ivuorinen/actions
1
0
Fork 0
mirror of https://github.com/ivuorinen/actions.git synced 2026-01-26 11:34:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: fixes, tweaks, new actions, linting (#186)

Browse Source 
* feat: fixes, tweaks, new actions, linting
* fix: improve docker publish loops and dotnet parsing (#193)
* fix: harden action scripts and version checks (#191)
* refactor: major repository restructuring and security enhancements

Add comprehensive development infrastructure:
- Add Makefile with automated documentation generation, formatting, and linting tasks
- Add TODO.md tracking self-containment progress and repository improvements
- Add .nvmrc for consistent Node.js version management
- Create python-version-detect-v2 action for enhanced Python detection

Enhance all GitHub Actions with standardized patterns:
- Add consistent token handling across 27 actions using standardized input patterns
- Implement bash error handling (set -euo pipefail) in all shell steps
- Add comprehensive input validation for path traversal and command injection protection
- Standardize checkout token authentication to prevent rate limiting
- Remove relative action dependencies to ensure external usability

Rewrite security workflow for PR-focused analysis:
- Transform security-suite.yml to PR-only security analysis workflow
- Remove scheduled runs, repository issue management, and Slack notifications
- Implement smart comment generation showing only sections with content
- Add GitHub Actions permission diff analysis and new action detection
- Integrate OWASP, Semgrep, and TruffleHog for comprehensive PR security scanning

Improve version detection and dependency management:
- Simplify version detection actions to use inline logic instead of shared utilities
- Fix Makefile version detection fallback to properly return 'main' when version not found
- Update all external action references to use SHA-pinned versions
- Remove deprecated run.sh in favor of Makefile automation

Update documentation and project standards:
- Enhance CLAUDE.md with self-containment requirements and linting standards
- Update README.md with improved action descriptions and usage examples
- Standardize code formatting with updated .editorconfig and .prettierrc.yml
- Improve GitHub templates for issues and security reporting

This refactoring ensures all 40 actions are fully self-contained and can be used independently when
referenced as ivuorinen/actions/action-name@main, addressing the critical requirement for external
usability while maintaining comprehensive security analysis and development automation.

* feat: add automated action catalog generation system

- Create generate_listing.cjs script for comprehensive action catalog
- Add package.json with development tooling and npm scripts
- Implement automated README.md catalog section with --update flag
- Generate markdown reference-style links for all 40 actions
- Add categorized tables with features, language support matrices
- Replace static reference links with auto-generated dynamic links
- Enable complete automation of action documentation maintenance

* feat: enhance actions with improved documentation and functionality

- Add comprehensive README files for 12 actions with usage examples
- Implement new utility actions (go-version-detect, dotnet-version-detect)
- Enhance node-setup with extensive configuration options
- Improve error handling and validation across all actions
- Update package.json scripts for better development workflow
- Expand TODO.md with detailed roadmap and improvement plans
- Standardize action structure with consistent inputs/outputs

* feat: add comprehensive output handling across all actions

- Add standardized outputs to 15 actions that previously had none
- Implement consistent snake_case naming convention for all outputs
- Add build status and test results outputs to build actions
- Add files changed and status outputs to lint/fix actions
- Add test execution metrics to php-tests action
- Add stale/closed counts to stale action
- Add release URLs and IDs to github-release action
- Update documentation with output specifications
- Mark comprehensive output handling task as complete in TODO.md

* feat: implement shared cache strategy across all actions

- Add caching to 10 actions that previously had none (Node.js, .NET, Python, Go)
- Standardize 4 existing actions to use common-cache instead of direct actions/cache
- Implement consistent cache-hit optimization to skip installations when cache available
- Add language-specific cache configurations with appropriate key files
- Create unified caching approach using ivuorinen/actions/common-cache@main
- Fix YAML syntax error in php-composer action paths parameter
- Update TODO.md to mark shared cache strategy as complete

* feat: implement comprehensive retry logic for network operations

- Create new common-retry action for standardized retry patterns with configurable strategies
- Add retry logic to 9 actions missing network retry capabilities
- Implement exponential backoff, custom timeouts, and flexible error handling
- Add max-retries input parameter to all network-dependent actions (Node.js, .NET, Python, Go)
- Standardize existing retry implementations to use common-retry utility
- Update action catalog to include new common-retry action (41 total actions)
- Update documentation with retry configuration examples and parameters
- Mark retry logic implementation as complete in TODO.md roadmap

* feat: enhance Node.js support with Corepack and Bun

- Add Corepack support for automatic package manager version management
- Add Bun package manager support across all Node.js actions
- Improve Yarn Berry/PnP support with .yarnrc.yml detection
- Add Node.js feature detection (ESM, TypeScript, frameworks)
- Update package manager detection priority and lockfile support
- Enhance caching with package-manager-specific keys
- Update eslint, prettier, and biome actions for multi-package-manager support

* fix: resolve critical runtime issues across multiple actions

- Fix token validation by removing ineffective literal string comparisons
- Add missing @microsoft/eslint-formatter-sarif dependency for SARIF output
- Fix Bash variable syntax errors in username and changelog length checks
- Update Dockerfile version regex to handle tags with suffixes (e.g., -alpine)
- Simplify version selection logic with single grep command
- Fix command execution in retry action with proper bash -c wrapper
- Correct step output references using .outcome instead of .outputs.outcome
- Add missing step IDs for version detection actions
- Include go.mod in cache key files for accurate invalidation
- Require minor version in all version regex patterns
- Improve Bun installation security by verifying script before execution
- Replace bc with sort -V for portable PHP version comparison
- Remove non-existent pre-commit output references

These fixes ensure proper runtime behavior, improved security, and better
cross-platform compatibility across all affected actions.

