security recipes from static YamlHelper utility methods to
the YamlScalarAccessor trait pattern. This improves code organization and
follows OpenRewrite best practices for LST manipulation.

Changes:
- Created YamlScalarAccessor trait with 6 default methods
- Migrated 7 recipes to implement the trait
- Deleted deprecated YamlHelper utility class
- All tests pass

Author: sjungling

src/main/java/org/openrewrite/github/security/ArtifactSecurityRecipe.java

@@ -19,6 +19,7 @@
 import lombok.Value;
 import org.jspecify.annotations.Nullable;
 import org.openrewrite.*;
+import org.openrewrite.github.traits.YamlScalarAccessor;
 import org.openrewrite.marker.SearchResult;
 import org.openrewrite.yaml.JsonPathMatcher;
 import org.openrewrite.yaml.YamlIsoVisitor;
@@ -78,7 +79,7 @@ public TreeVisitor<?, ExecutionContext> getVisitor() {
         );
     }
 
-    private static class ArtifactSecurityVisitor extends YamlIsoVisitor<ExecutionContext> {
+    private static class ArtifactSecurityVisitor extends YamlIsoVisitor<ExecutionContext> implements YamlScalarAccessor {
 
         private static final JsonPathMatcher STEP_USES_MATCHER = new JsonPathMatcher("$..steps[*].uses");
 
@@ -108,7 +109,7 @@ public Yaml.Mapping.Entry visitMappingEntry(Yaml.Mapping.Entry entry, ExecutionC
 
 
         private Yaml.Mapping.Entry checkUsesEntry(Yaml.Mapping.Entry entry) {
-            String usesValue = YamlHelper.getScalarValue(entry.getValue());
+            String usesValue = getScalarValue(entry.getValue());
             if (usesValue == null) {
                 return entry;
             }
@@ -133,7 +134,7 @@ private Yaml.Mapping.Entry checkCheckoutAction(Yaml.Mapping.Entry entry) {
                 return entry;
             }
 
-            String persistCredentials = YamlHelper.findNestedScalarValue(stepMapping, "with", "persist-credentials");
+            String persistCredentials = findNestedScalarValue(stepMapping, "with", "persist-credentials");
 
             if (persistCredentials == null) {
                 // No 'with' section or no persist-credentials means default behavior (persist-credentials: true)
@@ -159,7 +160,7 @@ private Yaml.Mapping.Entry checkUploadArtifactAction(Yaml.Mapping.Entry entry) {
                 return entry;
             }
 
-            String pathValue = YamlHelper.findNestedScalarValue(stepMapping, "with", "path");
+            String pathValue = findNestedScalarValue(stepMapping, "with", "path");
             if (pathValue != null && hasDangerousArtifactPaths(pathValue)) {
                 return SearchResult.found(entry,
                         "Uploading potentially sensitive paths that may contain credentials or configuration files.");

src/main/java/org/openrewrite/github/security/CachePoisoningRecipe.java

@@ -20,6 +20,7 @@
 import org.openrewrite.ExecutionContext;
 import org.openrewrite.Recipe;
 import org.openrewrite.TreeVisitor;
+import org.openrewrite.github.traits.YamlScalarAccessor;
 import org.openrewrite.marker.SearchResult;
 import org.openrewrite.yaml.YamlIsoVisitor;
 import org.openrewrite.yaml.tree.Yaml;
@@ -90,7 +91,7 @@ public TreeVisitor<?, ExecutionContext> getVisitor() {
         return new CachePoisoningVisitor();
     }
 
-    private static class CachePoisoningVisitor extends YamlIsoVisitor<ExecutionContext> {
+    private static class CachePoisoningVisitor extends YamlIsoVisitor<ExecutionContext> implements YamlScalarAccessor {
 
         private boolean isPublishingWorkflow = false;
         private boolean hasPublisherAction = false;
@@ -131,14 +132,14 @@ private void analyzeWorkflow(Yaml.Document document) {
         }
 
