ivuorinen/actions
1
0
Fork 0
mirror of https://github.com/ivuorinen/actions.git synced 2026-03-21 12:01:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: add action-validator and clean up CI workflows (#513)

Browse Source 
* chore(pre-commit): update hooks and add action-validator

Update uv-pre-commit 0.10.9→0.10.11 and checkov 3.2.508→3.2.510.
Normalize single quotes to double quotes in hook args.
Add action-validator v0.8.0 hook for GitHub Actions validation.

* fix(ci): clean up workflow path filters

Remove non-existent action.yaml paths from action-security workflow.
Fix glob patterns (**.md → **/*.md) in pr-lint workflow.
Remove unused trigger paths (yarn.lock, pnpm-lock.yaml,
requirements.txt, .github/labels.yml, docs/**) from security-suite
and sync-labels workflows.

* feat(make): add lint-actions target for action-validator

Add lint-actions target that runs action-validator via pre-commit.
Include it in the lint dependency list and .PHONY declaration.

* docs: add context-mode routing rules to CLAUDE.md

Add mandatory routing rules section for context-mode MCP plugin,
documenting blocked commands, redirected tools, tool selection
hierarchy, and output constraints.

* fix(lint): resolve action-validator failure on language-version-detect

- Remove unsupported `deprecated: true` from language-version-detect/action.yml
  (deprecation already communicated via description field)
- Scope action-validator pre-commit hook to workflow and action.yml files only
- Make missing pre-commit a hard error in lint-actions target

* fix(deps): update action pins and fix trivy-action version comment

Update SHA-pinned action references to latest versions:
- github/codeql-action v4.32.6 → v4.33.0
- nick-fields/retry v3.0.2 → v4.0.0
- actions/cache v5.0.3 → v5.0.4
- oven-sh/setup-bun v2.1.3 → v2.2.0
- softprops/action-gh-release v2.5.0 → v2.6.1
- github/issue-metrics v4.1.0 → v4.1.1
- shivammathur/setup-php 2.36.0 → 2.37.0
- astral-sh/setup-uv v7.5.0 → v7.6.0
- terraform-linters/setup-tflint v6.2.1 → v6.2.2
- aquasecurity/trivy-action: pin from master to v0.35.0

Fix pinact warning in docker-build by adding missing v prefix
to trivy-action version comment (0.35.0 → v0.35.0).
This commit is contained in:
Ismo Vuorinen
2026-03-20 13:01:24 +02:00
committed by GitHub
parent 1da3a0e79f
commit 900dd96797
30 changed files with 147 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/actions/setup-test-environment/action.yml vendored
View File

@@ -17,7 +17,7 @@ runs:
using: composite using: composite
steps: steps:
- name: Install uv - name: Install uv
uses: astral-sh/setup-uv@e06108dd0aef18192324c70427afc47652e63a82 # v7.5.0 uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with: with:
enable-cache: true enable-cache: true

2
.github/workflows/action-security.yml vendored
View File

@@ -6,11 +6,9 @@ on:
push: push:
paths: paths:
- '**/action.yml' - '**/action.yml'
- '**/action.yaml'
pull_request: pull_request:
paths: paths:
- '**/action.yml' - '**/action.yml'
- '**/action.yaml'
merge_group: merge_group:
concurrency: concurrency:

2
.github/workflows/issue-stats.yml vendored
View File

@@ -29,7 +29,7 @@ jobs:
echo "last_month=$first_day..$last_day" >> "$GITHUB_ENV" echo "last_month=$first_day..$last_day" >> "$GITHUB_ENV"
- name: Run issue-metrics tool - name: Run issue-metrics tool
uses: github/issue-metrics@41a7961f701cc64490f32e143af8ef479b93e87d # v4.1.0 uses: github/issue-metrics@6a35322ff89cee3e1a594d282c27eb34bffa9174 # v4.1.1
env: env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SEARCH_QUERY: 'repo:ivuorinen/actions is:issue created:${{ env.last_month }} -reason:"not planned"' SEARCH_QUERY: 'repo:ivuorinen/actions is:issue created:${{ env.last_month }} -reason:"not planned"'