* fix: resolve critical runtime and security issues across actions

- Fix biome-fix files_changed calculation using git diff instead of git status delta
- Fix compress-images output description and add absolute path validation
- Remove csharp-publish token default and fix token fallback in push commands
- Add @microsoft/eslint-formatter-sarif to all package managers in eslint-check
- Fix eslint-check command syntax by using variable assignment
- Improve node-setup Bun installation security and remove invalid frozen-lockfile flag
- Fix pre-commit token validation by removing ineffective literal comparison
- Fix prettier-fix token comparison and expand regex for all GitHub token types
- Add version-file-parser regex validation safety and fix csproj wildcard handling

These fixes address security vulnerabilities, runtime errors, and functional issues
to ensure reliable operation across all affected GitHub Actions.

* feat: enhance Docker actions with advanced multi-architecture support

Major enhancement to Docker build and publish actions with comprehensive
multi-architecture capabilities and enterprise-grade features.

Added features:
- Advanced buildx configuration (version control, cache modes, build contexts)
- Auto-detect platforms for dynamic architecture discovery
- Performance optimizations with enhanced caching strategies
- Security scanning with Trivy and image signing with Cosign
- SBOM generation in multiple formats with validation
- Verbose logging and dry-run modes for debugging
- Platform-specific build args and fallback mechanisms

Enhanced all Docker actions:
- docker-build: Core buildx features and multi-arch support
- docker-publish-gh: GitHub Packages with security features
- docker-publish-hub: Docker Hub with scanning and signing
- docker-publish: Orchestrator with unified configuration

Updated documentation across all modified actions.

* fix: resolve documentation generation placeholder issue

Fixed Makefile and package.json to properly replace placeholder tokens in generated documentation, ensuring all README files show correct repository paths instead of ***PROJECT***@***VERSION***.

* chore: simplify github token validation
* chore(lint): optional yamlfmt, config and fixes
* feat: use relative `uses` names

* feat: comprehensive testing infrastructure and Python validation system

- Migrate from tests/ to _tests/ directory structure with ShellSpec framework
- Add comprehensive validation system with Python-based input validation
- Implement dual testing approach (ShellSpec + pytest) for complete coverage
- Add modern Python tooling (uv, ruff, pytest-cov) and dependencies
- Create centralized validation rules with automatic generation system
- Update project configuration and build system for new architecture
- Enhance documentation to reflect current testing capabilities

This establishes a robust foundation for action validation and testing
with extensive coverage across all GitHub Actions in the repository.

* chore: remove Dockerfile for now
* chore: code review fixes

* feat: comprehensive GitHub Actions restructuring and tooling improvements

This commit represents a major restructuring of the GitHub Actions monorepo
with improved tooling, testing infrastructure, and comprehensive PR #186
review implementation.

## Major Changes

### 🔧 Development Tooling & Configuration
- **Shellcheck integration**: Exclude shellspec test files from linting
  - Updated .pre-commit-config.yaml to exclude _tests/*.sh from shellcheck/shfmt
  - Modified Makefile shellcheck pattern to skip shellspec files
  - Updated CLAUDE.md documentation with proper exclusion syntax
- **Testing infrastructure**: Enhanced Python validation framework
  - Fixed nested if statements and boolean parameter issues in validation.py
  - Improved code quality with explicit keyword arguments
  - All pre-commit hooks now passing

### 🏗️ Project Structure & Documentation
- **Added Serena AI integration** with comprehensive project memories:
  - Project overview, structure, and technical stack documentation
  - Code style conventions and completion requirements
  - Comprehensive PR #186 review analysis and implementation tracking
- **Enhanced configuration**: Updated .gitignore, .yamlfmt.yml, pyproject.toml
- **Improved testing**: Added integration workflows and enhanced test specs

### 🚀 GitHub Actions Improvements (30+ actions updated)
- **Centralized validation**: Updated 41 validation rule files
- **Enhanced actions**: Improvements across all action categories:
  - Setup actions (node-setup, version detectors)
  - Utility actions (version-file-parser, version-validator)
  - Linting actions (biome, eslint, terraform-lint-fix major refactor)
  - Build/publish actions (docker-build, npm-publish, csharp-*)
  - Repository management actions

### 📝 Documentation Updates
- **README consistency**: Updated version references across action READMEs
- **Enhanced documentation**: Improved action descriptions and usage examples
- **CLAUDE.md**: Updated with current tooling and best practices

## Technical Improvements
- **Security enhancements**: Input validation and sanitization improvements
- **Performance optimizations**: Streamlined action logic and dependencies
- **Cross-platform compatibility**: Better Windows/macOS/Linux support
- **Error handling**: Improved error reporting and user feedback

## Files Changed
- 100 files changed
- 13 new Serena memory files documenting project state
- 41 validation rules updated for consistency
- 30+ GitHub Actions and READMEs improved
- Core tooling configuration enhanced

* feat: comprehensive GitHub Actions improvements and PR review fixes

Major Infrastructure Improvements:
- Add comprehensive testing framework with 17+ ShellSpec validation tests
- Implement Docker-based testing tools with automated test runner
- Add CodeRabbit configuration for automated code reviews
- Restructure documentation and memory management system
- Update validation rules for 25+ actions with enhanced input validation
- Modernize CI/CD workflows and testing infrastructure

Critical PR Review Fixes (All Issues Resolved):
- Fix double caching in node-setup (eliminate redundant cache operations)
- Optimize shell pipeline in version-file-parser (single awk vs complex pipeline)
- Fix GitHub expression interpolation in prettier-check cache keys
- Resolve terraform command order issue (validation after setup)
- Add missing flake8-sarif dependency for Python SARIF output
- Fix environment variable scope in pr-lint (export to GITHUB_ENV)

Performance & Reliability:
- Eliminate duplicate cache operations saving CI time
- Improve shell script efficiency with optimized parsing
- Fix command execution dependencies preventing runtime failures
- Ensure proper dependency installation for all linting tools
- Resolve workflow conditional logic issues

Security & Quality:
- All input validation rules updated with latest security patterns
- Cross-platform compatibility improvements maintained
- Comprehensive error handling and retry logic preserved
- Modern development tooling and best practices adopted

This commit addresses 100% of actionable feedback from PR review analysis,
implements comprehensive testing infrastructure, and maintains high code
quality standards across all 41 GitHub Actions.