         private boolean isPublishingTrigger(Yaml.Block onValue) {
-            String scalarTrigger = YamlHelper.getScalarValue(onValue);
+            String scalarTrigger = getScalarValue(onValue);
             if (scalarTrigger != null) {
                 return "release".equals(scalarTrigger);
             }
             if (onValue instanceof Yaml.Sequence) {
                 Yaml.Sequence sequence = (Yaml.Sequence) onValue;
                 for (Yaml.Sequence.Entry seqEntry : sequence.getEntries()) {
-                    String trigger = YamlHelper.getScalarValue(seqEntry.getBlock());
+                    String trigger = getScalarValue(seqEntry.getBlock());
                     if ("release".equals(trigger)) {
                         return true;
                     }
@@ -184,7 +185,7 @@ private boolean hasReleaseBranches(Yaml.Block branchesValue) {
             if (branchesValue instanceof Yaml.Sequence) {
                 Yaml.Sequence sequence = (Yaml.Sequence) branchesValue;
                 for (Yaml.Sequence.Entry entry : sequence.getEntries()) {
-                    String branch = YamlHelper.getScalarValue(entry.getBlock());
+                    String branch = getScalarValue(entry.getBlock());
                     if (branch != null && RELEASE_BRANCH_PATTERN.matcher(branch).matches()) {
                         return true;
                     }
@@ -230,7 +231,7 @@ private boolean jobHasPublisherAction(Yaml.Mapping jobMapping) {
         private boolean stepUsesPublisherAction(Yaml.Mapping stepMapping) {
             for (Yaml.Mapping.Entry entry : stepMapping.getEntries()) {
                 if ("uses".equals(entry.getKey().getValue())) {
-                    String uses = YamlHelper.getScalarValue(entry.getValue());
+                    String uses = getScalarValue(entry.getValue());
                     if (uses != null) {
                         String actionName = extractActionName(uses);
                         return PUBLISHER_ACTIONS.contains(actionName);
@@ -262,7 +263,7 @@ private boolean isCacheAwareActionStep(Yaml.Mapping.Entry entry) {
                 return false;
             }
 
-            String uses = YamlHelper.getScalarValue(entry.getValue());
+            String uses = getScalarValue(entry.getValue());
             if (uses == null) {
                 return false;
             }
@@ -272,7 +273,7 @@ private boolean isCacheAwareActionStep(Yaml.Mapping.Entry entry) {
         }
 
         private String getActionName(Yaml.Mapping.Entry entry) {
-            String uses = YamlHelper.getScalarValue(entry.getValue());
+            String uses = getScalarValue(entry.getValue());
             return uses != null ? extractActionName(uses) : "unknown";
         }
 

src/main/java/org/openrewrite/github/security/ExcessivePermissionsRecipe.java

@@ -18,6 +18,7 @@
 import lombok.EqualsAndHashCode;
 import lombok.Value;
 import org.openrewrite.*;
+import org.openrewrite.github.traits.YamlScalarAccessor;
 import org.openrewrite.marker.SearchResult;
 import org.openrewrite.yaml.YamlIsoVisitor;
 import org.openrewrite.yaml.tree.Yaml;
@@ -58,7 +59,7 @@ public TreeVisitor<?, ExecutionContext> getVisitor() {
         );
     }
 
-    private static class ExcessivePermissionsVisitor extends YamlIsoVisitor<ExecutionContext> {
+    private static class ExcessivePermissionsVisitor extends YamlIsoVisitor<ExecutionContext> implements YamlScalarAccessor {
 
         @Override
         public Yaml.Mapping.Entry visitMappingEntry(Yaml.Mapping.Entry entry, ExecutionContext ctx) {
@@ -76,7 +77,7 @@ private boolean isPermissionsEntry(Yaml.Mapping.Entry entry) {
         }
 
         private Yaml.Mapping.Entry checkPermissions(Yaml.Mapping.Entry entry) {
-            String scalarPermissionValue = YamlHelper.getScalarValue(entry.getValue());
+            String scalarPermissionValue = getScalarValue(entry.getValue());
             if (scalarPermissionValue != null) {
                 return checkScalarPermissions(entry, scalarPermissionValue);
             }
@@ -107,7 +108,7 @@ private Yaml.Mapping.Entry checkMappingPermissions(Yaml.Mapping.Entry entry, Yam
 
             for (Yaml.Mapping.Entry permEntry : permissionsMapping.getEntries()) {
                 String permissionName = permEntry.getKey().getValue();
-                String permissionValue = YamlHelper.getScalarValue(permEntry.getValue());
+                String permissionValue = getScalarValue(permEntry.getValue());
                 if (permissionName != null && permissionValue != null) {
 