12
.github/workflows/pr-lint.yml vendored
View File

@@ -8,19 +8,17 @@ on:
- main - main
- master - master
paths-ignore: paths-ignore:
- '**.md' - '**/*.md'
- 'docs/**'
- '.github/*.md' - '.github/*.md'
- 'LICENSE' - 'LICENSE.md'
pull_request: pull_request:
branches: branches:
- main - main
- master - master
paths-ignore: paths-ignore:
- '**.md' - '**/*.md'
- 'docs/**'
- '.github/*.md' - '.github/*.md'
- 'LICENSE' - 'LICENSE.md'
merge_group: merge_group:
env: env:
@@ -72,7 +70,7 @@ jobs:
- name: Upload SARIF Report - name: Upload SARIF Report
if: always() && hashFiles('megalinter-reports/sarif/*.sarif') if: always() && hashFiles('megalinter-reports/sarif/*.sarif')
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
with: with:
sarif_file: megalinter-reports/sarif sarif_file: megalinter-reports/sarif
category: megalinter category: megalinter

2
.github/workflows/release.yml vendored
View File

@@ -16,7 +16,7 @@ jobs:
contents: write contents: write
steps: steps:
- uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta - uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
- uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
with: with:
generate_release_notes: true generate_release_notes: true

2
.github/workflows/scorecard.yml vendored
View File

@@ -53,6 +53,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard (optional). # Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard # Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: 'Upload to code-scanning' - name: 'Upload to code-scanning'
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
with: with:
sarif_file: results.sarif sarif_file: results.sarif

4
.github/workflows/security-suite.yml vendored
View File

@@ -7,16 +7,12 @@ on:
paths: paths:
- '**/package.json' - '**/package.json'
- '**/package-lock.json' - '**/package-lock.json'
- '**/yarn.lock'
- '**/pnpm-lock.yaml'
- '**/requirements.txt'
- '**/Dockerfile' - '**/Dockerfile'
- '**/*.py' - '**/*.py'
- '**/*.js' - '**/*.js'
- '**/*.ts' - '**/*.ts'
- '**/*.yml' - '**/*.yml'
- '**/*.yaml' - '**/*.yaml'
- '.github/workflows/**'
permissions: {} permissions: {}

1
.github/workflows/sync-labels.yml vendored
View File

@@ -8,7 +8,6 @@ on:
- main - main
- master - master
paths: paths:
- '.github/labels.yml'
- '.github/workflows/sync-labels.yml' - '.github/workflows/sync-labels.yml'
- 'sync-labels/action.yml' - 'sync-labels/action.yml'
- 'sync-labels/labels.yml' - 'sync-labels/labels.yml'

2
.github/workflows/test-actions.yml vendored
View File

@@ -73,7 +73,7 @@ jobs:
if: always() if: always()
- name: Upload SARIF file - name: Upload SARIF file
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
if: always() && hashFiles('_tests/reports/test-results.sarif') != '' if: always() && hashFiles('_tests/reports/test-results.sarif') != ''
with: with:
sarif_file: _tests/reports/test-results.sarif sarif_file: _tests/reports/test-results.sarif

18
.pre-commit-config.yaml
View File

@@ -14,7 +14,7 @@ repos:
types: [markdown, python, yaml] types: [markdown, python, yaml]
files: ^(docs/.*|README\.md|CONTRIBUTING\.md|CHANGELOG\.md|.*\.py|.*\.ya?ml)$ files: ^(docs/.*|README\.md|CONTRIBUTING\.md|CHANGELOG\.md|.*\.py|.*\.ya?ml)$
- repo: https://github.com/astral-sh/uv-pre-commit - repo: https://github.com/astral-sh/uv-pre-commit
rev: 0.10.9 rev: 0.10.11
hooks: hooks:
- id: uv-lock - id: uv-lock
- id: uv-sync - id: uv-sync
@@ -67,30 +67,36 @@ repos:
rev: v3.12.0-2 rev: v3.12.0-2
hooks: hooks:
- id: shfmt - id: shfmt
args: ['--apply-ignore'] args: ["--apply-ignore"]
exclude: '^_tests/.*\.sh$' exclude: '^_tests/.*\.sh$'
- repo: https://github.com/shellcheck-py/shellcheck-py - repo: https://github.com/shellcheck-py/shellcheck-py
rev: v0.11.0.1 rev: v0.11.0.1
hooks: hooks:
- id: shellcheck - id: shellcheck
args: ['-x'] args: ["-x"]
exclude: '^_tests/.*\.sh$' exclude: '^_tests/.*\.sh$'
- repo: https://github.com/rhysd/actionlint - repo: https://github.com/rhysd/actionlint
rev: v1.7.11 rev: v1.7.11
hooks: hooks:
- id: actionlint - id: actionlint
args: ['-shellcheck='] args: ["-shellcheck="]
- repo: https://github.com/bridgecrewio/checkov.git - repo: https://github.com/bridgecrewio/checkov.git
rev: '3.2.508' rev: "3.2.510"
hooks: hooks:
- id: checkov - id: checkov
args: args:
- '--quiet' - "--quiet"
- repo: https://github.com/gitleaks/gitleaks - repo: https://github.com/gitleaks/gitleaks
rev: v8.30.1 rev: v8.30.1
hooks: hooks:
- id: gitleaks - id: gitleaks
- repo: https://github.com/mpalmer/action-validator
rev: v0.8.0
hooks:
- id: action-validator
files: '(^\.github/workflows/.*\.ya?ml$|.*/action\.ya?ml$)'