* feat: enhance expression handling and version parsing

- Fix node-setup force-version expression logic for proper empty string handling
- Improve version-file-parser with secure regex validation and enhanced Python detection
- Add CodeRabbit configuration for CalVer versioning and README review guidance

* feat(validate-inputs): implement modular validation system

- Add modular validator architecture with specialized validators
- Implement base validator classes for different input types
- Add validators: boolean, docker, file, network, numeric, security, token, version
- Add convention mapper for automatic input validation
- Add comprehensive documentation for the validation system
- Implement PCRE regex support and injection protection

* feat(validate-inputs): add validation rules for all actions

- Add YAML validation rules for 42 GitHub Actions
- Auto-generated rules with convention mappings
- Include metadata for validation coverage and quality indicators
- Mark rules as auto-generated to prevent manual edits

* test(validate-inputs): add comprehensive test suite for validators

- Add unit tests for all validator modules
- Add integration tests for the validation system
- Add fixtures for version test data
- Test coverage for boolean, docker, file, network, numeric, security, token, and version validators
- Add tests for convention mapper and registry

* feat(tools): add validation scripts and utilities

- Add update-validators.py script for auto-generating rules
- Add benchmark-validator.py for performance testing
- Add debug-validator.py for troubleshooting
- Add generate-tests.py for test generation
- Add check-rules-not-manually-edited.sh for CI validation
- Add fix-local-action-refs.py tool for fixing action references

* feat(actions): add CustomValidator.py files for specialized validation

- Add custom validators for actions requiring special validation logic
- Implement validators for docker, go, node, npm, php, python, terraform actions
- Add specialized validation for compress-images, common-cache, common-file-check
- Implement version detection validators with language-specific logic
- Add validation for build arguments, architectures, and version formats

* test: update ShellSpec test framework for Python validation

- Update all validation.spec.sh files to use Python validator
- Add shared validation_core.py for common test utilities
- Remove obsolete bash validation helpers
- Update test output expectations for Python validator format
- Add codeql-analysis test suite
- Refactor framework utilities for Python integration
- Remove deprecated test files

* feat(actions): update action.yml files to use validate-inputs

- Replace inline bash validation with validate-inputs action
- Standardize validation across all 42 actions
- Add new codeql-analysis action
- Update action metadata and branding
- Add validation step as first step in composite actions
- Maintain backward compatibility with existing inputs/outputs

* ci: update GitHub workflows for enhanced security and testing

- Add new codeql-new.yml workflow
- Update security scanning workflows
- Enhance dependency review configuration
- Update test-actions workflow for new validation system
- Improve workflow permissions and security settings
- Update action versions to latest SHA-pinned releases

* build: update build configuration and dependencies

- Update Makefile with new validation targets
- Add Python dependencies in pyproject.toml
- Update npm dependencies and scripts
- Enhance Docker testing tools configuration
- Add targets for validator updates and local ref fixes
- Configure uv for Python package management

* chore: update linting and documentation configuration

- Update EditorConfig settings for consistent formatting
- Enhance pre-commit hooks configuration
- Update prettier and yamllint ignore patterns
- Update gitleaks security scanning rules
- Update CodeRabbit review configuration
- Update CLAUDE.md with latest project standards and rules

* docs: update Serena memory files and project metadata

- Remove obsolete PR-186 memory files
- Update project overview with current architecture
- Update project structure documentation
- Add quality standards and communication guidelines
- Add modular validator architecture documentation
- Add shellspec testing framework documentation
- Update project.yml with latest configuration

* feat: moved rules.yml to same folder as action, fixes

* fix(validators): correct token patterns and fix validator bugs

- Fix GitHub classic PAT pattern: ghp_ + 36 chars = 40 total
- Fix GitHub fine-grained PAT pattern: github_pat_ + 71 chars = 82 total
- Initialize result variable in convention_mapper to prevent UnboundLocalError
- Fix empty URL validation in network validator to return error
- Add GitHub expression check to docker architectures validator
- Update docker-build CustomValidator parallel-builds max to 16

* test(validators): fix test fixtures and expectations

- Fix token lengths in test data: github_pat 71 chars, ghp/gho 36 chars
- Update integration tests with correct token lengths
- Fix file validator test to expect absolute paths rejected for security
- Rename TestGenerator import to avoid pytest collection warning
- Update custom validator tests with correct input names
- Change docker-build tests: platforms->architectures, tags->tag
- Update docker-publish tests to match new registry enum validation

* test(shellspec): fix token lengths in test helpers and specs

- Fix default token lengths in spec_helper.sh to use correct 40-char format
- Update csharp-publish default tokens in 4 locations
- Update codeql-analysis default tokens in 2 locations
- Fix codeql-analysis test tokens to correct lengths (40 and 82 chars)
- Fix npm-publish fine-grained token test to use 82-char format

