ivuorinen/actions
1
0
Fork 0
mirror of https://github.com/ivuorinen/actions.git synced 2026-01-26 03:23:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: fixes, tweaks, new actions, linting (#186)

Browse Source 
* feat: fixes, tweaks, new actions, linting
* fix: improve docker publish loops and dotnet parsing (#193)
* fix: harden action scripts and version checks (#191)
* refactor: major repository restructuring and security enhancements

Add comprehensive development infrastructure:
- Add Makefile with automated documentation generation, formatting, and linting tasks
- Add TODO.md tracking self-containment progress and repository improvements
- Add .nvmrc for consistent Node.js version management
- Create python-version-detect-v2 action for enhanced Python detection

Enhance all GitHub Actions with standardized patterns:
- Add consistent token handling across 27 actions using standardized input patterns
- Implement bash error handling (set -euo pipefail) in all shell steps
- Add comprehensive input validation for path traversal and command injection protection
- Standardize checkout token authentication to prevent rate limiting
- Remove relative action dependencies to ensure external usability

Rewrite security workflow for PR-focused analysis:
- Transform security-suite.yml to PR-only security analysis workflow
- Remove scheduled runs, repository issue management, and Slack notifications
- Implement smart comment generation showing only sections with content
- Add GitHub Actions permission diff analysis and new action detection
- Integrate OWASP, Semgrep, and TruffleHog for comprehensive PR security scanning

Improve version detection and dependency management:
- Simplify version detection actions to use inline logic instead of shared utilities
- Fix Makefile version detection fallback to properly return 'main' when version not found
- Update all external action references to use SHA-pinned versions
- Remove deprecated run.sh in favor of Makefile automation

Update documentation and project standards:
- Enhance CLAUDE.md with self-containment requirements and linting standards
- Update README.md with improved action descriptions and usage examples
- Standardize code formatting with updated .editorconfig and .prettierrc.yml
- Improve GitHub templates for issues and security reporting

This refactoring ensures all 40 actions are fully self-contained and can be used independently when
referenced as ivuorinen/actions/action-name@main, addressing the critical requirement for external
usability while maintaining comprehensive security analysis and development automation.

* feat: add automated action catalog generation system

- Create generate_listing.cjs script for comprehensive action catalog
- Add package.json with development tooling and npm scripts
- Implement automated README.md catalog section with --update flag
- Generate markdown reference-style links for all 40 actions
- Add categorized tables with features, language support matrices
- Replace static reference links with auto-generated dynamic links
- Enable complete automation of action documentation maintenance

* feat: enhance actions with improved documentation and functionality

- Add comprehensive README files for 12 actions with usage examples
- Implement new utility actions (go-version-detect, dotnet-version-detect)
- Enhance node-setup with extensive configuration options
- Improve error handling and validation across all actions
- Update package.json scripts for better development workflow
- Expand TODO.md with detailed roadmap and improvement plans
- Standardize action structure with consistent inputs/outputs

* feat: add comprehensive output handling across all actions

- Add standardized outputs to 15 actions that previously had none
- Implement consistent snake_case naming convention for all outputs
- Add build status and test results outputs to build actions
- Add files changed and status outputs to lint/fix actions
- Add test execution metrics to php-tests action
- Add stale/closed counts to stale action
- Add release URLs and IDs to github-release action
- Update documentation with output specifications
- Mark comprehensive output handling task as complete in TODO.md

* feat: implement shared cache strategy across all actions

- Add caching to 10 actions that previously had none (Node.js, .NET, Python, Go)
- Standardize 4 existing actions to use common-cache instead of direct actions/cache
- Implement consistent cache-hit optimization to skip installations when cache available
- Add language-specific cache configurations with appropriate key files
- Create unified caching approach using ivuorinen/actions/common-cache@main
- Fix YAML syntax error in php-composer action paths parameter
- Update TODO.md to mark shared cache strategy as complete

* feat: implement comprehensive retry logic for network operations

- Create new common-retry action for standardized retry patterns with configurable strategies
- Add retry logic to 9 actions missing network retry capabilities
- Implement exponential backoff, custom timeouts, and flexible error handling
- Add max-retries input parameter to all network-dependent actions (Node.js, .NET, Python, Go)
- Standardize existing retry implementations to use common-retry utility
- Update action catalog to include new common-retry action (41 total actions)
- Update documentation with retry configuration examples and parameters
- Mark retry logic implementation as complete in TODO.md roadmap

* feat: enhance Node.js support with Corepack and Bun

- Add Corepack support for automatic package manager version management
- Add Bun package manager support across all Node.js actions
- Improve Yarn Berry/PnP support with .yarnrc.yml detection
- Add Node.js feature detection (ESM, TypeScript, frameworks)
- Update package manager detection priority and lockfile support
- Enhance caching with package-manager-specific keys
- Update eslint, prettier, and biome actions for multi-package-manager support

* fix: resolve critical runtime issues across multiple actions

- Fix token validation by removing ineffective literal string comparisons
- Add missing @microsoft/eslint-formatter-sarif dependency for SARIF output
- Fix Bash variable syntax errors in username and changelog length checks
- Update Dockerfile version regex to handle tags with suffixes (e.g., -alpine)
- Simplify version selection logic with single grep command
- Fix command execution in retry action with proper bash -c wrapper
- Correct step output references using .outcome instead of .outputs.outcome
- Add missing step IDs for version detection actions
- Include go.mod in cache key files for accurate invalidation
- Require minor version in all version regex patterns
- Improve Bun installation security by verifying script before execution
- Replace bc with sort -V for portable PHP version comparison
- Remove non-existent pre-commit output references

These fixes ensure proper runtime behavior, improved security, and better
cross-platform compatibility across all affected actions.