75
CLAUDE.md
View File

@@ -168,3 +168,78 @@ Check: `make check-version-refs`
--- ---
All actions modular and externally usable. No exceptions to any rule. All actions modular and externally usable. No exceptions to any rule.
## context-mode — MANDATORY routing rules
You have context-mode MCP tools available. These rules are NOT optional — they protect your context window from flooding. A single unrouted command can dump 56 KB into context and waste the entire session.
### BLOCKED commands — do NOT attempt these
#### curl / wget — BLOCKED
Any Bash command containing `curl` or `wget` is intercepted and replaced with an error message. Do NOT retry.
Instead use:
- `ctx_fetch_and_index(url, source)` to fetch and index web pages
- `ctx_execute(language: "javascript", code: "const r = await fetch(...)")` to run HTTP calls in sandbox
#### Inline HTTP — BLOCKED
Any Bash command containing `fetch('http`, `requests.get(`, `requests.post(`, `http.get(`, or `http.request(` is intercepted and replaced with an error message. Do NOT retry with Bash.
Instead use:
- `ctx_execute(language, code)` to run HTTP calls in sandbox — only stdout enters context
#### WebFetch — BLOCKED
WebFetch calls are denied entirely. The URL is extracted and you are told to use `ctx_fetch_and_index` instead.
Instead use:
- `ctx_fetch_and_index(url, source)` then `ctx_search(queries)` to query the indexed content
### REDIRECTED tools — use sandbox equivalents
#### Bash (>20 lines output)
Bash is ONLY for: `git`, `mkdir`, `rm`, `mv`, `cd`, `ls`, `npm install`, `pip install`, and other short-output commands.
For everything else, use:
- `ctx_batch_execute(commands, queries)` — run multiple commands + search in ONE call
- `ctx_execute(language: "shell", code: "...")` — run in sandbox, only stdout enters context
#### Read (for analysis)
If you are reading a file to **Edit** it → Read is correct (Edit needs content in context).
If you are reading to **analyze, explore, or summarize** → use `ctx_execute_file(path, language, code)` instead. Only your printed summary enters context. The raw file content stays in the sandbox.
#### Grep (large results)
Grep results can flood context. Use `ctx_execute(language: "shell", code: "grep ...")` to run searches in sandbox. Only your printed summary enters context.
### Tool selection hierarchy
1. **GATHER**: `ctx_batch_execute(commands, queries)` — Primary tool. Runs all commands, auto-indexes output, returns search results. ONE call replaces 30+ individual calls.
2. **FOLLOW-UP**: `ctx_search(queries: ["q1", "q2", ...])` — Query indexed content. Pass ALL questions as array in ONE call.
3. **PROCESSING**: `ctx_execute(language, code)` | `ctx_execute_file(path, language, code)` — Sandbox execution. Only stdout enters context.
4. **WEB**: `ctx_fetch_and_index(url, source)` then `ctx_search(queries)` — Fetch, chunk, index, query. Raw HTML never enters context.
5. **INDEX**: `ctx_index(content, source)` — Store content in FTS5 knowledge base for later search.
### Subagent routing
When spawning subagents (Agent/Task tool), the routing block is automatically injected into their prompt.
Bash-type subagents are upgraded to general-purpose so they have access to MCP tools.
You do NOT need to manually instruct subagents about context-mode.
### Output constraints
- Keep responses under 500 words.
- Write artifacts (code, configs, PRDs) to FILES — never return them as inline text. Return only: file path + 1-line description.
- When indexing content, use descriptive source labels so others can `ctx_search(source: "label")` later.
### ctx commands
| Command | Action |
|---------|--------|
| `ctx stats` | Call the `ctx_stats` MCP tool and display the full output verbatim |
| `ctx doctor` | Call the `ctx_doctor` MCP tool, run the returned shell command, display as checklist |
| `ctx upgrade` | Call the `ctx_upgrade` MCP tool, run the returned shell command, display as checklist |

