ivuorinen/actions
1
0
Fork 0
mirror of https://github.com/ivuorinen/actions.git synced 2026-01-26 11:34:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: fixes, tweaks, new actions, linting (#186)

Browse Source 
* feat: fixes, tweaks, new actions, linting
* fix: improve docker publish loops and dotnet parsing (#193)
* fix: harden action scripts and version checks (#191)
* refactor: major repository restructuring and security enhancements

Add comprehensive development infrastructure:
- Add Makefile with automated documentation generation, formatting, and linting tasks
- Add TODO.md tracking self-containment progress and repository improvements
- Add .nvmrc for consistent Node.js version management
- Create python-version-detect-v2 action for enhanced Python detection

Enhance all GitHub Actions with standardized patterns:
- Add consistent token handling across 27 actions using standardized input patterns
- Implement bash error handling (set -euo pipefail) in all shell steps
- Add comprehensive input validation for path traversal and command injection protection
- Standardize checkout token authentication to prevent rate limiting
- Remove relative action dependencies to ensure external usability

Rewrite security workflow for PR-focused analysis:
- Transform security-suite.yml to PR-only security analysis workflow
- Remove scheduled runs, repository issue management, and Slack notifications
- Implement smart comment generation showing only sections with content
- Add GitHub Actions permission diff analysis and new action detection
- Integrate OWASP, Semgrep, and TruffleHog for comprehensive PR security scanning

Improve version detection and dependency management:
- Simplify version detection actions to use inline logic instead of shared utilities
- Fix Makefile version detection fallback to properly return 'main' when version not found
- Update all external action references to use SHA-pinned versions
- Remove deprecated run.sh in favor of Makefile automation

Update documentation and project standards:
- Enhance CLAUDE.md with self-containment requirements and linting standards
- Update README.md with improved action descriptions and usage examples
- Standardize code formatting with updated .editorconfig and .prettierrc.yml
- Improve GitHub templates for issues and security reporting

This refactoring ensures all 40 actions are fully self-contained and can be used independently when
referenced as ivuorinen/actions/action-name@main, addressing the critical requirement for external
usability while maintaining comprehensive security analysis and development automation.

* feat: add automated action catalog generation system

- Create generate_listing.cjs script for comprehensive action catalog
- Add package.json with development tooling and npm scripts
- Implement automated README.md catalog section with --update flag
- Generate markdown reference-style links for all 40 actions
- Add categorized tables with features, language support matrices
- Replace static reference links with auto-generated dynamic links
- Enable complete automation of action documentation maintenance

* feat: enhance actions with improved documentation and functionality

- Add comprehensive README files for 12 actions with usage examples
- Implement new utility actions (go-version-detect, dotnet-version-detect)
- Enhance node-setup with extensive configuration options
- Improve error handling and validation across all actions
- Update package.json scripts for better development workflow
- Expand TODO.md with detailed roadmap and improvement plans
- Standardize action structure with consistent inputs/outputs

* feat: add comprehensive output handling across all actions

- Add standardized outputs to 15 actions that previously had none
- Implement consistent snake_case naming convention for all outputs
- Add build status and test results outputs to build actions
- Add files changed and status outputs to lint/fix actions
- Add test execution metrics to php-tests action
- Add stale/closed counts to stale action
- Add release URLs and IDs to github-release action
- Update documentation with output specifications
- Mark comprehensive output handling task as complete in TODO.md

* feat: implement shared cache strategy across all actions

- Add caching to 10 actions that previously had none (Node.js, .NET, Python, Go)
- Standardize 4 existing actions to use common-cache instead of direct actions/cache
- Implement consistent cache-hit optimization to skip installations when cache available
- Add language-specific cache configurations with appropriate key files
- Create unified caching approach using ivuorinen/actions/common-cache@main
- Fix YAML syntax error in php-composer action paths parameter
- Update TODO.md to mark shared cache strategy as complete

* feat: implement comprehensive retry logic for network operations

- Create new common-retry action for standardized retry patterns with configurable strategies
- Add retry logic to 9 actions missing network retry capabilities
- Implement exponential backoff, custom timeouts, and flexible error handling
- Add max-retries input parameter to all network-dependent actions (Node.js, .NET, Python, Go)
- Standardize existing retry implementations to use common-retry utility
- Update action catalog to include new common-retry action (41 total actions)
- Update documentation with retry configuration examples and parameters
- Mark retry logic implementation as complete in TODO.md roadmap

* feat: enhance Node.js support with Corepack and Bun

- Add Corepack support for automatic package manager version management
- Add Bun package manager support across all Node.js actions
- Improve Yarn Berry/PnP support with .yarnrc.yml detection
- Add Node.js feature detection (ESM, TypeScript, frameworks)
- Update package manager detection priority and lockfile support
- Enhance caching with package-manager-specific keys
- Update eslint, prettier, and biome actions for multi-package-manager support