* fix: resolve critical runtime and security issues across actions

- Fix biome-fix files_changed calculation using git diff instead of git status delta
- Fix compress-images output description and add absolute path validation
- Remove csharp-publish token default and fix token fallback in push commands
- Add @microsoft/eslint-formatter-sarif to all package managers in eslint-check
- Fix eslint-check command syntax by using variable assignment
- Improve node-setup Bun installation security and remove invalid frozen-lockfile flag
- Fix pre-commit token validation by removing ineffective literal comparison
- Fix prettier-fix token comparison and expand regex for all GitHub token types
- Add version-file-parser regex validation safety and fix csproj wildcard handling

These fixes address security vulnerabilities, runtime errors, and functional issues
to ensure reliable operation across all affected GitHub Actions.

* feat: enhance Docker actions with advanced multi-architecture support

Major enhancement to Docker build and publish actions with comprehensive
multi-architecture capabilities and enterprise-grade features.

Added features:
- Advanced buildx configuration (version control, cache modes, build contexts)
- Auto-detect platforms for dynamic architecture discovery
- Performance optimizations with enhanced caching strategies
- Security scanning with Trivy and image signing with Cosign
- SBOM generation in multiple formats with validation
- Verbose logging and dry-run modes for debugging
- Platform-specific build args and fallback mechanisms

Enhanced all Docker actions:
- docker-build: Core buildx features and multi-arch support
- docker-publish-gh: GitHub Packages with security features
- docker-publish-hub: Docker Hub with scanning and signing
- docker-publish: Orchestrator with unified configuration

Updated documentation across all modified actions.

* fix: resolve documentation generation placeholder issue

Fixed Makefile and package.json to properly replace placeholder tokens in generated documentation, ensuring all README files show correct repository paths instead of ***PROJECT***@***VERSION***.

* chore: simplify github token validation
* chore(lint): optional yamlfmt, config and fixes
* feat: use relative `uses` names

* feat: comprehensive testing infrastructure and Python validation system

- Migrate from tests/ to _tests/ directory structure with ShellSpec framework
- Add comprehensive validation system with Python-based input validation
- Implement dual testing approach (ShellSpec + pytest) for complete coverage
- Add modern Python tooling (uv, ruff, pytest-cov) and dependencies
- Create centralized validation rules with automatic generation system
- Update project configuration and build system for new architecture
- Enhance documentation to reflect current testing capabilities

This establishes a robust foundation for action validation and testing
with extensive coverage across all GitHub Actions in the repository.

* chore: remove Dockerfile for now
* chore: code review fixes

* feat: comprehensive GitHub Actions restructuring and tooling improvements

This commit represents a major restructuring of the GitHub Actions monorepo
with improved tooling, testing infrastructure, and comprehensive PR #186
review implementation.

## Major Changes

### 🔧 Development Tooling & Configuration
- **Shellcheck integration**: Exclude shellspec test files from linting
  - Updated .pre-commit-config.yaml to exclude _tests/*.sh from shellcheck/shfmt
  - Modified Makefile shellcheck pattern to skip shellspec files
  - Updated CLAUDE.md documentation with proper exclusion syntax
- **Testing infrastructure**: Enhanced Python validation framework
  - Fixed nested if statements and boolean parameter issues in validation.py
  - Improved code quality with explicit keyword arguments
  - All pre-commit hooks now passing

### 🏗️ Project Structure & Documentation
- **Added Serena AI integration** with comprehensive project memories:
  - Project overview, structure, and technical stack documentation
  - Code style conventions and completion requirements
  - Comprehensive PR #186 review analysis and implementation tracking
- **Enhanced configuration**: Updated .gitignore, .yamlfmt.yml, pyproject.toml
- **Improved testing**: Added integration workflows and enhanced test specs

### 🚀 GitHub Actions Improvements (30+ actions updated)
- **Centralized validation**: Updated 41 validation rule files
- **Enhanced actions**: Improvements across all action categories:
  - Setup actions (node-setup, version detectors)
  - Utility actions (version-file-parser, version-validator)
  - Linting actions (biome, eslint, terraform-lint-fix major refactor)
  - Build/publish actions (docker-build, npm-publish, csharp-*)
  - Repository management actions

### 📝 Documentation Updates
- **README consistency**: Updated version references across action READMEs
- **Enhanced documentation**: Improved action descriptions and usage examples
- **CLAUDE.md**: Updated with current tooling and best practices

## Technical Improvements
- **Security enhancements**: Input validation and sanitization improvements
- **Performance optimizations**: Streamlined action logic and dependencies
- **Cross-platform compatibility**: Better Windows/macOS/Linux support
- **Error handling**: Improved error reporting and user feedback

## Files Changed
- 100 files changed
- 13 new Serena memory files documenting project state
- 41 validation rules updated for consistency
- 30+ GitHub Actions and READMEs improved
- Core tooling configuration enhanced

* feat: comprehensive GitHub Actions improvements and PR review fixes

Major Infrastructure Improvements:
- Add comprehensive testing framework with 17+ ShellSpec validation tests
- Implement Docker-based testing tools with automated test runner
- Add CodeRabbit configuration for automated code reviews
- Restructure documentation and memory management system
- Update validation rules for 25+ actions with enhanced input validation
- Modernize CI/CD workflows and testing infrastructure

Critical PR Review Fixes (All Issues Resolved):
- Fix double caching in node-setup (eliminate redundant cache operations)
- Optimize shell pipeline in version-file-parser (single awk vs complex pipeline)
- Fix GitHub expression interpolation in prettier-check cache keys
- Resolve terraform command order issue (validation after setup)
- Add missing flake8-sarif dependency for Python SARIF output
- Fix environment variable scope in pr-lint (export to GITHUB_ENV)

Performance & Reliability:
- Eliminate duplicate cache operations saving CI time
- Improve shell script efficiency with optimized parsing
- Fix command execution dependencies preventing runtime failures
- Ensure proper dependency installation for all linting tools
- Resolve workflow conditional logic issues

Security & Quality:
- All input validation rules updated with latest security patterns
- Cross-platform compatibility improvements maintained
- Comprehensive error handling and retry logic preserved
- Modern development tooling and best practices adopted

This commit addresses 100% of actionable feedback from PR review analysis,
implements comprehensive testing infrastructure, and maintains high code
quality standards across all 41 GitHub Actions.

