mirror of
https://github.com/ivuorinen/actions.git
synced 2026-03-09 16:57:06 +00:00
Compare commits
9 Commits
v2026.03.0
...
renovate/b
| Author | SHA1 | Date | |
|---|---|---|---|
|
84d5c5f496 | ||
| 4360ea39c7 | |||
|
|
cfff9253d8 | ||
|
|
77394763a6 | ||
|
|
ca8482e2c3 | ||
| a0cc32995f | |||
| 34372bcd36 | |||
| f995f89a21 | |||
|
|
242ecca8f0 |
30
.claude/agents/action-validator.md
Normal file
30
.claude/agents/action-validator.md
Normal file
@@ -0,0 +1,30 @@
|
||||
You review action.yml files against the repository's critical prevention rules.
|
||||
|
||||
Check each action.yml file for these violations:
|
||||
|
||||
1. All external action refs are SHA-pinned (not @main/@v1)
|
||||
2. All internal action refs use `ivuorinen/actions/name@SHA` format
|
||||
3. Shell scripts use `set -eu` (POSIX, not bash)
|
||||
4. Steps with referenced outputs have `id:` fields
|
||||
5. Tool availability checked before use (`command -v`)
|
||||
6. Variables properly quoted (`"$var"`)
|
||||
7. `$GITHUB_OUTPUT` uses `printf`, not `echo`
|
||||
8. No nested `${{ }}` in quoted YAML strings
|
||||
9. Token inputs use `${{ github.token }}` default
|
||||
10. Fallbacks provided for tools not on all runners
|
||||
|
||||
Run `actionlint` on each file. Report violations with file path, line, and fix suggestion.
|
||||
|
||||
To find all action.yml files:
|
||||
|
||||
```bash
|
||||
find . -name "action.yml" -not -path "./.git/*"
|
||||
```
|
||||
|
||||
For each file, read it and check against all 10 rules. Then run:
|
||||
|
||||
```bash
|
||||
actionlint <file>
|
||||
```
|
||||
|
||||
Output a summary table of violations found, grouped by action.
|
||||
33
.claude/agents/test-coverage-reviewer.md
Normal file
33
.claude/agents/test-coverage-reviewer.md
Normal file
@@ -0,0 +1,33 @@
|
||||
You review test coverage for GitHub Actions in this monorepo.
|
||||
|
||||
For each action:
|
||||
|
||||
1. Read the action.yml to understand inputs, outputs, and steps
|
||||
2. Read the corresponding test files in `_tests/unit/<action-name>/`
|
||||
3. Check if all inputs have validation tests
|
||||
4. Check if error paths are tested (missing required inputs, invalid values)
|
||||
5. Check if shell scripts have edge case tests (spaces in paths, empty strings, special chars)
|
||||
6. Report coverage gaps with specific test suggestions
|
||||
|
||||
To find all actions and their tests:
|
||||
|
||||
```bash
|
||||
ls -d */action.yml | sed 's|/action.yml||'
|
||||
ls -d _tests/unit/*/
|
||||
```
|
||||
|
||||
Compare the two lists to find actions without any tests.
|
||||
|
||||
For each action with tests, check coverage of:
|
||||
|
||||
- All required inputs validated
|
||||
- All optional inputs with defaults tested
|
||||
- Error conditions (missing inputs, invalid formats)
|
||||
- Edge cases in shell logic (empty strings, special characters, spaces in paths)
|
||||
- Output values verified
|
||||
|
||||
Output a coverage report with:
|
||||
|
||||
- Actions with no tests (critical)
|
||||
- Actions with partial coverage (list missing test cases)
|
||||
- Actions with good coverage (brief confirmation)
|
||||
21
.claude/hooks/block-rules-yml.sh
Executable file
21
.claude/hooks/block-rules-yml.sh
Executable file
@@ -0,0 +1,21 @@
|
||||
#!/bin/sh
|
||||
set -eu
|
||||
|
||||
# Read JSON input from stdin to get the file path
|
||||
if ! command -v jq >/dev/null 2>&1; then
|
||||
echo "Error: jq is required but not found" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
INPUT=$(cat)
|
||||
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.filePath // empty')
|
||||
|
||||
if [ -z "$FILE_PATH" ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
case "$FILE_PATH" in
|
||||
*/rules.yml)
|
||||
echo '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny","permissionDecisionReason":"rules.yml files are auto-generated. Run make update-validators instead."}}'
|
||||
;;
|
||||
esac
|
||||
46
.claude/hooks/post-edit-write.sh
Executable file
46
.claude/hooks/post-edit-write.sh
Executable file
@@ -0,0 +1,46 @@
|
||||
#!/bin/sh
|
||||
set -eu
|
||||
|
||||
# Read JSON input from stdin to get the file path
|
||||
if ! command -v jq >/dev/null 2>&1; then
|
||||
echo "Error: jq is required but not found" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
INPUT=$(cat)
|
||||
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.filePath // empty')
|
||||
|
||||
if [ -z "$FILE_PATH" ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
case "$FILE_PATH" in
|
||||
*/rules.yml)
|
||||
# rules.yml should not be reached here (blocked by PreToolUse),
|
||||
# but skip formatting just in case
|
||||
exit 0
|
||||
;;
|
||||
*.py)
|
||||
ruff format --quiet "$FILE_PATH" 2>/dev/null || true
|
||||
ruff check --fix --quiet "$FILE_PATH" 2>/dev/null || true
|
||||
;;
|
||||
*.sh)
|
||||
shfmt -w "$FILE_PATH" 2>/dev/null || true
|
||||
shellcheck "$FILE_PATH" 2>&1 || true
|
||||
;;
|
||||
*.yml | *.yaml | *.json)
|
||||
npx prettier --write "$FILE_PATH" 2>/dev/null || true
|
||||
;;
|
||||
*.md)
|
||||
npx prettier --write "$FILE_PATH" 2>/dev/null || true
|
||||
;;
|
||||
esac
|
||||
|
||||
# Run actionlint on action.yml files
|
||||
case "$FILE_PATH" in
|
||||
*/action.yml)
|
||||
if command -v actionlint >/dev/null 2>&1; then
|
||||
actionlint "$FILE_PATH" 2>&1 || true
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
26
.claude/settings.json
Normal file
26
.claude/settings.json
Normal file
@@ -0,0 +1,26 @@
|
||||
{
|
||||
"hooks": {
|
||||
"PreToolUse": [
|
||||
{
|
||||
"matcher": "Edit|Write",
|
||||
"hooks": [
|
||||
{
|
||||
"type": "command",
|
||||
"command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/block-rules-yml.sh"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"PostToolUse": [
|
||||
{
|
||||
"matcher": "Edit|Write",
|
||||
"hooks": [
|
||||
{
|
||||
"type": "command",
|
||||
"command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/post-edit-write.sh"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
40
.claude/skills/check-pins/SKILL.md
Normal file
40
.claude/skills/check-pins/SKILL.md
Normal file
@@ -0,0 +1,40 @@
|
||||
---
|
||||
name: check-pins
|
||||
description: Verify all action references are properly SHA-pinned
|
||||
disable-model-invocation: true
|
||||
---
|
||||
|
||||
# Check SHA-Pinned Action References
|
||||
|
||||
## 1. Check version references
|
||||
|
||||
```bash
|
||||
make check-version-refs
|
||||
```
|
||||
|
||||
This verifies that all `ivuorinen/actions/*` references in `action.yml` files use SHA-pinned commits.
