feat: use our own actions in our workflows (#377)

* feat: use our own actions in our workflows * fix: add missing inputs to validate-inputs, refactor node * chore: cr comment fixes * fix: update-validators formatting * chore: update validators, add tests, conventions * feat: validate severity with severity_enum * feat: add 10 generic validators to improve input validation coverage Add comprehensive validation system improvements across multiple phases: Phase 2A - Quick Wins: - Add multi_value_enum validator for 2-10 value enumerations - Add exit_code_list validator for Unix/Linux exit codes (0-255) - Refactor coverage_driver to use multi_value_enum Phase 2B - High-Value Validators: - Add key_value_list validator with shell injection prevention - Add path_list validator with path traversal and glob support Quick Wins - Additional Enums: - Add network_mode validator for Docker network modes - Add language_enum validator for language detection - Add framework_mode validator for PHP framework modes - Update boolean pattern to include 'push' Phase 2C - Specialized Validators: - Add json_format validator for JSON syntax validation - Add cache_config validator for Docker BuildKit cache configs Improvements: - All validators include comprehensive security checks - Pattern-based validation with clear error messages - 23 new test methods with edge case coverage - Update special case mappings for 20+ inputs - Fix build-args mapping test expectation Coverage impact: 22 actions now at 100% validation (88% → 92%) Test suite: 762 → 785 tests (+23 tests, all passing) * chore: regenerate rules.yml with improved validator coverage Regenerate validation rules for all actions with new validators: - compress-images: 86% → 100% (+1 input: ignore-paths) - docker-build: 63% → 100% (+4 inputs: cache configs, platform-build-args) - docker-publish: 73% → 100% (+1 input: build-args) - language-version-detect: 67% → 100% (+1 input: language) - php-tests: 89% (fixed framework→framework_mode mapping) - prettier-lint: 86% → 100% (+2 inputs: file-pattern, plugins) - security-scan: 86% (maintained coverage) Overall: 23 of 25 actions now at 100% validation coverage (92%) * fix: address PR #377 review comments - Add | None type annotations to 6 optional parameters (PEP 604) - Standardize injection pattern: remove @# from comma_separated_list validator (@ and # are not shell injection vectors, allows npm scoped packages) - Remove dead code: unused value expression in key_value_list validator - Update tests to reflect injection pattern changes
2026-03-11 03:57:36 +00:00 · 2025-11-25 23:51:03 +02:00
parent e58465e5d3
commit 9aa16a8164
32 changed files with 2823 additions and 523 deletions
--- a/.serena/memories/repository_overview.md
+++ b/.serena/memories/repository_overview.md
@@ -5,13 +5,14 @@
 - **Path**: /Users/ivuorinen/Code/ivuorinen/actions
 - **Branch**: main
 - **External Usage**: `ivuorinen/actions/<action-name>@main`
- **Total Actions**: 43 self-contained actions
+- **Total Actions**: 44 self-contained actions
+- **Dogfooding**: Workflows use local actions (pr-lint, codeql-analysis, security-scan)

 ## Structure

 ```text
 /
-├── <action-dirs>/           # 43 self-contained actions
+├── <action-dirs>/           # 44 self-contained actions
 │   ├── action.yml          # Action definition
 │   ├── README.md           # Auto-generated
 │   └── CustomValidator.py  # Optional validator
@@ -25,12 +26,14 @@
 └── Makefile               # Build automation
 ```

-## Action Categories (43 total)
+## Action Categories (44 total)

 **Setup (7)**: node-setup, set-git-config, php-version-detect, python-version-detect, python-version-detect-v2, go-version-detect, dotnet-version-detect

 **Linting (13)**: ansible-lint-fix, biome-check/fix, csharp-lint-check, eslint-check/fix, go-lint, pr-lint, pre-commit, prettier-check/fix, python-lint-fix, terraform-lint-fix

+**Security (1)**: security-scan (actionlint, Gitleaks, Trivy scanning)
+
 **Build (3)**: csharp-build, go-build, docker-build

 **Publishing (5)**: npm-publish, docker-publish, docker-publish-gh, docker-publish-hub, csharp-publish
@@ -85,3 +88,28 @@ make test       # All tests (pytest + ShellSpec)
 - ✅ Convention-based validation
 - ✅ Test generation system
 - ✅ Full backward compatibility
+
+## Dogfooding Strategy
+
+The repository actively dogfoods its own actions in workflows:
+
+**Fully Dogfooded Workflows**:
+
+- **pr-lint.yml**: Uses `./pr-lint` (was 204 lines, now 112 lines - 45% reduction)
+- **action-security.yml**: Uses `./security-scan` (was 264 lines, now 82 lines - 69% reduction)
+- **codeql-new.yml**: Uses `./codeql-analysis`
+- **sync-labels.yml**: Uses `./sync-labels`
+- **version-maintenance.yml**: Uses `./action-versioning`
+
+**Intentionally External**:
+
+- **build-testing-image.yml**: Uses docker/\* actions directly (needs metadata extraction)
+- Core GitHub actions (checkout, upload-artifact, setup-\*) kept for standardization
+
+**Benefits**:
+
+- Early detection of action issues
+- Real-world testing of actions
+- Reduced workflow duplication
+- Improved maintainability
+- Better documentation through usage examples