* feat: enhance expression handling and version parsing

- Fix node-setup force-version expression logic for proper empty string handling
- Improve version-file-parser with secure regex validation and enhanced Python detection
- Add CodeRabbit configuration for CalVer versioning and README review guidance

* feat(validate-inputs): implement modular validation system

- Add modular validator architecture with specialized validators
- Implement base validator classes for different input types
- Add validators: boolean, docker, file, network, numeric, security, token, version
- Add convention mapper for automatic input validation
- Add comprehensive documentation for the validation system
- Implement PCRE regex support and injection protection

* feat(validate-inputs): add validation rules for all actions

- Add YAML validation rules for 42 GitHub Actions
- Auto-generated rules with convention mappings
- Include metadata for validation coverage and quality indicators
- Mark rules as auto-generated to prevent manual edits

* test(validate-inputs): add comprehensive test suite for validators

- Add unit tests for all validator modules
- Add integration tests for the validation system
- Add fixtures for version test data
- Test coverage for boolean, docker, file, network, numeric, security, token, and version validators
- Add tests for convention mapper and registry

* feat(tools): add validation scripts and utilities

- Add update-validators.py script for auto-generating rules
- Add benchmark-validator.py for performance testing
- Add debug-validator.py for troubleshooting
- Add generate-tests.py for test generation
- Add check-rules-not-manually-edited.sh for CI validation
- Add fix-local-action-refs.py tool for fixing action references

* feat(actions): add CustomValidator.py files for specialized validation

- Add custom validators for actions requiring special validation logic
- Implement validators for docker, go, node, npm, php, python, terraform actions
- Add specialized validation for compress-images, common-cache, common-file-check
- Implement version detection validators with language-specific logic
- Add validation for build arguments, architectures, and version formats

* test: update ShellSpec test framework for Python validation

- Update all validation.spec.sh files to use Python validator
- Add shared validation_core.py for common test utilities
- Remove obsolete bash validation helpers
- Update test output expectations for Python validator format
- Add codeql-analysis test suite
- Refactor framework utilities for Python integration
- Remove deprecated test files

* feat(actions): update action.yml files to use validate-inputs

- Replace inline bash validation with validate-inputs action
- Standardize validation across all 42 actions
- Add new codeql-analysis action
- Update action metadata and branding
- Add validation step as first step in composite actions
- Maintain backward compatibility with existing inputs/outputs

* ci: update GitHub workflows for enhanced security and testing

- Add new codeql-new.yml workflow
- Update security scanning workflows
- Enhance dependency review configuration
- Update test-actions workflow for new validation system
- Improve workflow permissions and security settings
- Update action versions to latest SHA-pinned releases

* build: update build configuration and dependencies

- Update Makefile with new validation targets
- Add Python dependencies in pyproject.toml
- Update npm dependencies and scripts
- Enhance Docker testing tools configuration
- Add targets for validator updates and local ref fixes
- Configure uv for Python package management

* chore: update linting and documentation configuration

- Update EditorConfig settings for consistent formatting
- Enhance pre-commit hooks configuration
- Update prettier and yamllint ignore patterns
- Update gitleaks security scanning rules
- Update CodeRabbit review configuration
- Update CLAUDE.md with latest project standards and rules

* docs: update Serena memory files and project metadata

- Remove obsolete PR-186 memory files
- Update project overview with current architecture
- Update project structure documentation
- Add quality standards and communication guidelines
- Add modular validator architecture documentation
- Add shellspec testing framework documentation
- Update project.yml with latest configuration

* feat: moved rules.yml to same folder as action, fixes

* fix(validators): correct token patterns and fix validator bugs

- Fix GitHub classic PAT pattern: ghp_ + 36 chars = 40 total
- Fix GitHub fine-grained PAT pattern: github_pat_ + 71 chars = 82 total
- Initialize result variable in convention_mapper to prevent UnboundLocalError
- Fix empty URL validation in network validator to return error
- Add GitHub expression check to docker architectures validator
- Update docker-build CustomValidator parallel-builds max to 16

* test(validators): fix test fixtures and expectations

- Fix token lengths in test data: github_pat 71 chars, ghp/gho 36 chars
- Update integration tests with correct token lengths
- Fix file validator test to expect absolute paths rejected for security
- Rename TestGenerator import to avoid pytest collection warning
- Update custom validator tests with correct input names
- Change docker-build tests: platforms->architectures, tags->tag
- Update docker-publish tests to match new registry enum validation

* test(shellspec): fix token lengths in test helpers and specs

- Fix default token lengths in spec_helper.sh to use correct 40-char format
- Update csharp-publish default tokens in 4 locations
- Update codeql-analysis default tokens in 2 locations
- Fix codeql-analysis test tokens to correct lengths (40 and 82 chars)
- Fix npm-publish fine-grained token test to use 82-char format

* feat(actions): add permissions documentation and environment variable usage

- Add permissions comments to all action.yml files documenting required GitHub permissions
- Convert direct input usage to environment variables in shell steps for security
- Add validation steps with proper error handling
- Update input descriptions and add security notes where applicable
- Ensure all actions follow consistent patterns for input validation