18
Makefile
View File

@@ -1,7 +1,7 @@
# Makefile for GitHub Actions repository # Makefile for GitHub Actions repository
# Provides organized task management with parallel execution capabilities # Provides organized task management with parallel execution capabilities
.PHONY: help all docs update-catalog lint format check clean install-tools test test-unit test-integration test-coverage generate-tests generate-tests-dry test-generate-tests docker-build docker-push docker-test docker-login docker-all release release-dry release-prep release-tag release-undo update-version-refs bump-major-version check-version-refs .PHONY: help all docs update-catalog lint format check clean install-tools test test-unit test-integration test-coverage generate-tests generate-tests-dry test-generate-tests docker-build docker-push docker-test docker-login docker-all release release-dry release-prep release-tag release-undo update-version-refs bump-major-version check-version-refs lint-actions
.DEFAULT_GOAL := help .DEFAULT_GOAL := help
# Colors for output # Colors for output
@@ -98,7 +98,7 @@ update-validators-dry: ## Preview validation rules changes (dry run)
format: format-markdown format-yaml-json format-python ## Format all files format: format-markdown format-yaml-json format-python ## Format all files
@echo "$(GREEN)✅ All files formatted$(RESET)" @echo "$(GREEN)✅ All files formatted$(RESET)"
lint: lint-markdown lint-yaml lint-shell lint-python ## Run all linters lint: lint-markdown lint-yaml lint-shell lint-python lint-actions ## Run all linters
@echo "$(GREEN)✅ All linting completed$(RESET)" @echo "$(GREEN)✅ All linting completed$(RESET)"
check: check-tools check-syntax check-local-refs ## Quick syntax and tool availability checks check: check-tools check-syntax check-local-refs ## Quick syntax and tool availability checks
@@ -322,6 +322,20 @@ lint-python: ## Lint Python files with ruff and pyright
echo "$(GREEN)✅ Python linting and type checking passed$(RESET)"; \ echo "$(GREEN)✅ Python linting and type checking passed$(RESET)"; \
fi fi
lint-actions: ## Validate GitHub Actions workflows and action.yml files
@echo "$(BLUE)🔍 Validating GitHub Actions...$(RESET)"
@if command -v pre-commit >/dev/null 2>&1; then \
if PRE_COMMIT_USE_UV=1 pre-commit run action-validator --all-files; then \
echo "$(GREEN)✅ Actions validation passed$(RESET)"; \
else \
echo "$(RED)❌ Actions validation failed$(RESET)" | tee -a $(LOG_FILE); \
exit 1; \
fi; \
else \
echo "$(RED)❌ pre-commit not found. Install it via 'make install-tools' before linting$(RESET)"; \
exit 1; \
fi
# Check targets # Check targets
check-tools: ## Check if required tools are available check-tools: ## Check if required tools are available
@echo "$(BLUE)🔧 Checking required tools...$(RESET)" @echo "$(BLUE)🔧 Checking required tools...$(RESET)"

4
ansible-lint-fix/action.yml
View File

@@ -83,7 +83,7 @@ runs:
- name: Install ansible-lint - name: Install ansible-lint
id: install-ansible-lint id: install-ansible-lint
if: steps.check-files.outputs.files_found == 'true' if: steps.check-files.outputs.files_found == 'true'
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
with: with:
timeout_minutes: 5 timeout_minutes: 5
max_attempts: ${{ inputs.max-retries }} max_attempts: ${{ inputs.max-retries }}
@@ -130,6 +130,6 @@ runs:
- name: Upload SARIF Report - name: Upload SARIF Report
if: steps.check-files.outputs.files_found == 'true' if: steps.check-files.outputs.files_found == 'true'
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
with: with:
sarif_file: ansible-lint.sarif sarif_file: ansible-lint.sarif