|
||||
|
||||
## 2. Check local references
|
||||
|
||||
```bash
|
||||
make check-local-refs
|
||||
```
|
||||
|
||||
This verifies that test workflows use `./action-name` format (local references are allowed in tests).
|
||||
|
||||
## 3. Interpret results
|
||||
|
||||
**Violations to fix:**
|
||||
|
||||
- `@main` or `@v*` references in `action.yml` files must be replaced with full SHA commits
|
||||
- `./action-name` in `action.yml` (non-test) files must use `ivuorinen/actions/action-name@<SHA>`
|
||||
- External actions must be pinned to SHA commits, not version tags
|
||||
|
||||
**How to get the SHA for pinning:**
|
||||
|
||||
```bash
|
||||
# After pushing, get the SHA of the latest commit on the remote
|
||||
git rev-parse origin/main
|
||||
```
|
||||
|
||||
Use a SHA that exists on the remote. Local-only commits won't resolve when the action is used externally.
|
||||
60
.claude/skills/new-action/SKILL.md
Normal file
60
.claude/skills/new-action/SKILL.md
Normal file
@@ -0,0 +1,60 @@
|
||||
---
|
||||
name: new-action
|
||||
description: Scaffold a new GitHub Action with all required files
|
||||
disable-model-invocation: true
|
||||
---
|
||||
|
||||
# Scaffold a New GitHub Action
|
||||
|
||||
## 1. Gather information
|
||||
|
||||
Ask the user for:
|
||||
|
||||
- **Action name** (kebab-case, e.g. `my-new-action`)
|
||||
- **Description** (one line)
|
||||
- **Category** (setup, linting, testing, build, publishing, repository, utility)
|
||||
- **Inputs** (name, description, required, default for each)
|
||||
- **What it does** (shell commands, composite steps, etc.)
|
||||
|
||||
## 2. Create directory and action.yml
|
||||
|
||||
Create `<action-name>/action.yml` following the existing action patterns:
|
||||
|
||||
- Use `composite` runs type
|
||||
- Include `set -eu` in shell scripts (POSIX sh, not bash)
|
||||
- Use `${{ github.token }}` for token defaults
|
||||
- Pin all external action references to SHA commits
|
||||
- Pin internal action references using `ivuorinen/actions/action-name@<SHA>`
|
||||
- Add `id:` to steps whose outputs are referenced
|
||||
|
||||
## 3. Generate validation rules
|
||||
|
||||
```bash
|
||||
make update-validators
|
||||
```
|
||||
|
||||
This generates `<action-name>/rules.yml` from the action's inputs.
|
||||
|
||||
## 4. Generate test scaffolding
|
||||
|
||||
```bash
|
||||
make generate-tests
|
||||
```
|
||||
|
||||
## 5. Generate README
|
||||
|
||||
```bash
|
||||
make docs
|
||||
```
|
||||
|
||||
## 6. Run validation
|
||||
|
||||
```bash
|
||||
make all
|
||||
```
|
||||
|
||||
Fix any issues before considering the action complete.
|
||||
|
||||
## 7. Update repository overview
|
||||
|
||||
Remind the user to update the Serena memory `repository_overview` if they use Serena.
|
||||
57
.claude/skills/release/SKILL.md
Normal file
57
.claude/skills/release/SKILL.md
Normal file
@@ -0,0 +1,57 @@
|
||||
---
|
||||
name: release
|
||||
description: Create a new CalVer release with validation checks
|
||||
disable-model-invocation: true
|
||||
---
|
||||
|
||||
# Release Workflow
|
||||
|
||||
Follow these steps to create a new CalVer release:
|
||||
|
||||
## 1. Pre-flight checks
|
||||
|
||||
Run the full validation pipeline:
|
||||
|
||||
```bash
|
||||
make all
|
||||
```
|
||||
|
||||
If any step fails, fix the issues before proceeding.
|
||||
|
||||
## 2. Check version references
|
||||
|
||||
Verify all action references are properly pinned:
|
||||
|
||||
```bash
|
||||
make check-version-refs
|
||||
make check-local-refs
|
||||
```
|
||||
|
||||
## 3. Prepare the release
|
||||
|
||||
Run release preparation (updates version references):
|
||||
|
||||
```bash
|
||||
make release-prep
|
||||
```
|
||||
|
||||
Review the changes with `git diff`.
|
||||
|
||||
## 4. Confirm with user
|
||||
|
||||
Ask the user to confirm:
|
||||
|
||||
- The version number (defaults to `vYYYY.MM.DD` based on today's date)
|
||||
- That all changes look correct
|
||||
|
||||
## 5. Create the release
|
||||
|
||||
```bash
|
||||
make release VERSION=vYYYY.MM.DD
|
||||
```
|
||||
|
||||
Replace `vYYYY.MM.DD` with the confirmed version.
|
||||
|
||||
## 6. Verify
|
||||
|
||||
Show the user the created tag and any output from the release process.
|
||||
34
.claude/skills/test-action/SKILL.md
Normal file
34
.claude/skills/test-action/SKILL.md
Normal file
@@ -0,0 +1,34 @@
|
||||
---
|
||||
name: test-action
|
||||
description: Run tests for a specific GitHub Action by name
|
||||
disable-model-invocation: true
|
||||
---
|
||||
|
||||
# Test a Specific Action
|
||||
|
||||
## 1. Identify the action
|
||||
|
||||
Ask the user which action to test if not already specified.
|
||||
List available actions if needed:
|
||||
|
||||
```bash
|
||||
ls -d */action.yml | sed 's|/action.yml||'
|
||||
```
|
||||
|
||||
## 2. Run tests
|
||||
|
||||
```bash
|
||||
make test-action ACTION=<action-name>
|
||||
```
|
||||
|
||||
## 3. Display results
|
||||
|
||||
Show the test output. If tests fail, read the relevant test files in `_tests/unit/<action-name>/` and the action's `action.yml` to help diagnose the issue.
|
||||
|
||||
## 4. Coverage (optional)
|
||||
|
||||
If the user wants coverage information:
|
||||
|
||||
```bash
|
||||
make test-coverage
|
||||
```
|
||||
51
.claude/skills/validate/SKILL.md
Normal file
51
.claude/skills/validate/SKILL.md
Normal file
@@ -0,0 +1,51 @@
|
||||
---
|
||||
name: validate
|
||||
description: Run full validation pipeline (docs, format, lint, precommit)
|
||||
disable-model-invocation: true
|
||||
---
|
||||
|
||||
# Full Validation Pipeline
|
||||
|
||||
Run the complete validation pipeline:
|
||||
|
||||
```bash
|
||||
make all
|
||||
```
|
||||
|
||||
This runs in order: `install-tools` -> `update-validators` -> `docs` -> `update-catalog` -> `format` -> `lint` -> `precommit`
|
||||
|
||||
**Note:** `make test` must be run separately.
|
||||
|
||||
## If validation fails
|
||||
|
||||
### Formatting issues
|
||||
|
||||
```bash
|
||||
make format
|
||||
```
|
||||
|
||||
Then re-run `make all`.
|
||||
|
||||
### Linting issues
|
||||
|
||||
- **actionlint**: Check action.yml syntax, step IDs, expression usage
|
||||
- **shellcheck**: POSIX compliance, quoting, variable usage
|
||||
- **ruff**: Python style and errors
|
||||
- **markdownlint**: Markdown formatting
|
||||
- **prettier**: YAML/JSON/MD formatting
|
||||
|
||||
### Test failures
|
||||
|
||||
```bash
|
||||
make test
|
||||
```
|
||||
|
||||
Read the failing test output and fix the underlying action or test.