* chore(workflows): update GitHub Actions workflow versions

- Update workflow action versions to latest
- Improve workflow consistency and maintainability

* docs(security): add comprehensive security policy

- Document security features and best practices
- Add vulnerability reporting process
- Include audit history and security testing information

* docs(memory): add GitHub workflow reference documentation

- Add GitHub Actions workflow commands reference
- Add GitHub workflow expressions guide
- Add secure workflow usage patterns and best practices

* chore: token optimization, code style conventions
* chore: cr fixes
* fix: trivy reported Dockerfile problems
* fix(security): more security fixes
* chore: dockerfile and make targets for publishing
* fix(ci): add creds to test-actions workflow
* fix: security fix and checkout step to codeql-new
* chore: test fixes
* fix(security): codeql detected issues
* chore: code review fixes, ReDos protection
* style: apply MegaLinter fixes
* fix(ci): missing packages read permission
* fix(ci): add missing working directory setting
* chore: linting, add validation-regex to use regex_pattern
* chore: code review fixes
* chore(deps): update actions
* fix(security): codeql fixes
* chore(cr): apply cr comments
* chore: improve POSIX compatibility
* chore(cr): apply cr comments
* fix: codeql warning in Dockerfile, build failures
* chore(cr): apply cr comments
* fix: docker-testing-tools/Dockerfile
* chore(cr): apply cr comments
* fix(docker): update testing-tools image for GitHub Actions compatibility
* chore(cr): apply cr comments
* feat: add more tests, fix issues
* chore: fix codeql issues, update actions
* chore(cr): apply cr comments
* fix: integration tests
* chore: deduplication and fixes
* style: apply MegaLinter fixes
* chore(cr): apply cr comments
* feat: dry-run mode for generate-tests
* fix(ci): kcov installation
* chore(cr): apply cr comments
* chore(cr): apply cr comments
* chore(cr): apply cr comments
* chore(cr): apply cr comments, simplify action testing, use uv
* fix: run-tests.sh action counting
* chore(cr): apply cr comments
* chore(cr): apply cr comments
This commit is contained in:
Ismo Vuorinen
2025-10-14 13:37:58 +03:00
committed by GitHub
parent d3cc8d4790
commit 78fdad69e5
353 changed files with 55370 additions and 1714 deletions
Download Patch File Download Diff File Expand all files Collapse all files