* fix: resolve critical runtime issues across multiple actions

- Fix token validation by removing ineffective literal string comparisons
- Add missing @microsoft/eslint-formatter-sarif dependency for SARIF output
- Fix Bash variable syntax errors in username and changelog length checks
- Update Dockerfile version regex to handle tags with suffixes (e.g., -alpine)
- Simplify version selection logic with single grep command
- Fix command execution in retry action with proper bash -c wrapper
- Correct step output references using .outcome instead of .outputs.outcome
- Add missing step IDs for version detection actions
- Include go.mod in cache key files for accurate invalidation
- Require minor version in all version regex patterns
- Improve Bun installation security by verifying script before execution
- Replace bc with sort -V for portable PHP version comparison
- Remove non-existent pre-commit output references

These fixes ensure proper runtime behavior, improved security, and better
cross-platform compatibility across all affected actions.

* fix: resolve critical runtime and security issues across actions

- Fix biome-fix files_changed calculation using git diff instead of git status delta
- Fix compress-images output description and add absolute path validation
- Remove csharp-publish token default and fix token fallback in push commands
- Add @microsoft/eslint-formatter-sarif to all package managers in eslint-check
- Fix eslint-check command syntax by using variable assignment
- Improve node-setup Bun installation security and remove invalid frozen-lockfile flag
- Fix pre-commit token validation by removing ineffective literal comparison
- Fix prettier-fix token comparison and expand regex for all GitHub token types
- Add version-file-parser regex validation safety and fix csproj wildcard handling

These fixes address security vulnerabilities, runtime errors, and functional issues
to ensure reliable operation across all affected GitHub Actions.

* feat: enhance Docker actions with advanced multi-architecture support

Major enhancement to Docker build and publish actions with comprehensive
multi-architecture capabilities and enterprise-grade features.

Added features:
- Advanced buildx configuration (version control, cache modes, build contexts)
- Auto-detect platforms for dynamic architecture discovery
- Performance optimizations with enhanced caching strategies
- Security scanning with Trivy and image signing with Cosign
- SBOM generation in multiple formats with validation
- Verbose logging and dry-run modes for debugging
- Platform-specific build args and fallback mechanisms

Enhanced all Docker actions:
- docker-build: Core buildx features and multi-arch support
- docker-publish-gh: GitHub Packages with security features
- docker-publish-hub: Docker Hub with scanning and signing
- docker-publish: Orchestrator with unified configuration

Updated documentation across all modified actions.

* fix: resolve documentation generation placeholder issue

Fixed Makefile and package.json to properly replace placeholder tokens in generated documentation, ensuring all README files show correct repository paths instead of ***PROJECT***@***VERSION***.

* chore: simplify github token validation
* chore(lint): optional yamlfmt, config and fixes
* feat: use relative `uses` names

* feat: comprehensive testing infrastructure and Python validation system

- Migrate from tests/ to _tests/ directory structure with ShellSpec framework
- Add comprehensive validation system with Python-based input validation
- Implement dual testing approach (ShellSpec + pytest) for complete coverage
- Add modern Python tooling (uv, ruff, pytest-cov) and dependencies
- Create centralized validation rules with automatic generation system
- Update project configuration and build system for new architecture
- Enhance documentation to reflect current testing capabilities

This establishes a robust foundation for action validation and testing
with extensive coverage across all GitHub Actions in the repository.

* chore: remove Dockerfile for now
* chore: code review fixes

* feat: comprehensive GitHub Actions restructuring and tooling improvements

This commit represents a major restructuring of the GitHub Actions monorepo
with improved tooling, testing infrastructure, and comprehensive PR #186
review implementation.

## Major Changes

### 🔧 Development Tooling & Configuration
- **Shellcheck integration**: Exclude shellspec test files from linting
  - Updated .pre-commit-config.yaml to exclude _tests/*.sh from shellcheck/shfmt
  - Modified Makefile shellcheck pattern to skip shellspec files
  - Updated CLAUDE.md documentation with proper exclusion syntax
- **Testing infrastructure**: Enhanced Python validation framework
  - Fixed nested if statements and boolean parameter issues in validation.py
  - Improved code quality with explicit keyword arguments
  - All pre-commit hooks now passing

### 🏗️ Project Structure & Documentation
- **Added Serena AI integration** with comprehensive project memories:
  - Project overview, structure, and technical stack documentation
  - Code style conventions and completion requirements
  - Comprehensive PR #186 review analysis and implementation tracking
- **Enhanced configuration**: Updated .gitignore, .yamlfmt.yml, pyproject.toml
- **Improved testing**: Added integration workflows and enhanced test specs

### 🚀 GitHub Actions Improvements (30+ actions updated)
- **Centralized validation**: Updated 41 validation rule files
- **Enhanced actions**: Improvements across all action categories:
  - Setup actions (node-setup, version detectors)
  - Utility actions (version-file-parser, version-validator)
  - Linting actions (biome, eslint, terraform-lint-fix major refactor)
  - Build/publish actions (docker-build, npm-publish, csharp-*)
  - Repository management actions

