From a0cc32995febced303822c846be6213babe544bc Mon Sep 17 00:00:00 2001
From: Ismo Vuorinen
Date: Mon, 9 Mar 2026 01:59:07 +0200
Subject: [PATCH] feat(security): add OpenSSF Scorecard workflow and maximize score (#498)
* feat(security): add OpenSSF Scorecard workflow and maximize score
- Add scorecard.yml workflow (weekly + push to main) with SARIF upload
- Add CONTRIBUTING.md for contributor guidelines
- Add SLSA provenance attestation job to release workflow
- Add CycloneDX SBOM generation job to release workflow
- Pin Dockerfile base images to sha256 digests
- Enable Renovate pinDigests and platformAutomerge
- Add OpenSSF Scorecard badge to README
* fix(docs): address PR #498 review comments and remove .coderabbit.yaml
- Delete .coderabbit.yaml (falls back to shared org-level config)
- Add missing linter deps to CONTRIBUTING.md install step
- Separate make all and make test into distinct steps
- Fix line length note to match EditorConfig (200 chars, no MD override)
- Add yamllint/markdownlint to YAML/JSON/Markdown linter list
- Refine action references guidance
- Expand "Adding a New Action" section with action-docs and catalog info
---
 .coderabbit.yaml | 18 ----
 .github/renovate.json | 2 +
 .github/workflows/release.yml | 46 +++++++++
 .github/workflows/scorecard.yml | 37 +++++++
 .serena/project.yml | 67 ++++++++++++-
 CONTRIBUTING.md | 75 ++++++++++++++
 README.md | 132 +++++++++++++------------
 _tools/docker-testing-tools/Dockerfile | 4 +-
 8 files changed, 295 insertions(+), 86 deletions(-)
 delete mode 100644 .coderabbit.yaml
 create mode 100644 .github/workflows/scorecard.yml
 create mode 100644 CONTRIBUTING.md
diff --git a/.coderabbit.yaml b/.coderabbit.yaml
deleted file mode 100644
index a2026c9..0000000
--- a/.coderabbit.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-# yaml-language-server: $schema=https://www.coderabbit.ai/integrations/schema.v2.json
-remote_config:
- url: 'https://raw.githubusercontent.com/ivuorinen/coderabbit/1985ff756ef62faf7baad0c884719339ffb652bd/coderabbit.yaml'
-path_instructions:
- - path: '.serena/**/*'
- instructions: >-
- - These are files for Serena LLM. Do not review them.
- - path: '**/*/README.md'
- instructions: >-
- - README.md files next to action.yml files are autogenerated
- and should not be reviewed.
- - README.md file in the root of the repository should be reviewed.
- - README.md files for actions use `@main` version for the action as an illustration.
- Do not review them.
- - path: '**/*.md'
- instructions: >-
- - The repository uses CalVer for versioning. Do not review version numbers in the documentation.
diff --git a/.github/renovate.json b/.github/renovate.json
index 7131c46..eaff93f 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -4,6 +4,8 @@
 "github>ivuorinen/renovate-config",
 "customManagers:biomeVersions"
 ],
+ "pinDigests": true,
+ "platformAutomerge": true,
 "packageRules": [
 {
 "matchUpdateTypes": [
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 303a62c..40b6744 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
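Review bot: `"platformAutomerge": true` hands merging to GitHub's native auto-merge, which merges as soon as the branch's required checks are satisfied — if `main` has no branch protection or ruleset with required status checks, a Renovate PR with automerge enabled can presumably land without CI gating the digest bumps that `"pinDigests": true` now produces. Worth confirming that the shared preset `github>ivuorinen/renovate-config` or the `packageRules` below actually enable `automerge` for some update types (otherwise `platformAutomerge` has no effect) and that the release and test workflows are required checks on `main`. Since JSON allows no comment, that dependency on branch protection is best recorded in CONTRIBUTING.md or the PR description. The `packageRules` array continues outside the hunk.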
@@ -19,3 +19,49 @@ jobs:
 - uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
 with:
 generate_release_notes: true
+
+ provenance:
+ needs: release
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: write
+ attestations: write
+ steps:
+ - uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
+ - name: Create source archive
+ env:
+ TAG: ${{ github.ref_name }}
+ run: |
+ set -eu
+ git archive --format=tar.gz --prefix="${TAG}/" HEAD > "${TAG}-source.tar.gz"
+ sha256sum "${TAG}-source.tar.gz" > "${TAG}-source.tar.gz.sha256"
+ - uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0
+ with:
+ subject-path: '${{ github.ref_name }}-source.tar.gz'
+ - name: Upload release assets
+ env:
+ GH_TOKEN: ${{ github.token }}
+ TAG: ${{ github.ref_name }}
+ run: |
+ set -eu
+ gh release upload "$TAG" "${TAG}-source.tar.gz" "${TAG}-source.tar.gz.sha256" --clobber
+
+ sbom:
+ needs: release
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
+ - uses: anchore/sbom-action@e11c554f704a0b820cbf8c51673f6945e0731532 # v0.20.0
+ with:
+ format: cyclonedx-json
+ output-file: sbom.cdx.json
+ - name: Upload SBOM to release
+ env:
+ GH_TOKEN: ${{ github.token }}
+ TAG: ${{ github.ref_name }}
+ run: |
+ set -eu
+ gh release upload "$TAG" sbom.cdx.json --clobber
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 0000000..a2a77bc
--- /dev/null
+++ b/.github/workflows/scorecard.yml
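Review bot: Both new jobs check out with the default persisted `GITHUB_TOKEN` even though neither `git archive` nor the SBOM step needs repository credentials, and the scorecard workflow in this same commit already sets `persist-credentials: false`; since these jobs also hold `contents: write`, add `with:` / `persist-credentials: false` to the two `actions/checkout` steps for consistency and a smaller blast radius. The `provenance` job attests only the source tarball, while `sbom.cdx.json` is uploaded with no attestation, so a consumer can verify where the archive came from but not that the SBOM was produced by this workflow — an `actions/attest-sbom` step on the SBOM job (or listing the SBOM among the attested subjects) would close that gap. Both jobs assume `github.ref_name` is the release tag that `gh release upload "$TAG"` expects; the workflow's trigger is above this hunk, so I can't confirm that holds for every run.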
@@ -0,0 +1,37 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: OpenSSF Scorecard
+
+on:
+ push:
+ branches: [main]
+ schedule:
+ - cron: '0 2 * * 0' # Weekly Sunday 2AM UTC
+
+permissions: {}
+
+jobs:
+ analysis:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ id-token: write
+ contents: read
+ actions: read
+ steps:
+ - uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
+ with:
+ persist-credentials: false
+ - uses: ossf/scorecard-action@99c09fe975337306107572b4fdf4db224cf8e2f2 # v2.4.3
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+ - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+ with:
+ sarif_file: results.sarif
diff --git a/.serena/project.yml b/.serena/project.yml
index 6c0c4e0..1a7903e 100644
--- a/.serena/project.yml
+++ b/.serena/project.yml
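Review bot: The `on:` block fires only on pushes to `main` and the weekly cron, so a change to branch protection is not re-scored until the next scheduled run; the ossf template also lists the `branch_protection_rule` event so the Branch-Protection check refreshes promptly, and `workflow_dispatch` lets a maintainer re-run after fixing a finding. Two added lines under `on:`: `branch_protection_rule:` and `workflow_dispatch:`. `publish_results: true` makes the score public through the Scorecard API, which the README badge added in this commit relies on — a trailing comment such as `# required for the README badge; results are public` keeps a later hardening pass from flipping it to false. Pinning `actions/checkout` to a `v6-beta` commit is a pre-release pin; if that is deliberate, say so in the trailing comment so Renovate's next bump isn't mistaken for a regression.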
@@ -60,10 +60,75 @@ excluded_tools: []
 # initial prompt for the project. It will always be given to the LLM upon activating the project
 # (contrary to the memories, which are loaded on demand).
 initial_prompt: ''
-
+# the name by which the project can be referenced within Serena
 project_name: 'actions'
+
+# list of languages for which language servers are started; choose from:
+# al bash clojure cpp csharp
+# csharp_omnisharp dart elixir elm erlang
+# fortran fsharp go groovy haskell
+# java julia kotlin lua markdown
+# matlab nix pascal perl php
+# php_phpactor powershell python python_jedi r
+# rego ruby ruby_solargraph rust scala
+# swift terraform toml typescript typescript_vts
+# vue yaml zig
+# (This list may be outdated. For the current list, see values of Language enum here:
+# https://github.com/oraios/serena/blob/main/src/solidlsp/ls_config.py
+# For some languages, there are alternative language servers, e.g. csharp_omnisharp, ruby_solargraph.)
+# Note:
+# - For C, use cpp
+# - For JavaScript, use typescript
+# - For Free Pascal/Lazarus, use pascal
+# Special requirements:
+# Some languages require additional setup/installations.
+# See here for details: https://oraios.github.io/serena/01-about/020_programming-languages.html#language-servers
+# When using multiple languages, the first language server that supports a given file will be used for that file.
+# The first language is the default language and the respective language server will be used as a fallback.
+# Note that when using the JetBrains backend, language servers are not used and this list is correspondingly ignored.
 languages:
 - bash
 - python
+
+# list of tools to include that would otherwise be disabled (particularly optional tools that are disabled by default)
 included_optional_tools: []
+
+# the encoding used by text files in the project
+# For a list of possible encodings, see https://docs.python.org/3.11/library/codecs.html#standard-encodings
 encoding: utf-8
+
+# fixed set of tools to use as the base tool set (if non-empty), replacing Serena's default set of tools.
+# This cannot be combined with non-empty excluded_tools or included_optional_tools.
+fixed_tools: []
+
+# list of mode names to that are always to be included in the set of active modes
+# The full set of modes to be activated is base_modes + default_modes.
+# If the setting is undefined, the base_modes from the global configuration (serena_config.yml) apply.
+# Otherwise, this setting overrides the global configuration.
+# Set this to [] to disable base modes for this project.
+# Set this to a list of mode names to always include the respective modes for this project.
+base_modes:
+
+# list of mode names that are to be activated by default.
+# The full set of modes to be activated is base_modes + default_modes.
+# If the setting is undefined, the default_modes from the global configuration (serena_config.yml) apply.
+# Otherwise, this overrides the setting from the global configuration (serena_config.yml).
+# This setting can, in turn, be overridden by CLI parameters (--mode).
+default_modes:
+
+# time budget (seconds) per tool call for the retrieval of additional symbol information
+# such as docstrings or parameter information.
+# This overrides the corresponding setting in the global configuration; see the documentation there.
+# If null or missing, use the setting from the global configuration.
+symbol_info_budget:
+
+# The language backend to use for this project.
+# If not set, the global setting from serena_config.yml is used.
+# Valid values: LSP, JetBrains
+# Note: the backend is fixed at startup. 
If a project with a different backend
+# is activated post-init, an error will be returned.
+language_backend:
+
+# list of regex patterns which, when matched, mark a memory entry as read‑only.
+# Extends the list from the global configuration, merging the two lists.
+read_only_memory_patterns: []
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..876ce2c
--- /dev/null
+++ b/CONTRIBUTING.md
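Review bot: The new keys `base_modes:`, `default_modes:`, `symbol_info_budget:` and `language_backend:` are bare, which YAML parses as `null` rather than "undefined"; the comments describe the unset case as "undefined" or "missing", and whether Serena's loader treats `null` the same way is not something I can confirm from this file. Writing `base_modes: null` (and likewise for the other three) makes the intent explicit and satisfies yamllint's `empty-values` rule; if "missing" is what is meant, omit the keys instead. The comment introducing `base_modes` reads `list of mode names to that are always to be included`; it should be `list of mode names that are always to be included`. The word `read‑only` in the `read_only_memory_patterns` comment appears to use a non-ASCII hyphen, which a plain `grep read-only` will miss — worth replacing with `-`.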
@@ -0,0 +1,75 @@
+# Contributing to ivuorinen/actions
+
+Thank you for your interest in contributing to this GitHub Actions monorepo.
+
+## Reporting Issues
+
+- **Bugs**: Open an issue using the bug report template.
+- **Security vulnerabilities**: See [SECURITY.md](SECURITY.md) for responsible disclosure.
+- **Feature requests**: Open an issue describing the use case.
+
+## Development Setup
+
+1. Clone the repository:
+
+ ```bash
+ git clone https://github.com/ivuorinen/actions.git
+ cd actions
+ ```
+
+2. Install dependencies (Node.js, Python 3, ShellSpec, shellcheck, actionlint, ruff, prettier, markdownlint, yamllint).
+3. Run formatting, linting, and pre-commit checks:
+
+ ```bash
+ make all
+ ```
+
+4. Run the test suite:
+
+ ```bash
+ make test
+ ```
+
+## Code Style
+
+- **EditorConfig**: 2-space indentation, UTF-8, LF line endings, max 200 chars.
+- **Shell scripts**: POSIX `sh` with `set -eu`. No bash-only syntax.
+- **Python**: Formatted and linted with `ruff`.
+- **YAML/JSON/Markdown**: Formatted with `prettier`; linted with `yamllint` and `markdownlint`.
+- **Action references**: SHA-pinned in `action.yml` files. Date-based tags or commit SHAs for published refs.
+
+Run `make dev` (format + lint) to check your changes.
+
+## Pull Request Process
+
+1. Branch from `main`.
+2. Make focused changes (one feature or fix per PR).
+3. Ensure all checks pass: `make all` and `make test`.
+4. Follow existing patterns in the codebase.
+5. Update documentation if adding or modifying actions.
+
+## Testing
+
+```bash
+make test # All tests (ShellSpec + pytest)
+make test-actions # GitHub Actions tests only
+make test-python # Python validation tests only
+make test-coverage # All tests with coverage
+```
+
+See [\_tests/README.md](_tests/README.md) for details on the ShellSpec testing framework. 
+ +## Adding a New Action + +Each action is a self-contained directory at the repository root containing: + +- `action.yml` with inputs, outputs, and runs definition +- `README.md` generated via `action-docs` (`make docs`) +- Tests in `_tests/` + +Do not manually edit sections between `` markers in the root README. +Use `npm run update-catalog` to regenerate the catalog. + +## License + +By contributing, you agree that your contributions will be licensed under the [MIT License](LICENSE.md). diff --git a/README.md b/README.md index b0b2198..c8a75d1 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,7 @@ # ivuorinen/actions - My Reusable GitHub Actions and Workflows +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/ivuorinen/actions/badge)](https://scorecard.dev/viewer/?uri=github.com/ivuorinen/actions) + ## Overview This repository contains a collection of reusable GitHub Actions 
@@ -27,73 +29,73 @@ This repository contains **26 reusable GitHub Actions** for CI/CD automation. ### Quick Reference (26 Actions) | Icon | Action | Category | Description | Key Features | -|:----:|:-----------------------------------------------------|:-----------|:----------------------------------------------------------------|:---------------------------------------------| +| :--: | :--------------------------------------------------- | :--------- | :-------------------------------------------------------------- | :------------------------------------------- | | πŸ”€ | [`action-versioning`][action-versioning] | Utilities | Automatically update SHA-pinned action references to match l... | Token auth, Outputs | | πŸ“¦ | [`ansible-lint-fix`][ansible-lint-fix] | Linting | Lints and fixes Ansible playbooks, commits changes, and uplo... | Caching, Token auth, Outputs | -| βœ… | [`biome-lint`][biome-lint] | Linting | Run Biome linter in check or fix mode | Caching, Auto-detection, Token auth, Outputs | -| πŸ›‘οΈ | [`codeql-analysis`][codeql-analysis] | Repository | Run CodeQL security analysis for a single language with conf... | Auto-detection, Token auth, Outputs | -| πŸ–ΌοΈ | [`compress-images`][compress-images] | Repository | Compress images on demand (workflow_dispatch), and at 11pm e... | Token auth, Outputs | +| βœ… | [`biome-lint`][biome-lint] | Linting | Run Biome linter in check or fix mode | Caching, Auto-detection, Token auth, Outputs | +| πŸ›‘οΈ | [`codeql-analysis`][codeql-analysis] | Repository | Run CodeQL security analysis for a single language with conf... | Auto-detection, Token auth, Outputs | +| πŸ–ΌοΈ | [`compress-images`][compress-images] | Repository | Compress images on demand (workflow_dispatch), and at 11pm e... | Token auth, Outputs | | πŸ“ | [`csharp-build`][csharp-build] | Build | Builds and tests C# projects. 
| Caching, Auto-detection, Token auth, Outputs | | πŸ“ | [`csharp-lint-check`][csharp-lint-check] | Linting | Runs linters like StyleCop or dotnet-format for C# code styl... | Caching, Auto-detection, Token auth, Outputs | | πŸ“¦ | [`csharp-publish`][csharp-publish] | Publishing | Publishes a C# project to GitHub Packages. | Caching, Auto-detection, Token auth, Outputs | | πŸ“¦ | [`docker-build`][docker-build] | Build | Builds a Docker image for multiple architectures with enhanc... | Caching, Auto-detection, Token auth, Outputs | | ☁️ | [`docker-publish`][docker-publish] | Publishing | Simple wrapper to publish Docker images to GitHub Packages a... | Token auth, Outputs | -| βœ… | [`eslint-lint`][eslint-lint] | Linting | Run ESLint in check or fix mode with advanced configuration ... | Caching, Auto-detection, Token auth, Outputs | +| βœ… | [`eslint-lint`][eslint-lint] | Linting | Run ESLint in check or fix mode with advanced configuration ... | Caching, Auto-detection, Token auth, Outputs | | πŸ“¦ | [`go-build`][go-build] | Build | Builds the Go project. | Caching, Auto-detection, Token auth, Outputs | | πŸ“ | [`go-lint`][go-lint] | Linting | Run golangci-lint with advanced configuration, caching, and ... | Caching, Token auth, Outputs | | πŸ“ | [`language-version-detect`][language-version-detect] | Setup | DEPRECATED: This action is deprecated. Inline version detect... | Auto-detection, Token auth, Outputs | | πŸ“¦ | [`npm-publish`][npm-publish] | Publishing | Publishes the package to the NPM registry with configurable ... | Caching, Auto-detection, Token auth, Outputs | -| βœ… | [`php-tests`][php-tests] | Testing | Run PHPUnit tests with optional Laravel setup and Composer d... 
| Caching, Auto-detection, Token auth, Outputs | -| βœ… | [`pr-lint`][pr-lint] | Linting | Runs MegaLinter against pull requests | Caching, Auto-detection, Token auth, Outputs | +| βœ… | [`php-tests`][php-tests] | Testing | Run PHPUnit tests with optional Laravel setup and Composer d... | Caching, Auto-detection, Token auth, Outputs | +| βœ… | [`pr-lint`][pr-lint] | Linting | Runs MegaLinter against pull requests | Caching, Auto-detection, Token auth, Outputs | | πŸ“¦ | [`pre-commit`][pre-commit] | Linting | Runs pre-commit on the repository and pushes the fixes back ... | Auto-detection, Token auth, Outputs | -| βœ… | [`prettier-lint`][prettier-lint] | Linting | Run Prettier in check or fix mode with advanced configuratio... | Caching, Auto-detection, Token auth, Outputs | +| βœ… | [`prettier-lint`][prettier-lint] | Linting | Run Prettier in check or fix mode with advanced configuratio... | Caching, Auto-detection, Token auth, Outputs | | πŸ“ | [`python-lint-fix`][python-lint-fix] | Linting | Lints and fixes Python files, commits changes, and uploads S... | Caching, Auto-detection, Token auth, Outputs | | πŸ“¦ | [`release-monthly`][release-monthly] | Repository | Creates a release for the current month, incrementing patch ... | Token auth, Outputs | -| πŸ›‘οΈ | [`security-scan`][security-scan] | Security | Comprehensive security scanning for GitHub Actions including... | Caching, Token auth, Outputs | +| πŸ›‘οΈ | [`security-scan`][security-scan] | Security | Comprehensive security scanning for GitHub Actions including... | Caching, Token auth, Outputs | | πŸ“¦ | [`stale`][stale] | Repository | A GitHub Action to close stale issues and pull requests. | Token auth, Outputs | -| 🏷️ | [`sync-labels`][sync-labels] | Repository | Sync labels from a YAML file to a GitHub repository | Token auth, Outputs | -| πŸ–₯️ | [`terraform-lint-fix`][terraform-lint-fix] | Linting | Lints and fixes Terraform files with advanced validation and... 
| Token auth, Outputs | -| πŸ›‘οΈ | [`validate-inputs`][validate-inputs] | Validation | Centralized Python-based input validation for GitHub Actions... | Token auth, Outputs | +| 🏷️ | [`sync-labels`][sync-labels] | Repository | Sync labels from a YAML file to a GitHub repository | Token auth, Outputs | +| πŸ–₯️ | [`terraform-lint-fix`][terraform-lint-fix] | Linting | Lints and fixes Terraform files with advanced validation and... | Token auth, Outputs | +| πŸ›‘οΈ | [`validate-inputs`][validate-inputs] | Validation | Centralized Python-based input validation for GitHub Actions... | Token auth, Outputs | ### Actions by Category #### πŸ”§ Setup (1 action) | Action | Description | Languages | Features | -|:--------------------------------------------------------|:------------------------------------------------------|:-------------------------------|:------------------------------------| +| :------------------------------------------------------ | :---------------------------------------------------- | :----------------------------- | :---------------------------------- | | πŸ“ [`language-version-detect`][language-version-detect] | DEPRECATED: This action is deprecated. Inline vers... | PHP, Python, Go, .NET, Node.js | Auto-detection, Token auth, Outputs | #### πŸ› οΈ Utilities (1 action) | Action | Description | Languages | Features | -|:--------------------------------------------|:------------------------------------------------------|:---------------|:--------------------| +| :------------------------------------------ | :---------------------------------------------------- | :------------- | :------------------ | | πŸ”€ [`action-versioning`][action-versioning] | Automatically update SHA-pinned action references ... 
| GitHub Actions | Token auth, Outputs | #### πŸ“ Linting (10 actions) -| Action | Description | Languages | Features | -|:-----------------------------------------------|:------------------------------------------------------|:---------------------------------------------|:---------------------------------------------| -| πŸ“¦ [`ansible-lint-fix`][ansible-lint-fix] | Lints and fixes Ansible playbooks, commits changes... | Ansible, YAML | Caching, Token auth, Outputs | -| βœ… [`biome-lint`][biome-lint] | Run Biome linter in check or fix mode | JavaScript, TypeScript, JSON | Caching, Auto-detection, Token auth, Outputs | -| πŸ“ [`csharp-lint-check`][csharp-lint-check] | Runs linters like StyleCop or dotnet-format for C#... | C#, .NET | Caching, Auto-detection, Token auth, Outputs | -| βœ… [`eslint-lint`][eslint-lint] | Run ESLint in check or fix mode with advanced conf... | JavaScript, TypeScript | Caching, Auto-detection, Token auth, Outputs | -| πŸ“ [`go-lint`][go-lint] | Run golangci-lint with advanced configuration, cac... | Go | Caching, Token auth, Outputs | -| βœ… [`pr-lint`][pr-lint] | Runs MegaLinter against pull requests | Conventional Commits | Caching, Auto-detection, Token auth, Outputs | -| πŸ“¦ [`pre-commit`][pre-commit] | Runs pre-commit on the repository and pushes the f... | Python, Multiple Languages | Auto-detection, Token auth, Outputs | -| βœ… [`prettier-lint`][prettier-lint] | Run Prettier in check or fix mode with advanced co... | JavaScript, TypeScript, Markdown, YAML, JSON | Caching, Auto-detection, Token auth, Outputs | -| πŸ“ [`python-lint-fix`][python-lint-fix] | Lints and fixes Python files, commits changes, and... 
| Python | Caching, Auto-detection, Token auth, Outputs | +| Action | Description | Languages | Features | +| :-------------------------------------------- | :---------------------------------------------------- | :------------------------------------------- | :------------------------------------------- | +| πŸ“¦ [`ansible-lint-fix`][ansible-lint-fix] | Lints and fixes Ansible playbooks, commits changes... | Ansible, YAML | Caching, Token auth, Outputs | +| βœ… [`biome-lint`][biome-lint] | Run Biome linter in check or fix mode | JavaScript, TypeScript, JSON | Caching, Auto-detection, Token auth, Outputs | +| πŸ“ [`csharp-lint-check`][csharp-lint-check] | Runs linters like StyleCop or dotnet-format for C#... | C#, .NET | Caching, Auto-detection, Token auth, Outputs | +| βœ… [`eslint-lint`][eslint-lint] | Run ESLint in check or fix mode with advanced conf... | JavaScript, TypeScript | Caching, Auto-detection, Token auth, Outputs | +| πŸ“ [`go-lint`][go-lint] | Run golangci-lint with advanced configuration, cac... | Go | Caching, Token auth, Outputs | +| βœ… [`pr-lint`][pr-lint] | Runs MegaLinter against pull requests | Conventional Commits | Caching, Auto-detection, Token auth, Outputs | +| πŸ“¦ [`pre-commit`][pre-commit] | Runs pre-commit on the repository and pushes the f... | Python, Multiple Languages | Auto-detection, Token auth, Outputs | +| βœ… [`prettier-lint`][prettier-lint] | Run Prettier in check or fix mode with advanced co... | JavaScript, TypeScript, Markdown, YAML, JSON | Caching, Auto-detection, Token auth, Outputs | +| πŸ“ [`python-lint-fix`][python-lint-fix] | Lints and fixes Python files, commits changes, and... | Python | Caching, Auto-detection, Token auth, Outputs | | πŸ–₯️ [`terraform-lint-fix`][terraform-lint-fix] | Lints and fixes Terraform files with advanced vali... 
| Terraform, HCL | Token auth, Outputs | #### πŸ§ͺ Testing (1 action) -| Action | Description | Languages | Features | -|:---------------------------|:------------------------------------------------------|:-------------|:---------------------------------------------| +| Action | Description | Languages | Features | +| :-------------------------- | :---------------------------------------------------- | :----------- | :------------------------------------------- | | βœ… [`php-tests`][php-tests] | Run PHPUnit tests with optional Laravel setup and ... | PHP, Laravel | Caching, Auto-detection, Token auth, Outputs | #### πŸ—οΈ Build (3 actions) | Action | Description | Languages | Features | -|:----------------------------------|:------------------------------------------------------|:----------|:---------------------------------------------| +| :-------------------------------- | :---------------------------------------------------- | :-------- | :------------------------------------------- | | πŸ“ [`csharp-build`][csharp-build] | Builds and tests C# projects. | C#, .NET | Caching, Auto-detection, Token auth, Outputs | | πŸ“¦ [`docker-build`][docker-build] | Builds a Docker image for multiple architectures w... | Docker | Caching, Auto-detection, Token auth, Outputs | | πŸ“¦ [`go-build`][go-build] | Builds the Go project. | Go | Caching, Auto-detection, Token auth, Outputs | 
@@ -101,68 +103,68 @@ This repository contains **26 reusable GitHub Actions** for CI/CD automation. #### πŸš€ Publishing (3 actions) | Action | Description | Languages | Features | -|:--------------------------------------|:------------------------------------------------------|:-------------|:---------------------------------------------| +| :------------------------------------ | :---------------------------------------------------- | :----------- | :------------------------------------------- | | πŸ“¦ [`csharp-publish`][csharp-publish] | Publishes a C# project to GitHub Packages. | C#, .NET | Caching, Auto-detection, Token auth, Outputs | | ☁️ [`docker-publish`][docker-publish] | Simple wrapper to publish Docker images to GitHub ... | Docker | Token auth, Outputs | | πŸ“¦ [`npm-publish`][npm-publish] | Publishes the package to the NPM registry with con... | Node.js, npm | Caching, Auto-detection, Token auth, Outputs | #### πŸ“¦ Repository (5 actions) -| Action | Description | Languages | Features | -|:-----------------------------------------|:------------------------------------------------------|:--------------------------------------------------------|:------------------------------------| +| Action | Description | Languages | Features | +| :-------------------------------------- | :---------------------------------------------------- | :------------------------------------------------------ | :---------------------------------- | | πŸ›‘οΈ [`codeql-analysis`][codeql-analysis] | Run CodeQL security analysis for a single language... | JavaScript, TypeScript, Python, Java, C#, C++, Go, Ruby | Auto-detection, Token auth, Outputs | | πŸ–ΌοΈ [`compress-images`][compress-images] | Compress images on demand (workflow_dispatch), and... | Images, PNG, JPEG | Token auth, Outputs | -| πŸ“¦ [`release-monthly`][release-monthly] | Creates a release for the current month, increment... 
| GitHub Actions | Token auth, Outputs | -| πŸ“¦ [`stale`][stale] | A GitHub Action to close stale issues and pull req... | GitHub Actions | Token auth, Outputs | +| πŸ“¦ [`release-monthly`][release-monthly] | Creates a release for the current month, increment... | GitHub Actions | Token auth, Outputs | +| πŸ“¦ [`stale`][stale] | A GitHub Action to close stale issues and pull req... | GitHub Actions | Token auth, Outputs | | 🏷️ [`sync-labels`][sync-labels] | Sync labels from a YAML file to a GitHub repositor... | YAML, GitHub | Token auth, Outputs | #### πŸ›‘οΈ Security (1 action) -| Action | Description | Languages | Features | -|:-------------------------------------|:------------------------------------------------------|:----------|:-----------------------------| +| Action | Description | Languages | Features | +| :---------------------------------- | :---------------------------------------------------- | :-------- | :--------------------------- | | πŸ›‘οΈ [`security-scan`][security-scan] | Comprehensive security scanning for GitHub Actions... | - | Caching, Token auth, Outputs | #### βœ… Validation (1 action) -| Action | Description | Languages | Features | -|:-----------------------------------------|:------------------------------------------------------|:---------------------|:--------------------| +| Action | Description | Languages | Features | +| :-------------------------------------- | :---------------------------------------------------- | :------------------- | :------------------ | | πŸ›‘οΈ [`validate-inputs`][validate-inputs] | Centralized Python-based input validation for GitH... 
| YAML, GitHub Actions | Token auth, Outputs | ### Feature Matrix | Action | Caching | Auto-detection | Token auth | Outputs | -|:-----------------------------------------------------|:-------:|:--------------:|:----------:|:-------:| -| [`action-versioning`][action-versioning] | - | - | βœ… | βœ… | -| [`ansible-lint-fix`][ansible-lint-fix] | βœ… | - | βœ… | βœ… | -| [`biome-lint`][biome-lint] | βœ… | βœ… | βœ… | βœ… | -| [`codeql-analysis`][codeql-analysis] | - | βœ… | βœ… | βœ… | -| [`compress-images`][compress-images] | - | - | βœ… | βœ… | -| [`csharp-build`][csharp-build] | βœ… | βœ… | βœ… | βœ… | -| [`csharp-lint-check`][csharp-lint-check] | βœ… | βœ… | βœ… | βœ… | -| [`csharp-publish`][csharp-publish] | βœ… | βœ… | βœ… | βœ… | -| [`docker-build`][docker-build] | βœ… | βœ… | βœ… | βœ… | -| [`docker-publish`][docker-publish] | - | - | βœ… | βœ… | -| [`eslint-lint`][eslint-lint] | βœ… | βœ… | βœ… | βœ… | -| [`go-build`][go-build] | βœ… | βœ… | βœ… | βœ… | -| [`go-lint`][go-lint] | βœ… | - | βœ… | βœ… | -| [`language-version-detect`][language-version-detect] | - | βœ… | βœ… | βœ… | -| [`npm-publish`][npm-publish] | βœ… | βœ… | βœ… | βœ… | -| [`php-tests`][php-tests] | βœ… | βœ… | βœ… | βœ… | -| [`pr-lint`][pr-lint] | βœ… | βœ… | βœ… | βœ… | -| [`pre-commit`][pre-commit] | - | βœ… | βœ… | βœ… | -| [`prettier-lint`][prettier-lint] | βœ… | βœ… | βœ… | βœ… | -| [`python-lint-fix`][python-lint-fix] | βœ… | βœ… | βœ… | βœ… | -| [`release-monthly`][release-monthly] | - | - | βœ… | βœ… | -| [`security-scan`][security-scan] | βœ… | - | βœ… | βœ… | -| [`stale`][stale] | - | - | βœ… | βœ… | -| [`sync-labels`][sync-labels] | - | - | βœ… | βœ… | -| [`terraform-lint-fix`][terraform-lint-fix] | - | - | βœ… | βœ… | -| [`validate-inputs`][validate-inputs] | - | - | βœ… | βœ… | +| :--------------------------------------------------- | :-----: | :------------: | :--------: | :-----: | +| [`action-versioning`][action-versioning] | - | - | βœ… | βœ… | +| 
[`ansible-lint-fix`][ansible-lint-fix] | βœ… | - | βœ… | βœ… | +| [`biome-lint`][biome-lint] | βœ… | βœ… | βœ… | βœ… | +| [`codeql-analysis`][codeql-analysis] | - | βœ… | βœ… | βœ… | +| [`compress-images`][compress-images] | - | - | βœ… | βœ… | +| [`csharp-build`][csharp-build] | βœ… | βœ… | βœ… | βœ… | +| [`csharp-lint-check`][csharp-lint-check] | βœ… | βœ… | βœ… | βœ… | +| [`csharp-publish`][csharp-publish] | βœ… | βœ… | βœ… | βœ… | +| [`docker-build`][docker-build] | βœ… | βœ… | βœ… | βœ… | +| [`docker-publish`][docker-publish] | - | - | βœ… | βœ… | +| [`eslint-lint`][eslint-lint] | βœ… | βœ… | βœ… | βœ… | +| [`go-build`][go-build] | βœ… | βœ… | βœ… | βœ… | +| [`go-lint`][go-lint] | βœ… | - | βœ… | βœ… | +| [`language-version-detect`][language-version-detect] | - | βœ… | βœ… | βœ… | +| [`npm-publish`][npm-publish] | βœ… | βœ… | βœ… | βœ… | +| [`php-tests`][php-tests] | βœ… | βœ… | βœ… | βœ… | +| [`pr-lint`][pr-lint] | βœ… | βœ… | βœ… | βœ… | +| [`pre-commit`][pre-commit] | - | βœ… | βœ… | βœ… | +| [`prettier-lint`][prettier-lint] | βœ… | βœ… | βœ… | βœ… | +| [`python-lint-fix`][python-lint-fix] | βœ… | βœ… | βœ… | βœ… | +| [`release-monthly`][release-monthly] | - | - | βœ… | βœ… | +| [`security-scan`][security-scan] | βœ… | - | βœ… | βœ… | +| [`stale`][stale] | - | - | βœ… | βœ… | +| [`sync-labels`][sync-labels] | - | - | βœ… | βœ… | +| [`terraform-lint-fix`][terraform-lint-fix] | - | - | βœ… | βœ… | +| [`validate-inputs`][validate-inputs] | - | - | βœ… | βœ… | ### Language Support | Language | Actions | -|:---------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| :------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------- | | .NET | [`csharp-build`][csharp-build], [`csharp-lint-check`][csharp-lint-check], 
[`csharp-publish`][csharp-publish], [`language-version-detect`][language-version-detect] | | Ansible | [`ansible-lint-fix`][ansible-lint-fix] | | C# | [`codeql-analysis`][codeql-analysis], [`csharp-build`][csharp-build], [`csharp-lint-check`][csharp-lint-check], [`csharp-publish`][csharp-publish] | diff --git a/_tools/docker-testing-tools/Dockerfile b/_tools/docker-testing-tools/Dockerfile index 0a60845..40729e2 100644 --- a/_tools/docker-testing-tools/Dockerfile +++ b/_tools/docker-testing-tools/Dockerfile @@ -10,7 +10,7 @@ ARG ACT_VERSION=0.2.71 ARG SHELLSPEC_VERSION=0.28.1 # Stage 1: Build kcov separately to keep final image slim -FROM ubuntu:24.04 AS kcov-builder +FROM ubuntu:24.04@sha256:d1e2e92c075e5ca139d51a140fff46f84315c0fdce203eab2807c7e495eff4f9 AS kcov-builder ARG KCOV_VERSION @@ -43,7 +43,7 @@ RUN cmake .. \ && make install DESTDIR=/kcov-install # Stage 2: Base system setup -FROM ubuntu:24.04 AS base +FROM ubuntu:24.04@sha256:d1e2e92c075e5ca139d51a140fff46f84315c0fdce203eab2807c7e495eff4f9 AS base LABEL maintainer="ivuorinen" LABEL description="GitHub Actions testing framework with pre-installed tools"
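Review bot: The same digest is now repeated in two `FROM` lines, so a future bump by Renovate or by hand must touch both or the `kcov-builder` and `base` stages silently diverge; hoisting it into one build argument before the first stage keeps a single pin: `ARG BASE_IMAGE=ubuntu:24.04@sha256:d1e2e92c075e5ca139d51a140fff46f84315c0fdce203eab2807c7e495eff4f9`, then `FROM ${BASE_IMAGE} AS kcov-builder` and `FROM ${BASE_IMAGE} AS base`. Renovate's Dockerfile manager resolves `ARG` variables used in `FROM` as far as I know, but verify it still emits digest updates after the change. Once a digest is present the `24.04` tag is informational only — the digest is what gets pulled — so a comment such as `# tag is documentation; the digest is what is pulled` on that line spares the next reader a surprise when the tag and digest drift apart.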