                     if ("write".equals(permissionValue)) {

src/main/java/org/openrewrite/github/security/GitHubEnvRecipe.java

@@ -20,6 +20,7 @@
 import org.openrewrite.ExecutionContext;
 import org.openrewrite.Recipe;
 import org.openrewrite.TreeVisitor;
+import org.openrewrite.github.traits.YamlScalarAccessor;
 import org.openrewrite.marker.SearchResult;
 import org.openrewrite.yaml.YamlIsoVisitor;
 import org.openrewrite.yaml.tree.Yaml;
@@ -75,7 +76,7 @@ public TreeVisitor<?, ExecutionContext> getVisitor() {
         return new GitHubEnvVisitor();
     }
 
-    private static class GitHubEnvVisitor extends YamlIsoVisitor<ExecutionContext> {
+    private static class GitHubEnvVisitor extends YamlIsoVisitor<ExecutionContext> implements YamlScalarAccessor {
 
         private boolean hasDangerousTriggers = false;
 
@@ -109,14 +110,14 @@ private void analyzeTriggers(Yaml.Document document) {
         }
 
         private boolean checkForDangerousTriggers(Yaml.Block onValue) {
-            String scalarTrigger = YamlHelper.getScalarValue(onValue);
+            String scalarTrigger = getScalarValue(onValue);
             if (scalarTrigger != null) {
                 return DANGEROUS_TRIGGERS.contains(scalarTrigger);
             }
             if (onValue instanceof Yaml.Sequence) {
                 Yaml.Sequence sequence = (Yaml.Sequence) onValue;
                 for (Yaml.Sequence.Entry seqEntry : sequence.getEntries()) {
-                    String trigger = YamlHelper.getScalarValue(seqEntry.getBlock());
+                    String trigger = getScalarValue(seqEntry.getBlock());
                     if (trigger != null && DANGEROUS_TRIGGERS.contains(trigger)) {
                         return true;
                     }
@@ -163,7 +164,7 @@ private boolean isRunStepEntry(Yaml.Mapping.Entry entry) {
         }
 
         private String getRunContent(Yaml.Mapping.Entry entry) {
-            return YamlHelper.getScalarValue(entry.getValue());
+            return getScalarValue(entry.getValue());
         }
 
         private boolean usesGitHubEnv(String runContent) {

src/main/java/org/openrewrite/github/security/SelfHostedRunnerRecipe.java

@@ -18,6 +18,7 @@
 import lombok.EqualsAndHashCode;
 import lombok.Value;
 import org.openrewrite.*;
+import org.openrewrite.github.traits.YamlScalarAccessor;
 import org.openrewrite.marker.SearchResult;
 import org.openrewrite.yaml.YamlIsoVisitor;
 import org.openrewrite.yaml.tree.Yaml;
@@ -47,7 +48,7 @@ public TreeVisitor<?, ExecutionContext> getVisitor() {
         );
     }
 
-    private static class SelfHostedRunnerVisitor extends YamlIsoVisitor<ExecutionContext> {
+    private static class SelfHostedRunnerVisitor extends YamlIsoVisitor<ExecutionContext> implements YamlScalarAccessor {
 
         @Override
         public Yaml.Mapping.Entry visitMappingEntry(Yaml.Mapping.Entry entry, ExecutionContext ctx) {
@@ -87,7 +88,7 @@ private Yaml.Mapping.Entry checkRunsOnValue(Yaml.Mapping.Entry entry, String run
         }
 
         private Yaml.Mapping.Entry checkRunsOnSequence(Yaml.Mapping.Entry entry, Yaml.Sequence sequence) {
-            String firstValue = YamlHelper.getScalarValue(sequence.getEntries().get(0).getBlock());
+            String firstValue = getScalarValue(sequence.getEntries().get(0).getBlock());
             if ("self-hosted".equals(firstValue)) {
                 return SearchResult.found(entry,
                         "Uses self-hosted runner which may have security implications in public repositories. " +
@@ -137,7 +138,7 @@ private boolean containsSelfHostedInMatrixValues(Yaml.Mapping matrixMapping) {
                 if (matrixEntry.getValue() instanceof Yaml.Sequence) {
                     Yaml.Sequence sequence = (Yaml.Sequence) matrixEntry.getValue();
                     for (Yaml.Sequence.Entry seqEntry : sequence.getEntries()) {
-                        String value = YamlHelper.getScalarValue(seqEntry.getBlock());
+                        String value = getScalarValue(seqEntry.getBlock());
                         if ("self-hosted".equals(value)) {
                             return true;
                         }