### 📝 Documentation Updates
- **README consistency**: Updated version references across action READMEs
- **Enhanced documentation**: Improved action descriptions and usage examples
- **CLAUDE.md**: Updated with current tooling and best practices

## Technical Improvements
- **Security enhancements**: Input validation and sanitization improvements
- **Performance optimizations**: Streamlined action logic and dependencies
- **Cross-platform compatibility**: Better Windows/macOS/Linux support
- **Error handling**: Improved error reporting and user feedback

## Files Changed
- 100 files changed
- 13 new Serena memory files documenting project state
- 41 validation rules updated for consistency
- 30+ GitHub Actions and READMEs improved
- Core tooling configuration enhanced

* feat: comprehensive GitHub Actions improvements and PR review fixes

Major Infrastructure Improvements:
- Add comprehensive testing framework with 17+ ShellSpec validation tests
- Implement Docker-based testing tools with automated test runner
- Add CodeRabbit configuration for automated code reviews
- Restructure documentation and memory management system
- Update validation rules for 25+ actions with enhanced input validation
- Modernize CI/CD workflows and testing infrastructure

Critical PR Review Fixes (All Issues Resolved):
- Fix double caching in node-setup (eliminate redundant cache operations)
- Optimize shell pipeline in version-file-parser (single awk vs complex pipeline)
- Fix GitHub expression interpolation in prettier-check cache keys
- Resolve terraform command order issue (validation after setup)
- Add missing flake8-sarif dependency for Python SARIF output
- Fix environment variable scope in pr-lint (export to GITHUB_ENV)

Performance & Reliability:
- Eliminate duplicate cache operations saving CI time
- Improve shell script efficiency with optimized parsing
- Fix command execution dependencies preventing runtime failures
- Ensure proper dependency installation for all linting tools
- Resolve workflow conditional logic issues

Security & Quality:
- All input validation rules updated with latest security patterns
- Cross-platform compatibility improvements maintained
- Comprehensive error handling and retry logic preserved
- Modern development tooling and best practices adopted

This commit addresses 100% of actionable feedback from PR review analysis,
implements comprehensive testing infrastructure, and maintains high code
quality standards across all 41 GitHub Actions.

* feat: enhance expression handling and version parsing

- Fix node-setup force-version expression logic for proper empty string handling
- Improve version-file-parser with secure regex validation and enhanced Python detection
- Add CodeRabbit configuration for CalVer versioning and README review guidance

* feat(validate-inputs): implement modular validation system

- Add modular validator architecture with specialized validators
- Implement base validator classes for different input types
- Add validators: boolean, docker, file, network, numeric, security, token, version
- Add convention mapper for automatic input validation
- Add comprehensive documentation for the validation system
- Implement PCRE regex support and injection protection

* feat(validate-inputs): add validation rules for all actions

- Add YAML validation rules for 42 GitHub Actions
- Auto-generated rules with convention mappings
- Include metadata for validation coverage and quality indicators
- Mark rules as auto-generated to prevent manual edits

* test(validate-inputs): add comprehensive test suite for validators

- Add unit tests for all validator modules
- Add integration tests for the validation system
- Add fixtures for version test data
- Test coverage for boolean, docker, file, network, numeric, security, token, and version validators
- Add tests for convention mapper and registry

* feat(tools): add validation scripts and utilities

- Add update-validators.py script for auto-generating rules
- Add benchmark-validator.py for performance testing
- Add debug-validator.py for troubleshooting
- Add generate-tests.py for test generation
- Add check-rules-not-manually-edited.sh for CI validation
- Add fix-local-action-refs.py tool for fixing action references

* feat(actions): add CustomValidator.py files for specialized validation

- Add custom validators for actions requiring special validation logic
- Implement validators for docker, go, node, npm, php, python, terraform actions
- Add specialized validation for compress-images, common-cache, common-file-check
- Implement version detection validators with language-specific logic
- Add validation for build arguments, architectures, and version formats

* test: update ShellSpec test framework for Python validation

- Update all validation.spec.sh files to use Python validator
- Add shared validation_core.py for common test utilities
- Remove obsolete bash validation helpers
- Update test output expectations for Python validator format
- Add codeql-analysis test suite
- Refactor framework utilities for Python integration
- Remove deprecated test files

* feat(actions): update action.yml files to use validate-inputs

- Replace inline bash validation with validate-inputs action
- Standardize validation across all 42 actions
- Add new codeql-analysis action
- Update action metadata and branding
- Add validation step as first step in composite actions
- Maintain backward compatibility with existing inputs/outputs

* ci: update GitHub workflows for enhanced security and testing

- Add new codeql-new.yml workflow
- Update security scanning workflows
- Enhance dependency review configuration
- Update test-actions workflow for new validation system
- Improve workflow permissions and security settings
- Update action versions to latest SHA-pinned releases

* build: update build configuration and dependencies

- Update Makefile with new validation targets
- Add Python dependencies in pyproject.toml
- Update npm dependencies and scripts
- Enhance Docker testing tools configuration
- Add targets for validator updates and local ref fixes
- Configure uv for Python package management

