chore: add tests, update docs and actions (#299)

* docs: update documentation

* feat: validate-inputs has it's own pyproject

* security: mask DOCKERHUB_PASSWORD

* chore: add tokens, checkout, recrete docs, integration tests

* fix: add `statuses: write` permission to pr-lint

docker-publish/README.md

@@ -21,6 +21,7 @@ Publish a Docker image to GitHub Packages and Docker Hub.
 | `verbose`               | <p>Enable verbose logging</p>                                     | `false`  | `false`                                |
 | `dockerhub-username`    | <p>Docker Hub username for authentication</p>                     | `false`  | `""`                                   |
 | `dockerhub-password`    | <p>Docker Hub password or access token for authentication</p>     | `false`  | `""`                                   |
+| `token`                 | <p>GitHub token for authentication</p>                            | `false`  | `""`                                   |
 
 ### Outputs
 
@@ -109,4 +110,10 @@ This action is a `composite` action.
     #
     # Required: false
     # Default: ""
+
+    token:
+    # GitHub token for authentication
+    #
+    # Required: false
+    # Default: ""
 ```

docker-publish/action.yml

@@ -54,6 +54,10 @@ inputs:
   dockerhub-password:
     description: 'Docker Hub password or access token for authentication'
     required: false
+  token:
+    description: 'GitHub token for authentication'
+    required: false
+    default: ''
 
 outputs:
   registry:
@@ -84,6 +88,18 @@ outputs:
 runs:
   using: composite
   steps:
+    - name: Mask Sensitive Inputs
+      shell: bash
+      env:
+        DOCKERHUB_PASSWORD: ${{ inputs.dockerhub-password }}
+      run: |
+        set -euo pipefail
+
+        # Mask Docker Hub credentials to prevent exposure in logs
+        if [[ -n "${DOCKERHUB_PASSWORD}" ]]; then
+          echo "::add-mask::${DOCKERHUB_PASSWORD}"
+        fi
+
     - name: Validate Inputs
       id: validate
       shell: bash
@@ -147,6 +163,11 @@ runs:
 
         echo "Publishing to: $REGISTRY"
 
+    - name: Checkout Repository
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        token: ${{ inputs.token || github.token }}
+
     - name: Build Multi-Arch Docker Image
       id: build
       uses: ./docker-build

docker-publish/rules.yml

@@ -2,7 +2,7 @@
 # Validation rules for docker-publish action
 # Generated by update-validators.py v1.0.0 - DO NOT EDIT MANUALLY
 # Schema version: 1.0
-# Coverage: 100% (11/11 inputs)
+# Coverage: 100% (12/12 inputs)
 #
 # This file defines validation rules for the docker-publish GitHub Action.
 # Rules are automatically applied by validate-inputs action when this
@@ -25,6 +25,7 @@ optional_inputs:
   - platforms
   - scan-image
   - sign-image
+  - token
   - verbose
 conventions:
   auto-detect-platforms: docker_architectures
@@ -37,14 +38,15 @@ conventions:
   registry: registry
   scan-image: boolean
   sign-image: boolean
+  token: github_token
   verbose: boolean
 overrides:
   cache-mode: cache_mode
   platforms: null
   registry: registry_enum
 statistics:
-  total_inputs: 11
-  validated_inputs: 11
+  total_inputs: 12
+  validated_inputs: 12
   skipped_inputs: 1
   coverage_percentage: 100
 validation_coverage: 100
@@ -52,7 +54,7 @@ auto_detected: true
 manual_review_required: false
 quality_indicators:
   has_required_inputs: true
-  has_token_validation: false
+  has_token_validation: true
   has_version_validation: true
   has_file_validation: false
   has_security_validation: true