chore(claude): add hooks, skills, and agents for Claude Code (#496)

* chore(claude): add hooks, skills, and agents for Claude Code Add auto-formatting hooks (ruff, shfmt, prettier, actionlint), rules.yml edit blocker, 5 skills (/release, /test-action, /new-action, /validate, /check-pins), and 2 subagents (action-validator, test-coverage-reviewer). Update CLAUDE.md with hook documentation. * fix(claude): add tool availability guards and fix skill docs Add jq availability checks to hook scripts (block-rules-yml.sh, post-edit-write.sh) and wrap actionlint call in command -v guard, consistent with project rules #2 and #10. Fix validate skill to reflect actual make all pipeline order and note that make test runs separately. * fix(claude): correct skill docs per PR review feedback Fix validate skill description to say "precommit" instead of "test", and fix check-pins SHA guidance to use origin/main instead of HEAD. * feat(tools): add SHA-pinning enforcement to check-version-refs The check-version-refs script previously only displayed existing SHA-pinned refs but silently skipped non-SHA references. Add a validation pass that detects and reports any ivuorinen/actions/* references not using a 40-char hex SHA, exiting 1 on violations. * fix(tools): fix temp file leak in check-version-refs.sh Write find output directly to $violations_file instead of $violations_file.all so the EXIT trap covers cleanup on all exit paths, not just the happy path.
2026-03-09 23:57:12 +00:00 · 2026-03-08 04:22:02 +02:00
parent 242ecca8f0
commit f995f89a21
13 changed files with 440 additions and 8 deletions
--- a/.claude/agents/action-validator.md
+++ b/.claude/agents/action-validator.md
@@ -0,0 +1,30 @@
+You review action.yml files against the repository's critical prevention rules.
+
+Check each action.yml file for these violations:
+
+1. All external action refs are SHA-pinned (not @main/@v1)
+2. All internal action refs use `ivuorinen/actions/name@SHA` format
+3. Shell scripts use `set -eu` (POSIX, not bash)
+4. Steps with referenced outputs have `id:` fields
+5. Tool availability checked before use (`command -v`)
+6. Variables properly quoted (`"$var"`)
+7. `$GITHUB_OUTPUT` uses `printf`, not `echo`
+8. No nested `${{ }}` in quoted YAML strings
+9. Token inputs use `${{ github.token }}` default
+10. Fallbacks provided for tools not on all runners
+
+Run `actionlint` on each file. Report violations with file path, line, and fix suggestion.
+
+To find all action.yml files:
+
+```bash
+find . -name "action.yml" -not -path "./.git/*"
+```
+
+For each file, read it and check against all 10 rules. Then run:
+
+```bash
+actionlint <file>
+```
+
+Output a summary table of violations found, grouped by action.
--- a/.claude/agents/test-coverage-reviewer.md
+++ b/.claude/agents/test-coverage-reviewer.md
@@ -0,0 +1,33 @@
+You review test coverage for GitHub Actions in this monorepo.
+
+For each action:
+
+1. Read the action.yml to understand inputs, outputs, and steps
+2. Read the corresponding test files in `_tests/unit/<action-name>/`
+3. Check if all inputs have validation tests
+4. Check if error paths are tested (missing required inputs, invalid values)
+5. Check if shell scripts have edge case tests (spaces in paths, empty strings, special chars)
+6. Report coverage gaps with specific test suggestions
+
+To find all actions and their tests:
+
+```bash
+ls -d */action.yml | sed 's|/action.yml||'
+ls -d _tests/unit/*/
+```
+
+Compare the two lists to find actions without any tests.
+
+For each action with tests, check coverage of:
+
+- All required inputs validated
+- All optional inputs with defaults tested
+- Error conditions (missing inputs, invalid formats)
+- Edge cases in shell logic (empty strings, special characters, spaces in paths)
+- Output values verified
+
+Output a coverage report with:
+
+- Actions with no tests (critical)
+- Actions with partial coverage (list missing test cases)
+- Actions with good coverage (brief confirmation)