6
biome-lint/action.yml
View File

@@ -212,13 +212,13 @@ runs:
- name: Setup Bun - name: Setup Bun
if: steps.detect-pm.outputs.package-manager == 'bun' if: steps.detect-pm.outputs.package-manager == 'bun'
uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3 uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
with: with:
bun-version: latest bun-version: latest
- name: Cache Node Dependencies - name: Cache Node Dependencies
id: cache id: cache
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with: with:
path: node_modules path: node_modules
key: ${{ runner.os }}-biome-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }} key: ${{ runner.os }}-biome-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}
@@ -331,7 +331,7 @@ runs:
- name: Upload SARIF Report - name: Upload SARIF Report
if: inputs.mode == 'check' && always() if: inputs.mode == 'check' && always()
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
with: with:
sarif_file: biome-report.sarif sarif_file: biome-report.sarif

6
codeql-analysis/action.yml
View File

@@ -186,7 +186,7 @@ runs:
echo "Using build mode: $build_mode" echo "Using build mode: $build_mode"
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
with: with:
languages: ${{ inputs.language }} languages: ${{ inputs.language }}
queries: ${{ inputs.queries }} queries: ${{ inputs.queries }}
@@ -199,12 +199,12 @@ runs:
threads: ${{ inputs.threads }} threads: ${{ inputs.threads }}
- name: Autobuild - name: Autobuild
uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 uses: github/codeql-action/autobuild@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
if: ${{ steps.set-build-mode.outputs.build-mode == 'autobuild' }} if: ${{ steps.set-build-mode.outputs.build-mode == 'autobuild' }}
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
id: analysis id: analysis
uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
with: with:
category: ${{ steps.set-category.outputs.category }} category: ${{ steps.set-category.outputs.category }}
upload: ${{ inputs.upload-results }} upload: ${{ inputs.upload-results }}

2
csharp-build/action.yml
View File

@@ -155,7 +155,7 @@ runs:
cache-dependency-path: '**/packages.lock.json' cache-dependency-path: '**/packages.lock.json'
- name: Restore Dependencies - name: Restore Dependencies
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
with: with:
timeout_minutes: 10 timeout_minutes: 10
max_attempts: ${{ inputs.max-retries }} max_attempts: ${{ inputs.max-retries }}

2
csharp-lint-check/action.yml
View File

@@ -206,6 +206,6 @@ runs:
fi fi
- name: Upload SARIF Report - name: Upload SARIF Report
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
with: with:
sarif_file: dotnet-format.sarif sarif_file: dotnet-format.sarif

2
csharp-publish/action.yml
View File

@@ -169,7 +169,7 @@ runs:
cache-dependency-path: '**/packages.lock.json' cache-dependency-path: '**/packages.lock.json'
- name: Restore Dependencies - name: Restore Dependencies
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
with: with:
timeout_minutes: 10 timeout_minutes: 10
max_attempts: ${{ inputs.max-retries }} max_attempts: ${{ inputs.max-retries }}

2
docker-build/action.yml
View File

@@ -536,7 +536,7 @@ runs:
- name: Scan Image for Vulnerabilities - name: Scan Image for Vulnerabilities
id: scan id: scan
if: inputs.scan-image == 'true' && inputs.dry-run != 'true' if: inputs.scan-image == 'true' && inputs.dry-run != 'true'
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with: with:
scan-type: 'image' scan-type: 'image'
image-ref: ${{ steps.image-name.outputs.name }}:${{ inputs.tag }} image-ref: ${{ steps.image-name.outputs.name }}:${{ inputs.tag }}