582
codeql-analysis/CustomValidator.py Executable file
View File

@@ -0,0 +1,582 @@
#!/usr/bin/env python3
"""Custom validator for codeql-analysis action.
This validator handles CodeQL-specific validation including:
- Query validation (built-in and custom queries)
- Category validation (security, quality, etc.)
- Resource limits (threads, RAM)
- Language detection and validation
- Database and configuration validation
"""
from __future__ import annotations
from pathlib import Path
import sys
# Add validate-inputs directory to path to import validators
validate_inputs_path = Path(__file__).parent.parent / "validate-inputs"
sys.path.insert(0, str(validate_inputs_path))
from validators.base import BaseValidator
from validators.boolean import BooleanValidator
from validators.codeql import CodeQLValidator
from validators.file import FileValidator
from validators.numeric import NumericValidator
from validators.token import TokenValidator
class CustomValidator(BaseValidator):
"""Custom validator for codeql-analysis action.
Provides comprehensive validation for CodeQL analysis configuration.
"""
def __init__(self, action_type: str = "codeql-analysis") -> None:
"""Initialize the codeql-analysis validator."""
super().__init__(action_type)
self.codeql_validator = CodeQLValidator(action_type)
self.file_validator = FileValidator(action_type)
self.numeric_validator = NumericValidator(action_type)
self.token_validator = TokenValidator(action_type)
self.boolean_validator = BooleanValidator(action_type)
def validate_inputs(self, inputs: dict[str, str]) -> bool:
"""Validate codeql-analysis specific inputs.
Args:
inputs: Dictionary of input names to values
Returns:
True if all validations pass, False otherwise
"""
valid = True
# Validate language (required, but we handle empty check in validate_language)
if "language" in inputs:
valid &= self.validate_language(inputs["language"])
else:
# Language is required but missing entirely
self.add_error("Required input 'language' is missing")
valid = False
# Validate queries
if "queries" in inputs:
valid &= self.validate_queries(inputs["queries"])
# Validate categories
if "categories" in inputs:
valid &= self.validate_categories(inputs["categories"])
elif "category" in inputs:
# Support both 'category' and 'categories'
valid &= self.validate_category(inputs["category"])
# Validate config file
if inputs.get("config-file"):
valid &= self.validate_config_file(inputs["config-file"])
# Validate database path
if inputs.get("database"):
valid &= self.validate_database(inputs["database"])
# Validate threads
if inputs.get("threads"):
result = self.codeql_validator.validate_threads(inputs["threads"])
for error in self.codeql_validator.errors:
if error not in self.errors:
self.add_error(error)
self.codeql_validator.clear_errors()
valid &= result
# Validate RAM
if inputs.get("ram"):
result = self.codeql_validator.validate_ram(inputs["ram"])
for error in self.codeql_validator.errors:
if error not in self.errors:
self.add_error(error)
self.codeql_validator.clear_errors()
valid &= result
# Validate debug mode
if inputs.get("debug"):
valid &= self.validate_debug(inputs["debug"])
# Validate upload options
if inputs.get("upload-database"):
valid &= self.validate_upload_database(inputs["upload-database"])
if inputs.get("upload-sarif"):
valid &= self.validate_upload_sarif(inputs["upload-sarif"])
# Validate custom options
if inputs.get("packs"):
valid &= self.validate_packs(inputs["packs"])
if inputs.get("external-repository-token"):
valid &= self.validate_external_token(inputs["external-repository-token"])
# Validate token
if "token" in inputs:
valid &= self.validate_token(inputs["token"])
# Validate working-directory
if inputs.get("working-directory"):
valid &= self.validate_working_directory(inputs["working-directory"])
# Validate upload-results
if "upload-results" in inputs:
valid &= self.validate_upload_results(inputs["upload-results"])
return valid
def get_required_inputs(self) -> list[str]:
"""Get list of required inputs for codeql-analysis.
Returns:
List of required input names
"""
# Language is typically required for CodeQL
return ["language"]
def get_validation_rules(self) -> dict:
"""Get validation rules for codeql-analysis.
Returns:
Dictionary of validation rules
"""
return {
"language": "Programming language(s) to analyze (required)",
"queries": "CodeQL query suites to run",
"categories": "Categories to include (security, quality, etc.)",
"config-file": "Path to CodeQL configuration file",
"database": "Path to CodeQL database",
"threads": "Number of threads (1-128)",
"ram": "RAM limit in MB (256-32768)",
"debug": "Enable debug mode (true/false)",
"upload-database": "Upload database to GitHub (true/false)",
"upload-sarif": "Upload SARIF results (true/false)",
"packs": "CodeQL packs to use",
"external-repository-token": "Token for external repositories",
}
def validate_language(self, language: str) -> bool:
"""Validate programming language specification.
Args:
language: Language(s) to analyze
Returns:
True if valid, False otherwise
"""
# Check for empty language first
if not language or not language.strip():
self.add_error("CodeQL language cannot be empty")
return False
# Allow GitHub Actions expressions
if self.is_github_expression(language):
return True
# CodeQL supported languages
supported_languages = [
"cpp",
"c",
"c++",
"csharp",
"c#",
"go",
"java",
"kotlin",
"javascript",
"js",
"typescript",
"ts",
"python",
"py",
"ruby",
"rb",
"swift",
"actions",
]
# Can be single language or comma-separated list
languages = [lang.strip().lower() for lang in language.split(",")]
for lang in languages:
if not lang:
self.add_error("CodeQL language cannot be empty")
return False
# Check if it's a supported language
if lang not in supported_languages:
self.add_error(
f"Unsupported CodeQL language: {lang}. "
f"Supported: {', '.join(supported_languages)}"
)
return False
return True
def validate_queries(self, queries: str) -> bool:
"""Validate CodeQL queries specification.
Args:
queries: Query specification
Returns:
True if valid, False otherwise
"""
# Check for empty queries first
if not queries or not queries.strip():
self.add_error("CodeQL queries cannot be empty")
return False
# Use the CodeQL validator
result = self.codeql_validator.validate_codeql_queries(queries)
# Copy any errors from codeql validator
for error in self.codeql_validator.errors:
if error not in self.errors:
self.add_error(error)
self.codeql_validator.clear_errors()
return result
def validate_categories(self, categories: str) -> bool:
"""Validate CodeQL categories.
Args:
categories: Categories specification
Returns:
True if valid, False otherwise
"""
# Use the CodeQL validator
result = self.codeql_validator.validate_category_format(categories)
# Copy any errors from codeql validator
for error in self.codeql_validator.errors:
if error not in self.errors:
self.add_error(error)
self.codeql_validator.clear_errors()
return result
def validate_category(self, category: str) -> bool:
"""Validate CodeQL category (singular).
Args:
category: Category specification
Returns:
True if valid, False otherwise
"""
# Use the CodeQL validator
result = self.codeql_validator.validate_category_format(category)
# Copy any errors from codeql validator
for error in self.codeql_validator.errors:
