fix: test-actions security scan (#307)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/workflows/test-actions.yml

@@ -235,8 +235,8 @@ jobs:
         uses: trufflesecurity/trufflehog@0f58ae7c5036094a1e3e750d18772af92821b503
         with:
           path: ./
-          base: ${{ github.event.repository.default_branch }}
-          head: HEAD
+          base: ${{ github.event_name == 'pull_request' && github.event.repository.default_branch || '' }}
+          head: ${{ github.event_name == 'pull_request' && 'HEAD' || '' }}
           extra_args: --debug --only-verified
 
       - name: Scan shell scripts

.pre-commit-config.yaml

@@ -14,7 +14,7 @@ repos:
         types: [markdown, python, yaml]
         files: ^(docs/.*|README\.md|CONTRIBUTING\.md|CHANGELOG\.md|.*\.py|.*\.ya?ml)$
   - repo: https://github.com/astral-sh/uv-pre-commit
-    rev: 0.9.2
+    rev: 0.9.5
     hooks:
       - id: uv-lock
       - id: uv-sync
@@ -89,7 +89,7 @@ repos:
       - id: renovate-config-validator
 
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: '3.2.483'
+    rev: '3.2.487'
     hooks:
       - id: checkov
         args:

npm-publish/README.md

@@ -10,10 +10,10 @@ Publishes the package to the NPM registry with configurable scope and registry U
 
 | name              | description                            | required | default                                |
 |-------------------|----------------------------------------|----------|----------------------------------------|
+| `npm_token`       | <p>NPM token.</p>                      | `true`   | `""`                                   |
 | `registry-url`    | <p>Registry URL for publishing.</p>    | `false`  | `https://registry.npmjs.org/`          |
 | `scope`           | <p>Package scope to use.</p>           | `false`  | `@ivuorinen`                           |
 | `package-version` | <p>The version to publish.</p>         | `false`  | `${{ github.event.release.tag_name }}` |
-| `npm_token`       | <p>NPM token.</p>                      | `true`   | `""`                                   |
 | `token`           | <p>GitHub token for authentication</p> | `false`  | `""`                                   |
 
 ### Outputs
@@ -33,6 +33,12 @@ This action is a `composite` action.
 ```yaml
 - uses: ivuorinen/actions/npm-publish@main
   with:
+    npm_token:
+    # NPM token.
+    #
+    # Required: true
+    # Default: ""
+
     registry-url:
     # Registry URL for publishing.
     #
@@ -51,12 +57,6 @@ This action is a `composite` action.
     # Required: false
     # Default: ${{ github.event.release.tag_name }}
 
-    npm_token:
-    # NPM token.
-    #
-    # Required: true
-    # Default: ""
-
     token:
     # GitHub token for authentication
     #

validate-inputs/README.md

@@ -10,7 +10,7 @@ Centralized Python-based input validation for GitHub Actions with PCRE regex sup
 
 | name                | description                                                                        | required | default |
 |---------------------|------------------------------------------------------------------------------------|----------|---------|
-| `action`            | <p>Action name to validate (alias for action-type)</p>                             | `true`   | `""`    |
+| `action`            | <p>Action name to validate (alias for action-type)</p>                             | `false`  | `""`    |
 | `action-type`       | <p>Type of action to validate (e.g., csharp-publish, docker-build, eslint-fix)</p> | `false`  | `""`    |
 | `rules-file`        | <p>Path to validation rules file</p>                                               | `false`  | `""`    |
 | `fail-on-error`     | <p>Whether to fail on validation errors</p>                                        | `false`  | `true`  |
@@ -81,7 +81,7 @@ This action is a `composite` action.
     action:
     # Action name to validate (alias for action-type)
     #
-    # Required: true
+    # Required: false
     # Default: ""
 
     action-type:

validate-inputs/action.yml

@@ -13,7 +13,7 @@ branding:
 inputs:
   action:
     description: 'Action name to validate (alias for action-type)'
-    required: true
+    required: false
   action-type:
     description: 'Type of action to validate (e.g., csharp-publish, docker-build, eslint-fix)'
     required: false

validate-inputs/validator.py

@@ -32,7 +32,7 @@ def collect_inputs() -> dict[str, str]:
     """
     inputs = {}
     for key, value in os.environ.items():
-        if key.startswith("INPUT_") and key != "INPUT_ACTION_TYPE":
+        if key.startswith("INPUT_") and key not in ("INPUT_ACTION_TYPE", "INPUT_ACTION"):
             input_name = key[6:].lower()
             inputs[input_name] = value
 
@@ -73,8 +73,11 @@ def write_output(status: str, action_type: str, **kwargs) -> None:
 
 def main() -> None:
     """Main validation entry point."""
-    # Get the action type from environment
-    action_type = os.environ.get("INPUT_ACTION_TYPE", "").strip()
+    # Get the action type from environment (check both INPUT_ACTION_TYPE and INPUT_ACTION)
+    action_type = (
+        os.environ.get("INPUT_ACTION_TYPE", "").strip()
+        or os.environ.get("INPUT_ACTION", "").strip()
+    )
     if not action_type:
         logger.error("::error::No action type provided")
         sys.exit(1)