* chore: update linting and documentation configuration

- Update EditorConfig settings for consistent formatting
- Enhance pre-commit hooks configuration
- Update prettier and yamllint ignore patterns
- Update gitleaks security scanning rules
- Update CodeRabbit review configuration
- Update CLAUDE.md with latest project standards and rules

* docs: update Serena memory files and project metadata

- Remove obsolete PR-186 memory files
- Update project overview with current architecture
- Update project structure documentation
- Add quality standards and communication guidelines
- Add modular validator architecture documentation
- Add shellspec testing framework documentation
- Update project.yml with latest configuration

* feat: moved rules.yml to same folder as action, fixes

* fix(validators): correct token patterns and fix validator bugs

- Fix GitHub classic PAT pattern: ghp_ + 36 chars = 40 total
- Fix GitHub fine-grained PAT pattern: github_pat_ + 71 chars = 82 total
- Initialize result variable in convention_mapper to prevent UnboundLocalError
- Fix empty URL validation in network validator to return error
- Add GitHub expression check to docker architectures validator
- Update docker-build CustomValidator parallel-builds max to 16

* test(validators): fix test fixtures and expectations

- Fix token lengths in test data: github_pat 71 chars, ghp/gho 36 chars
- Update integration tests with correct token lengths
- Fix file validator test to expect absolute paths rejected for security
- Rename TestGenerator import to avoid pytest collection warning
- Update custom validator tests with correct input names
- Change docker-build tests: platforms->architectures, tags->tag
- Update docker-publish tests to match new registry enum validation

* test(shellspec): fix token lengths in test helpers and specs

- Fix default token lengths in spec_helper.sh to use correct 40-char format
- Update csharp-publish default tokens in 4 locations
- Update codeql-analysis default tokens in 2 locations
- Fix codeql-analysis test tokens to correct lengths (40 and 82 chars)
- Fix npm-publish fine-grained token test to use 82-char format

* feat(actions): add permissions documentation and environment variable usage

- Add permissions comments to all action.yml files documenting required GitHub permissions
- Convert direct input usage to environment variables in shell steps for security
- Add validation steps with proper error handling
- Update input descriptions and add security notes where applicable
- Ensure all actions follow consistent patterns for input validation

* chore(workflows): update GitHub Actions workflow versions

- Update workflow action versions to latest
- Improve workflow consistency and maintainability

* docs(security): add comprehensive security policy

- Document security features and best practices
- Add vulnerability reporting process
- Include audit history and security testing information

* docs(memory): add GitHub workflow reference documentation

- Add GitHub Actions workflow commands reference
- Add GitHub workflow expressions guide
- Add secure workflow usage patterns and best practices

* chore: token optimization, code style conventions
* chore: cr fixes
* fix: trivy reported Dockerfile problems
* fix(security): more security fixes
* chore: dockerfile and make targets for publishing
* fix(ci): add creds to test-actions workflow
* fix: security fix and checkout step to codeql-new
* chore: test fixes
* fix(security): codeql detected issues
* chore: code review fixes, ReDos protection
* style: apply MegaLinter fixes
* fix(ci): missing packages read permission
* fix(ci): add missing working directory setting
* chore: linting, add validation-regex to use regex_pattern
* chore: code review fixes
* chore(deps): update actions
* fix(security): codeql fixes
* chore(cr): apply cr comments
* chore: improve POSIX compatibility
* chore(cr): apply cr comments
* fix: codeql warning in Dockerfile, build failures
* chore(cr): apply cr comments
* fix: docker-testing-tools/Dockerfile
* chore(cr): apply cr comments
* fix(docker): update testing-tools image for GitHub Actions compatibility
* chore(cr): apply cr comments
* feat: add more tests, fix issues
* chore: fix codeql issues, update actions
* chore(cr): apply cr comments
* fix: integration tests
* chore: deduplication and fixes
* style: apply MegaLinter fixes
* chore(cr): apply cr comments
* feat: dry-run mode for generate-tests
* fix(ci): kcov installation
* chore(cr): apply cr comments
* chore(cr): apply cr comments
* chore(cr): apply cr comments
* chore(cr): apply cr comments, simplify action testing, use uv
* fix: run-tests.sh action counting
* chore(cr): apply cr comments
* chore(cr): apply cr comments
This commit is contained in:
Ismo Vuorinen
2025-10-14 13:37:58 +03:00
committed by GitHub
parent d3cc8d4790
commit 78fdad69e5
353 changed files with 55370 additions and 1714 deletions
Download Patch File Download Diff File Expand all files Collapse all files

