mirror of
https://github.com/ivuorinen/actions.git
synced 2026-02-15 11:47:55 +00:00
feat: use our own actions in our workflows (#377)
* feat: use our own actions in our workflows * fix: add missing inputs to validate-inputs, refactor node * chore: cr comment fixes * fix: update-validators formatting * chore: update validators, add tests, conventions * feat: validate severity with severity_enum * feat: add 10 generic validators to improve input validation coverage Add comprehensive validation system improvements across multiple phases: Phase 2A - Quick Wins: - Add multi_value_enum validator for 2-10 value enumerations - Add exit_code_list validator for Unix/Linux exit codes (0-255) - Refactor coverage_driver to use multi_value_enum Phase 2B - High-Value Validators: - Add key_value_list validator with shell injection prevention - Add path_list validator with path traversal and glob support Quick Wins - Additional Enums: - Add network_mode validator for Docker network modes - Add language_enum validator for language detection - Add framework_mode validator for PHP framework modes - Update boolean pattern to include 'push' Phase 2C - Specialized Validators: - Add json_format validator for JSON syntax validation - Add cache_config validator for Docker BuildKit cache configs Improvements: - All validators include comprehensive security checks - Pattern-based validation with clear error messages - 23 new test methods with edge case coverage - Update special case mappings for 20+ inputs - Fix build-args mapping test expectation Coverage impact: 22 actions now at 100% validation (88% → 92%) Test suite: 762 → 785 tests (+23 tests, all passing) * chore: regenerate rules.yml with improved validator coverage Regenerate validation rules for all actions with new validators: - compress-images: 86% → 100% (+1 input: ignore-paths) - docker-build: 63% → 100% (+4 inputs: cache configs, platform-build-args) - docker-publish: 73% → 100% (+1 input: build-args) - language-version-detect: 67% → 100% (+1 input: language) - php-tests: 89% (fixed framework→framework_mode mapping) - prettier-lint: 86% → 100% (+2 inputs: file-pattern, plugins) - security-scan: 86% (maintained coverage) Overall: 23 of 25 actions now at 100% validation coverage (92%) * fix: address PR #377 review comments - Add | None type annotations to 6 optional parameters (PEP 604) - Standardize injection pattern: remove @# from comma_separated_list validator (@ and # are not shell injection vectors, allows npm scoped packages) - Remove dead code: unused value expression in key_value_list validator - Update tests to reflect injection pattern changes
This commit is contained in:
GitHub
@@ -8,56 +8,62 @@ Centralized Python-based input validation for GitHub Actions with PCRE regex sup
|
||||
|
||||
### Inputs
|
||||
|
||||
| name | description | required | default |
|
||||
|---------------------|-------------------------------------------------------------------------------------|----------|---------|
|
||||
| `action` | <p>Action name to validate (alias for action-type)</p> | `false` | `""` |
|
||||
| `action-type` | <p>Type of action to validate (e.g., csharp-publish, docker-build, eslint-lint)</p> | `false` | `""` |
|
||||
| `rules-file` | <p>Path to validation rules file</p> | `false` | `""` |
|
||||
| `fail-on-error` | <p>Whether to fail on validation errors</p> | `false` | `true` |
|
||||
| `token` | <p>GitHub token for authentication</p> | `false` | `""` |
|
||||
| `namespace` | <p>Namespace/username for validation</p> | `false` | `""` |
|
||||
| `email` | <p>Email address for validation</p> | `false` | `""` |
|
||||
| `username` | <p>Username for validation</p> | `false` | `""` |
|
||||
| `dotnet-version` | <p>.NET version string</p> | `false` | `""` |
|
||||
| `terraform-version` | <p>Terraform version string</p> | `false` | `""` |
|
||||
| `tflint-version` | <p>TFLint version string</p> | `false` | `""` |
|
||||
| `node-version` | <p>Node.js version string</p> | `false` | `""` |
|
||||