* feat(actions): add permissions documentation and environment variable usage

- Add permissions comments to all action.yml files documenting required GitHub permissions
- Convert direct input usage to environment variables in shell steps for security
- Add validation steps with proper error handling
- Update input descriptions and add security notes where applicable
- Ensure all actions follow consistent patterns for input validation

* chore(workflows): update GitHub Actions workflow versions

- Update workflow action versions to latest
- Improve workflow consistency and maintainability

* docs(security): add comprehensive security policy

- Document security features and best practices
- Add vulnerability reporting process
- Include audit history and security testing information

* docs(memory): add GitHub workflow reference documentation

- Add GitHub Actions workflow commands reference
- Add GitHub workflow expressions guide
- Add secure workflow usage patterns and best practices

* chore: token optimization, code style conventions
* chore: cr fixes
* fix: trivy reported Dockerfile problems
* fix(security): more security fixes
* chore: dockerfile and make targets for publishing
* fix(ci): add creds to test-actions workflow
* fix: security fix and checkout step to codeql-new
* chore: test fixes
* fix(security): codeql detected issues
* chore: code review fixes, ReDos protection
* style: apply MegaLinter fixes
* fix(ci): missing packages read permission
* fix(ci): add missing working directory setting
* chore: linting, add validation-regex to use regex_pattern
* chore: code review fixes
* chore(deps): update actions
* fix(security): codeql fixes
* chore(cr): apply cr comments
* chore: improve POSIX compatibility
* chore(cr): apply cr comments
* fix: codeql warning in Dockerfile, build failures
* chore(cr): apply cr comments
* fix: docker-testing-tools/Dockerfile
* chore(cr): apply cr comments
* fix(docker): update testing-tools image for GitHub Actions compatibility
* chore(cr): apply cr comments
* feat: add more tests, fix issues
* chore: fix codeql issues, update actions
* chore(cr): apply cr comments
* fix: integration tests
* chore: deduplication and fixes
* style: apply MegaLinter fixes
* chore(cr): apply cr comments
* feat: dry-run mode for generate-tests
* fix(ci): kcov installation
* chore(cr): apply cr comments
* chore(cr): apply cr comments
* chore(cr): apply cr comments
* chore(cr): apply cr comments, simplify action testing, use uv
* fix: run-tests.sh action counting
* chore(cr): apply cr comments
* chore(cr): apply cr comments
This commit is contained in:
Ismo Vuorinen
2025-10-14 13:37:58 +03:00
committed by GitHub
parent d3cc8d4790
commit 78fdad69e5
353 changed files with 55370 additions and 1714 deletions
Download Patch File Download Diff File Expand all files Collapse all files

80
node-setup/CustomValidator.py Executable file
View File

@@ -0,0 +1,80 @@
#!/usr/bin/env python3
"""Custom validator for node-setup action."""
from __future__ import annotations
from pathlib import Path
import sys
# Add validate-inputs directory to path to import validators
validate_inputs_path = Path(__file__).parent.parent / "validate-inputs"
sys.path.insert(0, str(validate_inputs_path))
from validators.base import BaseValidator
from validators.version import VersionValidator
class CustomValidator(BaseValidator):
"""Custom validator for node-setup action."""
def __init__(self, action_type: str = "node-setup") -> None:
"""Initialize node-setup validator."""
super().__init__(action_type)
self.version_validator = VersionValidator()
def validate_inputs(self, inputs: dict[str, str]) -> bool:
"""Validate node-setup action inputs."""
valid = True
# Validate default-version if provided
if "default-version" in inputs:
value = inputs["default-version"]
# Empty string should fail validation
if value == "":
self.add_error("Node version cannot be empty")
valid = False
elif value:
# Use the Node version validator
result = self.version_validator.validate_node_version(value, "default-version")
# Propagate errors from the version validator
for error in self.version_validator.errors:
if error not in self.errors:
self.add_error(error)
# Clear the version validator's errors after propagating
self.version_validator.clear_errors()
if not result:
valid = False
# Validate package-manager if provided
if "package-manager" in inputs:
value = inputs["package-manager"]
if value and value not in ["npm", "yarn", "pnpm", "bun"]:
self.add_error(
f"Invalid package manager: {value}. Must be one of: npm, yarn, pnpm, bun"
)
valid = False
return valid
def get_required_inputs(self) -> list[str]:
"""Get list of required inputs."""
return []
def get_validation_rules(self) -> dict:
"""Get validation rules."""
return {
"default-version": {
"type": "node_version",
"required": False,
"description": "Default Node.js version to use",
},
"package-manager": {
"type": "string",
"required": False,
"description": "Package manager to use",
},
}