|
||||
|
||||
### Documentation drift
|
||||
|
||||
```bash
|
||||
make docs
|
||||
```
|
||||
|
||||
Regenerates READMEs from action.yml files.
|
||||
@@ -1,18 +0,0 @@
|
||||
---
|
||||
# yaml-language-server: $schema=https://www.coderabbit.ai/integrations/schema.v2.json
|
||||
remote_config:
|
||||
url: 'https://raw.githubusercontent.com/ivuorinen/coderabbit/1985ff756ef62faf7baad0c884719339ffb652bd/coderabbit.yaml'
|
||||
path_instructions:
|
||||
- path: '.serena/**/*'
|
||||
instructions: >-
|
||||
- These are files for Serena LLM. Do not review them.
|
||||
- path: '**/*/README.md'
|
||||
instructions: >-
|
||||
- README.md files next to action.yml files are autogenerated
|
||||
and should not be reviewed.
|
||||
- README.md file in the root of the repository should be reviewed.
|
||||
- README.md files for actions use `@main` version for the action as an illustration.
|
||||
Do not review them.
|
||||
- path: '**/*.md'
|
||||
instructions: >-
|
||||
- The repository uses CalVer for versioning. Do not review version numbers in the documentation.
|
||||
2
.github/renovate.json
vendored
2
.github/renovate.json
vendored
@@ -4,6 +4,8 @@
|
||||
"github>ivuorinen/renovate-config",
|
||||
"customManagers:biomeVersions"
|
||||
],
|
||||
"pinDigests": true,
|
||||
"platformAutomerge": true,
|
||||
"packageRules": [
|
||||
{
|
||||
"matchUpdateTypes": [
|
||||
|
||||
18
.github/workflows/dependency-review.yml
vendored
18
.github/workflows/dependency-review.yml
vendored
@@ -1,18 +0,0 @@
|
||||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
|
||||
name: 'Dependency Review'
|
||||
on:
|
||||
- pull_request
|
||||
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
dependency-review:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
steps:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
|
||||
- name: 'Dependency Review'
|
||||
uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
|
||||
46
.github/workflows/release.yml
vendored
46
.github/workflows/release.yml
vendored
@@ -19,3 +19,49 @@ jobs:
|
||||
- uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
|
||||
with:
|
||||
generate_release_notes: true
|
||||
|
||||
provenance:
|
||||
needs: release
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
id-token: write
|
||||
contents: write
|
||||
attestations: write
|
||||
steps:
|
||||
- uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
|
||||
- name: Create source archive
|
||||
env:
|
||||
TAG: ${{ github.ref_name }}
|
||||
run: |
|
||||
set -eu
|
||||
git archive --format=tar.gz --prefix="${TAG}/" HEAD > "${TAG}-source.tar.gz"
|
||||
sha256sum "${TAG}-source.tar.gz" > "${TAG}-source.tar.gz.sha256"
|
||||
- uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
|
||||
with:
|
||||
subject-path: '${{ github.ref_name }}-source.tar.gz'
|
||||
- name: Upload release assets
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
TAG: ${{ github.ref_name }}
|
||||
run: |
|
||||
set -eu
|
||||
gh release upload "$TAG" "${TAG}-source.tar.gz" "${TAG}-source.tar.gz.sha256" --clobber
|
||||
|
||||
sbom:
|
||||
needs: release
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: write
|
||||
steps:
|
||||
- uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
|
||||
- uses: anchore/sbom-action@e11c554f704a0b820cbf8c51673f6945e0731532 # v0.20.0
|
||||
with:
|
||||
format: cyclonedx-json
|
||||
output-file: sbom.cdx.json
|
||||
- name: Upload SBOM to release
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
TAG: ${{ github.ref_name }}
|
||||
run: |
|
||||
set -eu
|
||||
gh release upload "$TAG" sbom.cdx.json --clobber
|
||||
|
||||
58
.github/workflows/scorecard.yml
vendored
Normal file
58
.github/workflows/scorecard.yml
vendored
Normal file
@@ -0,0 +1,58 @@
|
||||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
|
||||
name: Scorecard analysis workflow
|
||||
on:
|
||||
push:
|
||||
# Only the default branch is supported.
|
||||
branches:
|
||||
- main
|
||||
schedule:
|
||||
# Weekly on Saturdays.
|
||||
- cron: '30 1 * * 6'
|
||||
|
||||
permissions: read-all
|
||||
|
||||
jobs:
|
||||
analysis:
|
||||
name: Scorecard analysis
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
# Needed for Code scanning upload
|
||||
security-events: write
|
||||
# Needed for GitHub OIDC token if publish_results is true
|
||||
id-token: write
|
||||
|
||||
steps:
|
||||
- name: 'Checkout code'
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
with:
|
||||
persist-credentials: false
|
||||
|
||||
- name: 'Run analysis'
|
||||
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
|
||||
with:
|
||||
results_file: results.sarif
|
||||
results_format: sarif
|
||||
# Scorecard team runs a weekly scan of public GitHub repos,
|
||||
# see https://github.com/ossf/scorecard#public-data.
|
||||
# Setting `publish_results: true` helps us scale by leveraging your workflow to
|
||||
# extract the results instead of relying on our own infrastructure to run scans.
|
||||
# And it's free for you!
|
||||
publish_results: true
|
||||
|
||||
# Upload the results as artifacts (optional). Commenting out will disable
|
||||
# uploads of run results in SARIF format to the repository Actions tab.
|
||||
# https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
|
||||
- name: 'Upload artifact'
|
||||
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
|
||||
with:
|
||||
name: SARIF file
|
||||
path: results.sarif
|
||||
retention-days: 5
|
||||
|
||||
# Upload the results to GitHub's code scanning dashboard (optional).
|
||||
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
|
||||
- name: 'Upload to code-scanning'
|
||||
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
@@ -55,7 +55,7 @@ repos:
|
||||
- id: yamllint
|
||||
|
||||
- repo: https://github.com/astral-sh/ruff-pre-commit
|
||||
rev: v0.15.4
|
||||
rev: v0.15.5
|
||||
hooks:
|
||||
# Run the linter with auto-fix
|
||||
- id: ruff-check
|
||||
@@ -84,7 +84,7 @@ repos:
|
||||
args: ['-shellcheck=']
|
||||
|
||||
- repo: https://github.com/bridgecrewio/checkov.git
|
||||
rev: '3.2.507'
|
||||
rev: '3.2.508'
|
||||
hooks:
|
||||
- id: checkov
|
||||
args:
|
||||
|
||||
@@ -60,10 +60,75 @@ excluded_tools: []
|
||||
# initial prompt for the project. It will always be given to the LLM upon activating the project
|
||||
# (contrary to the memories, which are loaded on demand).
|
||||
initial_prompt: ''
|
||||
|
||||
# the name by which the project can be referenced within Serena
|
||||
project_name: 'actions'