if error not in self.errors:
self.add_error(error)
self.codeql_validator.clear_errors()
return result
def validate_config_file(self, config_file: str) -> bool:
"""Validate CodeQL configuration file path.
Args:
config_file: Path to config file
Returns:
True if valid, False otherwise
"""
if not config_file or not config_file.strip():
return True
# Allow GitHub Actions expressions
if self.is_github_expression(config_file):
return True
# Use FileValidator for yaml file validation
result = self.file_validator.validate_yaml_file(config_file, "config-file")
# Copy any errors from file validator
for error in self.file_validator.errors:
if error not in self.errors:
self.add_error(error)
self.file_validator.clear_errors()
return result
def validate_database(self, database: str) -> bool:
"""Validate CodeQL database path.
Args:
database: Database path
Returns:
True if valid, False otherwise
"""
# Allow GitHub Actions expressions
if self.is_github_expression(database):
return True
# Use FileValidator for path validation
result = self.file_validator.validate_file_path(database, "database")
# Copy any errors from file validator
for error in self.file_validator.errors:
if error not in self.errors:
self.add_error(error)
self.file_validator.clear_errors()
# Database paths often contain the language
# e.g., "codeql-database/javascript" or "/tmp/codeql_databases/python"
# Just validate it's a reasonable path after basic validation
if result and database.startswith("/tmp/"): # noqa: S108
return True
return result
def validate_debug(self, debug: str) -> bool:
"""Validate debug mode setting.
Args:
debug: Debug mode value
Returns:
True if valid, False otherwise
"""
# Allow GitHub Actions expressions
if self.is_github_expression(debug):
return True
# Use BooleanValidator
result = self.boolean_validator.validate_boolean(debug, "debug")
# Copy any errors from boolean validator
for error in self.boolean_validator.errors:
if error not in self.errors:
self.add_error(error)
self.boolean_validator.clear_errors()
return result
def validate_upload_database(self, upload: str) -> bool:
"""Validate upload-database setting.
Args:
upload: Upload setting
Returns:
True if valid, False otherwise
"""
# Allow GitHub Actions expressions
if self.is_github_expression(upload):
return True
# Use BooleanValidator
result = self.boolean_validator.validate_boolean(upload, "upload-database")
# Copy any errors from boolean validator
for error in self.boolean_validator.errors:
if error not in self.errors:
self.add_error(error)
self.boolean_validator.clear_errors()
return result
def validate_upload_sarif(self, upload: str) -> bool:
"""Validate upload-sarif setting.
Args:
upload: Upload setting
Returns:
True if valid, False otherwise
"""
# Allow GitHub Actions expressions
if self.is_github_expression(upload):
return True
# Use BooleanValidator
result = self.boolean_validator.validate_boolean(upload, "upload-sarif")
# Copy any errors from boolean validator
for error in self.boolean_validator.errors:
if error not in self.errors:
self.add_error(error)
self.boolean_validator.clear_errors()
return result
def validate_packs(self, packs: str) -> bool:
"""Validate CodeQL packs.
Args:
packs: Packs specification
Returns:
True if valid, False otherwise
"""
# Allow GitHub Actions expressions
if self.is_github_expression(packs):
return True
if not packs or not packs.strip():
return True
# Split by comma and validate each pack
pack_list = [p.strip() for p in packs.split(",")]
for pack in pack_list:
if not pack:
continue
# Local pack path
if pack.startswith("./") or pack.startswith("../"):
if not self.validate_path_security(pack):
return False
# Remote pack with version
elif "@" in pack:
name_part, version_part = pack.rsplit("@", 1)
# Validate pack name format
if not self._validate_pack_name(name_part):
return False
# Basic version validation
if not version_part:
self.add_error(f"Pack version cannot be empty: {pack}")
return False
# Remote pack without version
elif not self._validate_pack_name(pack):
return False
return True
def _validate_pack_name(self, pack_name: str) -> bool:
"""Validate CodeQL pack name format.
Args:
pack_name: Pack name to validate
Returns:
True if valid, False otherwise
"""
# Pack names are typically in format: namespace/pack-name
# e.g., codeql/javascript-queries, github/codeql-go
if "/" not in pack_name:
self.add_error(f"Pack name should be in format 'namespace/pack-name': {pack_name}")
return False
namespace, name = pack_name.split("/", 1)
# Validate namespace (alphanumeric, hyphens, underscores)
if not namespace or not all(c.isalnum() or c in "-_" for c in namespace):
self.add_error(f"Invalid pack namespace: {namespace}")
return False
# Validate pack name
if not name or not all(c.isalnum() or c in "-_" for c in name):
self.add_error(f"Invalid pack name: {name}")
return False
return True
def validate_external_token(self, token: str) -> bool:
"""Validate external repository token.
Args:
token: Token value
Returns:
True if valid, False otherwise
"""
# Use the TokenValidator for proper validation
result = self.token_validator.validate_github_token(token, required=False)
# Copy any errors from token validator
for error in self.token_validator.errors:
if error not in self.errors:
self.add_error(error)
self.token_validator.clear_errors()
return result
def validate_token(self, token: str) -> bool:
"""Validate GitHub token.
Args:
token: Token value
Returns:
True if valid, False otherwise
"""
# Check for empty token
if not token or not token.strip():
self.add_error("Input 'token' is missing or empty")
return False
# Use the TokenValidator for proper validation
result = self.token_validator.validate_github_token(token, required=True)
# Copy any errors from token validator
for error in self.token_validator.errors:
if error not in self.errors:
self.add_error(error)
self.token_validator.clear_errors()
return result
def validate_working_directory(self, directory: str) -> bool:
"""Validate working directory path.
Args:
directory: Directory path
Returns:
True if valid, False otherwise
"""
# Allow GitHub Actions expressions
if self.is_github_expression(directory):
return True
# Use FileValidator for path validation
result = self.file_validator.validate_file_path(directory, "working-directory")
# Copy any errors from file validator
for error in self.file_validator.errors:
if error not in self.errors:
self.add_error(error)
self.file_validator.clear_errors()
return result
def validate_upload_results(self, value: str) -> bool:
"""Validate upload-results boolean value.
Args:
value: Boolean value to validate
Returns:
True if valid, False otherwise
"""
# Check for empty
if not value or not value.strip():
self.add_error("upload-results cannot be empty")
return False
# Allow GitHub Actions expressions
if self.is_github_expression(value):
return True
# Check for uppercase TRUE/FALSE first
if value in ["TRUE", "FALSE"]:
self.add_error("Must be lowercase 'true' or 'false'")
return False
# Use BooleanValidator for normal validation
result = self.boolean_validator.validate_boolean(value, "upload-results")
# Copy any errors from boolean validator
for error in self.boolean_validator.errors:
if error not in self.errors:
self.add_error(error)
self.boolean_validator.clear_errors()
return result

