feat: fixes, tweaks, new actions, linting (#186)

* feat: fixes, tweaks, new actions, linting
* fix: improve docker publish loops and dotnet parsing (#193)
* fix: harden action scripts and version checks (#191)
* refactor: major repository restructuring and security enhancements

Add comprehensive development infrastructure:
- Add Makefile with automated documentation generation, formatting, and linting tasks
- Add TODO.md tracking self-containment progress and repository improvements
- Add .nvmrc for consistent Node.js version management
- Create python-version-detect-v2 action for enhanced Python detection

Enhance all GitHub Actions with standardized patterns:
- Add consistent token handling across 27 actions using standardized input patterns
- Implement bash error handling (set -euo pipefail) in all shell steps
- Add comprehensive input validation for path traversal and command injection protection
- Standardize checkout token authentication to prevent rate limiting
- Remove relative action dependencies to ensure external usability

Rewrite security workflow for PR-focused analysis:
- Transform security-suite.yml to PR-only security analysis workflow
- Remove scheduled runs, repository issue management, and Slack notifications
- Implement smart comment generation showing only sections with content
- Add GitHub Actions permission diff analysis and new action detection
- Integrate OWASP, Semgrep, and TruffleHog for comprehensive PR security scanning

Improve version detection and dependency management:
- Simplify version detection actions to use inline logic instead of shared utilities
- Fix Makefile version detection fallback to properly return 'main' when version not found
- Update all external action references to use SHA-pinned versions
- Remove deprecated run.sh in favor of Makefile automation

Update documentation and project standards:
- Enhance CLAUDE.md with self-containment requirements and linting standards
- Update README.md with improved action descriptions and usage examples
- Standardize code formatting with updated .editorconfig and .prettierrc.yml
- Improve GitHub templates for issues and security reporting

This refactoring ensures all 40 actions are fully self-contained and can be used independently when
referenced as ivuorinen/actions/action-name@main, addressing the critical requirement for external
usability while maintaining comprehensive security analysis and development automation.

* feat: add automated action catalog generation system

- Create generate_listing.cjs script for comprehensive action catalog
- Add package.json with development tooling and npm scripts
- Implement automated README.md catalog section with --update flag
- Generate markdown reference-style links for all 40 actions
- Add categorized tables with features, language support matrices
- Replace static reference links with auto-generated dynamic links
- Enable complete automation of action documentation maintenance

* feat: enhance actions with improved documentation and functionality

- Add comprehensive README files for 12 actions with usage examples
- Implement new utility actions (go-version-detect, dotnet-version-detect)
- Enhance node-setup with extensive configuration options
- Improve error handling and validation across all actions
- Update package.json scripts for better development workflow
- Expand TODO.md with detailed roadmap and improvement plans
- Standardize action structure with consistent inputs/outputs

* feat: add comprehensive output handling across all actions

- Add standardized outputs to 15 actions that previously had none
- Implement consistent snake_case naming convention for all outputs
- Add build status and test results outputs to build actions
- Add files changed and status outputs to lint/fix actions
- Add test execution metrics to php-tests action
- Add stale/closed counts to stale action
- Add release URLs and IDs to github-release action
- Update documentation with output specifications
- Mark comprehensive output handling task as complete in TODO.md

* feat: implement shared cache strategy across all actions

- Add caching to 10 actions that previously had none (Node.js, .NET, Python, Go)
- Standardize 4 existing actions to use common-cache instead of direct actions/cache
- Implement consistent cache-hit optimization to skip installations when cache available
- Add language-specific cache configurations with appropriate key files
- Create unified caching approach using ivuorinen/actions/common-cache@main
- Fix YAML syntax error in php-composer action paths parameter
- Update TODO.md to mark shared cache strategy as complete

* feat: implement comprehensive retry logic for network operations

- Create new common-retry action for standardized retry patterns with configurable strategies
- Add retry logic to 9 actions missing network retry capabilities
- Implement exponential backoff, custom timeouts, and flexible error handling
- Add max-retries input parameter to all network-dependent actions (Node.js, .NET, Python, Go)
- Standardize existing retry implementations to use common-retry utility
- Update action catalog to include new common-retry action (41 total actions)
- Update documentation with retry configuration examples and parameters
- Mark retry logic implementation as complete in TODO.md roadmap

* feat: enhance Node.js support with Corepack and Bun

- Add Corepack support for automatic package manager version management
- Add Bun package manager support across all Node.js actions
- Improve Yarn Berry/PnP support with .yarnrc.yml detection
- Add Node.js feature detection (ESM, TypeScript, frameworks)
- Update package manager detection priority and lockfile support
- Enhance caching with package-manager-specific keys
- Update eslint, prettier, and biome actions for multi-package-manager support

* fix: resolve critical runtime issues across multiple actions

- Fix token validation by removing ineffective literal string comparisons
- Add missing @microsoft/eslint-formatter-sarif dependency for SARIF output
- Fix Bash variable syntax errors in username and changelog length checks
- Update Dockerfile version regex to handle tags with suffixes (e.g., -alpine)
- Simplify version selection logic with single grep command
- Fix command execution in retry action with proper bash -c wrapper
- Correct step output references using .outcome instead of .outputs.outcome
- Add missing step IDs for version detection actions
- Include go.mod in cache key files for accurate invalidation
- Require minor version in all version regex patterns
- Improve Bun installation security by verifying script before execution
- Replace bc with sort -V for portable PHP version comparison
- Remove non-existent pre-commit output references

These fixes ensure proper runtime behavior, improved security, and better
cross-platform compatibility across all affected actions.

* fix: resolve critical runtime and security issues across actions

- Fix biome-fix files_changed calculation using git diff instead of git status delta
- Fix compress-images output description and add absolute path validation
- Remove csharp-publish token default and fix token fallback in push commands
- Add @microsoft/eslint-formatter-sarif to all package managers in eslint-check
- Fix eslint-check command syntax by using variable assignment
- Improve node-setup Bun installation security and remove invalid frozen-lockfile flag
- Fix pre-commit token validation by removing ineffective literal comparison
- Fix prettier-fix token comparison and expand regex for all GitHub token types
- Add version-file-parser regex validation safety and fix csproj wildcard handling

These fixes address security vulnerabilities, runtime errors, and functional issues
to ensure reliable operation across all affected GitHub Actions.

* feat: enhance Docker actions with advanced multi-architecture support

Major enhancement to Docker build and publish actions with comprehensive
multi-architecture capabilities and enterprise-grade features.

Added features:
- Advanced buildx configuration (version control, cache modes, build contexts)
- Auto-detect platforms for dynamic architecture discovery
- Performance optimizations with enhanced caching strategies
- Security scanning with Trivy and image signing with Cosign
- SBOM generation in multiple formats with validation
- Verbose logging and dry-run modes for debugging
- Platform-specific build args and fallback mechanisms

Enhanced all Docker actions:
- docker-build: Core buildx features and multi-arch support
- docker-publish-gh: GitHub Packages with security features
- docker-publish-hub: Docker Hub with scanning and signing
- docker-publish: Orchestrator with unified configuration

Updated documentation across all modified actions.

* fix: resolve documentation generation placeholder issue

Fixed Makefile and package.json to properly replace placeholder tokens in generated documentation, ensuring all README files show correct repository paths instead of ***PROJECT***@***VERSION***.

* chore: simplify github token validation
* chore(lint): optional yamlfmt, config and fixes
* feat: use relative `uses` names

* feat: comprehensive testing infrastructure and Python validation system

- Migrate from tests/ to _tests/ directory structure with ShellSpec framework
- Add comprehensive validation system with Python-based input validation
- Implement dual testing approach (ShellSpec + pytest) for complete coverage
- Add modern Python tooling (uv, ruff, pytest-cov) and dependencies
- Create centralized validation rules with automatic generation system
- Update project configuration and build system for new architecture
- Enhance documentation to reflect current testing capabilities

This establishes a robust foundation for action validation and testing
with extensive coverage across all GitHub Actions in the repository.

* chore: remove Dockerfile for now
* chore: code review fixes

* feat: comprehensive GitHub Actions restructuring and tooling improvements

This commit represents a major restructuring of the GitHub Actions monorepo
with improved tooling, testing infrastructure, and comprehensive PR #186
review implementation.

## Major Changes

### 🔧 Development Tooling & Configuration
- **Shellcheck integration**: Exclude shellspec test files from linting
  - Updated .pre-commit-config.yaml to exclude _tests/*.sh from shellcheck/shfmt
  - Modified Makefile shellcheck pattern to skip shellspec files
  - Updated CLAUDE.md documentation with proper exclusion syntax
- **Testing infrastructure**: Enhanced Python validation framework
  - Fixed nested if statements and boolean parameter issues in validation.py
  - Improved code quality with explicit keyword arguments
  - All pre-commit hooks now passing

### 🏗️ Project Structure & Documentation
- **Added Serena AI integration** with comprehensive project memories:
  - Project overview, structure, and technical stack documentation
  - Code style conventions and completion requirements
  - Comprehensive PR #186 review analysis and implementation tracking
- **Enhanced configuration**: Updated .gitignore, .yamlfmt.yml, pyproject.toml
- **Improved testing**: Added integration workflows and enhanced test specs

### 🚀 GitHub Actions Improvements (30+ actions updated)
- **Centralized validation**: Updated 41 validation rule files
- **Enhanced actions**: Improvements across all action categories:
  - Setup actions (node-setup, version detectors)
  - Utility actions (version-file-parser, version-validator)
  - Linting actions (biome, eslint, terraform-lint-fix major refactor)
  - Build/publish actions (docker-build, npm-publish, csharp-*)
  - Repository management actions

### 📝 Documentation Updates
- **README consistency**: Updated version references across action READMEs
- **Enhanced documentation**: Improved action descriptions and usage examples
- **CLAUDE.md**: Updated with current tooling and best practices

## Technical Improvements
- **Security enhancements**: Input validation and sanitization improvements
- **Performance optimizations**: Streamlined action logic and dependencies
- **Cross-platform compatibility**: Better Windows/macOS/Linux support
- **Error handling**: Improved error reporting and user feedback

## Files Changed
- 100 files changed
- 13 new Serena memory files documenting project state
- 41 validation rules updated for consistency
- 30+ GitHub Actions and READMEs improved
- Core tooling configuration enhanced

* feat: comprehensive GitHub Actions improvements and PR review fixes

Major Infrastructure Improvements:
- Add comprehensive testing framework with 17+ ShellSpec validation tests
- Implement Docker-based testing tools with automated test runner
- Add CodeRabbit configuration for automated code reviews
- Restructure documentation and memory management system
- Update validation rules for 25+ actions with enhanced input validation
- Modernize CI/CD workflows and testing infrastructure

Critical PR Review Fixes (All Issues Resolved):
- Fix double caching in node-setup (eliminate redundant cache operations)
- Optimize shell pipeline in version-file-parser (single awk vs complex pipeline)
- Fix GitHub expression interpolation in prettier-check cache keys
- Resolve terraform command order issue (validation after setup)
- Add missing flake8-sarif dependency for Python SARIF output
- Fix environment variable scope in pr-lint (export to GITHUB_ENV)

Performance & Reliability:
- Eliminate duplicate cache operations saving CI time
- Improve shell script efficiency with optimized parsing
- Fix command execution dependencies preventing runtime failures
- Ensure proper dependency installation for all linting tools
- Resolve workflow conditional logic issues

Security & Quality:
- All input validation rules updated with latest security patterns
- Cross-platform compatibility improvements maintained
- Comprehensive error handling and retry logic preserved
- Modern development tooling and best practices adopted

This commit addresses 100% of actionable feedback from PR review analysis,
implements comprehensive testing infrastructure, and maintains high code
quality standards across all 41 GitHub Actions.

* feat: enhance expression handling and version parsing

- Fix node-setup force-version expression logic for proper empty string handling
- Improve version-file-parser with secure regex validation and enhanced Python detection
- Add CodeRabbit configuration for CalVer versioning and README review guidance

* feat(validate-inputs): implement modular validation system

- Add modular validator architecture with specialized validators
- Implement base validator classes for different input types
- Add validators: boolean, docker, file, network, numeric, security, token, version
- Add convention mapper for automatic input validation
- Add comprehensive documentation for the validation system
- Implement PCRE regex support and injection protection

* feat(validate-inputs): add validation rules for all actions

- Add YAML validation rules for 42 GitHub Actions
- Auto-generated rules with convention mappings
- Include metadata for validation coverage and quality indicators
- Mark rules as auto-generated to prevent manual edits

* test(validate-inputs): add comprehensive test suite for validators

- Add unit tests for all validator modules
- Add integration tests for the validation system
- Add fixtures for version test data
- Test coverage for boolean, docker, file, network, numeric, security, token, and version validators
- Add tests for convention mapper and registry

* feat(tools): add validation scripts and utilities

- Add update-validators.py script for auto-generating rules
- Add benchmark-validator.py for performance testing
- Add debug-validator.py for troubleshooting
- Add generate-tests.py for test generation
- Add check-rules-not-manually-edited.sh for CI validation
- Add fix-local-action-refs.py tool for fixing action references

* feat(actions): add CustomValidator.py files for specialized validation

- Add custom validators for actions requiring special validation logic
- Implement validators for docker, go, node, npm, php, python, terraform actions
- Add specialized validation for compress-images, common-cache, common-file-check
- Implement version detection validators with language-specific logic
- Add validation for build arguments, architectures, and version formats

* test: update ShellSpec test framework for Python validation

- Update all validation.spec.sh files to use Python validator
- Add shared validation_core.py for common test utilities
- Remove obsolete bash validation helpers
- Update test output expectations for Python validator format
- Add codeql-analysis test suite
- Refactor framework utilities for Python integration
- Remove deprecated test files

* feat(actions): update action.yml files to use validate-inputs

- Replace inline bash validation with validate-inputs action
- Standardize validation across all 42 actions
- Add new codeql-analysis action
- Update action metadata and branding
- Add validation step as first step in composite actions
- Maintain backward compatibility with existing inputs/outputs

* ci: update GitHub workflows for enhanced security and testing

- Add new codeql-new.yml workflow
- Update security scanning workflows
- Enhance dependency review configuration
- Update test-actions workflow for new validation system
- Improve workflow permissions and security settings
- Update action versions to latest SHA-pinned releases

* build: update build configuration and dependencies

- Update Makefile with new validation targets
- Add Python dependencies in pyproject.toml
- Update npm dependencies and scripts
- Enhance Docker testing tools configuration
- Add targets for validator updates and local ref fixes
- Configure uv for Python package management

* chore: update linting and documentation configuration

- Update EditorConfig settings for consistent formatting
- Enhance pre-commit hooks configuration
- Update prettier and yamllint ignore patterns
- Update gitleaks security scanning rules
- Update CodeRabbit review configuration
- Update CLAUDE.md with latest project standards and rules

* docs: update Serena memory files and project metadata

- Remove obsolete PR-186 memory files
- Update project overview with current architecture
- Update project structure documentation
- Add quality standards and communication guidelines
- Add modular validator architecture documentation
- Add shellspec testing framework documentation
- Update project.yml with latest configuration

* feat: moved rules.yml to same folder as action, fixes

* fix(validators): correct token patterns and fix validator bugs

- Fix GitHub classic PAT pattern: ghp_ + 36 chars = 40 total
- Fix GitHub fine-grained PAT pattern: github_pat_ + 71 chars = 82 total
- Initialize result variable in convention_mapper to prevent UnboundLocalError
- Fix empty URL validation in network validator to return error
- Add GitHub expression check to docker architectures validator
- Update docker-build CustomValidator parallel-builds max to 16

* test(validators): fix test fixtures and expectations

- Fix token lengths in test data: github_pat 71 chars, ghp/gho 36 chars
- Update integration tests with correct token lengths
- Fix file validator test to expect absolute paths rejected for security
- Rename TestGenerator import to avoid pytest collection warning
- Update custom validator tests with correct input names
- Change docker-build tests: platforms->architectures, tags->tag
- Update docker-publish tests to match new registry enum validation

* test(shellspec): fix token lengths in test helpers and specs

- Fix default token lengths in spec_helper.sh to use correct 40-char format
- Update csharp-publish default tokens in 4 locations
- Update codeql-analysis default tokens in 2 locations
- Fix codeql-analysis test tokens to correct lengths (40 and 82 chars)
- Fix npm-publish fine-grained token test to use 82-char format

* feat(actions): add permissions documentation and environment variable usage

- Add permissions comments to all action.yml files documenting required GitHub permissions
- Convert direct input usage to environment variables in shell steps for security
- Add validation steps with proper error handling
- Update input descriptions and add security notes where applicable
- Ensure all actions follow consistent patterns for input validation

* chore(workflows): update GitHub Actions workflow versions

- Update workflow action versions to latest
- Improve workflow consistency and maintainability

* docs(security): add comprehensive security policy

- Document security features and best practices
- Add vulnerability reporting process
- Include audit history and security testing information

* docs(memory): add GitHub workflow reference documentation

- Add GitHub Actions workflow commands reference
- Add GitHub workflow expressions guide
- Add secure workflow usage patterns and best practices

* chore: token optimization, code style conventions
* chore: cr fixes
* fix: trivy reported Dockerfile problems
* fix(security): more security fixes
* chore: dockerfile and make targets for publishing
* fix(ci): add creds to test-actions workflow
* fix: security fix and checkout step to codeql-new
* chore: test fixes
* fix(security): codeql detected issues
* chore: code review fixes, ReDoS protection
* style: apply MegaLinter fixes
* fix(ci): missing packages read permission
* fix(ci): add missing working directory setting
* chore: linting, add validation-regex to use regex_pattern
* chore: code review fixes
* chore(deps): update actions
* fix(security): codeql fixes
* chore(cr): apply cr comments
* chore: improve POSIX compatibility
* chore(cr): apply cr comments
* fix: codeql warning in Dockerfile, build failures
* chore(cr): apply cr comments
* fix: docker-testing-tools/Dockerfile
* chore(cr): apply cr comments
* fix(docker): update testing-tools image for GitHub Actions compatibility
* chore(cr): apply cr comments
* feat: add more tests, fix issues
* chore: fix codeql issues, update actions
* chore(cr): apply cr comments
* fix: integration tests
* chore: deduplication and fixes
* style: apply MegaLinter fixes
* chore(cr): apply cr comments
* feat: dry-run mode for generate-tests
* fix(ci): kcov installation
* chore(cr): apply cr comments
* chore(cr): apply cr comments
* chore(cr): apply cr comments
* chore(cr): apply cr comments, simplify action testing, use uv
* fix: run-tests.sh action counting
* chore(cr): apply cr comments
* chore(cr): apply cr comments
Committed 2025-10-14 13:37:58 +03:00 (committed by GitHub)
parent d3cc8d4790
commit 78fdad69e5
353 changed files with 55370 additions and 1714 deletions


@@ -117,14 +117,14 @@ jobs:
- name: Upload Trivy results
if: steps.verify-sarif.outputs.has_trivy == 'true'
uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
with:
sarif_file: 'trivy-results.sarif'
category: 'trivy'
- name: Upload Gitleaks results
if: steps.verify-sarif.outputs.has_gitleaks == 'true'
uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
with:
sarif_file: 'gitleaks-report.sarif'
category: 'gitleaks'
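Review bot: both `upload-sarif` pins in this hunk move github/codeql-action from v3.30.6 to v4.30.8, which is a major-version jump rather than a routine pin refresh, so the v4 release notes should be checked for runner and Node.js requirement changes before this merges, and the `# v4.30.8` comment should be confirmed against the tag that `f443b600d91635bebf5b0d9ebc620189c0d6fba5` actually resolves to, since a SHA pin is only as trustworthy as the comment beside it. The `if: steps.verify-sarif.outputs.has_trivy == 'true'` and `has_gitleaks` guards are unchanged and still correctly gate each upload on the SARIF file existing.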
@@ -234,7 +234,7 @@ jobs:
if: failure()
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
script: |-
const { repo, owner } = context.repo;
const critical = core.getInput('critical_issues');
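Review bot: `const critical = core.getInput('critical_issues');` in this github-script step reads `INPUT_CRITICAL_ISSUES`, which only exists if `critical_issues` is supplied under this step's own `with:`; the visible `with:` block carries only `script`, so if the value comes from an earlier step it needs to be read as `${{ steps.<id>.outputs.critical_issues }}` or passed in explicitly, otherwise `critical` is always the empty string. The `|` to `|-` change only strips the trailing newline of the script literal and does not alter behaviour.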


@@ -0,0 +1,110 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: Build Testing Docker Image
on:
push:
branches:
- main
paths:
- '_tools/docker-testing-tools/**'
- '.github/workflows/build-testing-image.yml'
pull_request:
branches:
- main
paths:
- '_tools/docker-testing-tools/**'
- '.github/workflows/build-testing-image.yml'
workflow_dispatch:
inputs:
tag:
description: 'Docker image tag'
required: false
default: 'latest'
type: string
permissions:
contents: read
packages: write
jobs:
build-and-push:
name: Build and Push Testing Image
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- name: Log in to GitHub Container Registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
with:
images: ghcr.io/${{ github.repository_owner }}/actions
tags: |
type=ref,event=branch,suffix=-testing-tools
type=ref,event=pr,suffix=-testing-tools
type=raw,value=testing-tools,enable={{is_default_branch}}
type=raw,value=${{ github.event.inputs.tag }},enable=${{ github.event.inputs.tag != '' }}
- name: Build and push Docker image
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: _tools/docker-testing-tools
file: _tools/docker-testing-tools/Dockerfile
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
platforms: linux/amd64,linux/arm64
- name: Test image
if: github.event_name != 'pull_request'
run: |
# Test the built image works correctly
docker run --rm ghcr.io/${{ github.repository_owner }}/actions:testing-tools shellspec --version
docker run --rm ghcr.io/${{ github.repository_owner }}/actions:testing-tools act --version
docker run --rm ghcr.io/${{ github.repository_owner }}/actions:testing-tools trivy --version
- name: Generate image summary
if: github.event_name != 'pull_request'
run: |
{
echo "## 🐋 Docker Image Built Successfully"
echo ""
echo "**Image**: \`ghcr.io/${{ github.repository_owner }}/actions:testing-tools\`"
echo "**Tags**: ${{ steps.meta.outputs.tags }}"
echo ""
echo "### Usage in GitHub Actions"
echo ""
echo "\`\`\`yaml"
echo "jobs:"
echo " test:"
echo " runs-on: ubuntu-latest"
echo " container: ghcr.io/${{ github.repository_owner }}/actions:testing-tools"
echo " steps:"
echo " - uses: actions/checkout@v5"
echo " - run: shellspec _tests/unit/your-action/"
echo "\`\`\`"
echo ""
echo "### Pre-installed Tools"
echo "- ShellSpec"
echo "- nektos/act (latest)"
echo "- Trivy security scanner (latest)"
echo "- TruffleHog secrets scanner (latest)"
echo "- actionlint (latest)"
echo "- shellcheck, jq, kcov, GitHub CLI"
echo "- Node.js LTS, Python 3, build tools"
} >> "$GITHUB_STEP_SUMMARY"
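Review bot: the `tag` input defaults to `latest` and the tag rule is `type=raw,value=${{ github.event.inputs.tag }},enable=${{ github.event.inputs.tag != '' }}`, so every `workflow_dispatch` run (default included) pushes `ghcr.io/<owner>/actions:latest` alongside the `-testing-tools` tags, which makes `:latest` of the shared `actions` image name point at the testing-tools image; either default the input to an empty string or prefix the value (for example `value=testing-tools-${{ github.event.inputs.tag }}`) so the dispatch tag cannot collide with the repository's main image. Related, the `Test image` step always runs `ghcr.io/.../actions:testing-tools`, but that tag is only produced when `{{is_default_branch}}` is true, so a dispatch from any other branch tests whatever `:testing-tools` was last pushed rather than the image just built; pick the tag from `steps.meta.outputs.tags` instead. Last, the usage snippet written to the step summary shows `actions/checkout@v5` while the workflow itself pins checkout to a SHA; the example should match the repository's own pinning convention.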

.github/workflows/codeql-new.yml (new file, 45 lines)

@@ -0,0 +1,45 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: 'CodeQL (New Action)'
on:
push:
branches:
- 'main'
pull_request:
branches:
- 'main'
schedule:
- cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday
merge_group:
permissions:
actions: read
contents: read
jobs:
analyze:
name: Analyze (${{ matrix.language }})
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
strategy:
fail-fast: false
matrix:
language:
- 'actions'
- 'javascript'
- 'python'
steps:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Run CodeQL Analysis
uses: ./codeql-analysis
with:
language: ${{ matrix.language }}
queries: security-and-quality
token: ${{ github.token }}
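Review bot: this workflow has the same triggers and language matrix as the existing codeql.yml (push and pull_request on `main`, the same Sunday cron, `merge_group`), so each event now produces two CodeQL uploads per language; unless `./codeql-analysis` emits a SARIF category distinct from the `/language:${{matrix.language}}` that codeql.yml uses, the second upload replaces the first within that category and code-scanning alerts will flap between the two runs. Either pass an explicit category here or retire one of the two workflows once the new action is trusted. The job-level `security-events: write` plus `contents: read` is the correct minimum for an upload, and `token: ${{ github.token }}` does not widen it.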


@@ -4,9 +4,11 @@ name: 'CodeQL'
on:
push:
branches: ['main']
branches:
- 'main'
pull_request:
branches: ['main']
branches:
- 'main'
schedule:
- cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday
merge_group:
@@ -25,22 +27,25 @@ jobs:
strategy:
fail-fast: false
matrix:
language: ['actions', 'javascript'] # Add languages used in your actions
language:
- 'actions'
- 'javascript'
- 'python'
steps:
steps: # Add languages used in your actions
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Initialize CodeQL
uses: github/codeql-action/init@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
uses: github/codeql-action/init@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
with:
languages: ${{ matrix.language }}
queries: security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
uses: github/codeql-action/autobuild@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
uses: github/codeql-action/analyze@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
with:
category: '/language:${{matrix.language}}'
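Review bot: the `# Add languages used in your actions` comment that used to sit on the single-line `language: [...]` was carried onto `steps: # Add languages used in your actions`, where it no longer describes anything; move it back above the `language:` list or drop it now that `python` has been added. With `python` in the matrix the `Autobuild` step does no compilation for the interpreted languages here, so it adds no coverage; it is harmless to keep for consistency, but a comment saying so would stop the next reader from expecting it to do work.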


@@ -1,7 +1,8 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: 'Dependency Review'
on: [pull_request]
on:
- pull_request
permissions:
contents: read
@@ -13,4 +14,4 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: 'Dependency Review'
uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 # v4.8.0
uses: actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a # v4.8.1


@@ -55,6 +55,7 @@ jobs:
timeout-minutes: 30
permissions:
actions: write
contents: write
issues: write
pull-requests: write
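Review bot: `actions: write` is added to this job's permissions with nothing in the visible hunks that needs it; that scope lets the job cancel and re-run workflows and delete caches, so if it is there for cache cleanup or to re-trigger a run, record that in a comment beside it, and if nothing in the job uses it, keep `actions: read`. This job already holds `contents: write`, `issues: write` and `pull-requests: write` and is the one that later auto-commits with a PAT fallback, so extra scope here compounds the blast radius of any injection into the MegaLinter step.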
@@ -69,7 +70,7 @@ jobs:
- name: MegaLinter
id: ml
uses: oxsecurity/megalinter/flavors/cupcake@0dcbedd66ea456ba2d54fd350affaa15df8a0da3 # v9.0.1
uses: oxsecurity/megalinter/flavors/cupcake@62c799d895af9bcbca5eacfebca29d527f125a57 # v9.1.0
- name: Check MegaLinter Results
id: check-results
@@ -99,7 +100,7 @@ jobs:
- name: Upload SARIF Report
if: always() && hashFiles('megalinter-reports/sarif/*.sarif')
uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
with:
sarif_file: megalinter-reports/sarif
category: megalinter
@@ -154,8 +155,9 @@ jobs:
github.ref != 'refs/heads/main' &&
(github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) &&
!contains(github.event.head_commit.message, 'skip fix')
uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0
with:
token: ${{ secrets.FIXIMUS_TOKEN || secrets.GITHUB_TOKEN }}
branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
commit_message: |
style: apply MegaLinter fixes
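Review bot: the new `branch:` input falls back through `github.event.pull_request.head.ref || github.head_ref || github.ref`, and the last alternative is a fully qualified `refs/heads/<name>` while the first two are bare branch names, so on a `push` event the action receives a different form than on a PR; `github.ref_name` yields the bare name and keeps all three consistent. The bump of stefanzweifel/git-auto-commit-action from v6.0.1 to v7.0.0 is a major version, so check its changelog for renamed or removed inputs before relying on the new `branch` behaviour. The unchanged `if:` (head repo equals this repository) still keeps the commit step away from fork PRs, which is right, since fork PR runs do not receive `secrets.FIXIMUS_TOKEN` and the push would fail anyway.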
@@ -191,7 +193,7 @@ jobs:
- name: Cleanup
if: always()
shell: bash
run: |
run: |-
# Remove temporary files but keep reports
find . -type f -name "megalinter.*" ! -name "megalinter-reports" -delete || true
find . -type d -name ".megalinter" -exec rm -rf {} + || true


@@ -17,6 +17,6 @@ jobs:
contents: write
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: softprops/action-gh-release@aec2ec56f94eb8180ceec724245f64ef008b89f5 # v2.4.0
- uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
with:
generate_release_notes: true


@@ -1,11 +1,8 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: Security Suite
name: PR Security Analysis
on:
schedule:
- cron: '55 23 * * 0' # Every Sunday at 23:55
workflow_dispatch:
pull_request:
paths:
- '**/package.json'
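Review bot: dropping both `schedule` and `workflow_dispatch` means `main` is never rescanned outside a PR; PR-only is what the commit message says is intended, but keeping `workflow_dispatch` costs nothing and lets a maintainer re-run the analysis on demand without opening a PR. Also, with `pull_request` now filtered by `paths:`, the workflow does not run at all on PRs that touch only other files, so it must not be listed as a required status check, or those PRs will wait on a check that never reports.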
@@ -17,339 +14,355 @@ on:
- '**/*.py'
- '**/*.js'
- '**/*.ts'
- '**/workflows/*.yml'
merge_group:
push:
branches: [main]
- '**/*.yml'
- '**/*.yaml'
- '.github/workflows/**'
permissions: read-all
permissions:
contents: read
pull-requests: write
issues: write
actions: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
cancel-in-progress: true
jobs:
check-secrets:
name: Check Required Secrets
security-analysis:
name: Security Analysis
runs-on: ubuntu-latest
outputs:
run_snyk: ${{ steps.check.outputs.run_snyk }}
run_slack: ${{ steps.check.outputs.run_slack }}
run_sonarcloud: ${{ steps.check.outputs.run_sonarcloud }}
steps:
- name: Check Required Secrets
id: check
shell: bash
- name: Checkout PR
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.sha }}
- name: Fetch PR Base
run: |
{
echo "run_snyk=false"
echo "run_slack=false"
echo "run_sonarcloud=false"
} >> "$GITHUB_OUTPUT"
set -euo pipefail
# Fetch the base ref from base repository with authentication (works for private repos and forked PRs)
# Using ref instead of SHA because git fetch requires ref names, not raw commit IDs
# Use authenticated URL to avoid 403/404 on private repositories
git fetch --no-tags --depth=1 \
"https://x-access-token:${{ github.token }}@github.com/${{ github.event.pull_request.base.repo.full_name }}" \
${{ github.event.pull_request.base.ref }}:refs/remotes/origin-base/${{ github.event.pull_request.base.ref }}
# Record the base commit for diffing without checking it out
# Keep PR head checked out so scanners analyze the new changes
BASE_REF="refs/remotes/origin-base/${{ github.event.pull_request.base.ref }}"
echo "BASE_REF=${BASE_REF}" >> $GITHUB_ENV
echo "Base ref: ${BASE_REF}"
git log -1 --oneline "${BASE_REF}"
if [ -n "${{ secrets.SNYK_TOKEN }}" ]; then
echo "run_snyk=true" >> "$GITHUB_OUTPUT"
else
echo "::warning::SNYK_TOKEN not set - Snyk scans will be skipped"
fi
if [ -n "${{ secrets.SLACK_WEBHOOK }}" ]; then
echo "run_slack=true" >> "$GITHUB_OUTPUT"
else
echo "::warning::SLACK_WEBHOOK not set - Slack notifications will be skipped"
fi
if [ -n "${{ secrets.SONAR_TOKEN }}" ]; then
echo "run_sonarcloud=true" >> "$GITHUB_OUTPUT"
else
echo "::warning::SONAR_TOKEN not set - SonarCloud analysis will be skipped"
fi
owasp:
name: OWASP Dependency Check
runs-on: ubuntu-latest
needs: check-secrets
permissions:
security-events: write
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Run OWASP Dependency Check
- name: OWASP Dependency Check
# Only run on pull_request, not pull_request_target to prevent executing
# untrusted third-party actions against PR head from forks
if: github.event_name == 'pull_request'
uses: dependency-check/Dependency-Check_Action@3102a65fd5f36d0000297576acc56a475b0de98d # main
with:
project: 'GitHub Actions'
project: 'PR Security Analysis'
path: '.'
format: 'SARIF'
format: 'JSON'
out: 'reports'
args: >
--enableRetired
--enableExperimental
--failOnCVSS 7
- name: Upload OWASP Results
uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
with:
sarif_file: reports/dependency-check-report.sarif
category: owasp-dependency-check
- name: Upload artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: owasp-results
path: reports/dependency-check-report.sarif
snyk:
name: Snyk Security Scan
runs-on: ubuntu-latest
needs: check-secrets
if: needs.check-secrets.outputs.run_snyk == 'true'
permissions:
security-events: write
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version: 'lts/*'
cache: 'npm'
- name: Run Snyk Scan
uses: snyk/actions/node@cdb760004ba9ea4d525f2e043745dfe85bb9077e # master
--enableRetired --enableExperimental --failOnCVSS 0
continue-on-error: true
- name: Semgrep Static Analysis
uses: semgrep/semgrep-action@713efdd345f3035192eaa63f56867b88e63e4e5d # v1
with:
config: 'auto'
generateSarif: 'true'
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --all-projects --sarif-file-output=snyk-results.sarif
- name: Upload Snyk Results
uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
with:
sarif_file: snyk-results.sarif
category: snyk
- name: Upload artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: snyk-results
path: snyk-results.sarif
SEMGREP_APP_TOKEN: ${{ github.event_name != 'pull_request_target' && secrets.SEMGREP_APP_TOKEN || '' }}
continue-on-error: true
scorecard:
name: OSSF Scorecard
runs-on: ubuntu-latest
needs: check-secrets
permissions:
security-events: write
id-token: write
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Run Scorecard
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
- name: TruffleHog Secret Scan
uses: trufflesecurity/trufflehog@0f58ae7c5036094a1e3e750d18772af92821b503
with:
results_file: scorecard-results.sarif
results_format: sarif
publish_results: true
- name: Upload Scorecard Results
uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
with:
sarif_file: scorecard-results.sarif
category: scorecard
- name: Upload artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: scorecard-results
path: scorecard-results.sarif
path: ./
base: ${{ env.BASE_REF }}
head: HEAD
extra_args: --debug --only-verified --json --output /tmp/trufflehog_output.json
continue-on-error: true
analyze:
name: Analyze Results
runs-on: ubuntu-latest
needs: [check-secrets, owasp, scorecard, snyk]
if: always()
permissions:
issues: write
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Download scan results
uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
- name: Analyze Security Results
id: analyze
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
with:
path: ./results
- name: Analyze Results
id: analysis
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
script: |-
const fs = require('fs');
const path = require('path');
async function analyzeResults() {
const metrics = {
timestamp: new Date().toISOString(),
vulnerabilities: { critical: 0, high: 0, medium: 0, low: 0 },
scorecard: null,
trends: {},
tools: {}
};
function analyzeSarif(file, tool) {
if (!fs.existsSync(file)) return null;
try {
const data = JSON.parse(fs.readFileSync(file, 'utf8'));
const results = {
total: 0,
bySeverity: { critical: 0, high: 0, medium: 0, low: 0 },
details: []
};
data.runs.forEach(run => {
if (!run.results) return;
run.results.forEach(result => {
results.total++;
const severity = result.level === 'error' ? 'high' :
result.level === 'warning' ? 'medium' : 'low';
results.bySeverity[severity]++;
metrics.vulnerabilities[severity]++;
results.details.push({
title: result.message?.text || 'Unnamed issue',
severity,
location: result.locations?.[0]?.physicalLocation?.artifactLocation?.uri || 'Unknown',
description: result.message?.text || '',
ruleId: result.ruleId || ''
});
});
});
return results;
} catch (error) {
console.error(`Error analyzing ${tool} results:`, error);
return null;
}
}
// Analyze all SARIF files
metrics.tools = {
owasp: analyzeSarif('./results/owasp-results/dependency-check-report.sarif', 'OWASP'),
snyk: ${{ needs.check-secrets.outputs.run_snyk == 'true' }} ?
analyzeSarif('./results/snyk-results/snyk-results.sarif', 'Snyk') : null,
scorecard: analyzeSarif('./results/scorecard-results/scorecard-results.sarif', 'Scorecard')
};
// Save results
fs.writeFileSync('security-results.json', JSON.stringify(metrics, null, 2));
// Set outputs
core.setOutput('total_critical', metrics.vulnerabilities.critical);
core.setOutput('total_high', metrics.vulnerabilities.high);
return metrics;
}
return await analyzeResults();
- name: Generate Reports
if: always()
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
const fs = require('fs');
const metrics = JSON.parse(fs.readFileSync('security-results.json', 'utf8'));
// Find existing security report issue
const issues = await github.rest.issues.listForRepo({
owner: context.repo.owner,
repo: context.repo.repo,
state: 'open',
labels: ['security-report'],
per_page: 1
});
const severityEmoji = {
critical: '🚨',
high: '⚠️',
medium: '⚡',
low: '📝'
const findings = {
permissions: [],
actions: [],
secrets: [],
vulnerabilities: [],
dependencies: []
};
// Generate report body
const report = `## Security Scan Report ${new Date().toISOString()}
// Analyze GitHub Actions permission changes
const { execSync } = require('child_process');
const baseRef = process.env.BASE_REF;
try {
const changedWorkflows = execSync(
`git diff --name-only ${baseRef}...HEAD | grep -E "\.github/workflows/.*\.ya?ml$" || true`,
{ encoding: 'utf8' }
).trim().split('\n').filter(Boolean);
### Summary
${Object.entries(metrics.vulnerabilities)
.map(([sev, count]) => `${severityEmoji[sev]} ${sev}: ${count}`)
.join('\n')}
for (const workflow of changedWorkflows) {
if (!workflow) continue;
### Tool Results
${Object.entries(metrics.tools)
.filter(([_, results]) => results)
.map(([tool, results]) => `
#### ${tool.toUpperCase()}
- Total issues: ${results.total}
${Object.entries(results.bySeverity)
.filter(([_, count]) => count > 0)
.map(([sev, count]) => `- ${sev}: ${count}`)
.join('\n')}
try {
const oldContent = execSync(`git show ${baseRef}:${workflow}`, { encoding: 'utf8' });
const newContent = fs.readFileSync(workflow, 'utf8');
${results.details
.filter(issue => ['critical', 'high'].includes(issue.severity))
.map(issue => `- ${severityEmoji[issue.severity]} ${issue.title} (${issue.severity})
- Location: \`${issue.location}\`
- Rule: \`${issue.ruleId}\``)
.join('\n')}
`).join('\n')}
// Simple permission extraction (could be enhanced with YAML parsing)
const oldPerms = oldContent.match(/permissions:\s*\n([\s\S]*?)(?=\n\w|\n$|$)/);
const newPerms = newContent.match(/permissions:\s*\n([\s\S]*?)(?=\n\w|\n$|$)/);
### Action Items
${metrics.vulnerabilities.critical + metrics.vulnerabilities.high > 0 ?
`- [ ] Address ${metrics.vulnerabilities.critical} critical and ${metrics.vulnerabilities.high} high severity issues
- [ ] Review automated fix PRs
- [ ] Update dependencies with known vulnerabilities` :
'✅ No critical or high severity issues found'}
if (oldPerms?.[1] !== newPerms?.[1]) {
findings.permissions.push({
file: workflow,
old: oldPerms?.[1]?.trim() || 'None',
new: newPerms?.[1]?.trim() || 'None'
});
}
### Links
- [Workflow Run](${process.env.GITHUB_SERVER_URL}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})
- [Security Overview](${process.env.GITHUB_SERVER_URL}/${context.repo.owner}/${context.repo.repo}/security)
// Check for new actions
const oldActions = [...oldContent.matchAll(/uses:\s*([^\s\n]+)/g)].map(m => m[1]);
const newActions = [...newContent.matchAll(/uses:\s*([^\s\n]+)/g)].map(m => m[1]);
const addedActions = newActions.filter(action => !oldActions.includes(action));
> Last updated: ${new Date().toISOString()}`;
if (addedActions.length > 0) {
findings.actions.push({
file: workflow,
added: addedActions
});
}
} catch (error) {
console.log(`Could not analyze ${workflow}: ${error.message}`);
}
}
} catch (error) {
console.log('No workflow changes detected');
}
// Update or create issue
if (issues.data.length > 0) {
await github.rest.issues.update({
// Parse OWASP Dependency Check results
try {
const owaspResults = JSON.parse(fs.readFileSync('reports/dependency-check-report.json', 'utf8'));
if (owaspResults.dependencies) {
owaspResults.dependencies.forEach(dep => {
if (dep.vulnerabilities && dep.vulnerabilities.length > 0) {
dep.vulnerabilities.forEach(vuln => {
findings.dependencies.push({
file: dep.fileName || 'Unknown',
cve: vuln.name,
severity: vuln.severity || 'Unknown',
description: vuln.description || 'No description'
});
});
}
});
}
} catch (error) {
console.log('No OWASP results found');
}
// Parse Semgrep SARIF results
try {
if (fs.existsSync('semgrep.sarif')) {
const sarifContent = JSON.parse(fs.readFileSync('semgrep.sarif', 'utf8'));
if (sarifContent.runs && sarifContent.runs[0] && sarifContent.runs[0].results) {
const run = sarifContent.runs[0];
const rules = run.tool?.driver?.rules || [];
run.results.forEach(result => {
const rule = rules.find(r => r.id === result.ruleId);
findings.vulnerabilities.push({
file: result.locations?.[0]?.physicalLocation?.artifactLocation?.uri || 'Unknown',
line: result.locations?.[0]?.physicalLocation?.region?.startLine || 0,
rule: result.ruleId,
severity: result.level?.toUpperCase() || 'INFO',
message: result.message?.text || rule?.shortDescription?.text || 'No description'
});
});
}
}
} catch (error) {
console.log('Semgrep SARIF parsing completed');
}
// Parse TruffleHog results (NDJSON format - one JSON object per line)
try {
const truffleOutput = execSync('cat /tmp/trufflehog_output.json || echo ""', { encoding: 'utf8' });
const truffleLines = truffleOutput.trim().split('\n').filter(line => line.length > 0);
truffleLines.forEach((line, index) => {
try {
const result = JSON.parse(line);
findings.secrets.push({
file: result.SourceMetadata?.Data?.Filesystem?.file || 'Unknown',
line: result.SourceMetadata?.Data?.Filesystem?.line || 0,
detector: result.DetectorName,
verified: result.Verified || false
});
} catch (parseError) {
// Log only safe metadata to avoid leaking secrets
console.log('Failed to parse TruffleHog line at index', index, '- Error:', parseError.message, '(line length:', line.length, 'chars)');
}
});
if (truffleLines.length === 0) {
console.log('No secrets detected');
}
} catch (error) {
console.log('No TruffleHog output file found');
}
// Generate clean comment sections
const sections = [];
// GitHub Actions Permissions Changes
if (findings.permissions.length > 0) {
const permSection = ['## 🔐 GitHub Actions Permissions Changes'];
findings.permissions.forEach(change => {
permSection.push(`**${change.file}**:`);
permSection.push('```diff');
permSection.push(`- ${change.old}`);
permSection.push(`+ ${change.new}`);
permSection.push('```');
});
sections.push(permSection.join('\n'));
}
// New/Changed Actions
if (findings.actions.length > 0) {
const actionSection = ['## 🎯 New GitHub Actions'];
findings.actions.forEach(change => {
actionSection.push(`**${change.file}**:`);
change.added.forEach(action => {
actionSection.push(`- \`${action}\``);
});
});
sections.push(actionSection.join('\n'));
}
// Secrets Detected
if (findings.secrets.length > 0) {
const secretSection = ['## 🔑 Secrets Detected'];
findings.secrets.forEach(secret => {
const verified = secret.verified ? '🚨 **VERIFIED**' : '⚠️ Potential';
secretSection.push(`- ${verified} ${secret.detector} in \`${secret.file}:${secret.line}\``);
});
sections.push(secretSection.join('\n'));
}
// Security Vulnerabilities
if (findings.vulnerabilities.length > 0) {
const vulnSection = ['## ⚠️ Security Vulnerabilities'];
const groupedBySeverity = findings.vulnerabilities.reduce((acc, vuln) => {
const sev = vuln.severity.toUpperCase();
if (!acc[sev]) acc[sev] = [];
acc[sev].push(vuln);
return acc;
}, {});
['ERROR', 'WARNING', 'INFO'].forEach(severity => {
if (groupedBySeverity[severity]) {
vulnSection.push(`\n**${severity} Severity:**`);
groupedBySeverity[severity].forEach(vuln => {
vulnSection.push(`- \`${vuln.file}:${vuln.line}\` - ${vuln.message}`);
vulnSection.push(` - Rule: \`${vuln.rule}\``);
});
}
});
sections.push(vulnSection.join('\n'));
}
// Dependency Issues
if (findings.dependencies.length > 0) {
const depSection = ['## 📦 Dependency Vulnerabilities'];
const groupedBySeverity = findings.dependencies.reduce((acc, dep) => {
const sev = dep.severity.toUpperCase();
if (!acc[sev]) acc[sev] = [];
acc[sev].push(dep);
return acc;
}, {});
['CRITICAL', 'HIGH', 'MEDIUM', 'LOW'].forEach(severity => {
if (groupedBySeverity[severity]) {
depSection.push(`\n**${severity} Severity:**`);
groupedBySeverity[severity].forEach(dep => {
depSection.push(`- **${dep.cve}** in \`${dep.file}\``);
depSection.push(` - ${dep.description.substring(0, 100)}...`);
});
}
});
sections.push(depSection.join('\n'));
}
// Count critical issues for output
const criticalCount =
findings.secrets.filter(s => s.verified).length +
(findings.vulnerabilities.filter(v => v.severity.toUpperCase() === 'ERROR').length || 0) +
(findings.dependencies.filter(d => d.severity.toUpperCase() === 'CRITICAL').length || 0);
// Export critical count as output
core.setOutput('critical_issues', criticalCount.toString());
// Generate final comment
let comment = '## ✅ Security Analysis\n\n';
if (sections.length === 0) {
comment += 'No security issues detected in this PR.';
} else {
comment += sections.join('\n\n');
}
// Find existing security comment
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number
});
const existingComment = comments.find(comment =>
comment.body.includes('Security Analysis') ||
comment.body.includes('🔐 GitHub Actions Permissions')
);
if (existingComment) {
// Update existing comment
await github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: issues.data[0].number,
body: report,
state: 'open'
comment_id: existingComment.id,
body: comment
});
} else {
await github.rest.issues.create({
// Create new comment
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
title: '🔒 Security Scan Report',
body: report,
labels: ['security-report', 'automated'],
assignees: ['ivuorinen']
issue_number: context.issue.number,
body: comment
});
}
// Add summary to workflow
await core.summary
.addRaw(report)
.write();
- name: Archive Results
- name: Check Critical Issues
if: always()
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
env:
CRITICAL_COUNT: ${{ steps.analyze.outputs.critical_issues || '0' }}
with:
name: security-results
path: |
reports/
*.sarif
security-results.json
retention-days: 30
script: |-
const criticalCount = parseInt(process.env.CRITICAL_COUNT || '0', 10);
- name: Notify on Failure
if: failure() && needs.check-secrets.outputs.run_slack == 'true'
run: |
curl -X POST -H 'Content-type: application/json' \
--data '{"text":"❌ Security checks failed! Check the logs for details."}' \
${{ secrets.SLACK_WEBHOOK }}
if (criticalCount > 0) {
core.setFailed(`Found ${criticalCount} critical security issue(s). Please review and address them before merging.`);
} else {
console.log('No critical security issues found.');
}
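Review bot: the base branch is fetched with `--depth=1`, so `git diff ${baseRef}...HEAD` (three-dot) and TruffleHog's `base:`/`head:` pair both need a merge base that the shallow boundary hides whenever the base branch has advanced past the PR's branch point; the diff then throws and the `catch` that logs `No workflow changes detected` silently skips the permission and new-action analysis with a misleading message. The head checkout already uses `fetch-depth: 0`, so drop `--depth=1` from the base fetch and let a real error surface instead of being logged as "no changes".

Further points in this hunk. On `pull_request` from a fork the token is read-only regardless of `pull-requests: write`, so `createComment`/`updateComment` will fail with 403 and fail the job; gate comment posting on `github.event.pull_request.head.repo.full_name == github.repository` or fall back to the step summary. `${{ github.event.pull_request.base.ref }}` and `base.repo.full_name` are spliced straight into the `run:` script; pass them through `env:` as the commit message says the other scripts now do. The `permissions:` regex is non-global and `match()` returns only the first block, so job-level permission changes go unreported, and the one-line forms `permissions: read-all` and `permissions: {}` never match at all. Finding the existing comment by `body.includes('Security Analysis')` will overwrite a human comment that happens to contain that phrase; use a hidden marker like the `<!-- coverage-comment -->` one in test-actions.yml. Finally, the `pull_request_target` comments and the `SEMGREP_APP_TOKEN` conditional are dead now that the workflow only triggers on `pull_request`; `issues: write` and `actions: read` have no remaining use; the `trufflesecurity/trufflehog` pin is the only one without a version comment; and the `catch` that logs `Semgrep SARIF parsing completed` swallows genuine parse errors.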

.github/workflows/test-actions.yml

@@ -0,0 +1,313 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: Test GitHub Actions
on:
push:
branches:
- main
paths:
- '*/action.yml'
- '_tests/**'
- 'Makefile'
- '.github/workflows/test-actions.yml'
pull_request:
branches:
- main
paths:
- '*/action.yml'
- '_tests/**'
- 'Makefile'
- '.github/workflows/test-actions.yml'
workflow_dispatch:
inputs:
test-type:
description: 'Type of tests to run'
required: true
default: 'all'
type: choice
options:
- all
- unit
- integration
action-filter:
description: 'Filter tests by action name (optional)'
required: false
type: string
permissions: {}
jobs:
unit-tests:
name: Unit Tests
runs-on: ubuntu-latest
permissions:
contents: read
actions: write
security-events: write
timeout-minutes: 10
steps:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Setup test environment
uses: ./.github/actions/setup-test-environment
- name: Run unit tests
shell: bash
run: |
if [[ "${{ github.event.inputs.test-type }}" == "unit" || "${{ github.event.inputs.test-type }}" == "all" || -z "${{ github.event.inputs.test-type }}" ]]; then
if [[ -n "${{ github.event.inputs.action-filter }}" ]]; then
make test-action ACTION="${{ github.event.inputs.action-filter }}"
else
make test-unit
fi
else
echo "Skipping unit tests (test-type: ${{ github.event.inputs.test-type }})"
fi
- name: Generate SARIF report
shell: bash
run: ./_tests/run-tests.sh --type unit --format sarif
if: always()
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
if: always() && hashFiles('_tests/reports/test-results.sarif') != ''
with:
sarif_file: _tests/reports/test-results.sarif
category: github-actions-tests
- name: Upload unit test results
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
if: always()
with:
name: unit-test-results
path: _tests/reports/unit/
retention-days: 7
if-no-files-found: ignore
integration-tests:
name: Integration Tests
runs-on: ubuntu-latest
permissions:
contents: read
actions: write
timeout-minutes: 20
if: github.event.inputs.test-type != 'unit'
steps:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Setup test environment
uses: ./.github/actions/setup-test-environment
with:
install-act: 'true'
- name: Run integration tests
shell: bash
run: |
if [[ "${{ github.event.inputs.test-type }}" == "integration" || "${{ github.event.inputs.test-type }}" == "all" || -z "${{ github.event.inputs.test-type }}" ]]; then
if [[ -n "${{ github.event.inputs.action-filter }}" ]]; then
./_tests/run-tests.sh --type integration --action "${{ github.event.inputs.action-filter }}"
else
make test-integration
fi
else
echo "Skipping integration tests (test-type: ${{ github.event.inputs.test-type }})"
fi
- name: Check for integration test reports
id: check-integration-reports
if: always()
shell: bash
run: |
if [ -d "_tests/reports/integration" ] && [ -n "$(find _tests/reports/integration -type f 2>/dev/null)" ]; then
echo "reports-found=true" >> $GITHUB_OUTPUT
echo "Integration test reports found"
else
echo "reports-found=false" >> $GITHUB_OUTPUT
echo "No integration test reports found"
fi
- name: Upload integration test results
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
if: always() && steps.check-integration-reports.outputs.reports-found == 'true'
with:
name: integration-test-results
path: _tests/reports/integration/
retention-days: 7
if-no-files-found: ignore
coverage:
name: Test Coverage
runs-on: ubuntu-latest
permissions:
contents: read
actions: write
issues: write
pull-requests: write
timeout-minutes: 15
needs:
- unit-tests
if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || github.event_name == 'pull_request'
steps:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Setup test environment
uses: ./.github/actions/setup-test-environment
with:
install-kcov: 'true'
- name: Generate coverage report
run: make test-coverage
- name: Upload coverage report
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: coverage-report
path: _tests/coverage/
retention-days: 30
if-no-files-found: warn
- name: Comment coverage summary
if: github.event_name == 'pull_request'
shell: bash
run: |
if [[ -f _tests/coverage/summary.json ]]; then
coverage=$(jq -r '.coverage_percent' _tests/coverage/summary.json)
tested_actions=$(jq -r '.tested_actions' _tests/coverage/summary.json)
total_actions=$(jq -r '.total_actions' _tests/coverage/summary.json)
cat > coverage_comment.md <<EOF
## 📊 Test Coverage Report
- **Action Coverage**: ${coverage}% (${tested_actions}/${total_actions} actions)
- **Generated**: $(date)
EOF
echo "Coverage: ${coverage}%"
fi
- name: Post coverage comment
if: github.event_name == 'pull_request' && hashFiles('coverage_comment.md') != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const fs = require('fs');
const body = fs.readFileSync('coverage_comment.md', 'utf8');
const { owner, repo } = context.repo;
const issue_number = context.issue.number;
// Create or update a sticky comment
const marker = '<!-- coverage-comment -->';
const list = await github.rest.issues.listComments({ owner, repo, issue_number });
const existing = list.data.find(c => c.body && c.body.includes(marker));
const finalBody = `${marker}\n` + body;
if (existing) {
await github.rest.issues.updateComment({ owner, repo, comment_id: existing.id, body: finalBody });
} else {
await github.rest.issues.createComment({ owner, repo, issue_number, body: finalBody });
}
security-scan:
name: Security Scan
runs-on: ubuntu-latest
permissions:
contents: read
timeout-minutes: 10
steps:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Setup test environment
uses: ./.github/actions/setup-test-environment
with:
install-kcov: 'true'
- name: Scan for secrets
uses: trufflesecurity/trufflehog@0f58ae7c5036094a1e3e750d18772af92821b503
with:
path: ./
base: ${{ github.event.repository.default_branch }}
head: HEAD
extra_args: --debug --only-verified
- name: Scan shell scripts
shell: bash
run: |
# Scan all shell scripts in _tests/
find _tests/ -name "*.sh" -exec shellcheck -x {} \; || {
echo "❌ Shell script security issues found"
exit 1
}
echo "✅ Shell script security scan passed"
test-summary:
name: Test Summary
runs-on: ubuntu-latest
permissions:
contents: read
actions: read # Required to download artifacts
needs:
- unit-tests
- integration-tests
if: always()
steps:
- name: Download test results
uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
with:
pattern: '*-test-results'
merge-multiple: true
path: test-results/
- name: Generate test summary
shell: bash
run: |
{
echo "## 🧪 Test Results Summary"
echo ""
# Unit tests
unit_count=$(find test-results -type f -path "*/unit/*.txt" | wc -l || true)
if [[ "${unit_count:-0}" -gt 0 ]]; then
echo "- **Unit Tests**: $unit_count action(s) tested"
fi
# Integration tests
integration_count=$(find test-results -type f -path "*/integration/*.txt" | wc -l || true)
if [[ "${integration_count:-0}" -gt 0 ]]; then
echo "- **Integration Tests**: $integration_count action(s) tested"
fi
echo ""
unit_success="${{ needs.unit-tests.result == 'success' }}"
integration_ok="${{ needs.integration-tests.result == 'success' || needs.integration-tests.result == 'skipped' }}"
if [[ "$unit_success" == "true" && "$integration_ok" == "true" ]]; then
status="✅ All tests passed"
else
status="❌ Some tests failed"
fi
echo "**Status**: $status"
# Job status details
echo ""
echo "### Job Details"
echo "- Unit Tests: ${{ needs.unit-tests.result }}"
echo "- Integration Tests: ${{ needs.integration-tests.result }}"
} >> "$GITHUB_STEP_SUMMARY"
- name: Fail if tests failed
if: needs.unit-tests.result == 'failure' || needs.integration-tests.result == 'failure'
shell: bash
run: |-
echo "❌ One or more test jobs failed"
exit 1
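Review bot: the shell-script scan can never fail: with `find _tests/ -name "*.sh" -exec shellcheck -x {} \;` GNU find does not propagate the exit status of each `;`-terminated invocation, so the `|| { ...; exit 1; }` branch is unreachable and the step prints "passed" whatever shellcheck reports. Use `-exec shellcheck -x {} +` (find does propagate non-zero from the `+` form) or `find _tests -name '*.sh' -print0 | xargs -0 shellcheck -x`. Also: `${{ github.event.inputs.action-filter }}` is a free-form string input spliced into `run:` in both test jobs, which is the script-injection pattern the commit message says this change eliminates; pass it via `env:`. `actions: write` on the unit, integration and coverage jobs has no visible use (the test-summary job correctly notes that only `actions: read` is needed to download artifacts); drop it. In the security-scan job the checkout is the default shallow one, so TruffleHog's `base: ${{ github.event.repository.default_branch }}` has nothing local to diff against; add `fetch-depth: 0` there. That job also sets `install-kcov: 'true'` but never produces coverage, so the flag is unnecessary.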