|
||||
|
||||
# list of languages for which language servers are started; choose from:
|
||||
# al bash clojure cpp csharp
|
||||
# csharp_omnisharp dart elixir elm erlang
|
||||
# fortran fsharp go groovy haskell
|
||||
# java julia kotlin lua markdown
|
||||
# matlab nix pascal perl php
|
||||
# php_phpactor powershell python python_jedi r
|
||||
# rego ruby ruby_solargraph rust scala
|
||||
# swift terraform toml typescript typescript_vts
|
||||
# vue yaml zig
|
||||
# (This list may be outdated. For the current list, see values of Language enum here:
|
||||
# https://github.com/oraios/serena/blob/main/src/solidlsp/ls_config.py
|
||||
# For some languages, there are alternative language servers, e.g. csharp_omnisharp, ruby_solargraph.)
|
||||
# Note:
|
||||
# - For C, use cpp
|
||||
# - For JavaScript, use typescript
|
||||
# - For Free Pascal/Lazarus, use pascal
|
||||
# Special requirements:
|
||||
# Some languages require additional setup/installations.
|
||||
# See here for details: https://oraios.github.io/serena/01-about/020_programming-languages.html#language-servers
|
||||
# When using multiple languages, the first language server that supports a given file will be used for that file.
|
||||
# The first language is the default language and the respective language server will be used as a fallback.
|
||||
# Note that when using the JetBrains backend, language servers are not used and this list is correspondingly ignored.
|
||||
languages:
|
||||
- bash
|
||||
- python
|
||||
|
||||
# list of tools to include that would otherwise be disabled (particularly optional tools that are disabled by default)
|
||||
included_optional_tools: []
|
||||
|
||||
# the encoding used by text files in the project
|
||||
# For a list of possible encodings, see https://docs.python.org/3.11/library/codecs.html#standard-encodings
|
||||
encoding: utf-8
|
||||
|
||||
# fixed set of tools to use as the base tool set (if non-empty), replacing Serena's default set of tools.
|
||||
# This cannot be combined with non-empty excluded_tools or included_optional_tools.
|
||||
fixed_tools: []
|
||||
|
||||
# list of mode names to that are always to be included in the set of active modes
|
||||
# The full set of modes to be activated is base_modes + default_modes.
|
||||
# If the setting is undefined, the base_modes from the global configuration (serena_config.yml) apply.
|
||||
# Otherwise, this setting overrides the global configuration.
|
||||
# Set this to [] to disable base modes for this project.
|
||||
# Set this to a list of mode names to always include the respective modes for this project.
|
||||
base_modes:
|
||||
|
||||
# list of mode names that are to be activated by default.
|
||||
# The full set of modes to be activated is base_modes + default_modes.
|
||||
# If the setting is undefined, the default_modes from the global configuration (serena_config.yml) apply.
|
||||
# Otherwise, this overrides the setting from the global configuration (serena_config.yml).
|
||||
# This setting can, in turn, be overridden by CLI parameters (--mode).
|
||||
default_modes:
|
||||
|
||||
# time budget (seconds) per tool call for the retrieval of additional symbol information
|
||||
# such as docstrings or parameter information.
|
||||
# This overrides the corresponding setting in the global configuration; see the documentation there.
|
||||
# If null or missing, use the setting from the global configuration.
|
||||
symbol_info_budget:
|
||||
|
||||
# The language backend to use for this project.
|
||||
# If not set, the global setting from serena_config.yml is used.
|
||||
# Valid values: LSP, JetBrains
|
||||
# Note: the backend is fixed at startup. If a project with a different backend
|
||||
# is activated post-init, an error will be returned.
|
||||
language_backend:
|
||||
|
||||
# list of regex patterns which, when matched, mark a memory entry as read‑only.
|
||||
# Extends the list from the global configuration, merging the two lists.
|
||||
read_only_memory_patterns: []
|
||||
|
||||
10
CLAUDE.md
10
CLAUDE.md
@@ -25,12 +25,22 @@
|
||||
### Folders
|
||||
|
||||
- `.serena/` – Internal config (do not edit)
|
||||
- `.claude/hooks/` – Claude Code hook scripts (auto-format, lint, block rules.yml edits)
|
||||
- `.claude/skills/` – Claude Code skills (`/release`, `/test-action`, `/new-action`, `/validate`, `/check-pins`)
|
||||
- `.claude/agents/` – Claude Code subagents (action-validator, test-coverage-reviewer)
|
||||
- `.github/` – Workflows/templates
|
||||
- `_tests/` – ShellSpec tests
|
||||
- `_tools/` – Helper tools
|
||||
- `validate-inputs/` – Python validation system + tests
|
||||
- `*/rules.yml` – Auto-generated validation rules
|
||||
|
||||
### Claude Code Hooks
|
||||
|
||||
**Auto-formatting**: PostToolUse hooks auto-format files on Edit/Write (ruff for .py, shfmt for .sh, prettier for .yml/.yaml/.json/.md, actionlint for action.yml)
|
||||
**Blocked edits**: PreToolUse hook blocks direct edits to `rules.yml` (auto-generated, use `make update-validators`)
|
||||
**Hook schema**: `matcher` is a regex string matching tool names (e.g. `"Edit|Write"`), not an object. File filtering done in hook scripts via stdin JSON (`jq -r '.tool_input.file_path'`)
|
||||
**Reference**: `$CLAUDE_PROJECT_DIR` for project-relative paths in hook commands
|
||||
|
||||
### Memory System
|
||||
|
||||
**Location**: `.serena/memories/` (9 consolidated memories for context)
|
||||
|
||||
75
CONTRIBUTING.md
Normal file
75
CONTRIBUTING.md
Normal file
@@ -0,0 +1,75 @@
|
||||
# Contributing to ivuorinen/actions
|
||||
|
||||
Thank you for your interest in contributing to this GitHub Actions monorepo.
|
||||
|
||||
## Reporting Issues
|
||||
|
||||
- **Bugs**: Open an issue using the bug report template.
|
||||
- **Security vulnerabilities**: See [SECURITY.md](SECURITY.md) for responsible disclosure.
|
||||
- **Feature requests**: Open an issue describing the use case.
|
||||
|
||||
## Development Setup
|
||||
|
||||
1. Clone the repository:
|
||||
|
||||
```bash
|
||||
git clone https://github.com/ivuorinen/actions.git
|
||||
cd actions
|
||||
```
|
||||
|
||||
2. Install dependencies (Node.js, Python 3, ShellSpec, shellcheck, actionlint, ruff, prettier, markdownlint, yamllint).
|
||||
3. Run formatting, linting, and pre-commit checks:
|
||||
|
||||
```bash
|
||||
make all
|
||||
```
|
||||
|
||||
4. Run the test suite:
|
||||
|
||||
```bash
|
||||
make test
|
||||
```
|
||||
|
||||
## Code Style
|
||||
|
||||
- **EditorConfig**: 2-space indentation, UTF-8, LF line endings, max 200 chars.
|
||||
- **Shell scripts**: POSIX `sh` with `set -eu`. No bash-only syntax.
|
||||
- **Python**: Formatted and linted with `ruff`.
|
||||
- **YAML/JSON/Markdown**: Formatted with `prettier`; linted with `yamllint` and `markdownlint`.
|
||||
- **Action references**: SHA-pinned in `action.yml` files. Date-based tags or commit SHAs for published refs.
|
||||
|
||||
Run `make dev` (format + lint) to check your changes.
|
||||
|
||||
## Pull Request Process
|
||||
|
||||
1. Branch from `main`.
|
||||
2. Make focused changes (one feature or fix per PR).
|
||||
3. Ensure all checks pass: `make all` and `make test`.
|
||||
4. Follow existing patterns in the codebase.
|
||||
5. Update documentation if adding or modifying actions.
|
||||
|
||||
## Testing
|
||||
|
||||
```bash
|
||||
make test # All tests (ShellSpec + pytest)
|
||||
make test-actions # GitHub Actions tests only
|
||||
make test-python # Python validation tests only
|
||||
make test-coverage # All tests with coverage
|
||||
```
|
||||
|
||||
See [\_tests/README.md](_tests/README.md) for details on the ShellSpec testing framework.