149
codeql-analysis/README.md Normal file
View File

@@ -0,0 +1,149 @@
# ivuorinen/actions/codeql-analysis
## CodeQL Analysis
### Description
Run CodeQL security analysis for a single language with configurable query suites
### Inputs
| name | description | required | default |
|---------------------|---------------------------------------------------------------------------------------------|----------|-----------------------|
| `language` | <p>Language to analyze (javascript, python, actions, java, csharp, cpp, ruby, go, etc.)</p> | `true` | `""` |
| `queries` | <p>Comma-separated list of additional queries to run</p> | `false` | `""` |
| `packs` | <p>Comma-separated list of CodeQL query packs to run</p> | `false` | `""` |
| `config-file` | <p>Path to CodeQL configuration file</p> | `false` | `""` |
| `config` | <p>Configuration passed as a YAML string</p> | `false` | `""` |
| `build-mode` | <p>The build mode for compiled languages (none, manual, autobuild)</p> | `false` | `""` |
| `source-root` | <p>Path of the root source code directory</p> | `false` | `""` |
| `category` | <p>Analysis category (default: /language:<language>)</p> | `false` | `""` |
| `checkout-ref` | <p>Git reference to checkout (default: current ref)</p> | `false` | `""` |
| `token` | <p>GitHub token for API access</p> | `false` | `${{ github.token }}` |
| `working-directory` | <p>Working directory for the analysis</p> | `false` | `.` |
| `upload-results` | <p>Upload results to GitHub Security tab</p> | `false` | `true` |
| `ram` | <p>Amount of memory in MB that can be used by CodeQL</p> | `false` | `""` |
| `threads` | <p>Number of threads that can be used by CodeQL</p> | `false` | `""` |
| `output` | <p>Path to save SARIF results</p> | `false` | `../results` |
| `skip-queries` | <p>Build database but skip running queries</p> | `false` | `false` |
| `add-snippets` | <p>Add code snippets to SARIF output</p> | `false` | `false` |
### Outputs
| name | description |
|---------------------|---------------------------------------|
| `language-analyzed` | <p>Language that was analyzed</p> |
| `analysis-category` | <p>Category used for the analysis</p> |
| `sarif-file` | <p>Path to generated SARIF file</p> |
### Runs
This action is a `composite` action.
### Usage
```yaml
- uses: ivuorinen/actions/codeql-analysis@main
with:
language:
# Language to analyze (javascript, python, actions, java, csharp, cpp, ruby, go, etc.)
#
# Required: true
# Default: ""
queries:
# Comma-separated list of additional queries to run
#
# Required: false
# Default: ""
packs:
# Comma-separated list of CodeQL query packs to run
#
# Required: false
# Default: ""
config-file:
# Path to CodeQL configuration file
#
# Required: false
# Default: ""
config:
# Configuration passed as a YAML string
#
# Required: false
# Default: ""
build-mode:
# The build mode for compiled languages (none, manual, autobuild)
#
# Required: false
# Default: ""
source-root:
# Path of the root source code directory
#
# Required: false
# Default: ""
category:
# Analysis category (default: /language:<language>)
#
# Required: false
# Default: ""
checkout-ref:
# Git reference to checkout (default: current ref)
#
# Required: false
# Default: ""
token:
# GitHub token for API access
#
# Required: false
# Default: ${{ github.token }}
working-directory:
# Working directory for the analysis
#
# Required: false
# Default: .
upload-results:
# Upload results to GitHub Security tab
#
# Required: false
# Default: true
ram:
# Amount of memory in MB that can be used by CodeQL
#
# Required: false
# Default: ""
threads:
# Number of threads that can be used by CodeQL
#
# Required: false
# Default: ""
output:
# Path to save SARIF results
#
# Required: false
# Default: ../results
skip-queries:
# Build database but skip running queries
#
# Required: false
# Default: false
add-snippets:
# Add code snippets to SARIF output
#
# Required: false
# Default: false
```