6
eslint-lint/action.yml
View File

@@ -319,13 +319,13 @@ runs:
- name: Setup Bun - name: Setup Bun
if: steps.detect-pm.outputs.package-manager == 'bun' if: steps.detect-pm.outputs.package-manager == 'bun'
uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3 uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
with: with:
bun-version: latest bun-version: latest
- name: Cache Node Dependencies - name: Cache Node Dependencies
id: cache id: cache
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with: with:
path: node_modules path: node_modules
key: ${{ runner.os }}-eslint-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }} key: ${{ runner.os }}-eslint-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}
@@ -457,7 +457,7 @@ runs:
- name: Upload SARIF Report - name: Upload SARIF Report
if: inputs.mode == 'check' && inputs.report-format == 'sarif' && always() if: inputs.mode == 'check' && inputs.report-format == 'sarif' && always()
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
with: with:
sarif_file: ${{ inputs.working-directory }}/eslint-results.sarif sarif_file: ${{ inputs.working-directory }}/eslint-results.sarif

2
go-build/action.yml
View File

@@ -165,7 +165,7 @@ runs:
cache: true cache: true
- name: Download Dependencies - name: Download Dependencies
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
with: with:
timeout_minutes: 10 timeout_minutes: 10
max_attempts: ${{ inputs.max-retries }} max_attempts: ${{ inputs.max-retries }}

4
go-lint/action.yml
View File

@@ -218,7 +218,7 @@ runs:
- name: Cache golangci-lint - name: Cache golangci-lint
id: cache id: cache
if: inputs.cache == 'true' if: inputs.cache == 'true'
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with: with:
path: | path: |
~/.cache/golangci-lint ~/.cache/golangci-lint
@@ -414,7 +414,7 @@ runs:
- name: Upload Lint Results - name: Upload Lint Results
if: always() && inputs.report-format == 'sarif' if: always() && inputs.report-format == 'sarif'
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
with: with:
sarif_file: ${{ inputs.working-directory }}/reports/golangci-lint.sarif sarif_file: ${{ inputs.working-directory }}/reports/golangci-lint.sarif
category: golangci-lint category: golangci-lint

1
language-version-detect/action.yml
View File

@@ -5,7 +5,6 @@
name: Language Version Detect name: Language Version Detect
description: 'DEPRECATED: This action is deprecated. Inline version detection directly in your actions instead. Detects language version from project configuration files with support for PHP, Python, Go, and .NET.' description: 'DEPRECATED: This action is deprecated. Inline version detection directly in your actions instead. Detects language version from project configuration files with support for PHP, Python, Go, and .NET.'
author: 'Ismo Vuorinen' author: 'Ismo Vuorinen'
deprecated: true
branding: branding:
icon: code icon: code

4
npm-publish/action.yml
View File

@@ -152,13 +152,13 @@ runs:
- name: Setup Bun - name: Setup Bun
if: steps.detect-pm.outputs.package-manager == 'bun' if: steps.detect-pm.outputs.package-manager == 'bun'
uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3 uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
with: with:
bun-version: latest bun-version: latest
- name: Cache Node Dependencies - name: Cache Node Dependencies
id: cache id: cache
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with: with:
path: node_modules path: node_modules
key: ${{ runner.os }}-npm-publish-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }} key: ${{ runner.os }}-npm-publish-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}

6
php-tests/action.yml
View File

@@ -319,7 +319,7 @@ runs:
- name: Setup PHP - name: Setup PHP
id: setup-php id: setup-php
uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0 uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
with: with:
php-version: ${{ steps.detect-php-version.outputs.detected-version }} php-version: ${{ steps.detect-php-version.outputs.detected-version }}
extensions: ${{ inputs.extensions }} extensions: ${{ inputs.extensions }}
@@ -356,7 +356,7 @@ runs:
- name: Cache Composer packages - name: Cache Composer packages
id: composer-cache id: composer-cache
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with: with:
path: | path: |
vendor vendor
@@ -376,7 +376,7 @@ runs:
composer clear-cache composer clear-cache
- name: Install Composer Dependencies - name: Install Composer Dependencies
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
with: with:
timeout_minutes: 10 timeout_minutes: 10
max_attempts: ${{ inputs.max-retries }} max_attempts: ${{ inputs.max-retries }}