|
||||
|
||||
## Adding a New Action
|
||||
|
||||
Each action is a self-contained directory at the repository root containing:
|
||||
|
||||
- `action.yml` with inputs, outputs, and runs definition
|
||||
- `README.md` generated via `action-docs` (`make docs`)
|
||||
- Tests in `_tests/`
|
||||
|
||||
Do not manually edit sections between `<!--LISTING-->` markers in the root README.
|
||||
Use `npm run update-catalog` to regenerate the catalog.
|
||||
|
||||
## License
|
||||
|
||||
By contributing, you agree that your contributions will be licensed under the [MIT License](LICENSE.md).
|
||||
2
Makefile
2
Makefile
@@ -210,7 +210,7 @@ bump-major-version: ## Replace one major version with another (usage: make bump-
|
||||
@sh _tools/bump-major-version.sh "$(OLD)" "$(NEW)"
|
||||
@echo "$(GREEN)✅ Major version bumped$(RESET)"
|
||||
|
||||
check-version-refs: ## List all current SHA-pinned action references
|
||||
check-version-refs: ## Verify all action references are SHA-pinned
|
||||
@echo "$(BLUE)🔍 Checking action references...$(RESET)"
|
||||
@sh _tools/check-version-refs.sh
|
||||
|
||||
|
||||
132
README.md
132
README.md
@@ -1,5 +1,7 @@
|
||||
# ivuorinen/actions - My Reusable GitHub Actions and Workflows
|
||||
|
||||
[](https://scorecard.dev/viewer/?uri=github.com/ivuorinen/actions)
|
||||
|
||||
## Overview
|
||||
|
||||
This repository contains a collection of reusable GitHub Actions
|
||||
@@ -27,73 +29,73 @@ This repository contains **26 reusable GitHub Actions** for CI/CD automation.
|
||||
### Quick Reference (26 Actions)
|
||||
|
||||
| Icon | Action | Category | Description | Key Features |
|
||||
|:----:|:-----------------------------------------------------|:-----------|:----------------------------------------------------------------|:---------------------------------------------|
|
||||
| :--: | :--------------------------------------------------- | :--------- | :-------------------------------------------------------------- | :------------------------------------------- |
|
||||
| 🔀 | [`action-versioning`][action-versioning] | Utilities | Automatically update SHA-pinned action references to match l... | Token auth, Outputs |
|
||||
| 📦 | [`ansible-lint-fix`][ansible-lint-fix] | Linting | Lints and fixes Ansible playbooks, commits changes, and uplo... | Caching, Token auth, Outputs |
|
||||
| ✅ | [`biome-lint`][biome-lint] | Linting | Run Biome linter in check or fix mode | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 🛡️ | [`codeql-analysis`][codeql-analysis] | Repository | Run CodeQL security analysis for a single language with conf... | Auto-detection, Token auth, Outputs |
|
||||
| 🖼️ | [`compress-images`][compress-images] | Repository | Compress images on demand (workflow_dispatch), and at 11pm e... | Token auth, Outputs |
|
||||
| ✅ | [`biome-lint`][biome-lint] | Linting | Run Biome linter in check or fix mode | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 🛡️ | [`codeql-analysis`][codeql-analysis] | Repository | Run CodeQL security analysis for a single language with conf... | Auto-detection, Token auth, Outputs |
|
||||
| 🖼️ | [`compress-images`][compress-images] | Repository | Compress images on demand (workflow_dispatch), and at 11pm e... | Token auth, Outputs |
|
||||
| 📝 | [`csharp-build`][csharp-build] | Build | Builds and tests C# projects. | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 📝 | [`csharp-lint-check`][csharp-lint-check] | Linting | Runs linters like StyleCop or dotnet-format for C# code styl... | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 📦 | [`csharp-publish`][csharp-publish] | Publishing | Publishes a C# project to GitHub Packages. | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 📦 | [`docker-build`][docker-build] | Build | Builds a Docker image for multiple architectures with enhanc... | Caching, Auto-detection, Token auth, Outputs |
|
||||
| ☁️ | [`docker-publish`][docker-publish] | Publishing | Simple wrapper to publish Docker images to GitHub Packages a... | Token auth, Outputs |
|
||||
| ✅ | [`eslint-lint`][eslint-lint] | Linting | Run ESLint in check or fix mode with advanced configuration ... | Caching, Auto-detection, Token auth, Outputs |
|
||||
| ✅ | [`eslint-lint`][eslint-lint] | Linting | Run ESLint in check or fix mode with advanced configuration ... | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 📦 | [`go-build`][go-build] | Build | Builds the Go project. | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 📝 | [`go-lint`][go-lint] | Linting | Run golangci-lint with advanced configuration, caching, and ... | Caching, Token auth, Outputs |
|
||||
| 📝 | [`language-version-detect`][language-version-detect] | Setup | DEPRECATED: This action is deprecated. Inline version detect... | Auto-detection, Token auth, Outputs |
|
||||
| 📦 | [`npm-publish`][npm-publish] | Publishing | Publishes the package to the NPM registry with configurable ... | Caching, Auto-detection, Token auth, Outputs |
|
||||
| ✅ | [`php-tests`][php-tests] | Testing | Run PHPUnit tests with optional Laravel setup and Composer d... | Caching, Auto-detection, Token auth, Outputs |
|
||||
| ✅ | [`pr-lint`][pr-lint] | Linting | Runs MegaLinter against pull requests | Caching, Auto-detection, Token auth, Outputs |
|
||||
| ✅ | [`php-tests`][php-tests] | Testing | Run PHPUnit tests with optional Laravel setup and Composer d... | Caching, Auto-detection, Token auth, Outputs |
|
||||
| ✅ | [`pr-lint`][pr-lint] | Linting | Runs MegaLinter against pull requests | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 📦 | [`pre-commit`][pre-commit] | Linting | Runs pre-commit on the repository and pushes the fixes back ... | Auto-detection, Token auth, Outputs |
|
||||
| ✅ | [`prettier-lint`][prettier-lint] | Linting | Run Prettier in check or fix mode with advanced configuratio... | Caching, Auto-detection, Token auth, Outputs |
|
||||
| ✅ | [`prettier-lint`][prettier-lint] | Linting | Run Prettier in check or fix mode with advanced configuratio... | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 📝 | [`python-lint-fix`][python-lint-fix] | Linting | Lints and fixes Python files, commits changes, and uploads S... | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 📦 | [`release-monthly`][release-monthly] | Repository | Creates a release for the current month, incrementing patch ... | Token auth, Outputs |
|
||||
| 🛡️ | [`security-scan`][security-scan] | Security | Comprehensive security scanning for GitHub Actions including... | Caching, Token auth, Outputs |
|
||||
| 🛡️ | [`security-scan`][security-scan] | Security | Comprehensive security scanning for GitHub Actions including... | Caching, Token auth, Outputs |
|
||||
| 📦 | [`stale`][stale] | Repository | A GitHub Action to close stale issues and pull requests. | Token auth, Outputs |
|
||||
| 🏷️ | [`sync-labels`][sync-labels] | Repository | Sync labels from a YAML file to a GitHub repository | Token auth, Outputs |
|
||||
| 🖥️ | [`terraform-lint-fix`][terraform-lint-fix] | Linting | Lints and fixes Terraform files with advanced validation and... | Token auth, Outputs |