241
codeql-analysis/action.yml Normal file
View File

@@ -0,0 +1,241 @@
---
# permissions:
# - security-events: write # Required for uploading SARIF results
# - contents: read # Required for checking out repository
name: CodeQL Analysis
description: Run CodeQL security analysis for a single language with configurable query suites
author: Ismo Vuorinen
branding:
icon: shield
color: blue
inputs:
language:
description: 'Language to analyze (javascript, python, actions, java, csharp, cpp, ruby, go, etc.)'
required: true
queries:
description: 'Comma-separated list of additional queries to run'
required: false
default: ''
packs:
description: 'Comma-separated list of CodeQL query packs to run'
required: false
default: ''
config-file:
description: 'Path to CodeQL configuration file'
required: false
default: ''
config:
description: 'Configuration passed as a YAML string'
required: false
default: ''
build-mode:
description: 'The build mode for compiled languages (none, manual, autobuild)'
required: false
default: ''
source-root:
description: 'Path of the root source code directory'
required: false
default: ''
category:
description: 'Analysis category (default: /language:<language>)'
required: false
default: ''
checkout-ref:
description: 'Git reference to checkout (default: current ref)'
required: false
default: ''
token:
description: 'GitHub token for API access'
required: false
default: ${{ github.token }}
working-directory:
description: 'Working directory for the analysis'
required: false
default: '.'
upload-results:
description: 'Upload results to GitHub Security tab'
required: false
default: 'true'
ram:
description: 'Amount of memory in MB that can be used by CodeQL'
required: false
default: ''
threads:
description: 'Number of threads that can be used by CodeQL'
required: false
default: ''
output:
description: 'Path to save SARIF results'
required: false
default: '../results'
skip-queries:
description: 'Build database but skip running queries'
required: false
default: 'false'
add-snippets:
description: 'Add code snippets to SARIF output'
required: false
default: 'false'
outputs:
language-analyzed:
description: 'Language that was analyzed'
value: ${{ inputs.language }}
analysis-category:
description: 'Category used for the analysis'
value: ${{ steps.set-category.outputs.category }}
sarif-file:
description: 'Path to generated SARIF file'
value: ${{ steps.analysis.outputs.sarif-file }}
runs:
using: composite
steps:
- name: Validate inputs
uses: ./validate-inputs
with:
action-type: codeql-analysis
language: ${{ inputs.language }}
queries: ${{ inputs.queries }}
packs: ${{ inputs.packs }}
config-file: ${{ inputs.config-file }}
config: ${{ inputs.config }}
build-mode: ${{ inputs.build-mode }}
source-root: ${{ inputs.source-root }}
category: ${{ inputs.category }}
checkout-ref: ${{ inputs.checkout-ref }}
token: ${{ inputs.token }}
working-directory: ${{ inputs.working-directory }}
upload-results: ${{ inputs.upload-results }}
ram: ${{ inputs.ram }}
threads: ${{ inputs.threads }}
output: ${{ inputs.output }}
skip-queries: ${{ inputs.skip-queries }}
add-snippets: ${{ inputs.add-snippets }}
- name: Validate checkout safety
shell: bash
env:
CHECKOUT_REF: ${{ inputs.checkout-ref }}
EVENT_NAME: ${{ github.event_name }}
run: |
# Security check: Warn if checking out custom ref on pull_request_target
if [[ "$EVENT_NAME" == "pull_request_target" ]] && [[ -n "$CHECKOUT_REF" ]]; then
echo "::warning::Using custom checkout-ref on pull_request_target is potentially unsafe"
echo "::warning::Ensure the ref is validated before running untrusted code"
fi
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
ref: ${{ inputs.checkout-ref || github.sha }}
token: ${{ inputs.token }}
- name: Set analysis category
id: set-category
shell: bash
env:
CATEGORY: ${{ inputs.category }}
LANGUAGE: ${{ inputs.language }}
run: |
if [[ -n "$CATEGORY" ]]; then
category="$CATEGORY"
else
category="/language:$LANGUAGE"
fi
echo "category=$category" >> $GITHUB_OUTPUT
echo "Using analysis category: $category"
- name: Set build mode
id: set-build-mode
shell: bash
env:
BUILD_MODE: ${{ inputs.build-mode }}
LANGUAGE: ${{ inputs.language }}
run: |
build_mode="$BUILD_MODE"
if [[ -z "$build_mode" ]]; then
# Auto-detect build mode based on language
case "$LANGUAGE" in
javascript|python|ruby|actions)
build_mode="none"
;;
java|csharp|cpp|c|go|swift|kotlin)
build_mode="autobuild"
;;
esac
fi
echo "build-mode=$build_mode" >> $GITHUB_OUTPUT
echo "Using build mode: $build_mode"
- name: Initialize CodeQL
uses: github/codeql-action/init@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
with:
languages: ${{ inputs.language }}
queries: ${{ inputs.queries }}
packs: ${{ inputs.packs }}
config-file: ${{ inputs.config-file }}
config: ${{ inputs.config }}
build-mode: ${{ steps.set-build-mode.outputs.build-mode }}
source-root: ${{ inputs.source-root || inputs.working-directory }}
ram: ${{ inputs.ram }}
threads: ${{ inputs.threads }}
- name: Autobuild
uses: github/codeql-action/autobuild@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
if: ${{ steps.set-build-mode.outputs.build-mode == 'autobuild' }}
- name: Perform CodeQL Analysis
id: analysis
uses: github/codeql-action/analyze@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
with:
category: ${{ steps.set-category.outputs.category }}
upload: ${{ inputs.upload-results }}
output: ${{ inputs.output }}
ram: ${{ inputs.ram }}
threads: ${{ inputs.threads }}
add-snippets: ${{ inputs.add-snippets }}
skip-queries: ${{ inputs.skip-queries }}
- name: Summary
shell: bash
env:
LANGUAGE: ${{ inputs.language }}
CATEGORY: ${{ steps.set-category.outputs.category }}
BUILD_MODE: ${{ steps.set-build-mode.outputs.build-mode }}
QUERIES: ${{ inputs.queries }}
PACKS: ${{ inputs.packs }}
UPLOAD_RESULTS: ${{ inputs.upload-results }}
OUTPUT: ${{ inputs.output }}
run: |
echo "✅ CodeQL analysis completed for language: $LANGUAGE"
echo "📊 Category: $CATEGORY"
echo "🏗️ Build mode: $BUILD_MODE"
echo "🔍 Queries: ${QUERIES:-default}"
echo "📦 Packs: ${PACKS:-none}"
if [[ "$UPLOAD_RESULTS" == "true" ]]; then
echo "📤 Results uploaded to GitHub Security tab"
fi
if [[ -n "$OUTPUT" ]]; then
echo "💾 SARIF saved to: $OUTPUT"
fi

77
codeql-analysis/rules.yml Normal file
View File

@@ -0,0 +1,77 @@
---
# Validation rules for codeql-analysis action
# Generated by update-validators.py v1.0.0 - DO NOT EDIT MANUALLY
# Schema version: 1.0
# Coverage: 94% (16/17 inputs)
#
# This file defines validation rules for the codeql-analysis GitHub Action.
# Rules are automatically applied by validate-inputs action when this
# action is used.
#
schema_version: '1.0'
action: codeql-analysis
description: Run CodeQL security analysis for a single language with configurable query suites
generator_version: 1.0.0
required_inputs:
- language
optional_inputs:
- add-snippets
- build-mode
- category
- checkout-ref
- config
- config-file
- output
- packs
- queries
- ram
- skip-queries
- source-root
- threads
- token
- upload-results
- working-directory
conventions:
add-snippets: boolean
build-mode: codeql_build_mode
category: category_format
checkout-ref: branch_name
config: codeql_config
config-file: file_path
language: codeql_language
output: file_path
packs: codeql_packs
queries: codeql_queries
ram: numeric_range_256_32768
skip-queries: codeql_queries
source-root: file_path
threads: numeric_range_1_128
token: github_token
working-directory: file_path
overrides:
build-mode: codeql_build_mode
category: category_format
config: codeql_config
output: file_path
packs: codeql_packs
queries: codeql_queries
ram: numeric_range_256_32768
skip-queries: boolean
source-root: file_path
threads: numeric_range_1_128
token: github_token
statistics:
total_inputs: 17
validated_inputs: 16
skipped_inputs: 0
coverage_percentage: 94
validation_coverage: 94
auto_detected: true
manual_review_required: false
quality_indicators:
has_required_inputs: true
has_token_validation: true
has_version_validation: false
has_file_validation: true
has_security_validation: true