src/main/java/org/openrewrite/github/security/TemplateInjectionRecipe.java

@@ -19,6 +19,7 @@
 import lombok.Value;
 import org.jspecify.annotations.Nullable;
 import org.openrewrite.*;
+import org.openrewrite.github.traits.YamlScalarAccessor;
 import org.openrewrite.marker.SearchResult;
 import org.openrewrite.yaml.JsonPathMatcher;
 import org.openrewrite.yaml.YamlIsoVisitor;
@@ -93,7 +94,7 @@ public TreeVisitor<?, ExecutionContext> getVisitor() {
         );
     }
 
-    private static class TemplateInjectionVisitor extends YamlIsoVisitor<ExecutionContext> {
+    private static class TemplateInjectionVisitor extends YamlIsoVisitor<ExecutionContext> implements YamlScalarAccessor {
 
         private static final JsonPathMatcher STEP_RUN_MATCHER = new JsonPathMatcher("$..steps[*].run");
         private static final JsonPathMatcher STEP_USES_MATCHER = new JsonPathMatcher("$..steps[*].uses");
@@ -122,7 +123,7 @@ public Yaml.Mapping.Entry visitMappingEntry(Yaml.Mapping.Entry entry, ExecutionC
         }
 
         private Yaml.Mapping.Entry checkRunEntry(Yaml.Mapping.Entry entry) {
-            String runCommand = YamlHelper.getScalarValue(entry.getValue());
+            String runCommand = getScalarValue(entry.getValue());
             if (runCommand == null) {
                 return entry;
             }
@@ -143,7 +144,7 @@ private Yaml.Mapping.Entry checkRunEntry(Yaml.Mapping.Entry entry) {
         }
 
         private Yaml.Mapping.Entry checkUsesEntry(Yaml.Mapping.Entry entry) {
-            String usesValue = YamlHelper.getScalarValue(entry.getValue());
+            String usesValue = getScalarValue(entry.getValue());
             if (usesValue == null) {
                 return entry;
             }
@@ -161,7 +162,7 @@ private Yaml.Mapping.Entry checkUsesEntry(Yaml.Mapping.Entry entry) {
         }
 
         private Yaml.Mapping.Entry checkScriptEntry(Yaml.Mapping.Entry entry) {
-            String scriptContent = YamlHelper.getScalarValue(entry.getValue());
+            String scriptContent = getScalarValue(entry.getValue());
             if (scriptContent == null) {
                 return entry;
             }

src/main/java/org/openrewrite/github/security/UnpinnedDockerImagesRecipe.java

@@ -18,6 +18,7 @@
 import lombok.EqualsAndHashCode;
 import lombok.Value;
 import org.openrewrite.*;
+import org.openrewrite.github.traits.YamlScalarAccessor;
 import org.openrewrite.marker.SearchResult;
 import org.openrewrite.yaml.YamlIsoVisitor;
 import org.openrewrite.yaml.tree.Yaml;
@@ -55,7 +56,7 @@ public TreeVisitor<?, ExecutionContext> getVisitor() {
         );
     }
 
-    private static class UnpinnedDockerImagesVisitor extends YamlIsoVisitor<ExecutionContext> {
+    private static class UnpinnedDockerImagesVisitor extends YamlIsoVisitor<ExecutionContext> implements YamlScalarAccessor {
 
         @Override
         public Yaml.Mapping.Entry visitMappingEntry(Yaml.Mapping.Entry entry, ExecutionContext ctx) {
@@ -78,7 +79,7 @@ private boolean isImageEntry(Yaml.Mapping.Entry entry) {
         }
 
         private String getImageValue(Yaml.Mapping.Entry entry) {
-            return YamlHelper.getScalarValue(entry.getValue());
+            return getScalarValue(entry.getValue());
         }
 
         private boolean isUnpinnedDockerImage(String imageValue) {