|
||||
| 🛡️ | [`validate-inputs`][validate-inputs] | Validation | Centralized Python-based input validation for GitHub Actions... | Token auth, Outputs |
|
||||
| 🏷️ | [`sync-labels`][sync-labels] | Repository | Sync labels from a YAML file to a GitHub repository | Token auth, Outputs |
|
||||
| 🖥️ | [`terraform-lint-fix`][terraform-lint-fix] | Linting | Lints and fixes Terraform files with advanced validation and... | Token auth, Outputs |
|
||||
| 🛡️ | [`validate-inputs`][validate-inputs] | Validation | Centralized Python-based input validation for GitHub Actions... | Token auth, Outputs |
|
||||
|
||||
### Actions by Category
|
||||
|
||||
#### 🔧 Setup (1 action)
|
||||
|
||||
| Action | Description | Languages | Features |
|
||||
|:--------------------------------------------------------|:------------------------------------------------------|:-------------------------------|:------------------------------------|
|
||||
| :------------------------------------------------------ | :---------------------------------------------------- | :----------------------------- | :---------------------------------- |
|
||||
| 📝 [`language-version-detect`][language-version-detect] | DEPRECATED: This action is deprecated. Inline vers... | PHP, Python, Go, .NET, Node.js | Auto-detection, Token auth, Outputs |
|
||||
|
||||
#### 🛠️ Utilities (1 action)
|
||||
|
||||
| Action | Description | Languages | Features |
|
||||
|:--------------------------------------------|:------------------------------------------------------|:---------------|:--------------------|
|
||||
| :------------------------------------------ | :---------------------------------------------------- | :------------- | :------------------ |
|
||||
| 🔀 [`action-versioning`][action-versioning] | Automatically update SHA-pinned action references ... | GitHub Actions | Token auth, Outputs |
|
||||
|
||||
#### 📝 Linting (10 actions)
|
||||
|
||||
| Action | Description | Languages | Features |
|
||||
|:-----------------------------------------------|:------------------------------------------------------|:---------------------------------------------|:---------------------------------------------|
|
||||
| 📦 [`ansible-lint-fix`][ansible-lint-fix] | Lints and fixes Ansible playbooks, commits changes... | Ansible, YAML | Caching, Token auth, Outputs |
|
||||
| ✅ [`biome-lint`][biome-lint] | Run Biome linter in check or fix mode | JavaScript, TypeScript, JSON | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 📝 [`csharp-lint-check`][csharp-lint-check] | Runs linters like StyleCop or dotnet-format for C#... | C#, .NET | Caching, Auto-detection, Token auth, Outputs |
|
||||
| ✅ [`eslint-lint`][eslint-lint] | Run ESLint in check or fix mode with advanced conf... | JavaScript, TypeScript | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 📝 [`go-lint`][go-lint] | Run golangci-lint with advanced configuration, cac... | Go | Caching, Token auth, Outputs |
|
||||
| ✅ [`pr-lint`][pr-lint] | Runs MegaLinter against pull requests | Conventional Commits | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 📦 [`pre-commit`][pre-commit] | Runs pre-commit on the repository and pushes the f... | Python, Multiple Languages | Auto-detection, Token auth, Outputs |
|
||||
| ✅ [`prettier-lint`][prettier-lint] | Run Prettier in check or fix mode with advanced co... | JavaScript, TypeScript, Markdown, YAML, JSON | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 📝 [`python-lint-fix`][python-lint-fix] | Lints and fixes Python files, commits changes, and... | Python | Caching, Auto-detection, Token auth, Outputs |
|
||||
| Action | Description | Languages | Features |
|
||||
| :-------------------------------------------- | :---------------------------------------------------- | :------------------------------------------- | :------------------------------------------- |
|
||||
| 📦 [`ansible-lint-fix`][ansible-lint-fix] | Lints and fixes Ansible playbooks, commits changes... | Ansible, YAML | Caching, Token auth, Outputs |
|
||||
| ✅ [`biome-lint`][biome-lint] | Run Biome linter in check or fix mode | JavaScript, TypeScript, JSON | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 📝 [`csharp-lint-check`][csharp-lint-check] | Runs linters like StyleCop or dotnet-format for C#... | C#, .NET | Caching, Auto-detection, Token auth, Outputs |
|
||||
| ✅ [`eslint-lint`][eslint-lint] | Run ESLint in check or fix mode with advanced conf... | JavaScript, TypeScript | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 📝 [`go-lint`][go-lint] | Run golangci-lint with advanced configuration, cac... | Go | Caching, Token auth, Outputs |
|
||||
| ✅ [`pr-lint`][pr-lint] | Runs MegaLinter against pull requests | Conventional Commits | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 📦 [`pre-commit`][pre-commit] | Runs pre-commit on the repository and pushes the f... | Python, Multiple Languages | Auto-detection, Token auth, Outputs |
|
||||
| ✅ [`prettier-lint`][prettier-lint] | Run Prettier in check or fix mode with advanced co... | JavaScript, TypeScript, Markdown, YAML, JSON | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 📝 [`python-lint-fix`][python-lint-fix] | Lints and fixes Python files, commits changes, and... | Python | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 🖥️ [`terraform-lint-fix`][terraform-lint-fix] | Lints and fixes Terraform files with advanced vali... | Terraform, HCL | Token auth, Outputs |
|
||||
|
||||
#### 🧪 Testing (1 action)
|
||||
|
||||
| Action | Description | Languages | Features |
|
||||
|:---------------------------|:------------------------------------------------------|:-------------|:---------------------------------------------|
|
||||
| Action | Description | Languages | Features |
|
||||
| :-------------------------- | :---------------------------------------------------- | :----------- | :------------------------------------------- |
|
||||
| ✅ [`php-tests`][php-tests] | Run PHPUnit tests with optional Laravel setup and ... | PHP, Laravel | Caching, Auto-detection, Token auth, Outputs |
|
||||
|
||||
#### 🏗️ Build (3 actions)
|
||||
|
||||
| Action | Description | Languages | Features |
|
||||
|:----------------------------------|:------------------------------------------------------|:----------|:---------------------------------------------|
|
||||
| :-------------------------------- | :---------------------------------------------------- | :-------- | :------------------------------------------- |
|
||||
| 📝 [`csharp-build`][csharp-build] | Builds and tests C# projects. | C#, .NET | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 📦 [`docker-build`][docker-build] | Builds a Docker image for multiple architectures w... | Docker | Caching, Auto-detection, Token auth, Outputs |
|
||||
| 📦 [`go-build`][go-build] | Builds the Go project. | Go | Caching, Auto-detection, Token auth, Outputs |
|
||||
@@ -101,68 +103,68 @@ This repository contains **26 reusable GitHub Actions** for CI/CD automation.