581
validate-inputs/scripts/update-validators.py Executable file
View File

@@ -0,0 +1,581 @@
#!/usr/bin/env python3
"""update-validators.py
Automatically generates validation rules for GitHub Actions
by scanning action.yml files and applying convention-based detection.
Usage:
python update-validators.py [--dry-run] [--action action-name]
"""
from __future__ import annotations
import argparse
from pathlib import Path
import re
import sys
from typing import Any
import yaml # pylint: disable=import-error
class ValidationRuleGenerator:
"""Generate validation rules for GitHub Actions automatically.
This class scans GitHub Action YAML files and generates validation rules
based on convention-based detection patterns and special case handling.
"""
def __init__(self, *, dry_run: bool = False, specific_action: str | None = None) -> None:
"""Initialize the validation rule generator.
Args:
dry_run: If True, show what would be generated without writing files
specific_action: If provided, only generate rules for this action
"""
self.dry_run = dry_run
self.specific_action = specific_action
self.actions_dir = Path(__file__).parent.parent.parent.resolve()
# Convention patterns for automatic detection
# Order matters - more specific patterns should come first
self.conventions = {
# CodeQL-specific patterns (high priority)
"codeql_language": re.compile(r"\blanguage\b", re.IGNORECASE),
"codeql_queries": re.compile(r"\bquer(y|ies)\b", re.IGNORECASE),
"codeql_packs": re.compile(r"\bpacks?\b", re.IGNORECASE),
"codeql_build_mode": re.compile(r"\bbuild[_-]?mode\b", re.IGNORECASE),
"codeql_config": re.compile(r"\bconfig\b", re.IGNORECASE),
"category_format": re.compile(r"\bcategor(y|ies)\b", re.IGNORECASE),
# GitHub token patterns (high priority)
"github_token": re.compile(
r"\b(github[_-]?token|gh[_-]?token|token|auth[_-]?token|api[_-]?key)\b",
re.IGNORECASE,
),
# CalVer version patterns (high priority - check before semantic)
"calver_version": re.compile(
r"\b(release[_-]?tag|release[_-]?version|monthly[_-]?version|date[_-]?version)\b",
re.IGNORECASE,
),
# Specific version types (high priority)
"dotnet_version": re.compile(r"\bdotnet[_-]?version\b", re.IGNORECASE),
"terraform_version": re.compile(r"\bterraform[_-]?version\b", re.IGNORECASE),
"node_version": re.compile(r"\bnode[_-]?version\b", re.IGNORECASE),
# Docker-specific patterns (high priority)
"docker_image_name": re.compile(r"\bimage[_-]?name\b", re.IGNORECASE),
"docker_tag": re.compile(r"\b(tags?|image[_-]?tags?)\b", re.IGNORECASE),
"docker_architectures": re.compile(
r"\b(arch|architecture|platform)s?\b",
re.IGNORECASE,
),
# Namespace with lookahead (specific pattern)
"namespace_with_lookahead": re.compile(r"\bnamespace\b", re.IGNORECASE),
# Numeric ranges (specific ranges)
"numeric_range_0_16": re.compile(
r"\b(parallel[_-]?builds?|builds?[_-]?parallel)\b",
re.IGNORECASE,
),
"numeric_range_1_10": re.compile(
r"\b(retry|retries|attempt|attempts|max[_-]?retry)\b",
re.IGNORECASE,
),
"numeric_range_1_128": re.compile(r"\bthreads?\b", re.IGNORECASE),
"numeric_range_256_32768": re.compile(r"\bram\b", re.IGNORECASE),
"numeric_range_0_100": re.compile(r"\b(quality|percent|percentage)\b", re.IGNORECASE),
# File and path patterns
"file_path": re.compile(
r"\b(paths?|files?|dir|directory|config|dockerfile"
r"|ignore[_-]?file|key[_-]?files?)\b",
re.IGNORECASE,
),
"file_pattern": re.compile(r"\b(file[_-]?pattern|glob[_-]?pattern)\b", re.IGNORECASE),
"branch_name": re.compile(r"\b(branch|ref|base[_-]?branch)\b", re.IGNORECASE),
# User and identity patterns
"email": re.compile(r"\b(email|mail)\b", re.IGNORECASE),
"username": re.compile(r"\b(user|username|commit[_-]?user)\b", re.IGNORECASE),
# URL patterns (high priority)
"url": re.compile(r"\b(url|registry[_-]?url|api[_-]?url|endpoint)\b", re.IGNORECASE),
# Scope and namespace patterns
"scope": re.compile(r"\b(scope|namespace)\b", re.IGNORECASE),
# Security patterns for text content that could contain injection
"security_patterns": re.compile(
r"\b(changelog|notes|message|content|description|body|text|comment|summary|release[_-]?notes)\b",
re.IGNORECASE,
),
# Regex pattern validation (ReDoS detection)
"regex_pattern": re.compile(
r"\b(regex|pattern|validation[_-]?regex|regex[_-]?pattern)\b",
re.IGNORECASE,
),
# Additional validation types
"report_format": re.compile(r"\b(report[_-]?format|format)\b", re.IGNORECASE),
"plugin_list": re.compile(r"\b(plugins?|plugin[_-]?list)\b", re.IGNORECASE),
"prefix": re.compile(r"\b(prefix|tag[_-]?prefix)\b", re.IGNORECASE),
# Boolean patterns (broad, should be lower priority)
"boolean": re.compile(
r"\b(dry-?run|verbose|enable|disable|auto|skip|force|cache|provenance|sbom|scan|sign|fail[_-]?on[_-]?error|nightly)\b",
re.IGNORECASE,
),
# File extensions pattern
"file_extensions": re.compile(r"\b(file[_-]?extensions?|extensions?)\b", re.IGNORECASE),
# Registry pattern
"registry": re.compile(r"\bregistry\b", re.IGNORECASE),
