900dd96797
feat: add action-validator and clean up CI workflows ( #513 )
...
* chore(pre-commit): update hooks and add action-validator
Update uv-pre-commit 0.10.9→0.10.11 and checkov 3.2.508→3.2.510.
Normalize single quotes to double quotes in hook args.
Add action-validator v0.8.0 hook for GitHub Actions validation.
* fix(ci): clean up workflow path filters
Remove non-existent action.yaml paths from action-security workflow.
Fix glob patterns (**.md → **/*.md) in pr-lint workflow.
Remove unused trigger paths (yarn.lock, pnpm-lock.yaml,
requirements.txt, .github/labels.yml, docs/**) from security-suite
and sync-labels workflows.
* feat(make): add lint-actions target for action-validator
Add lint-actions target that runs action-validator via pre-commit.
Include it in the lint dependency list and .PHONY declaration.
* docs: add context-mode routing rules to CLAUDE.md
Add mandatory routing rules section for context-mode MCP plugin,
documenting blocked commands, redirected tools, tool selection
hierarchy, and output constraints.
* fix(lint): resolve action-validator failure on language-version-detect
- Remove unsupported `deprecated: true` from language-version-detect/action.yml
(deprecation already communicated via description field)
- Scope action-validator pre-commit hook to workflow and action.yml files only
- Make missing pre-commit a hard error in lint-actions target
* fix(deps): update action pins and fix trivy-action version comment
Update SHA-pinned action references to latest versions:
- github/codeql-action v4.32.6 → v4.33.0
- nick-fields/retry v3.0.2 → v4.0.0
- actions/cache v5.0.3 → v5.0.4
- oven-sh/setup-bun v2.1.3 → v2.2.0
- softprops/action-gh-release v2.5.0 → v2.6.1
- github/issue-metrics v4.1.0 → v4.1.1
- shivammathur/setup-php 2.36.0 → 2.37.0
- astral-sh/setup-uv v7.5.0 → v7.6.0
- terraform-linters/setup-tflint v6.2.1 → v6.2.2
- aquasecurity/trivy-action: pin from master to v0.35.0
Fix pinact warning in docker-build by adding missing v prefix
to trivy-action version comment (0.35.0 → v0.35.0).
2026-03-20 13:01:24 +02:00
renovate[bot]
ce81e51641
chore(deps): update raven-actions/actionlint action (v2.1.1 → v2.1.2) ( #488 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-06 11:14:39 +02:00
renovate[bot]
08393e8063
chore(deps): update github/codeql-action action (v4.32.4 → v4.32.6) ( #484 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-06 02:49:32 +02:00
bd59245cd7
fix(deps): replace step-security/retry and update action pins ( #468 )
...
* fix(deps): replace step-security/retry with nick-fields/retry
* chore(deps): update github action sha pins via pinact
* refactor: remove common-retry references from tests and validators
* chore: simplify description fallback and update action count
* docs: remove hardcoded test counts from memory and docs
Replace exact "769 tests" references with qualitative language
so these files don't go stale as test count grows.
2026-03-02 02:31:26 +02:00
renovate[bot]
2e4525cb96
chore(deps): update github/codeql-action action (v4.32.3 → v4.32.4) ( #459 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-23 21:29:42 +02:00
renovate[bot]
291bb2fdc4
chore(deps): update github/codeql-action action (v4.32.2 → v4.32.3) ( #449 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-16 09:31:18 +02:00
renovate[bot]
a9605c642f
chore(deps): update github/codeql-action action (v4.31.9 → v4.32.2) ( #442 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-10 13:32:33 +02:00
renovate[bot]
77429988fd
chore(deps): update raven-actions/actionlint action (v2.1.0 → v2.1.1) ( #432 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-02-02 07:53:24 +02:00
renovate[bot]
61ebe619a8
chore(deps): update github/codeql-action action (v4.31.8 → v4.31.9) ( #406 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-12-22 07:38:46 +02:00
renovate[bot]
5e7b2fbc11
chore(deps)!: update actions/upload-artifact (v5.0.0 → v6.0.0) ( #397 )
2025-12-17 23:35:53 +02:00
renovate[bot]
23ac5dbca3
chore(deps): update github/codeql-action action (v4.31.7 → v4.31.8) ( #399 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-12-16 13:05:57 +02:00
renovate[bot]
a8031d3922
chore(deps): update raven-actions/actionlint action (v2.0.1 → v2.1.0) ( #400 )
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-12-16 13:05:24 +02:00
44a11e9773
chore: update actions, cleanup pr-lint and pre-commit ( #389 )
...
* chore: update actions, cleanup pr-lint
* chore: cleanup pre-commit config, formatting
* chore: revert sigstore/cosign-installer downgrade
* chore: formatting
2025-12-07 02:24:33 +02:00
9aa16a8164
feat: use our own actions in our workflows ( #377 )
...
* feat: use our own actions in our workflows
* fix: add missing inputs to validate-inputs, refactor node
* chore: cr comment fixes
* fix: update-validators formatting
* chore: update validators, add tests, conventions
* feat: validate severity with severity_enum
* feat: add 10 generic validators to improve input validation coverage
Add comprehensive validation system improvements across multiple phases:
Phase 2A - Quick Wins:
- Add multi_value_enum validator for 2-10 value enumerations
- Add exit_code_list validator for Unix/Linux exit codes (0-255)
- Refactor coverage_driver to use multi_value_enum
Phase 2B - High-Value Validators:
- Add key_value_list validator with shell injection prevention
- Add path_list validator with path traversal and glob support
Quick Wins - Additional Enums:
- Add network_mode validator for Docker network modes
- Add language_enum validator for language detection
- Add framework_mode validator for PHP framework modes
- Update boolean pattern to include 'push'
Phase 2C - Specialized Validators:
- Add json_format validator for JSON syntax validation
- Add cache_config validator for Docker BuildKit cache configs
Improvements:
- All validators include comprehensive security checks
- Pattern-based validation with clear error messages
- 23 new test methods with edge case coverage
- Update special case mappings for 20+ inputs
- Fix build-args mapping test expectation
Coverage impact: 22 actions now at 100% validation (88% → 92%)
Test suite: 762 → 785 tests (+23 tests, all passing)
* chore: regenerate rules.yml with improved validator coverage
Regenerate validation rules for all actions with new validators:
- compress-images: 86% → 100% (+1 input: ignore-paths)
- docker-build: 63% → 100% (+4 inputs: cache configs, platform-build-args)
- docker-publish: 73% → 100% (+1 input: build-args)
- language-version-detect: 67% → 100% (+1 input: language)
- php-tests: 89% (fixed framework→framework_mode mapping)
- prettier-lint: 86% → 100% (+2 inputs: file-pattern, plugins)
- security-scan: 86% (maintained coverage)
Overall: 23 of 25 actions now at 100% validation coverage (92%)
* fix: address PR #377 review comments
- Add | None type annotations to 6 optional parameters (PEP 604)
- Standardize injection pattern: remove @# from comma_separated_list validator
(@ and # are not shell injection vectors, allows npm scoped packages)
- Remove dead code: unused value expression in key_value_list validator
- Update tests to reflect injection pattern changes
2025-11-25 23:51:03 +02:00