| `force-version` | <p>Force version override</p> | `false` | `""` |
|
||||
| `default-version` | <p>Default version fallback</p> | `false` | `""` |
|
||||
| `image-name` | <p>Docker image name</p> | `false` | `""` |
|
||||
| `tag` | <p>Docker image tag</p> | `false` | `""` |
|
||||
| `architectures` | <p>Target architectures</p> | `false` | `""` |
|
||||
| `dockerfile` | <p>Dockerfile path</p> | `false` | `""` |
|
||||
| `context` | <p>Docker build context</p> | `false` | `""` |
|
||||
| `build-args` | <p>Docker build arguments</p> | `false` | `""` |
|
||||
| `buildx-version` | <p>Docker Buildx version</p> | `false` | `""` |
|
||||
| `max-retries` | <p>Maximum retry attempts</p> | `false` | `""` |
|
||||
| `image-quality` | <p>Image quality percentage</p> | `false` | `""` |
|
||||
| `png-quality` | <p>PNG quality percentage</p> | `false` | `""` |
|
||||
| `parallel-builds` | <p>Number of parallel builds</p> | `false` | `""` |
|
||||
| `days-before-stale` | <p>Number of days before marking as stale</p> | `false` | `""` |
|
||||
| `days-before-close` | <p>Number of days before closing stale items</p> | `false` | `""` |
|
||||
| `pre-commit-config` | <p>Pre-commit configuration file path</p> | `false` | `""` |
|
||||
| `base-branch` | <p>Base branch name</p> | `false` | `""` |
|
||||
| `dry-run` | <p>Dry run mode</p> | `false` | `""` |
|
||||
| `is_fiximus` | <p>Use Fiximus bot</p> | `false` | `""` |
|
||||
| `prefix` | <p>Release tag prefix</p> | `false` | `""` |
|
||||
| `language` | <p>Language to analyze (for CodeQL)</p> | `false` | `""` |
|
||||
| `queries` | <p>CodeQL queries to run</p> | `false` | `""` |
|
||||
| `packs` | <p>CodeQL query packs</p> | `false` | `""` |
|
||||
| `config-file` | <p>CodeQL configuration file path</p> | `false` | `""` |
|
||||
| `config` | <p>CodeQL configuration YAML string</p> | `false` | `""` |
|
||||
| `build-mode` | <p>Build mode for compiled languages</p> | `false` | `""` |
|
||||
| `source-root` | <p>Source code root directory</p> | `false` | `""` |
|
||||
| `category` | <p>Analysis category</p> | `false` | `""` |
|
||||
| `checkout-ref` | <p>Git reference to checkout</p> | `false` | `""` |
|
||||
| `working-directory` | <p>Working directory for analysis</p> | `false` | `""` |
|
||||
| `upload-results` | <p>Upload results to GitHub Security</p> | `false` | `""` |
|
||||
| `ram` | <p>Memory in MB for CodeQL</p> | `false` | `""` |
|
||||
| `threads` | <p>Number of threads for CodeQL</p> | `false` | `""` |
|
||||
| `output` | <p>Output path for SARIF results</p> | `false` | `""` |
|
||||
| `skip-queries` | <p>Skip running queries</p> | `false` | `""` |
|
||||
| `add-snippets` | <p>Add code snippets to SARIF</p> | `false` | `""` |
|
||||
| name | description | required | default |
|
||||
|----------------------|-------------------------------------------------------------------------------------|----------|---------|
|
||||
| `action` | <p>Action name to validate (alias for action-type)</p> | `false` | `""` |
|
||||
| `action-type` | <p>Type of action to validate (e.g., csharp-publish, docker-build, eslint-lint)</p> | `false` | `""` |
|
||||
| `rules-file` | <p>Path to validation rules file</p> | `false` | `""` |
|
||||
| `fail-on-error` | <p>Whether to fail on validation errors</p> | `false` | `true` |
|
||||
| `token` | <p>GitHub token for authentication</p> | `false` | `""` |
|
||||
| `namespace` | <p>Namespace/username for validation</p> | `false` | `""` |
|
||||
| `email` | <p>Email address for validation</p> | `false` | `""` |
|
||||
| `username` | <p>Username for validation</p> | `false` | `""` |
|
||||
| `dotnet-version` | <p>.NET version string</p> | `false` | `""` |
|
||||
| `terraform-version` | <p>Terraform version string</p> | `false` | `""` |
|
||||
| `tflint-version` | <p>TFLint version string</p> | `false` | `""` |
|
||||
| `node-version` | <p>Node.js version string</p> | `false` | `""` |
|
||||
| `force-version` | <p>Force version override</p> | `false` | `""` |
|
||||
| `default-version` | <p>Default version fallback</p> | `false` | `""` |