# PHP-specific patterns
"php_extensions": re.compile(r"\b(extensions?|php[_-]?extensions?)\b", re.IGNORECASE),
"coverage_driver": re.compile(r"\b(coverage|coverage[_-]?driver)\b", re.IGNORECASE),
# Generic version pattern (lowest priority - catches remaining version fields)
"semantic_version": re.compile(r"\bversion\b", re.IGNORECASE),
}
# Special cases that need manual handling
self.special_cases = {
# CalVer fields that might not be detected
"release-tag": "calver_version",
# Flexible version fields (support both CalVer and SemVer)
"version": "flexible_version", # For github-release action
# File paths that might not be detected
"pre-commit-config": "file_path",
"config-file": "file_path",
"ignore-file": "file_path",
"readme-file": "file_path",
"working-directory": "file_path",
# Numeric fields that need positive integer validation
"days-before-stale": "positive_integer",
"days-before-close": "positive_integer",
# Version fields with specific types
"buildx-version": "semantic_version",
"buildkit-version": "semantic_version",
"tflint-version": "terraform_version",
"default-version": "semantic_version",
"force-version": "semantic_version",
"golangci-lint-version": "semantic_version",
"prettier-version": "semantic_version",
"eslint-version": "strict_semantic_version",
"flake8-version": "semantic_version",
"autopep8-version": "semantic_version",
"composer-version": "semantic_version",
# Tokens and passwords
"dockerhub-password": "github_token",
"npm_token": "github_token",
"password": "github_token",
# Complex fields that should skip validation
"build-args": None, # Can be empty
"context": None, # Default handled
"cache-from": None, # Complex cache syntax
"cache-export": None, # Complex cache syntax
"cache-import": None, # Complex cache syntax
"build-contexts": None, # Complex syntax
"secrets": None, # Complex syntax
"platform-build-args": None, # JSON format
"extensions": None, # PHP extensions list
"tools": None, # PHP tools list
"args": None, # Composer args
"stability": None, # Composer stability
"registry-url": "url", # URL format
"scope": "scope", # NPM scope
"plugins": None, # Prettier plugins
"file-extensions": "file_extensions", # File extension list
"file-pattern": None, # Glob pattern
"enable-linters": None, # Linter list
"disable-linters": None, # Linter list
"success-codes": None, # Exit code list
"retry-codes": None, # Exit code list
"ignore-paths": None, # Path patterns
"key-files": None, # Cache key files
"restore-keys": None, # Cache restore keys
"env-vars": None, # Environment variables
# Action-specific fields that need special handling
"type": None, # Cache type enum (npm, composer, go, etc.) - complex enum,
# skip validation
"paths": None, # File paths for caching (comma-separated) - complex format,
# skip validation
"command": None, # Shell command - complex format, skip validation for safety
"backoff-strategy": None, # Retry strategy enum - complex enum, skip validation
"shell": None, # Shell type enum - simple enum, skip validation
# Removed image-name and tag - now handled by docker_image_name and docker_tag patterns
# Numeric inputs with different ranges
"timeout": "numeric_range_1_3600", # Timeout should support higher values
"retry-delay": "numeric_range_1_300", # Retry delay should support higher values
"max-warnings": "numeric_range_0_10000",
# version-file-parser specific fields
"language": None, # Simple enum (node, php, python, go, dotnet)
"tool-versions-key": None, # Simple string (nodejs, python, php, golang, dotnet)
"dockerfile-image": None, # Simple string (node, python, php, golang, dotnet)
"validation-regex": "regex_pattern", # Regex pattern - validate for ReDoS
}
def get_action_directories(self) -> list[str]:
"""Get all action directories"""
entries = []
for item in self.actions_dir.iterdir():
if (
item.is_dir()
and not item.name.startswith(".")
and item.name != "validate-inputs"
and (item / "action.yml").exists()
):
entries.append(item.name)
return entries
def parse_action_file(self, action_name: str) -> dict[str, Any] | None:
"""Parse action.yml file to extract inputs"""
action_file = self.actions_dir / action_name / "action.yml"
try:
with action_file.open(encoding="utf-8") as f:
content = f.read()
action_data = yaml.safe_load(content)
return {
"name": action_data.get("name", action_name),
"description": action_data.get("description", ""),
"inputs": action_data.get("inputs", {}),
}
except Exception as error:
print(f"Failed to parse {action_file}: {error}")
return None
def detect_validation_type(self, input_name: str, input_data: dict[str, Any]) -> str | None:
"""Detect validation type based on input name and description"""
description = input_data.get("description", "")
# Check special cases first - highest priority
if input_name in self.special_cases:
return self.special_cases[input_name]