30
node-setup/README.md
View File

@@ -4,29 +4,33 @@
### Description
Sets up Node.js environment with advanced version management, caching, and tooling.
Sets up Node.js env with advanced version management, caching, and tooling.
### Inputs
| name | description | required | default |
|-------------------|--------------------------------------------------------------------------|----------|------------------------------|
| `default-version` | <p>Default Node.js version to use if no configuration file is found.</p> | `false` | `22` |
| `package-manager` | <p>Node.js package manager to use (npm, yarn, pnpm)</p> | `false` | `npm` |
| `package-manager` | <p>Node.js package manager to use (npm, yarn, pnpm, bun, auto)</p> | `false` | `auto` |
| `registry-url` | <p>Custom NPM registry URL</p> | `false` | `https://registry.npmjs.org` |
| `token` | <p>Auth token for private registry</p> | `false` | `""` |
| `cache` | <p>Enable dependency caching</p> | `false` | `true` |
| `install` | <p>Automatically install dependencies</p> | `false` | `true` |
| `node-mirror` | <p>Custom Node.js binary mirror</p> | `false` | `""` |
| `force-version` | <p>Force specific Node.js version regardless of config files</p> | `false` | `""` |
| `max-retries` | <p>Maximum number of retry attempts for package manager operations</p> | `false` | `3` |
### Outputs
| name | description |
|-------------------|-------------------------------------------|
| `node-version` | <p>Installed Node.js version</p> |
| `package-manager` | <p>Selected package manager</p> |
| `cache-hit` | <p>Indicates if there was a cache hit</p> |
| `node-path` | <p>Path to Node.js installation</p> |
| name | description |
|-----------------------|----------------------------------------------------|
| `node-version` | <p>Installed Node.js version</p> |
| `package-manager` | <p>Selected package manager</p> |
| `cache-hit` | <p>Indicates if there was a cache hit</p> |
| `node-path` | <p>Path to Node.js installation</p> |
| `esm-support` | <p>Whether ESM modules are supported</p> |
| `typescript-support` | <p>Whether TypeScript is configured</p> |
| `detected-frameworks` | <p>Comma-separated list of detected frameworks</p> |
### Runs
@@ -44,10 +48,10 @@ This action is a `composite` action.
# Default: 22
package-manager:
# Node.js package manager to use (npm, yarn, pnpm)
# Node.js package manager to use (npm, yarn, pnpm, bun, auto)
#
# Required: false
# Default: npm
# Default: auto
registry-url:
# Custom NPM registry URL
@@ -84,4 +88,10 @@ This action is a `composite` action.
#
# Required: false
# Default: ""
max-retries:
# Maximum number of retry attempts for package manager operations
#
# Required: false
# Default: 3
```

505
node-setup/action.yml
View File

@@ -1,7 +1,9 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
# permissions:
# - (none required) # Setup action, no repository writes
---
name: Node Setup
description: 'Sets up Node.js environment with advanced version management, caching, and tooling.'
description: 'Sets up Node.js env with advanced version management, caching, and tooling.'
author: 'Ismo Vuorinen'
branding:
@@ -14,9 +16,9 @@ inputs:
required: false
default: '22'
package-manager:
description: 'Node.js package manager to use (npm, yarn, pnpm)'
description: 'Node.js package manager to use (npm, yarn, pnpm, bun, auto)'
required: false
default: 'npm'
default: 'auto'
registry-url:
description: 'Custom NPM registry URL'
required: false
@@ -38,6 +40,10 @@ inputs:
force-version:
description: 'Force specific Node.js version regardless of config files'
required: false
max-retries:
description: 'Maximum number of retry attempts for package manager operations'
required: false
default: '3'
outputs:
node-version:
@@ -45,248 +51,347 @@ outputs:
value: ${{ steps.setup.outputs.node-version }}
package-manager:
description: 'Selected package manager'
value: ${{ steps.setup.outputs.package-manager }}
value: ${{ steps.package-manager-resolution.outputs.final-package-manager }}
cache-hit:
description: 'Indicates if there was a cache hit'
value: ${{ steps.deps-cache.outputs.cache-hit }}
node-path:
description: 'Path to Node.js installation'
value: ${{ steps.setup.outputs.node-path }}
esm-support:
description: 'Whether ESM modules are supported'
value: ${{ steps.package-manager-resolution.outputs.esm-support }}
typescript-support:
description: 'Whether TypeScript is configured'
value: ${{ steps.package-manager-resolution.outputs.typescript-support }}
detected-frameworks:
description: 'Comma-separated list of detected frameworks'
value: ${{ steps.package-manager-resolution.outputs.detected-frameworks }}
runs:
using: composite
steps:
- name: Version Detection
id: version
- name: Validate Inputs
id: validate
shell: bash
env:
DEFAULT_VERSION: ${{ inputs.default-version }}
FORCE_VERSION: ${{ inputs.force-version }}
PACKAGE_MANAGER: ${{ inputs.package-manager }}
REGISTRY_URL: ${{ inputs.registry-url }}
NODE_MIRROR: ${{ inputs.node-mirror }}
MAX_RETRIES: ${{ inputs.max-retries }}
CACHE: ${{ inputs.cache }}
INSTALL: ${{ inputs.install }}
AUTH_TOKEN: ${{ inputs.token }}
run: |