|
||||
#### 🚀 Publishing (3 actions)
|
||||
|
||||
| Action | Description | Languages | Features |
|
||||
|:--------------------------------------|:------------------------------------------------------|:-------------|:---------------------------------------------|
|
||||
| :------------------------------------ | :---------------------------------------------------- | :----------- | :------------------------------------------- |
|
||||
| 📦 [`csharp-publish`][csharp-publish] | Publishes a C# project to GitHub Packages. | C#, .NET | Caching, Auto-detection, Token auth, Outputs |
|
||||
| ☁️ [`docker-publish`][docker-publish] | Simple wrapper to publish Docker images to GitHub ... | Docker | Token auth, Outputs |
|
||||
| 📦 [`npm-publish`][npm-publish] | Publishes the package to the NPM registry with con... | Node.js, npm | Caching, Auto-detection, Token auth, Outputs |
|
||||
|
||||
#### 📦 Repository (5 actions)
|
||||
|
||||
| Action | Description | Languages | Features |
|
||||
|:-----------------------------------------|:------------------------------------------------------|:--------------------------------------------------------|:------------------------------------|
|
||||
| Action | Description | Languages | Features |
|
||||
| :-------------------------------------- | :---------------------------------------------------- | :------------------------------------------------------ | :---------------------------------- |
|
||||
| 🛡️ [`codeql-analysis`][codeql-analysis] | Run CodeQL security analysis for a single language... | JavaScript, TypeScript, Python, Java, C#, C++, Go, Ruby | Auto-detection, Token auth, Outputs |
|
||||
| 🖼️ [`compress-images`][compress-images] | Compress images on demand (workflow_dispatch), and... | Images, PNG, JPEG | Token auth, Outputs |
|
||||
| 📦 [`release-monthly`][release-monthly] | Creates a release for the current month, increment... | GitHub Actions | Token auth, Outputs |
|
||||
| 📦 [`stale`][stale] | A GitHub Action to close stale issues and pull req... | GitHub Actions | Token auth, Outputs |
|
||||
| 📦 [`release-monthly`][release-monthly] | Creates a release for the current month, increment... | GitHub Actions | Token auth, Outputs |
|
||||
| 📦 [`stale`][stale] | A GitHub Action to close stale issues and pull req... | GitHub Actions | Token auth, Outputs |
|
||||
| 🏷️ [`sync-labels`][sync-labels] | Sync labels from a YAML file to a GitHub repositor... | YAML, GitHub | Token auth, Outputs |
|
||||
|
||||
#### 🛡️ Security (1 action)
|
||||
|
||||
| Action | Description | Languages | Features |
|
||||
|:-------------------------------------|:------------------------------------------------------|:----------|:-----------------------------|
|
||||
| Action | Description | Languages | Features |
|
||||
| :---------------------------------- | :---------------------------------------------------- | :-------- | :--------------------------- |
|
||||
| 🛡️ [`security-scan`][security-scan] | Comprehensive security scanning for GitHub Actions... | - | Caching, Token auth, Outputs |
|
||||
|
||||
#### ✅ Validation (1 action)
|
||||
|
||||
| Action | Description | Languages | Features |
|
||||
|:-----------------------------------------|:------------------------------------------------------|:---------------------|:--------------------|
|
||||
| Action | Description | Languages | Features |
|
||||
| :-------------------------------------- | :---------------------------------------------------- | :------------------- | :------------------ |
|
||||
| 🛡️ [`validate-inputs`][validate-inputs] | Centralized Python-based input validation for GitH... | YAML, GitHub Actions | Token auth, Outputs |
|
||||
|
||||
### Feature Matrix
|
||||
|
||||
| Action | Caching | Auto-detection | Token auth | Outputs |
|
||||
|:-----------------------------------------------------|:-------:|:--------------:|:----------:|:-------:|
|
||||
| [`action-versioning`][action-versioning] | - | - | ✅ | ✅ |
|
||||
| [`ansible-lint-fix`][ansible-lint-fix] | ✅ | - | ✅ | ✅ |
|
||||
| [`biome-lint`][biome-lint] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`codeql-analysis`][codeql-analysis] | - | ✅ | ✅ | ✅ |
|
||||
| [`compress-images`][compress-images] | - | - | ✅ | ✅ |
|
||||
| [`csharp-build`][csharp-build] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`csharp-lint-check`][csharp-lint-check] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`csharp-publish`][csharp-publish] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`docker-build`][docker-build] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`docker-publish`][docker-publish] | - | - | ✅ | ✅ |
|
||||
| [`eslint-lint`][eslint-lint] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`go-build`][go-build] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`go-lint`][go-lint] | ✅ | - | ✅ | ✅ |
|
||||
| [`language-version-detect`][language-version-detect] | - | ✅ | ✅ | ✅ |
|
||||
| [`npm-publish`][npm-publish] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`php-tests`][php-tests] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`pr-lint`][pr-lint] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`pre-commit`][pre-commit] | - | ✅ | ✅ | ✅ |
|
||||
| [`prettier-lint`][prettier-lint] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`python-lint-fix`][python-lint-fix] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`release-monthly`][release-monthly] | - | - | ✅ | ✅ |
|
||||
| [`security-scan`][security-scan] | ✅ | - | ✅ | ✅ |
|
||||
| [`stale`][stale] | - | - | ✅ | ✅ |
|
||||
| [`sync-labels`][sync-labels] | - | - | ✅ | ✅ |
|
||||
| [`terraform-lint-fix`][terraform-lint-fix] | - | - | ✅ | ✅ |
|
||||
| [`validate-inputs`][validate-inputs] | - | - | ✅ | ✅ |
|
||||
| :--------------------------------------------------- | :-----: | :------------: | :--------: | :-----: |
|
||||
| [`action-versioning`][action-versioning] | - | - | ✅ | ✅ |
|
||||
| [`ansible-lint-fix`][ansible-lint-fix] | ✅ | - | ✅ | ✅ |
|
||||
| [`biome-lint`][biome-lint] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`codeql-analysis`][codeql-analysis] | - | ✅ | ✅ | ✅ |
|
||||
| [`compress-images`][compress-images] | - | - | ✅ | ✅ |
|
||||
| [`csharp-build`][csharp-build] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`csharp-lint-check`][csharp-lint-check] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`csharp-publish`][csharp-publish] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`docker-build`][docker-build] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`docker-publish`][docker-publish] | - | - | ✅ | ✅ |
|
||||
| [`eslint-lint`][eslint-lint] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`go-build`][go-build] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`go-lint`][go-lint] | ✅ | - | ✅ | ✅ |
|
||||
| [`language-version-detect`][language-version-detect] | - | ✅ | ✅ | ✅ |
|
||||