6
pr-lint/action.yml
View File

@@ -156,14 +156,14 @@ runs:
- name: Setup Bun - name: Setup Bun
if: steps.detect-node.outputs.found == 'true' && steps.detect-pm.outputs.package-manager == 'bun' if: steps.detect-node.outputs.found == 'true' && steps.detect-pm.outputs.package-manager == 'bun'
uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3 uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
with: with:
bun-version: latest bun-version: latest
- name: Cache Node Dependencies - name: Cache Node Dependencies
if: steps.detect-node.outputs.found == 'true' if: steps.detect-node.outputs.found == 'true'
id: node-cache id: node-cache
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with: with:
path: node_modules path: node_modules
key: ${{ runner.os }}-pr-lint-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }} key: ${{ runner.os }}-pr-lint-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}
@@ -335,7 +335,7 @@ runs:
- name: Setup PHP - name: Setup PHP
if: steps.detect-php.outputs.found == 'true' if: steps.detect-php.outputs.found == 'true'
uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0 uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
with: with:
php-version: ${{ steps.php-version.outputs.detected-version }} php-version: ${{ steps.php-version.outputs.detected-version }}
tools: composer tools: composer

4
prettier-lint/action.yml
View File

@@ -305,13 +305,13 @@ runs:
- name: Setup Bun - name: Setup Bun
if: steps.detect-pm.outputs.package-manager == 'bun' if: steps.detect-pm.outputs.package-manager == 'bun'
uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3 uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
with: with:
bun-version: latest bun-version: latest
- name: Cache Node Dependencies - name: Cache Node Dependencies
id: cache id: cache
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with: with:
path: node_modules path: node_modules
key: ${{ runner.os }}-prettier-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }} key: ${{ runner.os }}-prettier-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}

2
python-lint-fix/action.yml
View File

@@ -370,7 +370,7 @@ runs:
- name: Upload SARIF Report - name: Upload SARIF Report
if: steps.check-files.outputs.result == 'found' if: steps.check-files.outputs.result == 'found'
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
with: with:
sarif_file: ${{ inputs.working-directory }}/reports/flake8.sarif sarif_file: ${{ inputs.working-directory }}/reports/flake8.sarif
category: 'python-lint' category: 'python-lint'

6
security-scan/action.yml
View File

@@ -118,7 +118,7 @@ runs:
- name: Run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner
if: steps.check-configs.outputs.run_trivy == 'true' if: steps.check-configs.outputs.run_trivy == 'true'
uses: aquasecurity/trivy-action@a11da62073708815958ea6d84f5650c78a3ef85b # master uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with: with:
scan-type: 'fs' scan-type: 'fs'
scanners: ${{ inputs.trivy-scanners }} scanners: ${{ inputs.trivy-scanners }}
@@ -161,14 +161,14 @@ runs:
- name: Upload Trivy results - name: Upload Trivy results
if: steps.verify-sarif.outputs.has_trivy == 'true' if: steps.verify-sarif.outputs.has_trivy == 'true'
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
with: with:
sarif_file: 'trivy-results.sarif' sarif_file: 'trivy-results.sarif'
category: 'trivy' category: 'trivy'
- name: Upload Gitleaks results - name: Upload Gitleaks results
if: steps.verify-sarif.outputs.has_gitleaks == 'true' if: steps.verify-sarif.outputs.has_gitleaks == 'true'
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
with: with:
sarif_file: 'gitleaks-report.sarif' sarif_file: 'gitleaks-report.sarif'
category: 'gitleaks' category: 'gitleaks'

4
terraform-lint-fix/action.yml
View File

@@ -147,7 +147,7 @@ runs:
- name: Setup TFLint - name: Setup TFLint
if: steps.check-files.outputs.found == 'true' if: steps.check-files.outputs.found == 'true'
uses: terraform-linters/setup-tflint@4cb9feea73331a35b422df102992a03a44a3bb33 # v6.2.1 uses: terraform-linters/setup-tflint@b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93 # v6.2.2
with: with:
tflint_version: ${{ inputs.tflint-version }} tflint_version: ${{ inputs.tflint-version }}
@@ -256,7 +256,7 @@ runs:
- name: Upload SARIF Report - name: Upload SARIF Report
if: steps.check-files.outputs.found == 'true' && inputs.format == 'sarif' if: steps.check-files.outputs.found == 'true' && inputs.format == 'sarif'
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
with: with:
sarif_file: ${{ env.VALIDATED_WORKING_DIR }}/reports/tflint.sarif sarif_file: ${{ env.VALIDATED_WORKING_DIR }}/reports/tflint.sarif
category: terraform-lint category: terraform-lint