|
||||
| `image-name` | <p>Docker image name</p> | `false` | `""` |
|
||||
| `tag` | <p>Docker image tag</p> | `false` | `""` |
|
||||
| `architectures` | <p>Target architectures</p> | `false` | `""` |
|
||||
| `dockerfile` | <p>Dockerfile path</p> | `false` | `""` |
|
||||
| `context` | <p>Docker build context</p> | `false` | `""` |
|
||||
| `build-args` | <p>Docker build arguments</p> | `false` | `""` |
|
||||
| `buildx-version` | <p>Docker Buildx version</p> | `false` | `""` |
|
||||
| `max-retries` | <p>Maximum retry attempts</p> | `false` | `""` |
|
||||
| `image-quality` | <p>Image quality percentage</p> | `false` | `""` |
|
||||
| `png-quality` | <p>PNG quality percentage</p> | `false` | `""` |
|
||||
| `parallel-builds` | <p>Number of parallel builds</p> | `false` | `""` |
|
||||
| `days-before-stale` | <p>Number of days before marking as stale</p> | `false` | `""` |
|
||||
| `days-before-close` | <p>Number of days before closing stale items</p> | `false` | `""` |
|
||||
| `pre-commit-config` | <p>Pre-commit configuration file path</p> | `false` | `""` |
|
||||
| `base-branch` | <p>Base branch name</p> | `false` | `""` |
|
||||
| `dry-run` | <p>Dry run mode</p> | `false` | `""` |
|
||||
| `is_fiximus` | <p>Use Fiximus bot</p> | `false` | `""` |
|
||||
| `prefix` | <p>Release tag prefix</p> | `false` | `""` |
|
||||
| `language` | <p>Language to analyze (for CodeQL)</p> | `false` | `""` |
|
||||
| `queries` | <p>CodeQL queries to run</p> | `false` | `""` |
|
||||
| `packs` | <p>CodeQL query packs</p> | `false` | `""` |
|
||||
| `config-file` | <p>CodeQL configuration file path</p> | `false` | `""` |
|
||||
| `config` | <p>CodeQL configuration YAML string</p> | `false` | `""` |
|
||||
| `build-mode` | <p>Build mode for compiled languages</p> | `false` | `""` |
|
||||
| `source-root` | <p>Source code root directory</p> | `false` | `""` |
|
||||
| `category` | <p>Analysis category</p> | `false` | `""` |
|
||||
| `checkout-ref` | <p>Git reference to checkout</p> | `false` | `""` |
|
||||
| `working-directory` | <p>Working directory for analysis</p> | `false` | `""` |
|
||||
| `upload-results` | <p>Upload results to GitHub Security</p> | `false` | `""` |
|
||||
| `ram` | <p>Memory in MB for CodeQL</p> | `false` | `""` |
|
||||
| `threads` | <p>Number of threads for CodeQL</p> | `false` | `""` |
|
||||
| `output` | <p>Output path for SARIF results</p> | `false` | `""` |
|
||||
| `skip-queries` | <p>Skip running queries</p> | `false` | `""` |
|
||||
| `add-snippets` | <p>Add code snippets to SARIF</p> | `false` | `""` |
|
||||
| `gitleaks-license` | <p>Gitleaks license key</p> | `false` | `""` |
|
||||
| `gitleaks-config` | <p>Gitleaks configuration file path</p> | `false` | `""` |
|
||||
| `trivy-severity` | <p>Trivy severity levels to scan</p> | `false` | `""` |
|
||||
| `trivy-scanners` | <p>Trivy scanner types to run</p> | `false` | `""` |
|
||||
| `trivy-timeout` | <p>Trivy scan timeout</p> | `false` | `""` |
|
||||
| `actionlint-enabled` | <p>Enable actionlint scanning</p> | `false` | `""` |
|
||||
|
||||
### Outputs
|
||||
|
||||
@@ -365,4 +371,40 @@ This action is a `composite` action.
|
||||
#
|
||||
# Required: false
|
||||
# Default: ""
|
||||
|
||||
gitleaks-license:
|
||||
# Gitleaks license key
|
||||
#
|
||||
# Required: false
|
||||
# Default: ""
|
||||
|
||||
gitleaks-config:
|
||||
# Gitleaks configuration file path
|
||||
#
|
||||
# Required: false
|
||||
# Default: ""
|
||||
|
||||
trivy-severity:
|
||||
# Trivy severity levels to scan
|
||||
#
|
||||
# Required: false
|
||||
# Default: ""
|
||||
|
||||
trivy-scanners:
|
||||
# Trivy scanner types to run
|
||||
#
|
||||
# Required: false
|
||||
# Default: ""
|
||||
|
||||
trivy-timeout:
|
||||
# Trivy scan timeout
|
||||
#
|
||||
# Required: false
|
||||
# Default: ""
|
||||
|
||||
actionlint-enabled:
|
||||
# Enable actionlint scanning
|
||||
#
|
||||
# Required: false
|
||||
# Default: ""
|
||||
```
|
||||
|
||||
Reference in New Issue
Block a user