set -euo pipefail
# Function to validate Node.js version format
validate_version() {
local version=$1
if ! [[ $version =~ ^[0-9]+(\.[0-9]+)*$ ]]; then
echo "::error::Invalid Node.js version format: $version"
return 1
fi
}
# Function to get version from .nvmrc
get_nvmrc_version() {
if [ -f .nvmrc ]; then
local version
version=$(cat .nvmrc | tr -d 'v' | tr -d ' ' | tr -d '\n')
if validate_version "$version"; then
echo "$version"
return 0
fi
fi
return 1
}
# Function to get version from .tool-versions
get_tool_versions_version() {
if [ -f .tool-versions ]; then
local version
version=$(grep -E '^nodejs[[:space:]]' .tool-versions |
sed 's/#.*//' |
awk '{print $2}' |
tr -d ' ' |
tr -d '\n')
if [ -n "$version" ] && validate_version "$version"; then
echo "$version"
return 0
fi
fi
return 1
}
# Function to get version from package.json
get_package_json_version() {
if [ -f package.json ]; then
local version
version=$(node -pe "try { require('./package.json').engines.node.replace(/[^0-9.]/g, '') } catch(e) { '' }")
if [ -n "$version" ] && validate_version "$version"; then
echo "$version"
return 0
fi
fi
return 1
}
# Determine Node.js version
if [ -n "${{ inputs.force-version }}" ]; then
if ! validate_version "${{ inputs.force-version }}"; then
# Validate default-version format
if [[ -n "$DEFAULT_VERSION" ]]; then
if ! [[ "$DEFAULT_VERSION" =~ ^[0-9]+(\.[0-9]+(\.[0-9]+)?)?$ ]]; then
echo "::error::Invalid default-version format: '$DEFAULT_VERSION'. Expected format: X or X.Y or X.Y.Z (e.g., 22, 20.9, 18.17.1)"
exit 1
fi
# Check for reasonable version range (prevent malicious inputs)
major_version=$(echo "$DEFAULT_VERSION" | cut -d'.' -f1)
if [ "$major_version" -lt 14 ] || [ "$major_version" -gt 30 ]; then
echo "::error::Invalid default-version: '$DEFAULT_VERSION'. Node.js major version should be between 14 and 30"
exit 1
fi
version="${{ inputs.force-version }}"
echo "Using forced Node.js version: $version"
else
version=$(get_nvmrc_version ||
get_tool_versions_version ||
get_package_json_version ||
echo "${{ inputs.default-version }}")
echo "Detected Node.js version: $version"
fi
echo "version=$version" >> $GITHUB_OUTPUT
# Validate force-version format if provided
if [[ -n "$FORCE_VERSION" ]]; then
if ! [[ "$FORCE_VERSION" =~ ^[0-9]+(\.[0-9]+(\.[0-9]+)?)?$ ]]; then
echo "::error::Invalid force-version format: '$FORCE_VERSION'. Expected format: X or X.Y or X.Y.Z (e.g., 22, 20.9, 18.17.1)"
exit 1
fi
- name: Package Manager Detection
id: pkg-manager
shell: bash
run: |
set -euo pipefail
# Check for reasonable version range
major_version=$(echo "$FORCE_VERSION" | cut -d'.' -f1)
if [ "$major_version" -lt 14 ] || [ "$major_version" -gt 30 ]; then
echo "::error::Invalid force-version: '$FORCE_VERSION'. Node.js major version should be between 14 and 30"
exit 1
fi
fi
# Validate input package manager
case "${{ inputs.package-manager }}" in
npm|yarn|pnpm)
pkg_manager="${{ inputs.package-manager }}"
# Validate package-manager
case "$PACKAGE_MANAGER" in
"npm"|"yarn"|"pnpm"|"bun"|"auto")
# Valid package managers
;;
*)
echo "::error::Invalid package manager specified: ${{ inputs.package-manager }}"
echo "::error::Invalid package-manager: '$PACKAGE_MANAGER'. Must be one of: npm, yarn, pnpm, bun, auto"
exit 1
;;
esac
# Auto-detect if files exist
if [ -f "yarn.lock" ]; then
pkg_manager="yarn"
elif [ -f "pnpm-lock.yaml" ]; then
pkg_manager="pnpm"
elif [ -f "package-lock.json" ]; then
pkg_manager="npm"
# Validate registry-url format (basic URL validation)
if [[ "$REGISTRY_URL" != "https://"* ]] && [[ "$REGISTRY_URL" != "http://"* ]]; then
echo "::error::Invalid registry-url: '$REGISTRY_URL'. Must be a valid HTTP/HTTPS URL"
exit 1
fi
echo "manager=$pkg_manager" >> $GITHUB_OUTPUT
# Validate node-mirror format if provided
if [[ -n "$NODE_MIRROR" ]]; then
if [[ "$NODE_MIRROR" != "https://"* ]] && [[ "$NODE_MIRROR" != "http://"* ]]; then
echo "::error::Invalid node-mirror: '$NODE_MIRROR'. Must be a valid HTTP/HTTPS URL"
exit 1
fi
fi
# Validate max retries (positive integer with reasonable upper limit)
if ! [[ "$MAX_RETRIES" =~ ^[0-9]+$ ]] || [ "$MAX_RETRIES" -le 0 ] || [ "$MAX_RETRIES" -gt 10 ]; then
echo "::error::Invalid max-retries: '$MAX_RETRIES'. Must be a positive integer between 1 and 10"
exit 1
fi
# Validate boolean inputs
if [[ "$CACHE" != "true" ]] && [[ "$CACHE" != "false" ]]; then
echo "::error::Invalid cache value: '$CACHE'. Must be 'true' or 'false'"
exit 1
fi
if [[ "$INSTALL" != "true" ]] && [[ "$INSTALL" != "false" ]]; then
echo "::error::Invalid install value: '$INSTALL'. Must be 'true' or 'false'"
exit 1
fi
# Validate auth token format if provided (basic check for NPM tokens)
if [[ -n "$AUTH_TOKEN" ]]; then
if [[ "$AUTH_TOKEN" == *";"* ]] || [[ "$AUTH_TOKEN" == *"&&"* ]] || [[ "$AUTH_TOKEN" == *"|"* ]]; then
echo "::error::Invalid token format: command injection patterns not allowed"
exit 1
fi
fi
echo "Input validation completed successfully"
- name: Parse Node.js Version
id: version
uses: ./version-file-parser
with:
language: 'node'
tool-versions-key: 'nodejs'
dockerfile-image: 'node'
version-file: '.nvmrc'