| [`npm-publish`][npm-publish] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`php-tests`][php-tests] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`pr-lint`][pr-lint] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`pre-commit`][pre-commit] | - | ✅ | ✅ | ✅ |
|
||||
| [`prettier-lint`][prettier-lint] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`python-lint-fix`][python-lint-fix] | ✅ | ✅ | ✅ | ✅ |
|
||||
| [`release-monthly`][release-monthly] | - | - | ✅ | ✅ |
|
||||
| [`security-scan`][security-scan] | ✅ | - | ✅ | ✅ |
|
||||
| [`stale`][stale] | - | - | ✅ | ✅ |
|
||||
| [`sync-labels`][sync-labels] | - | - | ✅ | ✅ |
|
||||
| [`terraform-lint-fix`][terraform-lint-fix] | - | - | ✅ | ✅ |
|
||||
| [`validate-inputs`][validate-inputs] | - | - | ✅ | ✅ |
|
||||
|
||||
### Language Support
|
||||
|
||||
| Language | Actions |
|
||||
|:---------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| :------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| .NET | [`csharp-build`][csharp-build], [`csharp-lint-check`][csharp-lint-check], [`csharp-publish`][csharp-publish], [`language-version-detect`][language-version-detect] |
|
||||
| Ansible | [`ansible-lint-fix`][ansible-lint-fix] |
|
||||
| C# | [`codeql-analysis`][codeql-analysis], [`csharp-build`][csharp-build], [`csharp-lint-check`][csharp-lint-check], [`csharp-publish`][csharp-publish] |
|
||||
|
||||
@@ -23,19 +23,43 @@ for tool in find grep sed printf sort cut tr wc; do
|
||||
fi
|
||||
done
|
||||
|
||||
# --- Validation pass: detect non-SHA-pinned references ---
|
||||
violations_file=$(safe_mktemp)
|
||||
trap 'rm -f "$violations_file"' EXIT
|
||||
|
||||
find . -maxdepth 2 -name "action.yml" -path "*/action.yml" \
|
||||
! -path "./_*" ! -path "./.github/*" \
|
||||
-exec grep -nE '^\s+uses:\s+ivuorinen/actions/' {} /dev/null \; \
|
||||
>"$violations_file"
|
||||
|
||||
violations_found=false
|
||||
while IFS= read -r match; do
|
||||
if ! printf '%s\n' "$match" | grep -qE '@[0-9a-f]{40}'; then
|
||||
if [ "$violations_found" = false ]; then
|
||||
msg_error "Non-SHA-pinned action references found:"
|
||||
violations_found=true
|
||||
fi
|
||||
printf ' %s\n' "$match" >&2
|
||||
fi
|
||||
done <"$violations_file"
|
||||
|
||||
if [ "$violations_found" = true ]; then
|
||||
rm -f "$violations_file"
|
||||
exit 1
|
||||
fi
|
||||
rm -f "$violations_file"
|
||||
|
||||
printf '%b' "${BLUE}Current SHA-pinned action references:${NC}\n"
|
||||
printf '\n'
|
||||
|
||||
# Create temp files for processing
|
||||
temp_file=$(safe_mktemp)
|
||||
trap 'rm -f "$temp_file"' EXIT
|
||||
|
||||
temp_input=$(safe_mktemp)
|
||||
trap 'rm -f "$temp_file" "$temp_input"' EXIT
|
||||
|
||||
# Find all action references and collect SHA|action pairs
|
||||
# Use input redirection to avoid subshell issues with pipeline
|
||||
find . -maxdepth 2 -name "action.yml" -path "*/action.yml" ! -path "./_*" ! -path "./.github/*" -exec grep -h "uses: ivuorinen/actions/" {} \; > "$temp_input"
|
||||
find . -maxdepth 2 -name "action.yml" -path "*/action.yml" ! -path "./_*" ! -path "./.github/*" -exec grep -h "uses: ivuorinen/actions/" {} \; >"$temp_input"
|
||||
|
||||
while IFS= read -r line; do
|
||||
# Extract action name and SHA using sed
|
||||
@@ -43,9 +67,9 @@ while IFS= read -r line; do
|
||||
sha=$(echo "$line" | sed -n 's|.*@\([a-f0-9]\{40\}\).*|\1|p')
|
||||
|
||||
if [ -n "$action" ] && [ -n "$sha" ]; then
|
||||
printf '%s\n' "$sha|$action" >> "$temp_file"
|
||||
printf '%s\n' "$sha|$action" >>"$temp_file"
|
||||
fi
|
||||
done < "$temp_input"
|
||||
done <"$temp_input"
|
||||
|
||||
# Check if we found any references
|
||||
if [ ! -s "$temp_file" ]; then
|
||||
@@ -54,7 +78,7 @@ if [ ! -s "$temp_file" ]; then
|
||||
fi
|
||||
|
||||
# Sort by SHA and group
|
||||
sort "$temp_file" | uniq > "${temp_file}.sorted"
|
||||
sort "$temp_file" | uniq >"${temp_file}.sorted"
|
||||
mv "${temp_file}.sorted" "$temp_file"
|
||||
|
||||
# Count unique SHAs
|
||||
@@ -95,7 +119,7 @@ while IFS='|' read -r sha action; do
|
||||
# Add to current SHA group
|
||||
actions_list="$actions_list, $action"
|
||||
fi
|
||||
done < "$temp_file"
|
||||
done <"$temp_file"
|
||||
|
||||
# Print last SHA group
|
||||
if [ -n "$current_sha" ]; then
|
||||
|
||||
@@ -10,7 +10,7 @@ ARG ACT_VERSION=0.2.71
|
||||
ARG SHELLSPEC_VERSION=0.28.1
|
||||
|
||||
# Stage 1: Build kcov separately to keep final image slim
|
||||
FROM ubuntu:24.04 AS kcov-builder
|
||||
FROM ubuntu:24.04@sha256:d1e2e92c075e5ca139d51a140fff46f84315c0fdce203eab2807c7e495eff4f9 AS kcov-builder
|
||||
|
||||
ARG KCOV_VERSION
|
||||
|
||||
@@ -43,7 +43,7 @@ RUN cmake .. \
|
||||
&& make install DESTDIR=/kcov-install
|
||||
|
||||
# Stage 2: Base system setup
|
||||
FROM ubuntu:24.04 AS base
|
||||
FROM ubuntu:24.04@sha256:d1e2e92c075e5ca139d51a140fff46f84315c0fdce203eab2807c7e495eff4f9 AS base
|
||||
|
||||
LABEL maintainer="ivuorinen"
|
||||
LABEL description="GitHub Actions testing framework with pre-installed tools"
|
||||
|
||||
@@ -536,7 +536,7 @@ runs:
|
||||
- name: Scan Image for Vulnerabilities
|
||||
id: scan
|
||||
if: inputs.scan-image == 'true' && inputs.dry-run != 'true'
|
||||
uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # 0.34.2
|
||||
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
|
||||
with:
|
||||
scan-type: 'image'
|
||||
image-ref: ${{ steps.image-name.outputs.name }}:${{ inputs.tag }}
|
||||
|
||||
@@ -626,6 +626,33 @@ runs:
|
||||
go-version: ${{ steps.go-version.outputs.detected-version }}
|
||||
cache: true
|
||||
|
||||
# ╭──────────────────────────────────────────────────────────╮
|
||||
# │ Dependency Review │
|
||||
# ╰──────────────────────────────────────────────────────────╯
|
||||
- name: Check Repository Visibility
|
||||
id: repo-visibility
|
||||
if: github.event_name == 'pull_request'
|
||||
shell: sh
|
||||
run: |
|
||||
set -eu
|
||||
|
||||
is_private=$(jq -r '.repository.private' "$GITHUB_EVENT_PATH")
|
||||
|
||||
if [ "$is_private" = "false" ]; then
|
||||
printf '%s\n' "is-public=true" >> "$GITHUB_OUTPUT"
|
||||
fi
|
||||
|
||||
- name: Dependency Review
|
||||
id: dependency-review
|
||||
continue-on-error: true
|
||||
if: >-
|
||||
steps.repo-visibility.outputs.is-public == 'true'
|
||||
&& github.event_name == 'pull_request'
|
||||
uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
|
||||
with:
|
||||
comment-summary-in-pr: always
|
||||
fail-on-severity: critical
|
||||
|
||||
# ╭──────────────────────────────────────────────────────────╮
|
||||
# │ MegaLinter │
|
||||
# ╰──────────────────────────────────────────────────────────╯
|
||||
@@ -684,3 +711,10 @@ runs:
|
||||
path: |
|
||||
megalinter-reports
|
||||
mega-linter.log
|
||||
|
||||
- name: Fail if dependency review found critical issues
|
||||
if: steps.dependency-review.outcome == 'failure'
|
||||
shell: sh
|
||||
run: |
|
||||
printf '%s\n' "Dependency review found critical issues" >&2
|
||||
exit 1
|
||||
|
||||
Reference in New Issue
Block a user