# Special handling for version fields that might be CalVer
# Check if description mentions calendar/date/monthly/release
if input_name == "version" and any(
word in description.lower() for word in ["calendar", "date", "monthly", "release"]
):
return "calver_version"
# Apply convention patterns in order (more specific first)
# Test input name first (highest confidence), then description
for validator, pattern in self.conventions.items():
if pattern.search(input_name):
return validator # Direct name match has highest confidence
# If no name match, try description
for validator, pattern in self.conventions.items():
if pattern.search(description):
return validator # Description match has lower confidence
return None # No validation detected
def sort_object_by_keys(self, obj: dict[str, Any]) -> dict[str, Any]:
"""Sort object keys alphabetically for consistent output"""
return {key: obj[key] for key in sorted(obj.keys())}
def generate_rules_for_action(self, action_name: str) -> dict[str, Any] | None:
"""Generate validation rules for a single action"""
action_data = self.parse_action_file(action_name)
if not action_data:
return None
required_inputs = []
optional_inputs = []
conventions = {}
overrides = {}
# Process each input
for input_name, input_data in action_data["inputs"].items():
is_required = input_data.get("required") in [True, "true"]
if is_required:
required_inputs.append(input_name)
else:
optional_inputs.append(input_name)
# Detect validation type
validation_type = self.detect_validation_type(input_name, input_data)
if validation_type:
conventions[input_name] = validation_type
# Handle action-specific overrides using data-driven approach
action_overrides = {
"php-version-detect": {"default-version": "php_version"},
"python-version-detect": {"default-version": "python_version"},
"python-version-detect-v2": {"default-version": "python_version"},
"dotnet-version-detect": {"default-version": "dotnet_version"},
"go-version-detect": {"default-version": "go_version"},
"npm-publish": {"package-version": "strict_semantic_version"},
"docker-build": {
"cache-mode": "cache_mode",
"sbom-format": "sbom_format",
},
"common-cache": {
"paths": "file_path",
"key-files": "file_path",
},
"common-file-check": {
"file-pattern": "file_path",
},
"common-retry": {
"backoff-strategy": "backoff_strategy",
"shell": "shell_type",
},
"node-setup": {
"package-manager": "package_manager_enum",
},
"docker-publish": {
"registry": "registry_enum",
"cache-mode": "cache_mode",
"platforms": None, # Skip validation - complex platform format
},
"docker-publish-hub": {
"password": "docker_password",
},
"go-lint": {
"go-version": "go_version",
"timeout": "timeout_with_unit",
"only-new-issues": "boolean",
"enable-linters": "linter_list",
"disable-linters": "linter_list",
},
"prettier-check": {
"check-only": "boolean",
"file-pattern": "file_pattern",
"plugins": "plugin_list",
},
"php-laravel-phpunit": {
"extensions": "php_extensions",
},
"codeql-analysis": {
"language": "codeql_language",
"queries": "codeql_queries",
"packs": "codeql_packs",
"config": "codeql_config",
"build-mode": "codeql_build_mode",
"source-root": "file_path",
"category": "category_format",
"token": "github_token",
"ram": "numeric_range_256_32768",
"threads": "numeric_range_1_128",
"output": "file_path",
"skip-queries": "boolean",
"add-snippets": "boolean",
},
}
if action_name in action_overrides:
# Apply overrides for existing conventions
overrides.update(
{
input_name: override_value
for input_name, override_value in action_overrides[action_name].items()
if input_name in conventions
},
)
# Add missing inputs from overrides to conventions
for input_name, override_value in action_overrides[action_name].items():
if input_name not in conventions and input_name in action_data["inputs"]:
conventions[input_name] = override_value
# Calculate statistics
total_inputs = len(action_data["inputs"])
validated_inputs = len(conventions)
skipped_inputs = sum(1 for v in overrides.values() if v is None)
coverage = round((validated_inputs / total_inputs) * 100) if total_inputs > 0 else 0
# Generate rules object with enhanced metadata
rules = {
"schema_version": "1.0",
"action": action_name,
"description": action_data["description"],
"generator_version": "1.0.0",
"required_inputs": sorted(required_inputs),
"optional_inputs": sorted(optional_inputs),
"conventions": self.sort_object_by_keys(conventions),
"overrides": self.sort_object_by_keys(overrides),
"statistics": {
"total_inputs": total_inputs,
"validated_inputs": validated_inputs,
"skipped_inputs": skipped_inputs,
"coverage_percentage": coverage,
},
"validation_coverage": coverage,
"auto_detected": True,
"manual_review_required": coverage < 80 or validated_inputs == 0,
"quality_indicators": {
"has_required_inputs": len(required_inputs) > 0,
"has_token_validation": "token" in conventions or "github-token" in conventions,
"has_version_validation": any("version" in v for v in conventions.values() if v),