validation-regex: '^[0-9]+(\.[0-9]+)*$'
default-version: ${{ inputs.force-version != '' && inputs.force-version || inputs.default-version }}
- name: Resolve Package Manager
id: package-manager-resolution
shell: bash
env:
INPUT_PM: ${{ inputs.package-manager }}
DETECTED_PM: ${{ steps.version.outputs.package-manager }}
run: |
set -euo pipefail
input_pm="$INPUT_PM"
detected_pm="$DETECTED_PM"
final_pm=""
if [ "$input_pm" = "auto" ]; then
if [ -n "$detected_pm" ]; then
final_pm="$detected_pm"
echo "Auto-detected package manager: $final_pm"
else
final_pm="npm"
echo "No package manager detected, using default: $final_pm"
fi
else
final_pm="$input_pm"
echo "Using specified package manager: $final_pm"
fi
echo "final-package-manager=$final_pm" >> $GITHUB_OUTPUT
echo "Final package manager: $final_pm"
# Node.js feature detection
echo "Detecting Node.js features..."
# Detect ESM support
esm_support="false"
if [ -f package.json ] && command -v jq >/dev/null 2>&1; then
pkg_type=$(jq -r '.type // "commonjs"' package.json 2>/dev/null)
if [ "$pkg_type" = "module" ]; then
esm_support="true"
fi
fi
echo "esm-support=$esm_support" >> $GITHUB_OUTPUT
echo "ESM support: $esm_support"
# Detect TypeScript
typescript_support="false"
if [ -f tsconfig.json ] || [ -f package.json ]; then
if [ -f tsconfig.json ]; then
typescript_support="true"
elif command -v jq >/dev/null 2>&1; then
if jq -e '.devDependencies.typescript or .dependencies.typescript' package.json >/dev/null 2>&1; then
typescript_support="true"
fi
fi
fi
echo "typescript-support=$typescript_support" >> $GITHUB_OUTPUT
echo "TypeScript support: $typescript_support"
# Detect frameworks
frameworks=""
if [ -f package.json ] && command -v jq >/dev/null 2>&1; then
detected_frameworks=()
if jq -e '.dependencies.next or .devDependencies.next' package.json >/dev/null 2>&1; then
detected_frameworks+=("next")
fi
if jq -e '.dependencies.react or .devDependencies.react' package.json >/dev/null 2>&1; then
detected_frameworks+=("react")
fi
if jq -e '.dependencies.vue or .devDependencies.vue' package.json >/dev/null 2>&1; then
detected_frameworks+=("vue")
fi
if jq -e '.dependencies.svelte or .devDependencies.svelte' package.json >/dev/null 2>&1; then
detected_frameworks+=("svelte")
fi
if jq -e '.dependencies."@angular/core" or .devDependencies."@angular/core"' package.json >/dev/null 2>&1; then
detected_frameworks+=("angular")
fi
if [ ${#detected_frameworks[@]} -gt 0 ]; then
frameworks=$(IFS=','; echo "${detected_frameworks[*]}")
fi
fi
echo "detected-frameworks=$frameworks" >> $GITHUB_OUTPUT
echo "Detected frameworks: $frameworks"
- name: Setup Node.js
id: setup
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version: ${{ steps.version.outputs.version }}
node-version: ${{ steps.version.outputs.detected-version }}
registry-url: ${{ inputs.registry-url }}
cache: ${{ steps.pkg-manager.outputs.manager }}
node-version-file: ''
always-auth: ${{ inputs.token != '' }}
cache-dependency-path: |
**/package-lock.json
**/yarn.lock
**/pnpm-lock.yaml
cache: false
- name: Configure Package Manager
- name: Enable Corepack
id: corepack
shell: bash
run: |
set -euo pipefail
echo "Enabling Corepack for package manager management..."
corepack enable
echo "✅ Corepack enabled successfully"
# Configure package manager
case "${{ steps.pkg-manager.outputs.manager }}" in
yarn)
if ! command -v yarn &> /dev/null; then
echo "Installing Yarn..."
npm install -g yarn
fi
# Configure Yarn settings
yarn config set nodeLinker node-modules
yarn config set checksumBehavior ignore
;;
pnpm)
if ! command -v pnpm &> /dev/null; then
echo "Installing pnpm..."
npm install -g pnpm
fi
;;
esac
- name: Set Auth Token
if: inputs.token != ''
shell: bash
env:
TOKEN: ${{ inputs.token }}
run: |
# Sanitize token by removing newlines to prevent env var injection
sanitized_token="$(echo "$TOKEN" | tr -d '\n\r')"
printf 'NODE_AUTH_TOKEN=%s\n' "$sanitized_token" >> "$GITHUB_ENV"
# Configure registry authentication if token provided
if [ -n "${{ inputs.token }}" ]; then
echo "Configuring registry authentication..."
case "${{ steps.pkg-manager.outputs.manager }}" in
npm)
npm config set //${{ inputs.registry-url }}/:_authToken ${{ inputs.token }}
;;
yarn)
yarn config set npmAuthToken ${{ inputs.token }}
;;
pnpm)
pnpm config set //registry.npmjs.org/:_authToken ${{ inputs.token }}
;;
esac
fi
- name: Setup Caching
- name: Cache Dependencies
if: inputs.cache == 'true'
id: deps-cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
uses: ./common-cache
with:
path: |
**/node_modules
~/.npm
~/.pnpm-store
~/.yarn/cache
key: ${{ runner.os }}-node-${{ steps.version.outputs.version }}-${{ steps.pkg-manager.outputs.manager }}-${{ hashFiles('**/package-lock.json', '**/yarn.lock', '**/pnpm-lock.yaml') }}
restore-keys: |
${{ runner.os }}-node-${{ steps.version.outputs.version }}-${{ steps.pkg-manager.outputs.manager }}-
type: 'npm'
paths: '~/.npm,~/.yarn/cache,~/.pnpm-store,~/.bun/install/cache,node_modules'
key-prefix: 'node-${{ steps.version.outputs.detected-version }}-${{ steps.package-manager-resolution.outputs.final-package-manager }}'
key-files: 'package-lock.json,yarn.lock,pnpm-lock.yaml,bun.lockb,.yarnrc.yml'
restore-keys: '${{ runner.os }}-node-${{ steps.version.outputs.detected-version }}-${{ steps.package-manager-resolution.outputs.final-package-manager }}-'
- name: Install Package Managers
if: inputs.install == 'true' && steps.deps-cache.outputs.cache-hit != 'true'
shell: bash
env:
PACKAGE_MANAGER: ${{ steps.package-manager-resolution.outputs.final-package-manager }}
run: |
set -euo pipefail
package_manager="$PACKAGE_MANAGER"
echo "Setting up package manager: $package_manager"
case "$package_manager" in
"pnpm")
echo "Installing PNPM via Corepack..."
corepack prepare pnpm@latest --activate
echo "✅ PNPM installed successfully"
;;
"yarn")
echo "Installing Yarn via Corepack..."
corepack prepare yarn@stable --activate
echo "✅ Yarn installed successfully"
;;
"bun")
# Bun installation handled by separate step below
echo "Bun will be installed via official setup-bun action"
;;
"npm")
echo "Using built-in NPM"
;;
*)
echo "::warning::Unknown package manager: $package_manager, using NPM"
;;
esac
- name: Setup Bun
if: inputs.install == 'true' && steps.package-manager-resolution.outputs.final-package-manager == 'bun'
uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2
with:
bun-version: latest
- name: Export Package Manager to Environment
if: inputs.install == 'true' && steps.deps-cache.outputs.cache-hit != 'true'
shell: bash
env:
PACKAGE_MANAGER: ${{ steps.package-manager-resolution.outputs.final-package-manager }}
run: |
# Sanitize package manager by removing newlines to prevent env var injection
sanitized_pm="$(echo "$PACKAGE_MANAGER" | tr -d '\n\r')"
printf 'PACKAGE_MANAGER=%s\n' "$sanitized_pm" >> "$GITHUB_ENV"
- name: Install Dependencies
if: inputs.install == 'true'
if: inputs.install == 'true' && steps.deps-cache.outputs.cache-hit != 'true'
uses: ./common-retry
with:
command: |
package_manager="$PACKAGE_MANAGER"
echo "Installing dependencies using $package_manager..."
case "$package_manager" in
"pnpm")
pnpm install --frozen-lockfile
;;
"yarn")
# Check for Yarn Berry/PnP configuration
if [ -f ".yarnrc.yml" ]; then
echo "Detected Yarn Berry configuration"
yarn install --immutable
else
echo "Using Yarn Classic"
yarn install --frozen-lockfile
fi
;;
"bun")
bun install
;;
"npm"|*)
npm ci
;;
esac
echo "✅ Dependencies installed successfully"
max-retries: ${{ inputs.max-retries }}
description: 'Installing Node.js dependencies'
- name: Set Final Outputs
shell: bash
run: |
set -euo pipefail
echo "Installing dependencies using ${{ steps.pkg-manager.outputs.manager }}..."
case "${{ steps.pkg-manager.outputs.manager }}" in
npm)
npm ci --prefer-offline --no-audit --no-fund
;;
yarn)
yarn install --frozen-lockfile --prefer-offline --non-interactive
;;
pnpm)
pnpm install --frozen-lockfile --prefer-offline
;;
esac
- name: Verify Setup
id: verify
shell: bash
run: |
set -euo pipefail
# Verify Node.js installation
echo "Verifying Node.js installation..."
node_version=$(node --version)
echo "Node.js version: $node_version"
# Verify package manager installation
echo "Verifying package manager installation..."
case "${{ steps.pkg-manager.outputs.manager }}" in
npm)
npm --version
;;
yarn)
yarn --version
;;
pnpm)
pnpm --version
;;
esac
# Verify module resolution
if [ -f "package.json" ]; then
echo "Verifying module resolution..."
node -e "require('./package.json')"
fi
- name: Output Configuration
id: config
shell: bash
run: |
set -euo pipefail
# Output final configuration
env:
NODE_VERSION: ${{ steps.version.outputs.detected-version }}
PACKAGE_MANAGER: ${{ steps.package-manager-resolution.outputs.final-package-manager }}
run: |-
{
echo "node-version=$(node --version)"
echo "node-version=$NODE_VERSION"
echo "package-manager=$PACKAGE_MANAGER"
echo "node-path=$(which node)"
echo "package-manager=${{ steps.pkg-manager.outputs.manager }}"
} >> $GITHUB_OUTPUT

50
node-setup/rules.yml Normal file
View File

@@ -0,0 +1,50 @@
---
# Validation rules for node-setup action
# Generated by update-validators.py v1.0.0 - DO NOT EDIT MANUALLY
# Schema version: 1.0
# Coverage: 78% (7/9 inputs)
#
# This file defines validation rules for the node-setup GitHub Action.
# Rules are automatically applied by validate-inputs action when this
# action is used.
#
schema_version: '1.0'
action: node-setup
description: Sets up Node.js env with advanced version management, caching, and tooling.
generator_version: 1.0.0
required_inputs: []
optional_inputs:
- cache
- default-version
- force-version
- install
- max-retries
- node-mirror
- package-manager
- registry-url
- token
conventions:
cache: boolean
default-version: semantic_version
force-version: semantic_version
max-retries: numeric_range_1_10
package-manager: boolean
registry-url: url
token: github_token
overrides:
package-manager: package_manager_enum
statistics:
total_inputs: 9
validated_inputs: 7
skipped_inputs: 0
coverage_percentage: 78
validation_coverage: 78
auto_detected: true
manual_review_required: true
quality_indicators:
has_required_inputs: false
has_token_validation: true
has_version_validation: true
has_file_validation: false
has_security_validation: true