"has_file_validation": any(v == "file_path" for v in conventions.values()),
"has_security_validation": any(
v in ["github_token", "security_patterns"] for v in conventions.values()
),
},
}
return rules
def write_rules_file(self, action_name: str, rules: dict[str, Any]) -> None:
"""Write rules to YAML file in action folder"""
rules_file = self.actions_dir / action_name / "rules.yml"
generator_version = rules.get("generator_version", "unknown")
schema_version = rules.get("schema_version", "unknown")
validation_coverage = rules.get("validation_coverage", 0)
validated_inputs = rules["statistics"].get("validated_inputs", 0)
total_inputs = rules["statistics"].get("total_inputs", 0)
header = f"""---
# Validation rules for {action_name} action
# Generated by update-validators.py v{generator_version} - DO NOT EDIT MANUALLY
# Schema version: {schema_version}
# Coverage: {validation_coverage}% ({validated_inputs}/{total_inputs} inputs)
#
# This file defines validation rules for the {action_name} GitHub Action.
# Rules are automatically applied by validate-inputs action when this
# action is used.
#
"""
# Use a custom yaml dumper to ensure proper indentation
class CustomYamlDumper(yaml.SafeDumper):
def increase_indent(self, flow: bool = False, *, indentless: bool = False) -> None: # noqa: FBT001, FBT002
return super().increase_indent(flow, indentless=indentless)
yaml_content = yaml.dump(
rules,
Dumper=CustomYamlDumper,
indent=2,
width=120,
default_flow_style=False,
allow_unicode=True,
sort_keys=False,
)
content = header + yaml_content
if self.dry_run:
print(f"[DRY RUN] Would write {rules_file}:")
print(content)
print("---")
else:
with rules_file.open("w", encoding="utf-8") as f:
f.write(content)
print(f"✅ Generated {rules_file}")
def generate_rules(self) -> None:
"""Generate rules for all actions or a specific action"""
print("🔍 Scanning for GitHub Actions...")
actions = self.get_action_directories()
filtered_actions = actions
if self.specific_action:
filtered_actions = [name for name in actions if name == self.specific_action]
if not filtered_actions:
print(f"❌ Action '{self.specific_action}' not found")
sys.exit(1)
print(f"📝 Found {len(actions)} actions, processing {len(filtered_actions)}:")
for name in filtered_actions:
print(f" - {name}")
print()
processed = 0
failed = 0
for action_name in filtered_actions:
try:
rules = self.generate_rules_for_action(action_name)
if rules:
self.write_rules_file(action_name, rules)
processed += 1
else:
print(f"⚠️ Failed to generate rules for {action_name}")
failed += 1
except Exception as error:
print(f"❌ Error processing {action_name}: {error}")
failed += 1
print()
print("📊 Summary:")
print(f" - Processed: {processed}")
print(f" - Failed: {failed}")
coverage = (
round((processed / (processed + failed)) * 100) if (processed + failed) > 0 else 0
)
print(f" - Coverage: {coverage}%")
if not self.dry_run and processed > 0:
print()
print(
"✨ Validation rules updated! Run 'git diff */rules.yml' to review changes.",
)
def validate_rules_files(self) -> bool:
"""Validate existing rules files"""
print("🔍 Validating existing rules files...")
# Find all rules.yml files in action directories
rules_files = []
for action_dir in self.actions_dir.iterdir():
if action_dir.is_dir() and not action_dir.name.startswith("."):
rules_file = action_dir / "rules.yml"
if rules_file.exists():
rules_files.append(rules_file)
valid = 0
invalid = 0
for rules_file in rules_files:
try:
with rules_file.open(encoding="utf-8") as f:
content = f.read()
rules = yaml.safe_load(content)
# Basic validation
required = ["action", "required_inputs", "optional_inputs", "conventions"]
missing = [field for field in required if field not in rules]
if missing:
print(f"⚠️ {rules_file.name}: Missing fields: {', '.join(missing)}")
invalid += 1
else:
valid += 1
except Exception as error:
print(f"{rules_file.name}: {error}")
invalid += 1
print(f"✅ Validation complete: {valid} valid, {invalid} invalid")
return invalid == 0
def main() -> None:
"""CLI handling"""
parser = argparse.ArgumentParser(
description="Automatically generates validation rules for GitHub Actions",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="""
Examples:
python update-validators.py --dry-run
python update-validators.py --action csharp-publish
python update-validators.py --validate
""",
)
parser.add_argument(
"--dry-run",
action="store_true",
help="Show what would be generated without writing files",
)
parser.add_argument("--action", metavar="NAME", help="Generate rules for specific action only")
parser.add_argument("--validate", action="store_true", help="Validate existing rules files")
args = parser.parse_args()
generator = ValidationRuleGenerator(dry_run=args.dry_run, specific_action=args.action)
if args.validate:
success = generator.validate_rules_files()
sys.exit(0 if success else 1)
else:
generator.generate_rules()
if __name__ == "__main__":
main()